Creating a Network That Uses a Dynamic Pre-Shared Key

You can create a network that uses dynamic pre-shared key (DPSK) authentication, which dynamically creates a unique passphrase for each user to connect to the network.

Complete the following steps to create a DPSK-protected network.
  1. On the navigation bar, click Wi-Fi > Wi-Fi Networks > Wi-Fi Networks List.
    The Networks page is displayed.
  2. Click Add Wi-Fi Network. Alternatively, select a DPSK network setting that you want to copy and click Clone at the top of the table.
    The Create New Network page is displayed.
  3. Complete the following settings in the Network Details page.
    • Network Name: Enter a name (up to 32 characters) that you want assign to the network.
    • Set different SSID: Use this option to configure the SSID different from the network name.
    • Description: Enter a description (up to 64 characters) to help you identify the network using.
    • Network Type: Select Dynamic Pre-Shared Key (DPSK).
    When the network type is selected, a structure diagram of a DPSK type of network displays.
  4. Click Next.
    The DPSK Settings page is displayed.
    DPSK Settings Page
  5. Complete the settings on the DPSK Settings page.
    • Security Protocol : Select WPA or WPA2 (recommended) from the drop-down list. By default, WPA2 (recommended) is selected.
    • WPA2 (Recommended) is strong Wi-Fi security that is widely available on all mobile devices manufactured after 2006. WPA2 should be selected unless you have a specific reason to choose otherwise.
    • WPA security can be configured if you have older devices that do not support WPA2. These devices were likely manufactured before 2006. RUCKUS recommends that you upgrade or replace the older devices. 6 GHz radios are supported with WPA3 only.
    • WPA2/WPA3 mixed mode supports the high-end WPA3, which is the highest level of Wi-Fi security available and WPA2 which is still common and still provides good security. The WPA2/WPA3 mixed mode only will apply to the ‘supported’ AP models. This Network will not be applied to the Non-Supported AP models. Note that the combination of Dynamic Pre-Shared Key (DPSK) technology with WPA3 encryption results in a DPSK3.
      Note:
      • Wi-Fi-6E clients must connect on 2.4 GHz/ 5 GHz to bind the passphrase first and then connect to service DPSK network on 6 GHz radio.​
      • In general, mobile devices manufactured after 2006 support WPA2 and devices manufactured after 2019 support WPA3.
    • Use the DPSK Service: Select the radio button to enable this option and configure the DPSK Service. This option is disabled if you enable the Use the RADIUS Server option.
      • DPSK Service: Select an existing DPSK service from the drop-down list or click Add DPSK Service to add a new DPSK service. For more information, refer to Adding a DPSK Service.
    • Use the RADIUS Server: Select the radio button to enable this option and configure the RADIUS Server.
      Note: If you select the Security Protocol as WPA2/WPA3 mixed mode, the Use RADIUS Server(Cloudpath Server Only) option is displayed. For DPSK networks using WPA2/WPA3 mixed mode, only a Cloudpath RADIUS server configured in non-proxy mode and having the Enable RadSec (over TLS) option disabled is supported. Currently, proxy configurations are not supported.

      RUCKUS One extends the DPSK functionality by integrating with Cloudpath clusters. This allows users with existing, complex Cloudpath configurations and policies for DPSK to seamlessly transition to DPSK3. This integration maintains existing security and access controls.

      Using the RADIUS Server(Cloudpath Server Only) Option
      • Authentication Service: Select an existing RADIUS Server from the drop-down list or click Add Server to access the Add AAA Server sidebar in which you can configure a new RADIUS Server.
        Adding an AAA Server
        1. For Profile Name, enter a name.
        2. For Enable RadSec (over TLS), enable this option only if you are adding a regular (non-CloudPath) RADIUS Server. If you have configured the Security Protocol as WPA2/WPA3 mixed mode and selected the Use RADIUS Server(Cloudpath Server Only) option, then leave the Enable RadSec (over TLS) option disabled.
        3. For Primary Server, enter the IP address of the Cloudpath server.
        4. For Port, select a port from the drop-down. By default, the port is set to 1812.
        5. For Shared Secret, enter the shared secret of the Cloudpath server.
        6. Click Add.
        Refer to Creating a Radius Server Profile. for more information on how to add and manage RADIUS Server profiles.
      • Accounting Service: Toggle the Accounting Service to enable this option and select the existing RADIUS Server from the drop-down list or click Add Server and configure a new RADIUS Server. For DPSK networks using WPA2/WPA3 mixed mode, only a Cloudpath RADIUS server configured in non-proxy mode and having the Enable RadSec (over TLS) option disabled is supported. Refer to Creating a Radius Server Profile.
  6. Click Show more settings.

    By default, the VLAN sub-tab is displayed. Each sub-tab includes additional Wi-Fi configuration options to configure the settings of your preference. Refer to Configuring Additional Settings for a Wi-Fi Network to configure each of the available settings.

  7. Click Next.
    The Venues page is displayed.
    Venues Page
  8. Complete the following steps to configure a venue:
    1. Select the venues in which you want to activate this network:
      • To activate the network in all of your venues, select the check box beside Venue at the top of the table and click Activate.
      • To activate the network in a specific venue, locate the venue from the list, and toggle the switch in the Activated column. By default, the venue is not activated.

      The APs, Radio, and Scheduling of the selected venue is displayed in the table.

      Select Venues
    2. By default, this network configuration is applicable for all APs and with Radio Band of 2.4, 5, and 6 GHz. To select specific AP groups and modify Radio Band, complete the following steps:
      1. Click All APs in the APs column. The Select APs dialog box is displayed. To activate this network on all current and future APs at this venue. You can also choose a radio band of 2.4 GHz, 5 GHz, 6 GHz or all.
        Select APs Dialog Box
      2. Click Select specific AP groups to activate this network on specific AP groups including any AP that is added to selected AP groups in the future. The APs not assigned to any group option is displayed. After APs not assigned to any group is selected, VLAN and Radio Band options are displayed:
        Select specific AP groups
      3. In the VLAN option, by default VLAN-1 is selected. Click Edit (pencil icon) icon and configure the VLAN or VLAN pool for the selected AP group.
      4. In the Radio Band option, select 2.4 GHz, 5 GHz, or both 2.4 and 5 GHz from the drop-down list for the selected AP group.
      5. Click Apply.
    3. By default, this network configuration is scheduled for 24/7. To configure the Scheduling, complete the following steps:
      1. Click 24/7 in the Scheduling column. The Schedule for Network <network-name> in Venue <venue-name> dialog box is displayed. You can also choose a schedule of 24/7 or follow below steps to customize the schedule.
        Schedule for Network Dialog Box
        1. Click Custom Schedule.
        2. Network schedule is customized as per your requirement. You can configure the schedule for Monday through Sunday and from midnight to midnight (from 00:00 hours through 23.59 hours). For more information, click See tips. The Network Scheduler Tips dialog box is displayed.
          Network Scheduler Tips
        3. Click OK to close the Network Scheduler Tips dialog box.
        4. Click Apply.
  9. Click Next.
    The Summary page is displayed.
  10. Review the settings that you configured.
  11. Click Add.
    The newly added DPSK network is displayed in the Wi-Fi Network List page.
    DPSK Wi-Fi Networks
  12. Click Show Onboard Network to view the onboarding SSID.
    The onboarding network details is displayed.
    Displaying Onboarding Networks
    Note: The following are a few DPSK network-related requirements and known limitations:
    • For a DPSK3 network, two networks having the same SSID are created, one service network and one onboarding network (also known as an Intermediate DPSK WLAN). An administrator cannot modify the Intermediate DPSK WLAN configuration; they can edit only the Service WLAN.
    • The 6 GHz band uses Reduced Neighbor Reports (RNR) Information Elements (IEs) in the 2.4 GHz and 5 GHz beacons to inform Wi-Fi 6E clients about the 6 GHz SSID. The 6 GHz band also suppresses certain frames like FILS and unsolicited probe-response frames, which are necessary for initial network discovery and authentication. Meaning, Wi-Fi 6E clients must use the information in the 2.4 GHz and 5 GHz beacons RNR IEs to discover the 6 GHz AP and then move to the 6 GHz band after binding the passphrase on the lower frequency bands. Therefore, when both 2.4 and 5 GHz services are turned off, a Wi-Fi 6E client cannot bind the passphrase with the DPSK service.
    • If a client does not follow the IEEE 802.11v BSS Transition Management (BTM) request from the AP (which helps manage client roaming and load balancing, improving connection quality), the client behavior might not work as expected.
    • When the DPSK service network with the Security Protocol configured as WPA2/WPA3 mixed mode is removed, the associated onboarding network (Intermediate DPSK WLAN).
    • APs must be running firmware version 7.0.0.103.292 or later to support DPSK3.
    • Utilizing the 6GHz band for DPSK3 requires concurrent operation of the 5GHz band due to the WPA2/WPA3 mixed mode requirement.