CommScope Ruckus

Ruckus Integration

Configure Ruckus SmartZone, vSZ, and ZoneDirector to authenticate with NetKey RADIUS for DPSK, iPSK, and dynamic VLAN assignment.

Ruckus DPSK

Ruckus uses "DPSK" (Dynamic PSK) terminology. This is compatible with NetKey's iPSK when using Ruckus-DPSK-Passphrase attribute.

Prerequisites

  • Ruckus SmartZone 5.x/6.x, vSZ, or ZoneDirector
  • Access Points adopted and operational
  • Network connectivity to NetKey RADIUS
  • NetKey Group configured with RADIUS secret
Finding Your RADIUS Server Details

Log in to app.netkey.noSettings → RADIUS Clients to find your RADIUS server IP/hostname and create a shared secret for your Ruckus controller.

SmartZone Configuration

Add AAA Server

1

Navigate to Services & Profiles → AAA → AAA Servers

2

Click Create and configure:

Name NetKey-RADIUS
Type RADIUS
IP Address your-radius-server
Port 1812
Shared Secret Your NetKey RADIUS secret
3

Configure Accounting (optional):

Enable Accounting Yes
Accounting Port 1813

Create WLAN with DPSK

4

Navigate to WLANs and click Create

5

Configure WLAN settings:

Name Corporate-DPSK
SSID Corporate-WiFi
Authentication Type Standard + MAC Authentication
Encryption WPA2
WPA Version WPA2 or WPA2/WPA3
6

Enable Dynamic PSK (DPSK):

DPSK Enabled Yes
DPSK Type External (RADIUS)
Passphrase Set a fallback PSK (8+ chars)
7

Configure MAC Authentication:

MAC Auth Enabled
MAC Auth Server NetKey-RADIUS
MAC Format AABBCCDDEEFF (uppercase, no delimiter)
MAC Format Important

Ensure NetKey is configured with matching MAC format. Go to Group Settings → RADIUS → MAC Format and select uppercase without delimiter.

DPSK via RADIUS

NetKey returns the device-specific passphrase via Ruckus VSA.

RADIUS Response

RADIUS Access-Accept 
Ruckus-DPSK-Passphrase = "UniqueDevicePass123"
Tunnel-Type = VLAN
Tunnel-Medium-Type = IEEE-802
Tunnel-Private-Group-ID = "100"
Attribute Description
Ruckus-DPSK-Passphrase The unique PSK for this device
Ruckus-User-Role Optional user role assignment
Tunnel-Private-Group-ID Dynamic VLAN assignment

NetKey Endpoint Configuration

Create endpoints in NetKey for each device:

1

Navigate to Clients in NetKey

2

Click Add Client:

MAC Address AA:BB:CC:DD:EE:FF
Name John's Laptop
Passphrase *Generated or custom*
VLAN 100

Dynamic VLAN

Configure VLAN pools in SmartZone for dynamic assignment.

Create VLAN Pool

1

Navigate to Services & Profiles → VLAN Pooling

2

Create a pool with all allowed VLANs:

Name Corporate-VLANs
VLANs 100, 200, 300, 400
3

Assign VLAN Pool to WLAN in Advanced Options

Enable RADIUS Override

4

In WLAN settings, enable:

RADIUS Attribute Override Enabled

ZoneDirector Configuration

For ZoneDirector appliances, the configuration is similar.

Add AAA Server

1

Navigate to Configure → AAA Servers

2

Click Create New:

Name NetKey
Type RADIUS
IP Address your-radius-server
Port 1812
Shared Secret Your secret

Create DPSK WLAN

3

Navigate to Configure → WLANs

Create new WLAN with:

Authentication Open
Encryption WPA2
DPSK Enabled
External DPSK NetKey (AAA server)

Ruckus Unleashed

Unleashed APs support external DPSK with RADIUS.

1

Access Master AP web interface

2

Go to Admin & Services → Services → AAA Servers

3

Add RADIUS server:

Server Type Non-Proxy RADIUS
IP Address your-radius-server
Port 1812
Shared Secret Your secret
4

Create WLAN with Dynamic PSK enabled

Select External (AAA/RADIUS) for DPSK type

Testing & Verification

Test RADIUS Connectivity

SmartZone provides built-in RADIUS testing:

1

Go to Services & Profiles → AAA → AAA Servers

2

Click on your RADIUS server

Use Test button with a known MAC address

View Connected Clients

Navigate to Monitor → Clients to see:

  • Connected devices and their MAC addresses
  • Assigned VLAN
  • Authentication status
  • DPSK status

Troubleshooting

  • Check MAC format matches between Ruckus and NetKey
  • Verify endpoint exists in NetKey with correct MAC
  • Check NetKey Auth Logs for the MAC authentication attempt
  • Ensure RADIUS returns Ruckus-DPSK-Passphrase attribute
  • Verify RADIUS server is reachable from controller
  • Check shared secret matches exactly
  • Ensure MAC Auth is enabled on WLAN
  • Review SmartZone event logs for RADIUS errors
  • Verify VLAN exists in VLAN Pool
  • Check RADIUS Attribute Override is enabled
  • Ensure Tunnel-Private-Group-ID is returned by NetKey
  • Verify switch ports allow the VLAN