I was troubleshooting some replication issues for a client, and carried out a dcdiag on one of their domain controllers, and saw this;
Starting test: SystemLog
A warning event occurred. EventID: 0x000016AF
Time Generated: xx/xx/xxxx xx:xx:xx
Event String:
During the past 4.21 hours there have been {xxx} connections to this Domain Controller from client machines whose IP addresses don’t map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client’s site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file ‘%SystemRoot%\debug\netlogon.log’ and, potentially, in the log file ‘%SystemRoot%\debug\netlogon.bak’ created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text ‘NO_CLIENT_SITE:’. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize’; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
Solution
On the DC in question, Windows Key+R > %Systemroot%\debug\netlogon.log > OK > search the file for ‘NO_CLIENT_SITE:’ > There’s your missing subnet (the first word after that string is the client name, the second is its IP address)!
Go to Active Directory Sites and Services, add the missing subnet, and allocate it to the correct site.
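If the netlogon.log is large, it is quicker to let a script pull out the NO_CLIENT_SITE lines and bucket the client addresses into candidate subnets than to read it by eye. The following is an added example (not from the original article): a small Python parser that follows the format the event text describes (first word after ‘NO_CLIENT_SITE:’ is the client name, second is the IP), drops clients already covered by subnets you have defined, and groups the rest by /24. The log lines and the known-subnet list are constructed sample values, and the /24 grouping is only a starting point for the subnet object you create in Sites and Services, not a claim about the real subnet size.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of netlogon.log content (not taken from any real DC);
# the layout follows the "NO_CLIENT_SITE: <client> <ip>" convention the
# event text describes, plus one unrelated debugging line.
SAMPLE_NETLOGON_LOG = """\
07/12 09:19:36 [MISC] DC01: NO_CLIENT_SITE: WKS042 192.168.50.12
07/12 09:19:41 [MISC] DC01: NO_CLIENT_SITE: WKS043 192.168.50.13
07/12 09:20:03 [MISC] DC01: NO_CLIENT_SITE: LAPTOP07 10.20.30.40
07/12 09:20:10 [MISC] DC01: NetpDcGetName: unrelated debugging line
07/12 09:21:55 [MISC] DC01: NO_CLIENT_SITE: WKS042 192.168.50.12
"""

# Subnets already defined in AD Sites and Services (constructed example values).
KNOWN_SUBNETS = {"172.16.254.0/24": "HeadOffice"}

NO_CLIENT_SITE_RE = re.compile(r"NO_CLIENT_SITE:\s+(\S+)\s+(\S+)")


def parse_no_client_site(log_text):
    """Return {client_name: ip_address} for every NO_CLIENT_SITE line.

    Repeated lines for the same client collapse to one entry; lines whose
    second word is not a parseable IP address are skipped.
    """
    clients = {}
    for line in log_text.splitlines():
        match = NO_CLIENT_SITE_RE.search(line)
        if not match:
            continue
        name, raw_ip = match.groups()
        try:
            clients[name] = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue
    return clients


def suggest_subnets(clients, known_subnets, prefix_len=24):
    """Group unmapped client IPs into candidate /prefix_len networks.

    Clients already inside a known subnet are dropped; the rest are bucketed
    by the /prefix_len network they fall in, which is a starting point for
    the subnet object to create, not necessarily the site's real subnet.
    """
    known = [ipaddress.ip_network(n) for n in known_subnets]
    candidates = defaultdict(list)
    for name, ip in clients.items():
        if any(ip in net for net in known):
            continue
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        candidates[str(net)].append(name)
    return {net: sorted(names) for net, names in candidates.items()}


if __name__ == "__main__":
    unmapped = parse_no_client_site(SAMPLE_NETLOGON_LOG)
    for net, names in suggest_subnets(unmapped, KNOWN_SUBNETS).items():
        print(f"{net}: {', '.join(names)}")
```

Run it against a copy of the real netlogon.log (read the file and pass its text to parse_no_client_site) and feed the result a dictionary of the subnets you already have; anything it prints is a subnet object you still need to create and map to a site.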
Related Articles, References, Credits, or External Links
Activation occurs over TCP 80 and 443, so usually this will not trip you up. However if you are on a site with a very restrictive firewall config, then you might want to add the following.
Solution
I’ll break with the norm, and just post the config in its entirety (just remove the comment lines, the ones beginning with ‘!’).
[box]
!The Firewall needs a domain name of its own.
!
domain-name petenetlive.com
!
!Setup DNS Lookups so the firewall can resolve the FQDNs we are going to use.
!
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 8.8.4.4
!
!Create objects for each of the activation FQDNs.
!
object network Obj-go.microsoft.com
fqdn go.microsoft.com
object network Obj-wpa.one.microsoft.com
fqdn wpa.one.microsoft.com
object network Obj-crl.microsoft.com
fqdn crl.microsoft.com
object network Obj-wwwtk2test1.microsoft.com
fqdn wwwtk2test1.microsoft.com
object network Obj-wwwtk2test2.microsoft.com
fqdn wwwtk2test2.microsoft.com
object network Obj-db3.sls.microsoft.com
fqdn db3.sls.microsoft.com
!
!Create objects for each of the activation subnets.
!
object network Obj-MS-Activation-Subnet-1
subnet 64.4.0.0 255.255.192.0
object network Obj-MS-Activation-Subnet-2
subnet 65.52.0.0 255.252.0.0
!
!Create an object group that holds all the objects.
!
object-group network Obj-GP-MS-Activation
network-object object Obj-go.microsoft.com
network-object object Obj-wpa.one.microsoft.com
network-object object Obj-crl.microsoft.com
network-object object Obj-wwwtk2test1.microsoft.com
network-object object Obj-wwwtk2test2.microsoft.com
network-object object Obj-db3.sls.microsoft.com
network-object object Obj-MS-Activation-Subnet-1
network-object object Obj-MS-Activation-Subnet-2
!
!Create a service object-group for the activation ports.
!
object-group service Obj-SVC-MS-Activation tcp
port-object eq www
port-object eq https
!
!Allow the traffic Out (SEE THE WARNING BELOW!)
!
access-list outbound extended permit tcp any object-group Obj-GP-MS-Activation object-group Obj-SVC-MS-Activation
[/box]
Warning: Before executing the access-list command, make sure the ACL name matches your existing outbound ACL (show run access-group will tell you). In the example above I’ve used outbound. See the following article for clarification:
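A config of this length is easy to get wrong by pasting an ACL line that names an object-group slightly differently from the way it was defined; the ASA will reject the line, or worse, you will paste it into a group that exists for something else. As an added example (not part of the original article or of Cisco’s tooling), here is a small Python lint that reads an ASA-style config excerpt, records every object and object-group definition, and reports any network-object, group-object or access-list reference to a name that was never defined. The config excerpt is a constructed sample that deliberately contains one such mismatch.

```python
import re

# Constructed ASA configuration excerpt with one deliberate defect:
# the access-list references a group name that was never defined.
SAMPLE_ASA_CONFIG = """\
object network Obj-go.microsoft.com
 fqdn go.microsoft.com
object network Obj-MS-Activation-Subnet-1
 subnet 64.4.0.0 255.255.192.0
object-group network Obj-GP-MS-Activation
 network-object object Obj-go.microsoft.com
 network-object object Obj-MS-Activation-Subnet-1
object-group service Obj-SVC-MS-Activation tcp
 port-object eq www
 port-object eq https
access-list outbound extended permit tcp any object-group Obj-GP-Microsoft-Activation object-group Obj-SVC-MS-Activation
"""

DEF_OBJECT = re.compile(r"^object (network|service) (\S+)")
DEF_GROUP = re.compile(r"^object-group (network|service|protocol|icmp-type) (\S+)")
REF_MEMBER = re.compile(r"^\s+(?:network-object|service-object) object (\S+)")
REF_NESTED = re.compile(r"^\s+group-object (\S+)")


def lint_asa_references(config_text):
    """Return [(line_number, kind, name)] for each reference to an undefined name.

    kind is "object" for object references and "object-group" for group
    references. Definitions are collected in a first pass so that forward
    references (a group used before it is defined) are not flagged.
    """
    lines = config_text.splitlines()
    objects, groups = set(), set()
    for line in lines:
        m = DEF_OBJECT.match(line)
        if m:
            objects.add(m.group(2))
        m = DEF_GROUP.match(line)
        if m:
            groups.add(m.group(2))

    dangling = []
    for lineno, line in enumerate(lines, 1):
        m = REF_MEMBER.match(line)
        if m and m.group(1) not in objects:
            dangling.append((lineno, "object", m.group(1)))
        m = REF_NESTED.match(line)
        if m and m.group(1) not in groups:
            dangling.append((lineno, "object-group", m.group(1)))
        if line.startswith("access-list "):
            # In an ACL the keyword "object" or "object-group" is always
            # followed by the referenced name, so walk the tokens in pairs.
            tokens = line.split()
            for keyword, name in zip(tokens, tokens[1:]):
                if keyword == "object-group" and name not in groups:
                    dangling.append((lineno, "object-group", name))
                elif keyword == "object" and name not in objects:
                    dangling.append((lineno, "object", name))
    return dangling


if __name__ == "__main__":
    for lineno, kind, name in lint_asa_references(SAMPLE_ASA_CONFIG):
        print(f"line {lineno}: {kind} '{name}' is referenced but never defined")
```

Feed it the output of show running-config (or the text you are about to paste) and fix every line it reports before you apply the change; it only checks name consistency, so the warning about matching the ACL name to your existing access-group still applies.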
We got some ‘demo stock’ in the office this week, I don’t do a lot of wireless, so I thought I would get it setup and have a look to see how easy/difficult it was.
Hardware used
HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-PoE Switch (J5692A)
The switch and controller are ‘tiny’, so if you want to put them in a cabinet you will need some ‘big brackets’ (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the access point didn’t come with a network cable (seriously, these things are pennies, and if a client buys hundreds of these things, someone will forget they also need an equal number of network cables). In addition they are PoE, so you don’t get a power cable (or power injector), so you can’t even power them on without the network cable. That said, all the gear is typical good-quality HP stuff. The documentation consists of a “quick setup sheet” for each piece of hardware, and all the manuals are online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors’: too long, too complicated and too difficult to find what I’m looking for. I spent half a day reading PDF documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same number of pictures!)
1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).
2. The controller sets itself up on 192.168.1.1; put yourself on the same network range (see below).
3. Connect to https://192.168.1.1.
4. The MSM720 Default username and password are both admin.
5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.
6. Configure Initial Controller Settings > Start.
7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.
8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.
These are allocated as follows, (out of the box!)
And are controlled by these two settings,
9. Set the time and timezone > Next > Apply.
Configure a Corporate WLAN with the E-MSM720 Wireless Controller
10. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.
11. Create an SSID > Next > Set the WPA Key > Next.
12. Choose what access points to apply these settings to > Next > Apply.
Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.
Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller
I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.
1. Automated Workflows > Create a wireless network for guests > Start.
2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.
Setup the HP E-MSM 430 Wireless N Dual Radio Access Point
Well, you have already done all the work! Simply connect the AP to a PoE-capable network outlet.
By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller’s web interface once it has pulled its configuration down.
Updating Firmware on the MSM720 and MSM430
Very slick! Update the firmware package on the controller, and it will update all the access points for you.
Final thoughts
This is good quality gear; it has built-in support for IPsec, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise-class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate (ask someone who has never used it before to delete a wireless network! It took me over 90 minutes to locate the VSC bindings section to remove that!). I’ve already mentioned the documentation; I appreciate that it needs to be comprehensive, but come on!
Related Articles, References, Credits, or External Links
Private SSID will be on the normal corporate LAN (in this case 172.16.254.0/24).
Public SSID will get its IP addressing from the controller’s DHCP server (10.220.0.0/16).
The wireless traffic will traverse the corporate LAN (after being NATed on the controller) as 10.210.0.0/16.
My LAN DNS servers are 172.16.254.1 and 172.16.254.2.
Solution
HP Switch Configuration.
1. The switch must be performing LAN routing; if the LAN’s default gateway is a firewall, that needs rectifying first (where 172.16.254.200 is the firewall).
[box]ip routing
ip route 0.0.0.0 0.0.0.0 172.16.254.200[/box]
[box]ip dns server-address priority 1 172.16.254.1[/box]
3. Declare a VLAN for the guest VLAN (210), name it, and give it an IP address > Add a Port (A1) to that VLAN which will connect to the Internet Port of the MSM Controller (Port5).
[box]vlan 210
name WIRELESS-TRAFFIC
ip address 10.210.0.1 255.255.0.0
untagged A1[/box]
4. Tag This VLAN on the ‘Inter Switch’ Links from the core switch to the firewall/perimeter device.
[box]vlan 210
tagged D24[/box]
5. Save the Switch changes with a write mem command.
Configure the Cisco ASA To Allow the Wireless Traffic out.
Actions for different firewall vendors will vary, but you need to achieve the following:
Make sure that a client on the 10.210.0.0/16 network can get access to the Internet.
To do that you will need to achieve the following:
Make sure that the 10.210.0.0/16 network has HTTP and HTTPS access allowed outbound on the firewall.
Make sure that 10.210.0.0/16 is getting NATed through the firewall to the public IP address.
1. Connect to the firewall > Allow the Wireless Traffic out.
[box]
access-list outbound extended permit ip 10.210.0.0 255.255.0.0 any
!Note: this permits ALL IP traffic; you might prefer to allow only web traffic:
access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq http
access-list outbound extended permit tcp 10.210.0.0 255.255.0.0 any eq https
!Note2: This also assumes you have an ACL called outbound applied to traffic that is destined outbound (show run access-group will tell you).
[/box]
2. Perform NAT on the new wireless outbound traffic.
5. At this point plug a PC/laptop into the core switch (port A1) and make sure you can get Internet access (you will need a static IP in the 10.210.0.0 range).
Configure the HP MSM 720 Controller
MSM 720 Initial Setup and IP Addressing.
1. Connect to the MSM 720 controller (Port 1) on 192.168.1.1 (username admin, password admin).
2. Go through the initial setup > Stop when you get to the Automated Workflows screen (simply press Home).
3. Setup Access Network: Home > Network > Access Network > Set the Addressing and Management IP addresses like so;
Addressing 172.16.254.115/24
Management address 172.16.254.116/25
Save.
Note: There are two because you can separate the management traffic off to another subnet if you wish.
4. Connect Port 1 on the MSM controller to ANY normal port on the switch (which will be untagged in VLAN 1) > Then connect to the controller on its new IP https://172.16.254.115.
5. Setup Internet Network: Home > Network > Internet Network > Static.
6. Configure > IP = 10.210.0.2 > Address Mask 255.255.0.0 > Save (don’t worry if you get a warning about DNS).
7. Connect Port 5 on the MSM to Port A1 on the switch (the one you untagged in VLAN 210).
8. Setup DNS: Home > Network > DNS > Enter the primary LAN DNS servers (172.16.254.1 and 172.16.254.2).
9. Tick DNS Cache > Tick DNS Switch over > Tick DNS interception > Save.
10. Setup Default Route: Home > Network > IP Routes > Add.
11. Enter 10.210.0.1 with a Metric of 1 > Add.
12. Setup DHCP (Note: you will create the scope later)
Obviously only complete this step if you want the Controller to act as a DHCP server for your ‘Public’ Wireless network.
13. Enter the domain name > change Lease time to 1500.
Note: At this point it automatically fills in DHCP settings (these will NOT be used, don’t panic!)
14. REMOVE the tick from Listen for DHCP Requests on ‘Access Network’.
15. MAKE SURE there is a tick in the ‘Client data tunnel’ box > Save.
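The part of this procedure that bites is getting the addressing on the guest path consistent: the switch VLAN 210 interface, the controller’s Internet port, the controller’s default route and the firewall ACL all have to describe the same 10.210.0.0/16 network, and a typo in a mask (an extra octet, or a /24 where a /16 was meant) breaks it in ways that are hard to see from the GUI. As an added example (not part of the original article), the Python below takes those four values, validates the masks and checks that they agree with each other. The plan values are the article’s own; the malformed switch mask in the sample is deliberate, to show what the check reports.

```python
import ipaddress

# Addressing for the guest wireless path, using the article's values; the
# switch mask here is deliberately malformed to show what the check catches.
GUEST_PLAN = {
    "switch_vlan_if": ("10.210.0.1", "255.255.255.0.0"),
    "controller_internet_if": ("10.210.0.2", "255.255.0.0"),
    "controller_default_gw": "10.210.0.1",
    "firewall_acl_network": ("10.210.0.0", "255.255.0.0"),
}


def _iface(addr, mask):
    # ip_interface accepts "addr/mask" with a dotted-quad mask and raises
    # ValueError when the mask is not a valid netmask (wrong octet count,
    # non-contiguous bits, and so on).
    return ipaddress.ip_interface(f"{addr}/{mask}")


def check_guest_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    sw = ctl = None
    try:
        sw = _iface(*plan["switch_vlan_if"])
    except ValueError as exc:
        findings.append(f"switch VLAN interface: {exc}")
    try:
        ctl = _iface(*plan["controller_internet_if"])
    except ValueError as exc:
        findings.append(f"controller Internet interface: {exc}")

    gw = ipaddress.ip_address(plan["controller_default_gw"])
    acl_net = ipaddress.ip_network(
        "{}/{}".format(*plan["firewall_acl_network"]), strict=False
    )

    # Switch VLAN interface and controller Internet port must share a subnet.
    if sw is not None and ctl is not None and sw.network != ctl.network:
        findings.append(
            f"switch VLAN {sw.network} and controller {ctl.network} differ"
        )
    # The controller's default route should point at the switch VLAN interface.
    if sw is not None and gw != sw.ip:
        findings.append(
            f"controller default route {gw} is not the switch VLAN interface {sw.ip}"
        )
    # The gateway must be reachable from the controller's own subnet.
    if ctl is not None and gw not in ctl.network:
        findings.append(f"default gateway {gw} is outside the controller subnet {ctl.network}")
    # The firewall ACL source network must cover the whole guest subnet.
    if ctl is not None and not ctl.network.subnet_of(acl_net):
        findings.append(f"firewall ACL network {acl_net} does not cover {ctl.network}")
    return findings


if __name__ == "__main__":
    for finding in check_guest_plan(GUEST_PLAN) or ["plan is consistent"]:
        print(finding)
```

Correct the switch mask to 255.255.0.0 in GUEST_PLAN and the check comes back empty; change it to 255.255.255.0 instead and it reports that the switch and controller subnets differ, which is exactly the mismatch that leaves guest clients with no route out.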
HP MSM 720 Configure Wireless Access Public and Private
For this procedure we will rename the default VSC which is called HP.
1. Home > Controller (on the left) > VSCs > HP > Change the profile name for HP to “Private” > Untick Authentication > Untick Access control.
2. Change the SSID from HP to ‘Private’ > Tick Broadcast Filtering.
3. Ensure Wireless security filters is unticked.
4. Tick Wireless Protection > Set the mode to WPA2 (AES/CCMP) > Change Key Source to ‘Preshared Key’ > Enter and confirm the WPA Password > Save (at the bottom of the screen).
5. Setup Public/Guest VSC: Home > VSCs > Add New VSC Profile.
6. Set the profile name to ‘Public’ > MAKE SURE authentication and access control ARE ticked.
7. Change the SSID to Public > Tick broadcast filtering.
8. Change Allow Traffic between wireless clients to NO > Expand Client Data Tunnel > Tick ‘always tunnel client traffic’.
9. Ensure Wireless Protection is unticked.
10. If you require HTML based logins, tick that (Note: You will need to create a user later, if you enable this).
11. If using the controller for DHCP > Enable the DHCP Server and specify;