L

12 Messages

 • 

302 Points

Mon, Apr 12, 2021 2:16 PM

Dynamic VLANs assigned by DPSK

I am trying to determine whether or not Unleashed on an R850 can support dynamic VLAN assignment by shared DPSK using a single WLAN SSID.

I can confirm that both dynamic VLANs and DPSK are supported by unleashed independently. Note, the Ruckus community has some outdated posts indicating otherwise, but these features were added in recent versions of Unleashed. The thing I cannot confirm is whether these features can be configured to work together in Unleashed. 

See DPSK configuration for Unleashed here https://docs.commscope.com/bundle/unleashed-200.9-onlinehelp/page/GUID-3F754D0C-89AC-496D-9FC3-FFEFD9F2E407.html. This includes the ability to use "Shared DPSK", this is what I would need.

Dynamic VLANs can be enabled in Unleashed here https://docs.commscope.com/bundle/unleashed-200.9-onlinehelp/page/GUID-F714A41F-7AF5-4D8D-AA98-808F4E2EF27E.html. "Dynamic VLAN can be used to automatically and dynamically assign wireless clients to different VLANs based on RADIUS attributes. The Dynamic VLAN option is only available for 802.1X EAP WLANs with a RADIUS server configured.".

This seems to imply it is not possible to use dynamic VLANs with DPSK, however, if we look at this same documentation for the Unleashed cli interface, it seems to imply it is possible to assign VLANs by DPSKs. See here https://docs.commscope.com/bundle/unleashed-200.9-commandref/page/GUID-293311F7-10AB-4152-A724-E8F50EA77615.html. "Dynamic VLAN can be enabled or disabled in the following two conditions: 1) The authentication method is '802.1X/EAP' or 'MAC Address', Encryption method is WPA, WPA2, WPA mixed, or none. 2) Authentication method is 'Open', Encryption method is WPA, WPA2 (Algorithm may not be Auto), enable Zero-IT Activation, enable Dynamic PSK."

So I am looking for some clarification of the documentation. Is it or is it not possible using Unleashed to dynamically assign a VLAN based on the shared DPSK a client used to connect to a WLAN?

If this is possible, is there some place I can find documentation on how to do this?

If this is not possible, which Ruckus products can support such a configuration?

Accepted Solution

12 Messages

 • 

302 Points

7 m ago

I have confirmed that VLANs can be dynamically assigned by DPSK using the internal database on an R850 running Unleashed 200.9.10.4.233.

Unleashed doesn't document the feature anywhere I could find, nor is it suggested anywhere in the Unleashed UI. But it suffices to say that generating DPSKs in Unleashed works the same as ZoneDirector, just follow the ZoneDirector documentation for using a custom batch DPSK profile here zd-10.4.1-userguide. Note the VLAN ID and Role columns shown in the sample for ZoneDirector, those work on Unleashed too, they just aren't documented or shown anywhere in the UI.

(edited)

12 Messages

 • 

302 Points

6 m ago

BEWARE!!! DO NOT UPGRADE to Unleashed 200.10! Support for dynamic VLANs assigned by dynamic PSK has been removed in Unleashed 200.10. Do not upgrade beyond 200.9 if you are using this feature, your network will break without any warning. The feature works perfectly in Unleashed 200.9, but cannot be enabled after upgrading to 200.10! This change is not documented anywhere I can find in the 200.10 release notes. 

12 Messages

 • 

302 Points

There is some good news here. If you made the mistake of upgrading to 200.10, you can downgrade back to 200.9.10.4.243. This is the latest version that seems to work perfectly with dynamic VLANs assigned by dynamic PSK. The backup configuration also preserves the the VLANs associated with each DPSK. I had to rollback and everything worked perfectly, the network is back up assigning the correct VLAN to each user based on the PSK they used to authenticate.

It would be really nice if someone from Ruckus could acknowledge this feature and explain a few things... Why was this disabled in 200.10? Was that a mistake, will it be fixed (enabled again) in a future release? The Unleashed web UI doesn't provide any means for viewing DPSK VLAN configurations, but otherwise the feature works perfectly as far as I can tell... Am I missing some subtle issue?

12 Messages

 • 

302 Points

4 m ago

I've been testing this solution for about a month now and so far I've found only one issue. 802.11r fast transition doesn't work when assigning VLANs by DPSK. When VLANs are assigned by DPSK and a client roams, the device will do a full dissociation and reassociation with the next access point, regardless of whether 802.11r is enabled or not. Without DVLANs + DPSK, fast transitioning is working for me using the same client devices. It's disappointing fast transition is broken, but otherwise everything seems full functional.

I've still received no feedback from Ruckus on this feature or especially on why this feature was disabled in 200.10. I tried opening a support ticket about it, but without a support contract they closed it without acknowledging this issue. I attempted to purchase a support contract through the same vendor I acquired my ruckus hardware through, but had no luck there either. According to the vendor Ruckus gave them the runaround about issuing the support contract, after three weeks they refunded my money with an apology. Maybe the problem was just the vendor, I will try again with someone else...

12 Messages

 • 

302 Points

5 d ago

Some great news here, the DVLANs assigned by DPSKs feature is enabled again with the Unleashed 200.11 release. And not only is it working with 200.11, but the fast transition issues when using this feature with 200.9 seem to be fixed in 200.11 too. I've been testing 200.11.10.5.195 for about 2 weeks now and everything is looking much more stable than 200.9. Online upgrade from 200.9.10.4.243 to 200.11.10.5.195 worked perfectly, no special steps required. Ruckus also added an input to the Unleashed UI for specifying a DVLAN ID when generating DPSKs, though the docs still don't clearly explain this feature.

Connectivity in general is greatly improved, but I'm still seeing some connectivity instability. I am no longer sure if it is related to this particular feature being enabled though. I will keep monitoring/testing and post here again if I find a clear connection with this feature.

Important Announcement