
What is Private Pre-Shared Key?

November 06, 2018

The most common way for users and devices to connect to the wireless network is via a pre-shared key, or password. 

Some organisations have implemented 802.1x and already have some control over who can access their network.

Another option is a Private Pre-Shared Key, which we believe has many of the benefits of 802.1x without any of the additional infrastructure requirements.

Sounds too good to be true, right?

Below we outline the pros and cons of Pre-Shared Keys, 802.1x and Private Pre-Shared Keys, to help you decide what's right for your organisation.



Pre-Shared Key



All devices receive the same pre-shared key to connect to a wireless access point. The benefit of using this method is that it's very simple for the end user to use. There's one password to remember, and all devices use it to connect to the wireless. It's easy and requires no further back-end infrastructure. 


Because every device uses the same password, there's no ability to uniquely identify devices, or the users using them. It is not possible to apply unique policies to these traffic streams. For example, there's no ability to assign different VLAN, Quality of Service (QoS) and firewall policies.

Another consideration, particularly in a corporate environment, is when an employee leaves. In this case you'll have to revoke the one password and reissue another pre-shared key to everyone at the company.

This creates additional workload and overhead as far as support is concerned. There are also security concerns: if this one password is compromised, unfettered access across the wireless network is theoretically possible.




802.1x

Another method of connecting to the wireless network is 802.1x. This is typically done through credentials like a username and password stored in Active Directory, in conjunction with certificates. Again, this is more commonly found in corporate environments, and is deemed to be a more secure method of connecting to a wireless network than a Pre-Shared Key.

However, this method does require additional back-end infrastructure including a RADIUS server, an Active Directory and certificates. 

Every user, or device, requires a unique set of credentials to connect to the wireless network. The obvious benefit is every connection can be identified, and because they're uniquely identifiable, VLAN, RADIUS and firewall policies can be applied. Essentially, much more visibility and control over who connects to the wireless is available to the manager of the network.

But what happens when someone leaves an organisation?

In this case, all that's required is to disable or remove the user's account from the Active Directory, effectively denying them access to the internet via the wireless. 

Altogether, this is considered a more sophisticated and secure solution.


As outlined, additional infrastructure is required to make 802.1x work, and in turn, additional skills to manage the network effectively. A RADIUS server needs to be provisioned, as well as an Active Directory and certificates to validate the identity of your back-end access points, or even the client devices themselves.

Private Pre-Shared Key


With PPSK, each device or user has their own pre-shared key, or password. This is particularly important in BYOD deployments where everybody needs to be uniquely identified, but you're unsure what device users might use, and whether these devices will support 802.1x.

In this scenario there is no additional infrastructure required, negating the need for a RADIUS server, Active Directory and certificates. Everything required is contained within the access point. This allows you to have thousands of unique keys.

You get the simplicity of a pre-shared key, but each device is uniquely identified without the need to provision the additional infrastructure required for 802.1x.

This gives you a lot of control over policies and VLANs, without any additional infrastructure complexities.
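The sketch below is an added example, not code from this article or from any vendor, showing how an access point holding per-user keys can identify a client, assign its VLAN and revoke one key without touching the others. It assumes the access point matches the WPA2 handshake MIC against each stored key (implementations vary); the `PpskTable` class, owner names, passphrases, MAC addresses, nonces and frame bytes are all constructed for illustration.

```python
import hashlib
import hmac

SSID = b"ExampleCorp"                      # constructed sample values throughout
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
ANONCE, SNONCE = hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest()
FRAME = b"constructed EAPOL-Key message 2, MIC field zeroed"

def pmk(passphrase: str) -> bytes:
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), SSID, 4096, 32)

def handshake_mic(key: bytes, frame: bytes = FRAME) -> bytes:
    # First block of the 802.11 PRF; its first 16 bytes are the key confirmation key (KCK)
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC) +
            min(ANONCE, SNONCE) + max(ANONCE, SNONCE))
    kck = hmac.new(key, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

class PpskTable:
    """Hypothetical access-point key store: one entry per user or device."""
    def __init__(self):
        self._entries = {}                 # owner -> (PMK, VLAN)

    def enrol(self, owner: str, passphrase: str, vlan: int) -> None:
        self._entries[owner] = (pmk(passphrase), vlan)

    def revoke(self, owner: str) -> None:
        self._entries.pop(owner, None)     # other owners' keys are untouched

    def identify(self, rx_mic: bytes):
        # Try each enrolled key; the one that reproduces the client's MIC names the owner
        for owner, (key, vlan) in self._entries.items():
            if hmac.compare_digest(handshake_mic(key), rx_mic):
                return owner, vlan
        return None                        # unknown or revoked key: reject the association

def demo():
    table = PpskTable()
    table.enrol("alice-laptop", "constructed-passphrase-A", 10)
    table.enrol("lobby-printer", "constructed-passphrase-B", 30)
    alice = handshake_mic(pmk("constructed-passphrase-A"))     # what Alice's device would send
    printer = handshake_mic(pmk("constructed-passphrase-B"))
    before = table.identify(alice)
    table.revoke("alice-laptop")
    return before, table.identify(alice), table.identify(printer)

if __name__ == "__main__":
    print(demo())
```

Revoking one entry is the PPSK counterpart of disabling a directory account under 802.1x: the departed user's key stops working while every other device keeps its own.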


Written by Neil Harrison