WAP4410N - SSH user management and log e-mail

fullsix_pt
Level 1

Hello all.


We have just bought 4 WAP4410N. These units will be handling wireless network at the edge of our network, only allowing for Internet access.

We will be creating two SSID's, one for employees and another for guests, with different wireless password rotation policies, intended to be changed automatically by an application using SSH.

Is it possible in any way to create another SSH user just for this purpose? I do feel uncomfortable using the management user for this (call it paranoia!). The same with having SSH accessible from the wireless end. Any way I can tweak sshd and have it persist between reboots?

Also, another issue is that we have the AP's configured for e-mailing the log however we don't receive it. Connectivity and sending has been tested with snmpc on console and everything seems to be OK. Any idea of what might be failing here?

Cheers

8 Replies

fullsix_pt
Level 1

Another useful piece of information would be the format of the PSK string when you try to change it through the console.

I'm issuing set psk and always get A_ERROR: Invalid HEX passphrase

If I use the hex of the string with 0x I get the same. If I use only hex the psk is changed to that string.

I'm lost...

I've tried to find a console manual but couldn't find it anywhere.

After opening a support chat with Cisco regarding the issue with SET PSK command, Cisco has told me CLI access is not supported in this unit.

Just great... So I buy four units with one of the buying reasons to be scriptable, and Cisco now tells me that SSH access to CLI isn't supported.

I guess I'll be returning my four units and buying from a vendor that doesn't advertise unsupported features to earn clients.

Sad sad indeed Cisco... disappointing really!

Tiago,

You mentioned in your last post that "I guess I'll be returning my four units and buying from a vendor that doesn't advertise unsupported features to earn clients." Can you show me where Cisco advertises that SSH is supported? I looked on the Cisco.com website and wasn't able to find this feature; thought I might be overlooking this. It definitely needs to be addressed if it is being advertised as a supported feature but not supported.

Thanks,

Jason Bryant

Cisco Support Engineer

Hi Jason.

In fact you're right. I've searched again and didn't find it. I knew WAP4410N supported SSH access because I have the nasty habit of researching each product I buy (for me and my organization) before in fact choosing it, and this leads me to, among other things, RTFM. And reading the manual I find that the unit does indeed allow ssh access (http://www.cisco.com/en/US/docs/wireless/access_point/csbap/wap4410n/administration/guide/WAP4410N_Admin_Guide.pdf ; Page 58 (numbered)).

Now, when I buy a product that has features mentioned in its manual I assume I will be able to use it, and won't need the vendor's internal documents to be able to use it efficiently. Hence, I assumed (and this seems to have been my mistake, apart from snapping in my earlier post) that if the unit has indeed the feature of a CLI I would be able to use it for scripting (or anything else!). Seems I'm wrong...

Yes, these units were chosen and bought because they seemed adequate for the job, even with all the problems they seem to have had in the past (some seem to be current still), but also because of the ability to script CLI operations, among them (and really the most important for us) the PSK change. If CLI is unsupported - which means that Cisco won't help this customer understand a conflicting command syntax (one side demands hex and then shows ascii) - this means that these units aren't adequate for the job they were bought for, hence if no help from Cisco they will be returned and substituted for another that provides the same functionality and more information for CLI.

I mean, Jason, I'm not properly asking for the keys to the realm here (and by realm I mean root!), nor ways to hack the firmware. Apart from trying to better secure these units by restricting ssh login and connections, and a mail log that simply isn't working, I'm asking for a command syntax. How hard can this be? Do I need a support contract for this??

fullsix_pt
Level 1

Just for reference, to script a PSK change for VAP 1 in the unsupported CLI:

nvram set wlan0_ssid1_passphrase=this.is.a.test

nvram commit

It will persist after reboot.

Check nvram show for other options, and be careful...

Still to troubleshoot the e-mail log issue.
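As an added example (not code from the thread, from Cisco, or from the WAP4410N firmware), the two nvram commands quoted in the post above can be wrapped in a small POSIX shell script that does the automated passphrase rotation the original question asks about. It assumes, without confirmation from the page, that the SSH login lands in a POSIX-style shell that reads commands from stdin, that key-based login works for the account in AP_USER, and that VAP n is stored under wlan0_ssidn_passphrase the way the post shows for n=1; the hostnames ap1 to ap4 are placeholders. It also checks the new value against the WPA/WPA2 passphrase rule (8 to 63 printable ASCII characters, or exactly 64 hex digits for a raw PSK), which is the likely reason behind the "Invalid HEX passphrase" error mentioned earlier in the thread, and it quotes the value so punctuation in a passphrase cannot be reinterpreted by the remote shell.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: rotate a WPA passphrase
# over SSH using the nvram commands quoted in the post above.
# Assumptions (not confirmed by the page): SSH login gives a POSIX-style
# shell that reads commands from stdin; key-based login works for $AP_USER;
# VAP n lives in wlan0_ssid<n>_passphrase; ap1..ap4 are placeholder hosts.
export LC_ALL=C

# WPA/WPA2 passphrase rule (IEEE 802.11): 8-63 printable ASCII characters,
# or exactly 64 hex digits for a raw PSK. Returns 0 if $1 is acceptable.
valid_passphrase() {
    p=$1
    case "$p" in
        *[!0-9A-Fa-f]*) ;;                    # not pure hex: apply ASCII rule
        *) [ ${#p} -eq 64 ] && return 0 ;;    # raw 256-bit PSK
    esac
    [ ${#p} -ge 8 ] && [ ${#p} -le 63 ] || return 1
    case "$p" in
        *[![:print:]]*) return 1 ;;           # control bytes or non-ASCII
    esac
    return 0
}

# Wrap $1 in single quotes so the remote shell hands it to nvram verbatim,
# whatever punctuation the passphrase contains (embedded ' becomes '\'').
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# The command line from the post, for VAP $1 and passphrase $2, on stdout.
psk_command() {
    valid_passphrase "$2" || { echo "psk_command: invalid passphrase" >&2; return 1; }
    printf 'nvram set wlan0_ssid%s_passphrase=%s && nvram commit' "$1" "$(sq "$2")"
}

# 20 random characters from [A-Za-z0-9]: inside the length limit and free of
# characters that could trip up the web UI or a client's supplicant.
new_passphrase() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c 20
}

# Push passphrase $3 for VAP $2 to AP $1. The command is fed on stdin rather
# than passed as an ssh argument so the secret never shows up in argv or ps
# output on either end. DRY_RUN=1 prints what would be sent instead.
rotate_psk() {
    cmd=$(psk_command "$2" "$3") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s@%s: %s\n' "${AP_USER:-admin}" "$1" "$cmd"
    else
        printf '%s\n' "$cmd" | ssh "${AP_USER:-admin}@$1" sh
    fi
}

# Usage: ./rotate.sh --run  (rotates VAP 1 on all four APs to one new value)
if [ "${1:-}" = --run ]; then
    pass=$(new_passphrase)
    for ap in ap1 ap2 ap3 ap4; do          # placeholder hostnames
        rotate_psk "$ap" 1 "$pass" || echo "rotation failed on $ap" >&2
    done
    printf 'new passphrase for VAP 1: %s\n' "$pass"
fi
```

Run it with --run from a host that has key-based SSH access to the APs; with DRY_RUN=1 set it only prints the command each AP would receive. Because nvram settings are written with `nvram commit` and, as the post notes, persist across reboots, a typo in the variable name silently creates a new key rather than failing, so keep the validation step and review the generated command in dry-run mode before using it against all units.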

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. I work here with Jason that you have been talking to.

Thank you for buying a Small Business product.

Just to update you with regards to the case. It is not that we are unwilling to give you any of the syntax for CLI with this device. CLI support for this device is not authorized for our support staff. The functionality of this router was meant to be configured and used through the WEBgui interface. With that in mind, the support center was never trained in the use of the CLI commands of the interface or its syntax. The OS of the device is not a true IOS like our Enterprise devices. Only the Business Unit and the Development team had access to that.

Jason and I are in contact with the Business Unit and the Development team to see how they want to address this issue. As soon as we hear from them, I will hastily update you through this post.

Thank you for your time and patience.

Eric Moyers
Cisco Network Support Engineer
1-866-606-1866

fullsix_pt
Level 1

Thanks for your clarification Eric.

Using the commands in my earlier post I have successfully scripted the PSK change for all AP's.

The e-mail log issue however I'm not having much success with its troubleshooting. The ability to send e-mail is ok using smtpc through CLI, but the AP never sends me anything of its own free will... All of the events in the WebGUI are selected, but still no dice.

Any idea of possible things to check?

Mr. Silva, as promised I have been talking to our Business Unit, that manages this device. Their response more or less matches my first response back to you yesterday. I will add it below.

Although the interface exists SSH is NOT supported in our AP line. The interface is not documented nor has any formal training been delivered to support the interface.

SSH is needed for advanced troubleshooting and large unit deal opportunities that may need mass deployment/provisioning capabilities.

There is an honorable mention in the manual due to the fact that the interface simply exists, however it’s disabled by default.

Currently our stance for this product line will stay as is. For technically savvy engineers, there are always ways to push products beyond what they were intended for. That is what makes for great engineers. But if customers need the features that you are looking for with the ability to get technical support, the best suggestion I have is to look at our Enterprise line of AP's. We have some great products and they are full of features.

For your e-mail issue I will research that for you. I would also ask that you call in to our support center and open a case for this issue and then post it back here.

Eric Moyers
Cisco Network Support Engineer
1-866-606-1866