Creating a Network That Uses a Dynamic Pre-Shared Key

You can create a network in which clients authenticate with a unique passphrase generated by using dynamic pre-shared key (DPSK).

Complete the following steps to create a DPSK-protected network.
Note: For DPSK settings, WPA2/WPA3 mixed mode as the Security Protocol is currently available only to administrators who have opted into the RUCKUS One Beta Program. To participate, on the navigation bar, click Administration > Account Management > Settings > Enable RUCKUS One Beta Features, and then review and accept the RUCKUS One Beta Terms and Conditions. For more information, refer to Setting up Your Account.
  1. On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
    The Networks page is displayed.
  2. Click Add Wi-Fi Network. Alternatively, select a DPSK network setting that you want to copy and click Clone at the top of the table.
    The Create New Network page is displayed.
  3. Complete the following settings in the Network Details page.
    • Network Name: Enter a name (up to 32 characters) that you want to assign to the network.
    • Set different SSID: Use this option to configure the SSID different from the network name.
    • Description: Enter a description (up to 64 characters) to help you identify the network.
    • Network Type: Select Dynamic Pre-Shared Key (DPSK).
    When the network type is selected, a structure diagram of a DPSK type of network displays.
  4. Click Next.
    The DPSK Settings page is displayed.
    DPSK Settings Page
  5. Complete the settings on the DPSK Settings page.
    • Security Protocol: Select WPA or WPA2 (Recommended) from the drop-down list. By default, WPA2 (Recommended) is selected.
    • WPA2 (Recommended) is strong Wi-Fi security that is widely available on all mobile devices manufactured after 2006. WPA2 should be selected unless you have a specific reason to choose otherwise.
    • WPA3 is the highest level of Wi-Fi security available but is supported only by devices manufactured after 2019.
    • WPA2/WPA3 mixed mode supports both WPA3, which is the highest level of Wi-Fi security available, and WPA2, which is still common and still provides good security. In general, mobile devices manufactured after 2006 support WPA2 and devices manufactured after 2019 support WPA3.
      Note: Wi-Fi 6E clients must connect on 2.4 GHz or 5 GHz to bind the passphrase first, and then connect to the service DPSK network on the 6 GHz radio.
    • WPA security can be configured if you have older devices that do not support WPA2. These devices were likely manufactured before 2006. RUCKUS recommends that you upgrade or replace the older devices. 6 GHz radios are supported with WPA3 only.
    • WEP: RUCKUS does not recommend using WEP to secure your wireless network because it might be insecure and could be exploited easily. RUCKUS One offers WEP to enable customers with very old devices (that are difficult or expensive to replace) to continue using those devices to connect to the wireless network. If you must use WEP, do not use the devices using WEP to transmit sensitive information over the wireless network. 6 GHz radios are supported with WPA3 only.
    • Use the DPSK Service: Select the radio button to enable this option and configure the DPSK Service. This option is disabled if you enable the Use the RADIUS Server option.
      • DPSK Service: Select the existing DPSK service from the drop-down list or complete the following steps to add a new DPSK service.
        1. Click Add DPSK Service and configure a new DPSK service. For more information, refer to Adding a DPSK Service.
    • Use the RADIUS Server: Select the radio button to enable this option and configure the RADIUS Server.
      Note: This option is grayed out if you select the Security Protocol as WPA2/WPA3 mixed mode.
      • Authentication Service: Select the existing RADIUS Server from the drop-down list or complete the following steps to add a new RADIUS Server.
        1. Click Add Server and configure a new RADIUS Server. For more information, refer to Creating a Radius Server Profile.
      • Proxy Service: By default, Proxy Service is enabled. A proxy for a RADIUS server acts as an intermediary to handle authentication and accounting requests.
        Note: The Authentication Service is supported in both proxy and non-proxy modes, while the Accounting Service is supported only in proxy mode.
      • Accounting Service: Toggle the switch to ON to enable this option and select the existing RADIUS Server from the drop-down list or complete the following steps to add a new RADIUS Server.
        1. Click Add Server and configure a new RADIUS Server. Refer to Creating a Radius Server Profile.
  6. By default, the VLAN tab is selected. Complete the following VLAN settings:
    • VLAN Pooling: Toggle switch to ON to enable the VLAN pooling.
    • Select VLAN Pooling: Select a VLAN pool from the drop-down list or complete the following steps to add a new VLAN pool.
      1. Click Add Pool and configure a new VLAN pool. Refer to Creating a VLAN Pool.
    • VLAN ID: Type the VLAN ID number (default is 1) that you want to assign to this network. The valid range is from 1 to 4094. VLAN ID option is not available if VLAN Pooling is enabled. VLAN ID option is disabled if you enable the Enable RUCKUS DHCP service option.
    • Dynamic VLAN: By default, Dynamic VLAN is enabled.
    • Proxy ARP: Toggle the switch to ON to enable the proxy ARP.
  7. Select the Network Control tab and complete the following services settings:
    Network Control
    • DNS Proxy: Toggle switch to ON to enable the DNS proxy.
      DNS Proxy Dialog Box
      1. Select a DNS Proxy from the table or add a new DNS proxy.
      2. Click Add Rule to add a new DNS proxy. The Add DNS Proxy Rule dialog box is displayed.
        Adding DNS Proxy Rule
      3. Complete the following fields:
        • Domain Name: Enter a domain name for the DNS proxy rule.
        • IP Addresses: Enter an IP address.
      4. Click Add, to add the domain name and IP address to the table.
      5. Click Save.
      6. Click OK.
    • Wi-Fi Calling: Toggle switch to ON to enable the Wi-Fi Calling.
      Wi-Fi Calling Dialog Box
      1. Click Select Profiles. The Select Wi-Fi Calling Profiles dialog box is displayed.
        Selecting Wi-Fi Calling Profiles
      2. Select the profiles in the Available Profiles table and click Add to move the selected profile to the Selected Profiles table. To remove the profiles from the Selected Profiles table, select the profiles in the Selected Profiles table and click Remove.
      3. Click Save.
    • Client Isolation: Toggle switch to ON to enable the client isolation.
      Client Isolation
      1. Complete the following fields:
        • Isolation Packets: Select Unicast, Multicast/broadcast, or Unicast and Multicast/broadcast.
        • Automatic support for VRRP/HSRP: Set the switch to ON to enable the automatic support for VRRP/HSRP.
        • Client Isolation Allowlist by Venue: Set the switch to ON to enable the client isolation allowlist by venue.
    • Anti-spoofing: Toggle switch to ON to enable the anti-spoofing.
      Anti-spoofing
      1. Complete the following fields:
        • ARP request rate limit: Enter the ARP request rate limit.
        • DHCP request rate limit: Enter the DHCP request rate limit.
    • Enable logging client data to external syslog: Enable this option to log client data to an external syslog.
    • Under DHCP, enable the Force DHCP feature. This feature is disabled if you enable the Anti-spoofing feature.
    • Under DHCP, enable the DHCP Option 82 feature. DHCP Option 82 allows a DHCP Relay Agent to insert circuit-specific information into a request that is being forwarded to a DHCP server. This option works by setting two sub-options: Circuit ID and Remote ID. The insertion of DHCP Option 82 information is now supported for wireless clients in RUCKUS One. By default, this feature is disabled.
      Configuring DHCP Option 82
    • Access Control: Toggle the Access Control switch to ON to enable the access control policy feature.
      Access Control
      • Complete the following steps to create a new access control policy:
        1. Toggle the Access Control switch to enable the access control feature. By default this feature is disabled.
          Enabling Access Control
        2. (Optional) Select a policy from the Access Control Policy drop-down.
        3. (Optional) Click Add to add an access control policy.
        4. (Optional) Click Select Separate Profiles to select another access control policy. For more information, refer to Creating an Access Control Policy.
        5. (Optional) Click Save as AC Policy to display the Add Access Control Policy dialog box and create a new access control policy.
          Adding an Access Control Policy
        6. For Policy Name, enter a name.
        7. For Description, enter a short description for the policy.
        8. Configure Layer 2, Layer 3, Device & OS, Applications, and Client Rate Limit. For more information, refer to Creating an Access Control Policy.
        9. Click Save as AC Profile to create a new Access Control policy.
        10. If you want to cancel the Access Control Policy selection, click Select separate profiles to exit from the Select Access Control Profile.
  8. Select the Radio tab and complete the following radio settings:
    Radio Settings
    1. Complete the following fields:
      • Hide SSID: Select this feature to hide SSID.
      • Load Control: Complete the following fields:
        • Max Rate: Choose one of the following options from the drop-down list:
          • Unlimited—no limits on bandwidth allocation.
          • Per AP—The max bandwidth allocation limit of all connections to that specific network on the AP. If selected, two other options appear, Upload Limit and Download Limit. If either (or both) boxes are checked, a sliding scale appears and you can drag your cursor along the line to choose the Mbps limits.
        • Max clients per radio: Limit the number of clients that can associate with this network per AP radio (default is 100).
        • Enable load balancing between all radios: Select this check box to enable load balancing for all radios. Load balancing helps improve network performance by helping to spread the client load between the radios on the AP.
        • Enable load balancing between APs: Select this check box to spread the client load between nearby access points, so that one AP does not get overloaded while another sits idle.
      • OFDM only (Disables 802.11b): Select the check box to enable this option. Enabling this option disables CCK rates of 1, 2, 5.5, and 11 Mbps, so no 802.11b-only clients can connect. Beacons and probe responses will be transmitted at 6 Mbps, and data frames at 6, 9, 18, 24, 36, 48, and 54 Mbps. Enforcing higher minimum data rates increases overall network throughput capacity, but reduces the distance at which clients are able to remain connected.
        OFDM Settings
      • Data Rate Control (2.4 GHz & 5 GHz): Configure the following:
        • BSS Min Rate: Select None, 12 Mbps, or 24 Mbps from the drop-down list. Use this option to configure the minimum transmission rate supported by the network. If OFDM Only is enabled, the only valid options are 12 Mbps and 24 Mbps, with Mgmt Tx frames fixed at 6 Mbps. This option can also be used to prevent 11b clients from connecting, and to allow greater client density with higher data rates.
        • Mgt Tx Rate: Select 1, 2, 5.5, 6, 9, 11, 12, or 18 Mbps from the drop-down list. This option is only available if both Enable OFDM only and BSS Min Rate are disabled. (Otherwise, the Mgmt Tx Rate is defined by those settings.) Use this setting to configure the rate at which management frames are sent. The default is 6 Mbps.
  9. Select the Networking tab and configure the following.
    Networking Settings
    • Enable Agile Multi-Band (AMB): Introduced by the Wi-Fi Alliance, Agile Multiband is a collection of features designed to improve resource utilization, balance Wi-Fi load, increase capacity, and provide the best possible Wi-Fi experience. AMB configures WLANs to send IE Multi Band Operation announcements that include beacon reporting, channel non-preference, cellular capability, and association disallow. It interoperates with existing load balancing protocols including 802.11k and 802.11r.
    • Enable 802.11k neighbor reports: Select the check box to enable this option. Enhances roaming by providing a list of neighbor APs to the client device.
    • Enable 802.11d: Select the check box to enable this option. Allows the AP to support multiple regulatory domains by the addition of a country information element to beacons, probe requests, and probe responses.
    • Enable 802.11r Fast BSS Transition: 802.11r Fast BSS Transition is a fast roaming protocol that reduces the number of frame exchanges required for roaming and allows the clients and APs to reuse the master keys obtained during a prior authentication exchange.
    • Client Inactive Timeout: Enter the duration in seconds. This option disables the client if the client is inactive for the configured duration.
    • Directed MC/BC Threshold: Enter the client count. This value is the number of clients on a radio at which the AP stops converting group-addressed data traffic to unicast.
    • Airtime Decongestion: Set the switch to ON to activate the airtime decongestion feature.
    • Join RSSI Threshold: Set the switch to ON and then enter the threshold value. This option is disabled if you enable the Airtime Decongestion option.
    • Transient Client Management: Set the switch to ON and then configure parameters for Join Wait Time, Join Expire Time, and Join Wait Threshold.
      Transient Client Management
    • Optimized Connectivity Experience (OCE): Set the switch to ON and then configure parameters for Broadcast Probe Response Delay and RSSI-Based Association Rejection Threshold.
      Optimized Connectivity Experience (OCE)
    • Select the AP Host Name Advertisement in Beacon check box to enable the feature. When this feature is enabled, the AP will take the configured host name and insert it as a separate vendor-specific IE in beacon and probe response frames, which will be used by our partners to identify the AP by name.
    • Enable the GTK Rekey option. This feature enables periodic generation of a new group key for secure multicast and broadcast traffic.
    • Enable the Multicast Filter feature. By default, this feature is disabled. When the Multicast Filter option is enabled on an AP, it drops all IPv4 and IPv6 multicast and broadcast traffic from associated wireless clients, except for the following, which form the "multicast filter bypass" list. Note that downstream multicast is unaffected.
      • ARP Request
      • DHCPv4 Request
      • DHCPv6 Request
      • IPv6 NS
      • IPv6 NA
      • IPv6 RS
      • IGMP
      • MLD
      • All unicast packets

      Multicast Filter and Multicast Rate Limiting are mutually exclusive features. From the RUCKUS One web interface, you cannot enable them at the same time.

    • Enable the Multicast Rate Limiting feature. Multicast rate limiting and multicast filtering are mutually exclusive features. SSID rate limiting always takes precedence if multicast rate limiting is also configured. Multicast downlink rate limiting should not be greater than 50% of the BSS min rate.
    • Basic Service Set: Choose the BSS priority as High or Low.
      Note: The BSS priority configuration is applied to uplink traffic only.
    • Wi-Fi 7: Toggle the Enable Wi-Fi 7 switch to ON (enabled by default). Toggle the Enable Multi-Link operation (MLO) switch to ON.
      Note: In a DPSK network, if the Security Protocol is configured as WPA2/WPA3 mixed mode, the Multi-Link operation (MLO) feature is currently not supported. Therefore, the Enable Multi-Link operation (MLO) option is displayed as greyed out.
      Wi-Fi 7 Configurations
  10. Select the Advanced tab and configure DTIM, QoS Mirroring, and QoS Map Set.
    1. Set the DTIM (Delivery Traffic Indication Message) Interval by dragging the slider between Lower latency and Longer client battery life. The valid range is from 1 through 255.
    2. Toggle the QoS Mirroring switch to enable the feature and configure the QoS mirroring scope. From the QoS Mirroring Scope drop-down, select one of the following options:
      Note: QoS Mirroring allows an AP to use a client's uplink Quality of Service (QoS) classification (voice, video, best effort, or background) to classify the client device's downlink packets in the mirrored (reverse direction) stream. The AP assigns the downlink packets to the same QoS category as the uplink packets. By default, this feature is enabled. This QoS Mirroring is supported only on the APs that are running RUCKUS One AP firmware version 7.0 or higher.
      • MSCS requests only: When selected, QoS mirroring is enabled only for clients that send mirrored stream classification service (MSCS) requests. This is the default setting.
      • All clients: When selected, QoS mirroring is enabled for all clients.
      Configuring QoS Mirroring
    3. Toggle the QoS Map Set switch to enable QoS Map Set and configure the feature. The QoS Map Set feature reprioritizes downlink packets based on the configured mappings. When an AP receives a downlink packet, it checks the existing DSCP (Layer 3 QoS) marking, compares it to this map set, and changes the user priority (Layer 2 QoS) values for transmission by the AP. QoS map settings can be customized and applied per WLAN. From the Priority list, select a priority and click Next. To edit the QoS Map Set, select a priority from the list and click Edit. In the Edit QoS Map page, configure the DSCP Range and Exception DSCP Values. You can enter multiple exception DSCP values separated by commas.
      Configuring QoS Map Set
  11. Click Next.
    The Venues page is displayed.
    Venues Page
  12. Complete the following steps to configure a venue:
    1. Select the venues in which you want to activate this network:
      • To activate the network in all of your venues, select the check box beside Venue at the top of the table and click Activate.
      • To activate the network in a specific venue, locate the venue from the list, and set the switch to ON in the Activated column.

      The APs, Radio, and Scheduling of the selected venue are displayed in the table.

      Select Venues
    2. By default, this network configuration is applicable for all APs and with Radio Band of 2.4 and 5 GHz. To select specific AP groups and modify Radio Band, complete the following steps:
      1. Click All APs in the APs column. The Select APs dialog box is displayed, with the option to activate this network on all current and future APs at this venue. You can also choose a radio band of 2.4 GHz, 5 GHz, or both.
        Select APs Dialog Box
      2. Click Select specific AP groups to activate this network on specific AP groups including any AP that is added to selected AP groups in the future. The APs not assigned to any group option is displayed. After APs not assigned to any group is selected, VLAN and Radio Band options are displayed:
        Select specific AP groups
      3. In the VLAN option, by default VLAN-1 is selected. Click the Edit (pencil) icon and configure the VLAN or VLAN pool for the selected AP group.
      4. In the Radio Band option, select 2.4 GHz, 5 GHz, or both 2.4 and 5 GHz from the drop-down list for the selected AP group.
      5. Click Apply.
    3. By default, this network configuration is scheduled for 24/7. To configure the Scheduling, complete the following steps:
      1. Click 24/7 in the Scheduling column. The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed. You can keep the 24/7 schedule or follow the steps below to customize the schedule.
        Schedule for Network Dialog Box
        1. Click Custom Schedule.
        2. Customize the network schedule as per your requirement. You can configure the schedule for Monday through Sunday and from midnight to midnight (from 00:00 hours through 23:59 hours). For more information, click See tips. The Network Scheduler Tips dialog box is displayed.
          Network Scheduler Tips
        3. Click OK to close the Network Scheduler Tips dialog box.
        4. Click Apply.
  13. Click Next.
    The Summary page is displayed.
  14. Review the settings that you configured.
  15. Click Add.
    The newly added DPSK network is displayed in the Wi-Fi Network List page.
    DPSK Wi-Fi Networks
  16. Click Show Onboard Network to view the onboarding SSID.
    The onboarding network details are displayed.
    Displaying Onboarding Networks
    Note: The following are a few DPSK network-related known limitations:
    • An administrator cannot modify the Intermediate DPSK WLAN configuration.
    • Because of the deployment limitation for 6 GHz, when both 2.4 GHz and 5 GHz services are turned off, a client cannot bind the passphrase with the DPSK service.
    • If a client does not follow the 802.11v BTM request, the client might not behave as expected.
    • When the DPSK network with the Security Protocol configured as WPA2/WPA3 mixed mode is removed, the onboarding network is also removed.
    • Currently, the DPSK network does not support external authentication via external Cloudpath.
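
The procedure above states a number of ranges and mutually exclusive settings across its steps. The following pre-change check collects them in one place; it is an added example, not RUCKUS code, and the dictionary keys are hypothetical names for the UI fields rather than a RUCKUS One API schema.

```python
# Added example: the keys are hypothetical names for the UI fields on this page,
# not a RUCKUS One API schema. Each rule encodes one constraint the page states.
MIXED = "WPA2/WPA3 mixed mode"


def lint_dpsk_network(cfg):
    """Return [(rule_id, message), ...] for settings that conflict."""
    g = cfg.get
    proto = g("security_protocol", "WPA2")
    bands = set(g("radio_bands", ("2.4", "5")))
    bss_min = g("bss_min_rate_mbps")            # None, 12 or 24
    mc_limit = g("multicast_downlink_limit_mbps")
    pooling = g("vlan_pooling", False)
    rules = [
        ("NAME_LEN", len(g("name", "")) > 32,
         "network name is limited to 32 characters"),
        ("DESC_LEN", len(g("description", "")) > 64,
         "description is limited to 64 characters"),
        ("LEGACY_PROTO", proto in ("WEP", "WPA"),
         "WEP/WPA are for legacy devices only; WPA2 or newer is recommended"),
        ("AUTH_SOURCE", g("use_dpsk_service", False) and g("use_radius", False),
         "DPSK Service and RADIUS Server cannot both be selected"),
        ("MIXED_RADIUS", proto == MIXED and g("use_radius", False),
         "RADIUS Server is unavailable with WPA2/WPA3 mixed mode"),
        ("MIXED_MLO", proto == MIXED and g("mlo", False),
         "MLO is not supported with WPA2/WPA3 mixed mode"),
        ("SIXGHZ_PROTO", "6" in bands and proto in ("WEP", "WPA", "WPA2"),
         "6 GHz radios are supported with WPA3 only"),
        ("SIXGHZ_ONLY", bands == {"6"},
         "clients bind the passphrase on 2.4/5 GHz first; keep one enabled"),
        ("VLAN_ID_POOL", pooling and "vlan_id" in cfg,
         "VLAN ID is not available when VLAN Pooling is enabled"),
        ("VLAN_ID_RANGE", not pooling and not 1 <= g("vlan_id", 1) <= 4094,
         "VLAN ID must be in the range 1 to 4094"),
        ("FORCE_DHCP", g("force_dhcp", False) and g("anti_spoofing", False),
         "Force DHCP is disabled when Anti-spoofing is enabled"),
        ("MC_EXCLUSIVE", g("multicast_filter", False)
         and g("multicast_rate_limiting", False),
         "Multicast Filter and Multicast Rate Limiting are mutually exclusive"),
        ("MC_RATE", mc_limit is not None and bss_min is not None
         and mc_limit > 0.5 * bss_min,
         "multicast downlink limit should not exceed 50% of BSS min rate"),
        ("JOIN_RSSI", g("join_rssi_threshold") is not None
         and g("airtime_decongestion", False),
         "Join RSSI Threshold is disabled when Airtime Decongestion is on"),
        ("DTIM_RANGE", not 1 <= g("dtim_interval", 1) <= 255,
         "DTIM interval must be in the range 1 to 255"),
    ]
    return [(rid, msg) for rid, hit, msg in rules if hit]


# Constructed sample plan, not taken from any real deployment.
SAMPLE = {
    "name": "corp-dpsk", "security_protocol": MIXED,
    "use_radius": True, "mlo": True, "radio_bands": ["2.4", "5", "6"],
    "vlan_id": 4095, "force_dhcp": True, "anti_spoofing": True,
    "multicast_filter": True, "multicast_rate_limiting": True,
    "bss_min_rate_mbps": 12, "multicast_downlink_limit_mbps": 8,
    "dtim_interval": 1,
}

if __name__ == "__main__":
    for rule_id, message in lint_dpsk_network(SAMPLE):
        print(f"{rule_id}: {message}")
```

Running the check against a planned configuration before entering it in the web interface surfaces options that the interface would otherwise grey out or silently override.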