Latest Posts

Raspberry Pi network monitoring wifi Smokeping

I finally deployed my wireless Raspberry Pi network monitoring device at the edge of our wireless network. I installed the smokeping package on the Raspberry Pi (running wheezy) via apt-get. I already had a smokeping instance running on a Linux server, so I set up the Raspberry Pi to run smokeping in client mode.

Client mode lets the Raspberry Pi pull its config from the smokeping server so it knows which tests to run. I set up some fping, DNS, and tcpping tests. This is a great way to measure the client's wireless experience (latency) on the other side of campus. I stuck the Raspberry Pi behind a bundle of cables to add attenuation and simulate a worst-case user. The AP was a few rooms away on a different floor as well. Here are some of the smokeping graphs:

[Image: Raspberry Pi Smokeping graph of wifi latency]

In the picture above, the line with the higher latency is the Raspberry Pi to Google and the lower line is the latency from the smokeping server to Google, both measured via fping.

Here's a longer-term graph painted via rrdtool by smokeping. There's some packet loss going on over the wireless interface on the Raspberry Pi. I may have to move it to a better spot and see how the graphs look afterward. I also want to install iperf and maybe tshark as well.

[Image: Raspberry Pi Smokeping long-term wifi latency graph]

Here's the command to get the Raspberry Pi running in client mode:

/usr/sbin/smokeping --master-url=http://yoursmokepingcgiurl.com/smokeping.cgi --cache-dir=/var/smokeping/ --shared-secret=/var/smokeping/secret.txt

I also had to modify the permissions on the /tmp/smokeping-ms/data/ folder on the server so that the RRDs can be modified by apache: the client sends its results back through smokeping.cgi, which runs as the web server user.
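The server-side half of this setup, as an added example that is not from the post: the Probes, Slaves and Targets sections of the master's config that define the Pi as a slave and hand it fping and tcpping tests (a DNS target is configured the same way). The slave name rpi, the file paths and the target hosts are assumptions.

```text
# /etc/smokeping/config on the master (added example; the slave name "rpi",
# the paths and the target hosts are assumptions, not values from the post).
# The slave name must match the Pi's hostname, which is what it reports
# when it connects to smokeping.cgi.

*** Probes ***
# The slave runs the probes itself, so fping and tcpping must be on the Pi too.
+ FPing
binary = /usr/bin/fping

+ TCPPing
binary = /usr/bin/tcpping

*** Slaves ***
# Secrets file: one line per slave, "rpi:<secret>", owned by the web server
# user and mode 0600 (smokeping.cgi reads it to authenticate the slave).
# The Pi's /var/smokeping/secret.txt holds just "<secret>".
secrets=/etc/smokeping/smokeping_secrets

+rpi
display_name=Raspberry Pi (wireless edge)
color=ff0000

*** Targets ***
probe = FPing
menu = Top
title = Network Latency Grapher

# "slaves = rpi" makes the Pi poll this target as well as the master, which
# gives the two lines per graph seen in the screenshot above.
+ Google
menu = Google
title = www.google.com (fping)
host = www.google.com
slaves = rpi

# TCP handshake time to the mail server's SMTP port
+ Mail
probe = TCPPing
menu = Mail
title = mail.example.com port 25 (tcpping)
host = mail.example.com
port = 25
slaves = rpi
```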

If you're looking for a small free solution or a larger-scale paid solution, take a look at netbeez.net. I would recommend giving their NetBeez free tier a try.


Another round of great IT web resources

Check out the new list of great IT web resources below. I've also started to use Twitter to get involved with the network/wifi community. I don't really like how Twitter works, but that's where lots of tech enthusiasts are going. The user interface on my Nexus 4 (Android) is not very intuitive, but once you figure it out, it's a great resource. The good thing is that there's not too much to figure out.

The hardest thing is getting followers, but hey, start posting worthy comments and you might catch a few followers.

Sincerely,
@jhazesnooty

IT Resource list:
chinog.org Chicago Network Operators Group
http://packetpushers.net/ You can find some great podcasts here.
http://www.packetlife.net/ There’s an extensive list of tools in the armory section.
http://www.networkstatic.net/ Great info on SDN.
http://www.selil.com/ Purdue Prof, great insight.
http://www.shanekillen.com/ Shane blogs very often. Worth the visit.
http://www.revolutionwifi.net/ A great wifi gem.

Cisco ASA 5505

[Image: ASA 5505, front]

I was recently asked by a friend to help out with a config for a Cisco ASA 5505. An additional network and VLAN had been added on the ASA 5505, and we needed AnyConnect VPN users to be able to access devices on that new network. I'm used to working with Check Point firewalls, but most firewalls function in a similar fashion. I first logged onto the ASA using the ASDM GUI. I checked the firewall rules, and access looked to be permitted between the VPN network and the new network. I was a little stumped, because it seemed that I needed a little more than just a firewall rule to allow both networks to communicate. I then consoled into the ASA and looked at the routing table. All looked good there. The ASA management interface was able to communicate with devices on both networks, so something else was missing. I then looked at the log in the ASDM GUI and saw the following message when trying to RDP into a server after connecting to the VPN:

Asymmetric NAT rules matched for forward and reverse denied due to NAT reverse path failure. An attempt to connect to a mapped host using its actual address was rejected.

I searched Cisco's site for a solution and found a few vague possible solutions. I then pinged network guru Shane to see if he could point me in the right direction. He hinted that I might need a "no nat statement". Bingo, that worked. Here's the command that I needed:

nat (vlan1) 0 access-list vlan1_nat0_outbound

In the ASDM GUI it's called a NAT exempt rule. This rule makes sure that traffic from the new internal network going to the VPN network is not NATed on its way out, which is what the NAT reverse path failure in the log was complaining about.
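The access list that the nat 0 statement references, as an added example that is not the post's own config: the interface name vlan1 is taken from the post, while the two networks are constructed placeholders.

```text
! Constructed networks (placeholders, not from the post):
!   new VLAN network behind nameif "vlan1" : 192.168.20.0/24
!   AnyConnect address pool                 : 192.168.100.0/24
!
! Pre-8.3 NAT exemption. Keep the ACL narrow: only traffic between these two
! networks skips translation; everything else leaving vlan1 is still NATed.
access-list vlan1_nat0_outbound extended permit ip 192.168.20.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (vlan1) 0 access-list vlan1_nat0_outbound
!
! Confirm the exemption is installed and, after an RDP attempt from the VPN,
! that its hit counter increments:
show nat
!
! On ASA 8.3 and later "nat 0" is gone; the equivalent is an identity twice NAT:
object network NEW_VLAN_NET
 subnet 192.168.20.0 255.255.255.0
object network ANYCONNECT_POOL
 subnet 192.168.100.0 255.255.255.0
nat (vlan1,outside) source static NEW_VLAN_NET NEW_VLAN_NET destination static ANYCONNECT_POOL ANYCONNECT_POOL
```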

Since then, I opened my Safari Books account back up for $9.99 a month, which includes 5 book slots a month. The first thing I checked out was a Cisco Press ASA book. Safari Books is a great resource for low-cost e-learning. I highly recommend you give it a try. They don't really advertise the $9.99 subscription, but if you sign up for a free trial, you can still choose the $9.99 pricing. I'm not 100 percent sure if they are still offering this to new users, but it's worth checking out. As a network administrator, it's important to know the fundamentals. Don't get stuck in the "I only know Cisco or Juniper" mode. If you know the fundamentals, then learning a new syntax and a few different config parameters is not the end of the world. After all, you don't want to limit yourself by putting a vendor name in front of your title, i.e. Cisco Network Administrator or Brocade Network Administrator. Be the "Network Administrator".


[Image: ASA 5505, back]

IPplan – IPAM (IP address management)

For those of you looking to track your IP space in something other than a shared Excel sheet, take a look at the open source IPplan. All you need is a Linux box with Apache and a few other components. Installation is not too hard. I would recommend that you access your build over HTTPS so that your login credentials are encrypted in transit. If you were using Excel, format your columns to the layout IPplan expects and export your Excel sheet to a tab-delimited file. You can then import that file into IPplan.

[Image: IPplan IP address management view]

You can easily select multiple addresses to make bulk changes, as shown above. You have all the fields you need. There's even a MAC field that's visible when you click on the IP link. I like how the change field is updated with a timestamp after a modification. This way you can see who made the latest change.

[Image: IPplan request page]

Another nice feature is the request-an-IP-address page. If you don't have a ticketing system, you can point all your internal clients to this page to submit a request for a static IP, and you can be emailed about it. You can manage DNS as well, but I haven't dug into that. Nmap can also be integrated into the system to check which IPs are in use. You can also have the system email you when IP subnets exceed a certain utilization level.

If you're interested in a fully supported paid IPAM platform, check out Infoblox. You can try out their IPAM software for free. It's highly limited compared to IPplan, but if you're looking to expand your DDI (DNS, DHCP, IPAM) services and you have a budget, this may be a better option for you.

FreeRadius multiple domains

We use FreeRADIUS to do 802.1X authentication for our wireless users. We need to authenticate users that may be in one of two domains. We have an issue trying to authenticate against the global catalog because duplicate user account names have been created in each domain. That wasn't my idea and it can't be fixed, so I have to work around the issue. One way to fix it is to have the user append the domain when they authenticate, but we don't want to make things harder for end users.

With FreeRADIUS, I was able to solve it with some unlang. I wanted to share some of the config with you. I'm assuming you have FreeRADIUS running to the point where you can authenticate against one domain via mschap. Basically, my config tries to authenticate the user against the first domain with one mschap module instance and against the other domain with a second mschap module instance. If the user fails authentication on the first domain, the second mschap instance fires off with the second domain specified.

First, I modified my mschap module, found in the file /etc/raddb/modules/mschap:

ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourFirstDomainName --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"

I then created another mschap module instance by editing /etc/raddb/radiusd.conf and adding the following inside the modules { } section:

mschap NameOfNewModule {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --configfile=/etc/samba/smb.conf --request-nt-key --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --domain=YourSecondDomainName --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

Modify your inner-tunnel virtual server, found in /etc/raddb/sites-available/inner-tunnel, with some FreeRADIUS unlang. Add both module instances to the authorize { } section:

authorize {
    ...
    mschap
    NameOfNewModule
    ...
}

Then add the following unlang to the authenticate { } section. The reject = 2 line turns a reject from the first module into a priority instead of an immediate return, so processing continues to the if (reject) check, which then tries the second domain:

authenticate {
    Auth-Type MS-CHAP {
        mschap {
            reject = 2
        }
        if (reject) {
            NameOfNewModule
        }
    }
    ...
}

Show me your dashboard…

Zenoss Core open source dashboard

[Image: Zenoss dashboard]

We use Zenoss Core (open source) to monitor our devices. We have tried Zabbix, Nagios, and Cacti, but Zenoss seems to be the easiest to manage and maintain. I can create custom SNMP templates with thresholds that are overlaid on our RRD graphs. Zenoss also lets you create email notification triggers based on the severity and threshold set on each graph template. You can see two of these custom graphs in the Zenoss dashboard image above. I'm monitoring our wireless DHCP pools and each of the Enterasys/Extreme N7 chassis slot CPUs.

I also have Weathermap installed on the Linux server that hosts Zenoss, and a link to the PNG it produces is placed on the Zenoss dashboard. Weathermap is a nice open source network visualization tool. You can create a custom network map that draws link speeds and colors based on RRD files. I pointed the Weathermap config at the Zenoss RRD files, which are located under each device's subfolder in the /opt/zenoss/perf/Devices directory.

Useful Network Admin Tools

My boss asked me to submit a list of “inexpensive” network admin tools that would be of value to assist us in managing and maintaining the wired and wireless network on campus. Here are a few tools that would be nice to have:

[Image: Throwing Star passive Ethernet LAN tap]

Check out the throwing star
The design allows for inline tapping at 10/100 speeds only. Capacitors within the circuit force the speed down to 100Mbps. Wireshark, here I come.

"Cheap" 2.4GHz/5GHz wireless CPE with spectrum analyzer

[Image: NanoStation wifi bridge/analyzer]
The Ubiquiti NanoStation AP/client wireless device will provide you with a full-blown spectrum analyzer. You would have to build your own PoE battery pack to be mobile, but the price is right: it's cheap. Remember, you get what you pay for. If you can afford something more expensive, try MetaGeek's Chanalyzer Pro software.

Raspberry Pi Remote Wifi Network Monitoring

[Image: Raspberry Pi wifi admin tool]
Buy yourself a Raspberry Pi from Adafruit. It comes with everything you need to deploy a remote monitoring agent. Load up smokeping and put it in client mode. Connect it back to your smokeping server and monitor stats like DNS, web, mail, and a host of other services. You could also load tshark and use your Throwing Star tap for a remote packet capture device. You can also use the included wifi adapter to test your wifi network in remote buildings. This would make for a great wifi admin tool.

x86 based tablet

Everyone loves tablets, but in order to run Wireshark effectively, along with a host of other applications, natively, you need an x86 device running Windows. There are a few nice tablet options out there. The Microsoft Surface Pro 2 comes in at $899 plus the cost of the keyboard. The base model includes an i5, 64GB SSD, and 4GB RAM, coming in at 2lbs. HP just released the HP Pro x2 410 G1 tablet, which comes in at $999 and includes a keyboard. You get the i5 and 4GB RAM, but a larger 128GB SSD. The weight without the keyboard comes in at 1.81lbs. The only downside is that you're limited to 4GB of RAM. I wish Apple would come out with a tablet MacBook already. I would prefer Apple because you can easily capture raw 802.11 frames without much work, and you get UNIX under the hood. Apple also gives you the ability to Boot Camp Windows as well. They are just a tad bit expensive. We will most likely end up going with HP, as it's our vendor of choice. Oh, and don't forget to buy an Ethernet dongle as well.

Enterasys 802.3ad link aggregation

Since we saved some cash by purchasing 2×2 3705i Enterasys APs instead of 3×3 APs during our AP upgrades, we were able to purchase a few other items. We picked up three Enterasys C5G 48-port PoE switches, GBICs, and a few other parts. The first thing I did after we deployed 96 APs in our dorm rooms was set up 802.3ad link aggregation with my extra GBICs from our current N3 chassis to our G3 series switch. Phase two will be to install another DFE blade in the N3 chassis and spread the link aggregation across two DFE blades.

On with the Enterasys/Extreme Networks switch commands:

1.) Egress all the VLANs you want trunked on the additional physical port. We will be setting up a lag.0.x port, and at that point the physical port's egress no longer matters, but if the LAG breaks down for some reason the physical port will still have the correct VLANs trunked. You could also make sure the single port LAG setting is enabled, but again I like to have the extra safety precautions in place.

Example:
-> set vlan egress 20 ge.4.24

2.) Egress all the proper VLANs on the LAG port. Use the "show lacp" command to view the available LAGs and to make sure that LACP is globally enabled.

Example:
-> set vlan egress 20 lag.0.1

3.) Create a unique LACP admin key to statically set which ports will be joined to the LAG.

Example:
-> set lacp aadminkey lag.0.1 20

4.) Set the same aadminkey on the physical port.

-> set port lacp port ge.4.24 aadminkey 20

5.) Run the same commands on the other switch that you will be connecting to. The aadminkey can be different on the other switch, but I like to use the same admin key on the opposite end if possible. Make sure you also have LACP enabled on the physical interfaces, then check the port's LACP status:

-> show port lacp port ge.4.24 status detail

Extreme Networks Wireless AP3705i deployment

I'm working on deploying 96 wireless access points in our student dorm rooms. We originally started with an initial deployment of 40 wireless access points. We installed the original APs in the hallways, but had signal issues due to all the HVAC in the vertical walls. Hallway installation wasn't the greatest idea to begin with, but at the time of the initial installation we had limited funding to run cables to every suite. In our new deployment, we required that contractors pull cables into certain suites. Each suite houses 4 rooms, so I decided to place an AP in every other room and staggered the APs from floor to floor. There wasn't much HVAC or piping in the horizontal flooring above or below the rooms, so signal penetration worked a lot better between the floors.

[Image: AP3705i]

For those of you asking why Enterasys (now Extreme Networks): well, we're already an Enterasys shop and house two Enterasys 5110 wireless controllers, 10Gb capable, in our data center. Enterasys wireless also has the niche of being able to push L4/QoS policies down to wireless users the same way they do on their wired gear. This makes redirecting blacklisted users through our NAC system a breeze.


I also decided to go with the Enterasys AP3705i, which is a 2×2 dual-radio MIMO access point, versus the 3×3 model. We ended up being able to double our AP count because the 3×3 radio was almost double the cost. We typically see around 65% 1×1 MIMO mobile devices, so higher AP density just ends up making more sense for us right now.

