by zamadatix 897 days ago
I wish more consumer devices supported multiple PSKs on the same SSID. It's a handy feature much better for airtime than creating multiple separate SSIDs and much better for sanity than 802.1x user or cert auth.

> I wish more consumer devices supported multiple PSKs on the same SSID

Could you name any enterprise APs that do this, short of running your own custom AP software? As far as I know (would love to be corrected on this), Unifi APs can't do this, and they're at the very least "prosumer".

It seems that feature has been added in a recent update.

https://community.ui.com/releases/UniFi-Network-Application-...

I was very excited by this, but I found that some of my dumber IoT devices would refuse to connect to the network if it used PPSK. If I connect them to a separate SSID I use for IoT devices with a basic WPA2 PSK, they work totally fine, but I didn't dig too much, so it could also be user error.
I did not know that. Wow nice. Having so many SSIDs is drawing attention to all the equipment in my flat.

However I guess this feature is WPA3 only which means I'll still need the SSIDs for years to come :'(

The opposite in fact. It only works with WPA2 which means that you cannot combine it with Wi-Fi 6E or use it on any WPA3-enabled SSID.
Ah ok, strange that the feature is only becoming mainstream now (as in added by Unifi, and I never heard of it before). It's very good to hear actually, because most of the devices I want to have on separate VLANs are quite dumb (IoT home automation stuff in particular) and they won't have WPA3 (and often even only have 2.4 GHz).
Aruba, Cisco, Extreme, Mist, Ruckus. The first I saw use it was Aerohive (now part of Extreme), and it took the enterprise market by storm about 5 years ago. For most enterprise deployments 802.1x (either username+password or certificate) makes more sense, but once you get into BYOD land (say, senior living) not all devices support that (say an Xbox), but you still want to give a user a way to connect anywhere they go, not just their main living area. Similar with the BYOD network in schools: give out the PSK to any staff, and a year later the kids all have it and you have to change every PSK-only device to a new PSK manually to fix it. Use multiple PSKs to give different groups of devices different PSKs, and even different staff different keys, and you not only contain the problem but can actually narrow down on the worst leak offenders as well.
Doing multiple PSK / PPSK is not compatible with WPA3 (at least as supported by most APs today*, as WPA3 requires management frame encryption), so you limit to WPA2 only, therefore you're better off just having multiple SSIDs with WPA3 support. (Also that way you can have a "secure" network which is WPA3 Personal only, much easier than using WPA Enterprise and gives a reasonable level of security for home use.)

*: In theory password identifiers (https://www.gabriel.urdhr.fr/2022/06/07/impact-of-the-differ...) could be used with WPA3-SAE, but I don't know how good the support is currently...

hostapd has supported multiple SAE passwords and identifiers since 2019; it even allows binding a password to a specific MAC address and VLAN id. Since most AP software is just hostapd wrapped up in some GUI, if they don't support these features it's probably just due to laziness on the vendor's part.
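As an added illustration of the two mechanisms this thread discusses (it is not any commenter's configuration, nor a vendor's), here is a hostapd configuration fragment: per-group and per-device WPA2 passphrases via `wpa_psk_file`, and multiple WPA3-SAE passwords bound to a MAC address, a VLAN id and a password identifier via `sae_password`. The interface name, SSID, file path, MAC addresses, VLAN ids, key labels and passphrases are constructed placeholders; running both key management types on one SSID (transition mode) and mapping VLAN ids to bridges are assumed to be supported and configured elsewhere for the site.

```ini
# hostapd.conf (constructed example; every value below is a placeholder)
interface=wlan0
ssid=home-ppsk
hw_mode=g
channel=6

# WPA2-Personal and WPA3-Personal on the same SSID (transition mode, assumed
# for this example). PMF optional so WPA2-only IoT clients can still join;
# SAE clients are required to use PMF.
wpa=2
wpa_key_mgmt=WPA-PSK SAE
rsn_pairwise=CCMP
ieee80211w=1
sae_require_mfp=1

# Per-key VLAN assignment below relies on dynamic VLANs; the VLAN-to-bridge
# mapping is site-specific and omitted here.
dynamic_vlan=1

# --- WPA2: one passphrase per group or per device, read from a separate file.
# A leaked group key is then revoked by editing one line instead of re-keying
# every device on the SSID.
wpa_psk_file=/etc/hostapd/hostapd.wpa_psk

# --- WPA3-SAE: several passwords on one SSID, each optionally restricted to a
# peer MAC, placed in a VLAN, and/or tagged with a password identifier.
# Format: sae_password=<password>[|mac=<peer mac>][|vlanid=<id>][|id=<identifier>]
sae_password=lights-group-sae-pass|vlanid=20|id=iot-lights
sae_password=alice-own-sae-pass|vlanid=10|id=alice
sae_password=xbox-only-sae-pass|mac=de:ad:be:ef:00:01|vlanid=30

# ---- /etc/hostapd/hostapd.wpa_psk (constructed example; separate file) ----
# Format per line: [keyid=<label>] [vlanid=<id>] <MAC or 00:00:00:00:00:00 for any> <passphrase>
# keyid=iot-lights vlanid=20 00:00:00:00:00:00 lights-group-passphrase-1
# keyid=alice      vlanid=10 00:00:00:00:00:00 alice-own-passphrase
# keyid=xbox       vlanid=30 de:ad:be:ef:00:01 xbox-only-passphrase
```

The wildcard MAC lets any device that knows a given passphrase join, which is what the "one PSK per group of devices, one per staff member" pattern above needs; a specific MAC pins a passphrase to a single device. The `keyid` label (and the SAE `id`) is what lets you tell which key a station used, so a leak can be traced to the group or person it was issued to and only that key rotated.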