Getting MORE! Free Airport / Hotel Free Wi-Fi

KB ID 0001278 

Problem

I was at the Airport the other day, and was pleased to find they had free Wi-Fi. So I opened my Email and started doing some work. The problem was, it was only free for 45 minutes and, (as is usually the case) I was going to be in the airport for a couple of hours.

Not only that, you are expected to sign up for airport related spam and marketing materials?

So 45 minutes later, I was dumped off the WiFi, and was asked to pay? With a sigh I fired up VLC and watched a film, (productivity over). Though I did notice there was a reference to my ‘device ID’ on the captive portal page that was asking for money, (not shown on diagram).

How was the system maintaining my ‘device ID’ to stop me simply reconnecting and getting more free WiFi? This turned out to be a moot point, because my flight was cancelled, but on the drive home I resolved to work out how it was done, and see if it could be bypassed.

Solution

Well when I returned to the Airport the next day it let me have more time, so either it was keeping a hash of my laptop name and MAC address, (this would seem to be the most secure method,) or was it simply caching my MAC address? If it was the latter then that’s painfully easy to defeat (On a Windows Laptop you can change your MAC address on the advanced properties of your network card, or with a registry key). With my MacBook, (which is essentially Linux in a pretty dress), I just need to drop to the command line.

Spoofing / Changing macOSX MAC address

Open a terminal session and generate a RANDOM MAC address with the following command.

[box]openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/./0/2; s/.$//'[/box]

Take a copy of the MAC address it gives you;

Now, for your own peace of mind, take a look at your actual current MAC address, (so you know when it’s changed).

[box]ifconfig en0 | grep ether[/box]

Note: On some macOSX machines your wireless network card may be en1.

The next bit tripped me up for a while: you CAN’T change your MAC address while it’s associated with a wireless network. So you need to disassociate, change the MAC address, then rescan the interface. Execute each of these three commands one at a time; after the first one, you will need to enter your password.

[box]

sudo /System/Library/PrivateFrameworks/Apple80211.framework/Resources/airport -z
{ENTER PASSWORD}
sudo ifconfig en0 ether f0:99:80:a1:b4:d6
networksetup -detectnewhardware

[/box]

To prove it’s changed, simply run the following command again;

[box]ifconfig en0 | grep ether[/box]

Connect back to the wireless and enjoy.
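Seen from the portal operator's side, this added example (not part of the original article) shows why a time quota keyed on the MAC address alone resets whenever the address changes, and how correlating on the DHCP hostname exposes the same client. The log format, hostnames and most addresses are constructed assumptions; only f0:99:80:a1:b4:d6 comes from the article.

```python
"""Added example: captive-portal quota keyed by MAC vs. by DHCP hostname.
The log format is an assumption (constructed), not a real portal's."""
from collections import defaultdict

# Constructed sample: "<minute-of-day> <mac> <dhcp-hostname> <session-minutes>"
SAMPLE_LOG = """\
600 a4:5e:60:11:22:33 traveller-macbook 45
650 f0:99:80:a1:b4:d6 traveller-macbook 45
655 3c:15:c2:aa:bb:cc family-ipad 20
700 10:4f:a8:0d:0e:0f traveller-macbook 45
"""

FREE_MINUTES = 45  # the free allowance described in the article


def mac_flags(mac):
    """Decode the two flag bits carried in the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return {
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit
    }


def parse(log):
    """Yield (minute, mac, hostname, session_minutes) from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            minute, mac, host, used = line.split()
            yield int(minute), mac.lower(), host.lower(), int(used)


def usage_by(log, key):
    """Total session minutes grouped by 'mac' or by 'host'."""
    totals = defaultdict(int)
    for _minute, mac, host, used in parse(log):
        totals[mac if key == "mac" else host] += used
    return dict(totals)


def over_quota(log, key):
    """Identifiers whose combined usage exceeds the free allowance."""
    return sorted(k for k, used in usage_by(log, key).items() if used > FREE_MINUTES)


def rotating_hosts(log):
    """Hostnames that appeared behind more than one MAC address."""
    seen = defaultdict(set)
    for _minute, mac, host, _used in parse(log):
        seen[host].add(mac)
    return {host: sorted(macs) for host, macs in seen.items() if len(macs) > 1}


if __name__ == "__main__":
    print("over quota by MAC: ", over_quota(SAMPLE_LOG, "mac"))
    print("over quota by host:", over_quota(SAMPLE_LOG, "host"))
    print("rotating hosts:    ", rotating_hosts(SAMPLE_LOG))
    # The sed expression in the article zeroes the second hex digit, so both
    # flag bits are clear and the U/L bit alone does not mark the address.
    print(mac_flags("f0:99:80:a1:b4:d6"))
```
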

Related Articles, References, Credits, or External Links

NA

Mac OSX – GNS3 Connecting To the Internet

KB ID 0001170 

Problem

I have a love-hate relationship with GNS3, I appreciate it’s brilliant, (when it works). I also appreciate that it’s free, and people put a lot of effort into its development for very little reward. But when I try to do simple things, like connect my projects/labs to the internet, and it’s massively overcomplicated, I get pretty exasperated.

With Windows this is easy, (I’ve probably blogged about it before), drag a cloud onto the workbench and connect it to a network card, job done! On a Mac however it’s a whole different ball game, as I found out last year when I swapped from Windows to Mac. The documented method of doing this, is to use tun tap interfaces and run GNS3 as root and connect things together. But I cannot get this to work at all.

Kudos and credit for this solution goes to my colleague Steve. When I swapped to Mac he was my ‘go-to-guy’ for ‘how does this work’ and ‘what’s the Mac equivalent of {insert name of software}’ questions. I could not connect my new mac GNS3 labs to the internet, so he gave me a VM that did the hard work for me. Despite my efforts to find a better way of doing this, it remains the easiest, simplest, solution, and works over wireless/wired connections etc.

Solution

Requirements:

  • GNS3 (obviously). I’m using version 1.4.4
  • Virtualbox (This won’t work with VMware Fusion unfortunately, I’ve tried). I’m using Version 5.0.16 r105871
  • M0n0firewall (download GW1)

Procedure;

Download the GW1 appliance (link above) and extract the files, then from within Virtualbox >  Machine > Add > Locate the extracted GW1 appliance > Open.

Now in GNS3 > Preferences > Virtualbox > Virtualbox VMs > Add > Add in the GW1 appliance > Edit > Give it TWO network cards > Ensure ‘Allow GNS3 to use any configured Virtualbox adapter’ is NOT ticked > OK.

Now drag the GW appliance onto your GNS3 work area, and connect to a router (or anything you can configure an IP on). Make sure the appliance is started.

Now back in Virtualbox > Look at the NIC settings for the GW1 appliance, the one connected to GNS3 should say ‘Generic Driver’ and UDP Tunnel.

Now manually set the other NIC to be connected to your NAT Network, this network will NAT the VM’s NIC out to the internet connection being used by the Mac (either wired or wireless). Make sure you tick ‘Cable Connected’.

Note: This is why I still use Virtualbox for this, in VMware Fusion any changes you make to the NICs are hijacked by GNS3 when you add and start the VM, with Virtualbox they are not.

You will know when you have the network cards right, as the ‘WAN’ will get an IP from your NAT Network.

Use option ‘6’ and make sure the virtual machine has a good connection to the internet.

Above you can see the appliance has a LAN IP of 192.168.1.1. Back in GNS3 give an IP address on the same range to the device you connected to the virtual appliance.

The network is directly connected, so you should not need to add a static route, I just do this out of habit.

First make sure you can ping the appliance, then make sure you can ping a public IP address.

Troubleshooting

While setting this up, you may have to ‘reset the appliance to factory settings’ (option 4), this should re-detect all the interfaces. You may also get the interfaces the wrong way round, ensure the right NIC is presented into GNS3.

Related Articles, References, Credits, or External Links

NA

XBMC ‘Gotham’ – Network Manager is Incompatible

KB ID 0001014 

Problem

I’ve just replaced my XBMCbuntu media PC (an Acer Revo 3700) with a newer machine, and I was rebuilding the old one for my neighbour. I’m not sure if he has a wired connection where his TV is so I wanted to use Network Manager to setup the wireless connection. But when I tried to add it, this happened;

XBMC 13.0 (Compiled May 4 2014)

Solution

1. To get round this you need to install the add-on from a .zip file, so download the following file and put it on a USB drive.

NetworkManager-0.1.4.zip

2. Present your USB drive to the XBMC machine > System > Settings > Add-ons > Install from zip File.

3. Your USB drive should be listed, double click it.

4. Select NetworkManager-0.1.4.zip and it will be installed and enabled.

5. Now when you go to ‘Programs’, you will see Network Manager.

Related Articles, References, Credits, or External Links

NA

Playstation 3 – Error ‘A DLNA protocol error (2104) has occurred’ When streaming from Windows Media Player

KB ID 0000696

Problem

My Windows 7 Media Center can’t stream to my PS3, but the Windows Media Player that’s built into the same PC can, (well it should be able to!) However when I tried, this is what the Playstation told me.

Media Server Error:
A DLNA protocol error (2104) has occurred.

Solution

Note: Your local firewall on the Windows 7 machine can also cause this problem. I have a decent firewall at home, so I disabled the local firewall on the Media Center, (Start > Run > firewall.cpl).

1. On your Windows 7 Machine open Windows Explorer (Windows Key+E) > Select Homegroup > View homegroup settings.

2. Make sure you’re set to location type Home, if not change it (mine was set to public!).

3. Now “choose what you want to share…”.

4. Select as appropriate > Next.

5. Choose Media Streaming options.

6. Allow All, (or if you know the MAC address of the Playstation it will be listed as “Unknown Device” and, (if you can see it on the list), you can add that in on its own, and allow).

7. Accept the warning.

8. If you allowed all, this is what you should see.

9. Finally open the services (Start > Windows key+R > services.msc {enter}) and ensure that the “Windows Media Player Network Sharing Service” Service is started > Set to Automatic > and set to logon as either the Network Service, or the Local System.

Related Articles, References, Credits, or External Links

NA

Beware “Free Public WiFi”

KB ID 0000338 

Problem

Ever sat in a train station, cafe, or airport, and seen “Free Public Wifi”? It’s a well known fact that my personal motto is “there’s nothing better than free things”, sadly in this case you’re not going to get what you were expecting 🙁

Solution

There’s nothing particularly sinister about it, it’s caused by a bug that was in Windows XP. This particular bug was fixed with service pack 3, but not everyone has installed service pack 3.

The more technically astute of you will see on some of the screen shots above, that this network is NOT an access point, it’s an “Ad Hoc” network, this basically means you’re going to connect to another computer. The whole thing started because when Windows XP could not connect to its favourite/stored wireless sites/connections, it sets up an “Ad Hoc” network with the name of the last network it connected to. The “Free Public Wifi” network spread like wildfire as machines were all connecting to each other on wireless connections that were not what they were purporting to be. It seems that (like me) everybody likes free stuff.

The same problem can occur with machines advertising popular access point names like linksys, netgear, default, tmobile, hpsetup etc as well.
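To check what is actually on the air, this added example (not from the original article) parses the text printed by `netsh wlan show networks` on Windows Vista or later and flags ad hoc peers, open networks and the commonly advertised names listed above. The sample output is constructed, and the field layout is assumed to match the English-language output of that command.

```python
"""Added example: flag ad hoc networks in `netsh wlan show networks` output.
SAMPLE_OUTPUT is constructed; the layout is assumed to match the
English-language output of that command."""
import re

# SSIDs the article names as commonly advertised by ad hoc peers.
COMMON_NAMES = {"free public wifi", "linksys", "netgear", "default",
                "tmobile", "hpsetup"}

SAMPLE_OUTPUT = """\
Interface name : Wireless Network Connection
There are 3 networks currently visible.

SSID 1 : Free Public WiFi
    Network type            : Adhoc
    Authentication          : Open
    Encryption              : None

SSID 2 : CorpWLAN
    Network type            : Infrastructure
    Authentication          : WPA2-Personal
    Encryption              : CCMP

SSID 3 : linksys
    Network type            : Infrastructure
    Authentication          : Open
    Encryption              : None
"""


def parse_networks(text):
    """Split the listing into one dict per SSID block."""
    networks, current = [], None
    for line in text.splitlines():
        match = re.match(r"^SSID \d+\s*:\s*(.*)$", line)
        if match:
            current = {"ssid": match.group(1).strip()}
            networks.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip().lower()] = value.strip()
    return networks


def assess(net):
    """Return the reasons a network deserves a second look."""
    findings = []
    net_type = re.sub(r"[\s-]", "", net.get("network type", "")).lower()
    if net_type == "adhoc":
        findings.append("ad hoc peer, not an access point")
    if net.get("authentication", "").lower() == "open":
        findings.append("open authentication")
    if net["ssid"].lower() in COMMON_NAMES:
        findings.append("commonly imitated SSID")
    return findings


def report(text):
    """Map each flagged SSID to its findings; clean networks are omitted."""
    results = {}
    for net in parse_networks(text):
        findings = assess(net)
        if findings:
            results[net["ssid"]] = findings
    return results


if __name__ == "__main__":
    for ssid, findings in report(SAMPLE_OUTPUT).items():
        print(f"{ssid}: {', '.join(findings)}")
```
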

Learn the difference between “Infrastructure Networks” and “Ad Hoc Networks”

 

Related Articles, References, Credits, or External Links

NA

Windows – Backing up, Transferring, and Restoring Wireless Network Settings

KB ID 0000626

Problem

If you have a machine setup and working on your wireless network, sometimes it’s easier to set other machines up by simply migrating the settings. Either because you don’t want your child to try and type in a 64 bit WPA key, or you might simply have forgotten the WEP/WPA key, and don’t want to go through all the hassle of setting it up again.

In a small business environment you can give your colleagues their wireless settings in an XML file, or on a USB thumb drive. When using XML files you can even script the deployment of wireless settings to your users.

Solution

Option 1: Export/Import wireless Networks to XML File.

This is quick and easy, and if you are feeling adventurous enough, could be used to script the deployment of wireless networks.

1. On your working wireless machine, open a command window, the following command will list all the wireless profiles that are installed on this machine, (in the example below there is just one).

[box]netsh wlan show profiles[/box]

2. Now we know the name of the profile (Note: Typically it will be the SSID), we can export it to a folder. Be aware if the folder does not exist, the process is liable to fail.

[box]netsh wlan export profile name="{profile name}" folder="c:\{folder name}"[/box]

3. This will produce an XML file, containing the settings.

4. Copy the folder containing your XML file to the destination machine, and issue the following command;

[box]netsh wlan add profile filename="c:\{folder name}\{file name}.xml"[/box]

5. Your wireless profile will be restored.
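The exported XML carries the network's security settings and its key material, so it is worth inspecting before it is copied around or scripted into a deployment. This added example (not from the original article) audits such a file without ever printing the key; the sample profile is constructed and its SSID and passphrase are placeholders.

```python
"""Added example: audit a WLAN profile XML produced by
`netsh wlan export profile`. SAMPLE_PROFILE is constructed."""
import xml.etree.ElementTree as ET

NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

SAMPLE_PROFILE = """<?xml version="1.0"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>OfficeWLAN</name>
  <SSIDConfig><SSID><name>OfficeWLAN</name></SSID></SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <MSM>
    <security>
      <authEncryption>
        <authentication>WPA2PSK</authentication>
        <encryption>AES</encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial>constructed-example-passphrase</keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>
"""


def _text(root, path):
    """Text of the first element matching path, or None if absent."""
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def audit_profile(xml_text):
    """Return (ssid, findings) for one exported profile; never returns the key."""
    root = ET.fromstring(xml_text)
    sec = "w:MSM/w:security/"
    ssid = _text(root, "w:SSIDConfig/w:SSID/w:name")
    conn_type = _text(root, "w:connectionType")
    auth = _text(root, sec + "w:authEncryption/w:authentication")
    cipher = _text(root, sec + "w:authEncryption/w:encryption")
    protected = _text(root, sec + "w:sharedKey/w:protected")
    has_key = root.find(sec + "w:sharedKey/w:keyMaterial", NS) is not None

    findings = []
    if conn_type == "IBSS":
        findings.append("ad hoc (IBSS) profile")
    if auth == "open" and cipher == "none":
        findings.append("no encryption")
    if cipher == "WEP":
        findings.append("WEP is broken; move to WPA2/AES")
    if cipher == "TKIP":
        findings.append("TKIP is deprecated; prefer AES")
    if has_key and protected == "false":
        findings.append("key material stored in clear text in this file")
    return ssid, findings


if __name__ == "__main__":
    name, issues = audit_profile(SAMPLE_PROFILE)
    print(name, issues or ["no findings"])
```
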

Option 2: Export/Transfer/Import wireless Settings via USB.

1. On the source machine open ‘Control Panel’.

2. Select ‘Network and Sharing Center’.

3. Select ‘Manage wireless networks’.

4. Locate the wireless profile you want to migrate, (in the example below there is just one), double click it > select ‘copy this network profile to a USB flash drive’.

5. Assuming you already have a USB drive plugged in, the wizard will detect it > Next.

6. Close.

7. Take the drive to a destination machine, and plug it in. Windows 7 has autorun disabled; with older versions of Windows you can simply choose ‘Connect to wireless network’ from the autorun menu. If not, open the drive and run the setupSNK.exe file.

8. Yes to confirm.

9. OK to close.

10. Your network is setup and ready to go.

Related Articles, References, Credits, or External Links

NA

Configure Wireless Network Settings via Group Policy

KB ID 0000923 

Problem

If you have a corporate wireless network, you can send the settings out to your clients, rather than have them all ask you what the wireless settings are, and how do they connect.

Here I’m going to use Domain group policies, but the procedure is the same for local policies (just run gpedit.msc instead). And the dialog boxes are exactly the same as if you were configuring them on the client machine. (You can import the settings from a working client if you like).

Solution

1. On a Domain Controller > Administrative Tools > Group Policy Management Console > Navigate to an OU that contains your computer objects and either create a new GPO, or edit an existing one.

2. Navigate to;

[box]

Computer Configuration > Policies > Windows Settings > Security Settings > Wireless Network (IEEE 802.11) Policies > Create A New Wireless Network Policy for Windows Vista and Later Releases

[/box]

3. Give the policy a name and add in an ‘Infrastructure’ type network profile.

4. Name the profile > Add in the SSID of the wireless network > Security Tab.

5. Set your authentication type, here I’m using WPA2/AES.

Optional

6. Here I want my client computers to see the wireless network, before the users log on (so that their logon scripts will run and their drives get mapped) Advanced > Enable Single Sign On > OK.

7. Properties > Remove the tick from ‘Validate server certificate’ > OK.

Note: I’m configuring for use with an HP MSM controller, if I leave this option ticked, I will have to upload the CA Cert from my domain, into the controller, or clients cannot join the wireless network.

8. I’m not making any changes to the Network Permissions tab > Apply > OK.

9. Now either wait a couple of hours, run gpupdate /force on a client, (or reboot it).

Related Articles, References, Credits, or External Links

NA

Deploying Certificates via ‘Auto Enrollment’

KB ID 0000919

Problem

SHA CERTIFICATE WARNING: Note: This article was written some time ago. Ensure your CA environment does NOT use SHA1 for your certificates; if it does, please visit the following link for migration instructions;

Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

I need to setup wireless authentication based on computer certificates, I’ve done similar jobs before by manually issuing certificates for Cisco AnyConnect, but this will be for NAP/RADIUS authentication to MSM. I’ll be working with Server 2008 R2 and Windows 7 clients. So task one was getting my head round ‘auto enrollment’. As stated I’m deploying Computer certificates but the process is practically the same for issuing User certificates (I’ll point out the differences where applicable).

Solution

Prerequisites: A Windows domain environment, with working DNS.

Setup a Certification Authority

1. Launch Server Manager (Servermanager.msc) Roles > Add Roles > Active Directory Certificate Services > Next > I’m going to accept all the defaults.

2. The only thing I’m going to change is the lifetime, I usually change that from 5 to 10 years (force of habit, after 5 years it will probably still be my problem, in 10 years it will be replaced, or in a skip!)

Create a Computer Certificate Template and Issue it.

3. Start > Administrative Tools > Certification Authority > Certificate Templates > Manage.

4. Locate and make a copy of the Workstation Authentication template. If you were using User certificates then you would copy the User template.

Note: I got an email a few months ago from someone who had an argument about whether to make copies or edit the originals, and was asking what I thought was best practice. Well I would ALWAYS copy a template and edit that copy. Then if you ‘stuff it up’ you still have the original. It’s always best practice to avoid looking like a cretin!

5. If you still have Server 2003 servers choose the default, if not pick 2008 > OK.

6. General Tab > Give the template a sensible name.

7. Subject Name Tab: Tick User principal name (UPN).

8. Security Tab: Ensure Domain Computers have the rights to Read and Autoenroll > OK > Close the template console.

9. Certificate templates > New > Certificate Template to Issue.

10. Pick the one you just created > OK.

11. Make sure it’s listed > Close the Certificate Authority management console.

Deploy Auto-enrolled Certificates via Group Policy

Note: You could just add this to the default domain group policy, and all computers would get a certificate, but for this exercise I’ve created an OU, and I’m going to create a new policy and link it there.

12. Select an OU or container that contains the computer objects you want to send certificates to.

Note: Obviously if you are sending out User certificates then link it to a user OU, (you would be surprised!)

13. Navigate to;

[box]

Computer Certificate Auto-Enrollment

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

User Certificate Auto-Enrollment

User Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Services Client - Auto-Enrollment

[/box]

WARNING: If deploying user certificates read this article.

14. Enable the policy > Select the two options available > Apply > OK > Close the GPO management editor.

Test Windows Certificate Auto-Enrollment

15. Before we do anything else, you can see there are no certificates on the Windows 7 client machine, and there are no certificates ‘issued’ from the server.

Note: To see a computer’s certificates, you need to be logged in with administrative rights, run mmc and add in the certificates snap-in for ‘local computer’.

16. Now if I move this machine into the OU that I’ve linked the GPO to.

17. And then force that client to refresh its group policies, (or reboot it).

18. Now when you check, you can see it has received a certificate, and the server is now showing one certificate issued.

Now I’ve got to work out NAP and RADIUS and force them to use the certificates, but I’ve got a headache and I need a brew, watch this space….

Related Articles, References, Credits, or External Links

Certificate Services Error – ‘The Email name is unavailable and cannot be added to the Subject or Subject Alternate name’

HP E Series Wireless – Cannot Access Local LAN

 

KB ID 0000486

Problem

You have an HP E-Series Mobility E-MSM460, 466 & 430 Access Point, and you cannot access resources on your local LAN (though internet access works fine).

This is default “Out of the box” behavior, a lot of consumers want to provide wireless access but DON’T want the wireless clients having access to their local servers. That’s fine but what if you do?

Solution

1. Log into the web management console of the access point, select VSC (Virtual Service Communities) > Locate your wireless VSC and click its name.

2. Scroll to the bottom of the page, Locate the “Wireless security filters” section. Make sure this section is NOT enabled (un-ticked), then click save.

Related Articles, References, Credits, or External Links

NA

Setup and Configure HP Wireless E-MSM720 Wireless Controller with HP E-MSM430 Access Points

KB ID 0000692 

Problem

We got some ‘demo stock’ in the office this week, I don’t do a lot of wireless, so I thought I would get it setup and have a look to see how easy/difficult it was.

Hardware used

HP E-MSM720 Premium Mobility Controller (J9694A)
HP E-MSM 430 Wireless N Dual Radio Access Point (J9651A)
HP 2915-8G-P-o-E Switch (J5692A)

The switch and controller are ‘tiny’ so if you want to put them in a cabinet you will need some ‘big brackets’, (or a shelf). I was disappointed that the controller didn’t have PoE on it (hence the reason we were supplied the switch). I was also disappointed the Access Point didn’t come with a network cable (seriously these things are pennies – and if a client buys hundreds of these things, someone will forget they also need an equal amount of network cables). In addition they are PoE, so you don’t get a power cable (or power injector) – so you can’t even power them on without the network cable. That said all the gear is typical good quality HP Stuff. The documentation consists of a “quick setup sheet” for each piece of hardware and all the manuals are Online. I’m not a fan of manufacturers’ documentation at all, and HP’s is the same as most major vendors, too long, too complicated and too difficult to find what I’m looking for – I spent half a day reading pdf documents just trying to get the guest network working (a feat I will accomplish below with about three sentences and the same amount of pictures!)

Also See: Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks

Solution

Initial Setup E-MSM720 Wireless Controller

1. Connect the controller to your network (Note: Don’t use the two dual personality ports 5 and 6).

2. The controller sets itself up on 192.168.1.1 put yourself on the same network range (see below).

3. Connect to https://192.168.1.1.

4. The MSM720 Default username and password are both admin.

5. Accept the EULA > Skip Registration > Set country > Save > Set the new password > Save.

6. Configure Initial Controller Settings > Start.

7. Set System name > Location > Contact > Login Message > Next > We’ve just set the Password so leave it blank > Next.

8. Enable/disable management interfaces > Next > Configure the network interfaces > Next.

These are allocated as follows, (out of the box!)

And are controlled by these two settings,

9. Set the time and timezone > Next > Apply.

Configure a Corporate WLAN with the E-MSM720 Wireless Controller

10. If not already there, select ‘Automated Workflow’ > Configure a wireless network for employees > Start.

11. Create an SSID > Next > Set the WPA Key > Next.

12. Choose what access points to apply these settings to > Next > Apply.

Note: At this point I had not powered on or touched the access points, so I just selected ‘All’.

Configure a ‘Guest’ WLAN with the E-MSM720 Wireless Controller

I had a nightmare getting this running, until I fully understood the VLAN, IP address and interface allocation, but if you set things up as specified above it will just work.

1. Automated Workflows > Create a wireless network for guests > Start.

2. Create an SSID > Next > Configure guest authentication (or leave open) > Set IP Settings for clients > Next.

3. Select APs to apply to > Next > Apply.

Setup the HP E-MSM 430 Wireless N Dual Radio Access Point

Well you have already done all the work! Simply connect the AP to a POE capable network outlet.

By default the AP is in ‘Controlled’ mode, so it will start looking for a controller as soon as it powers on. It can take a little while to boot (go get a coffee); you will see it appear in the controller’s web interface when it’s pulled its configuration down.

Updating Firmware MSM720 and MSM430

Very slick! update the firmware package on the controller, and it will update all the access points for you.

Final thoughts

This is good quality gear, it has built in support for IPSEC, SSL, RADIUS and a myriad of other features that you would expect to find on an enterprise class wireless solution. HP might be concerned by their lack of wireless sales, but they could make the experience with these things better by making the web interface easier to navigate, (ask someone who has never used it before to delete a wireless network! – over 90 minutes it took me to locate the VSC bindings section to remove that!) I’ve already mentioned the documentation, I appreciate that it needs to be comprehensive but come on!

Related Articles, References, Credits, or External Links

HP E Series Wireless – Cannot Access Local LAN

Manually Configuring HP Wireless (MSM 720 controller) for Public and Private Wireless Networks