Configure Private Pre-Shared Key SSID Authentication

Before you begin

Create a Standard Wireless Network configuration.

About this task

A PPSK is a unique pre-shared key assigned to a user rather than to an SSID. With this approach, you can assign different PPSKs and user profiles to different users on the same SSID. If a user is no longer permitted to use the WLAN or a wireless client becomes lost, stolen, or compromised, you can revoke just that user's PPSK without having to reconfigure the PPSKs on all the other clients. Use these steps to configure Private Pre-Shared Key SSID authentication options.

Note

ExtremeCloud IQ Connect does not support Private Pre-Shared Keys.

Procedure

Choose one of the following Key Management options:
- WPA3 (SAE) to negotiate using WPA3 with clients. If all the wireless clients support WPA3, it is a better choice than WPA2.
- WPA2-(WPA2 Personal)-PSK to use WPA2 for key management. WPA2 supports PMK caching and pre-authentication, whereas WPA does not.
- WPA-(WPA or Auto)-PSK) to use WPA for key management. WPA does not support PMK caching or pre-authentication, but if the clients were released before IEEE 802.11i was ratified and support WPA (not WPA2), this option allows the Extreme Networks device to support them.
- Auto-(WPA or WPA2)-PSK to negotiate the use of WPA2 or WPA with clients based on the version they support.
For Encryption Method (WPA or WPA2 only): Choose CCMP (AES).
CCMP (AES) (Counter Mode-Cipher Block Chaining Message Authentication Code Protocol) is a security protocol that uses AES (Advanced Encryption Standard) encryption. CCMP provides message integrity by combining counter mode with CBC (cipher block chaining) to produce a MAC.
Note
When the wireless network (SSID) is configured for WPA3 (SAE), the encryption method is always set to 128-bit encryption.
Enter the maximum number of simultaneous clients allowed for each PPSK user, from 1 through 15, or 0 for an unlimited number.

Note
Setting the maximum number of clients per PPSK in the user group to a custom (non-zero) value overrides this setting in the SSID.
If necessary, select MAC binding.
When you enable this option, an Extreme Networks AP functions as a PPSK server and automatically binds MAC addresses to PPSKs. When the first client authenticates with a PPSK, the PPSK server creates an internal MAC address-to-PPSK binding list for it. If a second client authenticates with the same PPSK, the server automatically binds its MAC address to the PPSK and adds it to the list—if allowed by the configuration. You can configure a PPSK server to bind up to five MAC addresses to one PPSK so users can submit the same PPSK for all their smart phones, tablets, PCs, and other clients.
1. Choose an Extreme Networks AP from the list to define it as a PPSK server.
  A PPSK server stores PPSK users, binds multiple client MAC addresses to a PPSK, and automatically updates and tracks PPSK-to-MAC address bindings. It must be an AP that is at the network policy's site. Extreme Networks APs (PPSK authenticators) at the same site contact this server when checking and requesting a user-submitted PPSK binding to the user's client MAC address.
  Note
  Only APs that you previously configured with static network settings appear in the PPSK server list.
To configure Private Client Group Options, see Configure a Private Client Group.
Select PPSK Classification Options to use this network policy with associated Local User Groups.
See Configure a Local User Group for more information.

What to do next

Continue configuring the Standard Wireless Network.