Creating a Network That Uses a Dynamic Pre-Shared Key
You can create a network that uses Dynamic Pre‑Shared Key (DPSK) authentication, which dynamically creates a unique passphrase for each user to connect to the network.
DPSK provides secure network access by leveraging WPA or WPA2 security protocols. DPSK3 is the next‑generation evolution of DPSK, available in both proxy and non‑proxy modes, and leverages WPA3 for improved security while retaining the flexibility and individualized access of DPSK. DPSK3 supports advanced security and seamless user and device management and maintains backward compatibility with WPA2 devices.
Consider the following requirements and limitations when configuring a DPSK network:
- External RADIUS Requirement: The external RADIUS server must be RUCKUS Cloudpath to ensure seamless integration and certificate-based security.
- RadSec Support: RadSec (RADIUS over TLS) is supported only in proxy mode, providing encrypted communication between the AP and the RADIUS server.
- Security Protocol Requirement: The security protocol must be WPA2/WPA3 Mixed Mode to enable compatibility with external RADIUS (Cloudpath) in proxy mode. For WPA or WPA2, the external RADIUS server can be a regular RADIUS or Cloudpath server. For WPA2/WPA3 Mixed Mode, the external RADIUS server must be Cloudpath. This requirement applies to both proxy and non‑proxy modes.
- Access Point Requirements: APs must be Wi-Fi 6, 6E, or 7 and running firmware version 7.0.0.103.292 or later.
- DSAE Limitation: 6 GHz-only operation is not supported. To use the 6 GHz band, APs must operate in combination with other radio bands (for example, 2.4 GHz or 5 GHz).
- On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
The Networks page is displayed.
- Click Add Wi-Fi Network. Alternatively, select a DPSK network setting that you want to copy and click Clone at the top of the table.
The Create New Network page is displayed.
- Complete the following settings on the Network Details page.
- Network Name: Enter a name (2–32 characters) for the network. By default, this name is also used as the SSID.
- (Optional) Set different SSID: Click Set different SSID to configure an SSID that differs from the network name. The SSID field is displayed.
- SSID: Enter an SSID name (2–32 characters; up to 32 bytes for UTF‑8 non‑Latin characters).
- (Optional) Description: Enter a description to help you identify the network.
- Network Type: Select Dynamic Pre-Shared Key (DPSK).
The structure diagram of a Dynamic Pre-Shared Key (DPSK) network is displayed.
Note: If you used the Clone option, the Network Type is already set to Dynamic Pre-Shared Key (DPSK).
- Click Next.
The DPSK Settings page is displayed.
DPSK Settings Page
- (Optional) Security Protocol: Select the Security Protocol method. The options include the following:
- WPA2 (Recommended) (default): Select WPA2 (Recommended) to provide strong Wi‑Fi security and support most devices manufactured after 2006.
When you select WPA2 (Recommended), the following options appear:
- Use the DPSK Service
- Use RADIUS Server
The network supports 6 GHz radios only when WPA3 is selected.
- WPA: Select WPA only to support legacy devices that do not support WPA2 and were manufactured before 2006. RUCKUS recommends upgrading or replacing these devices because WPA provides weaker security than newer standards.
When you select WPA, the following options appear:
- Use the DPSK Service
- Use RADIUS Server
The network supports 6 GHz radios only when you select WPA3.
- WPA2/WPA3 mixed mode: Select WPA2/WPA3 mixed mode to allow devices to connect using either WPA3 or WPA2, enabling compatibility for mixed device environments. WPA3 provides the highest available level of Wi‑Fi security, and WPA2 remains widely supported. This mode applies only to supported AP models. The configuration does not apply to unsupported AP models.
When you select WPA2/WPA3 mixed mode, the following options appear:
- Use the DPSK Service
- Use RADIUS Server (Cloudpath Server Only)
Note:
- To enable Use RADIUS Server (Cloudpath Server Only), you must select WPA2/WPA3 mixed mode.
- When you use Dynamic Pre‑Shared Key (DPSK) with WPA3 encryption, the network operates as a DPSK3‑secured network.
- Wi‑Fi 6E clients must first connect by using the 2.4 GHz or 5 GHz band to bind the passphrase and then connect to the DPSK service network by using the 6 GHz radio.
- Most devices manufactured after 2006 support WPA2, and devices manufactured after 2019 typically support WPA3.
- Use the DPSK Service: Select this radio button to enable DPSK authentication and configure the DPSK service.
- DPSK Service: Select an existing DPSK service from the drop‑down list or click Add DPSK Service to create a new service in the Add DPSK service dialog box. Refer to Adding a DPSK Service for more information.
- Accounting Service: Toggle the switch on to enable this option and select the existing RADIUS Server from the Accounting Server drop-down list.
If the server is not available, you can create a new one: click Add Server, complete the fields in the Add AAA server sidebar, and click Add. Then select the newly created RADIUS server from the drop‑down list. Refer to Adding and Managing a RADIUS Server.
- Proxy Service: Toggle the switch on to enable the proxy service.
Note: Use the controller as a proxy in 802.1X networks. When access points send authentication and accounting messages to the controller, the controller forwards these messages to an external AAA server.
Note: DPSK networks using WPA2/WPA3 mixed mode support only a Cloudpath RADIUS server configured in proxy mode with RadSec enabled.
- Use the RADIUS Server: Select this radio button to enable RADIUS‑based authentication.
- Use RADIUS Server (Cloudpath Server Only): This option appears only when WPA2/WPA3 mixed mode is selected and allows authentication through a Cloudpath RADIUS server.
For DPSK networks that use WPA2/WPA3 mixed mode, only a Cloudpath RADIUS server configured in proxy mode or non‑proxy mode with the Enable RadSec (over TLS) option disabled is supported.
RUCKUS One extends DPSK functionality by integrating with Cloudpath clusters. This integration allows deployments with existing Cloudpath DPSK configurations and policies to transition seamlessly to DPSK3 while maintaining existing security controls and access policies.
- Authentication Service: Toggle the switch on to enable this option and select the existing RADIUS Server from the Authentication Server drop-down list.
If the server is not available, you can create a new one: click Add Server, complete the fields in the Add AAA server sidebar, and click Add. Then select the newly created RADIUS server from the drop‑down list. Refer to Adding and Managing a RADIUS Server.
- Proxy Service: Toggle the switch on to enable the proxy service.
Note: Use the controller as a proxy in 802.1X networks. When access points send authentication and accounting messages to the controller, the controller forwards these messages to an external AAA server.
- Click Show more settings.
By default, the VLAN sub-tab is displayed. Each sub-tab provides additional Wi-Fi configuration options. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.
- Click Next.
The Venues page is displayed.
- Select one or more venues to activate the network by clicking the checkbox alongside the venue name, and then toggle the switch on in the Activated column.
The details in the APs, Radios, and Scheduling columns are displayed for all the activated venues. By default, this network configuration applies across All APs and their applicable radio bands and is scheduled to be available 24/7.
Note: The Scheduling column displays availability based on the local time zone of the venue’s AP devices (for example, UTC offsets).
- Click the All APs hyperlink in the APs column or the list of radios in the Radios column to configure APs and radio-frequency bands for the selected venue.
The Select APs dialog box is displayed. Select one of the following options:
- All APs: Select All APs to activate the network on all current and future APs for this venue. Choose a radio band from the drop-down list. You can choose one or more of the supported radio bands.
Select APs
- Select specific AP groups: Select Select specific AP groups to activate the network on specific AP groups, including any AP added to the selected AP groups in the future. The APs not assigned to any group option is displayed with a checkbox and a reminder to select an AP Group.
Click the APs not assigned to any group checkbox; the VLAN and Radio Band options are displayed:
Select Specific AP Groups
- VLAN: Select VLAN-1, which is selected by default. Click the icon, and select a VLAN or a pool from the drop-down list. Depending on the selection, enter the VLAN ID or select a pool from the drop-down list.
- Radio Band: Select one or more supported radio bands from the drop-down list for the selected AP group.
- Click Apply.
- Click the 24/7 hyperlink in the Scheduling column to customize the schedule.
The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed.
Schedule for Network Dialog Box
You can choose 24/7 or Custom Schedule. Configure the following if you select Custom Schedule:
- Click Custom Schedule to customize the network schedule as required.
The Custom Schedule has Basic and Advanced tabs.
Note: The venue time zone appears at the bottom of the dialog box.
- On the Basic tab, you can configure the following:
Schedule for Network - Basic Configuration
- Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
Note: When the Start Date is today, time slots that have already passed are disabled.
- (Optional) All day: Select this option to make the network available for the entire day. When All day is selected, the From and To fields automatically disappear.
- From and To: These fields appear only when All day is not selected. You can select the start and end times in 15‑minute intervals, where the From time ranges from 00:00 to 23:45, the To time ranges from 00:15 to 24:00, and the To time must always be later than the From time.
Note: The selected times follow the local time of the venue’s AP devices.
- Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default), Repeat Daily, Repeat Weekly, and Repeat Monthly.
Note: The Do not repeat option displays a one‑time schedule for the selected Start Date.
- End Date:
- Select None or Select date if Repeat Daily is selected. Pick an end date from the date picker when Select date is chosen.
- Select the required weekday, and then select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
- Select a monthly recurrence option such as Day <date> of every month, the <nth> <weekday> of every month, or the last <weekday> of every month, and then select None or Select date if Repeat Monthly is selected. Pick an end date from the date picker when Select date is chosen.
Note: Selecting at least one weekday is mandatory if Repeat Weekly is selected, and selecting a monthly recurrence option is mandatory if Repeat Monthly is selected.
Note: Monthly options depend on whether the Start Date falls on the first through fourth weekday occurrence or the last weekday of the month. Daily, Weekly, and Monthly repeat rules deactivate the network automatically at midnight on the selected End Date.
Note: If an End Date is selected, the schedule ends at midnight on that date.
- On the Advanced tab, you can configure the following:
Schedule for Network - Advanced Configuration
- Start Date: Displays the date when the schedule begins. You can select any future date using the date picker. The schedule always uses the local time of the AP devices.
Note: When the Start Date is today, time slots that have already passed are disabled.
- (Optional) Select a repeat rule to determine how the network availability repeats after the Start Date. The available options are Do not repeat (default) and Repeat Weekly.
Note: The Do not repeat option displays a one‑time weekly schedule for the selected Start Date. The network automatically deactivates at the end of the last active time slot.
- End Date:
- Select None or Select date if Repeat Weekly is selected. Pick an end date from the date picker when Select date is chosen.
Note: When the Start date is chosen, selecting a date from the date picker is mandatory.
Note: If an End Date is selected, the schedule ends at midnight on that date.
- Mark the required time on the weekly grid to enable or disable network availability in fifteen‑minute intervals. You can click a single slot or click and drag to update multiple adjacent slots. A full day can be enabled or disabled using the checkbox next to each day. Dragging across a range of slots changes all slots to the opposite state of the first slot selected.
- Click See tips to view guidance on how to activate or deactivate the network for the entire day, individual time slots, or multiple adjacent time slots. The See tips option opens the Network Scheduler Tips window, which explains how to use the checkbox for full‑day selection, how to click individual slots, and how to drag across the timeline to update multiple time slots.
- Click Apply. The hyperlink updates to ON now. When you hover over it, it displays the time until which the scheduler will remain active (<Day> <Time>).
Note: If no weekday is selected, the message Network is configured to be unavailable at all times is displayed on the Network Scheduling dialog box. You can continue by clicking OK or by clicking Cancel to configure the required days.
- Toggle the Network Tunneling switch on to define how network traffic is tunneled at the venue. When toggled on, a Tunnel: <venue-name> sidebar is displayed.
Note: The Network Tunneling switch is displayed only when the venue is Activated.
- Select a Tunneling Method from the drop-down.
- If you choose SoftGRE, select a SoftGRE profile and optionally enable and configure IPsec. (Refer to Creating a SoftGRE Profile and Adding an SD-LAN Service.)
The SD-LAN option is available only when RUCKUS Edge devices are present.
- Click Add to save and apply.
- Click Next.
The Summary page is displayed.
- Click Finish.
- Click Show Onboard Networks to view the WPA3‑DPSK3 onboarding SSIDs.
The onboarding network details are displayed.
Displaying Onboarding Networks
Note: The following are a few DPSK network-related requirements and known limitations:
- For a DPSK3 network, two networks having the same SSID are created, one service network and one onboarding network (also known as an Intermediate DPSK WLAN). An administrator cannot modify the Intermediate DPSK WLAN configuration; they can edit only the Service WLAN.
- The 6 GHz band uses Reduced Neighbor Reports (RNR) Information Elements (IEs) in the 2.4 GHz and 5 GHz beacons to inform Wi-Fi 6E clients about the 6 GHz SSID. The 6 GHz band also suppresses certain frames like FILS and unsolicited probe-response frames, which are necessary for initial network discovery and authentication. This means that Wi-Fi 6E clients must use the information in the 2.4 GHz and 5 GHz beacons' RNR IEs to discover the 6 GHz AP and then move to the 6 GHz band after binding the passphrase on the lower frequency bands. Therefore, when both 2.4 and 5 GHz services are turned off, a Wi-Fi 6E client cannot bind the passphrase with the DPSK service.
- If a client does not follow the IEEE 802.11v BSS Transition Management (BTM) request from the AP (which helps manage client roaming and load balancing, improving connection quality), the client's behavior might not be as expected.
- When you remove a DPSK service network configured with WPA2/WPA3 mixed mode, the system also removes the associated onboarding network.
- Utilizing the 6 GHz band for DPSK3 requires concurrent operation of the 5 GHz band due to the WPA2/WPA3 mixed mode requirement.