Introducing mPSK for simple and robust per-device control of WiFi networks

Multi-pre-shared key (mPSK, also called PPSK, ePSK, iPSK, or even DPSK) remains the most optimal way to provide simple and robust per-device control of Wi-Fi networks. It gives each device or user a unique key, letting you dynamically assign VLANs and bandwidth rules — all while keeping one SSID. And now, mPSK support is part of Splynx. No extra systems. No extra cost.

Suppose you’re running networks in multi-dwelling unit (MDU) environments, such as campuses, apartment buildings, or multi-tenant complexes, where implementing advanced IEEE 802.1X authentication may be too costly or complex. In that case, mPSK gives you real security and scalability without asking your users to be network engineers.

How mPSK can improve security and manageability of WPA2-Personal (WPA2-PSK) networks

Utilizing standard WPA2-PSK “4-way handshake” authentication protocol, mPSK addresses the limitations of a single “Pre-Shared Key” (PSK) by allowing network administrators to define multiple, unique pre-shared keys for use on the same SSID. So, instead of the same passphrase shared by every single device connecting to this one SSID, each device or group of devices can be assigned its own distinct PSK. This enables differentiated access control and policy enforcement based on which key a user or device uses to connect, offering effective Wi-Fi microsegmentation.

Using mPSK usually means you need a central system to manage it. This can be a RADIUS server or built-in advanced tools on the wireless controller or access point. When a device tries to join the WPA2-PSK network, the access point sends its MAC address to the RADIUS server. The server checks the device and finds the right PSK for it (or for its group). It then sends that PSK back to the access point. The access point uses it to check the device’s PSK during the standard 4-way handshake. If the device gives a PSK that doesn’t match what the access point expects for that device, the 4-way handshake fails and the device can’t join the network.

Beyond providing a unique PSK, mPSK solutions often integrate with VLAN assignment. A RADIUS server can instruct the AP to place the connecting device into a specific VLAN based on a device’s identity or the group it belongs to. This provides network micro-segmentation and adds security, preventing individual network tenants from snooping on each other’s traffic.

The key benefits of mPSK include:

• Enhanced Security. mPSK significantly improves security compared to a single shared PSK. If a specific PSK associated with an account or device is compromised, only that particular access is affected, leaving the rest of the network secure. With a single fixed WiFi password, a hacker only needs to capture the 4-way handshake to generate encryption keys and decrypt wireless traffic. However, with unique PSKs, an intruder would need to brute-force each key individually, and an “insider attack” becomes more difficult. If a key is shared or leaked, the entire network is not impacted, and the compromised key can simply be disabled, maintaining the same level of security.
• Segmentation. Using different WiFi passwords allows for segmenting users and groups. This means you can define different VLANs, and for some vendors, even apply distinct schedulers, Quality of Service (QoS) rules, and Firewall rules. For example, in a school, teachers, students, and principals could be placed in different VLANs, or policies could be set to restrict student internet access or YouTube usage to specific times. Similarly, separate policies can be created for BYOD (Bring Your Own Device), guest, or IoT devices. This microsegmentation can prevent individual network tenants from snooping on each other’s traffic.
• Improved Accountability. Since each account or group has a unique PSK, it becomes easier to track which specific PSK might have been compromised or is associated with particular network activity. This deters users from easily sharing passwords, as they are responsible for the internet behavior linked to their personal password.
• Simplified Onboarding/Offboarding. When someone leaves an organization, their access to the internal network needs to be deactivated. With a fixed WiFi password, changing it affects all other employees’ devices and leads to many support calls for the IT department. Unique WiFi passwords allow you to disable only the specific password for the departing individual without impacting the rest of the company. Similarly, when a device needs to be added or removed, only its specific PSK needs to be managed, rather than changing a global PSK and reconfiguring all other devices.
• Guest Network Management. Many companies use insecure open SSIDs for guest networks, even with captive portals. While NAC (Network Access Control) solutions are secure, they are often difficult to set up and complicated for guests. Unique WiFi passwords can simplify guest onboarding through QR codes, which guests can scan with their mobile phones to connect. You can also define the validity period for these passwords and automate their creation upon arrival and deactivation upon departure.
• Reduced SSID Sprawl. Multiple WiFi networks (SSIDs) negatively affect WiFi quality by increasing overhead and reducing airtime for actual data. With unique passwords, you can achieve segmentation within a single WiFi network, thereby requiring fewer SSIDs and improving RF efficiency.
• Secure onboarding and management of IoT devices. Many IoT devices don’t support advanced login methods like WPA2-Enterprise (802.1X/EAP). mPSK offers a safer way to connect these devices using individual passwords, without adding extra steps or pressure on low-power hardware

Automated mPSK provisioning and enforcement based on business workflow

Splynx provides self-registration and central management of mPSK based on RADIUS. It simplifies the use of mPSK by fully automating how Wi-Fi passwords are created, managed, and assigned to customers without requiring local key storage or manual AP configuration. Each user gets their own unique PSK, which is tied directly to their service plan and billing status.

Splynx allows network administrators to define multiple Wi-Fi passwords for each customer, sub-customer, or device while keeping just one SSID. It can also download and distribute printable PDFs with QR codes for easy connection.

If the service is suspended, access is blocked automatically. This makes secure Wi-Fi access in MDUs simple, scalable, and hands-free for ISPs.

Centralized Management

• ISPs can manage all mPSK settings through the Splynx interface, which acts as a central RADIUS server, eliminating the need for manual configuration on individual APs.

Automated Provisioning

• When a customer is added or their service is updated, Splynx can automatically assign a unique PSK, streamlining the onboarding process.

Access Control

• Splynx can disable a customer’s PSK if their account is suspended or terminated, enforcing access policies efficiently.

Integration with Splynx Ecosystem

• MPSK works with other Splynx tools like TR-069 (for device provisioning), QoE-based monitoring and traffic management, creating a cohesive ecosystem for network management. For example, TR-069 can push firmware updates to APs while mPSK handles authentication.

Getting started with Multiple PSK

Ready to simplify per-device control of Wi-Fi networks and boost customer experience? Head to the Config → Networking → Multiple PSK section in your Splynx dashboard to start configuring individual PSKs for each user or device. You can find all details and step-by-step instructions in our documentation.