New Member
Posts: 2
Registered: ‎01-13-2018

AP-AC-Lite: Hotspot, controller, encryption, management VLAN, WPA-PSK key change scheduler

I'm installing multiple AP-AC-Lite devices and having the following questions:

1) Is it possible to use a tagged VLAN for the management network of the access point? The concern is that if someone removes the AP and connects directly to the Ethernet cable, they will get access to the management network without any problem, because the management network VLAN is untagged.

2) Normally the AP initiates the connection to the controller IP; is there any way to make the controller initiate the connection to the AP (the controller is behind NAT and a firewall)?

 

3) If I use hotspot vouchers with the guest portal, which is located on the controller, is it safe enough? I mean that any person can access the PC that is managing the entire network without any authorization, and all the software is running under Java, which requires frequent updates because of security issues.

 

4) By default, if the guest portal (controller) is unavailable, the AP goes to standalone mode and grants access to all guest clients without authorization? Can this be changed only by an SSH connection directly to each AP?

5) If I use hotspot mode, wireless traffic is never encrypted; can anything be done about it?

6) If I use WPA-PSK key authorization, is it possible to make some kind of task scheduler that will change the password every 2 weeks, for example?

 

7) Is there any kind of DHCP protection, so that Wi-Fi clients cannot use static IPs, only ones provided by the DHCP server?

Emerging Member
Posts: 61
Registered: ‎01-05-2018
Kudos: 19
Solutions: 4

Re: AP-AC-Lite: Hotspot, controller, encryption, management VLAN, WPA-PSK key change scheduler

1) Yes. We have our APs on a completely separate VLAN from anything else... in fact, the only other device in that subnet is the Cisco core switch that's acting as DHCP and gateway for that VLAN. I can go more in depth for setting that up on a Cisco network if needed, though I seem to recall seeing the required commands in another post.

 

2) I think you have to have a handful of ports always accessible from the AP's network to the controller at all times (at least inform and STUN, but I think there's 1 or 2 more)

 

3) I'm not sure about the voucher side, but I think the primary security flaws updated in Java tend to be in the web plugins, not locally running services... but I'm occasionally wrong (except in those cases wherein I reject reality and substitute my own. At that point it's the whole of the rest of the universe that's gotten it wrong!)

 

4) I know that this is changeable at the AP level, but I'm not sure if there's a file on the controller that is pushed at adoption that can automate the changes. Worst case, you can prep the file locally and scp it after adoption.

 

5) ???

 

6) https://community.ubnt.com/t5/UniFi-Wireless/Unifi-SSID-Key-Change-Schedule/td-p/1279994

 

7) I'm not sure about your setup, but for my guest network at home, I've set a rather tight subnet for that DHCP scope (/28), and then my filter is set to just drop packets from any host outside that range.

New Member
Posts: 2
Registered: ‎01-13-2018

Re: AP-AC-Lite: Hotspot, controller, encryption, management VLAN, WPA-PSK key change scheduler

1) I mean that the management VLAN is untagged by default and there is no (visible in the controller interface) way to make it tagged. The problem is that if you disconnect the Ethernet cable from the AP and connect it to a notebook, you will get straight into the management network, which is not secure.

3) There is some kind of Java virtual machine, and all the stuff is working under it.

5) In hotspot mode the connection between AP and clients is not encrypted because no WPA keys are provided.

6) So there is no way to do it with only the controller software?

7) But if I manually set an IP from that /28 scope, it will work, right?

Emerging Member
Posts: 61
Registered: ‎01-05-2018
Kudos: 19
Solutions: 4

Re: AP-AC-Lite: Hotspot, controller, encryption, management VLAN, WPA-PSK key change scheduler

1) Only thing I can think of then is port security to only allow the MAC address of that AP to be directly plugged into the switch. Also thinking that there shouldn't be that much physical access to the core infrastructure. Physical access == no security.

 

5) I understood, I just meant that I didn't have a comment on that. Maybe have in your TOS a blurb reminding the user that it's an open network and they have no reasonable assumption of security? Standard CYA kind of thing.

 

6) I would think the controller would still have to be involved in some way since it sets the PSK in the site settings. Otherwise, it would reprovision the APs with the old PSK every time it was brought back online.

 

7) Sure, if the IP is available. I specifically used a smaller scope so that I could set a decent speed for the guest clients (5/1), but not have so many guests that my own LAN traffic lost out. In my experience, the only time static IPs are set is for necessity (admins doing so) or trying to get on when you aren't getting DHCP (admins to fix something, slightly more advanced end user to get around a full scope). If it's the end user doing it b/c the scope is full, they won't get anywhere by virtue of the fact that it'll just create an IP conflict. Further, if it's a network with guest restrictions turned on, and they're abusing their access in that way, you can block them in the controller. Sadly, there's no way to enforce DHCP only for a device you're not the direct (or only) admin of. All you can do is punish those using statics when they're caught.
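As an added illustration (not code from the thread), here is a toy model of the "drop packets from any host outside that range" filter described above, run over constructed sample traffic. It also includes a hypothetical lease-table cross-check to show what the scope filter does and does not catch: a static address inside the /28 passes the scope check, exactly as the follow-up says, and only matching the source IP/MAC pair against the DHCP server's lease table (an extension beyond the filter described here, which the switch or firewall would have to support) would reject it. The scope, MAC addresses, leases and packets are all constructed.

```python
"""Toy model of a "permit only the guest DHCP scope" filter, plus a stricter
hypothetical variant that also checks the DHCP lease table.

Added example; every address, MAC and lease below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: the guest scope, a /28 as in the thread (16 addresses).
GUEST_SCOPE = ipaddress.ip_network("192.168.50.0/28")

# Constructed DHCP lease table (ip -> mac). A real deployment would pull this
# from the DHCP server; it stands in for that here.
LEASES: Dict[str, str] = {
    "192.168.50.2": "aa:bb:cc:00:00:01",
    "192.168.50.3": "aa:bb:cc:00:00:02",
}

# Constructed traffic sample: (source ip, source mac).
SAMPLE_PACKETS: List[Tuple[str, str]] = [
    ("192.168.50.2", "aa:bb:cc:00:00:01"),  # legitimate lease
    ("192.168.50.9", "aa:bb:cc:00:00:99"),  # static IP inside the scope, no lease
    ("192.168.60.5", "aa:bb:cc:00:00:42"),  # static IP outside the scope
    ("10.0.0.7", "aa:bb:cc:00:00:43"),      # static IP on some other range
]


def scope_filter(src_ip: str, scope: ipaddress.IPv4Network = GUEST_SCOPE) -> bool:
    """The poster's rule: permit only if the source address lies inside the scope."""
    try:
        return ipaddress.ip_address(src_ip) in scope
    except ValueError:
        return False  # unparsable source address: drop


def lease_filter(src_ip: str, src_mac: str,
                 leases: Dict[str, str] = LEASES,
                 scope: ipaddress.IPv4Network = GUEST_SCOPE) -> bool:
    """Hypothetical stricter rule: in scope AND the ip/mac pair matches a lease."""
    return scope_filter(src_ip, scope) and leases.get(src_ip) == src_mac.lower()


def classify(packets: List[Tuple[str, str]] = SAMPLE_PACKETS):
    """Return (ip, scope_verdict, lease_verdict) for each sample packet."""
    return [(ip, scope_filter(ip), lease_filter(ip, mac)) for ip, mac in packets]


if __name__ == "__main__":
    for ip, by_scope, by_lease in classify():
        print(f"{ip:15} scope-only={'permit' if by_scope else 'drop':6} "
              f"scope+lease={'permit' if by_lease else 'drop'}")
```

The second sample line is the case the follow-up asks about: a hand-set address inside the /28 sails through the range filter, and only the lease-aware check rejects it.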

Veteran Member
Posts: 4,420
Registered: ‎06-13-2015
Kudos: 1152
Solutions: 203

Re: AP-AC-Lite: Hotspot, controller, encryption, management VLAN, WPA-PSK key change scheduler


Dude97 wrote:

1) I mean that the management VLAN is untagged by default and there is no (visible in the controller interface) way to make it tagged. The problem is that if you disconnect the Ethernet cable from the AP and connect it to a notebook, you will get straight into the management network, which is not secure.

3) There is some kind of Java virtual machine, and all the stuff is working under it.

5) In hotspot mode the connection between AP and clients is not encrypted because no WPA keys are provided.

6) So there is no way to do it with only the controller software?

7) But if I manually set an IP from that /28 scope, it will work, right?


@Dude97

5) not necessarily; a WLAN with guest controls applied can either be open or WPA2 secured

6) not out of the box, but you can script this through the API per my last post in the linked thread. See my signature and this example code: https://github.com/Art-of-WiFi/UniFi-API-client/blob/master/examples/change_wlan_password.php

Art of WiFi
Check out our UniFi API browser tool on GitHub. The PHP API client which it uses can be found here on GitHub.
Details on our UniFi Device Search tool can be found here.
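An added example, not the thread's or Art of WiFi's code: the same scheduled PSK rotation in Python against the controller REST API directly, instead of the linked PHP client. The endpoint layout (POST /api/login, then PUT /api/s/<site>/rest/wlanconf/<wlan_id> with an x_passphrase field) is the one the linked PHP client uses against the classic controller and is assumed here; controller versions differ, so confirm it against yours before scheduling it. The environment variable names and the cron schedule are constructed. Changing the key through the controller rather than on each AP also matches the earlier point that the controller holds the PSK in site settings and would otherwise re-provision the old one.

```python
"""Rotate a WPA2-PSK through the UniFi controller API on a schedule.

Added example. The endpoints are an assumption taken from the linked PHP client
(classic controller): POST /api/login, then PUT /api/s/<site>/rest/wlanconf/<id>.
"""
import http.cookiejar
import json
import os
import secrets
import ssl
import string
import urllib.request
from typing import Dict, Optional

# WPA2 passphrases are 8..63 printable ASCII characters. Letters and digits
# only, minus look-alikes, so the key can be read off a printout without error.
PSK_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "O0Il1"
)


def generate_psk(length: int = 20) -> str:
    """Return a random passphrase drawn from PSK_ALPHABET with the OS CSPRNG."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def build_wlan_update(new_psk: str) -> Dict[str, str]:
    """Request body that changes only the passphrase (field name per the PHP client)."""
    if not (8 <= len(new_psk) <= 63 and new_psk.isascii() and new_psk.isprintable()):
        raise ValueError("invalid WPA2 passphrase")
    return {"x_passphrase": new_psk}


def _json_request(opener, url: str, method: str, body: dict) -> dict:
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method=method,
    )
    with opener.open(req) as resp:
        return json.load(resp)


def rotate_psk(base_url: str, site: str, wlan_id: str, username: str,
               password: str, new_psk: str,
               ssl_context: Optional[ssl.SSLContext] = None) -> dict:
    """Log in to the controller, then PUT the new passphrase onto one WLAN.

    ssl_context should trust the controller's certificate (for example
    ssl.create_default_context(cafile=...)); do not turn verification off.
    """
    jar = http.cookiejar.CookieJar()  # session cookie from /api/login lives here
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(jar),
        urllib.request.HTTPSHandler(context=ssl_context),
    )
    _json_request(opener, f"{base_url}/api/login", "POST",
                  {"username": username, "password": password})
    return _json_request(opener, f"{base_url}/api/s/{site}/rest/wlanconf/{wlan_id}",
                         "PUT", build_wlan_update(new_psk))


if __name__ == "__main__":
    # Constructed wiring for a cron entry such as "0 3 1,15 * *" (twice a month).
    # Credentials and ids come from the environment; the variable names are assumed.
    psk = generate_psk()
    result = rotate_psk(
        os.environ["UNIFI_URL"],  # e.g. https://controller.example:8443 (constructed)
        os.environ.get("UNIFI_SITE", "default"),
        os.environ["UNIFI_WLAN_ID"],
        os.environ["UNIFI_USER"],
        os.environ["UNIFI_PASS"],
        psk,
        ssl.create_default_context(cafile=os.environ.get("UNIFI_CA_FILE")),
    )
    print("controller rc:", result.get("meta", {}).get("rc"), "new PSK:", psk)
```

Run it from a dedicated, least-privilege controller account rather than the main admin, and record the new key somewhere guests can actually get it (the voucher printout or the front desk), since a rotated PSK nobody can find is just an outage. Newer UniFi OS consoles front the same API behind a different path and a CSRF header, which is another reason to verify the endpoints on your own controller first.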