Automated password for Guest wireless user

SOLVED
Conversationalist

Hi all, has anyone implemented or know a way to automate a password on a weekly basis for a Meraki guest user account?

Accepted Solutions
Kind of a big deal

Re: Automated password for Guest wireless user

You could also use the dashboard API to change the password weekly with a timed script.

 

PUT Update the attributes of an SSID
 

HTTP REQUEST

PUT /networks/[networkId]/ssids/[number]

PARAMETERS

Parameter: Description
name: The name of an SSID
enabled: Whether or not an SSID is enabled
authMode: The association control method for the SSID ('open', 'psk', 'open-with-radius', '8021x-meraki' or '8021x-radius')
encryptionMode: The psk encryption mode for the SSID ('wpa', 'wep' or 'wpa-eap')
psk: The passkey for the SSID. This param is only valid if the authMode is 'psk'
wpaEncryptionMode: The types of WPA encryption. ('WPA1 and WPA2' or 'WPA2 only')
splashPage: The type of splash page for the SSID ('None', 'Click-through splash page', 'Billing', 'Password-protected with Meraki RADIUS', 'Password-protected with custom RADIUS', 'Password-protected with Active Directory', 'Password-protected with LDAP', 'SMS authentication', 'Systems Manager Sentry', 'Facebook Wi-Fi', 'Google OAuth' or 'Sponsored guest'). This attribute is not supported for template children.
radiusServers: The RADIUS 802.1x servers to be used for authentication. This param is only valid if the authMode is 'open-with-radius' or '8021x-radius'
  host: IP address of your RADIUS server
  port: UDP port the RADIUS server listens on for Access-requests
  secret: RADIUS client shared secret
radiusCoaEnabled: If true, Meraki devices will act as a RADIUS Dynamic Authorization Server and will respond to RADIUS Change-of-Authorization and Disconnect messages sent by the RADIUS server.
radiusFailoverPolicy: This policy determines how authentication requests should be handled in the event that all of the configured RADIUS servers are unreachable ('Deny access' or 'Allow access')
radiusLoadBalancingPolicy: This policy determines which RADIUS server will be contacted first in an authentication attempt and the ordering of any necessary retry attempts ('Strict priority order' or 'Round robin')
radiusAccountingEnabled: Whether or not RADIUS accounting is enabled. This param is only valid if the authMode is 'open-with-radius' or '8021x-radius'
radiusAccountingServers: The RADIUS accounting 802.1x servers to be used for authentication. This param is only valid if the authMode is 'open-with-radius' or '8021x-radius' and radiusAccountingEnabled is 'true'
  host: IP address to which the APs will send RADIUS accounting messages
  port: Port on the RADIUS server that is listening for accounting messages
  secret: Shared key used to authenticate messages between the APs and RADIUS server
ipAssignmentMode: The client IP assignment mode ('NAT mode', 'Bridge mode', 'Layer 3 roaming', 'Layer 3 roaming with a concentrator' or 'VPN')
useVlanTagging: Direct traffic to use specific VLANs. This param is only valid with 'Bridge mode' and 'Layer 3 roaming'
concentratorNetworkId: The concentrator to use for 'Layer 3 roaming with a concentrator' or 'VPN'.
vlanId: The VLAN ID used for VLAN tagging. This param is only valid with 'Layer 3 roaming with a concentrator' and 'VPN'
defaultVlanId: The default VLAN ID used for 'all other APs'. This param is only valid with 'Bridge mode' and 'Layer 3 roaming'
apTagsAndVlanIds: The list of tags and VLAN IDs used for VLAN tagging. This param is only valid with 'Bridge mode', 'Layer 3 roaming'
  tags: Comma-separated list of AP tags
  vlanId: Numerical identifier that is assigned to the VLAN
walledGardenEnabled: Allow access to a configurable list of IP ranges, which users may access prior to sign-on.
walledGardenRanges: Specify your walled garden by entering space-separated addresses, ranges using CIDR notation, domain names, and domain wildcards (e.g. 192.168.1.1/24 192.168.37.10/32 www.yahoo.com *.google.com). Meraki's splash page is automatically included in your walled garden.
minBitrate: The minimum bitrate in Mbps. ('1', '2', '5.5', '6', '9', '11', '12', '18', '24', '36', '48' or '54')
bandSelection: The client-serving radio frequencies. ('Dual band operation', '5 GHz band only' or 'Dual band operation with Band Steering')
perClientBandwidthLimitUp: The upload bandwidth limit in Kbps. (0 represents no limit.)
perClientBandwidthLimitDown: The download bandwidth limit in Kbps. (0 represents no limit.)
 

HEADERS


X-Cisco-Meraki-API-Key: {{X-Cisco-Meraki-API-Key}}
Content-Type: application/json

BODY


{
    "name": "viaPostman935",
    "enabled": false,
    "splashPage": "None",
    "perClientBandwidthLimitUp": 0,
    "perClientBandwidthLimitDown": 0,
    "ssidAdminAccessible": false,
    "ipAssignmentMode": "NAT mode",
    "authMode": "open"
}

 

Here are the docs for that endpoint:

https://documenter.getpostman.com/view/897512/meraki-dashboard-api/2To9xm?version=latest#712cd25d-f8...
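
The timed rotation suggested above, as an added example that is not part of the original post or of Meraki's documentation: it draws the PSK from the operating system's CSPRNG, enforces the WPA2 passphrase limits and builds the PUT request for the endpoint shown above, sending only `psk` as the PowerShell script later in this thread does. The `MERAKI_API_KEY` environment variable, the function names and the sample identifiers are assumptions.

```python
import json
import os
import secrets
import string
import urllib.request

# Character classes mirror the four used by createPassword in this thread.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, "!$%&()?@#+")


def generate_psk(length=16):
    """Return a random WPA2 passphrase with at least one char per class."""
    # WPA2-Personal passphrases are 8 to 63 printable ASCII characters.
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase length must be 8..63")
    # secrets draws from the OS CSPRNG rather than a general-purpose PRNG.
    chars = [secrets.choice(c) for c in CLASSES]
    pool = "".join(CLASSES)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide which slot held which class
    return "".join(chars)


def build_psk_update(network_id, ssid_number, psk, api_key,
                     base="https://dashboard.meraki.com/api/v0"):
    """Build (not send) PUT /networks/[networkId]/ssids/[number]."""
    if not (8 <= len(psk) <= 63 and all(32 <= ord(ch) <= 126 for ch in psk)):
        raise ValueError("psk is not a valid WPA2 passphrase")
    if not api_key:
        raise ValueError("API key missing")
    url = f"{base}/networks/{network_id}/ssids/{int(ssid_number)}"
    # Only 'psk' is sent, as the PowerShell script in this thread does.
    body = json.dumps({"psk": psk}).encode("utf-8")
    return urllib.request.Request(url, data=body, method="PUT", headers={
        "X-Cisco-Meraki-API-Key": api_key,
        "Content-Type": "application/json",
    })


def rotate_psk(network_id, ssid_number, send=urllib.request.urlopen):
    """Generate a PSK, push it, and return it only if the API answered 200."""
    # Assumption: the key is supplied via the MERAKI_API_KEY environment
    # variable (hypothetical name) instead of being written into the script.
    api_key = os.environ.get("MERAKI_API_KEY", "")
    psk = generate_psk()
    resp = send(build_psk_update(network_id, ssid_number, psk, api_key),
                timeout=30)
    if resp.status != 200:
        raise RuntimeError(f"PSK update failed: HTTP {resp.status}")
    return psk  # hand to the delivery step; do not log it


if __name__ == "__main__":
    # Constructed identifiers; nothing is sent when run this way.
    req = build_psk_update("N_EXAMPLE", 1, generate_psk(), "constructed-key")
    print(req.get_method(), req.full_url)
```

Schedule `rotate_psk` from cron or Task Scheduler with the key injected into that job's environment only.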

13 REPLIES
Kind of a big deal

Re: Automated password for Guest wireless user

Splash Access do a rotating WPA2-PSK option with a QR code for configuring guest WiFi devices.

https://www.splashaccess.com/

Conversationalist

Re: Automated password for Guest wireless user

Thanks for the info. Appreciate it
Kind of a big deal

Re: Automated password for Guest wireless user

You're welcome.

Getting noticed

Re: Automated password for Guest wireless user

A bit late to the camp, but I recently just finished a PowerShell script and implemented it last week:

 

It generates a random password (length and complexity can be changed in the script), it then updates the relevant SSID in the required site and emails the password to the reception mailbox.

 

Site name and SSID name are passed as parameters to the script.  It's currently used for just the guest wifi, but can obviously be used for any that uses a PSK.

 

It's scheduled to run at 4pm Fridays (this gives reception time to print out the new password ready for the nights and weekend security teams).

 

e.g.:

MerakiPSKTool.ps1 -site <sitename> -ssid <ssidname>

 

rgds

Gary

Ven
Here to help

Re: Automated password for Guest wireless user

This is exactly what I'm looking for.  SSID's psk must be changed once a month and the password emailed to a distro list.

Can you share your script?  I'm no good with PowerShell, but some folks here are.  I'm sure I could get them to help me implement.

 

thanks!

Conversationalist

Re: Automated password for Guest wireless user

Gary,

   Is your script available to share?  I am looking for something like this as well.  I am trying Splash Access now but I only want just that feature from them and not the whole package.  I don't think they price it separately.  Theirs automates the rotating of the PSK, but I believe I can only do one SSID.

Thanks,

   Steve

Kind of a big deal

Re: Automated password for Guest wireless user

For those still looking to do this. I just wrote a script to do it. You can find it here:

https://community.meraki.com/t5/Wireless-LAN/Automatic-rotating-PSK-for-wireless/m-p/66028/highlight...

 

Getting noticed

Re: Automated password for Guest wireless user

Hi Steve,

 

Below is the powershell script - As it stands, it is hard coded for a single organisation as the base URI contains the Org ID

 

You will just need to populate the necessary areas with your particular details etc.

 

i.e. SMTP server and recipient info in function sendMail

API key in function Get-WifiSSID

base_uri & api_key in #setup some global static stuff section

email message body in section # build email message body and send it

 

You can change password length (currently 10 chars) and complexity by changing the code in function createPassword

 

 

 

 param([string]$site="",[string]$ssid="",[string]$action="")
  
 function sendMail([string]$txtbody)
	{
     #SMTP server name
     $smtpServer = "<InsertYourSMTPMailServerInfoHere>"

     #Creating a Mail object
     $msg = new-object Net.Mail.MailMessage

     #Creating SMTP server object
     $smtp = new-object Net.Mail.SmtpClient($smtpServer)

     #Email structure 
     $msg.From = "merakiapi@<YourMailDomainHere>"
     $msg.To.Add("<RecipientMailAddressHere>")
	 #$msg.To.Add("<OtherRecipientAddressHere>")
     $msg.subject = "New password for guest Wifi" 
     $msg.body = $txtbody
	 $msg.IsBodyHTML=$true

     #Sending email 
     $smtp.Send($msg)
	}

function Get-RandomCharacters($length, $characters)
	{ 
    $random = 1..$length | ForEach-Object { Get-Random -Maximum $characters.length } 
    $private:ofs="" 
    return [String]$characters[$random]
	}

function Scramble-String([string]$inputString)
	{     
    $characterArray = $inputString.ToCharArray()   
    $scrambledStringArray = $characterArray | Get-Random -Count $characterArray.Length     
    $outputString = -join $scrambledStringArray
    return $outputString 
	}

function updateWiFiPSK ([string]$s_id, [string]$w_id, [string]$newpassword)
	{
	[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

	# PSK = New password
	$data = @{
		"psk" = $newpassword
		}

	#Convert data to Json format
	$jbody = ConvertTo-Json -InputObject $data

	#Combine base URL and ssid
	$request_uri = $base_uri + $networks_uri + $s_id + "/ssids/" + $w_id
	
	$r = Invoke-WebRequest $request_uri -Method:Put -Headers $header_org -Body $jbody

	return $r
	}
	
function Get-SiteID
    {
    #get site id
    $request_uri = $base_uri + $networks_uri
    $r = Invoke-WebRequest $request_uri -Method:Get -Headers $header_org

    $json = $r | ConvertFrom-Json
    for($i=0;$i -lt $json.count;$i++)
        {
        if ($site -eq $json[$i].name)
            {
            Write-host "Network Name : " $json[$i].name
            Write-host "id           : " $json[$i].id
            Write-host "Type         : " $json[$i].type

            $s_id = $json[$i].id
            }
        }

    return $s_id
    }

function Get-WiFiSSID ([string]$s_id)
    {
    #get wifi network ID from site requested
    if ($s_id -ne "")
        {
        $request_uri = $base_uri + $networks_uri + $s_id + "/ssids/"
        $r = Invoke-WebRequest $request_uri -Method:Get -Headers @{"X-Cisco-Meraki-API-Key"="<ReplaceWithYouAPIKeyHere>"} -ContentType "application/json"

        $z = $r | ConvertFrom-Json

        for($i=0;$i -lt $z.count;$i++)
            {
          
            If ($z[$i].name -eq $ssid)
                {
                Write-host "SSID Name    : " $z[$i].name
                Write-host "SSID#        : " $z[$i].number 
                Write-host "Current PSK  : " $z[$i].psk

                $w_id = $z[$i].number
                }
            }
        }

    return $w_id
    }

function createPassword
	{
	$password = Get-RandomCharacters -length 4 -characters 'abcdefghiklmnoprstuvwxyz'
	$password += Get-RandomCharacters -length 2 -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
	$password += Get-RandomCharacters -length 2 -characters '1234567890'
	$password += Get-RandomCharacters -length 2 -characters '!$%&()?}][{@#+'	

	#Write-Host $password
		
	return Scramble-String $password
	}

# setup some global static stuff
$base_uri = "https://<InsertYourMerakiAPIBaseURLHere>"
##    E.G.   n34.meraki.com/api/v0/organizations/<OrgID>/
$networks_uri = "networks/"
#Meraki API KEY
$api_key = "<InsertYourAPIKeyHere>"
$header_org = @{"X-Cisco-Meraki-API-KEY" = $api_key;"Content-Type" = 'application/json'}

$s_id = ""
$w_id = ""
$mode = ""

If ($site -eq "" -or $ssid -eq "")
    {
    Write-Host "MerakiPSKTool - (c) 2019"
    Write-Host ""
    Write-Host "Site/SSID parameter is missing"
    Write-Host "Usage: MerakiPSKTool.ps1 -site <sitename> -ssid <ssidName> -action [Change | Display]"
    Write-Host ""
    
    exit
    } 

# if action not passed or is blank, set default mode to Display
if ($action -eq "")
    {
    $action = "Display"
    }

switch ($action)
    {
    {@("Display", "display") -contains $_ }
        {
            "Displaying Wifi details"
            $mode = "display"
        }
    
    {@("Change", "change") -contains $_ }
        {
            "Change Wifi password"
            $mode = "change"
        }

    default { "MerakiPSKTool.ps1" }
    }


# get ID of the site passed in params (set a default value if no site passed)
$s_id = Get-SiteID

If ($s_id -ne "")
    {
    # get id of Wifi network that password is to be changed for
    $w_id = Get-WifiSSID($s_id)

    #Write-Host "Site ID      : " $s_id " | Wifi #: " $w_id
    } 

if ($mode -eq "change")
    {
    # generate a new complex password
    $newpassword = createPassword 

    $result = updateWiFiPSK $s_id $w_id $newpassword

    #Write-Host $result

	# build email message body and send it
    if ($result.StatusCode -eq 200)
        {
        Write-Host "Sending Email"

        $txtbody = "<html><body>"
        $txtbody = $txtbody + "The new password for " + $ssid + " at " + $site + " is<br><br><b><font size=30 color=green>"
        $txtbody = $txtbody + $newpassword + "</font></b>"
        $txtbody = $txtbody + "<br><br>If you have any problems please contact <SomeContactDetailsHere>"
        $txtbody = $txtbody + "<br><br>regards<br>SignoffInfo"
        $txtbody = $txtbody + "</body></html>"

        #Write-Host $txtbody

		# send the email
        sendMail $txtbody
        }
    else
        {
        # Parentheses make Write-Host print one concatenated string instead of literal "+" tokens
        Write-Host ("Password change failed for " + $ssid + " at " + $site)
        }
    }

 

 

Copy and paste the above into text editor, make the necessary changes and save as MerakiPSKTool.ps1

 

to display current PSK for site, use

 

MerakiPSKTool.ps1 -site <sitename> -ssid <SSIDName> -action Display

 

to change psk for site use

 

MerakiPSKTool.ps1 -site <sitename> -ssid <SSIDName> -action Change

 

if no Action value provided it will default to Display

 

Current email body looks like this:

 

The new password for [ssidName] at [SiteName] is

z$ys$63mPX

If you have any problems please contact [ContactName] on [ContactTel] or [ContactEmail]

regards
[Contact]

 

Subject line is New password for guest Wifi

 

 

I'm not a pro programmer so use at own risk, I've had it running now for a good couple of months or so now and it's worked fine since.

 

rgds

Gary

 

Ven
Here to help

Re: Automated password for Guest wireless user

Thanks BrechtSchamp!

I've just gotten started with Python, so this is a great script to use and learn!

I'm working on one that will run multiple remote commands on multiple Cisco wireless controllers. So far, it's very promising.

Conversationalist

Re: Automated password for Guest wireless user

nealgs,

  THANK YOU for the reply.  I am getting an error that I think may be related to the base URL.  I am not sure where I find the orgid?  Can you give me a pointer on that please?

Thanks,

   Steve

Getting noticed

Re: Automated password for Guest wireless user

hi Steve,

 

from your Meraki dashboard, type this url into address bar

 

https://dashboard.meraki.com/api/v0/organizations

 

or even just append your dashboard address to be

 

https://<yourdashboardurl>/api/v0/organizations

 

and press Enter - it should then return some json info:

 

 

 

[{"id":"<yourOrgID>".......

 

 

 

use the value in there for orgid - think it's a 6 digit number, at least ours is 

Getting noticed

Re: Automated password for Guest wireless user

great question!