Change AP password without disconnecting clients

Hi,

I have multiple SSIDs on the same radio: one is for "private" use and the other is for guests.

Guest network does not have access to the LAN.

I currently have a static password for the guest WIFI network.

I want the password to change every X hours. I tried doing it with a cron job as a POC and it does work.

The main problem is reloading the wifi config from disk causes all clients to disconnect (same as changing it via LuCI).

This behavior is understandable but really undesirable.

Is there a way to reload the WiFi config from disk without client disconnection?

Of course, clients that are actively connected to the guest SSID with the old password won't be able to reconnect, but clients from the "internal" SSID are also getting disconnected.

Thanks in advance.

You can try

# wifi reload

I seem to remember, and a quick test seems to confirm, that it only restarts wifi interface devices with interfaces that changed configuration.

# wifi reload <wifi_interface_name>

That being said, changing passwords "every few hours" may be a bit excessive. Changing it once a day may be sufficient, and then you can put that change into the wee hours when no guest is connected/using the wifi anyway.
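
The scheduled rotation discussed in this thread, written out as an added example that is not part of any post and not OpenWrt's own code. The section name `guest_ap`, the file `/tmp/guest_psk` and the script path in the cron line are assumptions.

```sh
#!/bin/sh
# Added example: rotate the guest WPA2 passphrase through UCI.
# GUEST_SECTION and PSK_FILE are hypothetical names; adjust to your config.
GUEST_SECTION="${GUEST_SECTION:-guest_ap}"   # assumed named wifi-iface section
PSK_FILE="${PSK_FILE:-/tmp/guest_psk}"       # assumed place to publish the key
PSK_LEN="${PSK_LEN:-16}"

# A WPA2 passphrase is 8..63 characters; this script emits alphanumerics only.
valid_psk() {
    case "$1" in
        *[!A-Za-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# Print a random alphanumeric string of exactly $1 characters.
gen_psk() {
    len="$1"
    psk=""
    while [ "${#psk}" -lt "$len" ]; do
        psk="$psk$(head -c 128 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')"
    done
    printf '%s\n' "$psk" | cut -c "1-$len"
}

rotate_guest_psk() {
    new="$(gen_psk "$PSK_LEN")"
    valid_psk "$new" || { echo "generated key rejected" >&2; return 1; }
    # Only touch an existing wifi-iface section, never create one by typo.
    [ "$(uci -q get "wireless.$GUEST_SECTION")" = "wifi-iface" ] || {
        echo "no wifi-iface section '$GUEST_SECTION'" >&2; return 1; }
    uci set "wireless.$GUEST_SECTION.key=$new" || return 1
    uci commit wireless || return 1
    # Publish the key for whoever hands it to guests, readable by root only.
    ( umask 077; printf '%s\n' "$new" > "$PSK_FILE" ) || return 1
    # Per the thread, this restarts every SSID on the same radio.
    wifi reload
}

# Cron entry for a daily 04:00 rotation (script path is hypothetical):
#   0 4 * * * /usr/local/sbin/rotate-guest-psk.sh --rotate
if [ "${1:-}" = "--rotate" ]; then
    rotate_guest_psk
fi
```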

Thanks for your answer.

Both reload and reload with the interface name cause a full restart and all clients disconnect.

Calling wifi reload when there are no changes does nothing and no clients get disconnected.

Taking a look at wifi, all reconfiguration of hostapd is ultimately handled by ubus, which in turn takes down the interface device and brings it back up with the new configuration. I'm a bit out of my depth there; most especially, I'm not familiar enough with hostapd, so I can't tell if there is a way of directly setting a single parameter. It may well be that configurations cannot be changed without taking down the interface device and bringing it back up, dropping all clients in the process.

There's of course always another option, albeit a much more involved one: use a RADIUS server to authenticate a connection.

Could perhaps removing and re-adding the SSID be an option?

Thanks for your answer.

If you mean removing the "config wifi-iface" section from the file and calling reload, no, it does not change the behavior and clients get disconnected.

There's no way to change the WiFi password without clients disconnecting, as you're changing the encryption key.

Or do you mean the issue is with the non-guest network disconnecting too?

Yes, the issue is that other SSID clients (aka non-guest) also get disconnected, even when there are no changes over there.

I guess the hostapd process is recycled, so all gets shut down; still hoping for a solution/workaround...

After some experimentation/observation, if one interface is reloaded because of changes, the whole device it is on needs to be restarted, including all the other interfaces on the device.

You could mitigate that by having the main network on the 5GHz device and the guest network on the 2.4GHz device (how much speed do guests need anyway?). This way the restart of your guest interface does not restart the main interface.

Have you tried using RADIUS authentication for the guest network instead of a shared key, if that would help in your use case?

I am vaguely familiar with RADIUS authentication, but if there is a "simple" solution for an "external" password server/service, I would be happy to get some quick pointers (like the server will read the password from a simple file that I would change from time to time by cron script).