Preshared Keys

SUMMARY Use this information to understand the benefits of using preshared keys (PSKs) and the options for enabling and managing PSKs in the Juniper Mist™ portal.

Juniper APs support preshared key (PSK), which is a standard for secure-channel encryption that does not require an additional authentication server. When enabled for a WLAN, clients must present a secure passphrase to connect to the wireless network.

Using PSKs makes onboarding new users to the SSID simple: they receive an email with a QR code to the SSID and authenticate using the PSK. In addition, you can use PSKs in WxLAN policies to control access on a per-user and per-resource basis. For example, you could make it so wireless cameras can only connect to the video feed server, so if a camera is ever hacked, there is no path from it to the rest of the network. See Leveraging Roles in a PSK (Use Case).

You can view or edit PSKs in the Juniper Mist dashboard by WLAN, by site, and for the org as a whole (the latter requires an Access Assurance subscription; see Features That Require Access Assurance).

Figure 1: Preshared Key Management for the Organization

You can use and assign PSKs individually, per user, or by group to multiple users (this is known as Multi-Preshared Keys). Likewise, you can assign a given PSK to a set number of devices, or it can be open-ended. The former requires firmware version 0.10 or later.

Key rotation, which is the timely expiration and replacement of PSKs, can also be automated via email. See Rotating PSKs.

Figure 2: Site-Level Preshared Keys

Viewing and Managing PSKs

On the Mist dashboard, the PSK is listed alongside the client on the WiFi Clients page for the organization (select Clients > WiFi Clients). Here you can also find any given wireless client by its preshared key or, for multi-preshared keys (MPSK), group all the clients using the same key, just like you'd expect with traditional 802.1X accounting.

Best practices for PSK management include refreshing the PSK weekly, which you can also do from this page.

Figure 3: View and Manage Preshared Keys

From the WiFi Clients page, you can drill down to the Pre-Shared Keys page for a given client, or you can open the page by selecting Organization > Wireless | Pre-Shared Keys in the menu. Either way, you can find clients by PSK name, by SSID, or by role. You can also view and manage PSKs used in the organization, view all currently active clients, and see which, if any, PSKs are due to expire soon.
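The weekly refresh and expiry review described above can also be run as an offline audit over an exported key inventory. The following is an added example, not Juniper Mist code: the record field names, the 12-character minimum, and the two-day expiry warning are assumptions, and the inventory is constructed sample data.

```python
import secrets
import string
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed inventory; field names are hypothetical, not the Mist API schema.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
SAMPLE_PSKS = [
    {"name": "cam-lobby", "ssid": "IoT", "passphrase": "Xk9#mP2$vL8@qR4!",
     "created": NOW - timedelta(days=3), "expires": NOW + timedelta(days=4)},
    {"name": "cam-dock", "ssid": "IoT", "passphrase": "Xk9#mP2$vL8@qR4!",
     "created": NOW - timedelta(days=3), "expires": NOW + timedelta(days=4)},
    {"name": "printer-2f", "ssid": "IoT", "passphrase": "printer1",
     "created": NOW - timedelta(days=40), "expires": None},
    {"name": "guest-wk24", "ssid": "Guest", "passphrase": "t7Gq-Zp3w-Lm9x-Rb2c",
     "created": NOW - timedelta(days=6), "expires": NOW + timedelta(days=1)},
]

def audit_psks(psks, now, max_age_days=7, expiry_warn_days=2, min_len=12):
    """Return {psk name: sorted list of findings} for keys needing attention."""
    findings = defaultdict(set)
    by_secret = defaultdict(list)
    for p in psks:
        by_secret[(p["ssid"], p["passphrase"])].append(p["name"])
        if now - p["created"] > timedelta(days=max_age_days):
            findings[p["name"]].add("stale")  # older than the weekly refresh
        if p["expires"] is None:
            findings[p["name"]].add("no-expiry")
        elif p["expires"] - now <= timedelta(days=expiry_warn_days):
            findings[p["name"]].add("expiring-soon")
        # WPA2 passphrases are 8 to 63 printable ASCII characters;
        # min_len is a stricter local policy value (assumption).
        pw = p["passphrase"]
        if not (min_len <= len(pw) <= 63) or not all(32 <= ord(c) <= 126 for c in pw):
            findings[p["name"]].add("weak-passphrase")
    # Two key names sharing one passphrase on an SSID cannot be told apart
    # when attributing a client to a key.
    for names in by_secret.values():
        if len(names) > 1:
            for n in names:
                findings[n].add("duplicate-passphrase")
    return {n: sorted(f) for n, f in findings.items()}

def new_passphrase(length=24):
    """Generate a random replacement passphrase from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for name, issues in audit_psks(SAMPLE_PSKS, NOW).items():
        print(f"{name}: {', '.join(issues)} -> rotate to {new_passphrase()}")
```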

WPA Support

Mist APs support WPA2-PSK, which you can use for multiple passphrases. WPA2-PSK uses Advanced Encryption Standard (AES).

Juniper APs running firmware v0.9.x or later support WPA3/802.1X WPA3 (Wi-Fi Protected Access 3) PSK. APs running firmware v0.8.x or later support WPA3/SAE. WPA3 provides individualized data encryption using Advanced Encryption Standard (AES). WPA3-Enterprise supports 192-bit encryption, and WPA3-Personal mode supports 128-bit encryption.

For the sake of backward compatibility with legacy devices, Juniper Mist also supports (but does not recommend) WPA-PSK and Temporal Key Integrity Protocol (TKIP), the Wi-Fi Protected Access (WPA) security protocol, and Wired Equivalent Privacy (WEP), all of which have known vulnerabilities. These legacy options are not available by default. If you must enable WPA with PSK/TKIP, Multimode, or WEP keys, contact the Juniper Mist support team by creating a support ticket. For help with support tickets, see the Juniper Mist Management Guide.