Device Specific Pre-shared key or Multiple Pre-shared keys
By Bhanu Prasad
Apr 4, 2021
Updated: Oct 5
We all know how a Pre-Shared Key (WPA2-Personal) SSID works: one SSID, one Pre-shared key. Anyone who knows the Pre-shared key (or passphrase) can connect to the network, and every user who connects successfully gets the same type of access to the network.
With Device Specific Pre-shared Keys or Multiple Pre-shared Keys, an SSID can accept several different Pre-shared keys for a successful connection. This concept is commonly used in IoT environments, so that different types of IoT devices connect to the same SSID with different Pre-shared keys and are given network access only to specific servers, etc.
Let me take an example to explain this and avoid any confusion.
Example: Let's assume we have configured an SSID named "DSPSK" with WPA2-Personal and the Device Specific Pre-shared Key / Multiple Pre-shared Keys functionality:
User 1 can successfully connect to the SSID with Passphrase1, and after successful connectivity the user will have Authenticated-Role1.
User 2 can successfully connect to the same SSID with Passphrase2 (a different passphrase), and after successful connectivity the user will have Authenticated-Role2.
A group of other devices (like wireless cameras) can connect to the same SSID with Passphrase3, and after successful connectivity all of those devices will have Authenticated-Role3.
An SSID that accepts multiple Pre-shared keys is achieved by having a RADIUS server, enabling MAC Authentication on the SSID, and associating each user device's MAC address with a Pre-shared key in the RADIUS server.
Below is the frame/packet flow for a successful connection to an SSID that supports Multiple Pre-shared keys.
Note: If the user device's MAC address is not present in the RADIUS server and the Access Point / Authenticator receives a RADIUS Access-Reject, there will be no EAPOL-Key exchange.

The wireless frames show no difference when we compare a normal WPA2-Personal SSID with a Multiple Pre-shared keys SSID.
Below are the Association Request and Response frames for Multiple Pre-shared keys.

After sending a successful Association Response, the Access Point / Authenticator sends a RADIUS Access-Request to validate the user device's MAC address.
RADIUS sends an Access-Accept if the user's MAC address is present in the database, otherwise an Access-Reject.

In the RADIUS database, each MAC address is associated with a passphrase. If the Authenticator receives a RADIUS Access-Accept, it uses the passphrase associated with the user device's MAC address to generate the keys (PMK, PTK, etc.) and provide network access to the user device.
The RADIUS Access-Accept also carries the Role for the user device.

If the user device's passphrase and the Authenticator's passphrase do not match, we will not see EAPOL-Key messages 3 & 4.
If the Authenticator receives a RADIUS Access-Reject for the user device, the session ends and there is no EAPOL-Key exchange between the user device and the Authenticator.
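As an added example (not part of the original post), here is a Python simulation of the authenticator logic above: a constructed dictionary stands in for the RADIUS database, the PMK is derived from the RADIUS-supplied passphrase with PBKDF2 exactly as in WPA2-Personal, and the MIC on message 2 is checked, which is why a passphrase mismatch stops the exchange before messages 3 and 4. The BSSID, MAC addresses and the message-2 body are constructed placeholders, not real frames.

```python
import hashlib
import hmac
import os

SSID = "DSPSK"

# Constructed stand-in for the RADIUS database described on the page:
# MAC address -> (device-specific passphrase, role returned in Access-Accept).
RADIUS_DB = {
    "aa:bb:cc:00:00:01": ("Passphrase1", "Authenticated-Role1"),
    "aa:bb:cc:00:00:02": ("Passphrase2", "Authenticated-Role2"),
    "aa:bb:cc:00:00:03": ("Passphrase3", "Authenticated-Role3"),  # camera group
}

def pmk(passphrase: str, ssid: str = SSID) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def kck(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """KCK = first 128 bits of the PTK (802.11i PRF; one HMAC block covers 16 bytes)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return hmac.new(pmk_, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1).digest()[:16]

def mic(kck_: bytes, body: bytes) -> bytes:
    """EAPOL-Key MIC for CCMP (key descriptor version 2): HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck_, body, hashlib.sha1).digest()[:16]

def handshake(mac: str, client_passphrase: str) -> dict:
    """Authenticator logic after Association: RADIUS MAC lookup, then 4-way handshake check."""
    entry = RADIUS_DB.get(mac)
    if entry is None:  # MAC unknown: Access-Reject, no EAPOL-Key exchange at all
        return {"radius": "Access-Reject", "eapol": "none"}
    ap_passphrase, role = entry
    aa = bytes.fromhex("001122334455")  # constructed AP BSSID
    spa = bytes.fromhex(mac.replace(":", ""))
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Message 2 body (constructed placeholder, MIC field zeroed) is built by the
    # supplicant from whatever passphrase the user typed.
    msg2 = b"EAPOL-Key message 2 body" + snonce
    client_mic = mic(kck(pmk(client_passphrase), aa, spa, anonce, snonce), msg2)
    # The authenticator derives its own KCK from the RADIUS-supplied passphrase and
    # verifies the MIC; on mismatch it never sends messages 3 and 4.
    ap_mic = mic(kck(pmk(ap_passphrase), aa, spa, anonce, snonce), msg2)
    if not hmac.compare_digest(client_mic, ap_mic):
        return {"radius": "Access-Accept", "role": role, "eapol": "stopped after message 2"}
    return {"radius": "Access-Accept", "role": role, "eapol": "messages 3 and 4 sent"}
```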
