Juniper Mist Access Assurance supports WPA3 Multiple Passphrases WLANs, which allow customers to deploy a single WPA3-Personal SSID with multiple passphrases using MAC-based registration. Unlike WPA2 MultiPSK, because of the nature of SAE authentication, the client's MAC address or MAC OUI must be pre-associated with the passphrase for the key match to work.
Requirements:
AP Firmware 0.14.x and above
Access Assurance Standard (or higher) subscription
Configuration:
WLAN
Select WPA3 Personal (SAE) > Multiple Passphrases > RADIUS PSK. Default PSK and Default VLAN ID are optional and are used when no passphrase registered to the client's MAC is found. Then scroll down and select Mist Auth as your authentication server. Scroll further down and configure the Dynamic VLANs section, which should include all VLAN IDs that you plan to use when creating WPA3 passphrases.
Now navigate to Organization > Wireless > Pre-Shared Keys.
Click Add Key and select the SSID from the list that is configured with WPA3 RADIUS PSK. Provide all the required information, e.g. Key Name, passphrase, VLAN ID, expiry date, and, most importantly, the registered MAC address(es) or MAC OUIs. Then click Create.
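A simplified model of the MAC-registered key lookup that this configuration sets up, added here as an example and not Juniper Mist code. The key records, field names, and the exact-MAC-before-OUI precedence are assumptions; the sample keys are constructed. It also flags a MAC/OUI registered under two keys and client MACs with the locally administered bit set (typical of randomized MACs, which will not match a registered address).

```python
"""Model of MAC-registered passphrase lookup (added example, not Mist code)."""

def norm(mac):
    """Normalize a MAC (12 hex digits) or OUI (6) to lowercase hex, no separators."""
    h = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(h) not in (6, 12):
        raise ValueError(f"not a MAC or OUI: {mac!r}")
    return h

def is_locally_administered(mac):
    """True when the U/L bit of the first octet is set (randomized/private MACs)."""
    return bool(int(norm(mac)[:2], 16) & 0x02)

def build_index(keys):
    """Map each registered MAC/OUI to its key; collect entries claimed by two keys."""
    index, conflicts = {}, []
    for key in keys:
        for entry in key["macs"]:
            e = norm(entry)
            if e in index and index[e]["name"] != key["name"]:
                conflicts.append((e, index[e]["name"], key["name"]))
            else:
                index[e] = key
    return index, conflicts

def lookup(index, client_mac, default=None):
    """Assumed precedence: exact MAC, then OUI, then the WLAN default (may be None)."""
    m = norm(client_mac)
    if len(m) != 12:
        raise ValueError("client MAC must be a full 48-bit address")
    return index.get(m) or index.get(m[:6]) or default

# Constructed sample data: names, passphrases, MACs and VLAN IDs are made up.
KEYS = [
    {"name": "printers", "passphrase": "example-pass-1", "vlan_id": 30, "macs": ["00:11:22"]},
    {"name": "lab-laptop", "passphrase": "example-pass-2", "vlan_id": 40,
     "macs": ["00:11:22:aa:bb:cc"]},
    {"name": "cameras", "passphrase": "example-pass-3", "vlan_id": 50, "macs": ["00-11-22"]},
]
DEFAULT = {"name": "default", "passphrase": "example-default", "vlan_id": 10}

if __name__ == "__main__":
    index, conflicts = build_index(KEYS)
    print("conflicting registrations:", conflicts)
    for mac in ("00:11:22:aa:bb:cc", "00:11:22:01:02:03", "de:ad:be:ef:00:01"):
        key = lookup(index, mac, DEFAULT)
        print(mac, "->", key["name"], "VLAN", key["vlan_id"],
              "(locally administered)" if is_locally_administered(mac) else "")
```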
Verification:
Navigate to Clients > NAC Clients. For all connected clients using WPA3 Multi PSKs, the Key Name is shown as the Username. From there you can navigate to client insights to inspect client events related to the key lookup process.