Hi, I have two RB532s with R54H PCI cards and my question is… I have created a file with random WPA keys like “OGNERKSZGL”… for a whole year (365 keys)… how can I make MikroTik change the WPA key of the AP every day?
Thank you in advance!!
It’s probably going to be better if you use a random password generator, such as those in this topic (e.g. the one that’s entirely self-sufficient in the router).
But if you insist on having the passwords pre-generated…
I suggest you write them out as a global variable, perhaps one that’s auto-imported on startup (to make sure it’s all OK in case of power failure). Then also have a secondary variable that starts at 0 and is incremented daily, after the password is changed to the one indicated.
In other words, run the following:
/file print file="pass.txt";
/file set "pass.txt" contents="0";
:delay 2s;
/system scheduler add name=REGISTER_WPA start-time=startup on-event={
    :global wpaPasswords ({
        "OGNERKSZGL";
        "LGZSKRNGO";
        ...
    });
    :global wpaPassword [:tonum [/file get "pass.txt" contents]];
};
/system scheduler add name=CHANGE_WPA interval=1d on-event={
    # globals must be declared in every script that reads or writes them
    :global wpaPasswords;
    :global wpaPassword;
    :local newPassword [:pick $wpaPasswords $wpaPassword];
    /interface wireless security-profiles set "default" wpa-pre-shared-key="$newPassword" wpa2-pre-shared-key="$newPassword";
    :set wpaPassword ($wpaPassword + 1);
    :if ($wpaPassword >= [:len $wpaPasswords]) do={
        :set wpaPassword 0;
    }
    /file set "pass.txt" contents="$wpaPassword";
};
And reboot your router (or “manually” run REGISTER_WPA).
This will be a lot more efficient than the alternative you’re proposing. If you were to parse an entire file, then every day, the script would take quite a while, and will probably peak your CPU during the time of the password change. The approach above only has a more serious impact on startup (which presumably will happen rarely, since this is a router), after which it’s as efficient as the “post parsing” phase of the alternative. The whole “parsing” part is the heavy thing that’s eliminated here.
Hi, thank you so much for your reply. I said a pre-generated password list for that: I load the lists on all client bridges (with OpenWrt) and pre-generate on the MikroTiks… then they change to the same password every day, that is my idea…
Do you have any idea how to make this? Change the WPA2 password every day (to avoid unwanted “hackers”) and update the password on all client routers?
I am thinking of this security and adding PPPoE (I think these two make my WISP “un-violable”)
Thanks in advance!!
Hi, my idea is to make a rotating WPA password… on the clients I have routers with OpenWrt and the AP is a MikroTik RB
Do you know any way to generate a key and send it to all client routers (OpenWrt installed)?
Or with a password database on all APs and clients, and get a password for each day?
I saw an idea on a DD-WRT forum, but it’s for DD-WRT; I think the code will be valid for OpenWrt but I don’t know how to fix it on MikroTik
I hope you can help me
Thanks!!
I forgot to put the link for DD-WRT rotating password manual (not mine) http://goo.gl/k7G1m5
Regards!!
You could perhaps make all APs connect to a RADIUS server, and just change the password on the RADIUS server once a day.
(In most routers, I think OpenWRT included, this is what the “WPA Enterprise” thing means)
Distributing (or even having) pre-generated passwords is a potential security problem, because if an attacker gets a hold of ONE of your routers, they know all of your current AND future passwords. If you distribute the same list, they’d know your passwords for ALL of your routers, making the damage of an intrusion even higher.
If you have a RADIUS server, then if an individual router is hacked, an attacker won’t learn a thing, other than the location (IP and port) of your RADIUS server. They could only get access to the other routers if they hack the RADIUS server itself. And even if they do get read access to the RADIUS server’s file system (and thus learn your current password), if you generate a new password on the fly, they wouldn’t know your future passwords, unless they can get read access to the RADIUS server again (at which point, you have a bigger problem than a single router having been hacked…).
The downside of having a RADIUS server is that it’s a single point of failure - if it goes down, all routers go down. Sure, you can set up multiple RADIUS servers, and make routers fall back to them, but the point is you need an additional device to be online for the router itself to become online.
One alternative that doesn’t have this downside is one mentioned in the topic I linked to above - a single server with an API application. The API application will daily generate a new password, and change all routers to have that new password. The API application doesn’t need to be online for the routers to connect to the internet. It just needs to be online when it’s modifying the password. Worst case scenario is that all of your routers will keep their password since the last modification.
The downside of THAT approach is that it requires all involved routers to run RouterOS, so OpenWRT or DD-WRT won’t work here. Also, the device where the API application runs needs to be able to access the individual routers. If they’re behind a NAT, this creates a problem. To solve it, you can set up a VPN server, and make all routers and the API application be VPN clients.
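As an added example (not code from this thread), here is the server-side “API application” from the post above in Python: it generates today’s PSK from the OS CSPRNG at run time, so no list of future passwords exists anywhere, and pushes it to each RouterOS AP over the API on port 8728 after looking up the security profile’s .id. The AP addresses, the API user and the RouterOS 6.43+ plain-text login are assumptions; the profile name “default” is the one used in the thread.

```python
import secrets
import socket
import string

API_PORT = 8728  # RouterOS API default port (8729 is the TLS variant)
ALPHABET = string.ascii_letters + string.digits

def generate_psk(length=20):
    """Fresh PSK from the OS CSPRNG: there is no stored list for an attacker to copy."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def encode_length(n):
    """Word-length prefix; the 1- and 2-byte protocol forms cover every word used here."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    raise ValueError("word too long for this minimal client")

def encode_sentence(words):
    """A sentence is length-prefixed words terminated by a zero-length word."""
    return b"".join(encode_length(len(w.encode())) + w.encode() for w in words) + b"\x00"

def read_sentence(rx):
    """Read one reply sentence from a binary stream (1- and 2-byte lengths only)."""
    words = []
    while True:
        first = rx.read(1)[0]
        n = first if first < 0x80 else ((first & 0x3F) << 8) | rx.read(1)[0]
        if n == 0:
            return words
        words.append(rx.read(n).decode())

def rotate_psk(host, user, password, psk, profile="default"):
    """Log in (6.43+ plain login), find the profile's .id, then set both WPA and WPA2 keys."""
    with socket.create_connection((host, API_PORT), timeout=10) as sock:
        rx = sock.makefile("rb")
        sock.sendall(encode_sentence(["/login", f"=name={user}", f"=password={password}"]))
        if read_sentence(rx)[0] != "!done":  # a failed login answers !trap, then !done
            raise RuntimeError(f"{host}: login failed")
        sock.sendall(encode_sentence(["/interface/wireless/security-profiles/print",
                                      f"?name={profile}", "=.proplist=.id"]))
        prof_id = None
        while (reply := read_sentence(rx))[0] != "!done":  # each !re carries "=.id=*N"
            prof_id = next((w[5:] for w in reply if w.startswith("=.id=")), prof_id)
        if prof_id is None:
            raise RuntimeError(f"{host}: security profile {profile!r} not found")
        sock.sendall(encode_sentence(["/interface/wireless/security-profiles/set",
                                      f"=.id={prof_id}", f"=wpa-pre-shared-key={psk}",
                                      f"=wpa2-pre-shared-key={psk}"]))
        return read_sentence(rx)[0] == "!done"
```

Run it once a day from cron with a single `generate_psk()` result passed to `rotate_psk()` for every AP, so all of them get the same fresh key; use the TLS port and a dedicated API user rather than admin in production.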