Guest Wifi, changes Password daily, updates dumb APs

Hello,
In a network I have several "dumb" APs that have a Guest-WiFi. The task was to change the password daily. To be able to hand out the password to guests, a very simple internal site is generated, and this site can be accessed from the internal network (=Owners-Wifi).

Usage:

  • Guest approaches owner and asks for Guest-Wifi access
  • Owner is always authenticated to his internal network (=completely different ESSID & credentials) and can access the site http://maindevice.lan/guest.html. Owner shows and/or prints the QR code to/for the guest.
  • Guest can use the handed credentials of the Guest-Wifi until a new password is generated.

Details:

  • The QR / Password page is also accessible over the insecure http:// protocol in order to avoid confusion and issues with self-signed certificates. The page is made accessible exclusively from the "internal" owner's WiFi.

Contents of script /etc/config/GaesteWLAN/script.sh to generate new password:

#!/bin/bash

ZUFALLSWOERTER="$(cat /etc/config/GaesteWLAN/Woerter.txt)"

#busybox shell does not have regular arrays, but positional arguments work
set -- $ZUFALLSWOERTER

DAS_ZUFALLSWORT="$(cat /dev/urandom | tr -dc "A-Za-z0-9" | head -c8)"

#add one or up to five words from the word-list
for i in $(seq 1 5); do
	ZUFALLSZAHL=$(cat /dev/urandom | tr -dc 0-9 | head -c3 | sed -e "s/^0*\([0-9]*$\)/\1/" -e "s/^$/0/")
	DER_INDEX=$(($ZUFALLSZAHL % $#))
	shift $DER_INDEX
	DAS_ZUFALLSWORT="$DAS_ZUFALLSWORT $1"
done

DAS_ZUFALLSWORT="$(echo "$DAS_ZUFALLSWORT" | xargs -n1 | sort -u | xargs | sed -e 's/\ /-/g')"

logger -t "Generated new guest-password is: " "$DAS_ZUFALLSWORT"

DIE_SSID="Gaestenetz"

# WIFI:S:<SSID>;T:<WPA|WEP|>;P:<password>;;
qrencode -t SVG -o /www/qr.svg --dpi 50 "WIFI:S:${DIE_SSID};T:WPA;P:${DAS_ZUFALLSWORT};;"

#Generate webpage
OUTPUT="/www/guest.html"
cat << 'EOM' > $OUTPUT
<!DOCTYPE html>
<html lang="de">
<head>
	<meta charset="utf-8">
	<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
	<title>🦄 Dein Titel 🐴</title>
	<style>
		h1,#QR,p {
			text-align: center
		}
		#QR {
			box-shadow: 0 10px 90px #00000024;
		}
		body {
			border: 5px solid transparent;
			border-image: linear-gradient(to bottom right, #b827fc 0%, #2c90fc 25%, #b8fd33 50%, #fec837 75%, #fd1892 100%);
			border-image-slice: 1;
			background:
				radial-gradient(black 15%, transparent 16%) 0 0,
				radial-gradient(black 15%, transparent 16%) 8px 8px,
				radial-gradient(rgba(255,255,255,.1) 15%, transparent 20%) 0 1px,
				radial-gradient(rgba(255,255,255,.1) 15%, transparent 20%) 8px 9px;
				background-color:#282828;
				background-size:16px 16px;
		}
		#card {
			padding: 10%;
			background-color: white;
		}
	</style>
</head>
<body>
	<div id="card">
		<h1>🦄 {SSID} 🐴</h1>
		<div id="QR">
			<object data="qr.svg" type="image/svg+xml">
				<p>QR Code fehlt leider</p>
			</object>
		</div>
		<p>WLAN Passwort: {PASSWORT}</p>
		<p>Datum: {DATUM}</p>
	</div>
</body>
</html>
EOM

#adjust the template above
sed -i -e "s/{SSID}/$DIE_SSID/g" -e "s/{PASSWORT}/$DAS_ZUFALLSWORT/g" -e "s/{DATUM}/$(date)/g" $OUTPUT

#Update the Password for each DumbAP in our network
for host in "DumbAP1.lan" "DumbAP2.lan" "DumbAP3.lan"; do
	IFACES="$(ssh root@$host 'uci show wireless' | grep \.ssid=\'$DIE_SSID\' | sed -e "s/.*\.\(.*\)\..*/\1/" | xargs)" || continue

	for i in $IFACES; do
		ssh root@$host "uci set wireless.$i.key=\"$DAS_ZUFALLSWORT\" && uci commit wireless && wifi reload" || continue 2
	done
done

To generate longer passwords that are still simple enough for humans to enter manually, the generated short password is lengthened by a varying number of words from a word-list /etc/config/GaesteWLAN/Woerter.txt. Here is a shortened example. Make a similar, but longer list based on your words:

WIFI
WLAN
Wetter
Huehnchen
Lecker
Blau
Zaun
Traenke
Baum
Essen
Schubkarre
Zuegel
Zaumzeug
Tor
Stein
Weg
Blatt
Gruen
Pink
Nase
Auge
Brille

Further steps:

  • Adjust the script.sh to your needs. Especially the SSID and names of the "DumbAP*.lan" need to be adjusted. The script above assumes there are only three Dumb-APs and iterates through those.
  • The script needs to be able to SSH-access the DumbAPs without being prompted for a password. To make that work, use dropbearkey to generate an internal/public key for the device where the script is running. Copy the public-key to the DumbAPs.
  • On the DumbAPs you need to configure the GuestWifi manually for the first time. You can use LuCI or uci to configure it. The script searches for precisely the ESSID at the DumbAP and only changes the password of each VAP with that ESSID.
  • Configure cron to execute the script. I recommend running it daily at night-time.

Have fun!

5 Likes
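
Added example, not part of the original post: pre-flight checks for the generated key before it is written into the QR code and pushed to the APs. A WPA passphrase must be 8 to 63 printable ASCII characters, the `WIFI:` QR payload needs `\ ; , : "` backslash-escaped, and a longer word-list can push the key past 63 characters. The function names are hypothetical and the sample SSID and key are constructed.

```shell
#!/bin/sh
# Added example (not the post's script): checks to run before pushing a key.

# WPA passphrase: 8..63 printable ASCII characters.
psk_is_valid() {
	# Count the bytes left after deleting printable ASCII; any leftover is illegal.
	[ "$(printf '%s' "$1" | LC_ALL=C tr -d ' -~' | wc -c)" -eq 0 ] || return 1
	[ "${#1}" -ge 8 ] && [ "${#1}" -le 63 ]
}

# Backslash-escape the characters that are special inside a WIFI: QR payload.
wifi_escape() {
	printf '%s' "$1" | sed -e 's/[\\;,:"]/\\&/g'
}

# Print the QR payload, or fail without output if the key is not usable.
# $1 = SSID, $2 = passphrase
wifi_qr_payload() {
	psk_is_valid "$2" || return 1
	printf 'WIFI:S:%s;T:WPA;P:%s;;\n' "$(wifi_escape "$1")" "$(wifi_escape "$2")"
}

# Upper bound on the key length the generator can produce from a word-list:
# 8 random characters plus up to 5 words, each joined with "-".
# $1 = path to the word-list (whitespace-separated words)
max_key_len() {
	awk '{ for (i = 1; i <= NF; i++) if (length($i) > m) m = length($i) }
	     END { print 8 + 5 * (m + 1) }' "$1"
}

# Constructed sample values, not real credentials.
wifi_qr_payload "Gaestenetz" "aB3dE9xZ-Baum-Zaun"
```

With the shortened word-list above, the longest word has 10 characters, so `max_key_len` reports exactly 63; adding any longer word to the list means a generated key can exceed the limit.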