Documentation for external DPSK in Unleashed

  • Updated 1 year ago
From the Unleashed 200.7.10.102.64 release notes (released April 17, 2019):

Enhancements in Release 200.7.10.102.64
  • ...

    External DPSK: Dynamic PSKs can now be created for clients authenticated via external RADIUS server, in addition to internal database.

Unfortunately, I'm not seeing any documentation about this in the Unleashed 200.7 manual. Searching the Ruckus support portal, I do see that there is what appears to be a relevant KB article called "External DPSKs over Radius Server" at https://support.ruckuswireless.com/articles/000009006. However, accessing it requires a support contract which I don't have. Since there doesn't appear to be any other documentation about this (including the Unleashed manual, which *is* made publicly available with only a free registration and no support contract), is it possible this KB could be made public? I realize the KB entry probably pertains to one of the controller-based Ruckus products, but I suspect the implementation details (i.e. the RADIUS attributes) are going to be the same.

I've tried to infer the details myself but haven't had any luck so far. The way I would expect this feature to work is to have the RADIUS server respond with the plaintext DPSK for the user (identified by client MAC address); the WPA2 4-way handshake means the AP doesn't have the plaintext of the PSK the client entered. There are two VSAs that would seem relevant, Ruckus-Dpsk and Ruckus-DPSK-Params. In my testing of trying to authenticate against an SSID with external DPSK enabled, I can see the AP sends an Access-Request with the username and password set to the client MAC address and the Ruckus-DPSK-Params VSA (which is a TLV with 4 sub-attributes: Ruckus-DPSK-AKM-Suite, Ruckus-DPSK-Cipher, Ruckus-DPSK-Anonce, and Ruckus-DPSK-EAPOL-Key-Frame). Returning an Access-Accept with Ruckus-Dpsk set to the desired DPSK (in plain text) only seems to result in an infinite loop of the AP making the same Access-Request over and over again.

Eddie

  • 6 Posts
  • 2 Reply Likes

Posted 1 year ago


Eddie

  • 6 Posts
  • 2 Reply Likes
So, just an update of where I'm at.

The only publicly-available Ruckus documentation I've been able to find is the AAA interface guides for SmartZone, most of which are available on the support portal with only a registration (not restricted to paid users). The SmartZone 3.5.1 guide is more detailed on this than the newer guides, but the details there may be obsolete as I still haven't been able to get this to work.

The 3.5.1 guide has a section called "External DPSK over Radius." According to the guide and as observed, the client association request will cause the AP to send an Access-Request to the RADIUS server. The RADIUS server sends back an Access-Accept (if desired) with the Radius-DPSK VSA. The first byte of the VSA value is supposed to be 0x00, followed by the WPA2 PMK for the desired passphrase (PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)). The total length of the VSA value should be 33 bytes; despite being listed as potentially of variable length, as described in the guide it will always be 33 bytes.

In my testing, this doesn't work.

The most recent SmartZone 5.1 guide changes things. Its only section related to external DPSK is called "DPSK for Cloud over RADIUS." The most useful information about the VSA -- the specification for the value (0x00 first byte, WPA2 PMK) -- is gone; only the basic details (like the VSA ID) remain. It's unclear if that information was removed because it is now obsolete (which would suggest the SmartZone 3.1 information isn't going to be useful for Unleashed either, assuming Ruckus would use their most recent implementation) or for some other reason.

Either way, as things currently stand, I have no idea how to get this to work with Unleashed, and Ruckus doesn't appear to have any documentation publicly available for it. The KB article might provide some insight that is usable for Unleashed, but Ruckus has locked it behind the paywall. Which, TBH, is ridiculous -- I'm not asking for hand-holding, a step-by-step how-to guide, or for someone to do it for me, I'm just asking for a technical specification. I'm hoping one of the Ruckus reps here will see this and be able to provide (or obtain) some insight. I did try checking with support, making clear that I wasn't looking for any kind of personalized support but just for documentation, but they refused to provide the KB article or any other information because of my lack of a support contract. (The same support agent also seemed to think reporting a broken link on the support site required a support contract, but ultimately agreed to pass the message on internally. As of now, the link isn't fixed.)

One good thing: if Ruckus can provide a working specification for how the RADIUS server is supposed to provide the DPSK, the implementation appears to be flexible. Although the limited documentation indicates that the external DPSK feature can only be used for "bound" (i.e. single-MAC) DPSKs, I see no reason group DPSKs and unbound DPSKs couldn't be provided by a sufficiently-configured RADIUS server. The AP may only accept a single possible DPSK for a given Access-Request, but the Access-Request includes the Ruckus-DPSK-Anonce (message 1 of 4 in the WPA2 4-way handshake) and Ruckus-DPSK-EAPOL-Key-Frame (message 2 of 4) VSAs (sub-attributes of Ruckus-DPSK-Params), so it should be possible for the RADIUS server to test against multiple possible PSKs and return the appropriate one.
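As an added example (not code from the thread or from Ruckus), the Python below builds the 33-byte Ruckus-Dpsk value exactly as the SmartZone 3.5.1 guide is described above (0x00 followed by the PBKDF2-HMAC-SHA1 PMK), validates a received value, and wraps it in a standard RFC 2865 Vendor-Specific attribute. The vendor-type number is a placeholder because the post does not give it, and the Ruckus enterprise number 25053 is an assumption to confirm against your RADIUS dictionary.

```python
import hashlib
import struct

# Assumption: Ruckus IANA enterprise number; confirm against your RADIUS server's dictionary.ruckus
RUCKUS_VENDOR_ID = 25053
# Placeholder: the thread does not state the Ruckus-Dpsk vendor-type; take it from your dictionary.
RUCKUS_DPSK_VENDOR_TYPE_PLACEHOLDER = 0


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i PSK derivation: PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), 4096, 32)


def ruckus_dpsk_vsa_value(passphrase: str, ssid: str) -> bytes:
    """0x00 prefix + 32-byte PMK = 33 bytes, per the SmartZone 3.5.1 description quoted in the thread."""
    return b"\x00" + wpa2_pmk(passphrase, ssid)


def parse_ruckus_dpsk_vsa_value(value: bytes) -> bytes:
    """Validate a received Ruckus-Dpsk value and return the PMK; raises on malformed input."""
    if len(value) != 33:
        raise ValueError(f"expected 33 bytes, got {len(value)}")
    if value[0] != 0x00:
        raise ValueError(f"unexpected leading byte 0x{value[0]:02x}")
    return value[1:]


def encode_vsa(vendor_type: int, value: bytes, vendor_id: int = RUCKUS_VENDOR_ID) -> bytes:
    """RFC 2865 Vendor-Specific (type 26): Type, Length, Vendor-Id, then Vendor-Type, Vendor-Length, value."""
    if len(value) > 255 - 2 - 4 - 2:
        raise ValueError("value too long for a single RADIUS attribute")
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 2 + 4 + len(inner), vendor_id) + inner


if __name__ == "__main__":
    # Constructed sample: the IEEE 802.11i Annex test vector (passphrase "password", SSID "IEEE")
    attr = encode_vsa(RUCKUS_DPSK_VENDOR_TYPE_PLACEHOLDER, ruckus_dpsk_vsa_value("password", "IEEE"))
    print(len(attr), attr.hex())
```

Whether the Unleashed AP actually accepts this encoding is the open question of the thread; the block only shows what the 3.5.1 guide's description implies on the wire.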

Michael Brado, Official Rep

  • 3288 Posts
  • 520 Reply Likes
Hi Eddie,

I think your "broken link" was intended to provide the Unleashed 200.7 Online Help. This is the same destination you'll hit if you clicked Help in the top/right of your Unleashed WebUI. Here is the link in long form: http://docs.ruckuswireless.com/unleashed/200.7/GUID-577F5F8B-BCB6-4BF5-9FA6-8A41DC821927-homepage.ht...

Eddie

  • 6 Posts
  • 2 Reply Likes
I was referring to the "download PDF" link on the top right corner of the page you linked. It's still a 404.

Michael Brado, Official Rep

  • 3288 Posts
  • 520 Reply Likes
Just curious, since we only sell APs thru authorized vendors, why haven't you purchased support for Unleashed?

You could call tech-support and get deeper investigation than I'm willing to do...  (VSA exchange in sniffer trace, etc)

Or did you buy your APs on the "grey" market, and re-flash them with free Unleashed code?

[ NOTE: APs that have been RMA'd but not returned and were then re-sold, are not eligible for replacement anymore...! ]

Eddie

  • 6 Posts
  • 2 Reply Likes
Or did you buy your APs on the "grey" market, and re-flash them with free Unleashed code?

It was purchased used, which I'm sure Ruckus would term "grey market," so I doubt it will be eligible for any kind of support contract; I know it's not eligible for any warranty. That's why I've been clear in looking for only documentation (which pretty much every enterprise network vendor, including Cisco, Juniper, and Aruba, makes available publicly without a support contract), not personalized help. This AP is for my homelab, not any kind of mission-critical or commercial setup, so the lack of a warranty or personalized support isn't an issue.