Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Multi-Preshared Keys

SUMMARY Use this information to understand the benefits of multi-preshared keys (MPSKs) and the options for enabling MPSK in the Juniper Mist™ portal.

The Juniper Mist portal supports multi-preshared keys (MPSK) (also known as private preshared keys or PPSK). Each PSK in the Mist platform gets its own key name, which is essentially an identity that can be leveraged for user-level accountability for WxLAN policies, key rotation, and visibility in the Mist dashboard. See the Mist API documentation for information on cloud-based PSK. MPSK uses WPA2/PSK.

For example, you can assign PSKs individually to corresponding VLANs for dynamic network segmentation within the same SSID. This is especially useful for IoT devices in, say, healthcare or warehouse environments because you can group devices of the same type, assign a PSK, or segment the different groups to different VLANs.

You can also use MPSKs in multi-user environments to automatically, and securely, onboard new devices, as well as authorize users' BYOD. MPSK/email pairs are especially useful in WxLAN policies, for example, when creating a policy for personal WLANs. Note that certain aspects and features of PSK require an Access Assurance subscription.

Lookup Methods

With WPA2, there are two methods of MPSK lookup for WLANs in the Mist portal: Local and RADIUS. With WPA3, you can enable RADIUS PSK.

  • (WPA2 Only) With Local lookup, keys are stored on the AP and can be created at both the site and organization level. It does not require connectivity to the Mist Cloud. Local is typically used for IoT, where PSKs are configured per device. Key rotation occurs at the hour of expiration. Local lookup supports up to 5000 PSKs per AP. It's a good option when you want to support devices rather than clients and when the keys don't need to be changed often.

    Multiple Passphrases - Local Option Selected
  • (WPA2 and WPA3) With RADIUS lookup, PSKs are stored on the RADIUS server and the AP sends a MAC authentication request to it. The RADIUS server returns the passphrase using Cisco AVPair. RADIUS is typically used when integrating with a third-party PSK hosting service. RADIUS lookup support includes Identity Services Engine (Cisco ISE), Aruba ClearPass, RG Nets, and Eleven Wireless. RADIUS lookup requires firmware version 0.8x or later.

    Multiple Passphrases - RADIUS PSK Option Selected

MPSK Features and Benefits

MAC-less client device onboarding

  • You don't have to plan out PSK or client MAC address pairings.

  • Avoids the pitfalls of MAC randomization.

PSK life-cycle management

  • Create, rotate, and auto-expire PSKs.
  • If ever a single PSK is compromised, you can quickly identify the blast radius and rotate the affected PSK without disturbing other clients.

Dynamic traffic engineering

  • Assign VLANs per PSK.
  • Create user-specific WxLAN policies by assigning roles to PSKs.

Personal WLAN

  • You can create virtual broadcast domains on a per-PSK basis.

User-level accountability

  • With PSK naming you can view client sessions in the Mist portal.
  • Supports third-party audit integration.

Automatic PSK provisioning and rotation

  • Onboard users with their SSO login.
  • Automatically create an identity pair from the SSO user name and a personal PSK.

Features That Require Access Assurance

You need an Access Assurance subscription for some MPSK features, including:

  • Cloud-based PSK lookup.
  • Support for more than 5000 PSKs at the organization level.
  • Automatic client onboarding, and PSK portals.
  • Features of the PSK life-cycle management, including PSK expiration, rotation, and per-PSK accounting and visibility (on the Wi-Fi Clients page of the Mist portal).

The Access Assurance subscription is calculated according to the number of concurrent, active, client devices that are using MPSK as aggregated over a seven-day period (which accommodates usage peaks).