The "Limit D-PSK generation per user" feature is case sensitive, allowing more than the actual limit

  • 1
  • Question
  • Updated 2 years ago
  • (Edited)
We are testing the "Limit D-PSK generation per user to '#' devices" feature, and it appears that the username field is case sensitive. This means that "username" is counted as a different identity than "Username" or "USERname". I have the Limit D-PSK set to 3 devices max, and when testing this I was surprised that I was able to connect with more than 3 devices. When I looked on the Currently Active Clients I noticed that I had used different capitalization for some of the usernames. When I tried to create more than 3 using the same capitalization scheme, the system worked as expected and would not create an additional D-PSK.

The problem, however, is that an account named "username" can seemingly create an enormous number of D-PSKs, limited only by the number of different capitalization combinations for their username.

How can we prevent this? We are on a ZoneDirector 3100, running version 9.7.1.0 b.17.

Ken Yeh

  • 24 Posts
  • 1 Reply Like

Posted 2 years ago

  • 1

Andrew Bailey

  • 15 Posts
  • 8 Reply Likes
Ken,

I think this was recognised as an issue and resolved in a later release. I can't remember exactly which version but you should be able to find it in the release notes.

Hope that helps,

Andy.

Ken Yeh

  • 24 Posts
  • 1 Reply Like
Thanks, Andy! Great to hear that it has been resolved!

Ken Yeh

  • 24 Posts
  • 1 Reply Like
Hmm... unfortunately it appears that the issue has not been fixed as of release 9.8.3.0.14, which is the last version that we can install due to the fact that our ZF7962 APs are not supported beyond this. It is rather disconcerting that an issue like this has been left open for so long. It's been several years since D-PSK was rolled out, yet a firmware released July 2015 still has not patched this security gap.

I can only hope that none of our users discovers this bug and takes advantage of it. Or does anyone have a workaround fix for this issue?

Michael Brado, Official Rep

  • 2106 Posts
  • 297 Reply Likes
Looks like there is an unresolved feature request FR-978, and the underlying problem is that AD's db is not case sensitive.

Ex: Test, test, tEst - are all treated the same on AD and the same user can download multiple DPSKs even though the 'Limit DPSK to 1 user' feature has been enabled.

I have an inquiry in to product marketing and development engineering, will let you know.
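The mismatch Ken observed and Michael explains above is a classic identity-normalization bug: the directory (AD) compares account names case-insensitively, but the per-user D-PSK counter keys on the literal string the user typed. The following Python is an added illustration, not ZoneDirector code and not anything from Ruckus; it models a per-user D-PSK limiter both ways (case-sensitive counting, as the thread describes the firmware behaving, beside counting on a case-folded key) and includes an audit helper a defender could run over an exported Currently Active Clients list to spot usernames that differ only in case. The request sequence, the `DpskLimiter` class, and the `audit_active_clients` function are all constructed for this example.

```python
"""Added example: per-user D-PSK limit keyed on raw vs. case-folded username.

Not ZoneDirector code. Models the bug described in this thread: the directory
treats 'Test', 'test' and 'tEst' as one account, but a counter keyed on the
literal string lets one person obtain many more D-PSKs than the limit.
"""
from collections import defaultdict

MAX_DPSK_PER_USER = 3  # the limit Ken configured in the original post


class DpskLimiter:
    """Tracks D-PSKs issued per user and refuses requests past the limit."""

    def __init__(self, limit=MAX_DPSK_PER_USER, case_sensitive=False):
        self.limit = limit
        self.case_sensitive = case_sensitive
        self._issued = defaultdict(list)  # identity key -> list of devices

    def identity_key(self, username):
        # Assumption: the backing directory is case-insensitive (as AD is for
        # sAMAccountName), so the counter must collapse case too. casefold()
        # is stricter than lower() and also handles non-ASCII letters.
        if self.case_sensitive:
            return username  # buggy behaviour: 'Ken' and 'KEN' count separately
        return username.casefold()

    def request_dpsk(self, username, device):
        """Return True if a D-PSK would be issued for this device, else False."""
        key = self.identity_key(username)
        if len(self._issued[key]) >= self.limit:
            return False  # limit reached for this identity
        self._issued[key].append(device)
        return True

    def issued_count(self, username):
        return len(self._issued[self.identity_key(username)])


def run_requests(limiter, requests):
    """Apply a list of (username, device) requests; return how many succeeded."""
    return sum(1 for user, dev in requests if limiter.request_dpsk(user, dev))


def audit_active_clients(clients, limit=MAX_DPSK_PER_USER):
    """Given (username, device) rows from an active-clients export, return
    {casefolded_name: count} for identities whose device count exceeds the limit.
    Useful for detecting the bypass on a firmware that still counts case-sensitively."""
    counts = defaultdict(int)
    for user, _device in clients:
        counts[user.casefold()] += 1
    return {user: n for user, n in counts.items() if n > limit}


# Constructed request sequence: one person, five devices, varying capitalization.
REQUESTS = [
    ("ken", "laptop"),
    ("Ken", "phone"),
    ("KEN", "tablet"),
    ("kEn", "watch"),
    ("ken", "tv"),
]

if __name__ == "__main__":
    buggy = DpskLimiter(case_sensitive=True)
    fixed = DpskLimiter(case_sensitive=False)
    print("case-sensitive counter issued:", run_requests(buggy, REQUESTS))   # 5
    print("case-folded counter issued:  ", run_requests(fixed, REQUESTS))    # 3
    print("over-limit identities:", audit_active_clients(REQUESTS))          # {'ken': 5}
```

The audit function is the practical takeaway for anyone stuck on an unpatched release: export the active-client list, case-fold the usernames, and flag any identity whose device count exceeds the configured limit. Note that case-folding alone is only correct when the directory itself ignores case; a directory that distinguishes case would need the raw key.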

Ken Yeh

  • 24 Posts
  • 1 Reply Like
Thanks for checking on this, Michael!