Posted this on UBNT forum and a minute later kind of felt like it's too consumer there now so I thought I'd post here...
Up till now all of our installations have been done by company owners. We're at a point that we need to hire a full-time installer or two - just too much to do on the network growth side...
How do you guys manage sensitive network information like wireless passwords on CPEs, APs and backhauls? They will be working for us but if one leaves, I don't want them to have too much information on passwords, etc. I imagine they will help with a lot of stuff in addition to installs, making it more challenging.
Any insight on what has worked is appreciated.
Rob
New Installer / Sensitive Network Info
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: New Installer / Sensitive Network Info
WOW - that is an issue we are dealing with now and with airCONTROL (v1.X) unable to do mass password changes - OUCH
Been tempted to try v2.X of airCONTROL
I think Josh has the right idea, RADIUS authentication, which will be put into our switches next version.
Yeah, not too many consumers over here!
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: New Installer / Sensitive Network Info
Yeah... RADIUS is the way to go. I really wish Ubiquiti would implement three levels of security on their devices.
Operator
Installer
Read-Only
-
rebelwireless - Experienced Member
- Posts: 607
- Joined: Mon Sep 01, 2014 1:46 pm
- Has thanked: 31 times
- Been thanked: 136 times
Re: New Installer / Sensitive Network Info
RADIUS for wireless for sure, but for installer logins? Not really possible. They need access before the device is online, so they need an on-device password.
As far as permissions go, yes, ubnt needs to solve that. But if you just want a login that you can change so when a tech leaves your radios are accessible, this isn't terribly hard.
For example:
On your airOS device, add an /etc/persistent/rc.poststart.
In that file, do:
echo "tech:md5password:0:0::Administrator:/etc/persistent:/bin/sh" >> /etc/passwd
Now you will have a file that creates a tech user that works in the UI.
You have to type 'save' at the CLI to commit this.
Next step: pull a file from a server you control with an updated password and use sed to replace the tech:\+: with your new user md5password. Now radios will update the tech password on startup. Optionally, wrap that up in while 0;the command;sleep 600 so that the radio will update every 10 minutes.
Remember to type save whenever you alter something in /etc/persistent.
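The password-update step described in the post above, as an added example that is not part of the original thread: it checks the fetched value before it goes anywhere near the passwd file and rewrites only the password field of the tech line. The function names are hypothetical, the hash is assumed to be md5-crypt ($1$salt$hash), and the download from your server is not shown.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Assumes the stored hash is md5-crypt: $1$<salt>$<22 chars>.

# Accept exactly one md5-crypt token. Rejecting ':' and newlines matters:
# either would let a bad or tampered file add fields or whole accounts.
valid_hash() {
    case "$1" in
        *[!A-Za-z0-9./\$]*) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^\$1\$[A-Za-z0-9./]{1,8}\$[A-Za-z0-9./]{22}$'
}

# Replace only field 2 of USER's line in FILE; every other line is untouched.
# awk is used instead of sed because the hash contains '/', '.' and '$'.
set_passwd_hash() {
    user=$1 hash=$2 file=$3 tmp="$3.new.$$"
    valid_hash "$hash" || return 1
    if awk -F: -v OFS=: -v u="$user" -v h="$hash" \
        '$1 == u { $2 = h; found = 1 } { print } END { exit !found }' \
        "$file" > "$tmp"
    then
        mv "$tmp" "$file"        # rename, so a reader never sees a partial file
    else
        rm -f "$tmp"; return 2   # account missing or file unreadable
    fi
}

# FETCHED is the file already pulled from the server you control (the
# download itself is not shown); only its first line is considered.
rotate_from_file() {
    new=
    [ -r "$1" ] || return 1
    IFS= read -r new < "$1" || [ -n "$new" ] || return 1
    set_passwd_hash tech "$new" "$2"
}
```

A non-zero return leaves the existing passwd file as it was, so a failed or tampered download cannot lock the radio out or add an account.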
-
LRL - Experienced Member
- Posts: 238
- Joined: Sun Nov 23, 2014 4:00 am
- Location: Rock Springs, WY
- Has thanked: 18 times
- Been thanked: 49 times
Re: New Installer / Sensitive Network Info
We program all the radios with a default password that gets changed by NOC (me or my partner) before adding to Aircontrol. Then all installers have their own logins to Aircontrol for service calls.
If the radio is offline they must default it and set it back up using our defaults file. NOC once again must touch the radio.
We use radius for WPA auth.
-LRL
"My reading of history convinces me that most bad government results from too much government." - Thomas Jefferson