Hi Carl,
It is 100% true that you need to use guest.
EDIT: It's 100% true that you need to use guest if you are giving each device a unique PSK. If you want groups of devices to share the same passphrase, for example all iPhones use the same passphrase and all printers use a different one, then you can do this without guest by using enforcement profiles, enforcement policies and role mappings only.
Although it's called guest, it's just a device repository where you can customize your forms to be how you like and have the freedom to create device registration flows, which does include MPSK.
If configured correctly for any device registered, from the client's perspective, they should enter their unique passphrase once, then the end client should always use that for authentication (it'll be cached).
In reality, ClearPass doesn't actually care about the MPSK too much; it's just MAC authentication on ClearPass whereby when you have a successful MAC auth, ClearPass returns a RADIUS attribute to the controller saying, "I know this device, if the password it put in is xxxxx then let it on, if not reject it."
How the flow should work:
1. Register the device.
2. You should see a registration disconnect in the access tracker (usually pointless for MPSK unless editing as the device shouldn't be on the network yet).
3. Once you have registered your device, connect it to the network, entering the unique passphrase you were given whilst registering the device.
4. You should see a MAC authentication in the access tracker.
5. Your MPSK should be returned to the controller (check the output tab on access tracker).
6. The device should be connected.
If you have any more questions, I'm more than happy to help.
If you still have issues, if you can provide screenshots, I'll be able to see where it's going wrong.
Regards,
Ben Casey
Original Message:
Sent: 4/8/2026 7:44:00 PM
From: CroweNet
Subject: IOT WITH MPSK on CORP NETWORK
We have PLCs, printers, etc. that need to connect to our corp network over wifi. We have a number of personal devices that continue to figure out our PSK after it has changed and also connect to our corp wifi instead of using guest. My idea is to configure MPSK, and the Aruba videos I found are detailing that the steps are to configure the controller, ClearPass, then guest. I found it odd it involves guest, but I understand it will generate the unique PSK for each device created and use the selected role.
Is this in fact true when using MPSK for non-guest devices and network?
I am testing now with an iPhone that I have added to the device list in Guest, but the iPhone continues to get a prompt to enter the PSK instead of being automatically allowed to connect by MAC auth from the device list in Guest.
Have I misunderstood how this works? Can I not test with an iPhone even though that is exactly what I'm trying to not allow once I know it's working? The video I found shows that the device will show a web auth in access tracker, disconnect, then be allowed to connect after matching the MAC address that was added in the Guest module. If anyone has a great document on setting this up for the scenario I described and would be willing to share, that would be great. Maybe an iPhone is a bad device to test with?
ArubaOS 8.9 Series - Part 13 - Multi Pre Shared Key (MPSK)
-------------------------------------------