ppsk vs wpa2

PPSK Is Not an Alternative to 802.1x

Patrick Grubbs Education, Uncategorized

PPSK Is Not an Alternative to 802.1x

Believe it or not, the aging WPA-Personal protocol has seen some innovation in the past few years. Several companies have developed unique PSK authentication protocols with varying names, though “Private PSK” (PPSK) has emerged as the commonly-accepted phrase.

Here are some of the proprietary names for the same technology:

  • Private PSK – Aerohive and Extreme
  • Identity PSK – Cisco
  • ePSK – Cambium and Mist/Juniper

What is PPSK? It’s a step up from vanilla PSK, there’s no doubt. In a regular WPA-Personal network with pre-shared key authentication, one password is used to connect any number of devices to the access point (AP). PPSK is a configuration in which each device has a unique pre-shared key that it uses to authenticate to the AP.

Does that sound familiar? Oh yeah, that’s pretty much how 802.1x authentication works. So why not just use that?

802.1x Is a Better Alternative to Unique PSK

There’s this lingering impression that 802.1x is complicated, expensive, and ultimately not worth it…

That couldn’t be further from the truth.

802.1x is Easier to Implement than Unique PSK

The belief that 802.1x and WPA2-Enterprise are difficult to implement is outdated. That hasn’t been true for years. With the advent of cloud computing, on-premise RADIUS is a distant memory. SecureW2 can configure a Cloud RADIUS server and a managed PKI service for you in less than a day. Onboarding software has also made it incredibly easy to setup and manage devices for 802.1x.

It’s true, however, that WPA-PSK requires little-to-nothing in the way of setup, but it’s less true when talking about unique PSKs. You have to generate a new credential for each device. Most, if not all, of the implementations of unique PSK have a method to bulk-generate credentials, but not all vendors have a key component of onboarding: credential distribution.

Distributing those generated credentials and registering them to each device is usually called device onboarding. The ease with which you can onboard devices to 802.1x is one of its great strengths – our own JoinNow software can automatically configure your devices to receive credentials or certificates and self-enroll to your WPA2-Enterprise network.

Not every vendor has a solution for distributing credentials. If you have hundreds or thousands of devices, it quickly becomes infeasible to enroll each for a credential manually.

802.1x is More Secure than Unique PSK

No one is really arguing about this one. It’s an undeniable truth that PSK is intrinsically more vulnerable than the combination of a RADIUS server and a PKI.

Pre-shared key authentication only validates credentials one way. The access point just needs to see the correct sequence of characters and it grants access.

RADIUS authentication is more robust. A device submits its credentials or certificate to the access point, then the RADIUS checks against a directory stored in the PKI. The PKI confirms whether or not that user is valid, then sends the OK back to the RADIUS which authenticates the device. It can even be configured for Identity Lookup, which validates a user is active within the organization at the time of authentication, further increasing security.

RADIUS can be even more secure if you utilize the EAP-TLS authentication protocol, which allows you to use digital certificates for authentication. Certificates are like photo IDs for devices – they confirm who is using the credential, which makes them immune to over-the-air attacks, such as the notorious man-in-the-middle attack.

 802.1x is Future-Proofed

… Or, as future-proofed as any cybersecurity can be.

If you’re going to spend the time, effort, and money to upgrade security, why would you devote those resources to a “less-bad” version of an ailing authentication protocol?

Even though WPA3 already exists, the most secure organizations are still using WPA2-Enterprise with EAP-TLS. It’s the best network security solution on the market and it looks like it’ll remain that way for the foreseeable future.

Unique PSK is simply a stop-gap measure. If it isn’t obsolete now, it will be soon. Eventually, as your organization scales, you’ll need to upgrade anyway. 802.1x can scale with you – services like our Cloud RADIUS are appropriate (and affordable) for organizations of all sizes.

Unique PSK is Vendor-Locked

Notice how every company has their own branded version of unique PSK? That’s because they’re all proprietary solutions that vendor-lock your device’s security.

Having your network security held hostage isn’t just uncomfortable – it’s risky. It prevents you from choosing the safest route, forcing you to accept the rest of their product ecosystem.

The most prudent option is to use a vendor-agnostic service, like SecureW2’s. Our products can be integrated into your existing network without any forklift upgrades because they are compatible with every major vendor.

Use Cases for Unique PSK

ppsk vs wpa2

We haven’t been kind to unique PSK in this article, but in the interest of fairness, we’ll admit it does have one compelling use case.

Unique PSK is the best option for devices that do not support 802.1x. Whether they’re old devices with outdated network infrastructure or highly specialized devices with an incompatible OS (such as some medical equipment), some devices simply can’t integrate into an 802.1x network.

In these cases, we encourage you to use unique PSK. It’s certainly better than standard PSK and is a solid way to compartmentalize your network resources with or without dynamic VLAN.

However, unique PSK only works for wireless devices – there’s no wired security option. Not every device is wireless-enabled, and that is especially true for devices that have stringent security requirements… which is where you need network protection the most.

802.1x is Better than Unique PSK

802.1x with WPA2-Enterprise (and ideally EAP-TLS auth protocol) is more efficient, more secure, easier to implement, and will be relevant long after unique PSKs fall to the wayside.

Let us show you how easy and affordable it can be to implement a robust Cloud RADIUS and managed PKI service for your organization. Click here to see our pricing.


Trademark Legal Notice. All product names, logos, and brands are property of their respective owners in the United States and/or other countries. All company, product and service names used on this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.


Learn About This Author

Patrick Grubbs

Patrick is the SEO guy at SecureW2, but he enjoys writing a little too much to give it up entirely. He got his start blogging about his ever-expanding collection of succulents and cacti. His hobbies include running, gardening, playing video games, and buying tools he will never use. Special skills: 5th grade chess champion, ultra-specific color identification, clapping with one hand