Authentication

EasyPSK

EasyPSK provides simple pre-shared key authentication with unique passwords for each user. Perfect for guest networks, contractors, and temporary access scenarios where traditional WPA2-PSK falls short.

Overview

Traditional WPA2-PSK networks share a single password with all users. When that password is compromised or a user leaves, you need to change the password for everyone. EasyPSK solves this by giving each user their own unique passphrase.

Unique Per-User PSK

Every user gets their own password. Revoke access instantly without affecting others.

Automatic Expiration

Set passwords to expire after hours, days, or weeks. No manual cleanup needed.

Usage Tracking

See when and how often each password is used for security and compliance.

Dynamic VLAN

Assign users to different VLANs based on their PSK for network segmentation.

How It Works

  1. User Connects to Wi-Fi - The user selects your SSID and enters their unique PSK passphrase.
  2. Wireless Controller Queries RADIUS - The controller sends the passphrase to NetKey RADIUS for validation.
  3. NetKey Validates PSK - NetKey checks if the PSK exists, is enabled, and hasn't expired.
  4. RADIUS Response - On success, NetKey responds with Access-Accept and an optional VLAN assignment.
  5. User Connected - The user is connected to the network with the appropriate access level.

Technical Detail

NetKey uses the Calling-Station-Id (MAC address) as username and validates the PSK via RADIUS. The PSK itself authenticates the 4-way handshake, while RADIUS provides the authorization decision and VLAN assignment.

Creating PSKs

Via Web Dashboard

  1. Navigate to PSKs in the left navigation.
  2. Click the Add PSK button in the top right.
  3. Fill in the PSK details:
       • Name - Descriptive name (e.g., "Guest - John Smith")
       • Passphrase - Leave blank to auto-generate, or enter custom (8-63 chars)
       • VLAN - Select VLAN for this user (optional)
       • Expires - Set expiration date/time (optional)
       • SSID - Restrict to specific SSID (optional)
  4. Click Save. The PSK is immediately active.

Via API

cURL
curl -X POST "https://api.netkey.no/v1/psks" \
  -H "X-API-Key: nk_live_abc123..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Guest - John Smith",
    "vlan_id": 100,
    "expires_at": "2025-12-31T23:59:59Z"
  }'

Response:

JSON
{
  "success": true,
  "psk": {
    "id": 42,
    "name": "Guest - John Smith",
    "passphrase": "XjK9#mP2$vL5",
    "vlan_id": 100,
    "expires_at": "2025-12-31T23:59:59Z"
  }
}

Managing PSKs

Viewing PSKs

The PSK list shows all PSKs with key information:

  • Name - Descriptive identifier
  • Status - Enabled, disabled, or expired
  • VLAN - Assigned network segment
  • Expires - Expiration date or "Never"
  • Last Used - Most recent authentication
  • Usage Count - Number of authentications

Disabling a PSK

Disable a PSK to immediately prevent access without deleting it. Click the toggle in the PSK row or edit the PSK and uncheck "Enabled".

Immediate Effect

Disabling a PSK takes effect immediately. Active sessions may continue until re-authentication, depending on your controller's session timeout settings.

Regenerating a Passphrase

If a passphrase is compromised, regenerate it without creating a new PSK. Edit the PSK, clear the passphrase field, and save. A new secure passphrase will be generated automatically.

Bulk Operations

Select multiple PSKs using checkboxes to:

  • Delete multiple PSKs at once
  • Enable or disable multiple PSKs
  • Export to CSV

Passphrase Policy

Configure passphrase generation settings in Group Settings.

Setting            Default  Description
Minimum Length     12       Minimum passphrase characters
Include Uppercase  Yes      Include A-Z characters
Include Lowercase  Yes      Include a-z characters
Include Numbers    Yes      Include 0-9 characters
Include Symbols    Yes      Include special characters
Exclude Ambiguous  Yes      Exclude 0/O, 1/l/I for readability

Expiration & Lifecycle

Setting Expiration

PSKs can be set to expire:

  • Never - PSK remains valid indefinitely
  • Fixed Date - Expires on specific date/time
  • Relative - Expires X hours/days from creation

Expired PSK Behavior

When a PSK expires:

  1. New authentication attempts are rejected
  2. PSK status changes to "Expired" in dashboard
  3. Active sessions may continue until re-auth
  4. PSK can be re-enabled by setting new expiration

Automatic Cleanup

Configure automatic deletion of expired PSKs in Group Settings. Options: Keep forever, delete after 7/30/90 days.

VLAN Assignment

Assign PSKs to VLANs for network segmentation.

Per-PSK VLAN

Each PSK can specify a VLAN. When the user authenticates, NetKey returns the VLAN ID in the RADIUS response using standard tunnel attributes.

RADIUS Attributes

RADIUS Response
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = 100

Default VLAN

If no VLAN is specified on a PSK, users are placed in the WLAN's default VLAN as configured on your wireless controller.

SSID Restriction

Restrict PSKs to specific SSIDs for multi-SSID environments.

Use Cases

  • Separate guest network from IoT network
  • Different PSKs for different building SSIDs
  • Prevent credential sharing across networks

Configuration

When creating/editing a PSK, select the allowed SSID. Leave blank to allow authentication on any SSID.

Called-Station-Id

SSID restriction uses the Called-Station-Id RADIUS attribute. Ensure your wireless controller is configured to include the SSID in this attribute.
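
The decision described in steps 3 and 4 of How It Works, combined with the VLAN attributes and the SSID restriction above, as an added example (a model for reasoning and troubleshooting, not NetKey's code). The PskRecord shape, the order of checks and the reason strings are assumptions; the Called-Station-Id layout follows RFC 3580 (AP MAC, a colon, then the SSID).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# AP MAC (hyphen, colon or no separators), a colon, then the SSID.
_CALLED_STATION = re.compile(r"^[0-9A-Fa-f]{2}(?:[-:]?[0-9A-Fa-f]{2}){5}:(.+)$", re.S)

@dataclass
class PskRecord:  # hypothetical record, fields modelled on the dashboard form
    name: str
    enabled: bool = True
    expires_at: Optional[datetime] = None  # None means "Never"
    vlan_id: Optional[int] = None          # None means the WLAN's default VLAN
    ssid: Optional[str] = None             # None means any SSID

def ssid_of(called_station_id: str) -> Optional[str]:
    """Return the SSID suffix, or None when the controller sent only the MAC."""
    m = _CALLED_STATION.match(called_station_id or "")
    return m.group(1) if m else None

def authorize(psk: Optional[PskRecord], called_station_id: str, now: datetime):
    """Return (packet_type, attributes, reason) for one authentication attempt."""
    def reject(reason):
        return "Access-Reject", {}, reason
    if psk is None:
        return reject("unknown PSK")
    if not psk.enabled:
        return reject("PSK disabled")
    if psk.expires_at is not None and now >= psk.expires_at:
        return reject("PSK expired")
    # Fail closed: a restricted PSK is rejected when the SSID is absent.
    if psk.ssid is not None and ssid_of(called_station_id) != psk.ssid:
        return reject("SSID restriction mismatch")
    attrs = {}
    if psk.vlan_id is not None:
        attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                 "Tunnel-Private-Group-ID": str(psk.vlan_id)}
    return "Access-Accept", attrs, "ok"

if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    guest = PskRecord("Guest - John Smith", vlan_id=100, ssid="Guest",
                      expires_at=datetime(2025, 12, 31, 23, 59, 59, tzinfo=timezone.utc))
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    print(authorize(guest, "00-11-22-33-44-55:Guest", now))  # accepted, VLAN 100
    print(authorize(guest, "00-11-22-33-44-55", now))        # rejected: no SSID sent
```

The second call shows why the controller must append the SSID: without it, every SSID-restricted PSK is rejected even when the passphrase is correct.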

Best Practices

Use Descriptive Names

Include the user's name, department, or purpose in the PSK name for easy identification. Example: "Guest - Jane Doe - Marketing Meeting 2025-01-20"

Always Set Expiration

For temporary access, always set an expiration date. This prevents PSK accumulation and reduces security risk.

Use VLANs for Segmentation

Assign guests to a separate VLAN from employees to limit network access and meet compliance requirements.

Regular Cleanup

Review expired and unused PSKs periodically. Enable automatic cleanup for expired PSKs.

Monitor Usage

Check the usage count and last-used date to identify unused PSKs that can be deleted.

Disable Fast Transition (802.11r)

Fast Transition must be disabled on EasyPSK SSIDs. FT pre-caches the PMK for fast roaming, but with unique PSKs per user, the target AP cannot know which PMK to use. Standard roaming still works well without FT.

Troubleshooting

  • Verify the passphrase is entered exactly (case-sensitive)
  • Check if PSK is enabled in dashboard
  • Check if PSK has expired
  • Check if SSID restriction matches
  • View Authentication Logs for detailed error
  • Verify VLAN ID is correct in PSK settings
  • Check "AAA Override" is enabled on wireless controller
  • Ensure VLAN exists and is allowed on controller
  • Check Auth Logs for RADIUS attributes sent
  • Verify RADIUS server is configured on controller
  • Check RADIUS secret matches exactly
  • Verify network connectivity (ping RADIUS server)
  • Check firewall allows UDP 1812/1813
  • Enable RADIUS debug on controller