WiFi random password changer

[jskrzypacz]

Hello guys!

I am looking for a specific solution for future wireless network configuration.

The point is - we want to have two WiFi SSIDs - one for employees (let's say: PRODUCTION) and second one for guests (GUEST). The guest network should be protected by password which we want to change everyday. It's not a problem to do it manually but the point is, to have it done automatically.
When a guest comes at DAY1 for a password he can connect to network but on DAY2 there is new password generated and the historical is not active.

I don't even know to look for it in hardware configuration and specification or for some additional software? Any ideas?

Thanks a lot for all your answers

 

[0xBahaa]

The only thing I can think of right now would be to write a script (small program) to automate that. After that, all you gotta do is run the script every morning (or even add it to task scheduler to run at a specific time if one PC/server will be On all the time).
P.S. I can test my skills and try to do it for u if u like

 

[jskrzypacz]

Yeah, script is a solution but I'd like to avoid it if possible. We're looking at Cisco 2504 Wireless Controller and Cisco 1700 Series Access Point but i can't find any infromation concerning this feature.

Maybe we can try another approach - when new user comes to the environment it has to go, for example to the front desk and ask for password. It should be generated at the exact moment by someone from staff. It'd be also nice to configure expiration time for that password (few hours, 2 days etc.).

Another idea - maybe some integration with RADIUS, RSA Device, Token Keys or any other service/device which can generate random password?

 

[bill001g]

Generally this function is done by a external server. You could use anything that will run as a radius server, microsoft ad server can work if you already have one. This would give each user their own ID and password with its own expire time. Almost any AP/Router support WPA2-enterprise mode which uses radius.

The other way to do this is with what is called a captive portal. This is more firewall feature but some router/ap have some support. This is what you see in hotels etc that force you to agree to some terms or put in some information and then allow access. This to requires a server that puts up the web page and then inserts a firewall rule. Some firewall have this ability as a feature. This design has to be used carefully since the end device actually is on the WiFi network even if they do not authenticate with the firewall. They can't get to the internet but they may be able to see other devices they should not.

 

[0xBahaa]

This design has to be used carefully since the end device actually is on the WiFi network even if they do not authenticate with the firewall. They can't get to the internet but they may be able to see other devices they should not.

Exactly. This is another way.
You could make the wifi without a password, or make a fixed password that everyone knows.. but you will be doing the filtration in the next stage. It has the pros of being exactly what you want (you can have session keys and expiration time and quota/bandwidth limiting and stuff), but I'd avoid it if there are any concerns about security (u dont want anyone sniffing around ur guests).

 

[jskrzypacz]

Hello guys,
Thanks for your answers.

So it means, there will be two stages of authentication. First - user just enters the password for guest wifi and then he/she will have to give another credentials on captive portal? But as far as I know someone will have to create/activate some guest account, password and expiration time manually?

Our goal is to implement this solution to work as automatically as possible. Still looking - might be hard task ;<

 

[bill001g]

It depends how you want it to work. Some captive port software pretty much is just a disclaimer that you agree to not do bad things you click yes and you get access for some period of time. The simple one just puts in a rule that says allow mac address xxxxxx access until time yyyyy. What it generally does when the period expires is it brings up the screen and you must agree again.

How you would get it totally automated to generate passwords and then somehow get them to a end users without someone being involved is tough. You would have to get into some fancy system that changes passwords and then send them via text message to the users phone or something. Guest networks are always a risk and there will always be those that try to abuse the usage.....there are tons of posts on these forums asking how to build big antenna so they can get remote access from home.

 

[kanewolf]

There was a thread over at SmallNetBuilder.com on this topic -- http://www.snbforums.com/threads/setting-a-random-password-for-guest-wifi.22700/
And a WIKI on GitHub -- https://github.com/RMerl/asuswrt-merlin/wiki/Setting-a-random-password-for-guest-wifi

This implementation uses specific hardware and second source firmware so it isn't universally applicable but it is an interesting way to go.

 

[Pooneil]

The safest guest network is one on a completely different ISP network. If you get a modest speed DLS line that is separate from the company's main internet service, it will be just as if the guest is on any random DLS line anywhere else. Security is costly, whether it is worth it depends on how much the user needs it.