Split Approach Certs CN = MAC O/OU = Administrative Domain PSKs Identity and Hint Some preformatted key name Maybe KeyName = Hash(PSK || “CAPWAP PSK”) Leave unspecified Provision key name with the PSK Drawback Need more complex back-end authorization service to handle multiple different types of identities |