Automatically change WPA2 passphrase by script monthly

  • Question
  • Updated 4 years ago
  • Answered

We have an organization with 47 locations connected by WAN connections. Every location has one or more Aerohive APs. Is there a way to program the WPA2 passphrase by script? I want to change the passphrase automatically on the first day of every month at 00:00h. The new passphrase will be scripted to display on our intranet.

Paul Willemsen

Posted 4 years ago

Stefan van der Wal, Champ

Hi Paul,

Well, for one thing I'd say the PPSK function within Aerohive would be the way to go. It can be configured to be changed every month on the dot. However, do you want all the locations to have a different password? Or all the same?

Cheers,

Stefan

Paul Willemsen

Stefan,

All APs have the same configuration, so all APs must be changed at the same time with a predefined or randomly generated password.

Paul

Stefan van der Wal, Champ

Hi Paul,

That's no problem at all, I was just wondering if you wanted to differ your password per location or use one for the whole network globally. The latter is obviously easier. There are basically two ways you can go: you can either define the passwords yourself and then push them out with a planned config update (a so-called delta upload, so a reboot is not necessary), or, easier, use automatic creation and rotation of pre-shared keys. Let me see if I can find you a link to a document explaining that. Otherwise I'll try and make some screenshots explaining the steps.

Stefan

Paul Willemsen

Stefan,

Thanks for the fast response. The advantage over pushing by a Delta Upload is that we know the WPA2 password to put on our intranet site. Otherwise we have to read (scripted) the password and publish it on our intranet. Is there a manual for changing the WPA2 password by scheduled Delta Upload somewhere?

Paul 

Patrick Sewell

Any update on this? I would be interested to know for my company. Thanks.

Stefan van der Wal, Champ

Yes, actually. Excuse me for not responding sooner, I was out of the country and buried in work. For what you are trying to do I would advise taking the following steps:

First, go to SSID and select PPSK as the authentication method and indicate how many devices a user can have on the network at the same time.


After doing that, click save. Your config should look something like this:


Now select PSK User groups; select new and configure it something like the following:


After that you will need to set up a user profile and make it correspond with the User profile attribute you gave the local user group. This is very important, otherwise you will not be able to authenticate. The end result should look something like this:


Now, before you push the configuration, go to the tab on the left to the 'show nav' panel. Browse to authentication > local users. In there you should see the user you just made. You can email that to an email address or write it down to give out to people or have it display somewhere.

This would give you a monthly reset, which means you will not have to do an upload to the APs. On the other hand, if you do not want to use this method, at step one select WPA2/PSK, type in your password, change that manually monthly and update the APs afterward. The APs will not need to reboot since it's not a major configuration change. This is the 'delta-upload'.

Would this help?

Stefan

Patrick Sewell

This is actually extremely helpful. Thank you.

Being able to configure PSKs in advance should save us from needing to do mass delta configuration pushes weekly to change our PSK. We have also been pushing complete configurations each time since you can only schedule activation of the configurations if a complete is pushed. Having the key change automatically at the specified time will also be very nice. This process should save us from doing a lot of unnecessary work.

Hopefully this is also what the OP needed. Thanks.

Paul Willemsen

Stefan,


Many thanks. Our supplier is still wondering how to fix our question!


Regards (and thanks)


Paul Willemsen
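
For the delta-upload route discussed in this thread, where the passphrase is chosen in advance and published on the intranet, the generation step can be scripted as below. This is an added example, not code from the thread or from Aerohive; the alphabet, the function names and the record layout are assumptions, and pushing the value to the APs and publishing it are left to your own tooling.

```python
import math
import secrets
from datetime import date

# Constructed alphabet: letters and digits minus look-alikes (0/O, 1/l/I),
# so the value can be read off an intranet page and typed without errors.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def is_valid_wpa2_passphrase(value: str) -> bool:
    """WPA2-PSK passphrases are 8 to 63 printable ASCII characters."""
    return 8 <= len(value) <= 63 and all(32 <= ord(c) <= 126 for c in value)


def generate_passphrase(length: int = 20) -> str:
    """Draw each character from the OS CSPRNG via the secrets module."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase length must be 8..63 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int) -> float:
    """Entropy of a uniformly random passphrase over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def next_rotation(today: date) -> date:
    """First day of the month after `today` (handles December rollover)."""
    if today.month == 12:
        return date(today.year + 1, 1, 1)
    return date(today.year, today.month + 1, 1)


def rotation_record(today: date, length: int = 20) -> dict:
    """Hypothetical record a scheduler hands to the push and publish steps."""
    passphrase = generate_passphrase(length)
    if not is_valid_wpa2_passphrase(passphrase):
        raise RuntimeError("generated passphrase violates WPA2 constraints")
    return {
        "passphrase": passphrase,
        "valid_from": today.isoformat(),
        "valid_until": next_rotation(today).isoformat(),
        "entropy_bits": round(entropy_bits(length), 1),
    }


if __name__ == "__main__":
    print(rotation_record(date.today()))
```

Run it from a scheduler on the first of the month, and keep the output readable only by the accounts that push the configuration and update the intranet page.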