Posted this on UBNT forum and a minute later kind of felt like it's too consumer there now so I thought I'd post here...
Up till now all of our installations have been done by company owners. We're at a point that we need to hire a full time installer or two - just too much to do on the network growth side...
How do you guys manage sensitive network information like wireless passwords on CPE's, AP's and backhauls? They will be working for us but if one leaves, I don't want them to have too much information on passwords, etc. I imagine they will help with a lot of stuff in addition to installs, making it more challenging.
Any insight on what has worked is appreciated.
Rob
New Installer / Sensitive Network Info
-
sirhc - Employee
- Posts: 7414
- Joined: Tue Apr 08, 2014 3:48 pm
- Location: Lancaster, PA
- Has thanked: 1608 times
- Been thanked: 1325 times
Re: New Installer / Sensitive Network Info
WOW - that is an issue we are dealing with now and with airCONTROL (v1.X) unable to do mass password changes - OUCH
Been tempted to try v2.X of airCONTROL
I think Josh has the right idea, Radius authentication which will be put into our switches next version.
Yea not too many consumers over here!
Been tempted to try v2.X of airCONTROL
I think Josh has the right idea, Radius authentication which will be put into our switches next version.
Yea not too many consumers over here!
Support is handled on the Forums not in Emails and PMs.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
Before you ask a question use the Search function to see it has been answered before.
To do an Advanced Search click the magnifying glass in the Search Box.
To upload pictures click the Upload attachment link below the BLUE SUBMIT BUTTON.
-
mhoppes - Associate
- Posts: 664
- Joined: Thu Apr 10, 2014 9:14 pm
- Location: Pennsylvania
- Has thanked: 10 times
- Been thanked: 125 times
Re: New Installer / Sensitive Network Info
Yeah... radius is the way to go. I really wish Ubiquiti would implement three levels of security on their devices.
Operator
Installer
Read-Only
Operator
Installer
Read-Only
-
rebelwireless - Experienced Member
- Posts: 607
- Joined: Mon Sep 01, 2014 1:46 pm
- Has thanked: 31 times
- Been thanked: 136 times
Re: New Installer / Sensitive Network Info
radius for wireless for sure, but for installer logins? not really possible. They need access before the device is online, so they need an on-device password.
As far as permissions go, yes, ubnt needs to solve that. But if you just want a login that you can change so when a tech leaves your radios are accessible, this isn't terribly hard.
for example,
On your airOS device, add an /etc/persistent/rc.poststart
in that file, do
echo "tech:md5password:0:0::Administrator:/etc/persistent:/bin/sh" >> /etc/passwd"
now you will have a file that creates a tech user that works in the UI.
you have to type 'save' and the cli to commit this.
next step, pull a file from a server you control with an updated password and use sed to replace the tech:\+: with your new user md5password. Now radios will update the tech password on startup. optionally, wrap that up in while 0;the command;sleep 600 so that the radio will update every 10 minutes.
remember to type save whenever you alter something in /etc/persistent.
As far as permissions go, yes, ubnt needs to solve that. But if you just want a login that you can change so when a tech leaves your radios are accessible, this isn't terribly hard.
for example,
On your airOS device, add an /etc/persistent/rc.poststart
in that file, do
echo "tech:md5password:0:0::Administrator:/etc/persistent:/bin/sh" >> /etc/passwd"
now you will have a file that creates a tech user that works in the UI.
you have to type 'save' and the cli to commit this.
next step, pull a file from a server you control with an updated password and use sed to replace the tech:\+: with your new user md5password. Now radios will update the tech password on startup. optionally, wrap that up in while 0;the command;sleep 600 so that the radio will update every 10 minutes.
remember to type save whenever you alter something in /etc/persistent.
-
LRL - Experienced Member
- Posts: 238
- Joined: Sun Nov 23, 2014 4:00 am
- Location: Rock Springs, WY
- Has thanked: 18 times
- Been thanked: 49 times
Re: New Installer / Sensitive Network Info
We program all the radios with a default password that gets changed by NOC (me or my partner) before adding to Aircontrol. Then all installers have their own logins to Aircontrol for service calls.
If the radio is off line they must default it and set it back up using our defaults file. NOC once again must touch the radio.
We use radius for WPA auth.
If the radio is off line they must default it and set it back up using our defaults file. NOC once again must touch the radio.
We use radius for WPA auth.
-LRL
"My reading of history convinces me that most bad government results from too much government." - Thomas Jefferson
"My reading of history convinces me that most bad government results from too much government." - Thomas Jefferson
5 posts
Page 1 of 1
Who is online
Users browsing this forum: No registered users and 11 guests