Automate WPA2 passphrase change on Cisco AP

I recently needed to provide wireless Internet access to Spektrum transmitters so updates could be applied while the transmitters are in for repair. These devices were not working reliably with the existing UniFi Guest Wireless/Portal and the transmitters do not seem able to connect using WPA2-Enterprise authentication. Due to security concerns, I did not want to provide a permanent WPA2 passphrase for ongoing use so I decided to use bash, clogin and cron to create a function that would change the passphrase daily.

I grabbed the first bit of code from Mike Willis’ blog which randomly picks a predefined number of words from a specified wordlist file. I found an acceptable wordlist without special characters from EFF’s site (although it would have been a better password to use all characters, I didn’t want users to have to enter special characters on the transmitter touch screen). I proceeded to make a few changes to Mike’s script so that the script would only select words that were less than 4 characters and added random digits to the end of the randomly chosen word. After picking a random word and adding 4 digits the script writes the requisite Cisco commands for changing the passphrase to an external file. clogin finishes the process by simply running the IOS commands against the Cisco AP after automatically logging in via SSH (the credentials are stored in the .cloginrc file). If all goes well an email is sent out notifying the users of the new password (if a failure occurs the script sends me an email). Adding the script to crontab makes the process happen every night without any IT intervention.

#!/bin/bash

WORDFILE="/opt/ResetServiceCenterAPPassword.wordfile"
NUMWORDS=1
EMAILLIST="[email protected] [email protected]"

# Number of non-empty lines in the wordlist; used as the upper bound for the random line pick.
tL=$(awk 'NF!=0 {++c} END {print c}' "$WORDFILE")
poorchoice=1

# Keep drawing random lines until one is non-empty and at most 5 characters long.
# (The original test used [[ ... > 5 ]], which compares as strings, so a 10-letter
# word would have passed; -gt compares numerically.)
while [[ $poorchoice = 1 ]]; do
  rnum=$((RANDOM % tL + 1))
  pword=$(sed -n "${rnum}p" "$WORDFILE")
  if [[ -z $pword || ${#pword} -gt 5 ]]; then
    poorchoice=1
  else
    poorchoice=0
  fi
done
# Append four random digits to the chosen word.
pword=$pword$(shuf -i 2000-9999 -n 1)

# Write the IOS commands that clogin will replay against the access point.
echo "conf t
dot11 ssid Spektrum
wpa-psk ascii 0 $pword
exit
exit" > /opt/ResetServiceCenterAPPassword.cmds

/opt/clogin -x /opt/ResetServiceCenterAPPassword.cmds <Access Point IP>
status=$?

if [ "$status" -eq 0 ]; then
  # $EMAILLIST is deliberately unquoted so each address becomes a separate recipient.
  echo "Spektrum transmitter WiFi password changed to $pword" | mail --append="FROM:IT <[email protected]>" [email protected] -s "Spektrum transmitter WiFi password changed to $pword EOM" $EMAILLIST
else
  echo "Error with /opt/ResetServiceCenterAPPassword.sh script" | mail --append="FROM:IT <[email protected]>" [email protected] -s "Error with /opt/ResetServiceCenterAPPassword.cmds" [email protected]
fi
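The same generate-then-push steps as the script above, as an added example that is not the post's code: it draws words with shuf reading /dev/urandom instead of bash's $RANDOM, and writes the clogin command file to a mode-0600 temp file rather than a fixed path under /opt. The wordlist, SSID and word counts are constructed for the demo, and clogin itself is not invoked here.

```bash
#!/bin/bash
# Added example, not the blog's script: passphrase generation and command-file
# handling for the daily Cisco AP passphrase rotation, with the random source
# and file permissions tightened. The wordlist below is constructed for the demo.
set -eu

# Draw NUMWORDS distinct words of at most MAXLEN characters from WORDFILE and
# append a 4-digit suffix. shuf is pointed at /dev/urandom because bash's
# $RANDOM is a small, predictable generator, not a cryptographic one.
gen_passphrase() {
  local wordfile=$1 numwords=$2 maxlen=$3 words digits
  words=$(awk -v max="$maxlen" 'NF && length($0) <= max' "$wordfile" \
            | shuf --random-source=/dev/urandom -n "$numwords" | tr -d '\n')
  [ -n "$words" ] || { echo "no words of <= $maxlen chars in $wordfile" >&2; return 1; }
  digits=$(shuf --random-source=/dev/urandom -i 2000-9999 -n 1)
  printf '%s%s\n' "$words" "$digits"
}

# Write the IOS commands for 'clogin -x' to a temp file (mktemp creates it 0600)
# instead of a fixed, possibly world-readable path, and print the file name.
# The caller should remove the file once clogin has run.
write_cmds() {
  local ssid=$1 pword=$2 cmdfile
  cmdfile=$(mktemp)
  printf 'conf t\ndot11 ssid %s\nwpa-psk ascii 0 %s\nexit\nexit\n' \
    "$ssid" "$pword" > "$cmdfile"
  printf '%s\n' "$cmdfile"
}

# Constructed wordlist: short and long words plus a blank line, so both the
# length filter and the non-empty (NF) check are exercised.
DEMO_WORDFILE=$(mktemp)
printf 'able\nacorn\n\nabandonment\nzebra\nacrobatics\nplum\n' > "$DEMO_WORDFILE"

demo_passphrase=$(gen_passphrase "$DEMO_WORDFILE" 2 5)
demo_cmdfile=$(write_cmds Spektrum "$demo_passphrase")
echo "passphrase: $demo_passphrase  commands written to: $demo_cmdfile"
```

Two 5-letter words plus four digits gives roughly 2^28 possibilities with the EFF list, against about 2^17 for one word plus digits; the script still emails the passphrase in clear text, which is the remaining weak link.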
