Security

We have PLCs, Printers, etc that need to connect to our corp network over wifi. We have a number of personal devices that continue to figure out our PSK after it has changed and also connect to our corp wifi instead of using guest. My idea is to configure MPSK and the Aruba videos I found are detailing that steps are to configure the controller, clearness, then guest. I found it odd it involves guest but I understand it will generate the unique psk for each device created and use the selected role. 

Is this in fact true when using MPSK for non guest devices and network?

I am testing now with an iPhone that I have added to the device list in Guest, but the iPhone continues to get a prompt to enter the psk instead of automatically allowed to connect by Mac auth from the device list in Guest.

Have I misunderstood how this works? Can I not test with an iPhone even though that is exactly what I'm trying to not allow once I know it's working? The video I found shows that the device will show a web auth in access tracker, disconnect, then be allowed to connect after matching the Mac address that was added in the Guest module. If anyone has a great document on setting this up for the scenario I described and would be willing to share, that would be great. Maybe an iPhone is a bad device to test with?

ArubaOS 8.9 Series - Part 13 - Multi Pre Shared Key (MPSK)

YouTube		remove preview
ArubaOS 8.9 Series - Part 13 - Multi Pre Shared Key (MPSK) In this video I am going to show you how configure and use the Multi Pre Shared Key (MPSK) feature. ⏰Timestamps: 00:00 Introduction to MPSK 01:15 Network Diagram 01:25 What do you need? View this on YouTube >

-------------------------------------------

Original Message:
Sent: 4/9/2026 4:38:00 AM
From: Ben_C
Subject: RE: IOT WITH MPSK on CORP NETWORK

Hi Carl,

It is 100% true that you need to use guest.

EDIT: - Its 100% true that you need to use guest if you are giving each device a unique PSK. If you want groups of devices to share the same passphrase, for example all iphones use the same passphrase and all printers use a different one, then you can do this without guest by using enforcement profiles, enforcement policies and role mappings only.

Although it's called guest, it's just a device repository where you can customize your forms to be how you like and have the freedom to create device registration flows, which does include MPSK.

If configured correctly for any device registered, from the client's perspective, they should enter their unique passphrase once, then the end client should always use that for authentication (it'll be cached).

In reality, ClearPass doesn't actually care about the MPSK too much; it's just MAC authentication on ClearPass whereby when you have a successful MAC auth, ClearPass returns a RADIUS attribute to the controller saying, "I know this device, if the password it put in is xxxxx then let it on, if not reject it."

How the flow should work:

1. Register the device.

2. You should see a registration disconnect in the access tracker (usually pointless for MPSK unless editing as the device shouldn't be on the network yet).

3. Once you have registered your device, connect it to the network, entering the unique passphrase you were given whilst registering the device.

4. You should see a MAC authentication in the access tracker.

5. Your MPSK should be returned to the controller (check the output tab on access tracker).

6. The device should be connected.

If you have any more questions, I'm more than happy to help.

If you still have issues, if you can provide screenshots, I'll be able to see where it's going wrong.

Regards,

Ben Casey

Current state, I see the device in access tracker doing a web auth but the psk is not being accepted on the device, they continue to get an error message "Incorrect Password". This makes me wonder if the config is not right on the conductor/controller for this site and test SSID. 

I have added screens shots from each system showing current configuration. Thank you for being willing to take a look at this.

-------------------------------------------

Original Message:
Sent: Apr 09, 2026 04:37 AM
From: Ben_C
Subject: IOT WITH MPSK on CORP NETWORK

Hi Carl,

It is 100% true that you need to use guest.

EDIT: - Its 100% true that you need to use guest if you are giving each device a unique PSK. If you want groups of devices to share the same passphrase, for example all iphones use the same passphrase and all printers use a different one, then you can do this without guest by using enforcement profiles, enforcement policies and role mappings only.

Although it's called guest, it's just a device repository where you can customize your forms to be how you like and have the freedom to create device registration flows, which does include MPSK.

If configured correctly for any device registered, from the client's perspective, they should enter their unique passphrase once, then the end client should always use that for authentication (it'll be cached).

In reality, ClearPass doesn't actually care about the MPSK too much; it's just MAC authentication on ClearPass whereby when you have a successful MAC auth, ClearPass returns a RADIUS attribute to the controller saying, "I know this device, if the password it put in is xxxxx then let it on, if not reject it."

How the flow should work:

1. Register the device.

2. You should see a registration disconnect in the access tracker (usually pointless for MPSK unless editing as the device shouldn't be on the network yet).

3. Once you have registered your device, connect it to the network, entering the unique passphrase you were given whilst registering the device.

4. You should see a MAC authentication in the access tracker.

5. Your MPSK should be returned to the controller (check the output tab on access tracker).

6. The device should be connected.

If you have any more questions, I'm more than happy to help.

If you still have issues, if you can provide screenshots, I'll be able to see where it's going wrong.

Regards,

Ben Casey

With Aruba controller-based Wi-Fi, MPSK only works in conjunction with MAC address authentication. The Guest Device Repository is indeed the right choice. Although it has "Guest" in its name, it can be used normally for MAC authentication on corporate devices.

Unlike with WPA2, in an MPSK Wi-Fi network the PSK is not stored in the Wi-Fi controller within an SSID profile. After successful MAC authentication, it is sent to the controller in an Aruba RADIUS attribute. The content of this attribute is then used for the Pairwise Master Key calculation and for the 4-way handshake.

ClearPass checks the MPSK field on the guest device and sends the content to the controller, following syntax is used in the enforcement profile: Radius:Aruba:Aruba-MPSK-Passphrase=%{Authorization:[Guest Device Repository]:Device MPSK}. If the content does not match the password entered on the end device, the user is prompted to re-enter the password.

For this use case, you can use the service template "Aruba Wireless with MPSK" or create the enforcement policy manually. You must ensure that ClearPass sends an 'Accept' and "Aruba-MPSK-Passphrase" to the controller. The "Aruba-User-Role" can also be used optionally.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------

Original Message:
Sent: 4/9/2026 8:00:00 AM
From: Lord
Subject: RE: IOT WITH MPSK on CORP NETWORK

With Aruba controller-based Wi-Fi, MPSK only works in conjunction with MAC address authentication. The Guest Device Repository is indeed the right choice. Although it has "Guest" in its name, it can be used normally for MAC authentication on corporate devices.

Unlike with WPA2, in an MPSK Wi-Fi network the PSK is not stored in the Wi-Fi controller within an SSID profile. After successful MAC authentication, it is sent to the controller in an Aruba RADIUS attribute. The content of this attribute is then used for the Pairwise Master Key calculation and for the 4-way handshake.

ClearPass checks the MPSK field on the guest device and sends the content to the controller, following syntax is used in the enforcement profile: Radius:Aruba:Aruba-MPSK-Passphrase=%{Authorization:[Guest Device Repository]:Device MPSK}. If the content does not match the password entered on the end device, the user is prompted to re-enter the password.

For this use case, you can use the service template "Aruba Wireless with MPSK" or create the enforcement policy manually. You must ensure that ClearPass sends an 'Accept' and "Aruba-MPSK-Passphrase" to the controller. The "Aruba-User-Role" can also be used optionally.

------------------------------
Regards,

Waldemar
ACCX # 1377, ACEP, ACX - Network Security
If you find my answer useful, consider giving kudos and/or mark as solution
------------------------------