Whether it’s the departure of an employee or simply company policy, there’s frequently the need to change passwords on PMP450 radios. This isn’t a big deal if you only have a few radios. Simply log into each device and make the changes. There’s really nothing to it until you grow your network to hundreds or thousands of devices. After one round of changing passwords, you’ll quickly decide automating this task is a high priority.
While there are a few ways to automate the task of changing passwords, this post focuses on using configuration import. Here’s how to do it…
Things you’ll need:
- A server to host the configuration file. I prefer a web server, but FTP or TFTP will work just as well.
- A method for sending SNMP SETs to the radios. A simple MIB browser will work for a small number of radios, but a method for sending to all radios will be needed.
- A little guidance from Cambium Networks.
Getting Started:
The first step is to create a configuration file containing the user accounts and passwords. Since PMP450 radios don't require complete configuration files, this becomes quite simple. Create a file that looks something like this...
{
"userParameters": {
"authenticationConfig": {
"accounts": [
{
"userName": "admin",
"level": 3,
"readOnly": false,
"passwordEncrypted": "40b491d60000042f09c7950d27563018"
},
{
"userName": "root",
"level": 3,
"password": "newpassword",
"readOnly": false
}
]
}
},
"swVersion": "CANOPY 14.1.1 SM-DES",
"cfgFileString": "Canopy configuration file",
"cfgFileVersion": "1.0"
}
You'll notice there are sections for each account. Feel free to add or remove accounts. You may set the password with either the "password" (not encrypted) or "passwordEncrypted" attributes. I prefer to use "passwordEncrypted" so the password isn't exposed as plain text.
If you choose to use encrypted passwords in the configuration file, you'll first need to encrypt the password. To do this, log into any radio and go to Configuration->Unit Settings. On this page you'll find a section for encrypting passwords. Simply type the new password into the field and click "Encrypt the password". The radio will show the encrypted version just below where you typed the password.
Copy the output and paste it in the appropriate location of the configuration file.
Hosting the Confugation File:
Now that you've created the configuration file, it's time to put it where the radios can access it. I named my file newpass.cfg and uploaded it to the public folder on my web server. This made is accessible from http://192.168.110.103/public/newpass.cfg. You could certainly use an FTP, TFTP or secure web server. Just change the URL for the appropriate protocol (ie: tftp://, ftp://).
Commanding the Radios to Get the Change:
Now that a configuration file exists on a server, it's time to tell the radios to import the configuration. By setting the "importConfigFile" OID with SNMP, we can tell the radios to immediately import the configuration and apply the changes. The actual OID is 1.3.6.1.4.1.161.19.3.3.3.7.0. I used Ireasoning's free MIB browser to test this. For production, I would create a script to push this OID to every radio on my network.
To see if this was successful, log into the radio. The first indication of success is that you have to use the new password to log in. Should the new password not work, log in using the old password. No go to Configuration->Unit Settings. At the bottom of the page you will see message indicating why the import failed.
My first attempt failed because I didn't add the cfgFileString section in the configuration file I created. Once I corrected that, I successfully performed two password changes.
Conclusion:
Hopefully using this method will save countless hours of logging into radios to change passwords. If it seems a bit too complicated, fear not. cnMaestro, which will support PMP450 radios soon, will have the ability to perform this task using a very nice, simple user interface.