topic Re: Can changing the PSK on a wireless controller be scripted? in Wireless

Can changing the PSK on a wireless controller be scripted?

PJV — Mon, 05 Jul 2021 16:44:15 GMT

Any suggestions for how to automate a monthly change to the PSK for the guest wireless ssid. Attempts to connect to the wireless controllers in Powershell with poshssh and plink run into issues trying to authenticate. The first prompt at login being "login as" rather then user as is the case with most ssh connections.

Re: Can changing the PSK on a wireless controller be scripted?

jcohoe — Tue, 22 Jan 2019 19:13:59 GMT

Hello, have you tried using Ansible with the aireos_config and aireos_command modules?

Re: Can changing the PSK on a wireless controller be scripted?

PJV — Tue, 22 Jan 2019 19:55:07 GMT

I have not tried Ansible. Can you point me to an example using Ansible?

Re: Can changing the PSK on a wireless controller be scripted?

jcohoe — Tue, 22 Jan 2019 22:53:30 GMT

Hi, we are planning to release a blog post in March, to coincide with the Ansible release. Their release has a fix for both "legacy" and the new SSH mechanisms within AireOS. As you may be aware, in AireOS 8.6+ the CLI wrapper around the authentication is disabled by default, providing a more native SSH experience. Prior to 8.6 there is a wrapper around the authentication, which is where your powershell etc scripts are likely failing.

To work around this, you could try upgrading to 8.6+ code (recommend 8.8). However I understand this is much easier said that done 🙂

There is a video showing this in action: https://www.youtube.com/watch?v=KIJBE9DVMDA

Here is the config for Ansible

aireos_hosts.txt

[all:vars]
ansible_connection=local
ansible_user=your_wlc_username
ansible_password=your_wlc_password
ansible_port=22
[aireoswlc]
wlc1 ansible_host=10.10.10.2

aireos_show.yaml

---
- hosts: aireoswlc
  gather_facts: no
  tasks:
   - aireos_command:
      commands:
       - show boot
     register: show
   - debug: var=show.stdout_lines

Execute the playbook with:

ansible-playbook -i ./aireos_hosts.txt ./aireos_show.yaml

Documentation on the 2 modules are available at:

https://docs.ansible.com/ansible/2.4/aireos_command_module.html

https://docs.ansible.com/ansible/2.4/aireos_config_module.html

Jeremy

Re: Can changing the PSK on a wireless controller be scripted?

Leo Laohoo — Wed, 23 Jan 2019 08:56:53 GMT

Python scripts are available that will generate random characters. Add a few lines to instruct the system to remote into the WLC to change the PSK (alternatively, can use SNMP to push the new PSK) and at the same time email you the new PSK.
Use crontab to schedule how often you want the script to run.

Re: Can changing the PSK on a wireless controller be scripted?

patoberli — Fri, 25 Jan 2019 15:51:31 GMT

There is also another way, requiring a RADIUS server, but could also maybe (ab)used for your requirement:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html

But honestly, it's easier with SNMP or SSH.
For SSH, try to send an empty username at first try, then the console should start and ask for the username, where you send the correct one. That would probably require a timed character sequence.

Re: Can changing the PSK on a wireless controller be scripted?

PJV — Tue, 29 Jan 2019 17:55:56 GMT

Thank you for all the responses. Our device is a Cisco 5508 WLC . The latest version I can find is 8.5 . Can anyone confirm that this supports the new cli wrapper ?

Re: Can changing the PSK on a wireless controller be scripted?

jcohoe — Tue, 29 Jan 2019 21:07:21 GMT

Yes the latest supported code for 5508 is 8.5. The Ansible modules now work with both legacy and current SSH implementation.

Re: Can changing the PSK on a wireless controller be scripted?

khan.mohd.sharif1 — Thu, 23 Dec 2021 14:31:44 GMT

I tried the same script on Ansible Tower but could not get the response and got the error message.

Attached the error message for your reference. Please suggest.

Re: Can changing the PSK on a wireless controller be scripted?

Ercuru — Tue, 27 Jun 2023 08:51:37 GMT

Have used posh-ssh module for PowerShell for automation with New-SSHShellStream commandlet:

$ssh = New-SSHSession -ComputerName $IP -Credential (New-Object System.Management.Automation.PSCredential ($Username, (ConvertTo-SecureString -String $Password -AsPlainText -Force))) $stream = New-SSHShellStream -SessionId $ssh.SessionId Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("$($Username)") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("$($Password)") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("config wlan disable <YOUR_WLAN_ID>") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("config wlan security wpa <YOUR_OPTIONS_FOR_PSK>") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("config wlan enable <YOUR_WLAN_ID>") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("save config") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("y") Start-Sleep -Seconds 2 $stream.read() $stream.WriteLine("logout") Start-Sleep -Seconds 2 $stream.read() $stream.Close() Remove-SSHSession -SessionId $ssh.SessionId

$Username - variable with your login, $Password - variable with your login password, $IP - variable with remote controller IP
$stream.read - used for getting shell output back for logging