Configure PPSK (Private Pre-Shared Key) for an Access Point SSID

Applies To: WatchGuard Cloud-managed Access Points (AP130, AP230W, AP330, AP332CR, AP430CR, AP432)

PPSK (Private Pre-Shared Key) enables you to configure unique passphrases for individual wireless clients to securely access an SSID with WPA2 Personal security. This passphrase can be temporary with a configured expiration date, or the passphrase can be permanent. PPSK enhances security for guest networks because you assign private passphrases to each client instead of a common public passphrase to access the wireless network.

PPSK is also helpful for deployments that do not have a RADIUS authentication server to manage unique wireless user passwords or where you must support a wide variety of client device types that might not support Enterprise RADIUS authentication.

You can create and print vouchers to distribute to clients so they can easily create secure connections to your wireless network with their own unique passphrase. You can also assign a VLAN for each PPSK for additional security to isolate users to specific networks.

PPSK Requirements

  • PPSK requires a USP Wi-Fi Management license for your access points.
  • Access points require firmware v2.6 or higher.
  • You must configure PPSK in an access point site.
  • You can create a maximum of 500 PPSKs that you can use with multiple SSIDs.
  • Each PPSK must be unique and cannot be the same as any other PPSK or the primary passphrase of the SSID on which you have enabled PPSK. We recommend you create strong, unique passphrases and manage these PPSKs in a password manager.
  • You cannot use PPSK on an SSID that has NAT, Captive Portal, Network Access Enforcement, or Access Point VPN enabled.

Configure PPSK in an Access Point Site

To configure PPSK in an access point site in WatchGuard Cloud:

  1. Select Configure > Access Point Sites.
  2. Select an existing access point site, or create a new site.
  3. In the Wi-Fi Networks widget, click SSIDs.
  4. To add an SSID, click Add SSID icon, or click an existing SSID to configure its settings.
  1. Configure these SSID settings:

  • SSID Name — Type the SSID name. This is the name for this wireless network that appears to clients.
  • Broadcast SSID — Select the Broadcast SSID check box to broadcast the SSID name to wireless clients. Clear this check box if you want to hide the SSID name.
  • SSID Type
  • Private — Create a private wireless network.
  • Guest — Create a guest wireless network that provides limited access to protect devices and resources on your private wireless network.
  • Radio — Select the access point radios (2.4 GHz, 5 GHz, or both 2.4 GHz and 5 GHz) that broadcast this SSID.
  • Security — Select WPA2 Personal. PPSK is only supported with the WPA2 Personal security mode.
  • Enable PPSK — Select the Enable PPSK check box to enable PPSK for this SSID.
  • Passphrase — Enter a primary passphrase for this SSID. This is required so that you can use the primary passphrase to connect to the SSID, even if PPSK is disabled, or if there are no PPSKs configured for the SSID, or if the access points do not have a USP Wi-Fi Management license. You configure the individual unique PPSKs for your users in the PPSK widget of the access point site settings.
  1. Click Save.
  2. Click Back to return to the access point site configuration details page.

  1. In the Authentication widget for the access point site settings, select PPSK.
    The PPSKs management page opens.

  1. Click Add PPSK.

  1. Select the Enable private pre-shared key check box.
  2. In the Passphrase text box, type a passphrase for this PPSK. This passphrase must be unique to each PPSK. Make sure you do not use the primary passphrase for the SSID on which you have enabled PPSK.
  3. In the Description text box, type a description for this PPSK.
  4. From the SSID drop-down list, select the SSIDs with which you can use this PPSK.
  5. From the Expiration drop-down list, select an expiration period for the PPSK. Select Never Expire if you want this PPSK to never expire. The expiration is based on the creation date of the PPSK.
  6. Select the Use custom VLAN check box if you want to assign a VLAN to this PPSK, then select a VLAN ID.
  7. Select the Create another PPSK check box if you want to create a new PPSK after you save the current PPSK.
  8. Click Add.

Manage PPSKs

From the PPSK management page, you can view, manage, import, and download PPSKs. You can also download and print your PPSK vouchers.

  • From the SSID drop-down list, select a specific SSID to view or select All SSIDs.
  • In the Search text box, type a search query to search all columns in the PPSK list.
  • Click Filter icon to apply filters to the PPSK list based on SSID, Creation Date, Expiration Date, and VLAN ID.

You can perform these actions from the PPSKs management page:

  • Add a PPSK — To add a new PPSK, click Add PPSK.
  • Edit a PPSK — To edit a PPSK, select one or more PPSKs, then click Edit.
  • Disable a PPSK — To disable a PPSK, select a PPSK, click then click Disable. When you disable a PPSK, it still exists in your list of PPSKs, but it cannot be used by any SSID.
  • Enable a PPSK — To enable a PPSK that is disabled, select the PPSK, click then click Enable.
  • Delete a PPSK — To delete PPSKs, select one or more PPSKs from the list, then click Delete.
  • Download PPSKs — To download a list of PPSKs in CSV format, click Download CSV.
  • Import PPSKs — To import a list of PPSKs in CSV format, click Import. For more information, go to Import PPSKs.
  • Print PPSK Vouchers — To print PPSK vouchers for your users, click Print Vouchers. For more information, go to Print Vouchers.

Import PPSKs

You can import a list of PPSKs to more easily add a large number of PPSKs.

Each PPSK must be unique and cannot be the same as any other PPSK or the primary passphrase of the SSID with PPSK enabled. We recommend you create strong, unique passphrases and manage these PPSKs in a password manager.

The PPSK list must be in a comma-separated value (CSV) file format with these fields:

  • Passphrase (required)
  • Description (optional)
  • Expiration date (YYYY-MM-DD) (optional, leave empty for no expiry)
  • VLAN ID (optional)

For example:

ppsk-passphrase1,ppsk1,2025-12-31

ppsk-passphrase2,ppsk2,2025-12-31,10

ppsk-passphrase3,ppsk3

If you edit the CSV file with Microsoft Excel, the expiration date might be automatically converted to a different format such as MM/DD/YYYY which cannot be imported. Make sure the expiration date uses the format YYYY-MM-DD. You can update the cell format within Excel to use this date format.

To import a PPSK list:

  1. From the PPSKs management page in an access point site, click Import.
    The Import Private Pre-Shared Keys page opens.
  2. Drag and drop the file that contains your PPSK list into the Pre-Shared Keys List box, or click select the file to select the file from your computer.

Screenshot of the Import Private Pre-Shared Keys page

  1. Click Next.

  • On the Importable tab, the table shows a list of valid PPSKs to import from the file. These PPSKs are automatically selected for import.
  • On the Non-Importable tab, the table shows a list of PPSKs that you cannot import from the file. These PPSKs might be incorrectly formatted, contain invalid data, or are duplicates. You can download these incorrectly formatted PPSKs in CSV format to correct the format and re-import the PPSKs.
  • If a duplicate entry is detected in the imported list and your existing PPSKs, you can skip or replace the entry.
  1. Select the SSID to which you want to import the PPSK list.
  2. Click Finish to import the PPSKs.

Print Vouchers

You can print vouchers of your PPSKs to distribute to end users. You can customize the voucher with your company logo and custom header text. A PDF file of the PPSK vouchers is generated that you can download and print.

To download and print PPSK vouchers:

  1. From the PPSK management page, click Print vouchers.
    The Print PPSK Vouchers page opens.

  1. From the SSID drop-down list, select the SSID that contains the PPSKs you want to print.
  2. From the PPSKs drop-down list, select All PPSKs to print all of your PPSKs, or choose Select to select which PPSKs you want to print.
  3. From the Printout Type drop-down list, select the type of PPSK vouchers you want to print.
  • Full Page voucher — Print the PPSK voucher as a single full page.
  • Individual PPSK vouchers — Print several individual PPSK vouchers on a single page. From the Page Layout drop-down list, select the type of layout and the number of vouchers on a page. You can select 2x2, 2x3, or 2x4.
  1. In the Header Text text box, type the header text that appears at the top of the voucher.
  2. Select the Use company logo check box to add your logo to the top of the voucher. The default logo image is from your WatchGuard Cloud account branding.
  3. Select the Show PPSK expiration date check box to print the expiration date of the PPSK on the voucher.
  4. Click Print.

A PDF file of the PPSK vouchers is generated that you can download and print.

Related Topics

Configure Access Point Device Settings

Configure Access Point Radio Settings

About Access Point Sites