From the Unleashed 18.104.22.168.64 release notes (released April 17, 2019):
Enhancements in Release 22.214.171.124.64
Unfortunately, I'm not seeing any documentation about this in the Unleashed 200.7 manual
. Searching the Ruckus support portal, I do see that there is what appears to be a relevant KB article called "External DPSKs over Radius Server" at https://support.ruckuswireless.com/articles/000009006
. However, accessing it requires a support contract which I don't have. Since there doesn't appear to be any other documentation about this (including the Unleashed manual, which *is* made publicly available with only a free registration and no support contract), is it possible this KB could be made public? I realize the KB entry probably pertains to one of the controller-based Ruckus products, but I suspect the implementation details (i.e. the RADIUS attributes) are going to be the same.
I've tried to infer the details myself but haven't had any luck so far. The way I would expect this feature to work is to have the RADIUS server respond with the plaintext DPSK for the user (identified by client MAC address); the WPA2 4-way handshake means the AP doesn't have the plaintext of the PSK the client entered. There are two VSAs that would seem relevant, Ruckus-Dpsk and Ruckus-DPSK-Params. In my testing of trying to authenticate against an SSID with external DPSK enabled, I can see the AP sends an Access-Request with the username and password set to the client MAC address and the Ruckus-DPSK-Params VSA (which is a TLV with 4 sub-attributes: Ruckus-DPSK-AKM-Suite, Ruckus-DPSK-Cipher, Ruckus-DPSK-Anonce, and Ruckus-DPSK-EAPOL-Key-Frame). Returning an Access-Accept with Ruckus-Dpsk set to the desired DPSK (in plain text) only seems to result in an infinite loop of the AP making the same Access-Request over and over again.