Wi-Fi as the “Fourth Utility”
Internet connectivity through Wi-Fi has become the "fourth utility." Reliable internet access is now as essential to daily life as traditional utilities like electricity, water, and gas. This is perhaps the main reason why Real Estate Developers have chosen the pre-installed nature of "Managed Wi-Fi solutions" using Network Segmentation over the conventional physical residential gateway per unit, where each resident or tenant must wait for the next available truck roll, which can sometimes take weeks. People today want and expect reliable, high-performance Internet connectivity ready on Day One.
What is the Managed Wi-Fi Solution?
Managed Wi-Fi in a multi-dwelling unit (MDU) property typically involves a Managed Service Provider (MSP) overseeing the deployment and operation of Wi-Fi services, with costs included in the association fees paid by unit owners or in tenants' rent. The provider strategically plans and installs access points for optimal coverage, based on a comprehensive professional design, reducing interference and ensuring consistent Wi-Fi access throughout the complex. This reliable infrastructure not only attracts and retains tenants but also supports 'Smart Home' solutions and enhances facility management efficiencies, offering tangible business benefits.
Benefits of reliable, high-performance managed Wi-Fi across the property for MDUs
- Differentiate properties in a competitive market by appealing to tech-savvy residents who demand fast Wi-Fi service everywhere.
- Boost tenant renewals, as satisfied tenants are more likely to renew their leases.
- Provide new wireless Smart Home and business services, including IoT applications like keyless entry, sensors, employee and asset location, analytics, and more.
- Enhance technology capabilities without hassle through centrally managed Wi-Fi services delivered by wireless experts who can proactively prevent problems.
- Simplify wireless service management with multiple control options available in the cloud or on-premises.
- Attract future tenants more effectively, as guests experiencing excellent Wi-Fi are more likely to consider the property for their next home.
Managed Wi-Fi solutions often leverage network segmentation to enhance security, performance, and management efficiency.
What is Network Segmentation?
Network segmentation entails breaking down a network into smaller subnetworks, effectively isolating users' end devices from each other to improve IT security and user experience. Devices are placed into separate virtual networks, preventing threats that enter the network from moving laterally across segments to other devices. This approach is particularly effective for MDUs, such as apartment buildings, college dormitories, senior living facilities, or anywhere residents live communally. The cornerstone of Wi-Fi network segmentation is per-user/per-device PSKs.
What are per-user/per-device PSKs?
Per-user/per-device PSKs (Pre-Shared Keys) are proprietary PSK solutions designed to address the vulnerabilities associated with traditional PSK authentication, particularly in environments like MDUs. The primary concern with using a single PSK for all devices on a WLAN is the vulnerability to social engineering. If the PSK is shared, whether inadvertently or deliberately, with unauthorized individuals, it jeopardizes the security of the entire WLAN.
Per-user/per-device PSKs offer a solution by assigning a unique PSK to each device or user. This means that each device uses its own unique PSK for connecting to the WLAN, and the MAC address or multiple MAC addresses (due to MAC randomization) of each device are mapped to a unique personal passphrase. These individual PSKs can be created dynamically or manually and are tied to a single SSID. This approach provides unique identity credentials for each device while keeping the simplicity of using a single SSID, enhancing security by isolating each device's access credentials.
Benefits of the per-user per-device PSKs
- Enhance security by preventing decryption of unicast traffic.
- Eliminate the management burden when a passphrase must be changed because an individual leaves the property or company.
- Allow granular, user-specific control of network privileges.
- Provide enhanced accounting functionality.
- Remain transparent to client devices, which see a regular PSK network on their side.
The RUCKUS patented per-user per-device PSK Solution: Dynamic PSK™
Dynamic PSK is a CommScope-patented technology that enhances network security by providing unique encryption keys for each user or device connecting to the RUCKUS network. Users can obtain their unique Wi-Fi passwords either through self-service or from an IT administrator, making the connection process intuitive and similar to a home network setup. Unlike conventional PSKs, the Dynamic PSK solution allows administrators to define access policies and revoke access for individual users without affecting others. Wireless traffic is encrypted using WPA2™-Personal or WPA3™-SAE, providing robust network and data security. The Dynamic PSK solution is a key part of RUCKUS Network Segmentation.
Breaking Barriers: The RUCKUS Innovation for 6 GHz WPA3 Challenges
When the 6 GHz band was opened for unlicensed use in April 2020, the Wi-Fi Alliance mandated Wi-Fi Protected Access® 3 (WPA3) and Opportunistic Wireless Encryption (OWE) as the standards for Wi-Fi security for all Wi-Fi 6E devices and any future devices using the greenfield 6 GHz band. This posed a challenge for per-user, per-device PSK implementations, as WPA3-SAE inherently prevents the use of multiple keys, eliminating the possibility of reverse-engineering the passphrase used in traditional Dynamic PSK and other vendor solutions.
However, there's no need to be disheartened. Initially, there was no per-user per-device PSK solution for 6 GHz (WPA3-SAE mandatory), but in early 2023, RUCKUS introduced a groundbreaking innovation. The magic unfolds as the "RUCKUS Team" turns the impossible dream into reality with per-user, per-device PSKs on the 6 GHz band. After rigorous testing by the Development and Quality Assurance Teams, RUCKUS released the patented "Dynamic SAE (DSAE) or DPSK3." This innovation made per-user, per-device PSKs possible in the 6 GHz band using WPA3-SAE, positioning RUCKUS as the first vendor in the industry to offer a multiple password solution on the new 6 GHz band without RADIUS (Remote Authentication Dial-In User Service). RUCKUS DPSK3 extends the successful Dynamic PSK technology to support WPA3, delivering all the benefits of the Dynamic PSK solution while keeping robust WPA3 security.
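Added example (not RUCKUS code, and not a description of the patented Dynamic PSK or DPSK3 implementation): a generic sketch of how a WPA2-Personal access point can hold several passphrases on one SSID, work out which one a client used from the MIC in message 2 of the 4-way handshake, and place the client's MAC into that passphrase's VLAN, so randomized MACs still land in the same private LAN. The SSID, passphrases, MAC addresses, nonces and frame bytes are constructed, as are all units other than UNIT 104 on VLAN 704.

```python
import hashlib
import hmac

SSID = b"Property-WiFi"  # constructed sample SSID
# Constructed table: passphrase -> (unit, VLAN). UNIT 104 / VLAN 704 follows the page.
DPSK_TABLE = {
    "maple-river-4821": ("UNIT 104", 704),
    "quiet-harbor-9377": ("UNIT 105", 705),
    "amber-field-2260": ("UNIT 106", 706),
}
VLAN_MEMBERS = {}  # VLAN id -> set of client MACs learned so far

def pmk(passphrase):
    # WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # A real AP would cache PMKs instead of recomputing them per association.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), SSID, 4096, 32)

def kck(pmk_, ap_mac, sta_mac, anonce, snonce):
    # First block of the IEEE 802.11 PRF over sorted addresses and nonces;
    # the first 16 bytes of the PTK are the Key Confirmation Key (KCK).
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    label = b"Pairwise key expansion\x00"
    return hmac.new(pmk_, label + data + b"\x00", hashlib.sha1).digest()[:16]

def mic(kck_, eapol_frame):
    # HMAC-SHA1 MIC (truncated to 16 bytes) over the frame with its MIC field zeroed.
    return hmac.new(kck_, eapol_frame, hashlib.sha1).digest()[:16]

def client_message2(passphrase, ap_mac, sta_mac, anonce, snonce, eapol_frame):
    """Simulated client: the MIC a device holding `passphrase` would send."""
    return mic(kck(pmk(passphrase), ap_mac, sta_mac, anonce, snonce), eapol_frame)

def identify(ap_mac, sta_mac, anonce, snonce, eapol_frame, received_mic):
    """AP side: find the table entry whose key verifies the MIC, then bind MAC to VLAN."""
    for passphrase, (unit, vlan) in DPSK_TABLE.items():
        k = kck(pmk(passphrase), ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(mic(k, eapol_frame), received_mic):
            VLAN_MEMBERS.setdefault(vlan, set()).add(sta_mac)
            return unit, vlan
    return None  # no passphrase verifies the MIC: reject the association

if __name__ == "__main__":
    ap, an, sn = bytes.fromhex("02aabbccdd01"), bytes(range(32)), bytes(range(32, 64))
    frame = b"\x01\x03constructed-message-2"  # stand-in for the EAPOL-Key frame
    for mac_hex in ("0a1122334455", "0e6677889900"):  # two randomized MACs, one device
        sta = bytes.fromhex(mac_hex)
        got = client_message2("maple-river-4821", ap, sta, an, sn, frame)
        print(mac_hex, "->", identify(ap, sta, an, sn, frame, got))
```

The lookup depends on the AP being able to test each stored passphrase against one client message after the fact, which is the step the paragraph above says WPA3-SAE rules out.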
Key Advantages of Network Segmentation through DPSK3
- 6 GHz Band Compatible: The 6 GHz frequency addition marks the largest expansion of Wi-Fi spectrum ever, with 59 more channels, enabling a dramatic increase in bandwidth and reduction of latency. DPSK3 is fully compatible with the 6 GHz band.
- RUCKUS One Single Network Platform: Deploying DPSK3 within the RUCKUS One solution, alongside Property Management/Residential Portal, Identity Groups, and Adaptive Policy features, eliminates the need for third-party captive portals or advanced gateways. This makes DPSK3 in the RUCKUS One solution an affordable, optimal, and feature-rich solution for MDU, Higher Education Dorms, Hospitality, and other verticals.
- Clean Radio Frequency (RF) Air Space: A single SSID deployment throughout the property, using RUCKUS One AI RRM (Radio Resource Management through Artificial Intelligence), minimizes Co-Channel Interference (CCI), known as "the Wi-Fi Killer". This creates a cleaner RF environment compared to the conventional "one standalone Wi-Fi router per unit" setup, where frequency coordination is impossible, substantially increasing CCI.
- Universal Coverage Throughout the Property: Residents/Tenants can access their private LAN using the same SSID from anywhere, in their unit, the Common Areas or any other space covered by the Wi-Fi Signal. Basically, their own private LAN follows them around the property, creating a ubiquitous network connection.
- Enhanced Network Security: By segmenting the network, any malware or breach in one segment of the network can be contained to that smaller network segment, making it more difficult to spread horizontally throughout the entire network. In the animation below the malware is confined to the specific microsegment/VLAN, affecting only one customer, and preventing horizontal propagation to other network segments.
- Defeats MAC Randomization (Private MAC Address): With RUCKUS Dynamic PSK and DPSK3 solutions, segmentation is achieved through the uniqueness of the password, independent of the MAC address. This means that even if a device uses multiple randomized MAC addresses, it will consistently use the same password. As a result, all those MAC addresses will be added to its private LAN, enabling seamless connectivity and optimizing security.
- Property Management can revoke access at any time without impacting others: Conventional PSKs involve shared Wi-Fi passwords, making it challenging to revoke access for an individual without affecting everyone else. In contrast, with RUCKUS Dynamic PSK and DPSK3 solutions, access can be individually managed. If a resident sells their unit or a tenant's lease expires, access can be revoked through the Resident Portal or by Property Management. Additionally, Customer Service, the Network Operation Center (NOC) for ISPs, or any Network Administrator with proper privileges can manage access rights effectively.
- Private Network for each Tenant: The benefits of this Private LAN architecture include:
  - All devices belonging to a single tenant can communicate with each other, while preventing access to other tenants' devices.
  - Residents or tenants can only view their own traffic when using packet sniffers like tcpdump or Wireshark, ensuring they cannot intercept others' traffic.
  - Congestion is reduced by limiting unnecessary traffic flow between segments.
- Unique Public IP per Tenant: Each private network can be linked to a unique public IP address, granting tenants control over their inbound and outbound connectivity. Benefits include:
  - The unique public address typically helps Service Providers comply with CALEA (Communications Assistance for Law Enforcement Act) non-repudiation requirements, enabling the origin and the integrity of data to be verified.
  - Devices that rely on Universal Plug and Play (UPnP), such as game consoles, can function properly without any effort from the tenant or operator.
  - Applications that depend on broadcast and multicast-based protocols, such as multicast Domain Name System (mDNS), function properly.
Network Segmentation with DPSK3 Proof of Concept (POC) for a Partner
The purpose of this POC Lab was to deliver a "Single Pane of Glass" Managed Wi-Fi Solution on 6 GHz to a long-standing ISP/MDU Partner. This partner successfully implemented Network Segmentation using the RUCKUS Dynamic PSK solution across multiple properties, including MDUs, hotels, and university environments. However, as mentioned, with the introduction of 6 GHz and the requirement for WPA3, the Dynamic PSK solution was challenged, but the RUCKUS Team embraced this challenge and developed the DPSK3 solution.
The partner’s requirements were not just about network security; they also needed an affordable and easy-to-deploy solution. Typically, with most vendors, achieving all three is difficult, often resulting in a compromise of one or two of the three. To provide a Wi-Fi network that is both reasonably secure and easy to deploy, customers often need to invest in expensive advanced gateways and/or costly RADIUS servers, increasing CapEx and reducing competitiveness. Alternatively, opting for a cheaper solution typically compromises security and performance. However, the RUCKUS solution offers partners all three benefits: security, affordability, and ease of deployment, along with RUCKUS's unmatched RF performance. Configuration can be automated using the template capabilities built into the RUCKUS One solution, facilitating "cookie-cutter" future deployments.
Requirement added per Partner Feature Request
In addition to the above requirements, the partner, being an ISP, needed different Bandwidth Service Tier levels per user, such as:
- Bulk Service: Bandwidth Down = 100 Mbps, Bandwidth Up = 100 Mbps
- Silver Service: Bandwidth Down = 500 Mbps, Bandwidth Up = 500 Mbps
- Gold Service: Bandwidth Down = 1000 Mbps, Bandwidth Up = 1000 Mbps
The RUCKUS Engineering and Development Team returned to the drawing board and undertook significant coding efforts to provide the Partner with the requested Rate Limiting option. At that point, the RUCKUS One solution became the single, cloud-based platform to manage all network components across all properties, enabling the partner to monitor, configure, and optimize networks remotely using the following features:
Main RUCKUS One Solution Features
Centralized and Automated Management
The RUCKUS One solution provides a single, unified platform for managing both wired and wireless networks, with automation tools for configuration, updates, and monitoring to enhance efficiency and reduce manual workload.
AI-Driven Analytics and Security
The platform leverages Artificial Intelligence (AI) and Machine Learning (ML) for real-time network analytics, predictive maintenance, and robust security features, including intrusion detection and automated updates, to proactively manage and secure network performance.
Scalability and Remote Capabilities
Designed to scale with organizational growth, the RUCKUS One solution supports remote monitoring and management, allowing for efficient network optimization and bandwidth management across all properties.
Specific RUCKUS One Solution Features
Network Segmentation through DPSK3 Service on 6 GHz
The animation below illustrates the customer's mobile phone in UNIT 104, initially connected on 6 GHz within their unit, roaming to different APs and bands, eventually reaching the pool area and going back to 6 GHz. Throughout this process, the device remains connected to its own private VLAN704. (Note: Hopefully, the phone is indeed water-resistant—just a lighthearted remark!)
Property Management
Enables the creation of an unlimited number of units for the MDU. For example, the system can accommodate a property with 500 units/identities.
Residential Portal
The RUCKUS Resident Portal feature provides a user-friendly interface for managing network access in MDUs. It allows property managers to create and manage multiple units, offering residents seamless connectivity and secure access to the network. The portal supports self-service options for residents to obtain and change/reset their unique Wi-Fi credentials and to control the devices connected to their private network.
Adaptive Policy
Rate limiting based on RADIUS attributes for the different service tiers (Bulk: 100x100, Silver: 500x500, Gold: 1000x1000).
“Matrix-Like” Role-Based Access Control (RBAC) for their different management tiers
NOC, Engineering, and others
Wi-Fi Calling
Facilitates cell phone calling in areas with low or no cellular signal.
Hotspot 2.0
This feature was a requirement from the MDU developers, enabling their users to automatically connect to Wi-Fi across multiple properties and roam seamlessly through OpenRoaming™.
The All-in-One Solution for MDU Network Management: RUCKUS One
RUCKUS DPSK3, when deployed within the RUCKUS One solution, emerges as the most versatile and comprehensive solution for MDU environments. It provides a single platform that fulfills all the requirements a Managed Service Provider (MSP) needs to offer a Managed Wi-Fi Solution on all bands, including 6 GHz. All the features discussed in this publication are integrated into the RUCKUS One solution, serving as a single pane of glass to monitor, manage, and control Access Points, Switches, RUCKUS Edge™, Property Units, Residential Portals, and Policies for Rate Limiting, Service Scheduling, and more. Additionally, it offers RUCKUS AI RRM, Analytics, and Reports, with upcoming support for features like PON (Passive Optical Networks) management and IoT integration.
© 2025 CommScope, LLC. All rights reserved. CommScope and the CommScope logo are registered trademarks of CommScope and/or its affiliates in the U.S. and other countries. For additional trademark information see https://www.commscope.com/trademarks. Wi-Fi, Wi-Fi 6E, WPA2, WPA3 and Wi-Fi Protected Access are trademarks of the Wi-Fi Alliance. OpenRoaming is a trademark of the Wireless Broadband Alliance. All product names, trademarks and registered trademarks are property of their respective owners.