Adding Read-Only Credentials To Ubiquiti APs and CPEs

There are two cases where Preseem requires HTTP login credentials for Ubiquiti APs / CPEs:

  1. To properly map subscribers to the network topology (Tower / AP) when the CPE is running in bridge mode
  2. When the Preseem Plus tier functionality is enabled

In both of these cases, HTTP credentials are needed because the required information is not accessible through SNMP.

What type of HTTP credentials are required?

Preseem only requires a read-only credential to log in to the AP or CPE directly. 

Preseem can use an admin credential; however, we recommend adding a read-only credential. By default, there is no read-only credential added to Ubiquiti APs.

How do I add a read-only credential to a Ubiquiti AP / CPE?

You can add credentials to your Ubiquiti AP in one of two ways:

  1. Manually by logging in to the AP and creating or enabling a read-only admin account
  2. Using the "enable read-only user" script that Preseem has created to assist with this task

How do I get and use the Enable Read Only User script?

The enable_ubnt_rouser script is provided on an as-is-where-is basis.  Preseem makes no warranties and does not support this script beyond the following instructions.  We suggest you test this script before using it at scale to ensure that it accomplishes the task intended in your environment.

Download the script

To make this easier for networks that do not already have a read-only user set up on their Ubiquiti radios, we have developed a script to automate the process.

The script is linked here: https://static.preseem.com/tools/enable_ubnt_rouser

Input file

This script takes a space-separated input file in which each line contains the following information for one radio that the read-only user should be created on.

management_ip admin_username admin_password

This is the information the script needs to log in to the radio.

For example:

192.168.1.200 admin my-admin-password
192.168.1.201 admin my-admin-password
192.168.1.254 ubnt @d31n!
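
As an added example (not part of Preseem's script or documentation), the following Python check validates an input file in the format described above before it is handed to the script. It assumes exactly three whitespace-separated fields per line and that the file, which holds admin passwords in clear text, should be accessible only to its owner; the function names are hypothetical.

```python
import ipaddress
import os
import stat
import tempfile


def check_radio_file(path):
    """Return a list of problems found in a radio input file (empty list = OK)."""
    problems = []
    # The file holds admin passwords in clear text: only the owner should have access.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"file mode {mode:04o} grants access to group/other; use chmod 600")
    seen = set()
    with open(path, encoding="utf-8") as fh:
        for lineno, line in enumerate(fh, start=1):
            if not line.strip():
                continue  # ignore blank lines
            fields = line.split()
            # Assumption: exactly three fields, so a password with a space is reported.
            if len(fields) != 3:
                problems.append(f"line {lineno}: expected 3 fields, found {len(fields)}")
                continue
            ip = fields[0]
            try:
                ipaddress.ip_address(ip)
            except ValueError:
                problems.append(f"line {lineno}: invalid management IP {ip!r}")
                continue
            if ip in seen:
                problems.append(f"line {lineno}: duplicate management IP {ip}")
            seen.add(ip)
    return problems  # messages never include the username or password fields


def write_sample(text, mode):
    """Write constructed sample data to a temporary file with the given mode."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # Constructed sample: one good line, a password with a space, a bad IP.
    sample = "192.168.1.200 admin my-admin-password\n192.168.1.201 admin my pass\n192.168.1.300 ubnt x\n"
    for problem in check_radio_file(write_sample(sample, 0o644)):
        print(problem)
```
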

Executing the script:


The script is invoked like this:

./enable_ro_user {inputfilename} {readonly_username} {readonly_password}

Where

{inputfilename}: the name of the input file that contains the management IP, admin account, and password for each of the radios (AP/CPE)

{readonly_username} and {readonly_password}: the read-only username and password that you wish to create on each of the APs/CPEs listed in the input file

For example:

./enable_ro_user /tmp/radios preseem 9r3533m!

The script will go through each radio, try to SSH into it with the administrative username and password, and create the read-only username and password. This should be a hitless operation; no reboot will be done, and the change will be persistent.