I like the idea that Unifi has the option now for the preshard key for a SSID having the ability to connect to VLAN vs. a VLAN per SSID. I am looking at a migration plan and tested it out with a lab access point and I think there are limitation on how to handle a migration.
PC (VLAN 15)
IoT (VLAN 20)
Guest (VLAN 30)
Constitution (SSID dependent, 15 and 20) - This is the migration SSID
What I found is that you can configure for this, but it doesn’t work. Connecting to “Constitution” doesn’t pass traffic to the VLAN based on the pre shared key. The dashboard shows the connection established and the device shows the same. But no DHCP or network connectivity.
This would have been a great approach to migrate 8 PC’s and about 40 Iot devices from dedicated SSID’s to single SSID with PSK per VLAN.
I setup a test access point for testing end state:
And this works just fine so my conclusion you can’t have multiple SSID’s connecting to same VLANs.
Any thoughts of how to best handle this type of SSID / PSK reassignment? I would hate to delete the original SSID’s and do the big bang, was hoping to do this device by device. I may have to put two AP’s in zones where I am migrating, one with new, leave the old alone, and do the migration on that equipment to the new AP.
Actually, now you can have one SSID and then the PSK for that SSID determines what VLAN you get assigned to. The goal is to reduce overhead of having multiple SSID’s leveraging this model to reduce some of the wireless spectrum overhead per SSID.
The technique from Unifi is called Private Pre Shared Keys:
Migrating to this model from a SSID per VLAN you can configure say the new SSID with the PSK per VLAN of 20 in addition to the existing SSID that is associated to VLAN 20 on the same access point. With the intention of taking all the devices from single SSID per VLAN and migrating them to the single SSID with PSK model for that same VLAN. The controller allows you to configure for it but it doesn’t work. When a client connects to the new SSID with the specific PSK it doesn’t pass traffic to the network.
I have tried multiple ways in a test AP to see if it’s possible but based on my observations only one SSID can put traffic on a specific VLAN. This will make migration a bit harder since I am going room to room to migrate devices to the new model and wanted the new SSID/PSK to coexist on the same AP.
Thank you for asking the clarifying question. Other than reporting this to Unifi to prevent this type of configuration to be deployed I am going to take my time and over this weekend to deploy a second AP in the original configuration (call it the roving AP) and update the current AP into the new configuration and migrate the devices. Then move to the next room/area and take the roving AP to the next location and do the same until the building is done.
In the end we will only have 2 ssid’s for the entire building. One guest for customers, and then one for all the PC’s, IoT, Camera’s, and other devices which will be sorted into the right VLAN based on PSK.
ahh ok, after reading up on it this looks pretty cool. I think you are right that you can only specify 1 network per SSID and cannot have multiple SSID’s with a network attached to it.
I’m not sure why you would have a SSID for a network, but then add that network to a PPSK SSID. What would be the use case for that?
