Is there a way to automate the entire process to a point where it is easier to set up devices galore?
Have you tried CAP mode?
Of course, but that is pretty rudimentary. I have some 50 APs here, and I am aware that I need to lock them up, but the Q is how much... It is a lot of work, so I have to think stuff over in advance.
For example - do I set a firewall? And if I set it, how much to lock stuff up? Same with services. - What is safe to leave, and what to kill? Etc...
Currently I have the following workflow in mind:
1. Reset device to CAP mode
2. Log into device and set Identity manually (important for channel and power setting)
3. Plug in some kind of config through the terminal
4. Done, move on
As for services that I was thinking about leaving on, off:
1. Leave CAP settings, bridge, etc. default
2. Kill: telnet, ftp, www, www-ssl and api, and leave ssh and winbox
3. Kill bw server
4. Leave MAC winbox on (MAC winbox) - I know this might be stupid, but I am thinking of leaving it on because it saved my bacon many times
The idea of leaving on ssh and winbox is that if anyone is about to try and break a 128 char key, be my guest
5. Allow login into router only from wired subnet
6. Create main admin user and backup admin user and pass and delete default admin / END OF SESSION, kicked off, move to another box
I would do the update to the latest ROS over CAPsMAN, with auto upgrade turned on on the CAPs. (I would not set auto updating of the equipment, only over CAPsMAN.)
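One way to turn the checklist in the post above into a repeatable per-AP script, as an added example that is not part of the thread: a small Python generator that renders the RouterOS commands for each CAP from an inventory. The function names, the sample subnet, the user names and the passwords are assumptions made for illustration; the service list is the one given in the post.

```python
import ipaddress
import re

# Services the post turns off; ssh and winbox stay on (names as listed in the post).
DISABLE = ["telnet", "ftp", "www", "www-ssl", "api"]
KEEP = ["ssh", "winbox"]

def render_cap_script(identity, wired_subnet, admins):
    """Return the RouterOS commands for one CAP as a string.

    identity     -- name set in step 2 of the workflow
    wired_subnet -- CIDR allowed to reach ssh/winbox (item 5)
    admins       -- [(name, password), ...]: main and backup admin (item 6)
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,32}", identity):
        raise ValueError(f"unsafe identity: {identity!r}")
    # strict=True rejects typos such as 192.168.88.1/24 (host bits set).
    net = ipaddress.ip_network(wired_subnet, strict=True)
    names = [n for n, _ in admins]
    if len(set(names)) < 2 or "admin" in names:
        raise ValueError("need two distinct admin users, neither named 'admin'")
    for n, pw in admins:
        if not re.fullmatch(r"[A-Za-z0-9_.-]+", n) or any(c in pw for c in '"\\$'):
            raise ValueError(f"user {n!r}: name or password would break quoting")
    lines = [
        f"/system identity set name={identity}",
        f"/ip service disable {','.join(DISABLE)}",
        f"/ip service set {','.join(KEEP)} address={net}",
        "/tool bandwidth-server set enabled=no",
    ]
    # MAC WinBox is left at its default, as in item 4 of the post.
    for n, pw in admins:
        lines.append(f'/user add name={n} group=full password="{pw}"')
    # The default admin is removed last, after the replacements are created.
    lines.append("/user remove admin")
    return "\n".join(lines) + "\n"

def render_fleet(identities, wired_subnet, admins):
    """One script per AP, keyed by identity; duplicate identities are an error."""
    if len(set(identities)) != len(identities):
        raise ValueError("duplicate identity in inventory")
    return {i: render_cap_script(i, wired_subnet, admins) for i in identities}
```

Each rendered script is what would be pasted in step 3 of the workflow; the generated text contains the admin passwords, so it should be handled like any other credential file.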