We are testing the "Limit D-PSK generation per user to '#' devices" feature, and it appears that the username field is case sensitive. This means that "username" is counted as a different identity than "Username" or "USERname". I have the Limit D-PSK set to 3 devices max, and when testing this I was surprised that I was able to connect with more than 3 devices. When I looked on the Currently Active Clients I noticed that I had used different capitalization for some of the usernames. When I tried to create more than 3 using the same capitalization scheme, the system worked as expected and would not create an additional D-PSK.
The problem, however, is that an account named "username" can seemingly create an enormous number of D-PSKs, limited only by the number of different capitalization combinations for their username.
How can we prevent this? We are on a ZoneDirector 3100, running version 22.214.171.124 b.17.
Hmm... unfortunately it appears that the issue has not been fixed as of release 126.96.36.199.14, which is the last version that we can install due to the fact that our ZF7962 APs are not supported beyond this. It is rather disconcerting that an issue like this has been left open for so long. It's been several years since D-PSK was rolled out, yet a firmware released July 2015 still has not patched this security gap.
I can only hope that none of our users discovers this bug and takes advantage of it. Or does anyone have a workaround fix for this issue?
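The behaviour described in the thread, as an added example that is not part of the original posts: a small Python model of a per-user D-PSK limit, once keyed on the raw username (the case-sensitive counting the poster observed) and once on a case-folded, Unicode-normalized key. The registry class, the function names and the sample username "username" are assumptions for illustration only; none of this is ZoneDirector code, and the PSK generator is a placeholder.

```python
"""Model of a per-user D-PSK limit, case-sensitive vs. normalized.

Hypothetical example; not Ruckus/ZoneDirector code. It shows why counting
issued keys by the raw username lets one account exceed the limit by
varying capitalization, and how keying on a normalized username closes it.
"""
from collections import defaultdict
import itertools
import secrets
import unicodedata


def case_variants(username):
    """Every capitalization of `username` (2**n spellings for n letters).

    This is the space an attacker enumerates when the limit is keyed on the
    raw string: each spelling is treated as a brand-new user.
    """
    options = [(c.lower(), c.upper()) if c.isalpha() else (c,) for c in username]
    return sorted({"".join(p) for p in itertools.product(*options)})


def raw_key(username):
    """Vulnerable key: the username exactly as typed."""
    return username


def normalized_key(username):
    """Hardened key: NFKC-normalize, then casefold.

    casefold() is stronger than lower() (it folds e.g. German sharp s), and
    NFKC collapses compatibility forms so look-alike spellings also merge.
    """
    return unicodedata.normalize("NFKC", username).casefold()


class DpskRegistry:
    """Issues per-device PSKs and enforces a per-user cap.

    `key_fn` decides what counts as "the same user"; that choice is the
    whole difference between the broken and the fixed behaviour.
    """

    def __init__(self, limit, key_fn):
        self.limit = limit
        self.key_fn = key_fn
        self.issued = defaultdict(list)

    def issue(self, username):
        """Return a new PSK for `username`, or None if the user is at the cap."""
        key = self.key_fn(username)
        if len(self.issued[key]) >= self.limit:
            return None
        psk = secrets.token_urlsafe(24)  # placeholder; real D-PSK derivation differs
        self.issued[key].append(psk)
        return psk


def count_issued(usernames, limit, key_fn):
    """How many of the given login attempts actually receive a PSK."""
    registry = DpskRegistry(limit, key_fn)
    return sum(1 for u in usernames if registry.issue(u) is not None)


def demo(limit=3, username="username"):
    """Run both policies over every capitalization of one account."""
    variants = case_variants(username)
    return {
        "variants": len(variants),
        "case_sensitive": count_issued(variants, limit, raw_key),
        "normalized": count_issued(variants, limit, normalized_key),
    }


if __name__ == "__main__":
    print(demo())
```

With the limit at 3, the raw-keyed registry hands out one PSK per spelling (256 for the eight-letter "username"), while the normalized registry stops at 3. The same normalization has to be applied at every point the controller keys on the username: at issue time, when counting existing keys, and when displaying active clients, otherwise the count and the enforcement can still disagree.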