So, just an update of where I'm at.
The only publicly-available Ruckus documentation I've been able to find is the AAA interface guides for SmartZone, most of which are available on the support portal with only a registration (not restricted to paid users). The SmartZone 3.5.1 guide is more detailed on this than the newer guides, but the details there may be obsolete as I still haven't been able to get this to work.
The 3.5.1 guide has a section called "External DPSK over Radius." According to the guide and as observed, the client association request will cause the AP to send an Access-Request to the RADIUS server. The RADIUS server sends back an Access-Accept (if desired) with the Radius-DPSK VSA. The first byte of the VSA value is supposed to be 0x00, followed by the WPA2 PMK for the desired passphrase (PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)). The total length of the VSA value should be 33 bytes; despite being listed as potentially of variable length, as described in the guide it will always be 33 bytes.
In my testing, this doesn't work.
The most recent SmartZone 5.1 guide changes things. Its only section related to external DPSK is called "DPSK for Cloud over RADIUS." The most useful information about the VSA -- the specification for the value (0x00 first byte, WPA2 PMK) -- is gone; only the basic details (like the VSA ID) remain. It's unclear if that information was removed because it is now obsolete (which would suggest the SmartZone 3.1 information isn't going to be useful for Unleashed either, assuming Ruckus would use their most recent implementation) or for some other reason.
Either way, as things currently stand, I have no idea how to get this to work with Unleashed, and Ruckus doesn't appear to have any documentation publicly available for it. The KB article might provide some insight that is usable for Unleashed, but Ruckus has locked it behind the paywall. Which, TBH, is ridiculous -- I'm not asking for hand-holding, a step-by-step how-to guide, or for someone to do it for me, I'm just asking for a technical specification. I'm hoping one of the Ruckus reps here will see this and be able to provide (or obtain) some insight. I did try checking with support, making clear that I wasn't looking for any kind of personalized support but just for documentation, but they refused to provide the KB article or any other information because of my lack of a support contract. (The same support agent also seemed to think reporting a broken link on the support site required a support contract, but ultimately agreed to pass the message on internally. As of now, the link isn't fixed.)
One good thing: if Ruckus can provide a working specification for how the RADIUS server is supposed to provide the DPSK, the implementation appears to be flexible. Although the limited documentation indicates that the external DPSK feature can only be used for "bound" (i.e. single-MAC) DPSKs, I see no reason group DPSKs and unbound DPSKs couldn't be provided by a sufficiently-configured RADIUS server. The AP may only accept a single possible DPSK for a given Access-Request, but the Access-Request includes the Ruckus-DPSK-Anonce (message 1 of 4 in the WPA2 4-way handshake) and Ruckus-DPSK-EAPOL-Key-Frame (message 2 of 4) VSAs (sub-attributes of Ruckus-DPSK-Params), so it should be possible for the RADIUS server to test against multiple possible PSKs and return the appropriate one.
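The server-side selection described in the post, as an added example (not the poster's code and not Ruckus code): it derives the PMK, builds the 33-byte VSA value, and picks the candidate whose KCK reproduces the MIC of message 2. Assumptions: Ruckus-DPSK-EAPOL-Key-Frame carries the whole EAPOL-Key frame starting at the 802.1X header, Ruckus-DPSK-Anonce is the raw 32-byte ANonce, the handshake uses key descriptor version 2 (HMAC-SHA1 MIC), and the MAC addresses are 6 raw bytes taken from the request; all function names are hypothetical.

```python
import hashlib, hmac, struct

def wpa2_pmk(passphrase, ssid):
    # PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def dpsk_vsa_value(pmk):
    # 0x00 followed by the PMK: 33 bytes, as the post summarises the 3.5.1 guide
    return b"\x00" + pmk

def kck(pmk, ap_mac, sta_mac, anonce, snonce):
    # 802.11i PRF (HMAC-SHA1), first block; the KCK is the first 16 bytes of the PTK
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    msg = b"Pairwise key expansion\x00" + data + b"\x00"
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]

def mic_matches(pmk, ap_mac, sta_mac, anonce, frame):
    # In an EAPOL-Key frame the SNonce sits at offset 17 and the MIC at offset 81
    snonce, mic = frame[17:49], frame[81:97]
    zeroed = frame[:81] + bytes(16) + frame[97:]  # MIC is computed over a zeroed MIC field
    key = kck(pmk, ap_mac, sta_mac, anonce, snonce)
    calc = hmac.new(key, zeroed, hashlib.sha1).digest()[:16]
    return hmac.compare_digest(calc, mic)

def select_dpsk(candidates, ap_mac, sta_mac, anonce, frame):
    # candidates: {label: pmk} the server already holds (group or unbound DPSKs).
    # Returns (label, VSA value) for the PMK the client used, or None to reject.
    if len(frame) < 99 or len(anonce) != 32:
        return None
    for label, pmk in candidates.items():
        if mic_matches(pmk, ap_mac, sta_mac, anonce, frame):
            return label, dpsk_vsa_value(pmk)
    return None

def build_msg2(pmk, ap_mac, sta_mac, anonce, snonce):
    # Constructed sample frame (not a capture): descriptor type 2, key info 0x010A,
    # key length 0, replay counter 1, SNonce, zeroed IV/RSC/reserved/MIC, no key data
    body = (struct.pack(">BHHQ", 2, 0x010A, 0, 1) + snonce
            + bytes(48) + struct.pack(">H", 0))
    frame = struct.pack(">BBH", 1, 3, len(body)) + body
    mic = hmac.new(kck(pmk, ap_mac, sta_mac, anonce, snonce), frame, hashlib.sha1).digest()[:16]
    return frame[:81] + mic + frame[97:]

if __name__ == "__main__":
    ap, sta = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")  # constructed MACs
    pmks = {n: wpa2_pmk(p, "example-ssid") for n, p in [("alice", "alice-pass-1"), ("bob", "bob-pass-22")]}
    frame = build_msg2(pmks["bob"], ap, sta, bytes(range(32)), bytes(range(32, 64)))
    print(select_dpsk(pmks, ap, sta, bytes(range(32)), frame)[0])
```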