Save yourself from insanity: Aruba Captive Portal RADIUS Accounting

I’ve been meaning to post this one for a while but got there in the end! Recently we changed our content filtering provider and one of the aims of the new system was to ensure tighter integration between the Wi-Fi controller and the filter for authentication \ identification of users.

We particularly needed the Framed-IP-Address attribute, as that’s what ties a device to a user on our particular filtering product. In theory the setup sounds fairly straightforward:

  • set up Windows Network Policy Server to handle RADIUS authentication
  • set up RADIUS authentication profile against a new Wi-Fi SSID
  • set up RADIUS accounting on the wireless controller
  • set up RADIUS accounting on the filtering server

Initially all went well and we were able to authenticate users smoothly onto the Wi-Fi network via the existing captive portal… but (and isn’t there always a but!) we saw nothing on the filtering server, just an empty void of white space where user account activity should’ve been😦

Initial troubleshooting steps

So I checked the simple things first…

  1. Check RADIUS Interim Accounting option is enabled on the AAA profile
  2. Check whether the shared secret is too complex, or was mistyped when entering it into the various config pages
  3. Ensure accounting server options in Windows NPS are configured correctly
  4. Confirm configuration of accounting server details on Wi-Fi controller
  5. Ensure ports for accounting information are set as they should be

Everything checked out correctly and authentication still worked fine despite my trying to break it, which made the accounting failure even stranger. With that in mind it was time to move on to some more in-depth troubleshooting.

Delving deeper

The next step was to see whether any accounting traffic was actually being sent, so trusty Wireshark was spooled up to watch for anything on port 1813. We saw plenty on 1812 for authentication but consistently nothing on 1813. At one stage I was beginning to wonder if the NPS server had something to do with it, but replies to my posts on the TechNet forums suggested otherwise.

A case was then opened with Aruba support, which involved upgrading the controller to the latest firmware, 6.4.2.12, before further troubleshooting could be performed. A few useful commands came out of this process; they should be run before upgrading to ensure the controller has enough resources to run the upgrade:

show memory
show storage

As an aside the upgrade did give us a nice new(er) feature called AppRF that basically brings application-level monitoring to the Aruba UI. It saves going through the firewall to find the same information and allows us to see at-a-glance where the bandwidth is going on the wireless network and to which user(s):


image credit: Aruba Networks

The update also made packet captures on the controller a bit simpler, which further proved our theory that no accounting traffic was being sent as the controller itself didn’t log anything on 1813 in its direct captures. However despite the upgrade we were still no closer to resolving the accounting issue.

The breakthrough

After escalating through various levels of Aruba support and product management one of the technical team finally found our issue, which turned out to be a deceptively simple fix. It’s a sneaky little setting squirrelled away under the name Captive Portal Check for Accounting.

The setting in question lives within the Misc. Configuration section of Security > User Roles.

You need to edit the settings of the role that is assigned as the 802.1X User Default Role for the AAA Profile associated with your RADIUS-enabled VAP (what a sentence that is!)

aruba role misc settings

Basically untick that box and everything starts working…

By default the Captive Portal Check for Accounting box is ticked and therefore accounting won’t work if the user has authenticated via a captive portal. The Aruba documentation has this to say about it:

The check-for-accounting parameter is introduced in ArubaOS 6.3.1.7. If disabled, RADIUS accounting is done for authenticated users irrespective of the captive-portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user’s role has a captive portal profile on it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user to a role which doesn’t have a captive portal profile. This parameter is enabled by default.

As soon as the box was cleared accounting information came flooding in, and I was pleasantly surprised to see how quickly the interim updates were processed too, as some vendors’ interpretations of the RADIUS accounting standards aren’t quite so amiable from what I read during my research.
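To check this at the wire level rather than by staring at an empty filter log, here is an added Python example (not code from the original post, Aruba or NPS) that decodes a RADIUS Accounting-Request the way a capture on port 1813 would deliver it: it validates the Request Authenticator against the shared secret (the mistyped-secret case from the troubleshooting list) and extracts User-Name, Acct-Status-Type and the Framed-IP-Address the filter needs. The sample packet, user name, address and secret are constructed placeholders.

```python
import hashlib
import ipaddress
import struct

# RADIUS packet code and attribute types from RFC 2865 / RFC 2866.
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
ACCT_STATUS_NAMES = {1: "Start", 2: "Stop", 3: "Interim-Update"}


def parse_attributes(data):
    """Walk the RADIUS attribute TLV list, rejecting malformed lengths."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def authenticator_is_valid(packet, secret):
    """RFC 2866 s.3: Request Authenticator = MD5(Code+ID+Length+16 zero bytes+Attributes+Secret).
    A mismatch is what a wrong shared secret looks like: the datagram arrives but is dropped."""
    expected = hashlib.md5(packet[:4] + b"\x00" * 16 + packet[20:] + secret).digest()
    return expected == packet[4:20]


def parse_accounting_request(packet, secret):
    """Decode one Accounting-Request and pull out the fields the filter needs."""
    if len(packet) < 20:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request (code %d)" % code)
    if length != len(packet):
        raise ValueError("Length field %d does not match datagram size %d" % (length, len(packet)))
    attrs = parse_attributes(packet[20:])
    status = None
    if len(attrs.get(ATTR_ACCT_STATUS_TYPE, b"")) == 4:
        status = ACCT_STATUS_NAMES.get(struct.unpack("!I", attrs[ATTR_ACCT_STATUS_TYPE])[0], "Unknown")
    framed_ip = None
    if len(attrs.get(ATTR_FRAMED_IP_ADDRESS, b"")) == 4:
        framed_ip = str(ipaddress.IPv4Address(attrs[ATTR_FRAMED_IP_ADDRESS]))
    return {
        "id": ident,
        "authenticator_ok": authenticator_is_valid(packet, secret),
        "user": attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"),
        "status": status,
        "framed_ip": framed_ip,  # None means the filter cannot tie the device to the user
    }


def build_accounting_request(ident, secret, user, framed_ip, status_type):
    """Constructed sample builder (not controller output) so the parser runs offline."""
    values = [
        (ATTR_USER_NAME, user.encode("utf-8")),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status_type)),
    ]
    attrs = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in values)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + auth + attrs


if __name__ == "__main__":
    # Constructed interim update; secret, user and address are placeholders.
    pkt = build_accounting_request(7, b"example-secret", "jsmith", "10.20.30.40", 3)
    print(parse_accounting_request(pkt, b"example-secret"))
    print(parse_accounting_request(pkt, b"wrong-secret")["authenticator_ok"])
```

A live check is the same call fed with datagrams read from a UDP socket bound to port 1813.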

It was certainly a voyage of discovery to get to the solution, but we have gained a few new features along the way and I’ve also become well acquainted with the ArubaOS CLI for troubleshooting purposes, so the process has added some valuable knowledge too:)

Video streaming update and a visit to BVE 2016


This week I was able to visit the BVE expo to have a look for the next generation of video mixing and streaming equipment for our media block. There was plenty on show, including an interesting talk on using drones in TV production that drew quite a crowd!

It’s really interesting to see how networking and video technologies are converging and definitely something I’d like to do more work with in the future.

Our equipment is used by students in their classes as well as for projects such as HC Radio and our yearly Havering Asks TV programme. The visit also reminded me to write a little about some of the new kit we used in our recent productions.

vMix updates

After using the free version of vMix for the video stream of HC Radio we decided to purchase the vMix HD edition for video production use. The additional inputs and extra features such as Video list were what we needed to add pre-recorded content into the live show production.

Ref: http://www.vmix.com/purchase/

One thing we found with the video list is that the UI started to lag when we loaded 20+ videos into vMix. A workaround from the support team was to use VLC to generate a playlist and load the content in that way instead. End output was the same but this method seemed a lot more CPU friendly. We’ll need to check this again as new versions of vMix are released.

We’ve also since found out about the free vMix Social plugin which will allow live updates to be posted as on-screen graphics so will be trying that out next time round as well.

Planet-eStream

For those wanting to record the output to Planet eStream use either of these methods, credit to eStream support for the below as they were testing vMix around the same time we did. Great minds and all that:)

1) In vMix there is an option for ‘External’ at the bottom. If you go to the settings next to ‘External’ and then to ‘Outputs’, make sure that Recording/External is set as the output and all overlays are selected. Now when you click ‘External’ and it goes red you can open an instance of the encoding application on the same machine, and there will be a video device called ‘vMix Video’; this will allow you to record the output window of vMix.

2) Stream it through eStream by editing the settings next to ‘Stream’ at the bottom. You can create a custom RTMP server. The settings will be:
Server: rtmp://svrestream/HCBcast
Stream Key: vMix

Now you can go to the encoder machine on another PC and use a network video source. Use the URL rtmp://svrestream/HCBcast/vMix; please note that capitalisation is important.

vMix GO

This is one of the new (to me anyway!) products I spotted at BVE today. It’s a self-contained, portable production system with all the inputs etc. you need, integrated with a suitably powerful PC and vMix Pro included. It provides an interesting alternative to the Blackmagic Design kit I also went to see today, which is hardware-based rather than following vMix’s software approach.

Streaming across multiple locations

One of the new requirements for Havering Asks 2015 was to provide an additional video source so we could transition between the live show taking place in our performance area “The Space” as well as our TV studio in the media block. vMix would then be used to mix the inputs and provide the stream to our YouTube channel.

Given that the two buildings are at opposite ends of the college it was a pretty simple decision that we needed to use the network to get video from one place to the other. The question was how best to do it. We also wanted to use whatever solution we found for future events, so it needed to be robust and easy to set up going forward.

From a cost perspective we thought of using a PC \ laptop but after adding an external capture card the solution seemed rather clunky. There’s also a fair bit to go wrong and once you put all the hardware prices together it’s not particularly cost-effective either. We then moved onto dedicated streamers to see what was available and looked at a couple of different products:

I liked the look of the Teradek, and the output LCD would have made it easy to use with DHCP as we could easily spot what address it had obtained as it gets moved around. Unfortunately it’s HDMI only and was the most expensive of the three options. It also turns out not to be supported with Planet eStream, so we continued on to the other options.

The unbranded Chinese device did its basic job of streaming but, as is often the case with these no-name products, had some odd firmware issues that meant we couldn’t 100% trust it. The main one was with DHCP, where the stream output link seemed to stick with the previous address it had been assigned rather than the current lease. This presented a problem for us, as setting up a static address each time we wanted to stream would add an extra administrative burden.

Now we come to the NVS-25, which does a great job of offering lots of flexibility at a great price:

  • SDI, HDMI and composite video inputs
  • RCA and XLR audio inputs
  • multiple streaming protocols
  • USB port for recording of video stream

The multiple inputs are particularly good as it means we can use our current hardware over SDI \ CVBS and then in future have the flexibility to move to HDMI should we want to.

I had a look around BVE for similar devices and was rather pleased to see one of the suppliers rate it as the best device for feature set in its price range; always a relief to hear we chose wisely!

Experiences with the NVS-25

We learnt a few things from setting up and using the Datavideo device, so here are a few lessons learned to save anyone else the trouble:

Networking

The IP scanner utility is very handy and helps get up and running quickly.
I hear that an NVS-30 is on the cards and if Datavideo can get a screen on the new product it’ll be even better!

Storage

The front USB port should only be used with USB sticks or, at a push, SSD drives on an adapter. It won’t run USB hard drives that don’t have their own external power, and the side effect is that the encoder will freeze up until you do a hard power off and disconnect the offending drive. The media should also be formatted as FAT32.

Firmware

Update the firmware to the latest version as there are bugs in previous versions relating to how streams are presented. We had problems getting an RTSP stream into vMix due to incorrect header information in the stream. Apparently from what I was told at BVE an update has since been released to resolve this. As a workaround we changed over to RTMP instead, which worked OK.

Datavideo NVS-25 in action connected up to our mixing desk

Whilst on the Datavideo stand their tablet-oriented autocue caught my eye. Again rather reasonably priced it syncs the script with multiple devices and allows central control from another station wirelessly. Perhaps one for the 2016 productions:)


Activate Office 365 Education email encryption using your free Azure RMS licenses

In order to meet Data Protection requirements for sending data to external recipients we needed to find a method of providing encrypted email functionality for our users. In Office 365 this is provided as a native feature via Azure Rights Management Services.

I vaguely remembered seeing something a while back about these licenses being available at zero cost and sure enough soon found a link confirming this as part of the plan changes that also brought us eDiscovery features.

Ordering licenses

In a similar vein to how the Student Advantage licenses were made available, you’ll need to ask your EES reseller to get them activated against your O365 tenancy. For reference here are the names and part numbers of the licenses you’ll need:

azure-rms-order

Assigning licenses

Once the order has been assigned you’ll need to add the license to any user you want to be able to use the RMS features i.e. in our case anyone who needs to send an encrypted message. If you’re using the GUI look for this:

azure-rms-o365-license

Given the number of users to assign licenses to the quickest way was via PowerShell, using a variation on the script that originally assigned our student licenses.

Tip: I initially scared the living daylights out of myself when checking which licenses were assigned after I’d run the update script, as it appeared users no longer had their Office 365 licenses.
The script (below) uses column position [0] to search the field AccountSkuID, which is all well and good until your users have multiple licenses assigned and, for whatever reason, they aren’t all listed in the same order (!)

I ended up having to run this code twice, once with Licenses[0] and again with Licenses[1] to pick up all the staff accounts, then checked a few random samples in the GUI for good measure:

Get-MsolUser -All | select UserPrincipalName,Licenses | Where-Object {$_.Licenses[0].AccountSkuID -eq "YOURORG:STANDARDWOFFPACK_FACULTY"} | Set-MsolUserLicense -AddLicenses "YOURORG:RIGHTSMANAGEMENT_STANDARD_FACULTY"

Once done I then ran Get-MsolAccountSku and confirmed the numbers matched up.
The number of Office 365 licenses assigned to each staff user is now 3:

  • Office 365 Education
  • Office 365 ProPlus
  • Azure RMS

I’ve since found this very handy looking GUI license assignment tool via the Office 365 Yammer group which may make any further bulk maintenance tasks a bit less scary:)

https://gallery.technet.microsoft.com/office/Office365-License-cfd9489c

Usual disclaimer applies, be very careful running license update scripts, especially in bulk!

Configuring Azure RMS and Office 365 Message Encryption (OME)

Now your users are licensed jump into the Admin Portal > Service Settings > Rights Management then follow this excellent guide to switch on Azure RMS, then configure Office 365 Message Encryption.

http://office365support.ca/setup-and-enable-office-365-message-encryption/

There’s not much else to say for this step as the guide is spot on:)

Once you’ve set up a Transport Rule in Exchange settings sending yourself a test email with the keyword(s) you specify will generate this at the recipient’s end (sample screenshot of the message arriving in a GMail inbox).

ome-email

OneDrive storage saga.. Microsoft sees sense at last

After making a monumentally stupid decision to claw back storage space from consumer OneDrive accounts it seems Microsoft have finally seen the light and relented on their decision… in part anyway.

Logging in this evening I spotted an interesting looking email from the Uservoice forum. Basically Microsoft have done what they should’ve in the first place and left long-term users’ current storage alone.

The backtrack on “unlimited” space has stayed in place though, which isn’t surprising really given how it was being used.

Unfortunately Microsoft have done themselves a lot of reputational damage in what they had left of the consumer space. This announcement is the first step in getting some pride back but judging by the comments it may be a bit too late to regain the trust of many contributors on the site.

Like most I signed up to Google Photos after the announcement but now end up in a better position having backups across both services so in a roundabout way it’s worked out well!

Many said that Microsoft wouldn’t go back on their policy but it just goes to show if enough people speak up it can make a difference… unless you take the more cynical view that this whole show is just a way of managing opposition to the reversal of the “unlimited” promises of barely a year ago😉

onedrive email

If you currently have 15GB loyalty and \ or 15GB camera roll storage make sure you visit the link below asap to claim back your storage. Once done you should see the screens below:)

http://aka.ms/onedrivestorage

onedrive-storage

onedrive-storage2

For more commentary on the climbdown head over to the links below:

Ref: http://www.theregister.co.uk/2015/12/11/microsoft_onedrive_reduces_free_storage/
Ref: http://arstechnica.com/information-technology/2015/12/microsoft-to-give-back-some-of-the-free-onedrive-storage-its-taking-away/

Header image credit – Chris Marquardt
https://www.flickr.com/photos/nubui/9550939064

Office 365 service outage


As many of you are experiencing right now Microsoft have had a major issue in Azure AD that has affected the Office 365 platform.

We can’t get to the Service Status page as it’s stuck behind the login page (!) but the Azure status page seems to be the best source of information at present:

Ref: https://azure.microsoft.com/en-us/status/#current

azure status

The outage seems to have some relation to the random issues we were seeing on DirSync in the last day or so, receiving messages stating “The following errors occurred during synchronization:” but with an empty Error Description field.

Ref: https://social.msdn.microsoft.com/Forums/en-US/2050fdd2-2392-4a93-aeb2-ac0c1120d314/aadconnect-identity-synchronization-error-report?forum=windowsazuremanagement

More to follow…

Not the best week for my Android

Although I’m a huge Android fan the past week or so hasn’t been too kind to my HTC One M8, which up until now has been spot on in terms of both hardware and software.

Just in case anyone else experiences the same issues I decided to post this to at least make the problem solving process a bit less painful…

OK Google? O… K Google? Oh…

My favourite feature since getting the M8 (just pipping the IR remote) is Google Now and particularly the “OK Google” voice activation. Having an almost-natural voice interface with the device is something that makes me feel like “the future” has arrived, as well as coming in very handy in the car for navigation, music playback etc.

Unfortunately the Play Store forced down a bunch of updates recently and now the activate from any screen system has stopped working😦

Ref: https://productforums.google.com/forum/#!topic/websearch/jvUlugguDBY

Seems like I’m not the only one it’s affected judging by the slew of comments on the Google forums. The last couple of posts suggesting it’s fixed in the latest beta look promising at least – hurry up Google and get this fixed!

Wi-Fi in slow-motion

Around the same time I’d also noticed loading web pages on my home Wi-Fi had gone back to 56k speeds, or even worse just timing out. For a day or so I just switched to 4G as a workaround but tonight had to try and figure out what was going wrong. After a bit of Googling this struck a chord:

Ref: http://forums.androidcentral.com/htc-one-m8/565952-app-causing-slow-wifi.html

Indeed as soon as I disabled the Bluetooth connection everything went back to normal. I don’t usually have it turned on but since using Android Auto (more on that soon) Bluetooth tends to get left on when I get out the car. May need to invest in some NFC tags and use the Trigger app to control this.

BlinkFeed replacement

One HTC-specific feature I’ve grown to like is BlinkFeed. Initially I dismissed it as a nuisance taking up precious home screen space, but as content started rolling in I started spotting some interesting items that I wouldn’t normally see through traditional browsing methods.

With social network updates mixed in as well it became a really useful at-a-glance content consumption method. Needless to say I don’t like the sound of the replacement if the article below about ad-related content is true:

Ref: http://forums.androidcentral.com/htc-one-m9/607607-news-republic-app-replacing-blinkfeed-awful.html

The joys of continuous updates and a quick word on OneDrive

At least two of the issues above come as a result of the continual release cycle we now find ourselves in these days with cloud-first software and services. On one hand getting new features is good but when the releases break (or even worse remove) key functionality then it’s a very different end-user experience.

It would be nice if Google etc. held their hands up when bugs are found to remove the uncertainty over whether it’s one particular device \ installation at fault or if users are suffering from update-related issues; I for one would value the honesty of saying “it’s broken but we’re fixing it” over saving face and staying silent. Fortunately blogs and forums often step in to fill the gap.

Still, at least none of these issues are in the same league as Microsoft’s ludicrous bait-and-switch OneDrive retrospective storage downgrade on its consumer user base. I’m moving all my backups onto Google Photos right now, then dispensing with OneDrive for personal use once the storage limits are applied early next year.

It’s a real shame as I’ve been using the product right from its early SkyDrive days so in my case the reversal from 40GB (15GB + 10GB loyalty + 15GB camera roll) down to 5GB is a real kick in the teeth. At the start of the year I was likely to move up to the paid plan once I went over my last couple of GB but there’s no chance of that now.

40GB
enjoy it while you can…

Fortunately the same stupidity hasn’t been applied to Education (OneDrive for Business) users, which is probably the only bit of good news to come out of the debacle. Ironically all this happened the same week the much-improved (and long overdue) new UI arrived on our O365 tenancy. A real shoot-yourself-in-the-foot moment from Microsoft I feel (as do many, many others).

Ref: https://onedrive.uservoice.com/forums/262982-onedrive/suggestions/10524099-give-us-back-our-storage

Microsoft still has time to reverse this before they lose whatever goodwill they had left among consumers but the clock is ticking…

2016… the year of monetisation of the cloud?

What is interesting about the OneDrive move is that Microsoft have effectively blinked first in the game of which provider stops giving more to consumers. In this case MS have gone one step further and will be actively taking away what we already have.

With enhanced ad-blocking features moving across platforms onto iOS and suchlike I wonder if 2016 may be the year the big cloud players start pushing the boundaries to see how far they can go with monetising their services. This is one prediction I’ll be very happy to see turn out wrong!

Tools of the trade

Because the list of all the best little tools and utilities only gets larger over time I’ve decided to take it out of my head and start writing them out in a post here.

It works well for me as there’s somewhere to refer back to, and hopefully works well for anyone reading this too, as a way to discover something very handy that may not yet have crossed your path.

I’ve tried to split into categories so skip to the one that’s most relevant. The list is by no means exhaustive so I’ll keep adding more as I remember or discover them:)

Hobbyist

Like to create your own electronics? Look no further…

Multimedia

Tools for video, audio etc.

Network & Server

Local and online utilities for your day-to-day networking needs

Scripting

Development tools and reference

System

An assortment of tools for your local machine

Web

Web development tools

Disclaimer: although I’ve used all the tools in the list and recommend them due to their effectiveness and usually zero cost be aware that they may not stay that way forever! Keep a local copy of any program you find especially useful and always watch installers carefully in case the developer decides to go down the adware-supported route at some point in the future. Forewarned is forearmed…

Image credit: Icons8 https://icons8.com
