Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards

2024-06-25 19:54:33 - last edited 2024-06-26 07:04:39
Tags: #PPSK
Model: OC200  
Hardware Version: V1
Firmware Version: 5.13.30.20

Hi Support,

 

We are building a wifi mesh for a large village showground in the UK (Heckington Show, Heckington, Lincolnshire).

OC200 controller, router ER706W-4G, bridge tx/rx 2 x CPE710, switches 2 x SG2008P, 10 x EAP650 as 2 meshes (5 in each) located in two large fields totalling an area about 150m wide x 700m long.

 

There will be almost 250 trade stands spread throughout the showground, and each trade stand needs to accept payment cards for purchases by customers.

The card readers need to connect to the wifi, most will be via bluetooth through the trader's mobile phone, but many may also be direct connection from the card reader to the wifi (no user interaction for login name/password, just the passphrase set in the card reader).

 

Plan is to use PPSK without Radius to provide per trade stand authentication to the wifi. (Prefer not to use captive portal or local user as this may cause a problem for some card readers and we think PPSK without Radius will serve the purpose).

 

However there appears to be a limit of 128 records per PPSK Profile?

 

Question 1: Is this 128 limit just an arbitrary figure? (I believe it has already been increased from 50 to 128 a couple of years ago).

 

Question 2: What is this limit related to? Is it a mesh limit, an AP limit, a Controller limit, or a Router limit? Will my workaround suggested below help or will the system run out of some resource, counters, memory, or affect client connection/data statistics?

 

We need possibly up to 250 unique passphrases (although some trade stands might not want wifi access). We will use the auto-create feature of the PPSK profile to create the full range of 250 randomly generated passphrases, which will be provided to traders, together with their allocated stand number, in advance of the show which happens July 27th/28th.

 

Ideally, the easiest way for this to be done would be using a single PPSK profile applied to one VLAN ID, and hence to a single site wide SSID applied to ALL APs in both of the meshes.

 

However, to work around the 128 record limit I was wondering if we can set up two PPSK profiles, one containing 128, the second containing the remaining 122 (total 250)?

 

But then we have to arrange these two profiles applying them across the two meshes, enabling the two corresponding VLAN/SSIDs to the APs to coincide roughly with the physical locations of the trade stands (with some overlap where some trade stands will be covered by two or more APs).

 

If there are two SSIDs for the traders then they need to know which SSID their passphrase applies to.

This can be made obvious by naming the SSIDs as tradestands1-128 and tradestands129-250.

 

Also would we be able to use the same VLAN ID in both profiles? I have a feeling we might need two VLAN ID's as well.

 

Would really appreciate your input on this please. We have already purchased enough network kit for us to perform initial setup and testing (OC200, router, one switch, 3 EAP650s), and we have now come across this conundrum!!

 

It's entirely possible that the answer is actually fairly simple - I'm quite good at making things more complicated than they need to be, lol !!

 

Thanks

Jim

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#1
1 Accepted Solution
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards-Solution
2024-06-26 06:58:28 - last edited 2024-06-26 07:04:39

  @UKJim 

One SSID can have up to 128 passphrases. This is a performance restriction of the OC200. If you create two SSIDs, you can specify two profiles with the same VLAN ID. The router's ability to allocate VLANs allows them to be on the same VLAN.

However, I recommend you try setting up PPSK with an external radius, which will allow you to employ more passphrases. The external radius server determines the number of passphrases and the authentication process.

Here's how to configure PPSK with different RADIUS servers: PPSK Function with Different RADIUS Servers Configuration Guide

 

Best Regards!
Recommended Solution
#3
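The two-profile split confirmed in the accepted answer, worked through as an added example (not part of the original thread and not TP-Link tooling): it generates one random passphrase per stand and assigns each stand to an SSID holding at most 128 records, using the SSID naming proposed in the question. The VLAN ID, passphrase length, character set and `ppsk_name` format are assumptions.

```python
import secrets
import string
from collections import Counter

MAX_PER_PROFILE = 128  # per-SSID passphrase limit stated in the thread
# Assumption: drop look-alike characters so traders can type keys reliably.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")


def make_passphrase(length=16):
    """Random passphrase from a CSPRNG; 8-63 characters fits WPA2-PSK."""
    if not 8 <= length <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_plan(stand_count, limit=MAX_PER_PROFILE, vlan_id=20):
    """One record per stand; vlan_id=20 is a placeholder shared by every profile."""
    plan, used = [], set()
    for stand in range(1, stand_count + 1):
        first = (stand - 1) // limit * limit + 1
        last = min(first + limit - 1, stand_count)
        key = make_passphrase()
        while key in used:  # never hand the same key to two stands
            key = make_passphrase()
        used.add(key)
        plan.append({
            "stand": stand,
            "ssid": f"tradestands{first}-{last}",  # naming proposed in the thread
            "ppsk_name": f"HS-ts{stand:03d}",      # hypothetical name, one per stand
            "vlan_id": vlan_id,
            "passphrase": key,
        })
    return plan


def check_plan(plan, limit=MAX_PER_PROFILE):
    """Return records per SSID; raise if a profile is over the limit or a key repeats."""
    per_ssid = Counter(r["ssid"] for r in plan)
    over = {s: n for s, n in per_ssid.items() if n > limit}
    if over:
        raise ValueError(f"profiles over the {limit}-record limit: {over}")
    if len({r["passphrase"] for r in plan}) != len(plan):
        raise ValueError("duplicate passphrase in plan")
    return dict(per_ssid)


if __name__ == "__main__":
    plan = build_plan(250)
    print(check_plan(plan))
    print({k: plan[128][k] for k in ("stand", "ssid", "ppsk_name", "vlan_id")})
```

Each record gives the trader their stand number, the SSID their key belongs to, and the key itself, so the same list can be used to fill the two profiles and to prepare the hand-outs.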
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-25 22:29:25 - last edited 2024-06-25 22:30:45

I'm slightly confused. What are your reasons for wanting to use individual PSK's for every stand if you're just going to have them all on the same VLAN?

 

Thinking this setup will work purely as a mesh setup is also very unwise and is a disaster waiting to happen. You should be using dedicated PtP backhaul links to each of the AP locations. 

#2
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-26 23:02:53

  @Hank21 

 

Hank21 wrote

  @UKJim 

One SSID can have up to 128 passphrases. This is a performance restriction of the OC200. If you create two SSIDs, you can specify two profiles with the same VLAN ID. The router's ability to allocate VLANs allows them to be on the same VLAN.

However, I recommend you try setting up PPSK with an external radius, which will allow you to employ more passphrases. The external radius server determines the number of passphrases and the authentication process.

Here's how to configure PPSK with different RADIUS servers: PPSK Function with Different RADIUS Servers Configuration Guide

 

 

Hi Hank and thank you for your swift response.

I had considered whether setting up a Radius server was necessary, but it's yet more expense and work for this project, which is essentially just wifi access (we have no internal business servers) for the traders for a 2-day event every year. The showground is a "greenfield" site, i.e. no buildings or structures, just open space which must be reverted back to empty fields when the show ends.

 

We obtained quotes from event wifi solution specialists, but these were going to be 4 or 5 times the cost (every year!) of us buying the network gear ourselves and reusing it on consecutive years. TP-Link Omada seems right for our event.

 

Another question about the PPSK without Radius (built-in Radius) please.

When creating the profiles using the auto-generate method, it asks for a PPSK Name Prefix, which it then appends underscore + a number to make each record unique, e.g. I created "HS-ts000" as the prefix which resulted in "HS-ts000_1", "HS-ts000_2", "HS-ts000_3", etc.

I thought this name would be shown somewhere in the Clients connection lists (perhaps in Insights->Known Clients or Past Connections) to help identify which PPSK the client connection relates to.

Can you tell me where the generated name is used/displayed? As this would be useful to understand which PPSK's are being used.

 

Thank you.

Jim

 

 

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#4
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-26 23:42:59

WiFiGuy01 wrote

I'm slightly confused. What are your reasons for wanting to use individual PSK's for every stand if you're just going to have them all on the same VLAN?

 

Thinking this setup will work purely as a mesh setup is also very unwise and is a disaster waiting to happen. You should be using dedicated PtP backhaul links to each of the AP locations. 

Hi  @WiFiGuy01 

Reasons for wanting to use individual PSK's:-

As with any PPSK, security. Particularly in a situation where we want to be seen as doing our best to be PCI Compliant (Payment Card Industry).

Also you might see from my response to Hank above that I'm interested in being able to identify which clients (trade stands) are logging in. Either for support purposes, problems with logging on, or too many different logins against a single trade stand, for example the trader has shared their PSK with other people.

 

Disaster waiting to happen?

A bit more background on this project.....

Purpose:
To enable 250 businesses in trade stands site-wide around the showground to get reliable internet for taking payments using their own point-of-sale card payment systems.

 

Reason:
The traders normally use their mobile phones for internet connections but the show gets about 30,000 members of public over the weekend and the rural 4G service on our local telecoms masts becomes overwhelmed, so causing payment connection problems for the traders, and the show staff/employees who also suffer poor phone communication.

 

We would allow low-bandwidth (Rate Limited) connections for the traders to be able to run their business and sell their products. It's not really intended for video streaming(!), Facebook, voice/video calls, eg WhatsApp, but would probably get used for that to some extent. They are there to sell their wares, not play games or watch videos.

 

The payment transactions are very low bandwidth (2-3kb per transaction), plus emails and similar minimal business work so should be easy work for the network.

The show is a registered charity and needs to work to a tight budget. The Omada EAP Outdoor AP range (we've decided on EAP650's) look like they will provide what we need. However the network topology is what we welcome help and advice with.

 

The showground site is long and thin located in 2 large fields approx 150m wide and 660m long. There are some trees/hedges dotted around the site, but mostly open space. Access points would be put up on masts, marquee poles, lighting stands, and towers, and similar structures to gain some height for better coverage and avoiding obstacles like tall parked vehicles.

 

We envisage 2 mesh sets, each with a central Uplink AP, and 1 or 2 hop APs each side. Hopefully Mesh 1 would provide coverage for the bottom half of the site and the second mesh (Mesh 2 connected via a long-range bridge) covers the top half of the site.

 

 

Numerous diesel electricity generators supply mains power for the site, lighting, etc.

 

Laying ethernet cables is to be minimal due to cost and limitations of long PoE/ethernet runs and the size of the site and avoiding areas of most movement of public on foot and lots of show vehicles. There are no permanent buildings/structures since it is a "greenfield" site and all equipment has to be removed at the end of the show. Therefore we want to utilise a wireless backhaul mesh system. PoE would follow mains cables where laid to various (non-vehicle) areas of the showground, and Ethernet backhaul only where necessary to root AP's, wirelessly connected to the mesh APs.

 

Due to the length of the site a point-to-point bridge will be used, 2x CPE710 each one on tall masts, with a distance of approx 350m apart, to feed Mesh 2.

 

We have Gigabit fibre (1GB up/down) by a local provider into the site, into a cabinet where the main ONT, router, switch and controller will be sited.

 

Note the wifi network is NOT for public use! It will be a PCI Compliant secure authenticated (WPA2/3) private WLAN used only by the trade stands and show staff, therefore we don't consider it a High Density environment.

 

We understand that careful planning of Channels, Bandwidths, Tx power and frequencies are important for an optimised mesh solution. We have performed in-field testing to ascertain distances and speeds and mesh connectivity. We will use additional wired backhaul where possible.

 

Please feel free to offer any additional advice or concerns - we are not experts, but we are quick learners and we certainly don't want a disaster! ;)

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#5
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 02:53:07

  @UKJim 

You can just run the external radius server on your computer. Currently, the controller client list does not include the ppsk name. We've already given feedback to our related department. It is used to determine which client connects to the password. However, it did not display.

Best Regards!
#6
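The check for shared keys that the original poster describes ("too many different logins against a single trade stand"), as an added example that is not part of the thread: it assumes an authentication log that records the PPSK name for each client association, which the thread notes the controller client list does not currently display. The log format, the sample records and the threshold of three devices per key are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records (not real data): timestamp, PPSK name, client MAC.
SAMPLE_LOG = """\
2024-07-27T09:01:10,HS-ts000_1,AA:BB:CC:00:00:01
2024-07-27T09:02:44,HS-ts000_1,aa-bb-cc-00-00-02
2024-07-27T09:05:03,HS-ts000_2,AA:BB:CC:00:00:10
2024-07-27T09:07:31,HS-ts000_1,AA:BB:CC:00:00:03
2024-07-27T09:09:12,HS-ts000_1,AA:BB:CC:00:00:04
2024-07-27T09:15:00,HS-ts000_1,AA:BB:CC:00:00:01
2024-07-27T09:20:18,HS-ts000_3,AA:BB:CC:00:00:10
"""


def normalise_mac(mac):
    """Lower-case, colon-separated MAC so the same device is counted once."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def review_ppsk_use(log_text, max_devices_per_key=3):
    """Return (keys seen on too many devices, devices seen with several keys)."""
    devices_by_key = defaultdict(set)
    keys_by_device = defaultdict(set)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        _timestamp, name, mac = (field.strip() for field in row)
        mac = normalise_mac(mac)
        devices_by_key[name].add(mac)
        keys_by_device[mac].add(name)
    shared = {name: sorted(macs) for name, macs in devices_by_key.items()
              if len(macs) > max_devices_per_key}
    multi_key = {mac: sorted(names) for mac, names in keys_by_device.items()
                 if len(names) > 1}
    return shared, multi_key


if __name__ == "__main__":
    shared, multi_key = review_ppsk_use(SAMPLE_LOG)
    print("keys on more devices than allowed:", shared)
    print("devices using more than one key:", multi_key)
```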
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 03:12:25

  @UKJim 

 

This setup is a terrible idea. The reason a professional company quoted a lot more is because it would have probably been a rock solid solution that would not fail.

 

There is no way in the world I would ever engineer a mesh solution like you're doing. It is a disaster waiting to happen. Every single one of those AP's needs to have its own dedicated backhaul either over PtP or PtMP 5GHz or preferably 60GHz.

 

#7
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 06:13:46

  @WiFiGuy01 

 

OK, understood.

So ideally I should cable for wired backhaul from the switch located at each mesh to each AP?

 

I take it you have practical experience of Omada in this respect? Do you work with other brands of mesh devices?

 

Why would Omada offer wireless backhaul as a feature if it won't work?

 

Can you offer any advice for AP radio settings to provide best stability?

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#8
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 06:28:19

  @UKJim 

 

I design and build a lot of indoor WiFi networks along with outdoor networks for events such as concerts. I use a myriad of different brands of equipment because there is no one size fits all solution.

 

The word mesh does not exist in my vocabulary when it comes to engineering any form of wireless network. I never have and never would ever deploy a mesh solution (regardless of the brand of hardware) in an environment where performance is critical, and especially one outdoors at an event where the noise floor will be impacted by thousands of mobile phones.

 

Every single one of your AP's should be backhauled to one or more central locations using PtP or PtMP connections.

 

#9
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 08:43:17 - last edited 2024-07-02 13:07:59

WiFiGuy01 wrote

  @UKJim 

 

...and especially one outdoors at an event where the noise floor will be impacted by thousands of mobile phones.

 

Every single one of your AP's should be backhauled to one or more central locations using PtP or PtMP connections.

 

  @WiFiGuy01 

 

Aha! That's the spanner in the works then. I hadn't appreciated that.

So not only do the thousands of mobile phones hammer the local phone network to the point it's unusable.

They can also cause too much interference for the wireless backhaul to work properly.

 

Seriously, Thank you for firing a warning shot across our bow!

I hope you'll forgive me for wanting to ascertain you weren't just some doomsaying troll :(

 

So will the CPE710's likewise suffer as PtP, or are they less affected because they use a focused beam and if we use appropriate channel selection?

Should we use something else like 60GHz PtP to get away from 5GHz ac/ax entirely?

 

Thank you for your valued input.

Much appreciated

Jim

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#10
Re:Workaround for PPSK 128 record limit? Large Showground wifi for trade-stand sales by payment cards
2024-06-27 08:49:55

  @Hank21 

Thanks, that's interesting

Hank21 wrote

Currently, the controller client list does not include the ppsk name. We've already given feedback to our related department. It is used to determine which client connects to the password. However, it did not display.

 

Any idea when this will be done?

Jim Prior Cogitare et Vivare - sit atur ad Astra (To Think is to Live - Thus reach we the Stars)
#11