UniFi's Awesome New PPSK Feature - But There's a Catch!

ah yes

Hahaha, good point. Especially good for neighbors pretending they need wifi for some days for Whatsapp.

My reply is always I trust you, just not your phone, computer etc.

This is probably the main disadvantage of PPSK, however it's not something I've found to be a major issue - I have my firewall configured to allow me to access anything I'd need to regularly access on other VLANs from my main trusted LAN, so I rarely need to actually switch to a different wireless network. Of course, multiple SSIDs are still a completely valid option for situations where they'd be more suitable, however just bear in mind that a hidden SSID still broadcasts beacons, they just don't contain the SSID, so hiding SSIDs doesn't help avoid congestion issues.

I wondered about this, too, with regards to the (well, ) future 6ghz radio implementation. Without testing, wouldn't it just mean that you'd then have 2 SSIDs; one for 2.4 & 5 radios and a separate SSID for 6 ghz? PPSK on the 2.4/5 SSID but not on the 6

Yeah, this is similar on Ruckus - those settings are configured at the wireless network level and not the PPSK level - Not sure if it's a limitation they can easily fix or if it's something that isn't actually possible.

What would client isolation per PPSK do?

Client isolation is circumventable even with a different password per vlan, you'd need to have a single password per station for it to be effective.

@@abdullahX001 client isolation will isolate clients connected to the same SSID/WLAN. It's a layer-2 level of blocking since the clients will use the same subnet. I think what OP wants is to set client isolation per VLAN but using the same SSID with PPSK. With PPSK the clients using the same password will connect to the same VLAN within a single SSID, but he doesn't want those devices to communicate with each other. If you enable client isolation for the SSID itself then it will isolate all clients on VLANs.

@@---GOD--- thank you!

That's true, although personally I just have my firewall configured to allow devices on my trusted LAN to access stuff on other VLANs, needing to regularly switch VLAN gets messy - on WiFi at least you can change to a different SSID but on a wired machine, you end up needing to constantly change the switch port configuration which isn't fun.

Imagine patenting ugh i hate the anti competition

@@iunstable0seems like the mosty hacky thing ever to patent, ugh 😂

Unfortunately not, a hidden SSID will still beacon, the beacon messages just don't contain an SSID.

PPSK is around when WPA3 was not even a draft... Only UniFi took that long to implement it...

@@binarybear9711 And ? Already invested to upgrade all my home devices to WPA3 for better WIFI security, so whats good for me that PPSK is here for a long time? One thing for sure I will not downgrade to WPA2.

It's definitely not particularly engaging and I'd have loved to do some nice animated diagrams but this video was a bit of a time constrained nightmare. Wanted to get it out this week while the technology was still "current news" - first had the time to film it on Thursday, had a migraine so couldn't then after filming on Friday, right as I was about to edit, managed to badly cut my finger with a stanley knife while cutting up a cardboard box so ended up editing this late at night shortly after getting back from hospital! 🤦‍♂️. Talking head is an interesting one, I've done it a couple of times in the past, and it's definitely more engaging, although I'm not particularly well versed at sitting in front of and talking to a camera. It's maybe something I'd consider doing longer term although I'd need to get a lot more comfortable with it first.

@@camerongray1515 yikes that sounds like a total nightmare! Impressed you got a video out at all, esp after having to go to hospital! Hope it's all healing up now. Talking head would hopefully be quicker than an animation but appreciate you might not want to do when not feeling 100%! Just wanted to flag up as an idea anyway, as I say the actual content was great, esp the WPA3 stuff which really took me by surprise as this PPSK setup sounds eminently sensible!

​@@camerongray1515Migraines suck

It's this: houseofworktops.co.uk/wooden-worktops/iroko-worktop - got it from them cut to size (also opted to keep the offcut which I'm using as the bit that stands up at the back) It's pretty good and looks great on camera although definitely a lot easier to dent/scratch than laminate so I have to be relatively careful with it - I have some wooden boards that I put things like servers on top of to protect it from the sharp metal. One thing I'd definitely do differently is I'd get them to profile the edges to a curve. I just got the regular square edges and they're really easy to dent.

you could enable PPSK for both of your mentioned SSID-band combinations.

I haven't tested this but I imagine it would be fine, you'd just create the separate SSIDs as normal and restrict each to its respective radio, then set up the same PPSK keys on both. At the very least, the option to select the radios to use for each SSID is still available when PPSK is enabled.

Ugg, posted that before 'the catch', I'm currently using U6 devices.. Still, I think adding an old WIfi-5 device (AC Pro maybe?) might be in order, and going down to two total SSID's....

You wouldn't necessarily need new devices - you can just configure your PPSK SSIDs to use the 2.4 and 5GHz bands while the others can also include the 6GHz band broadcasting from the same APs. Also bear in mind that if by "U6 devices" you are referring to regular WIFi 6, these are only 2.4/5GHz APs anyway, to get the 6GHz band you'd need WiFi 6E APs. The "6" in "WiFi 6" is essentially a version number, not a frequency.

@@camerongray1515 you, sir, are absolutely correct, lol. I'd forgotten the Lite was 2.4/5ghz only (we use the enterprise models at work, I use Lite at home). I'm still going to be putting in another AP here (probably a AC-Pro long range model) since I have some dead spots on the property that my U6 isn't covering.

Just to follow up, I went through the setup, and it works a treat.. Going ahead and reconfiguring everything this afternoon, going to be doing a bunch of esphome firmware compiles & uploads now, lol.

I think you'll still run into the issue of increased beacon traffic.

@@OrianIglesias You shouldn't as it's the same exact SSID.

The SSID limit depends on how pedantic you want to be. If you start disabling features like meshing, then lets put the SSID limit in proper terms and call it 8 SSIDs per radio/band, which would give you 16 SSIDs on a dual-band (2.4+5GHz) AP.
Whether that makes sense to have up to 8 2.4G-only SSIDs and up to 8 additional 5G only SSIDs (or even 8 additional SSIDs on APs with a secondary 5GHz or also 6GHz radio) or not is up to the user to decide, same with the disabled meshing.
Fact is, you could indeed get more SSIDs than just the mentioned 4, at the loss of functionality.

It definitely seems as though Alta Labs heavily pushing PPSK made it much more well known and probably pushed UniFi to finally implement it - that's where I found out about it, but until they release a local controller and demonstrate an ongoing commitment to supporting it long term, they aren't even a consideration for me.

The Controller is coming :) don't worry. & it will be 900x better then Unifi too ! @@camerongray1515

@@JasonsLabVideos Once I see it and they demonstrate that it's something that they'd actually care about supporting long term I'd be slightly more interested. I'm aware they are "planning on releasing a local controller" but it's been several months now with nothing. For me, it's a bit of a red flag when a company's clear priority is a cloud controller since the last thing I want to do is invest in a given ecosystem only to find the support gets pulled at a later date or they begin to slack on releasing updates for the local controller in favour of the cloud one. Seems like a strange business decision to release cloud only at first and then promise a local controller at a later date - now almost all reviews of their products heavily focus on the fact that there's no local controller.

LOL you run unifi thats a Eco CRAP system ! @@camerongray1515

You consistently hate on UniFi but have never cited any actual issues. Sure they're not perfect and have made some stupid decisions in the past, but no platform is. Personally I'd rather use a system that doesn't rely on a cloud service that can be pulled/charged for at any time - look at what happened to Open Mesh!
I also don't currently use UniFi at home, my home network uses a Ruckus Unleashed AP, OPNSense firewall and Cisco Business switches. That said, I use their APs with self hosted controllers in several other environments and they've been rock solid for years.

I think my information was possibly outdated, UniFi historically had a limit of 4 SSIDs per radio however it looks like this is now up to 8 SSIDs per radio on *most* APs where wireless uplink is disabled. So you could technically have up to 8x 2.4GHz SSIDs and 8x 5GHz SSIDs or 8x dual band SSIDs per AP. That said, I'd never recommend creating that many SSIDs from an airtime usage perspective which is why PPSK is such a useful feature.

I don't think PPSK is for everyone. In fact, I don't think it benefits most people.
Better to create one SSID per VLAN and have it configured specifically for that VLAN.

An integrated RADIUS server would be nice, however 802.1X using RADIUS isn't really the same thing as using PPSK. 802.1x/WPA-Enterprise is only supported by certain clients (and not many embedded devices such as IoT devices, games consoles, TVs.etc) whereas PPSK works with any device that supports WPA2-PSK.

​@@camerongray1515 Sure sure, it hasn't seen nearly the popularity it deserves. But in my experience in most embedded devices it only comes down to the developer not caring. Eg. everything based on an ESP8266 can do EAP-TTLS and even certificate base EAP-TLS. Could just be you need to flash your device first (maybe not such a bad idea as it probably won't get updated to WPA3 anyway)

It's true that most devices *should* really support it, but sadly many don't and while flashing is possible on some very specific devices (such as those that can run Tasmota), it doesn't really work for devices such as TVs, games consoles, IP cameras, or things like my Nest thermostat which can't just be flashed with different firmware. In a business environment you can probably get away with it, but in a home setting, even if all of your devices support 802.1x now, it's likely that you'll end up in a situation where you'll want to use a new device that doesn't at which point you're stuck!

@@camerongray1515 At which point this device will get its own 2.4G AP if it stops bothering the rest... People using proprietary closed cloud environments will not care about splitting their network. They don't even use the default guest network their router puts up.
It's nice these manufacturers have conjured up a temporary stopgap measure, but still nobody (except eduroam) is incentivising manufacturers to support safe solutions.

You'd ultimately need to reconnect everything to the network although there's nothing stopping you keeping the old SSID/Password that the IoT devices are currently connected to active and then also setting up PPSK on a new SSID allowing you to move devices over one by one without much downtime.

It's not perfect although I haven't really had any major issues in practice. I think the only issue I've had was connecting my washing machine where the app would insist on grabbing the saved credentials from my phone without prompting me because I was picking the same SSID so "surely the saved credentials that the phone is connected using are the correct ones" but even this was a relatively simple case of joining my phone using the IoT PSK, connecting the washing machine and then reverting the phone back to my main LAN's PSK. Network hopping is slightly inconvenient but it's not something I need to do particularly regularly so forgetting and rejoining the network isn't a huge deal. Pretty sure you'd have the same issue with 802.1x WPA2-Enterprise.

The U6 Enterprise and U6 Enterprise In-Wall are both WiFi 6E so they do offer it, only at the high end, but it's only a matter of time until they release lower end 6E APs.

This is true, you've now got me thinking of the term "LoT" (LAN of Things) to refer to this sort of stuff, nicer terminology for the VLAN names vs my current "iot_lan" and "iot_wan"

Fair point on WPA3 but other than that, you can still use PPSK with separate 2.4GHz and 5GHz SSIDs, although personally I prefer just to keep all SSIDs both 2.4GHz and 5GHz and use band steering type technology to direct 5GHz capable clients to that band while allowing legacy clients (or those with a weak signal) to connect on 2.4GHz. That said, PPSK could still be useful in a situation like yours if you wanted to separate out your 2.4GHz IoT network to isolate different types of devices from each other (e.g. one VLAN for cameras, one for super sketchy untrusted devices, one for devices that need to access a NAS for media streaming.etc)