Can changing the PSK on a wireless controller be scripted?

PJV
Level 1

Any suggestions for how to automate a monthly change to the PSK for the guest wireless SSID? Attempts to connect to the wireless controllers in PowerShell with poshssh and plink run into issues trying to authenticate. The first prompt at login being "login as" rather than user as is the case with most SSH connections.

9 Replies

jcohoe
Cisco Employee

Hello, have you tried using Ansible with the aireos_config and aireos_command modules?

I have not tried Ansible. Can you point me to an example using Ansible?  

jcohoe
Cisco Employee

Hi, we are planning to release a blog post in March, to coincide with the Ansible release. Their release has a fix for both "legacy" and the new SSH mechanisms within AireOS. As you may be aware, in AireOS 8.6+ the CLI wrapper around the authentication is disabled by default, providing a more native SSH experience. Prior to 8.6 there is a wrapper around the authentication, which is where your PowerShell etc. scripts are likely failing.

To work around this, you could try upgrading to 8.6+ code (recommend 8.8). However I understand this is much easier said than done :)

 

There is a video showing this in action: https://www.youtube.com/watch?v=KIJBE9DVMDA

 

Here is the config for Ansible

aireos_hosts.txt

[all:vars]
ansible_connection=local
ansible_user=your_wlc_username
ansible_password=your_wlc_password
ansible_port=22
[aireoswlc]
wlc1 ansible_host=10.10.10.2

 

aireos_show.yaml

---
- hosts: aireoswlc
  gather_facts: no
  tasks:
   - aireos_command:
      commands:
       - show boot
     register: show
   - debug: var=show.stdout_lines

Execute the playbook with:

ansible-playbook -i ./aireos_hosts.txt ./aireos_show.yaml

 

Documentation on the 2 modules is available at:

https://docs.ansible.com/ansible/2.4/aireos_command_module.html

https://docs.ansible.com/ansible/2.4/aireos_config_module.html 

 

Jeremy

Thank you for all the responses. Our device is a Cisco 5508 WLC. The latest version I can find is 8.5. Can anyone confirm that this supports the new CLI wrapper?

 

jcohoe
Cisco Employee

Yes the latest supported code for 5508 is 8.5. The Ansible modules now work with both legacy and current SSH implementation.

I tried the same script on Ansible Tower but could not get the response and got the error message.

 

Attached the error message for your reference. Please suggest.

 

 

Leo Laohoo
Hall of Fame

Python scripts are available that will generate random characters.  Add a few lines to instruct the system to remote into the WLC to change the PSK (alternatively, can use SNMP to push the new PSK) and at the same time email you the new PSK.  
Use crontab to schedule how often you want the script to run.

patoberli
VIP Alumni
There is also another way, requiring a RADIUS server, but could also maybe be (ab)used for your requirement:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-5/b_Identity_PSK_Feature_Deployment_Guide.html

But honestly, it's easier with SNMP or SSH.
For SSH, try to send an empty username at first try, then the console should start and ask for the username, where you send the correct one. That would probably require a timed character sequence.

Ercuru
Level 1

Have used posh-ssh module for PowerShell for automation with New-SSHShellStream cmdlet:

 

# Open the SSH session, then an interactive shell stream on top of it
$ssh = New-SSHSession -ComputerName $IP -Credential (New-Object System.Management.Automation.PSCredential ($Username, (ConvertTo-SecureString -String $Password -AsPlainText -Force)))
$stream = New-SSHShellStream -SessionId $ssh.SessionId
Start-Sleep -Seconds 2
$stream.read()
# Answer the controller's in-shell login prompts (user, then password)
$stream.WriteLine("$($Username)")
Start-Sleep -Seconds 2
$stream.read()
$stream.WriteLine("$($Password)")
Start-Sleep -Seconds 2
$stream.read()
# Disable the WLAN, set the new PSK, then re-enable the WLAN
$stream.WriteLine("config wlan disable <YOUR_WLAN_ID>")
Start-Sleep -Seconds 2
$stream.read()
$stream.WriteLine("config wlan security wpa <YOUR_OPTIONS_FOR_PSK>")
Start-Sleep -Seconds 2
$stream.read()
$stream.WriteLine("config wlan enable <YOUR_WLAN_ID>")
Start-Sleep -Seconds 2
$stream.read()
# Save the configuration and confirm the prompt with y
$stream.WriteLine("save config")
Start-Sleep -Seconds 2
$stream.read()
$stream.WriteLine("y")
Start-Sleep -Seconds 2
$stream.read()
# Log out and clean up the stream and the SSH session
$stream.WriteLine("logout")
Start-Sleep -Seconds 2
$stream.read()
$stream.Close()
Remove-SSHSession -SessionId $ssh.SessionId

 

$Username - variable with your login, $Password - variable with your login password, $IP - variable with remote controller IP
$stream.read - used for getting shell output back for logging
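
The key-generation step suggested in the replies above, as an added example that is not code from any poster or from Cisco: it draws the guest PSK from Python's secrets module and builds the same disable / set key / enable / save sequence used in the PowerShell post, with a redacted copy for logging. The set-key ascii syntax, the 1-512 WLAN ID range, the restricted alphabet and all function names are assumptions not taken from the thread; check them against your AireOS release.

```python
import secrets
import string

# Assumption (not from the thread): letters and digits only, minus look-alikes
# (0/O, 1/l/I), so guests can type the key and no character such as '?', a
# quote or a space is interpreted by the controller's interactive CLI.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                   if c not in "0O1lI")

def generate_psk(length=20):
    """Return a passphrase drawn from the OS CSPRNG (secrets, not random)."""
    if not 8 <= length <= 63:  # WPA/WPA2 ASCII passphrase length limits
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until digits, lower case and upper case are all present.
        if (any(c.isdigit() for c in psk) and any(c.islower() for c in psk)
                and any(c.isupper() for c in psk)):
            return psk

def validate_psk(psk):
    """True if the key meets the length limits and uses only ALPHABET."""
    return 8 <= len(psk) <= 63 and all(c in ALPHABET for c in psk)

def build_commands(wlan_id, psk):
    """Disable WLAN, set key, enable WLAN, save: the order used in the thread."""
    # Assumption: WLAN IDs are integers 1-512; adjust for your platform.
    if not isinstance(wlan_id, int) or not 1 <= wlan_id <= 512:
        raise ValueError("WLAN ID must be an integer from 1 to 512")
    if not validate_psk(psk):
        raise ValueError("PSK failed validation")
    return [
        f"config wlan disable {wlan_id}",
        # Assumption: set-key syntax is not on the page; verify on your release.
        f"config wlan security wpa akm psk set-key ascii {psk} {wlan_id}",
        f"config wlan enable {wlan_id}",
        "save config",
        "y",  # confirms the save prompt
    ]

def redact(commands, psk):
    """Copy of the command list that is safe to write to a log."""
    return [c.replace(f"ascii {psk} ", "ascii <redacted> ") for c in commands]

if __name__ == "__main__":
    new_psk = generate_psk()
    for line in redact(build_commands(3, new_psk), new_psk):  # 3: sample WLAN ID
        print(line)
```

The command list can be fed line by line to whichever transport from the thread works against your controller (the shell stream or Ansible's aireos_config); only the redacted copy should reach logs.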

 
