Category Archives: Networking

U6 Pro Unifi Not Updating

I’ve had many access points from Unifi over the years. Updating from the controller is generally a painless operation, and only rarely have I ever needed to utilize the CLI to make any changes (mostly set-inform related).

However, when attempting to update the firmware of my Unifi systems (U6-Pro, US-24-250W, US-8-60W, UAP-nanoHD, and U6-Pro), I got stuck on the U6-Pro. I would click to upgrade the firmware and then the access point would get stuck on the blue/white blinking LED for hours. I even let it sit there overnight just to see. For the record, I was attempting to upgrade from 6.0.14 to 6.0.15 at the time, and it was not happy. Unplugging from power and then plugging back in would get me back to the 6.0.14 version, so no harm, no foul.

I figured it would get fixed with a new release of the controller as well as a firmware release to 6.0.18. Wrong. Same issue. I even attempted to CLI it by logging in via SSH and running the “upgrade https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin” command. No dice. Hard reboot and it’s back on 6.0.14.

Swannman had the same issue posted on the Unifi forums, and UI-Glenn gave an updated command for me to try:

curl https://dl.ui.com/unifi/firmware/UAP6MP/6.0.18.13660/BZ.ipq50xx_6.0.18+13660.220413.1958.bin -o /tmp/fwupdate.bin && fwupdate.real -m &

Magically this worked and the controller reads it just fine. Posting for the future sake of my sanity.

Unifi Linux and Windows Certificates

I thought I knew it all about certificates, but then I was humbled once again.

I needed to “secure” an internal Linux webserver using our Windows 2016 CA so as to remove the “this is an unverified site” messages that liked to pop up when browsing the various sites.

The process I had done in the past was to create the CSR using openssl, then copy the CSR text, open up my trusty http://certserverhere/certsrv/ site and go through the process of requesting a webserver certificate. Then, when finished, just download the certificate and the CA + chain, import on Linux, and profit.

Well, the new versions of the templates (V3 and V4 specifically) no longer allowed the web enrollment using my trusty http://certserverhere/certsrv site. Booo.

I could probably get it to work by just requesting my own certificates using the MMC, but I’m still leaning towards the whole CLI phase of life. I should also note that I find the performance and management of Unifi on Linux to be significantly better and easier than that on Windows. YMMV.

By the way, this is technically how I published a certificate on our Unifi wireless controller. The Certificate Authority is a 2016 Windows Server that’s been published in AD. The Unifi machine is running Ubuntu 17.10 and Unifi version 5.6.29. I also used WinSCP, PuTTY, and my base machine is Win10 (not super applicable).

SSH to the Unifi Machine
(I did this as root, so add “sudo” before commands if you’re not the root god)
cd /usr/lib/unifi
java -jar lib/ace.jar new_cert unifi.domain.tld CompanyName Town State Country
This creates unifi_certificate.csr.der and unifi_certificate.csr.pem – the DER is the binary form and the PEM (Base64 text) is what we need.

Get the PEM over to your CA Server
I just used nano to view all the data and then copy-pasted, but feel free to WinSCP it over as well
nano unifi_certificate.csr.pem
Copy this text, then on the CA create a new text file and paste the data there. Save.

Certreq
Open an administrative Command Prompt on your CA server
certreq -submit -attrib "SAN:dns=unifi.yourdomain.tld&dns=unifi" -attrib "CertificateTemplate:WebServer2018" unifi_certificate.csr.pem
By default your Certificate Template will be “WebServer” instead of the one I listed above – I created my own template with the year it’s valid in its name for the sake of record keeping.

Save the Certificate
Assuming the request went through, you’ll be able to name and save your signed certificate. In my case I named it unifi_withSAN.domain.tld.cer. I also navigated to the http://certserverhere/certsrv site and downloaded the CA certificate, Certificate chain, or CRL (I just downloaded the CA Certificate as it’s a single host with no subs).

Copy it back to Unifi
I used WinSCP to copy both the signed certificate as well as the CA Certificate I downloaded back to my /home directory on the Unifi server.

Final Touches
Back on your Unifi SSH session (in the /usr/lib/unifi directory)
java -jar lib/ace.jar import_cert /home/unifi_withSAN.domain.local.cer /home/srv-cert01-ca.cer
Replace srv-cert01-ca with the name of your CA certificate.
If successful, restart the unifi services
service unifi restart

Close your browser and open back up to https://unifi:8443 and no more error!
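A pre-import sanity check I would run before the import_cert step, as an added example (shell, not part of the original post and not a Unifi tool): it confirms the signed .cer from the Windows CA carries the same public key as the CSR ace.jar generated, verifies it chains to the downloaded CA certificate, and prints the subject, SANs and expiry. The function name check_cert_matches_csr and the argument layout are my own; it needs openssl on the Unifi box and a PEM CA file.

```shell
#!/bin/sh
# Added example: verify a CA-signed certificate against its CSR before
# "java -jar lib/ace.jar import_cert". Function name and paths are my own.
# Usage: check_cert_matches_csr SIGNED.cer REQUEST.csr.pem [CA.cer]

check_cert_matches_csr() {
    cert="$1"; csr="$2"; ca="$3"

    # Windows certsrv can hand back DER ("Binary") or Base64; normalise to PEM.
    if ! cert_pem=$(openssl x509 -in "$cert" 2>/dev/null); then
        cert_pem=$(openssl x509 -inform der -in "$cert" 2>/dev/null) \
            || { echo "error: cannot parse $cert as PEM or DER" >&2; return 1; }
    fi

    # The classic import failure: the cert was issued for a different key
    # (CSR re-generated, wrong file copied back). Compare public-key hashes.
    pk_cert=$(printf '%s\n' "$cert_pem" | openssl x509 -noout -pubkey | openssl sha256)
    pk_csr=$(openssl req -in "$csr" -noout -pubkey | openssl sha256)
    if [ "$pk_cert" != "$pk_csr" ]; then
        echo "error: public key in $cert does not match $csr" >&2
        return 2
    fi

    # Optional: make sure it chains to the CA cert you downloaded; otherwise
    # browsers that trust the AD-published root will still complain.
    if [ -n "$ca" ]; then
        printf '%s\n' "$cert_pem" | openssl verify -CAfile "$ca" >/dev/null 2>&1 \
            || { echo "error: $cert does not chain to $ca" >&2; return 3; }
    fi

    # Show what is about to be installed: subject, expiry and the SANs
    # that the certreq -attrib "SAN:..." line was supposed to add.
    printf '%s\n' "$cert_pem" | openssl x509 -noout -subject -enddate
    printf '%s\n' "$cert_pem" | openssl x509 -noout -text | grep -A1 'Subject Alternative Name' || true
}
```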

Tmobile Band 12

Tmobile bought up quite a bit of the 700MHz spectrum, but I wanted to see where it was being deployed.

Map of Deployments and other Information
http://maps.spectrumgateway.com/t-mobile-700-mhz-spectrum.html

How to find current band on iPhone
Open the Dialer
*3001#12345#*
Press Dial/Talk
This enables Field Test Mode
Navigate to LTE > Service Cell Info
Where it says Freq_band_ind that’s the band you’re currently utilizing. In my case it’s Band 2

http://www.radio-electronics.com/info/cellulartelecomms/lte-long-term-evolution/lte-frequency-spectrum.php

LTE band frequencies (MHz; the first range is uplink, the second is downlink):

Band  Uplink (MHz)       Downlink (MHz)     Width    Duplex spacing  Band gap
1     1920 – 1980        2110 – 2170        60       190             130
2     1850 – 1910        1930 – 1990        60       80              20
3     1710 – 1785        1805 – 1880        75       95              20
4     1710 – 1755        2110 – 2155        45       400             355
5     824 – 849          869 – 894          25       45              20
6     830 – 840          875 – 885          10       35              25
7     2500 – 2570        2620 – 2690        70       120             50
8     880 – 915          925 – 960          35       45              10
9     1749.9 – 1784.9    1844.9 – 1879.9    35       95              60
10    1710 – 1770        2110 – 2170        60       400             340
11    1427.9 – 1452.9    1475.9 – 1500.9    20       48              28
12    698 – 716          728 – 746          18       30              12
13    777 – 787          746 – 756          10       -31             41
14    788 – 798          758 – 768          10       -30             40
15    1900 – 1920        2600 – 2620        20       700             680
16    2010 – 2025        2585 – 2600        15       575             560
17    704 – 716          734 – 746          12       30              18
18    815 – 830          860 – 875          15       45              30
19    830 – 845          875 – 890          15       45              30
20    832 – 862          791 – 821          30       -41             71
21    1447.9 – 1462.9    1495.5 – 1510.9    15       48              33
22    3410 – 3500        3510 – 3600        90       100             10
23    2000 – 2020        2180 – 2200        20       180             160
24    1625.5 – 1660.5    1525 – 1559        34       -101.5          135.5
25    1850 – 1915        1930 – 1995        65       80              15
26    814 – 849          859 – 894          30 / 40  n/a             10
27    807 – 824          852 – 869          17       45              28
28    703 – 748          758 – 803          45       55              10
29    n/a                717 – 728          11       n/a             n/a
30    2305 – 2315        2350 – 2360        10       45              35
31    452.5 – 457.5      462.5 – 467.5      5        10              5

Powershell Add Certificates to Firefox User

As we recently implemented a MITM SSL inspection web filter, I needed a way to install the locally signed certificate into the firefox stores on managed devices.

Firefox, by default, does not use the built-in certificate store and instead chooses to utilize its own. Chrome/IE/Edge do not have this same issue and the GPO setup to publish an internal certificate to domain computers is working wonderfully. Firefox, on the other hand, is not so helpful.

After some research it was obvious the best solution was to use powershell/certutil to force an import of the certificate into the local profile’s store. I must admit it took me about 10 minutes to realize that Mozilla/Firefox has its own version of certutil that IS NOT the same as the windows certutil… SMH.

I’ve zipped up the required files as of 02/2017 here.

And here is the ps1 script I used, which assumes you installed the OS on the C:\ drive with most of the defaults:

# Script adds the RADIUS/inspection certificate to Firefox's own certificate store,
# since the browser does not use the Windows built-in certificate store.

# List all Firefox profiles so we can push the certificate to ALL of them
$ProfileRoot = "C:\Users\" + $env:username + "\AppData\Roaming\Mozilla\Firefox\Profiles\"
$Profiles = Get-ChildItem $ProfileRoot -Directory

# Update for Untangle: this is Mozilla's NSS certutil.exe from the zip (assumed to sit
# next to this script), NOT the Windows certutil that is on the PATH.
foreach ($Profile in $Profiles) {
    & "$PSScriptRoot\certutil.exe" -A -n "Name of Certificate" -t "CT,C,C" -i "certificate_from_content_filter_or_UTM.crt" -d $Profile.FullName
}

Add Self-Signed Certificate to Ubuntu

I’m currently running Untangle as my firewall/router UTM and recently enabled SSL Inspection. Unfortunately apt-get was breaking on my linux boxen, so I had to import the certificate.

On my linux box I ran the following and it worked fine:
wget http://firewallURL/cert
mv cert cert.crt
sudo cp cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
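A guarded version of those four commands, as an added example (not from the original post): it checks that what the firewall served is actually a PEM certificate and that the target name ends in .crt, because update-ca-certificates silently ignores anything else, then stages the file and rebuilds the bundle. The function name install_ca_cert and the optional third argument (directory override, used for testing) are my own.

```shell
#!/bin/sh
# Added example: stage a downloaded CA certificate for update-ca-certificates,
# refusing files it would silently skip. Function name and the directory
# override argument are mine, not from the post.
# Usage: install_ca_cert ./cert untangle-ca.crt

install_ca_cert() {
    src="$1"                                        # e.g. the file from wget http://firewallURL/cert
    name="$2"                                       # install name; must end in .crt
    ca_dir="${3:-/usr/local/share/ca-certificates}" # where update-ca-certificates looks

    case "$name" in
        *.crt) ;;
        *) echo "error: update-ca-certificates only picks up *.crt files (got $name)" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "error: $src not found" >&2; return 1; }

    # The directory must hold PEM. A DER export (or an HTML error page served
    # by the firewall's download URL) has no PEM markers and must not be installed.
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$src"; then
        echo "error: $src is not a PEM certificate; for DER run:" >&2
        echo "       openssl x509 -inform der -in $src -out $name" >&2
        return 2
    fi
    if ! grep -q -- '-----END CERTIFICATE-----' "$src"; then
        echo "error: $src is truncated (no END CERTIFICATE marker)" >&2
        return 2
    fi
    # A bundle (CA + chain) is legal here, but say so: every cert in it becomes trusted.
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$src")
    if [ "$n" -gt 1 ]; then
        echo "note: $src holds $n certificates; all of them will be trusted" >&2
    fi

    mkdir -p "$ca_dir" && cp "$src" "$ca_dir/$name" && chmod 644 "$ca_dir/$name" || return 1
    # Only rebuild the system bundle when writing to the real directory.
    if [ "$ca_dir" = /usr/local/share/ca-certificates ]; then
        update-ca-certificates
    fi
    return 0
}
```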

Securing Enterprise Wireless

Our small business is growing into a medium sized business rather quickly. What was acceptable before (BYOD, honor system, etc) is no longer able to be sustained.

I’ve been at this same company since we had a single Linksys WRT54GS access point and ~40 employees; we now have 7 Meraki APs (MR18s and MR24s) across 3 locations and 200+ employees.

Originally we had a standard WPA/TKIP with a pre-shared key (PSK) that was given out to those who needed it. Unfortunately this PSK ended up in the hands of so many people that it was difficult to control. I rolled out an NPS server (Windows RADIUS) to allow only those with domain credentials to connect; this alleviated the issue of having non-employees on the network (for the most part), but individuals quickly realized they could add their iPad/Tablet, phone, and other laptops to the company network.

If that’s OK with you, here’s my NPS configuration (I have this on two different NPS servers for redundancy):
RADIUS Clients

Friendly name: SuiteNumber_DeviceModel
IP Address: The statically assigned IP of the device
Device Manufacturer: RADIUS Standard
NAP-Capable: No (for now)
Status: Enabled

(screenshot: wireless_01)

Connection Request Policies

Policy Name: I picked “Secure Wireless Connections” and Enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11
Settings: I left these as the defaults as I wanted the Network Policy to dictate the authentication methods

(screenshot: wireless_02)

Network Policies

Policy Name: I once again picked “Secure Wireless Connections” and enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11 / Windows Groups of domain\domain computers and domain\domain users
Since I don’t feel like typing it all out, look at the picture.

(screenshot: wireless_03)

Just point your wireless device(s) to your NPS/RADIUS server IP with the default port and away you go.


Getting it working with certificate-based security was a bit more work:

I am assuming that you’re using an on-premises Certificate Authority and that it’s already up and running. In my case we have a 2008R2 CA already published in Active Directory. If it’s not published in AD, you can always have a GPO that pushes the trusted root certificate authority to all domain members.

Anyway, I needed to set it so that every domain joined computer would enroll with a computer certificate against this CA, so I created a GPO called Wireless Settings (I don’t really like adding things to the default domain policy, so I end up creating new).
Under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Certificate Services Client – Auto-Enrollment Settings
(screenshot: wireless_04)

From this I verified that computers had the appropriate certificates installed by looking at my MMC:
start, run, MMC
Add Certificates (Computer account) for the local machine
Verify there’s a certificate issued to your computername.yourdomainname.tld from the Certificate Authority with hooks into AD
(screenshot: wireless_05)

Now I finished up my Wireless Settings GPO with some Wireless Network (802.11) Policies. See the picture. Lazy.
The Profile Name will be the one displayed when people search for available wireless networks and, to the end-user, they will be connecting to this access point. You can actually publish multiple SSIDs under this name (I only have the “Linksys47532” name available currently).
(screenshot: wireless_06)

You’d have to run
netsh wlan show interfaces
from an administrative command window to actually see which network is being connected to.

When I get around to publishing a computer certificate that can be imported on an iPhone, I’ll update this post.

Cisco NTP Timezone

I needed to set the NTP, change the time, and verify everything was all set on a few of the switches around the office. I also changed the timezone.

#show clock
18:36:39.993 UTC Mon Dec 10 2012

conf t
clock timezone CST -6
exit
clock set 18:36:39 CST 10 Dec 2012
#show clock
18:36:39.993 CST Mon Dec 10 2012

conf t
ntp server 0.north-america.pool.ntp.org
ntp server 1.north-america.pool.ntp.org
exit
show ntp associations
show ntp status