Documentation for external DPSK in Unleashed

eddie_k_5vv41lg
New Contributor II
From the Unleashed 200.7.10.102.64 release notes (released April 17, 2019):

Enhancements in Release 200.7.10.102.64
  • ...

    External DPSK: Dynamic PSKs can now be created for clients authenticated via external RADIUS server, in addition to internal database.

Unfortunately, I'm not seeing any documentation about this in the Unleashed 200.7 manual. Searching the Ruckus support portal, I do see that there is what appears to be a relevant KB article called "External DPSKs over Radius Server" at https://support.ruckuswireless.com/articles/000009006. However, accessing it requires a support contract which I don't have. Since there doesn't appear to be any other documentation about this (including the Unleashed manual, which *is* made publicly available with only a free registration and no support contract), is it possible this KB could be made public? I realize the KB entry probably pertains to one of the controller-based Ruckus products, but I suspect the implementation details (i.e. the RADIUS attributes) are going to be the same.

I've tried to infer the details myself but haven't had any luck so far. The way I would expect this feature to work is to have the RADIUS server respond with the plaintext DPSK for the user (identified by client MAC address); the WPA2 4-way handshake means the AP doesn't have the plaintext of the PSK the client entered. There are two VSAs that would seem relevant, Ruckus-Dpsk and Ruckus-DPSK-Params. In my testing of trying to authenticate against an SSID with external DPSK enabled, I can see the AP sends an Access-Request with the username and password set to the client MAC address and the Ruckus-DPSK-Params VSA (which is a TLV with 4 sub-attributes: Ruckus-DPSK-AKM-Suite, Ruckus-DPSK-Cipher, Ruckus-DPSK-Anonce, and Ruckus-DPSK-EAPOL-Key-Frame). Returning an Access-Accept with Ruckus-Dpsk set to the desired DPSK (in plain text) only seems to result in an infinite loop of the AP making the same Access-Request over and over again.
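An added illustration (not part of the original post and not Ruckus code) of why a server that holds several candidate DPSKs would need the ANonce and the client's EAPOL-Key frame: under standard WPA2-PSK, the passphrase the client typed can only be identified by recomputing the handshake MIC. It assumes the PSK AKM with an HMAC-SHA1 MIC, a simplified message 2, and that the server also knows the SSID and AP MAC; every function name and sample value is constructed.

```python
import hashlib
import hmac

MIC_OFF, NONCE_OFF = 81, 17  # field offsets in an EAPOL-Key frame, 4-byte EAPOL header included

def kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Passphrase -> PMK (PBKDF2) -> first 16 bytes of the PTK, the key confirmation key."""
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    block0 = hmac.new(pmk, b"Pairwise key expansion\x00" + data + b"\x00", hashlib.sha1)
    return block0.digest()[:16]

def mic(key, frame):
    """HMAC-SHA1 over the frame with its MIC field zeroed, truncated to 16 bytes."""
    zeroed = frame[:MIC_OFF] + bytes(16) + frame[MIC_OFF + 16:]
    return hmac.new(key, zeroed, hashlib.sha1).digest()[:16]

def match_dpsk(dpsks, ssid, ap_mac, sta_mac, anonce, frame):
    """Return the owner of the DPSK that reproduces the client's MIC, else None."""
    snonce = frame[NONCE_OFF:NONCE_OFF + 32]
    sent = frame[MIC_OFF:MIC_OFF + 16]
    for owner, passphrase in dpsks.items():
        key = kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(mic(key, frame), sent):
            return owner
    return None

def build_msg2(passphrase, ssid, ap_mac, sta_mac, anonce, snonce):
    """Constructed handshake message 2 (no key data), as the client would send it."""
    body = (b"\x02" + b"\x01\x0a" + bytes(2) + (1).to_bytes(8, "big") + snonce
            + bytes(16 + 8 + 8) + bytes(16) + bytes(2))
    frame = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    tag = mic(kck(passphrase, ssid, ap_mac, sta_mac, anonce, snonce), frame)
    return frame[:MIC_OFF] + tag + frame[MIC_OFF + 16:]

# Constructed sample values, not taken from the thread.
SSID = "homelab"
AP, STA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
DPSKS = {"alice": "correct-horse-1", "bob": "battery-staple-2"}

if __name__ == "__main__":
    frame = build_msg2(DPSKS["bob"], SSID, AP, STA, ANONCE, SNONCE)
    print(match_dpsk(DPSKS, SSID, AP, STA, ANONCE, frame))   # bob
    wrong = build_msg2("not-provisioned", SSID, AP, STA, ANONCE, SNONCE)
    print(match_dpsk(DPSKS, SSID, AP, STA, ANONCE, wrong))   # None
```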
5 REPLIES

Or did you buy your APs on the "grey" market, and re-flash them with free Unleashed code?

It was purchased used, which I'm sure Ruckus would term "grey market," so I doubt it will be eligible for any kind of support contract; I know it's not eligible for any warranty. That's why I've been clear in looking for only documentation (which pretty much every enterprise network vendor, including Cisco, Juniper, and Aruba, makes available publicly without a support contract), not personalized help. This AP is for my homelab, not any kind of mission-critical or commercial setup, so the lack of a warranty or personalized support isn't an issue.