Access to WLAN password #94

Closed
KetchupBomb opened this issue Nov 5, 2021 · 15 comments

@KetchupBomb

KetchupBomb commented Nov 5, 2021

When you load the Unifi Controller > Network web UI, you can navigate to WiFi, load an individual network, and peek at the password in plain text:

[image]

Within the Unifi API Browser, the closest Collection I can find is list wlan configuration, but there is no reference to the WLAN password in the output.

Is there another Collection I should be viewing? Is this field something the Unifi API Browser can gain access to?

@malle-pietje
Collaborator

The key to look for is x_passphrase.

@KetchupBomb
Author

KetchupBomb commented Nov 6, 2021

@malle-pietje, there is no x_passphrase key in the list wlan configuration Collection. Is it in another Collection? The only key in list wlan configuration that has "pass" in its name is radius_macacl_empty_password.

Is this field only accessible through the Unifi API Client?

Edit: The Unifi API Client also doesn't list this field with the ->list_wlanconf() call. I'll keep searching other API Collections, but I think this question needs another answer since x_password isn't seemingly available.

@malle-pietje
Collaborator

@KetchupBomb it should actually be there if the SSID is protected with a WPA2 password/passphrase.

@malle-pietje
Collaborator

malle-pietje commented Nov 6, 2021

@KetchupBomb If this is a password to be entered through the captive portal, you can find it in the guest_access section of the list site settings output.

I personally find the new interface very confusing when it comes to setting up guest networks and always switch to the classic interface to get access to all controls.

@KetchupBomb
Author

@malle-pietje, this is a WPA2 network that I made on the UDM-Pro web UI. It is not associated with any captive or guest portals. And the "x_passphrase" is definitely not present -- both the API Browser web UI, and the API Client do not list this key for any of my WiFi networks.

Is there a PHP recipe I can run to convince you? Is there additional information I can provide to debug why it's not showing when it seems like it should be?

@malle-pietje
Collaborator

No need to convince me 😉 Can you share a screenshot of the list of wireless networks using the classic interface?

malle-pietje reopened this Nov 6, 2021

@malle-pietje
Collaborator

Also, which version of the Network Application are you running and which UDM firmware version?

@KetchupBomb
Author

KetchupBomb commented Nov 6, 2021

UDM-Pro Unifi OS Version: 1.10.4
Unifi Network Version: 6.4.54

The WiFi in question is "Aperture Science" (though they're all configured the same, save the network/VLAN with which they're associated). Images attached.
[three screenshots attached]


Here's the JSON WLAN configuration for Aperture Science in the API Browser (the API Client seems to be very similar, if not exactly the same):

    {
        "_id": "REDACTED",
        "ap_group_ids": [
            "REDACTED"
        ],
        "enabled": true,
        "fast_roaming_enabled": false,
        "hide_ssid": false,
        "name": "Aperture Science",
        "networkconf_id": "REDACTED",
        "pmf_mode": "disabled",
        "usergroup_id": "REDACTED",
        "wlan_band": "both",
        "wpa_enc": "ccmp",
        "wpa3_support": false,
        "wpa3_transition": false,
        "wpa3_fast_roaming": false,
        "wpa3_enhanced_192": false,
        "group_rekey": 0,
        "uapsd_enabled": false,
        "mcastenhance_enabled": false,
        "no2ghz_oui": false,
        "bss_transition": true,
        "proxy_arp": false,
        "l2_isolation": false,
        "b_supported": false,
        "dtim_mode": "default",
        "minrate_ng_enabled": true,
        "minrate_ng_data_rate_kbps": 6000,
        "minrate_ng_advertising_rates": false,
        "minrate_na_enabled": false,
        "minrate_na_data_rate_kbps": 6000,
        "minrate_na_advertising_rates": false,
        "mac_filter_enabled": false,
        "mac_filter_policy": "allow",
        "mac_filter_list": [],
        "radius_mac_auth_enabled": false,
        "radius_macacl_format": "none_lower",
        "security": "wpapsk",
        "wpa_mode": "wpa2",
        "radius_das_enabled": false,
        "site_id": "REDACTED",
        "iapp_enabled": true,
        "auth_cache": false,
        "bc_filter_enabled": false,
        "bc_filter_list": [],
        "country_beacon": false,
        "dpi_enabled": false,
        "element_adopt": false,
        "is_guest": false,
        "p2p": false,
        "p2p_cross_connect": false,
        "radius_macacl_empty_password": false,
        "rrm_enabled": false,
        "sae_groups": [],
        "sae_psk": [],
        "sae_psk_vlan_required": false,
        "schedule": [],
        "schedule_enabled": false,
        "schedule_reversed": false,
        "schedule_with_duration": [],
        "tdls_prohibit": false,
        "vlan_enabled": false,
        "optimize_iot_wifi_connectivity": true,
        "dtim_ng": 1,
        "dtim_na": 3
    }

@malle-pietje
Collaborator

malle-pietje commented Nov 7, 2021

OK, I fired up the UDM PRO in our test lab and can see the password for a newly created SSID using the API Browser tool:

    {
        "_id": "6187d73ff392af04e887cac5",
        "enabled": true,
        "wpa3_support": false,
        "wpa3_transition": false,
        "security": "wpapsk",
        "wep_idx": 1,
        "wpa_mode": "wpa2",
        "wpa_enc": "ccmp",
        "pmf_mode": "disabled",
        "pmf_cipher": "auto",
        "usergroup_id": "6107bdff7fe01f067b62b78e",
        "wlan_band": "both",
        "ap_group_ids": [
            "6107bdff7fe01f067b62b798"
        ],
        "dtim_mode": "default",
        "dtim_ng": 1,
        "dtim_na": 3,
        "minrate_ng_enabled": false,
        "minrate_ng_advertising_rates": false,
        "minrate_ng_data_rate_kbps": 1000,
        "minrate_na_enabled": false,
        "minrate_na_advertising_rates": false,
        "minrate_na_data_rate_kbps": 6000,
        "mac_filter_enabled": false,
        "mac_filter_policy": "allow",
        "mac_filter_list": [],
        "bc_filter_enabled": false,
        "bc_filter_list": [],
        "group_rekey": 3600,
        "hotspot2conf_enabled": false,
        "bss_transition": true,
        "auth_cache": true,
        "schedule_enabled": false,
        "name": "My test WPA SSID",
        "x_passphrase": "dezeisgeheim",
        "networkconf_id": "6107bdff7fe01f067b62b78d",
        "radius_das_enabled": false,
        "site_id": "6107bdf97fe01f067b62b77a",
        "iapp_enabled": true,
        "x_iapp_key": "40c5a28515861cc58685abfe39db3942",
        "optimize_iot_wifi_connectivity": false,
        "dtim_6e": 3,
        "wlan_bands": [
            "2g",
            "5g"
        ]
    }

The SSID was created through the Classic interface like so:
[screenshot]

Versions are:

  • UDM firmware: 1.11.0-16
  • Network Application: 6.5.50

@malle-pietje
Collaborator

The same applies to our software-based controller running version 6.4.54.

@malle-pietje
Collaborator

The only remaining thing I can think of is the permissions of the admin account you're using to connect through the API.

@KetchupBomb
Author

> The only remaining thing I can think of is the permissions of the admin account you're using to connect through the API.

You're right. I set the account to be "View Only" initially. When I switch it to "Administrator" (or "Site Admin"), I am able to see the x_password field. I may have missed documentation that points this out (sorry!). It's strange that this nuance of read vs write permissions causes some fields to display or not. 🤷‍♂️

Thanks for your patience and help.

@malle-pietje
Collaborator

Thanks for the feedback, good to hear. Will add a note to the README for the PHP API client to reflect your findings (not something I’d seen before myself).

@KetchupBomb
Author

@malle-pietje, btw, I bet this is exactly what was happening in Art-of-WiFi/UniFi-API-client#129.

cc @NickDunas

@malle-pietje
Collaborator

Yes, correct. I've added a note on this to the README files for both the API Client and the API Browser. Thanks for your help with this!
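
An added example, not part of the original thread or the project's own code: a check over saved `list wlan configuration` JSON that reports whether the API account was shown secret fields (the View Only versus Administrator difference found above) and redacts them before the output is shared. The sample records are constructed from the two JSON blocks in this thread, and treating every `x_`-prefixed key as secret is an assumption drawn from `x_passphrase` and `x_iapp_key`.

```python
import json

# Constructed sample: two records trimmed from the JSON posted in this thread.
SAMPLE = json.loads("""
[
  {"name": "Aperture Science", "security": "wpapsk", "wpa_mode": "wpa2",
   "radius_macacl_empty_password": false},
  {"name": "My test WPA SSID", "security": "wpapsk", "wpa_mode": "wpa2",
   "x_passphrase": "dezeisgeheim",
   "x_iapp_key": "40c5a28515861cc58685abfe39db3942"}
]
""")

SECRET_PREFIX = "x_"  # assumption: based on x_passphrase and x_iapp_key above


def secret_keys(record):
    """Return the sorted names of secret-bearing keys present in one record."""
    return sorted(k for k in record if k.startswith(SECRET_PREFIX))


def audit(records):
    """Map each SSID name to a finding about what the API account was shown."""
    findings = {}
    for rec in records:
        name = rec.get("name", "<unnamed>")
        exposed = secret_keys(rec)
        if exposed:
            findings[name] = "secrets returned: " + ", ".join(exposed)
        elif rec.get("security") == "wpapsk":
            # PSK network without x_passphrase: what the thread saw with a
            # "View Only" account.
            findings[name] = "PSK network, passphrase withheld"
        else:
            findings[name] = "no secret fields"
    return findings


def redact(records):
    """Copy the records with every secret value replaced, safe to paste."""
    return [{k: ("REDACTED" if k.startswith(SECRET_PREFIX) else v)
             for k, v in rec.items()} for rec in records]


if __name__ == "__main__":
    for ssid, finding in audit(SAMPLE).items():
        print(f"{ssid}: {finding}")
    print(json.dumps(redact(SAMPLE), indent=2))
```

Running `audit` against output fetched with a monitoring account confirms that the account is not being handed passphrases it does not need.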
