LANCOM invented an interesting feature to assign each device its own PSK. The biggest disadvantage of (current) PSK is that every device knows the centralized PSK (what if the PSK gets leaked?). Some weird devices do not work well with 802.1X. A middle way would be to assign each device its own PSK, therefore each device can be placed in a different VLAN and can be individually denied access to the corporate Wi-Fi (without touching the others).
LANCOM invented such a feature lately (could you implement such a feature for legacy devices as well?):
LANCOM Enhanced Passphrase Security Users (LEPS-U) allows a set of passphrases to be configured and assigned to individual users or groups. This avoids having one global passphrase for an SSID. Instead, there are several passphrases, which can then be distributed individually.
This is useful for onboarding devices into the network. For example, a network operator "onboarding" multiple WLAN devices into different areas of the network does not want to configure each specific device; instead this should be done by the users of the devices themselves. In this case, users are given a preshared key for the company WLAN for use with their own devices. The preshared key is used to map each user to a VLAN, thus automatically assigning them to a specific network. The configuration of LEPS-U takes place on the infrastructure side only, which assures full compatibility with third-party products.
The security issue presented by global passphrases is fundamentally remedied by LEPS-U. Each user is assigned their own individual passphrase. If a passphrase assigned to a user should "get lost" or an employee with knowledge of their passphrase leaves the company, then only the passphrase of that user needs to be changed or deleted. All other passphrases remain valid and confidential.
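To show why such a scheme can live entirely on the infrastructure side, here is an added example (not LANCOM's code, and not a description of how LEPS-U is actually implemented). It assumes the AP keeps a table of per-user passphrases and, during the standard WPA2 4-way handshake, checks message 2's MIC against each candidate passphrase to find out which user/VLAN the client belongs to; the client runs an unmodified supplicant. Table entries, SSID, MACs and nonces are constructed.

```python
import hashlib
import hmac

# Constructed per-user passphrase table on the AP (assumed data model): passphrase -> (user, VLAN).
PSK_TABLE = {"alice-office-passphrase": ("alice", 10), "bob-iot-passphrase": ("bob", 20)}
SSID = b"corp-wlan"  # constructed
AP_MAC, STA_MAC = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))  # constructed, fixed for reproducibility
MIC_OFF = 81  # EAPOL hdr(4)+type(1)+info(2)+len(2)+replay(8)+nonce(32)+IV(16)+RSC(8)+ID(8)

def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """WPA2-Personal PMK: PBKDF2-HMAC-SHA1(passphrase, SSID), 4096 rounds, 256 bits."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)

def derive_kck(pmk: bytes, ap: bytes, sta: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Key Confirmation Key = first 128 bits of the PTK (802.11 PRF over 'Pairwise key expansion')."""
    data = min(ap, sta) + max(ap, sta) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(3))
    return ptk[:16]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (CCMP): HMAC-SHA1 over the frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(passphrase: str) -> bytes:
    """Simulated unmodified supplicant: EAPOL-Key message 2 (key data omitted for brevity)."""
    body = (bytes([2]) + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + SNONCE
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return frame[:MIC_OFF] + eapol_mic(kck, frame) + frame[MIC_OFF + 16:]

def identify_user(msg2: bytes):
    """AP side: which configured passphrase produced this MIC? Returns (user, vlan) or None.
    PBKDF2 is deliberately slow, so a real AP would cache one PMK per passphrase per SSID."""
    received_mic = msg2[MIC_OFF:MIC_OFF + 16]
    for passphrase, (user, vlan) in PSK_TABLE.items():
        kck = derive_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, msg2), received_mic):
            return user, vlan
    return None  # no passphrase matches: reject the association

if __name__ == "__main__":
    print(identify_user(build_msg2("bob-iot-passphrase")))   # ('bob', 20) -> place client in VLAN 20
    print(identify_user(build_msg2("revoked-passphrase")))   # None -> client is denied
```

Revoking one user then means deleting one table entry; every other entry keeps working, which is the property the quoted text describes.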