All posts by bsdman

Currently working as an IT Manager. Worked for an OIT company as a Network Engineer in 2011. Worked for a Medical IT company as the Network Administrator 2009-2011. Worked as the Senior Systems Administrator at a computer reseller from 2005-2009. Worked as a Computer Consultant for several small companies from 2007-2009. Worked as a Computer Technician at a computer reseller from 2002-2004.

Securing Enterprise Wireless

Our small business is growing into a medium sized business rather quickly. What was acceptable before (BYOD, honor system, etc.) is no longer sustainable.

I’ve been at this same company from the days of a single Linksys WRT54GS access point and ~40 employees to seven Meraki APs (MR18s and MR24s) across 3 locations and 200+ employees.

Originally we had a standard WPA/TKIP with a pre-shared key (PSK) that was given out to those who needed it. Unfortunately this PSK ended up in the hands of so many people that it was difficult to control. I rolled out an NPS server (Windows RADIUS) to allow only those with domain credentials to connect; this alleviated the issue of having non-employees on the network (for the most part), but individuals quickly realized they could add their iPad/Tablet, phone, and other laptops to the company network.

If that’s OK with you, here’s my NPS configuration (I have this on two different NPS servers for redundancy):
RADIUS Clients

Friendly name: SuiteNumber_DeviceModel
IP Address: The statically assigned IP of the device
Device Manufacturer: RADIUS Standard
NAP-Capable: No (for now)
Status: Enabled

[screenshot: wireless_01]

Connection Request Policies

Policy Name: I picked “Secure Wireless Connections” and Enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11
Settings: I left these as the defaults as I wanted the Network Policy to dictate the authentication methods

[screenshot: wireless_02]

Network Policies

Policy Name: I once again picked “Secure Wireless Connections” and enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11 / Windows Groups of domain\domain computers and domain\domain users
Since I don’t feel like typing it all out, look at the picture.

[screenshot: wireless_03]

Just point your wireless device(s) to your NPS/RADIUS server IP with the default port and away you go.
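The RADIUS client entries above are the piece most worth scripting, because each AP needs its own long, random shared secret (RADIUS protects the password attribute with a keystream derived from that secret, so a short shared one weakens every AP at once) and the second NPS server has to carry identical entries. The script below is an added example, not the author's configuration: it uses the NPS PowerShell module that ships with Windows Server 2012 and later (an assumption about the NPS version), and the AP names and addresses are constructed to follow the SuiteNumber_DeviceModel naming scheme from the post.

```powershell
# Added example: register each access point as an NPS RADIUS client with its own
# CSPRNG-generated shared secret, then export the configuration for the second NPS server.
# Assumptions: NPS role installed locally, NPS module available (Server 2012+),
# AP inventory below is constructed.

Import-Module NPS

# 64-character alphabet so that byte % 64 is unbiased (256 is a multiple of 64).
function New-RadiusSharedSecret {
    param([int]$Length = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes = New-Object byte[] $Length
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Constructed inventory: friendly name = SuiteNumber_DeviceModel, address = the AP's static IP.
$accessPoints = @(
    @{ Name = 'Suite100_MR18'; Address = '10.0.10.11' },
    @{ Name = 'Suite100_MR24'; Address = '10.0.10.12' },
    @{ Name = 'Suite220_MR18'; Address = '10.0.20.11' }
)

$existing = Get-NpsRadiusClient | ForEach-Object { $_.Name }

foreach ($ap in $accessPoints) {
    $secret = New-RadiusSharedSecret
    if ($existing -contains $ap.Name) {
        # Rotate the secret on an already-registered AP.
        Set-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret -Enabled $true
    } else {
        # Matches the post's settings: RADIUS Standard vendor, not NAP-capable, enabled.
        New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret `
            -VendorName 'RADIUS Standard' -NapCompatible $false -Enabled $true
    }
    # Shown once so it can be entered in the AP's RADIUS settings; NPS stores it, this script does not.
    '{0} ({1}): {2}' -f $ap.Name, $ap.Address, $secret
}

# Keep the redundant NPS server in step: copy this file there and run Import-NpsConfiguration.
# The export holds every shared secret in plain text, so restrict access to it and delete it after import.
Export-NpsConfiguration -Path 'C:\nps\nps-config.xml'
```

Run it in an elevated PowerShell window on the NPS server. Because the RADIUS client is matched on source IP, the AP addresses must stay static (as the post says), and a DHCP lease change would silently stop authentication for that AP.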


Moving to certificate-based security took a bit more work:

I am assuming that you’re using an on-premises Certificate Authority and that it’s already up and running. In my case we have a 2008R2 CA already published in Active Directory. If it’s not published in AD, you can always have a GPO that pushes the trusted root certificate authority to all domain members.

Anyway, I needed to set it so that every domain joined computer would enroll with a computer certificate against this CA, so I created a GPO called Wireless Settings (I don’t really like adding things to the default domain policy, so I end up creating new).
Under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Certificate Services Client – Auto-Enrollment Settings
[screenshot: wireless_04]

From this I verified that computers had the appropriate certificates installed by looking at my MMC:
start, run, MMC
Add Certificates (Computer account) for the local machine
Verify there’s a certificate issued to your computername.yourdomainname.tld from the Certificate Authority with hooks into AD
[screenshot: wireless_05]
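The MMC check above confirms a certificate exists, but EAP-TLS also needs the right issuer, a Client Authentication EKU, a private key in the machine store and a name that matches the computer, and a certificate missing any of those fails authentication with an unhelpful error on the AP. The following script is an added example, not from the post, that performs those checks on a domain member; the CA subject name is a placeholder you replace with your own.

```powershell
# Added example: verify this computer holds a certificate that NPS will accept for EAP-TLS.
# Assumption: the issuing CA's subject starts with the string below (placeholder).
$issuerCN = 'CN=Example Corp Issuing CA'
$fqdn = [System.Net.Dns]::GetHostByName($env:COMPUTERNAME).HostName
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-EapTlsComputerCert {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$Fqdn,
        [Parameter(Mandatory)][string]$IssuerCN
    )
    $problems = @()
    if ($Cert.Issuer -notlike "$IssuerCN*") { $problems += "issued by '$($Cert.Issuer)', not our CA" }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key in the machine store' }

    # Enhanced Key Usage must include Client Authentication for 802.1X.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @($ekuExt | ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekus -notcontains $clientAuthOid) { $problems += 'missing Client Authentication EKU' }

    # The Computer template puts the FQDN in the subject CN and the SAN; GetNameInfo reads either.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ine $Fqdn) { $problems += "name '$dnsName' does not match $Fqdn" }

    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter)" }

    # Build the chain to make sure the root (and any intermediate) is trusted on this machine.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $problems += 'chain: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

$results = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-EapTlsComputerCert -Cert $_ -Fqdn $fqdn -IssuerCN $issuerCN }

$results | Format-Table Ok, Subject, Thumbprint, @{ n = 'Problems'; e = { $_.Problems -join '; ' } } -AutoSize

if (-not ($results | Where-Object { $_.Ok })) {
    Write-Warning 'No certificate suitable for EAP-TLS. Check the Auto-Enrollment GPO applied, then run gpupdate /force and certutil -pulse.'
}
```

Run it in an elevated window on a freshly joined machine before pointing it at the secured SSID; an expiring certificate showing up here is also the early warning for the renewal cycle the Auto-Enrollment GPO is supposed to handle.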

Now I finished up my Wireless Settings GPO with some Wireless Network (802.11) Policies. See the picture. Lazy.
The Profile Name will be the one displayed when people search for available wireless networks and, to the end-user, they will be connecting to this access point. You can actually publish multiple SSIDs under this name (I only have the “Linksys47532” name available currently).
[screenshot: wireless_06]

You’d have to run
netsh wlan show interfaces
from an administrative command window to actually see the network being connected to.

When I get around to publishing a computer certificate that can be imported on an iPhone, I’ll update this post.

Android Playstore

I have an android phone now for only the second (third) time in my life:
1.) working for an MSP they required me to have their phone and it was a terrible motorola piece of garbage
2.) I bought a freedompop Samsung SII which had a battery that would last ~2 hours and was terribly slow
3.) I bought another freedompop LG Optimus F3 which has an awesome (so far) battery and is iPhone4-or-iphone5-peppy

I’ve been on the iPhone since the 3G came out, so it’s still somewhat different for me.

During updates on the LG phone I noticed that it was rather difficult to install new applications; I’d have to play around with rebooting it, turning the wifi off and on, laughing at it, and singing songs just to get a new app to install. In the play store I saw that google maps was constantly “downloading” but never finishing. I tried to stop it, didn’t work.

A day later, and growing more weary of how slow it was to download apps, I googled.

http://forums.androidcentral.com/samsung-galaxy-tab-10-inch/202017-google-play-store-not-working.html

btswein gave the answer:
“Clear the data and cache for google play”
Settings > Applications > All > Google Play > Clear data
or, on the LG
Settings > Apps > Google Play services (AND google play store) > Clear data

Then it magically worked much better! Thanks, guy.

Cord Cutting

So I “Cut the cord” back in 2013 after having ATT Uverse for a couple years. ATT had just informed me that my TV and internet rates would both be going up by a combined $30 a month, but that my internet speed had doubled (6Mbps up to a blazing 12Mbps)! Yay! So the service was cancelled.

An antenna was purchased from Crutchfield (Channel Master 4221HD)
While this antenna says “Mid-Range outdoor rooftop” I ended up just setting it up in the attic of the house and I get great signal strength (Channels 2 through 67+ all come in crystal clear)
I live roughly 30 miles away – line of sight – from the closest major city with broadcast towers
If I had a need (or more money) I probably would have settled on the Channel Master 4228HD for extended ranges
The antenna requires no power and I ended up re-using the existing coax run from the basement to the attic

Netflix and Amazon Prime apps on the TV. An AppleTV for connectivity to the mobile phones. Chromecast. XBMC (now Kodi) running on a raspberry pi is a major provider of entertainment as well.

The only complaint, after about a year of antenna TV, was the lack of a DVR function. I priced it out running MythTV/XBMC combo, but the cost of the computer in addition to the 30-35 watts of power used (about $3.50 a month in electricity) wasn’t ideal.

Then I read about the Channel Master DVR+ and was amazed! This is going to sound like a CM ad, but this is my experience so far.
I received the DVR+ and set it up with HDMI, power, and a wireless USB. I ran through the initial setup wizard and then updated the firmware. I could now pause live TV! But something was missing; it wasn’t automatically recording what I was watching so I couldn’t rewind. I grabbed an old laptop and a USB to SATA enclosure, did a little work, and then had a 250GB SATA drive external to the DVR+. After formatting all functionality was as it should be! $250 for this isn’t bad, although I had a USB wireless and external HD laying around already.

Manage Wireless Networks Windows 8

I guess this is actually 8.1, but you get the idea. In 2000/XP and even Vista/7 it was fairly easy to remove old wireless network profiles in case there was something wrong (i.e. bad saved credentials). Windows 8, unfortunately, made it significantly more difficult and requires the use of an elevated command prompt (start > cmd > right-click run as administrator).

Show all profiles
netsh wlan show profiles

Delete a profile
netsh wlan delete profile name="PROFILEHERE"

Display the security key (if applicable)
netsh wlan show profile name="PROFILEHERE" key=clear

Stop auto-connecting to a profile
netsh wlan set profileparameter name="PROFILEHERE" connectionmode=manual
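Doing this one profile at a time is fine for a single laptop, but on a fleet the useful operation is the inverse: keep the profiles you trust and clear out every remembered network that still has stale credentials or auto-connects. The script below is an added example built on the same netsh commands, not something from the post; it assumes English netsh output (the "All User Profile :" label is localized) and the SSID names in the constructed sample are made up apart from the Linksys47532 name the post mentions.

```powershell
# Added example: parse `netsh wlan show profiles` and remove every profile not on an allow-list.
# Assumption: English-language netsh output. Run from an elevated PowerShell window.

# Extract profile names from the "All User Profile : NAME" / "Current User Profile : NAME" lines.
function Get-WlanProfileName {
    param([string[]]$NetshOutput)
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*(All User|Current User) Profile\s*:\s*(.+?)\s*$') { $Matches[2] }
    }
}

# Delete profiles not in $Keep; honours -WhatIf so the list can be reviewed first.
function Remove-StaleWlanProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Keep)
    $names = Get-WlanProfileName (netsh wlan show profiles)
    foreach ($name in $names) {
        if ($Keep -contains $name) {
            Write-Verbose "keeping $name"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'delete wireless profile')) {
            netsh wlan delete profile name="$name" | Out-Null
        }
    }
}

# Constructed sample of netsh output, to show what the parser picks out.
$sample = @'
Profiles on interface Wi-Fi:

Group policy profiles (read only)
---------------------------------
    <None>

User profiles
-------------
    All User Profile     : CoffeeShopFree
    All User Profile     : HomeNet
    All User Profile     : Linksys47532
'@ -split "`r?`n"

Get-WlanProfileName $sample          # CoffeeShopFree, HomeNet, Linksys47532

# Dry run first, then for real:
# Remove-StaleWlanProfile -Keep 'Linksys47532' -WhatIf
# Remove-StaleWlanProfile -Keep 'Linksys47532'
```

Profiles delivered by the Wireless Network (802.11) GPO from the first post appear in the read-only group policy section and cannot be deleted with netsh, so the allow-list mainly matters for manually added networks. Since `key=clear` shows any local administrator the stored PSK, removing a profile is also how you stop a shared key from travelling with a machine that no longer needs it.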

Remote Management Exchange Mailbox Rules

CEO of the company had a rule to auto forward his calendar items to his personal secretary. Unfortunately, after about a year of service, this person was moving to another position.

The new IT rules stipulate that unless written permission from the VP of IT, President of the company, or CEO is provided that under no circumstances should IT actively connect to another user’s email box.

This makes it harder since the old way was to grant full permissions to their mailbox, attach it as a non-cached account, and then make any necessary changes.

The CEO was also travelling out of the country, so getting him on a phone call would prove difficult.

Powershell to the rescue! I did the following commands from the Exchange admin server, but this will work just as well right on the Exchange servers themselves, or even if you load the PS1 for exchange.
Get-inboxrule -mailbox USERNAME | fl > c:\text\outlookrules.txt
I opened this text file and searched for the name of the secretary – found one rule “If the message is meeting, forward to”

We can disable or remove the outlook rule as well.
disable-inboxrule -mailbox USERNAME -identity "THELONGNUMBERIDENTITYFROMPREVIOUSSTEP"
or
remove-inboxrule -mailbox USERNAME -identity "THELONGNUMBERIDENTITYFROMPREVIOUSSTEP"
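The same Get-InboxRule data is what you want for the opposite problem: finding forwarding or redirect rules nobody asked for, across every mailbox, without opening anyone's mail (which satisfies the policy described above, since the cmdlet reads rule metadata, not messages). The script below is an added example, not the commands from the post; it assumes it runs in the Exchange Management Shell, and the accepted domains and report path are placeholders.

```powershell
# Added example: report every inbox rule that forwards or redirects mail, flagging external recipients.
# Assumptions: run from the Exchange Management Shell; $internalDomains and $reportPath are placeholders.

$internalDomains = @('corp.example', 'example.com')
$reportPath = 'C:\text\forwarding-rules.csv'

# ForwardTo / RedirectTo / ForwardAsAttachmentTo render recipients as
# '"Display Name" [SMTP:user@domain]'; pull the SMTP address out of each.
function Get-RuleRecipient {
    param($Rule)
    @($Rule.ForwardTo) + @($Rule.RedirectTo) + @($Rule.ForwardAsAttachmentTo) |
        Where-Object { $_ } |
        ForEach-Object {
            if ("$_" -match 'SMTP:([^\]\s]+)') { $Matches[1] } else { "$_" }
        }
}

function Test-ExternalAddress {
    param([string]$Address, [string[]]$InternalDomains)
    $domain = ($Address -split '@')[-1].ToLower()
    return ($Address -like '*@*') -and ($InternalDomains -notcontains $domain)
}

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress.ToString() -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $recipients = @(Get-RuleRecipient $rule)
        if ($recipients.Count -eq 0) { continue }   # rule moves or deletes only; not a forward
        foreach ($rcpt in $recipients) {
            [pscustomobject]@{
                Mailbox  = $mbx.PrimarySmtpAddress.ToString()
                RuleName = $rule.Name
                Enabled  = $rule.Enabled
                SendsTo  = $rcpt
                External = Test-ExternalAddress $rcpt $internalDomains
                Identity = $rule.Identity   # what Disable-InboxRule / Remove-InboxRule take
            }
        }
    }
}

$report | Sort-Object External -Descending | Export-Csv -NoTypeInformation -Path $reportPath
$report | Where-Object { $_.External } | Format-Table Mailbox, RuleName, SendsTo -AutoSize
```

The Identity column is the long value the post pastes into Disable-InboxRule, so a flagged row can be acted on with the same two commands shown above once the owner has signed off. Rules forwarding to external addresses are the rows to review first, because a rule like the CEO's calendar forward is only appropriate while the recipient still holds the role.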

Rancid Ubuntu 14.04 LTS

Recently upgraded the Rancid server from 12.04.3 to 14.04 (and it started as 10.04 from my rancid on ubuntu 10 install page).

Not everything went flawlessly: the upgrade killed the configuration file that said drancid is to be used for my Dell switches. Not a big deal, just calling it out. I just followed my “drancid” post somewhere else on this blog.

Then I noticed that some of the switches were hitting EOF prematurely; turned out it was due to the fact that the exec and login banners on these Cisco devices had the character “#” in them and the new version of rancid had an issue parsing those out. Another easy fix.

Final problem was an error 500 on the web interface. In my brief research this was due to the fact that perl was upgraded to 5.18.x from 5.14.x
It should be noted that I learned about the rmadison PACKAGENAME command (installed with devscripts), which was fairly helpful for seeing which package versions each release ships. It should also be noted that there was not a lot of information on this error, which leads me to believe that not many are using rancid on a 14.x or above system.

Troubleshooting this issue I ran (change depending on the user you’re running rancid under)
sudo login -f root
source /etc/rancid/rancid.conf
NOPIPE=yes;export NOPIPE
rancid -d switchname
nano *.new
nano *.raw
The full logs are the *.new and the *.raw files in the directory you ran the commands in.

So someone (a netbsd op) pointed out that there is a fix for this issue. In my case I’m running debian/ubuntu, so I actually found this article by Mark Kamichoff.

nano /usr/lib/cgi-bin/cvsweb
I searched for “legend” to get to the following:

 <legend>General options</legend>
 <input type="hidden" name="copt" value="1" />
 EOF
-    for my $v qw(hidecvsroot hidenonreadable) {
+    for my $v (qw(hidecvsroot hidenonreadable)) {
       printf(qq{<input type="hidden" name="%s" value="%s" />\n},
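Review bot: the added parentheses around qw(hidecvsroot hidenonreadable) are the correct fix here, not a cosmetic one: using a bare qw(...) list as the parentheses of a for loop was deprecated in Perl 5.14 and became a compile error in 5.18, which matches the 5.14 to 5.18 upgrade blamed for the error 500 above. Since a compile error means the whole CGI fails, it is worth grepping the rest of /usr/lib/cgi-bin/cvsweb for other for/foreach headers written with a bare qw before declaring the script fixed.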

Searched again for “mytz”:

   print '<i>';
-  if (defined @mytz) {
+  if (@mytz) {
     my ($est) = $mytz[(localtime($date{$_}))[8]];
     print scalar localtime($date{$_}), " $est</i> (";
   } else {
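Review bot: replacing defined @mytz with @mytz is the right change, and the only safe one: defined on an aggregate was deprecated and became fatal in Perl 5.18, and the body immediately indexes $mytz[...], so the test that matters is whether the array has elements, which is exactly what @mytz in boolean context gives. The result is also more accurate than the original, since defined @array could be true for an array that had been assigned and then emptied.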

Nas4Free Smartctl

Running 9.2.0.1 – Shigawire (revision 972) on some supermicro server with an Intel Xeon.

Noticed that I wasn’t receiving my weekly status emails so I finally got around to checking it out (system is running as a backup of a backup for my personal files, so not the end of the world if it doesn’t work right).

Logged in via the web interface and didn’t notice anything really going on except that out of the 4 available cores on the processor 2 were maxing out at 100%. Process listing showed smartctl was the culprit. Went into the ZFS settings (forgot there are no SMART settings in there), and then tried to load up the Disk > Management area. No go – spinning and spinning.

Logged in using SSH to restart the web services
/etc/rc.d/lighttpd restart

Back in business, but then the Disk > Management area was once again crashing it out.

Issued kill -s HUP PIDHERE against the smartctl processes. They came right back.

Rebooted the server. Smartctl was still coming up eating all of my available CPU time for reports.

I ended up renaming the smartctl binary and then killing the processes.
It’s located in /usr/local/sbin; mv smartctl smartctl.old or something similar, then kill the running copies.

From there I could load the Disk > Management page again and disable smart monitoring.

And yes, the disks have all checked OK.