WLAN Monitoring – Splunking on Pi

Beacon Sandwich

Splunking Around

The Caveat/Disclaimer

I’m going to start with some caveats that completely undermine myself and this blog, but I feel it is needed and I need to be completely honest:

  1. I am by no means an expert in Splunk
  2. I am not an expert in Wi-Fi
  3. I am not an expert in any of the tools we talk about here, including Linux

Why did I feel that was necessary? Well, some of the things I talk about here are simply my own way of discovering how to use these tools and how to get these tools to interface with each other, and they probably do not follow any industry standards or best practices.
This for me is a learning journey, and some of the documentation is lacking or out of date so I have found my own ways to overcome these challenges. To make things easier for myself, where the documentation…


ClearPass – Custom Guest MAC Auth Expiry

Another ClearPass post for you lovely, lovely readers.

Aruba ClearPass Network Access Manager - Body

Setting the scene

Imagine if you will that a customer has an “open” guest SSID and wanted to authenticate all guest accounts via a ClearPass captive portal using the same static guest user. They also didn’t want the guest to have to log back in for 12 hours following the initial captive portal authentication.

Gotcha gotcha

Sounds pretty simple right? Well, it is very simple but there’s a gotcha in there that you should be aware of. You’ll have to read my ramblings or skip to near the end to find out.

Config

To achieve what the customer wanted I did the following:

  • Created a guest user with no expiry
  • Created a guest user auth with MAC caching service with corresponding enforcement
  • Created a guest user MAC auth service with corresponding enforcement
  • Created a guest login page
  • Configured the SSID, AAA & roles on the controller

I used the wizard to create the services (I’ll probably get some stick for that). So, you can use the ClearPass service wizard to create a service that authenticates guests and caches their MAC address.

When you do this it’ll create quite a few enforcement policies that you probably don’t need, so remember to delete them or remove them from your enforcement profiles.

The wizard creates an enforcement profile which sets the MAC auth expiry time to 1 day. That means after a guest logs into the captive portal, they can disconnect and reconnect to the guest SSID and gain network access without logging back into the captive portal for 24 hours.

ClearPass does this by keeping a record of the device that the guest user logged in from in the endpoint repository. Along with the endpoint device, ClearPass writes an attribute called “MAC-Auth Expiry” and populates it with a value which is 24 hours from the date the guest user authenticated. Note the format of the date and time in the image of the endpoint attributes below.

endpoint

OK, so all we need to do now is change the expiry to 12 hours.

Custom Time Config

ClearPass has a time source SQL database. By default the following time attributes are available.

  • current time
  • 2 hours time
  • 1 days time
  • 1 weeks time
  • 1 months time
  • 6 months time

I just used the “2 hours time” attribute as a template and created a “12 hours time” attribute as in the image below.

time222.jpg

Next I updated my enforcement profile which sets the MAC-Auth Expiry to reference this new time attribute.

timer

Awesome! Whoa there cowboy. Don’t celebrate prematurely. After making this change guests could MAC auth after authenticating via the captive portal days after the initial auth. Clearly the MAC Auth Expiry wasn’t working.

Troubleshooting

There were no errors anywhere. The times on all network devices were synced from the same NTP servers and were definitely not out of sync.

I double checked my custom time attribute and noticed that there were duplicates of the same time values but with different names. I probably should have noticed that when I was adding my custom attribute.

times2

A little more digging around and I discovered one time format was in EPOCH and the other in Date/Time. Now we’re getting somewhere. The 12 Hours custom time attribute I created was an integer EPOCH time format.

My Guest MAC Auth service was checking the current time (Now DT) in date/time format to see if it was less than the endpoint device MAC-Auth Expiry which I’d specified in EPOCH format… and current time was always coming out less, so the cached MAC never expired.

I checked the time source and noticed 2 current time attributes:

  • Now
  • Now DT

Now is in EPOCH format and Now DT in date/time format.

I changed my Guest MAC Auth service role mapping policy from referencing Now DT to Now.

now

Now we’ve got both the time source and the MAC-Auth Expiry in EPOCH format and testing showed that the solution now worked.
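The expiry check described above, as an added example that is not ClearPass code and not part of the original post: it models the endpoint repository, derives the “12 hours time” value in EPOCH form, and makes the role mapping comparison refuse anything that is not an EPOCH integer on both sides, so a “Now DT” date/time slipping into the comparison fails loudly instead of silently keeping every cached MAC valid. The MAC address, login time and function names are assumptions for illustration; the Date/Time string format is assumed to be YYYY-MM-DD HH:MM:SS in UTC.

```python
"""Added example (not ClearPass code): the Guest MAC Auth expiry check from the
post, written so the EPOCH-vs-Date/Time mismatch is a hard error rather than a
comparison that always comes out "less"."""
from datetime import datetime, timezone

TWELVE_HOURS = 12 * 60 * 60  # the custom "12 hours time" attribute, in seconds


def mac_auth_expiry(auth_epoch: int, lifetime_seconds: int = TWELVE_HOURS) -> int:
    """Value written to the endpoint's MAC-Auth Expiry attribute (EPOCH integer)."""
    return auth_epoch + lifetime_seconds


def now_dt_to_epoch(text: str) -> int:
    """Convert a "Now DT" style value (assumed "YYYY-MM-DD HH:MM:SS", UTC) to EPOCH
    so it can be compared with an EPOCH expiry."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def cache_still_valid(now, expiry) -> bool:
    """Role mapping rule: current time < MAC-Auth Expiry.

    Both operands must be EPOCH integers. Feeding a date/time ("Now DT") on one
    side and EPOCH on the other is exactly the misconfiguration the post hit.
    """
    if not (isinstance(now, int) and isinstance(expiry, int)):
        raise TypeError("time source and MAC-Auth Expiry must both be EPOCH integers")
    return now < expiry


# Constructed endpoint repository: MAC -> attributes the captive portal login wrote
AUTH_TIME = 1_700_000_000  # constructed EPOCH of the captive portal login
ENDPOINTS = {
    "aa:bb:cc:dd:ee:01": {"MAC-Auth Expiry": mac_auth_expiry(AUTH_TIME)},
}


def mac_auth_decision(mac: str, now_epoch: int) -> str:
    """What the Guest MAC Auth service should return for a reconnecting device."""
    attrs = ENDPOINTS.get(mac)
    if attrs is None:
        return "deny: unknown endpoint, send to captive portal"
    if cache_still_valid(now_epoch, attrs["MAC-Auth Expiry"]):
        return "allow: guest role (MAC cached)"
    return "deny: cache expired, send to captive portal"


if __name__ == "__main__":
    for hours in (1, 11, 13):
        when = AUTH_TIME + hours * 3600
        print(f"{hours:>2}h after login: {mac_auth_decision('aa:bb:cc:dd:ee:01', when)}")
    try:
        # the broken configuration: Now DT (date/time) against an EPOCH expiry
        cache_still_valid("2023-11-15 09:00:00", mac_auth_expiry(AUTH_TIME))
    except TypeError as exc:
        print("rejected:", exc)
```

The point of the type check is that a comparison which can never be false is indistinguishable from a working one in the access tracker: the only symptom is guests who never get sent back to the portal. Keeping both sides in the same format (Now with an EPOCH expiry, or converting Now DT first) is the whole fix.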

Improvements

Happy to hear if there are other ways to implement this.

FYI I know that using a static guest account isn’t ideal but this was a customer requirement.

ClearPass – Sending TACACS+ Audit log to Syslog Server

ClearPass – TACACS+ Audit logs

So you’ve got ClearPass and have wisely decided to utilise it to secure and monitor your switching infrastructure. You’ve set up TACACS+ on the switches & configured a service on ClearPass (possibly following the awesome guide on the Aruba Solution Exchange). If you’re having problems setting it up head over to the Airheads community and you’ll get some great help over there.

Just a second, if you’re not aware of the Aruba Solution Exchange (ASE) you should really check it out. In fact go there now. Come back when you’ve had a good browse of what’s on offer. Ok, back now?

Right, back on track. TACACS authentication and accounting is now set up and working. You should see the authentication requests in the access tracker and when clicking on the Authorizations tab you’ll see the commands as in the image below:

Authorizations

Now, if you select the accounting record that is associated with these requests and go to the Details tab you’ll see the commands again but with a few more details including the privilege level. See below:

Details

If you have your own syslog server and you want (or need) to export these audit trail details you need to head down to the “Syslog Export Filters” under Administration / External Servers. You can manually set up some filters using the pre-defined options and dropdown lists or create custom SQL queries to decide what gets sent to your syslog server.

I couldn’t find exactly what I needed from the pre-defined options.

I wanted to export the following:

  • Device changes are being made on
  • User making the changes
  • Commands being run
  • Where the user logged in from
  • Timestamp

I could see the details I wanted to export but they were in a couple of different tables. Turns out it’s fairly trivial to generate a query which searches a couple of tables.

Here’s the resulting SQL query:

SELECT tips_tacacs_accounting_records.nas_ip,
       tips_tacacs_accounting_records.user_name,
       tips_tacacs_accounting_records.remote_address,
       tips_tacacs_accounting_details.attr_value,
       tips_tacacs_accounting_details.timestamp
FROM tips_tacacs_accounting_details
JOIN tips_tacacs_accounting_records
  ON tips_tacacs_accounting_details.session_id = tips_tacacs_accounting_records.id
WHERE (tips_tacacs_accounting_details.timestamp >= --START-TIME--)
  AND (tips_tacacs_accounting_details.timestamp <= --END-TIME--)
  AND (tips_tacacs_accounting_details.attr_name = 'cmd');

You can download a copy of the ClearPass Export Filter from here. You could import it into your ClearPass server(s) and modify the syslog target if you wished. The SQL query is also available here.
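To see what the export filter actually produces before pointing it at a syslog server, here is an added example (not ClearPass’s own code, and not from the original post) that replays the same join over a constructed, in-memory copy of the two tables. The table and column names are the ones the query uses; the schema, every row, and the syslog line format are made up for the example, and the --START-TIME-- / --END-TIME-- tokens (which I take to be placeholders ClearPass fills in with the export window) are replaced by bind parameters so the query runs under sqlite3.

```python
"""Added example (not ClearPass code): run the post's TACACS+ audit-trail
query over a constructed in-memory copy of the two ClearPass tables."""
import sqlite3

# Assumed schema: only the columns the post's query references
SCHEMA = """
CREATE TABLE tips_tacacs_accounting_records (
    id INTEGER PRIMARY KEY,
    nas_ip TEXT,
    user_name TEXT,
    remote_address TEXT
);
CREATE TABLE tips_tacacs_accounting_details (
    session_id INTEGER,
    attr_name TEXT,
    attr_value TEXT,
    timestamp TEXT
);
"""

# Constructed sample data: two admin sessions on two switches
RECORDS = [
    (1, "10.0.0.11", "alice", "192.0.2.10"),
    (2, "10.0.0.12", "bob", "192.0.2.20"),
]
DETAILS = [
    (1, "cmd", "configure terminal", "2016-03-01 09:00:05"),
    (1, "cmd", "vlan 100", "2016-03-01 09:00:09"),
    (1, "priv-lvl", "15", "2016-03-01 09:00:09"),       # not a command: filtered out
    (2, "cmd", "show running-config", "2016-03-01 10:30:00"),
    (2, "cmd", "write memory", "2016-03-02 08:00:00"),  # outside the export window
]

# The post's query with the two ClearPass placeholders replaced by bind parameters
AUDIT_QUERY = """
SELECT tips_tacacs_accounting_records.nas_ip,
       tips_tacacs_accounting_records.user_name,
       tips_tacacs_accounting_records.remote_address,
       tips_tacacs_accounting_details.attr_value,
       tips_tacacs_accounting_details.timestamp
FROM tips_tacacs_accounting_details
JOIN tips_tacacs_accounting_records
  ON tips_tacacs_accounting_details.session_id = tips_tacacs_accounting_records.id
WHERE tips_tacacs_accounting_details.timestamp >= ?
  AND tips_tacacs_accounting_details.timestamp <= ?
  AND tips_tacacs_accounting_details.attr_name = 'cmd'
ORDER BY tips_tacacs_accounting_details.timestamp
"""


def build_db() -> sqlite3.Connection:
    """Create the two tables in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO tips_tacacs_accounting_records VALUES (?,?,?,?)", RECORDS)
    conn.executemany("INSERT INTO tips_tacacs_accounting_details VALUES (?,?,?,?)", DETAILS)
    return conn


def export_commands(conn: sqlite3.Connection, start_time: str, end_time: str) -> list:
    """Rows the export filter would send for the window [start_time, end_time]."""
    return conn.execute(AUDIT_QUERY, (start_time, end_time)).fetchall()


def as_syslog_lines(rows) -> list:
    """Flatten each row into one key=value message (format is an assumption)."""
    return [
        f'nas_ip={nas} user={user} from={src} cmd="{cmd}" ts={ts}'
        for nas, user, src, cmd, ts in rows
    ]


if __name__ == "__main__":
    db = build_db()
    window = ("2016-03-01 00:00:00", "2016-03-01 23:59:59")
    for line in as_syslog_lines(export_commands(db, *window)):
        print(line)
```

Two rows are deliberately excluded: the priv-lvl attribute (not a command, so the attr_name filter drops it) and a command outside the window. If you change the filter to export privilege level as well, drop the attr_name condition and send attr_name along with attr_value so the syslog consumer can tell them apart.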

Disclaimer

I’m by no means a DBA and only provide the information in this blog as a reference. I accept no responsibility if you decide to copy anything off this blog and use it in any way. Also I wouldn’t be surprised if there were a more elegant way to achieve this so please post in the comments if you know one.

Using RADIUS to secure your switches

Maybe you’re thinking of securing your switches with RADIUS? Whilst you can certainly authenticate admin users using RADIUS you cannot “log the commands used. It will only log the start, stop, and interim records of that session. This means that if there are two or more administrators logged at any one time, there is no way of telling which administrator entered which commands.”. Plus TACACS+ has been designed for this purpose, RADIUS however has not. More TACACS+ reading.

Links/References

Aruba Airheads Community
Aruba Solution Exchange
ASE Splunk Syslog Export
ASE CPPM / Cisco TACACS+ Setup
The Advantages of TACACS+ for Administrator Authentication

So I went to HPE Discover London and…

I’ve gotta say, I had a lovely time at HPE Discover London. If you couldn’t make it to the event or just want to re-cap there’s a load of on-demand videos from the event here.

hpe

I’ve been to lots of Aruba Networks events but never HP/HPE. I was pretty impressed by the size of the event: over 16,000 attendees! But when an event is that huge you can’t really see everything, well I couldn’t anyway, it’s just too big. I know you can pick and choose the bits you’re most interested in (wireless I assume?) but I like to soak up as much info as I can and see what’s new in all areas.

It was good to see the Aruba Networks presence there. It wasn’t a huge presence in terms of floor space but they (Dominic Orr) featured in the keynote speeches which surprisingly a large number of people walked out on. Dom did stumble a little in his delivery, which is uncommon for him, so I guess this is why?? Anyone who walked out reading this, please comment why! Maybe it was when HPE tried to give away American Football tickets and were met with.. *tumbleweed*

hpe ticktes

In terms of technology, presentations etc. I found it really interesting hearing from the HPE Labs team. They’re working on “The Machine” which discards the traditional computer architecture model in favour of a model where memory and storage are one and the same things (amongst other things). The benefits according to the Labs team are “quantum leap in performance and efficiency, while lowering costs over the long term and improving security”.

sensor

It was good to see Aruba release their Aruba Beacons management product Aruba Sensor. I would imagine it was a bit of a nightmare managing Beacons without this… The Sensor will manage 10 or so Beacons and piggy back on your existing wireless. It should be noted that your existing wireless needn’t be from Aruba.

Here’s a Sensor in the wild at the event.

To sum things up I really enjoyed my time at the event. It was great to see the direction that the company is heading & their new products. I hope Aruba features more heavily at the next event.

I feel I must add… In the interest of full disclosure, HPE invited me to go to this event as an Independent Industry Influencer and paid for travel, accommodation and a few little treats but this hasn’t influenced my opinions.

HPE Discover London

I was disappointed that Aruba Networks Atmosphere 2015 EMEA was cancelled so was glad when I got the opportunity to go to HP Enterprise – Discover London!

image

It’s running for 3 days, 1st – 3rd December, and as you’d expect the seminars and speakers are covering a huge range of technologies.

I’m most interested in hearing from the wireless speakers but will definitely be checking out as much as possible!

Are you going? What’s your must see seminar?

Guest wireless certificate issue on mobile devices

Not sure if this is an issue with all certificate authorities but I saw this particular issue with GoDaddy.

Issue:

Guest wireless captive portal is secured using a certificate from GoDaddy. When mobile devices get redirected to the captive portal they get a certificate error like the one shown below.

This does not occur on laptops though.

Resolution:

The resolution for me was to include the intermediate certificate in the issued certificate.

Open the certificate in a text viewer such as Notepad. Also open the intermediate cert in Notepad. Now copy the intermediate cert text and paste it after the issued cert text. It’ll look something like this…

2014-11-10 21_12_42-Untitled - Notepad
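The paste-and-append step above is easy to get wrong (intermediate first, a BEGIN/END line lost in the copy). Here is an added example, not from the original post, that builds the combined PEM file in the order described (issued certificate first, then the intermediate) and checks the result before it goes on the controller. The two PEM bodies are constructed placeholders, not real certificates, and the function names are mine.

```python
"""Added example (not from the post): build and sanity-check the
issued-cert + intermediate-cert PEM file the captive portal needs."""
import re

# One PEM certificate block: the markers plus a base64 body
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)\r?\n"
    r"-----END CERTIFICATE-----"
)

# Constructed placeholders standing in for the issued cert and the CA intermediate
ISSUED_CERT = "-----BEGIN CERTIFICATE-----\nQUJDREVGR0hJSktMTU5PUA==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_CERT = "-----BEGIN CERTIFICATE-----\nUVJTVFVWV1hZWjAxMjM0NQ==\n-----END CERTIFICATE-----\n"


def pem_blocks(text: str) -> list:
    """Return the complete certificate blocks found in PEM text, in file order."""
    return [m.group(0) for m in PEM_BLOCK.finditer(text)]


def build_chain(issued_pem: str, *intermediate_pems: str) -> str:
    """Concatenate the issued (server) cert first, then each intermediate."""
    parts = []
    for pem in (issued_pem, *intermediate_pems):
        blocks = pem_blocks(pem)
        if len(blocks) != 1:
            raise ValueError("each input must contain exactly one complete certificate block")
        parts.append(blocks[0] + "\n")
    return "".join(parts)


def check_chain(chain_pem: str, issued_pem: str) -> list:
    """Problems a mobile device would trip over: missing intermediate, wrong
    order, or markers damaged during the paste. Empty list means it looks right."""
    problems = []
    blocks = pem_blocks(chain_pem)
    if len(blocks) < 2:
        problems.append("no intermediate certificate appended")
    if not blocks or blocks[0] != pem_blocks(issued_pem)[0]:
        problems.append("issued (server) certificate is not first in the file")
    if chain_pem.count("BEGIN CERTIFICATE") != chain_pem.count("END CERTIFICATE"):
        problems.append("unbalanced BEGIN/END markers (paste went wrong)")
    return problems


if __name__ == "__main__":
    chain = build_chain(ISSUED_CERT, INTERMEDIATE_CERT)
    print(chain)
    print("problems:", check_chain(chain, ISSUED_CERT) or "none")
```

Laptops usually have the intermediate cached or fetch it via the AIA URL, which is why they did not complain; a phone behind a captive portal cannot fetch anything yet, so the server has to send the whole chain itself.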

Lync 2013 Mediation Server Direct SIP with Gamma Telecom & Sonicwall

This post is about how to set up a Lync Server Mediation server to support Direct SIP whilst utilising Gamma Telecom SIP and a Sonicwall Firewall.

This is the way that I did it, you may choose to do it differently. Leave a comment if you got this working another way.

The reason why you need to configure 2 NICs on the Mediation server is because Gamma require the external IP address to be present in the SIP OPTIONS. Normally this isn’t a problem as many firewalls have a SIP ALG. In simplified terms this means that they NAT the SIP traffic so that it appears to come from your external IP address. Sonicwall can do this for SIP over UDP but not for SIP over TCP. Because of this and the requirements from Gamma it’s necessary to have an external public IP address on your mediation server.

There’s a great post here about how to set up a Lync Mediation server with “Dual homed” NICs. You’ll need to do this, and as it’s such a good post I’m not going to re-create it.

You’ll also need to stick one leg of your Mediation server in a DMZ on the Sonicwall and configure the DMZ in Transparent mode. Another good post here detailing how to set up your Sonicwall DMZ to support this.

Here’s how your mediation server should look in the topology builder.


Here’s the Gateway.


And here’s the Trunk.


That should get you going.

Bye for now.

How to configure Lync 2013 QoS

This is the way that I did it. You may not want to use the same ports, but they’re the standard ones mentioned on Technet. Also I’m aware that you can push out the registry setting via GPO so I’ll leave you to sort that bit out.

Let’s go…

Configuring Port Ranges for Your Conferencing, Application, and Mediation Servers

To implement Quality of Service, you should set up the same port ranges for audio, video, and application sharing on your Conferencing, Application, and Mediation servers.

Property                     Conferencing Server   Application Server   Mediation Server
AudioPortStart               49152                 49152                49152
AudioPortCount               8348                  8348                 8348
VideoPortStart               57501
VideoPortCount               8034
ApplicationSharingPortStart  49152
ApplicationSharingPortCount  16383

Configuring a Quality of Service Policy for Your Conferencing, Application, and Mediation Servers


  1. In Group Policy Management, locate the container where the new policy should be created. For example, if all your Lync Server computers are located in an OU named Lync Server then the new policy should be created in the Lync Server OU.
  2. Right-click the appropriate container and then click Create a GPO in this domain, and Link it here.
  3. In the New GPO dialog box, type a name for the new Group Policy object in the Name box (for example, Lync Server QoS) and then click OK.
  4. Right-click the newly-created policy and then click Edit.
  5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  6. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Server QoS) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  7. On the next page, make sure that All applications is selected and then click Next. This simply ensures that all applications will match packets from the specified port range with the specified DSCP code.
  8. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  9. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  10. Under the heading Specify the source port number, select From this source port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 49152 through ports 57500 for audio traffic enter the port range using this format: 49152:57500. Click Finish.


Do the same for Video but set DSCP to 34 and use ports 57501:65535.

Again for Application sharing, DSCP 24 and ports 40803:49151.

Here’s what it should look like:

Apply the new GPO to your Lync 2013 servers and run gpupdate /force on the Lync servers to apply them or wait for them to apply automatically.

Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]
"Do not use NLA"="1"

If your QoS is being applied correctly you will see the following entries in the Registry on your Lync servers.


Configuring Port Ranges for Your Edge Servers

Packet Type          Starting Port   Number of Ports Reserved
Application sharing  40803           8348
Audio                49152           8348
Video                57500           8034
Totals                               24730

This will configure all Edge servers to use the above range of ports.

Get-CsService -EdgeServer | ForEach-Object {Set-CsEdgeServer -Identity $_.Identity -MediaCommunicationPortStart 40803 -MediaCommunicationPortCount 24730}


Configuring a Quality of Service Policy for Your A/V Edge Servers

  1. Click Start and then click Run.
  2. In the Run dialog box, type gpedit.msc and then press ENTER.
  3. In the Group Policy Management Editor or the Local Group Policy Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  4. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Server Audio) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  5. On the next page, make sure that All applications is selected and then click Next. This setting instructs the network to look for all packets with a DSCP marking of 46, not just packets created by a specific application.
  6. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  7. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  8. Under the heading Specify the destination port number, select From this destination port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 49152 through ports 57500 for audio traffic then enter the port range using this format: 49152:57500. Click Finish.

Do the same for Video but set DSCP to 34 and use ports 57501:65535.

Again for Application sharing, DSCP 24 and ports 40803:49151.

Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]
"Do not use NLA"="1"

Configuring Port Ranges for Your Microsoft Lync Clients

Client Traffic Type   Port Start   Port Range
Audio                 50020        20
Video                 58000        20
Application sharing   42000        20
File transfer         42020        20

Enable client media ports and set them to the above:

Set-CsConferencingConfiguration -ClientMediaPortRangeEnabled $True -ClientAudioPort 50020 -ClientAudioPortRange 20 -ClientVideoPort 58000 -ClientVideoPortRange 20 -ClientAppSharingPort 42000 -ClientAppSharingPortRange 20 -ClientFileTransferPort 42020 -ClientFileTransferPortRange 20


Configuring Quality of Service Policies for Clients Running on Windows 7 or Windows 8


  1. In Group Policy Management, locate the container where the new policy should be created. For example, if all your client computers are located in an OU named Clients then the new policy should be created in the Client OU.
  2. Right-click the appropriate container and then click Create a GPO in this domain, and Link it here.
  3. In the New GPO dialog box, type a name for the new Group Policy object in the Name box (for example, Lync Audio) and then click OK.
  4. Right-click the newly-created policy and then click Edit.
  5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  6. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Audio) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  7. On the next page, make sure that All applications is selected and then click Next. This setting instructs the network to look for all packets with a DSCP marking of 46, not just packets created by a specific application.
  8. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  9. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  10. Under the heading Specify the source port number, select From this source port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 50020 through ports 50039 for audio traffic enter the port range using this format: 50020:50039. Click Finish.

Do the same for Video but set DSCP to 34 and use ports 58000:58019.

Again for Application sharing, DSCP 24 and ports 42000:42019.

Finally for File Transfers, DSCP 14 and ports 42020:42039.
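The server and client QoS procedures above both come down to the same three inputs per traffic type: a port start, a port count, and a DSCP value, entered into the wizard as a start:end range. As an added example, not from the original post or from Microsoft, the block below derives those policy entries from the client port table (the one whose start and count line up exactly with the ranges given above), maps each DSCP value to the ToS byte you would see in a packet capture when checking that the marks really survive, and checks that the ranges do not overlap. The dictionary layout and function names are mine.

```python
"""Added example (not from the post): build the policy-based QoS entries for
the Lync client port table and the on-the-wire ToS byte for each DSCP mark."""

# Client port table from the post: traffic type -> (port start, port count)
CLIENT_PORTS = {
    "Audio": (50020, 20),
    "Video": (58000, 20),
    "Application sharing": (42000, 20),
    "File transfer": (42020, 20),
}

# DSCP values the post assigns to each client traffic type
DSCP = {"Audio": 46, "Video": 34, "Application sharing": 24, "File transfer": 14}


def port_range_string(start: int, count: int) -> str:
    """The start:end format the Policy-based QoS wizard expects (end inclusive)."""
    return f"{start}:{start + count - 1}"


def dscp_to_tos(dscp: int) -> int:
    """DSCP occupies the top six bits of the IP ToS/traffic-class byte; the low
    two bits are ECN. A capture filter on this byte confirms the marking."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit value")
    return dscp << 2


def qos_policies(ports=CLIENT_PORTS, dscp=DSCP) -> list:
    """One policy per traffic type, as you would enter it in the GPO wizard."""
    return [
        {
            "name": f"Lync {kind}",
            "source_ports": port_range_string(start, count),
            "dscp": dscp[kind],
            "tos_byte": dscp_to_tos(dscp[kind]),
        }
        for kind, (start, count) in ports.items()
    ]


def classify_source_port(port: int, ports=CLIENT_PORTS):
    """Which traffic type (if any) a packet with this client source port matches."""
    for kind, (start, count) in ports.items():
        if start <= port < start + count:
            return kind
    return None


def check_no_overlap(ports=CLIENT_PORTS) -> bool:
    """Overlapping ranges would let one traffic type pick up another's DSCP mark."""
    ranges = sorted((start, start + count - 1) for start, count in ports.values())
    return all(a_end < b_start for (_, a_end), (b_start, _) in zip(ranges, ranges[1:]))


if __name__ == "__main__":
    for policy in qos_policies():
        print(f"{policy['name']:<26} ports {policy['source_ports']:<12} "
              f"DSCP {policy['dscp']:>2}  ToS byte 0x{policy['tos_byte']:02X}")
    print("ranges overlap-free:", check_no_overlap())
```

The same functions apply to the server tables if you feed them the server port starts and counts; when you do, compare the computed start:end strings with the ranges you actually typed into the wizard, since an off-by-one at a range boundary silently leaves a port unmarked.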


Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]
"Do not use NLA"="1"

Switch and Firewall QoS

There’s no use setting all this up if your switches and firewall aren’t configured in the same way, or at least to preserve and adhere to the settings you’ve set.

QoS & the Internet

Hah. Good luck with that.

Lync 2013 Front End Service Fails to Start

After installing Lync 2013 the front end service may fail to start. I got the following error:

Log Name: Lync Server
Source: LS User Services
Event ID: 32178
Task Category: (1006)
Level: Error
Keywords: Classic
User: N/A
Computer: lync.jrw.local
Description:
Failed to sync data for Routing group {5A65CDB2-3DB5-5C72-9E7D-416A09E3FB97} from backup store.

Cause: This may indicate a problem with connectivity to backup database or some unknown product issue.

Resolution:
Ensure that connectivity to backup database is proper. If the error persists, please contact product support with server traces.

This looked like the fix: http://support.microsoft.com/kb/2795828/en-us

Had to remove all non root certificates from the trusted root certificates store. However after removing them all and rebooting for good measure I was still unable to start the front end service.

Should have known really… Run Windows Update and install the Lync 2013 cumulative updates KB 2809243 package from here and you’ll be golden.

Lync 2013 Cumulative updates http://www.microsoft.com/en-us/download/details.aspx?id=36820