MikroTik CAPsMAN and CAP Basic Configuration

Centralised access points deployment and management are very common nowadays. The most common implementation in SoHo is UniFi where we host the controller in VM or Cloud Key. Recently I was working on a project where I needed to deploy a few access points and was looking for centralised deployment and management features for Mikrotik Access Points. Come to know about CAPsMAN. Controlled Access Point system Manager (CAPsMAN) allows applying wireless settings to multiple MikroTik AP devices from a central configuration interface. It was a pretty cool technique with lots of features. 

For details please check: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=1409149

The following configurations to configure CAPsMAN and how can we hook the Mikrotik AP with that. 

A. Configure CAPsMAN in Router:

First create datapath and security:

/caps-man datapath
add bridge=bridge1 local-forwarding=no name=datapath
/caps-man security
add authentication-types=wpa-psk,wpa2-psk encryption=aes-ccm name=security \
    passphrase="RandomPa$$word"

Next create configuration for SSID. I am creating two different SSID. One for 2.4GHz and one for 5GHz

/caps-man configuration
add country=australia datapath=datapath datapath.bridge=bridge1 mode=ap name=\
    configuration2GHZ security=security ssid="MY WiFi-2"
add channel="5Ghz-a/n/ac 5180/20" country=australia datapath=datapath \
    datapath.bridge=bridge1 mode=ap name=configuration5GHZ security=security \
    ssid="MY WiFi-5"

Create the provisioning profile

/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
    configuration2GHZ name-format=prefix-identity name-prefix=2.4g
add action=create-dynamic-enabled hw-supported-modes=an master-configuration=\
    configuration5GHZ name-format=prefix-identity name-prefix=5g

Continue reading →

Python Script – Credentials stored in Hashicorp Vault

Tags

API Key, Hashicorp Vault, python, Python Client for Hashicorp Vault, scripting

In previous post [How to hide Password / API Key in Python Script] I have used “keyring” to store API Key for Python script. We can also use Hashicorp Vault to store those credentials. There is python module named hvac (Python Client for Hashicorp Vault) which can be used to retrieve API key/Credentials from the vault.

First we need to make sure Vault is working properly and we have our API key stored in the vault. In this example I have stored my Meraki API key:

root@lxd-home:/home/fakrul# vault kv get secret/meraki
====== Metadata ======
Key Value
--- -----
created_time 2020-06-05T15:13:18.320931138Z
deletion_time n/a
destroyed false
version 1
========== Data ==========
Key Value
--- -----
MERAKI_API_VALUE de300b8b9xxxxxxxxxxxxxxxxxxxxxxxxx40fb4391c

Now install python havc module

python3 -m pip hvac

Finally we modify our python script accordingly

import requests
import hvac

client = hvac.Client(url='http://192.168.99.252:8200')
read_response = client.secrets.kv.read_secret_version(path='meraki')

MERAKI_API_KEY = 'X-Cisco-Meraki-API-Key'
ORG_ID='123456'
MERAKI_API_VALUE = read_response['data']['data']['MERAKI_API_VALUE']

url = 'https://api.meraki.com/api/v0/organizations/{}/inventory'.format(ORG_ID)

response = requests.get(url=url,
           headers={MERAKI_API_KEY : MERAKI_API_VALUE,
                   'Content-type': 'application/json'})

switch_list = response.json()

switch_serial = []
for i in switch_list:
    if i['model'][:2] in ('MS') and i['networkId'] is not None:
    switch_serial.append(i['serial'])

print(switch_serial)

How to hide Password / API Key in Python Script

Tags

automation, keyring, python

It’s common to use Python script for device configuration, backup or automation. And to do that we usually put credentials, API Key in the script itself. It creates a whole lot of problem with sharing scripts with others; store/share it public repository. There are few options to overcome the issue like storing credentials, API Key’s in separate file and not share that file with others. We can also use “keyring” which will store the password in operating system’s credential store.

The keyring package is a library designed to let you access your operating system’s credential store. In summary, it let us to store and retrieve passwords in operating system, which allows you to avoid having a password in plaintext in the script.

“keyring” is by default installed in our linux operating system. We need to install related python modules only. To check keyring installation try “keyring --help” or “keyring --list-backends” for list of supported backends. The common one is to use

keyrings.cryptfile - Encrypted text file storage.

Now install the keyring and keyrings.cryptfile python module. I am using python3

pip3 install keyring
pip3 install keyrings.cryptfile

We can use keyring set command to store the credentials and keyring get command to retrieve it. Lets store some credential and API key

keyring set meraki MERAKI_API_VALUE
keyring set meraki ORG_ID

Continue reading →

LXD containers get IP addresses from LAN DHCP Server

Tags

lxc, lxc profile, lxd

By default, all containers run hidden in a private network on the host. The containers are not accessible from the local network, nor from the Internet. However, they have network access to the Internet through the host.

It would be great to have LXC containers getting from local DHCP server so that anyone from the network can connect to the container.

1. First we will create a bridge interface and add our physical interface (in the example it’s enp1s0) to the bridge:

sudo vi /etc/netplan/00-installer-config.yaml

network:
  version: 2
  renderer: networkd

  ethernets:
    enp1s0:
      dhcp4: false
      dhcp6: false

  bridges:
    bridge0:
      interfaces: [enp1s0]
      addresses: [192.168.99.252/24]
      gateway4: 192.168.99.1
      nameservers:
        addresses:
          - 1.1.1.1
          - 8.8.8.8
      parameters:
        stp: true
        forward-delay: 4
      dhcp4: no

Next apply the config

sudo netplan apply

Continue reading →

cloud-init: Automatically import your public SSH keys into LXD Instances

Tags

automation, cloud-init, lxc, lxc profile, lxd, SSH, ssh-key, ubuntu, YAML

While provisioning LXD instance; we can define post deployment task using cloud-init. This will help us to import your public SSH keys, add new user, update packages and install new packages if required. To do that we use lxc profile.

First check what lxc profile you have. There should be one default profile.

# lxc profile list

Copy default profile and create new one

# lxc profile copy default production

Edit newly created profile

# lxc profile edit production

Use the following configuration. This is YAML file and for better formatting please download it from here

Continue reading →