Dynamic Pre Shared Key

A recent in-house training course at DigitalAir Wireless explored 802.1x and its various methods. Security is an extremely important, integral part of any well-designed and well-implemented wireless network. Currently the most secure method for any enterprise-class network is the 802.1x standard, more specifically certain methods of EAP (Extensible Authentication Protocol). Many variations of the method have been developed; however, the most effective are the hardware-based and certificate-based authentication methods.

Although these methods are secure, they can be complex and costly to implement. Several manufacturers on the market have tried to simplify this while retaining the point of 802.1x. One such company is Ruckus. In 2010, Ruckus's groundbreaking new security feature, Dynamic Pre Shared Key (D-PSK), went live. Rather than dealing with the complexities of implementing 802.1x, Ruckus has developed an elegant solution that is easy to implement and use while retaining the security.

How does it work?

Once D-PSK is implemented, a new user connects to the wireless network and authenticates via a captive portal hosted on the ZoneDirector. This information is confirmed with an authentication (AAA) server such as Active Directory, RADIUS, LDAP, or a database internally stored within the ZoneDirector itself.

Upon successful authentication, the ZoneDirector generates a unique encryption key for each user. The lifetime of the key can be configured to align with company policies. A temporary applet with the unique user key and other wireless configuration information is then pushed to the client. This applet automatically configures the user's device without any human intervention.

  1. User attaches to a wireless LAN
  2. User authenticates via the Ruckus captive portal
  3. Once authentication is granted, the ZoneDirector dynamically generates an encryption key that is unique to the user.
  4. The key is then passed to the user's device, which is automatically configured with the wireless configuration settings.
  5. User is now able to connect to the network.

Once associated, the unique Dynamic PSK is bound to the specific user and the end device being used. Administrators can create a batch of Dynamic PSK keys for easier maintenance of multiple machines. These keys, provided via a CSV file, can then be added to any script designed to image an end device. These Dynamic PSK keys can be assigned to a specific MAC address upon creation or handed out at a later point to a user or machine.
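The key lifecycle described above (a unique key issued after authentication, a configurable lifetime, binding to the user and end device), as an added conceptual model in Python. This is not Ruckus or ZoneDirector code; the class, method and field names are hypothetical, and the time values are passed in explicitly so the behaviour is easy to follow.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class DpskEntry:
    user: str
    psk: str
    expires_at: float           # epoch seconds; lifetime is set by policy
    mac: Optional[str] = None   # None until first association, or pre-assigned


class DpskRegistry:
    """Toy model of a controller's per-user key table (hypothetical names)."""

    def __init__(self) -> None:
        self._entries: list[DpskEntry] = []

    def issue(self, user: str, lifetime_s: float, now: float,
              mac: Optional[str] = None) -> str:
        # Called only after the portal/AAA check has succeeded (steps 2-3).
        psk = secrets.token_urlsafe(32)  # unique and random, never user-chosen
        self._entries.append(DpskEntry(user, psk, now + lifetime_s,
                                       mac.lower() if mac else None))
        return psk

    def authorize(self, mac: str, psk: str, now: float) -> Optional[str]:
        """Return the owning user if this device may use this key, else None."""
        mac = mac.lower()
        for e in self._entries:
            if not hmac.compare_digest(e.psk.encode(), psk.encode()):
                continue
            if now >= e.expires_at:
                return None          # key lifetime has elapsed
            if e.mac is None:
                e.mac = mac          # bind to the first device that uses it
            return e.user if e.mac == mac else None
        return None                  # unknown key

    def revoke(self, user: str) -> int:
        """Remove one user's keys; every other user's key keeps working."""
        before = len(self._entries)
        self._entries = [e for e in self._entries if e.user != user]
        return before - len(self._entries)
```

The contrast with a standard pre shared key is in `revoke`: removing one user's entry does not force a key change on anyone else.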

This is an example of Zero-IT using D-PSK. The implementation of Zero-IT can only be done on a ZoneDirector, and therefore this wouldn't be possible with the SmartZone OS unless utilising Ruckus' CloudPath enrolment system.

To summarise, Ruckus's Dynamic Pre Shared Key is easy to implement, with none of the time-consuming administrative tasks that are typical of a standard pre shared key network. It is also extremely secure without requiring the time-consuming implementation of 802.1x.