MPSK profiles
You can batch generate or import multiple pre-shared keys (MPSK), export MPSK keys to a CSV file, dynamically assign VLANs based on the MPSK used, and apply an MPSK schedule in the GUI. MPSK-related configurations are managed from the MPSK profile, which is available when you enable Advanced Wireless Features (see Advanced Wireless Features). MPSK profiles support WPA2-Personal, WPA3-SAE and WPA3-SAE Transition security modes.
In the GUI, MPSK key entries are organized in different MPSK groups. An MPSK group can be created manually or imported. When MPSK is enabled, the previous single passphrase is dropped and a dynamic VLAN is automatically enabled.
In the CLI, an mpsk-profile is assigned in the VAP settings and MPSK is enabled. The dynamic VLAN is automatically enabled. Only one MPSK profile can be assigned to one VAP at a time.
To configure an MPSK profile - GUI:
- Go to System > Feature Visibility and enable Advanced Wireless Features.
- Click Apply.
- Go to WiFi & Switch Controller > Connectivity Profiles > MPSK Profiles and click Create new to create an MPSK profile.
  The New MPSK Profile window loads.
- Enter an MPSK profile Name and select a security Type.
- Under MPSK group list, click Add > Create Group to create a new MPSK Group.
  The New MPSK Group window loads.
- In the New MPSK Group window, enter an MPSK Group Name and click Add > Create Key to add a new key.
  The New MPSK Key window loads.
  - If you selected WPA3 SAE or WPA2 Personal as your MPSK Profile security type, the Type is automatically set.
  - If you selected WPA3 SAE Transition, you can choose between WPA2 Personal or WPA3 SAE as the MPSK Key security type.
- In the New MPSK Key window, enter an MPSK Key Name, SAE password or Pre-shared key, and MAC address.
  Note: If you selected WPA3-SAE Transition, you can create multiple MPSK keys with WPA2 Personal and WPA3 SAE security types.
- When you are finished, click OK to save your MPSK profile configurations.
- Go to WiFi & Switch Controller > SSIDs and select or create a new SSID.
- Under Security Mode Settings, select the Security mode and SAE password that matches your MPSK profile.
  - If your security mode is WPA3 SAE:
    Under Pre-shared Key, enable MPSK Profile and then select the WPA3 SAE MPSK profile you configured.
  - If your security mode is WPA3 SAE Transition or WPA2 Personal:
    In Mode, select Multiple.
    In the MPSK profile, select the WPA3 SAE Transition or WPA2 Personal MPSK profile you configured.
- When you are finished, click OK.
To configure an MPSK profile with WPA3 SAE security mode - CLI:
- Create an MPSK profile with WPA3 SAE security mode:
config wireless-controller mpsk-profile
    edit "wifi"
        set mpsk-type wpa3-sae
        config mpsk-group
            edit "g1"
                config mpsk-key
                    edit "p1"
                        set key-type wpa3-sae
                        set mac f8:e4:e3:d8:5e:af
                        set sae-password ENC
                    next
                end
            next
        end
    next
end
- Apply the MPSK profile to a VAP with the security mode also set to WPA3 SAE:
config wireless-controller vap
    edit "wifi"
        set ssid "FOS_81F_WPA3_MPSK"
        set security wpa3-sae
        set pmf enable
        set schedule "always"
        set mpsk-profile "wifi"
        set dynamic-vlan enable
        set sae-password ENC
    next
end
To configure an MPSK profile with WPA3 SAE Transition security mode - CLI:
- Create an MPSK profile with WPA3 SAE Transition security mode:
config wireless-controller mpsk-profile
    edit "wifi2"
        set mpsk-type wpa3-sae-transition
        config mpsk-group
            edit "g1"
                config mpsk-key
                    edit "p1"
                        set key-type wpa2-personal
                        set passphrase *
                    next
                    edit "p2"
                        set key-type wpa3-sae
                        set mac f8:e4:e3:d8:5e:af
                        set sae-password *
                    next
                end
            next
        end
    next
end
- Apply the MPSK profile to a VAP with the security mode also set to WPA3 SAE Transition:
config wireless-controller vap
    edit "wifi2"
        set ssid "FOS_81F_WPA3_Transition"
        set security wpa3-sae-transition
        set pmf optional
        set schedule "always"
        set mpsk-profile "wifi2"
        set dynamic-vlan enable
        set sae-password ENC
    next
end
To configure an MPSK profile with WPA2 Personal security mode - CLI:
- Configure the MPSK profile from the GUI or CLI.
config wireless-controller mpsk-profile
    edit "wifi-mpsk"
        config mpsk-group
            edit "group-a"
                set vlan-type fixed-vlan
                set vlan-id 10
                config mpsk-key
                    edit "key-a-1"
                        set passphrase ENC
                        set mpsk-schedules "always"
                    next
                end
            next
            edit "group-b"
                set vlan-type fixed-vlan
                set vlan-id 20
                config mpsk-key
                    edit "key-b-1"
                        set passphrase ENC
                        set concurrent-client-limit-type unlimited
                        set mpsk-schedules "always"
                    next
                end
            next
        end
    next
end
- Apply the MPSK profile to a VAP with the security mode also set to WPA2 Personal:
config wireless-controller vap
    edit "wifi-mpsk"
        set ssid "wifi-mpsk"
        set local-bridging enable
        set schedule "always"
        set mpsk-profile "wifi-mpsk"
        set dynamic-vlan enable
    next
end
- Verify the event log after the WiFi client is connected:
1: date=2020-07-10 time=16:57:20 logid="0104043573" type="event" subtype="wireless" level="notice" vd="root" eventtime=1594425440439070726 tz="-0700" logdesc="Wireless client authenticated" sn="FP423E3X16000320" ap="FP423E3X16000320" vap="wifi-mpsk" ssid="wifi-mpsk" radioid=2 user="N/A" group="N/A" stamac="3c:2e:ff:83:91:33" srcip=10.0.10.2 channel=144 radioband="802.11ac" signal=-52 snr=50 security="WPA2 Personal" encryption="AES" action="client-authentication" reason="Reserved 0" mpsk="key-a-1" msg="Client 3c:2e:ff:83:91:33 authenticated."
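Added example, not part of the original documentation: Python that parses event log lines like the one above, maps the mpsk field back to the group and VLAN from the WPA2 Personal CLI example, and reports authentications that used an unknown key or a key seen from several stations. The second and third sample lines and the key name key-x-9 are constructed, and treating multiple stations on one key as a finding assumes keys are issued per device.

```python
import re
from collections import defaultdict

# key=value or key="quoted value" pairs of a FortiOS event log line
PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# MPSK key -> (group, VLAN ID), copied from the WPA2 Personal CLI example above
KEY_VLAN = {"key-a-1": ("group-a", 10), "key-b-1": ("group-b", 20)}

SAMPLE = [
    # The page's log entry, trimmed to the fields used here
    '1: date=2020-07-10 time=16:57:20 logid="0104043573" subtype="wireless" '
    'vap="wifi-mpsk" stamac="3c:2e:ff:83:91:33" security="WPA2 Personal" '
    'action="client-authentication" reason="Reserved 0" mpsk="key-a-1"',
    # Constructed: a second station on key-a-1, then an unknown key name
    '2: date=2020-07-10 time=17:02:11 vap="wifi-mpsk" '
    'stamac="02:00:00:00:00:01" action="client-authentication" mpsk="key-a-1"',
    '3: date=2020-07-10 time=17:05:40 vap="wifi-mpsk" '
    'stamac="02:00:00:00:00:02" action="client-authentication" mpsk="key-x-9"',
]

def parse_event(line):
    """Return the fields of one event log line as a dict of strings."""
    return {m[1]: m[2] if m[2] is not None else m[3] for m in PAIR.finditer(line)}

def audit(lines, vap):
    """Group station MACs by MPSK key for one VAP and collect findings."""
    stations, findings = defaultdict(set), []
    for ev in map(parse_event, lines):
        if ev.get("vap") != vap or ev.get("action") != "client-authentication":
            continue
        key, mac = ev.get("mpsk"), ev.get("stamac")
        if key not in KEY_VLAN:
            findings.append((mac, key, "key not in inventory"))
            continue
        stations[key].add(mac)
    # Assumption: keys are issued per device, so several MACs on one key is worth review
    for key, macs in sorted(stations.items()):
        if len(macs) > 1:
            findings.append((None, key, f"used by {len(macs)} stations"))
    return dict(stations), findings

if __name__ == "__main__":
    stations, findings = audit(SAMPLE, "wifi-mpsk")
    for key, macs in stations.items():
        print(key, "-> group/VLAN", KEY_VLAN[key], "stations", sorted(macs))
    for finding in findings:
        print("finding:", finding)
```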