The "Limit D-PSK generation per user" feature is case sensitive, allowing more than the actual limit

ken_yeh
New Contributor III
We are testing the "Limit D-PSK generation per user to '#' devices" feature, and it appears that the username field is case sensitive. This means that "username" is counted as a different identity than "Username" or "USERname". I have the Limit D-PSK set to 3 devices max, and when testing this I was surprised that I was able to connect with more than 3 devices. When I looked on the Currently Active Clients I noticed that I had used different capitalization for some of the usernames. When I tried to create more than 3 using the same capitalization scheme, the system worked as expected and would not create an additional D-PSK.

The problem, however, is that an account named "username" can seemingly create an enormous number of D-PSKs, limited only by the number of different capitalization combinations for their username.

How can we prevent this? We are on a ZoneDirector 3100, running version 9.7.1.0 b.17.
5 REPLIES

andrew_bailey_7
New Contributor III
Ken,

I think this was recognised as an issue and resolved in a later release. I can't remember exactly which version but you should be able to find it in the release notes.

Hope that helps,

Andy.

ken_yeh
New Contributor III
Thanks, Andy! Great to hear that it has been resolved!

ken_yeh
New Contributor III
Hmm... unfortunately it appears that the issue has not been fixed as of release 9.8.3.0.14, which is the last version that we can install due to the fact that our ZF7962 APs are not supported beyond this. It is rather disconcerting that an issue like this has been left open for so long. It's been several years since D-PSK was rolled out, yet a firmware released July 2015 still has not patched this security gap.

I can only hope that none of our users discovers this bug and takes advantage of it. Or does anyone have a workaround fix for this issue?

michael_brado
Esteemed Contributor II
Looks like there is an unresolved feature request FR-978, and the underlying problem is that AD's db is not case sensitive.

Ex: Test, test, tEst - are all treated the same on AD, and the same user can download multiple DPSKs even though the 'Limit DPSK to 1 user' feature has been enabled.

I have an inquiry in to product marketing and development engineering, and will let you know.
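The counting defect Ken describes in the opening post, and the case-insensitive directory behaviour Michael points to, can be modelled in a few lines. The Python below is an added example and is not code from this thread, from Ruckus, or from the ZoneDirector firmware; it assumes a per-user counter keyed on the username string, a limit of 3 (the value used in the thread), a hypothetical `normalize_username` helper (NFKC + `casefold`, chosen to match a directory that compares names case-insensitively), and a constructed export format of `(username, mac)` tuples for the audit function. It shows that a raw-string key lets six requests through where a normalized key admits three, and gives an administrator a way to find over-limit identities in an exported client list in the meantime.

```python
"""Simulated per-user D-PSK generation limiter (added example, not Ruckus code).

Models the behaviour reported in the thread: a counter keyed on the raw
username treats "username", "Username" and "USERname" as three different
users, so a cap of 3 devices can be exceeded. Keying the counter on a
normalized identity closes the gap when the backend directory (Active
Directory here, per the thread) matches names case-insensitively anyway.
"""
from collections import defaultdict
import unicodedata

# The "Limit D-PSK generation per user to '#' devices" setting from the thread.
MAX_DEVICES_PER_USER = 3


def normalize_username(name: str) -> str:
    # Hypothetical normalization: AD account names compare case-insensitively,
    # so fold case; NFKC and strip() collapse visually identical variants too.
    return unicodedata.normalize("NFKC", name).strip().casefold()


class DpskLimiter:
    """Per-identity counter. `key` decides what counts as 'the same user'."""

    def __init__(self, limit=MAX_DEVICES_PER_USER, key=lambda name: name):
        self.limit = limit
        self.key = key          # raw string by default (the reported defect)
        self.issued = defaultdict(int)

    def generate(self, username: str) -> bool:
        """Return True if a D-PSK would be issued, False if the limit blocks it."""
        ident = self.key(username)
        if self.issued[ident] >= self.limit:
            return False
        self.issued[ident] += 1
        return True


def issue_for_all(limiter: DpskLimiter, requests) -> int:
    """Number of requests that would be granted a new D-PSK."""
    return sum(limiter.generate(u) for u in requests)


# Constructed sample: one person requesting with differing capitalization.
SAMPLE_REQUESTS = ["username", "Username", "USERname",
                   "username", "USERNAME", "Username"]


def count_case_sensitive(requests=SAMPLE_REQUESTS) -> int:
    # Raw-string key: every spelling is its own bucket, none reaches the cap.
    return issue_for_all(DpskLimiter(), requests)


def count_normalized(requests=SAMPLE_REQUESTS) -> int:
    # Normalized key: all spellings share one bucket, capped at the limit.
    return issue_for_all(DpskLimiter(key=normalize_username), requests)


def audit_active_clients(records):
    """Administrator-side check over an exported client list (constructed
    format: iterable of (username, mac) tuples). Groups devices by normalized
    identity and returns identities holding more devices than the limit."""
    per_identity = defaultdict(set)
    for username, mac in records:
        per_identity[normalize_username(username)].add(mac)
    return {ident: sorted(macs)
            for ident, macs in per_identity.items()
            if len(macs) > MAX_DEVICES_PER_USER}


if __name__ == "__main__":
    print("granted with raw-string key :", count_case_sensitive())   # 6
    print("granted with normalized key :", count_normalized())       # 3
    constructed_export = [
        ("username", "00:11:22:33:44:01"), ("Username", "00:11:22:33:44:02"),
        ("USERname", "00:11:22:33:44:03"), ("USERNAME", "00:11:22:33:44:04"),
        ("bob", "00:11:22:33:44:05"),
    ]
    print("over-limit identities       :", audit_active_clients(constructed_export))
```

The `audit_active_clients` pass is the practical part for someone stuck on a firmware without the fix: run it over the Currently Active Clients export (or the D-PSK list) periodically and the differently-capitalized entries belonging to one account surface as a single over-limit identity rather than four separate users under the cap.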