When setting up an enterprise wireless network, it is common to configure WPA2 Password authentication to onboard users onto the wireless network. However, this method has limitations. For example, IT administrators cannot use different passwords on the same SSIDs to assign different VLANs or firewall rules to groups of users. While using 802.1X authentication, IT administrators can provide this level of granularity; however, it’s not always possible to use 802.1X because not all devices support it.
Therefore, IT administrators are left with two options:
They can provision a new SSID with a dedicated password for each device type. Unfortunately, this creates a lot of RF overhead and lowers possible throughputs.
They can create a single SSID with one password shared among all devices incapable of 802.1X (RADIUS) authentication. However, this approach has significant security and management overhead issues. IT administrators must reconfigure every device with a new password if this single password gets compromised.
Meraki solves this use case with Identity Pre-Shared Key (IPSK) without RADIUS. This feature allows you to configure multiple passwords for a single SSID and assign different Group Policies to each password without the added complexity of configuring and maintaining a RADIUS server. Furthermore, devices that cannot use 802.1X authentication (e.g., IoT devices) can also benefit from this feature.
https://documentation.meraki.com/MR/Design_and_Configure/Configuration_Guides/Encryption_and_Authent...
I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
Please, if this post was useful, leave your kudos and mark it as solved.
