Any day you learn something new is a good day


Automating the changing of a Ruckus WiFi password

Posted: 13-Mar-2019 11:33

We’ve been needing to provide guest internet access via our campus wireless network ever since we implemented it. People who visit just expect us to provide it.

We first tried to use the guest functionality that comes with Ruckus, but it’s a bit clunky, and then we tried using Linewize’s built-in guest functionality, and that’s just as clunky. I toyed with creating guest user accounts in our directory and using 802.1X authentication to handle them, as our directory supports automatic disabling of accounts after a time period, but that’s just as clunky to manage.

So, after some deliberations, we decided to investigate a way to automate the changing of an SSID’s password somehow.

Ruckus ZoneDirectors support SSH connections, but it’s not a *real* ssh connection, it’s more like encrypted telnet. You need to enter any username, then you get prompted for the real credentials. All the ssh libraries that I tried to use couldn’t handle this and freaked out. (I’m wanting to use Python for this; there may be other languages that had working libraries, but I didn’t branch out too far.)

But, as luck would have it, Ruckus ZDs also support enabling insecure telnet access, which just presents a username & password prompt to the connection. I had already written some telnet stuff in Python, so was able to reuse my code for this purpose. (Caveat: the machine initiating the telnet connection and the ZD receiving it are in the same secure room, on the same switch - good luck packet capturing that!)

 

The process to follow is thus;

* telnet into the ZD, enter the credentials to log in as admin

* enter configuration mode

* select the appropriate wireless network

* change the password

* exit out of configuration mode, and the telnet session

 

The exact commands to be entered from the command line are;

 

enable

config

wlan {case sensitive SSID}

open wpa2 passphrase {ourpasswordhere} algorithm aes

exit

exit



If you want to disable/enable access to the WLAN, we use a fake VLAN and add this command after changing the password;

 

vlan {fakevlanID/realvlanID}

 

I’d prefer to have used a command to disable the SSID entirely, but I couldn’t find one documented, so fake VLAN will have to do.
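An added example, not the author's script (which is only linked below): one way to build the command sequence above in Python while rejecting SSID, passphrase or VLAN values that would inject extra CLI lines or split an argument. The function names, the allowed character set and the sample values are assumptions, and login handling is omitted because the prompts are not shown in the post.

```python
import secrets
import string

# Conservative character set (an assumption): no whitespace, quotes or control characters.
PASS_CHARS = set(string.ascii_letters + string.digits + "-_.!@#%+=")
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no look-alike characters (l/1, o/0, i)

def generate_passphrase(length=12):
    """Random guest passphrase that is easy to read out to visitors."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrases are 8-63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def build_commands(ssid, passphrase, vlan=None):
    """Return the CLI lines from the post, refusing values that could smuggle
    in extra commands (newlines) or split an argument (whitespace)."""
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if any(c.isspace() or not c.isprintable() for c in ssid):
        raise ValueError("SSID must be printable with no whitespace")
    if not 8 <= len(passphrase) <= 63 or not set(passphrase) <= PASS_CHARS:
        raise ValueError("passphrase must be 8-63 characters from PASS_CHARS")
    cmds = ["enable", "config", f"wlan {ssid}",
            f"open wpa2 passphrase {passphrase} algorithm aes"]
    if vlan is not None:
        if type(vlan) is not int or not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be an integer 1-4094")
        cmds.append(f"vlan {vlan}")  # fake VLAN = off, real VLAN = on
    return cmds + ["exit", "exit"]

def send_commands(stream, commands):
    """Write each command to an already logged-in session; `stream` is any
    object with write(bytes), e.g. a socket file from sock.makefile('wb')."""
    for line in commands:
        stream.write(line.encode("utf-8") + b"\r\n")
```

Validating before sending matters here because the crontab entries pass the SSID and password as command-line arguments, and anything containing a newline would otherwise be executed by the ZD as a separate command.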



We now have a daily cronjob that fires and changes the main guest network’s password and notifies those who need to know what the password for that day is, and also have another one for enabling & disabling our large group guest network. The python code for the more complex script is available at this url;

 

https://drive.google.com/file/d/1RNATCEmPmlhinVbfagaM2s52G0m2CCg7/view?usp=sharing



The last step is to compile it (on the machine intended to run it) with

python3 -m py_compile configure_wifi.py

 

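This creates a compiled Python bytecode file where only the strings are human readable, so the code used to decrypt the credentials using our key is hidden from casual view. Bytecode can still be disassembled, so this obscures the decryption logic rather than protecting it.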



So, I have a pair of crontab entries for when we want the group guest network on/off;

 

mm hh dd mm * {cronuser} python3 /path/to/configure_wifi.pyc {ournetwork} on newpassword

mm hh dd mm * {cronuser} python3 /path/to/configure_wifi.pyc {ournetwork} off

 

Now we can preset the WiFi password for an event in the future and know that it will be available for use 30min before the event starts, and unavailable an hour after it finishes, without human intervention other than copying two lines in a crontab.

 

The daily guest network’s password is changed by similar code, just the auto-generated password is a bit easier than what the disable part above will create.





nzsouthernman's profile

Dael 
Christchurch
New Zealand

