Configure and Manage Pre-Shared Keys
Understand the benefits of pre-shared keys, add them to your WLAN, and refresh them periodically.
What Are Pre-Shared Keys (PSKs)?
Juniper APs support pre-shared keys (PSKs) to provide secure-channel encryption without an additional authentication server. When enabled for a WLAN, clients must present the secure PSK passphrase to connect to the wireless network.
Using PSKs makes onboarding new users to the SSID simple—they receive an email with a QR code for the SSID and authenticate using the PSK. You can assign PSKs individually (per user) or to groups of users via Multi-Pre-Shared Key (MPSK). You also can limit a given PSK to a set number of devices (requires firmware version 0.10 or later).
Each PSK in the Mist platform gets its own key name, which is essentially an identity that can be leveraged for user-level accountability in WxLAN policies, key rotation, and visibility in the Mist dashboard. For example, you can assign PSKs individually to corresponding VLANs for dynamic network segmentation within the same SSID. This is especially useful for IoT devices in, say, healthcare or warehouse environments, because you can group devices of the same type, assign each group a PSK, and segment the different groups onto different VLANs.
WLAN Security and PSK
Consider the following options when setting up your WLAN.
- WPA3/802.1X: WPA3 (Wi-Fi Protected Access 3) PSK requires AP firmware v0.9.x or later.
- WPA3/SAE requires AP firmware v0.8.x or later.
For the sake of backward compatibility with legacy devices, Juniper Mist also supports (but does not recommend) WPA-PSK with Temporal Key Integrity Protocol (TKIP), the original Wi-Fi Protected Access (WPA) security protocol, and Wired Equivalent Privacy (WEP), all of which have known vulnerabilities. These legacy options are not available by default. If you must enable WPA with PSK/TKIP, Multimode, or WEP keys, contact the Juniper Mist support team by creating a support ticket.
- To configure the multiple passphrase option with WPA3, you need AP firmware version 0.14 or higher.
- With WPA2, there are two methods of MPSK lookup for WLANs in the Mist portal: Local and RADIUS. With WPA3, you can enable RADIUS PSK.
(WPA2 Only) With Local lookup, keys are stored on the AP and can be created at both the site and organization level. It does not require connectivity to the Mist Cloud. Local is typically used for IoT, where PSKs are configured per device. Key rotation occurs at the hour of expiration. Local lookup supports up to 5000 PSKs per AP. It's a good option when you want to support devices rather than clients and when the keys don't need to be changed often.
(WPA2 and WPA3) With RADIUS lookup, PSKs are stored on the RADIUS server and the AP sends a MAC authentication request to it. The RADIUS server returns the passphrase in a Cisco AVPair attribute. RADIUS lookup is typically used when integrating with a third-party PSK hosting service. Supported RADIUS lookup integrations include Cisco Identity Services Engine (ISE), Aruba ClearPass, RG Nets, and Eleven Wireless. RADIUS lookup requires firmware version 0.8.x or later.
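The RADIUS lookup exchange from the AP's side, as an added example that is not part of the Juniper documentation or Mist's own code: it builds a constructed Access-Accept carrying the passphrase in Cisco-AVPair vendor attributes and shows the check a practitioner would want, namely that the Response Authenticator is verified against the shared secret before any returned passphrase is trusted. The attribute names psk-mode=ascii and psk=... follow the Cisco IPSK convention and are assumed here (the page does not name them); the shared secret, Request Authenticator, and key values are constructed sample data.

```python
import hashlib
import struct

SHARED_SECRET = b"example-radius-secret"  # constructed sample value
REQUEST_AUTH = bytes(range(16))           # constructed Request Authenticator from the AP's MAC-auth Access-Request
VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR, ACCESS_ACCEPT = 26, 9, 1, 2

def cisco_avpair(value: str) -> bytes:
    # One Cisco-AVPair wrapped in a RADIUS Vendor-Specific attribute (RFC 2865 section 5.26).
    data = value.encode()
    body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def build_access_accept(ident: int, attrs: bytes, secret: bytes) -> bytes:
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3).
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + REQUEST_AUTH + attrs + secret).digest() + attrs

def extract_psk(packet: bytes, secret: bytes) -> dict:
    # Verify the Response Authenticator first: a passphrase from an unauthenticated reply must never be used.
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    attrs = packet[20:length]
    expected = hashlib.md5(packet[:4] + REQUEST_AUTH + attrs + secret).digest()
    if code != ACCESS_ACCEPT or expected != packet[4:20]:
        raise ValueError("Access-Accept failed the Response Authenticator check")
    pairs, pos = {}, 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor, vtype, vlen = struct.unpack("!IBB", attrs[pos + 2:pos + 8])
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                key, _, val = attrs[pos + 8:pos + 6 + vlen].decode().partition("=")
                pairs[key] = val
        pos += alen
    return pairs

def lookup_ok() -> dict:
    # Constructed server reply; psk-mode/psk are the assumed (Cisco IPSK) attribute names.
    attrs = cisco_avpair("psk-mode=ascii") + cisco_avpair("psk=iot-scanner-key-2024")
    return extract_psk(build_access_accept(7, attrs, SHARED_SECRET), SHARED_SECRET)

def rejects_wrong_secret() -> bool:
    # A reply computed with a different shared secret (e.g. a spoofed server) must be discarded.
    attrs = cisco_avpair("psk=not-from-our-server")
    try:
        extract_psk(build_access_accept(7, attrs, b"wrong-secret"), SHARED_SECRET)
    except ValueError:
        return True
    return False
```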
Additional Options with Access Assurance
If you have an Access Assurance subscription, you can enable additional MPSK features, including:
- Cloud-based PSK lookup.
- Support for more than 5000 PSKs at the organization level.
- Automatic client onboarding, and PSK portals.
- Features of the PSK life-cycle management, including PSK expiration, rotation, and per-PSK accounting and visibility (on the Wi-Fi Clients page of the Mist portal).
The Access Assurance subscription is calculated according to the number of concurrent active client devices that are using MPSK, aggregated over a seven-day period (which accommodates usage peaks).
Configure PSKs
You can add, view, and modify pre-shared keys on the WLAN Settings page, the Pre-Shared Keys page, and the WiFi Clients page.
- WLAN Settings Page—Navigate to your WLAN or create a new one (see Adding a WLAN).
  - Security Type—Select WPA3 with Personal (SAE) or select WPA2 with Personal (PSK).
  - Enter the Passphrase or enable Multiple Passphrases.
- Pre-Shared Keys Page—From the left menu, select Site > Wireless > Pre-Shared Keys.
  - To view keys for a site—Select a site at the top of the page.
    Note: With an Access Assurance subscription, you also can view pre-shared keys at the organization level.
  - To change a key's passphrase, role, VLAN, or other properties—Click the key that you want to change. Make your changes, and then click Save.
  - To add or remove keys—Use the buttons at the top-right corner of the page: Import, Export, Add Key, and Delete Key.
- WiFi Clients Page—From the left menu, select Clients > WiFi Clients.
  - To view keys for a site or WLAN—Select a site at the top of the page, or enter an SSID in the Filter box.
  - To change the passphrase—Click the SSID to go to the WLAN page. Under Security, enter a new PSK. Then click Save at the top-right corner of the page.
As a best practice, refresh the PSK weekly.
You can automate the rotation process via email. See Rotating PSKs.