IT.TheLibrarie.Com Ramblings Of An IT Person

January 29, 2018

Unifi Linux and Windows Certificates

Filed under: Linux,Miscellaneous,Networking — bsdman @ 9:49 am

I thought I knew it all about certificates, but then I was humbled once again.

I needed to “secure” an internal Linux web server using our Windows 2016 CA to remove the “this is an unverified site” messages that liked to pop up when browsing the various sites.

The process I had done in the past was to create the CSR using openssl, copy the CSR text, open up my trusty http://certserverhere/certsrv/ site and go through the process of making a web server certificate. Then, when finished, just download the certificate and the CA + chain, import on Linux, and profit.

Well, the newer template versions (V3 and V4 specifically) are not supported by the web enrollment pages at my trusty http://certserverhere/certsrv site. Booo.

I could probably get it to work by just requesting my own certificates using the MMC, but I’m still leaning towards the whole CLI phase of life. I should also note that I find the performance and management of Unifi on Linux to be significantly better and easier than that on Windows. YMMV.

By the way, this is technically how I published a certificate on our Unifi wireless controller. The Certificate Authority is a 2016 Windows Server that’s been published in AD. The Unifi machine is running Ubuntu 17.10 and Unifi version 5.6.29. I also used WinSCP, PuTTY, and my base machine is Win10 (not super applicable).

SSH to the Unifi Machine
(I did this as root, so add “sudo” before commands if you’re not the root god)
cd /usr/lib/unifi
java -jar lib/ace.jar new_cert unifi.domain.tld CompanyName Town State Country
This creates unifi_certificate.csr.der and unifi_certificate.csr.pem – the DER is the binary encoding of the same request; the PEM (base64 text) is what we need to paste into the CA.

Get the PEM over to your CA Server
I just used nano to view all the data and then copy pasted, but feel free to WinSCP it over as well
nano unifi_certificate.csr.pem
Copy this text, then on the CA create a new text file and paste the data there. Save.

Certreq
Open an administrative Command Prompt on your CA server
certreq -submit -attrib "SAN:dns=unifi.yourdomain.tld&dns=unifi" -attrib "CertificateTemplate:WebServer2018" unifi_certificate.csr.pem
By default your Certificate Template will be “WebServer” instead of the one I listed above – I created my own template with the year it’s valid for the sake of record keeping. One caveat: a CA only honours a SAN passed as a request attribute like this when the EDITF_ATTRIBUTESUBJECTALTNAME2 edit flag is set on its policy module, and with that flag on any enrollee can assert arbitrary names in a request for any template they can enroll against (a classic AD CS privilege-escalation path). If your CA accepts the line above, that flag is on, so keep enrollment permissions on the affected templates tight.

Save the Certificate
Assuming the request went through, you’ll be able to name and save your signed certificate. In my case I named it unifi_withSAN.domain.tld.cer. I also navigated to the http://certserverhere/certsrv site and downloaded the CA certificate, Certificate chain, or CRL (I just downloaded the CA Certificate as it’s a single host with no subs).

Copy it back to Unifi
I used WinSCP to copy both the signed certificate as well as the CA Certificate I downloaded back to my /home directory on the Unifi server.

Final Touches
Back on your Unifi SSH session (in the /usr/lib/unifi directory)
java -jar lib/ace.jar import_cert /home/unifi_withSAN.domain.tld.cer /home/srv-cert01-ca.cer
Replace srv-cert01-ca with the name of your CA certificate.
If successful, restart the unifi services
service unifi restart

Close your browser and open back up to https://unifi:8443 and no more error!

September 13, 2017

Tmobile Band 12

Filed under: Miscellaneous,Networking — bsdman @ 11:22 am

T-Mobile bought up quite a bit of the 700 MHz (Band 12) spectrum, but I wanted to see where it was being deployed.

Map of Deployments and other Information
http://maps.spectrumgateway.com/t-mobile-700-mhz-spectrum.html

How to find the current band on an iPhone
Open the Dialer
Dial *3001#12345#* and press Dial/Talk
This enables Field Test Mode
Navigate to LTE > Service Cell Info
The value next to Freq_band_ind is the band you’re currently using. In my case it’s Band 2.

http://www.radio-electronics.com/info/cellulartelecomms/lte-long-term-evolution/lte-frequency-spectrum.php

LTE BANDS (all frequencies in MHz; uplink is listed before downlink. A negative duplex spacing means the downlink block sits below the uplink block; Band 29 is downlink-only.)

Band  Uplink            Downlink          Width  Duplex spacing  Band gap
1     1920 – 1980       2110 – 2170       60     190             130
2     1850 – 1910       1930 – 1990       60     80              20
3     1710 – 1785       1805 – 1880       75     95              20
4     1710 – 1755       2110 – 2155       45     400             355
5     824 – 849         869 – 894         25     45              20
6     830 – 840         875 – 885         10     45              35
7     2500 – 2570       2620 – 2690       70     120             50
8     880 – 915         925 – 960         35     45              10
9     1749.9 – 1784.9   1844.9 – 1879.9   35     95              60
10    1710 – 1770       2110 – 2170       60     400             340
11    1427.9 – 1452.9   1475.9 – 1500.9   20     48              23
12    698 – 716         728 – 746         18     30              12
13    777 – 787         746 – 756         10     -31             41
14    788 – 798         758 – 768         10     -30             40
15    1900 – 1920       2600 – 2620       20     700             680
16    2010 – 2025       2585 – 2600       15     575             560
17    704 – 716         734 – 746         12     30              18
18    815 – 830         860 – 875         15     45              30
19    830 – 845         875 – 890         15     45              30
20    832 – 862         791 – 821         30     -41             71
21    1447.9 – 1462.9   1495.9 – 1510.9   15     48              33
22    3410 – 3500       3510 – 3600       90     100             10
23    2000 – 2020       2180 – 2200       20     180             160
24    1626.5 – 1660.5   1525 – 1559       34     -101.5          135.5
25    1850 – 1915       1930 – 1995       65     80              15
26    814 – 849         859 – 894         35     45              10
27    807 – 824         852 – 869         17     45              28
28    703 – 748         758 – 803         45     55              10
29    n/a               717 – 728         11     n/a             n/a
30    2305 – 2315       2350 – 2360       10     45              35
31    452.5 – 457.5     462.5 – 467.5     5      10              5

February 14, 2017

Powershell Add Certificates to Firefox User

Filed under: Microsoft,Networking — bsdman @ 9:05 am

As we recently implemented a MITM SSL inspection web filter, I needed a way to install the locally signed certificate into the firefox stores on managed devices.

Firefox, by default, does not use the built-in Windows certificate store and instead uses its own (cert8.db/cert9.db inside each profile). Chrome/IE/Edge do not have this same issue, and the GPO that publishes an internal certificate to domain computers is working wonderfully. Firefox, on the other hand, is not so helpful. (Newer Firefox builds can be told to trust the Windows root store through the security.enterprise_roots.enabled preference, which is the cleaner fix if your builds are recent enough.)

After some research it was obvious the best solution was to use powershell/certutil to force an import of the certificate into the local profile’s store. I must admit it took me about 10 minutes to realize that Mozilla/Firefox has its own version of certutil that IS NOT the same as the windows certutil… SMH.

I’ve zipped up the required files as of 02/2017 here.

And here is the ps1 script I used which assumes you installed the OS on the C:\ drive with most of the defaults:

# Adds the SSL-inspection CA certificate to each Firefox profile's own store (cert8.db/cert9.db),
# since Firefox does not use the Windows certificate store. Run in the user's context (logon script)
# so $env:APPDATA resolves to the user whose profiles are being updated.
# certutil.exe here is Mozilla's NSS certutil from the zip above, NOT the Windows certutil.exe;
# call it by full path so the wrong one is never picked up from PATH.
$NssCertutil = "C:\Tools\nss\certutil.exe"            # assumption: wherever the zipped NSS tools were unpacked
$CertFile    = "certificate_from_content_filter_or_UTM.crt"
$ProfileRoot = Join-Path $env:APPDATA "Mozilla\Firefox\Profiles"

# Loop over every profile so the certificate really lands in ALL of them
# (the original one-liner only worked when exactly one profile existed).
foreach ($Profile in Get-ChildItem -Path $ProfileRoot -Directory) {
    # Firefox 58+ profiles use cert9.db (sqlite) and need the "sql:" prefix; older ones use cert8.db.
    $DbDir = if (Test-Path (Join-Path $Profile.FullName "cert9.db")) { "sql:" + $Profile.FullName } else { $Profile.FullName }
    # -t "CT,C,C": trust as a CA for SSL servers (C) and clients (T), e-mail and code signing.
    & $NssCertutil -A -n "Name of Certificate" -t "CT,C,C" -i $CertFile -d $DbDir
}

February 6, 2017

Add Self-Signed Certificate to Ubuntu

Filed under: Linux,Networking — bsdman @ 9:18 pm

I’m currently running Untangle as my firewall/router UTM and recently enabled SSL Inspection. Unfortunately apt-get was breaking on my Linux boxes (the inspecting proxy re-signs HTTPS repository traffic with its own CA), so I had to import the certificate. Since the download itself goes over plain HTTP through that same firewall, compare the certificate’s fingerprint with the one shown in the firewall’s admin UI before trusting it.

On my Linux box I ran the following and it worked fine:
wget http://firewallURL/cert
# update-ca-certificates only picks up PEM files with a .crt extension under /usr/local/share/ca-certificates
mv cert cert.crt
sudo cp cert.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates
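The four commands above trust whatever the firewall served over plain HTTP. The script below is an added example, not from the original post or from Untangle, showing the two checks worth wrapping around that step: the fetched file is normalised to PEM (update-ca-certificates silently ignores DER), its SHA-256 fingerprint is compared against a value obtained out of band, and it is refused unless it is actually a CA certificate. The firewall, its certificate and the expected fingerprint are all constructed locally for the example; it assumes openssl 1.1.1 or newer, and writes to a temporary directory in place of /usr/local/share/ca-certificates.

```shell
#!/bin/sh
# Added example (not from the original post or Untangle): pin-check a CA
# certificate fetched from the inspecting firewall before installing it.
# Assumes openssl 1.1.1+. The "firewall" certificate below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for what "wget http://firewallURL/cert" fetched. Inspecting proxies
# hand out PEM or DER; we produce DER here to exercise the conversion path.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Untangle Inspection CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl x509 -in "$WORK/ca.pem" -outform DER -out "$WORK/cert"

# Normalise to PEM: update-ca-certificates only processes PEM *.crt files.
to_pem() {        # $1 = fetched file  $2 = output PEM path
    if grep -q 'BEGIN CERTIFICATE' "$1"; then cp "$1" "$2"
    else openssl x509 -in "$1" -inform DER -out "$2"; fi
}

# SHA-256 fingerprint as lowercase hex without colons, so it compares cleanly
# with whatever the firewall's admin console shows.
fingerprint() {   # $1 = PEM certificate
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# Refuse anything that is not a CA certificate: a leaf cert in the trust store
# will not fix apt and is just noise that someone may later misread as trust.
is_ca() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# Install only if the fingerprint matches the value read off the firewall (out
# of band), writing <dir>/<name>.crt exactly as update-ca-certificates expects.
install_pinned() { # $1 = fetched file  $2 = expected sha256  $3 = target dir  $4 = name
    to_pem "$1" "$WORK/candidate.pem"
    actual=$(fingerprint "$WORK/candidate.pem")
    if [ "$actual" != "$2" ]; then
        echo "fingerprint mismatch: got $actual, expected $2" >&2; return 1
    fi
    is_ca "$WORK/candidate.pem" || { echo "not a CA certificate, refusing" >&2; return 1; }
    cp "$WORK/candidate.pem" "$3/$4.crt"
    # on a real host this is where "sudo update-ca-certificates" follows
}

# Usage with the constructed fixture. In practice EXPECTED is typed in from the
# firewall UI; here it is read from the local copy so the example runs offline.
EXPECTED=$(fingerprint "$WORK/ca.pem")
mkdir -p "$WORK/ca-certificates"
install_pinned "$WORK/cert" "$EXPECTED" "$WORK/ca-certificates" untangle-inspection-ca \
    && echo "installed $WORK/ca-certificates/untangle-inspection-ca.crt"
```

Swap the target directory for /usr/local/share/ca-certificates (under sudo) and run update-ca-certificates afterwards; a wrong expected fingerprint, as the test exercises, leaves nothing behind.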

May 13, 2015

Securing Enterprise Wireless

Filed under: Microsoft,Networking — bsdman @ 9:50 am

Our small business is growing into a medium-sized business rather quickly. What was acceptable before (BYOD, honor system, etc.) can no longer be sustained.

I’ve been at this same company since we had a single Linksys WRT54GS access point with ~40 employees, and we are now at seven Meraki APs (MR18s and MR24s) across 3 locations and 200+ employees.

Originally we had a standard WPA/TKIP with a pre-shared key (PSK) that was given out to those who needed it. Unfortunately this PSK ended up in the hands of so many people that it was difficult to control. I rolled out an NPS server (Windows RADIUS) to allow only those with domain credentials to connect; this alleviated the issue of having non-employees on the network (for the most part), but individuals quickly realized they could add their iPad/Tablet, phone, and other laptops to the company network.

If that trade-off (any device with domain credentials can join) is OK with you, here’s my NPS configuration (I have this on two different NPS servers for redundancy):
RADIUS Clients

Friendly name: SuiteNumber_DeviceModel
IP Address: The statically assigned IP of the device
Device Manufacturer: RADIUS Standard
NAP-Capable: No (for now)
Status: Enabled

[screenshot: wireless_01]

Connection Request Policies

Policy Name: I picked “Secure Wireless Connections” and Enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11
Settings: I left these as the defaults as I wanted the Network Policy to dictate the authentication methods

[screenshot: wireless_02]

Network Policies

Policy Name: I once again picked “Secure Wireless Connections” and enabled the policy
Conditions: NAS Port Type of Wireless-Other OR Wireless-IEEE802.11 / Windows Groups of domain\domain computers and domain\domain users
Since I don’t feel like typing it all out, look at the picture.

[screenshot: wireless_03]

Just point your wireless device(s) (the APs, as RADIUS clients) at your NPS/RADIUS server IP on the default port (UDP 1812) with the shared secret you set under RADIUS Clients, and away you go.


Moving to certificate-based authentication (machine certificates instead of user passwords) took a bit more work:

I am assuming that you’re using an on-premise Certificate Authority and that it’s already up and running. In my case we have a 2008R2 CA already published in Active Directory. If it’s not published in AD, you can always have a GPO that pushes the trusted root certificate authority to all domain members.

Anyway, I needed every domain-joined computer to enroll for a computer certificate against this CA, so I created a GPO called Wireless Settings (I don’t really like adding things to the Default Domain Policy, so I end up creating new ones).
Under Computer Configuration / Policies / Windows Settings / Security Settings / Public Key Policies / Certificate Services Client – Auto-Enrollment Settings
[screenshot: wireless_04]

From this I verified that computers had the appropriate certificates installed by looking at my MMC:
start, run, MMC
Add Certificates (Computer account) for the local machine
Verify there’s a certificate issued to your computername.yourdomainname.tld by the AD-integrated Certificate Authority
[screenshot: wireless_05]

Now I finished up my Wireless Settings GPO with some Wireless Network (802.11) Policies. See the picture. Lazy.
The Profile Name will be the one displayed when people search for available wireless networks and, to the end-user, they will be connecting to this access point. You can actually publish multiple SSIDs under this name (I only have the “Linksys47532” name available currently).
[screenshot: wireless_06]

You’d have to run
netsh wlan show interfaces
from an administrative command window to actually see the network being connected to.

When I get around to publishing a computer certificate that can be imported on an iPhone, I’ll update this post.

December 10, 2012

Cisco NTP Timezone

Filed under: Networking — bsdman @ 7:43 pm

I needed to set the NTP servers, change the time and the timezone, and verify everything was all set on a few of the switches around the office. Note that the switch needs working name resolution (ip name-server and ip domain-lookup) at the moment you enter an ntp server line with a hostname; classic IOS resolves it then and stores the address, so a pool name will not rotate between servers afterwards.

#show clock
18:36:39.993 UTC Mon Dec 10 2012

conf t
clock timezone CST -6
exit
clock set 18:36:39 CST 10 Dec 2012
#show clock
18:36:39.993 CST Mon Dec 10 2012

conf t
ntp server 0.north-america.pool.ntp.org
ntp server 1.north-america.pool.ntp.org
exit
show ntp associations
show ntp status

Enable SSH Cisco IOS

Filed under: Networking — bsdman @ 3:05 pm

So I wanted to disable telnet and enable SSH only on the switches – take my 2950 and 3560 switches and change the following:
Change the hostname and generate the crypto keys
conf t
hostname HOSTNAMEHERE
ip domain-name HOSTDOMAINHERE
! SSH version 2 refuses RSA keys shorter than 768 bits and the old 512-bit
! default is trivially breakable, so ask for 2048 explicitly.
crypto key generate rsa modulus 2048
! If this command does not exist you need a K9 (cryptographic) IOS image.
end
show ip ssh
wr mem

Enable AAA authentication (login and exec authorization against the local user database)
conf t
! service password-encryption only obfuscates "password" lines (type 7, reversible);
! it is not a substitute for the "secret" keyword used below.
service password-encryption
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa authorization network default local
exit

Create the user
conf t
! "secret" stores a hash; "password" would be stored reversibly. privilege 15
! drops the user straight into enable mode. Use a different value from the
! enable secret below.
username CISCO privilege 15 secret PASSWORD
end

Create passwords and restrict the lines to SSH
conf t
enable secret PASSWORD
line con 0
! with aaa new-model the console also authenticates against the local user
! database, so this line password is unused (but harmless)
password PASSWORD
line vty 0 4
no password
transport input ssh
line vty 5 15
no password
transport input ssh
exit

Set SSH arguments
conf t
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 2
end
wr mem
show ip ssh
