Backup and Restore

Protecting your IronWiFi configuration ensures you can recover quickly from accidental changes, account issues, or compliance requirements. This guide covers what to back up, how to automate exports, restore procedures, and rollback strategies.

What to Back Up

IronWiFi is a cloud service -- your user data and configuration are stored on IronWiFi's infrastructure. However, maintaining your own backups provides:

Protection against accidental deletions -- Recover users or groups deleted by mistake
Configuration rollback -- Revert policy changes that cause problems
Compliance documentation -- Maintain historical records of your RADIUS configuration
Disaster recovery -- Recreate your setup if needed

Backup inventory

Data	Backup Method	Priority
Users (accounts, attributes)	API export	High
Groups (policies, attributes)	API export	High
Network settings (IPs, ports, secrets)	Manual documentation	High
Captive portal configuration	Manual documentation + API	Medium
Voucher batches	API export	Medium
Access point RADIUS settings	Network management tool	High
Identity provider integration settings	Manual documentation	Medium

Manual Backup via Console

For quick, one-time backups of smaller deployments:

Documenting Network settings

Navigate to Networks in the IronWiFi Console
For each Network, record:
- Network name and region
- Primary and backup RADIUS server IPs
- Authentication and accounting ports
- Shared secret

Store these details in a secure location (password manager or encrypted document).

Exporting user data

Navigate to Users
Use the export function to download user data
Save the exported file with a date-stamped filename

Documenting Group policies

Navigate to Users > Groups
For each Group, record:
- Group name and description
- Check attributes and their values
- Reply attributes and their values

Automated Backup via API

For production deployments, automate backups using the REST API.

Backup script

#!/bin/bash
# IronWiFi Configuration Backup Script
# Schedule with cron: 0 2 * * 0 /path/to/ironwifi-backup.sh

API_KEY="YOUR_API_KEY"
BASE_URL="https://console.ironwifi.com/api"
BACKUP_DIR="/backups/ironwifi"
DATE=$(date +%Y-%m-%d)
BACKUP_PATH="${BACKUP_DIR}/${DATE}"

mkdir -p "${BACKUP_PATH}"

# Export users
curl -s -X GET "${BASE_URL}/users" \
  -H "Authorization: Bearer ${API_KEY}" \
  -o "${BACKUP_PATH}/users.json"

# Export groups
curl -s -X GET "${BASE_URL}/groups" \
  -H "Authorization: Bearer ${API_KEY}" \
  -o "${BACKUP_PATH}/groups.json"

# Export vouchers
curl -s -X GET "${BASE_URL}/vouchers" \
  -H "Authorization: Bearer ${API_KEY}" \
  -o "${BACKUP_PATH}/vouchers.json"

# Export networks
curl -s -X GET "${BASE_URL}/networks" \
  -H "Authorization: Bearer ${API_KEY}" \
  -o "${BACKUP_PATH}/networks.json"

# Verify files are not empty
for file in users.json groups.json vouchers.json networks.json; do
  if [ ! -s "${BACKUP_PATH}/${file}" ]; then
    echo "WARNING: ${file} is empty or missing"
  fi
done

# Remove backups older than 90 days
find "${BACKUP_DIR}" -type d -mtime +90 -exec rm -rf {} +

echo "Backup completed: ${BACKUP_PATH}"

Scheduling backups

Add the script to your cron schedule:

# Weekly backup at 2:00 AM every Sunday
0 2 * * 0 /path/to/ironwifi-backup.sh >> /var/log/ironwifi-backup.log 2>&1

tip

Run backups from a server with reliable network access to IronWiFi's API. If the API call fails, the backup file will be empty -- the script above checks for this.

Python backup script

For more control over the backup process:

import requests
import json
import os
from datetime import datetime

API_KEY = os.environ.get("IRONWIFI_API_KEY")
BASE_URL = "https://console.ironwifi.com/api"
BACKUP_DIR = "/backups/ironwifi"

HEADERS = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

def backup_endpoint(endpoint, filename):
    """Export data from an API endpoint to a JSON file."""
    response = requests.get(
        f"{BASE_URL}/{endpoint}",
        headers=HEADERS
    )
    response.raise_for_status()
    data = response.json()

    with open(filename, "w") as f:
        json.dump(data, f, indent=2)

    print(f"Backed up {len(data)} records from /{endpoint}")
    return data

def backup_user_attributes(users, backup_path):
    """Export attributes for each user."""
    all_attributes = []
    for user in users:
        response = requests.get(
            f"{BASE_URL}/attributes?userid={user['id']}",
            headers=HEADERS
        )
        if response.status_code == 200:
            attrs = response.json()
            all_attributes.extend(attrs)

    with open(os.path.join(backup_path, "attributes.json"), "w") as f:
        json.dump(all_attributes, f, indent=2)

    print(f"Backed up {len(all_attributes)} user attributes")

def main():
    date_str = datetime.now().strftime("%Y-%m-%d")
    backup_path = os.path.join(BACKUP_DIR, date_str)
    os.makedirs(backup_path, exist_ok=True)

    # Back up core data
    users = backup_endpoint("users",
                            os.path.join(backup_path, "users.json"))
    backup_endpoint("groups",
                    os.path.join(backup_path, "groups.json"))
    backup_endpoint("vouchers",
                    os.path.join(backup_path, "vouchers.json"))
    backup_endpoint("networks",
                    os.path.join(backup_path, "networks.json"))

    # Back up user attributes
    backup_user_attributes(users, backup_path)

    print(f"Backup complete: {backup_path}")

if __name__ == "__main__":
    main()

warning

Store your API key as an environment variable or in a secrets manager. Never hard-code API keys in backup scripts that are committed to version control.

Restore Procedures

Restoring users from backup

Use the API to recreate users from a backup file:

# Read the backup file and create each user
cat users_backup.json | jq -c '.[]' | while read user; do
  curl -s -X POST "https://console.ironwifi.com/api/users" \
    -H "Authorization: Bearer YOUR_API_KEY" \
    -H "Content-Type: application/json" \
    -d "$user"
done

Python restore script:

import requests
import json
import time

API_KEY = "YOUR_API_KEY"
BASE_URL = "https://console.ironwifi.com/api"
HEADERS = {
    "Authorization": f"Bearer {API_KEY}",
    "Content-Type": "application/json"
}

def restore_users(backup_file):
    """Restore users from a backup JSON file."""
    with open(backup_file, "r") as f:
        users = json.load(f)

    restored = 0
    errors = 0

    for user in users:
        response = requests.post(
            f"{BASE_URL}/users",
            headers=HEADERS,
            json={
                "username": user["username"],
                "email": user.get("email", ""),
                "fullname": user.get("fullname", "")
            }
        )

        if response.status_code in (200, 201):
            restored += 1
            print(f"Restored: {user['username']}")
        else:
            errors += 1
            print(f"Failed: {user['username']} - "
                  f"{response.status_code}: {response.text}")

        time.sleep(0.5)  # Respect rate limits

    print(f"Restore complete: {restored} restored, {errors} errors")

restore_users("/backups/ironwifi/2024-01-15/users.json")

note

Restored users will need new passwords set unless you also backed up and restore their password attributes. If users authenticate via an identity provider (AD, Okta, Google), their credentials are managed externally and do not need to be restored.

Restoring Group policies

Open your Groups backup file
For each Group, navigate to Users > Groups in the IronWiFi Console
Create the Group with the saved name and description
Add check and reply attributes matching the backup

Or automate via the API:

# Create a group
curl -X POST "https://console.ironwifi.com/api/groups" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "Standard Employee", "description": "Default employee access policy"}'

Restoring access point configuration

Access point RADIUS settings are configured on your network equipment, not in IronWiFi. Restore these from your network management tool's backup:

Meraki: Configurations are cloud-managed and backed up automatically
UniFi: Restore from UniFi Controller backup
Aruba Central: Restore from Aruba Central configuration backup
MikroTik: Restore from RouterOS backup file

Rollback Strategies

Rolling back a policy change

If a Group attribute change causes authentication problems:

Identify the problematic change in the IronWiFi Console
Navigate to Users > Groups > select the affected Group
Modify the attribute back to the previous value (from your backup documentation)
Test authentication with a test user to verify the fix

Rolling back a user bulk operation

If a bulk user import or modification goes wrong:

Stop the operation immediately if it is still running
Assess the damage -- Check which users were affected
Restore from backup -- Use the most recent backup to restore affected users via the API
Verify -- Test authentication for restored users

Rolling back a Network change

Network settings (RADIUS IPs, ports, secrets) are assigned by IronWiFi and generally do not change. If you accidentally delete a Network:

Create a new Network in the same region
Note the new RADIUS server details
Update all access points with the new RADIUS configuration
Reassign captive portals to the new Network

warning

Deleting a Network requires updating all access points that reference it. This is disruptive, so be cautious when deleting Networks. IronWiFi may prompt for confirmation before deletion.

Backup Best Practices

Automate backups -- Manual backups are unreliable. Use scheduled scripts.
Test restores regularly -- A backup is worthless if you cannot restore from it. Test quarterly.
Store backups securely -- Backup files contain usernames and configuration details. Encrypt at rest.
Use versioned storage -- Keep multiple backup versions so you can restore from any point in time.
Back up before changes -- Run an on-demand backup before making bulk modifications.
Monitor backup success -- Alert if a scheduled backup fails or produces empty files.
Document the restore process -- Your team should know how to restore without guessing.
Include AP configuration -- Back up your network equipment configuration alongside IronWiFi data.

Backup Retention Schedule

Backup Type	Frequency	Retention
Full export (users, groups, attributes)	Weekly	12 weeks (rolling)
Pre-change snapshot	Before bulk operations	30 days
Configuration documentation	After changes	Indefinite (versioned)

REST API -- API reference for data export and import
High Availability -- Redundancy and disaster recovery planning
Monitoring and Alerting -- Detect issues before they require a restore
Operational Runbooks -- Step-by-step procedures for common operations
Groups -- Group policy configuration
Users -- User management

Was this page helpful?

What to Back Up​

Backup inventory​

Manual Backup via Console​

Documenting Network settings​

Exporting user data​

Documenting Group policies​

Automated Backup via API​

Backup script​

Scheduling backups​

Python backup script​

Restore Procedures​

Restoring users from backup​

Restoring Group policies​

Restoring access point configuration​

Rollback Strategies​

Rolling back a policy change​

Rolling back a user bulk operation​

Rolling back a Network change​

Backup Best Practices​

Backup Retention Schedule​

Related Topics​