Working with Dynamic PSKs

Dynamic PSKs (DPSKs) are unique pre-shared keys assigned to a user or device. DPSKs are used to provide secure wireless access, which helps avoid manual wireless configuration and managing encryption keys.

DPSK is a form of PSK (static key) in a WPA2 WLAN, and its purpose is to provide each user device with a unique dynamic PSK for associating to a WLAN without any modification to the WLAN configuration. For example, a school administrator provides a time-limited DPSK for a student's device so that the student can access the school's WLAN for the period their DPSK is valid. After the validity period ends, the DPSK expires and the student's device can no longer access the school's WLAN. Without DPSKs, the school administrator would have to change the default static key to prevent the student from using the WLAN resources, which in turn would impact all other users of that WLAN.

Individual DPSKs can be deleted in the event of a student leaving the school, or their device being lost or stolen without impacting other users of the WLAN.

A “bound” DPSK is one which is assigned to the MAC address of a user device at the time of creation. No other user device can utilize this DPSK. Bound DPSKs are stored on APs.

An “unbound” DPSK is not assigned to a device's MAC address during creation, but upon its first use (that is, when the device first connects to a WLAN and the DPSK is entered as the WLAN security key). Once a DPSK becomes assigned to a user device, it becomes bound and no other user device can use it.

NOTE
If you generate a single unbound DPSK, only one device can connect to the DPSK WLAN with that key; other devices can still use the “admin” PSK to connect to the DPSK WLAN. However, when devices on different APs try to use the same unbound DPSK simultaneously, both may connect to the WLAN successfully for a short period, but the controller then disconnects the later device. If the AP happens to lose its connection to the controller, that device could stay connected until the AP reconnects to the controller.

When DPSKs are created, certain combinations are prevented because they would be database conflicts:

  • You cannot create two unbound DPSKs with the same passphrase.
  • You cannot create two bound DPSKs for the same MAC address and passphrase. If you create two DPSKs for the same MAC address, the former is replaced. However, you can create multiple bound DPSKs with different MAC addresses and the same passphrase.
  • You can also create bound DPSKs and a single unbound DPSK with the same passphrase.
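As an added example (not code from the original documentation or from the controller), the following Python models a DPSK table that enforces the binding-on-first-use behaviour and the conflict rules listed above. The store class, the MAC addresses, the sample passphrases and the timestamps are constructed assumptions, not the controller's actual implementation.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Dpsk:
    passphrase: str
    mac: Optional[str]   # None = unbound; binds to the first device that uses it
    expires: int         # end of validity period, as a Unix timestamp

class DpskStore:
    """Constructed model of a controller's DPSK table and the conflict rules above."""
    def __init__(self):
        self.keys = []

    def create(self, passphrase, expires, mac=None):
        mac = mac.lower() if mac else None
        if mac is None and any(k.mac is None and k.passphrase == passphrase for k in self.keys):
            return None  # conflict: an unbound DPSK with this passphrase already exists
        if mac is not None:
            self.keys = [k for k in self.keys if k.mac != mac]  # same MAC again: replace the former
        key = Dpsk(passphrase, mac, expires)
        self.keys.append(key)
        return key

    def authenticate(self, mac, passphrase, now):
        """Return the DPSK admitting (mac, passphrase), binding an unbound key on first use."""
        mac = mac.lower()
        live = [k for k in self.keys if k.passphrase == passphrase and now < k.expires]
        for k in live:            # a key already bound to this device admits it
            if k.mac == mac:
                return k
        for k in live:            # otherwise an unbound key becomes bound to this device
            if k.mac is None:
                k.mac = mac
                return k
        return None               # unknown passphrase, expired, or bound to another device

def run_scenario():
    """Walk the rules on the page with constructed sample keys; returns the outcomes."""
    t0, t_end = 1_725_148_800, 1_725_753_600          # 2024-09-01 UTC and one week later
    store = DpskStore()
    dup = store.create("orange-kite-42", t_end) and store.create("orange-kite-42", t_end)  # 2nd refused
    store.create("orange-kite-42", t_end, "AA:BB:CC:00:00:01")  # bound + unbound, same passphrase: ok
    store.create("blue-moon-7", t_end, "AA:BB:CC:00:00:01")     # same MAC again: former replaced
    first = store.authenticate("aa:bb:cc:00:00:02", "orange-kite-42", t0)   # binds the unbound key
    second = store.authenticate("aa:bb:cc:00:00:03", "orange-kite-42", t0)  # now bound elsewhere
    late = store.authenticate("aa:bb:cc:00:00:02", "orange-kite-42", t_end + 3600)
    return {"dup_unbound_created": dup is not None,
            "mac1_keys": [k.passphrase for k in store.keys if k.mac == "aa:bb:cc:00:00:01"],
            "first_bound_to": first.mac, "second_admitted": second is not None,
            "expired_admitted": late is not None}
```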

UEs within a PSK WLAN use the same shared key to encrypt data traffic, so if the key is compromised by even one WLAN user, the traffic of every user on that WLAN is exposed. Therefore, a secure tunnel is created for each user connected to the WLAN by configuring the PSK WLAN as an Internal or External DPSK WLAN.

In Internal DPSK mode, the controller manages and records the DPSK for each individual user, and a limited number of DPSKs are supported.

In External DPSK mode, the DPSK is maintained by the RADIUS server (AAA), and RADIUS protocols are used to authenticate the UE. The UE is authenticated on an open-authentication WLAN with WPA/WPA2 encryption, in which the controller uses its RADIUS interface to the RADIUS server (the AAA server includes the DPSK in the RADIUS response, the Access-Accept message, and the controller sends it to the AP), so that the DPSK is maintained in one place. There is no limit on the number of DPSKs supported in this mode.

NOTE
Only proxy AAA authentication is supported for External DPSK.

NOTE
External DPSKs are supported only on bound DPSKs.