Save yourself from insanity: Aruba Captive Portal RADIUS Accounting

I’ve been meaning to post this one for a while but got there in the end! Recently we changed our content filtering provider and one of the aims of the new system was to ensure tighter integration between the Wi-Fi controller and filter for authentication \ identification of users.

We particularly needed the framed-ip-address attribute as that’s used to tie a device to a user on our particular filtering product. In theory the setup sounds fairly straightforward:

  • set up Windows Network Policy Server to handle RADIUS authentication
  • set up RADIUS authentication profile against a new Wi-Fi SSID
  • set up RADIUS accounting on the wireless controller
  • set up RADIUS accounting on the filtering server

Initially all went well and we were able to authenticate users smoothly onto the Wi-Fi network via the existing captive portal… but (and isn’t there always a but!) we saw nothing on the filtering server, just an empty void of white space where user account activity should’ve been 😦

Initial troubleshooting steps

So I checked the simple things first…

  1. Check RADIUS Interim Accounting option is enabled on the AAA profile
  2. Check if shared secret is too complex \ typo when entering it into various config pages
  3. Ensure accounting server options in Windows NPS are configured correctly
  4. Confirm configuration of accounting server details on Wi-Fi controller
  5. Ensure ports for accounting information are set as they should be

Everything checked out correctly and authentication still worked fine despite me trying to break it, which made accounting failing even more strange. With that in mind it was time to move onto some more in-depth troubleshooting.

Delving deeper

Next step was to try and see if any accounting traffic was actually being sent so trusty Wireshark was spooled up to watch traffic for anything on port 1813. We saw plenty on 1812 for authentication but consistently nothing on 1813. At one stage I was beginning to wonder if the NPS server had something to do with it but replies to my posts to TechNet forums suggested otherwise.

A case was then opened with Aruba support which involved upgrading the controller to the latest firmware, 6.4.2.12, before further troubleshooting could be performed. A few useful commands came out of this process, which should be run before upgrading to ensure the controller has enough resources to run the upgrade:

show memory
show storage

As an aside the upgrade did give us a nice new(er) feature called AppRF that basically brings application-level monitoring to the Aruba UI. It saves going through the firewall to find the same information and allows us to see at-a-glance where the bandwidth is going on the wireless network and to which user(s):


image credit: Aruba Networks

The update also made packet captures on the controller a bit simpler, which further proved our theory that no accounting traffic was being sent as the controller itself didn’t log anything on 1813 in its direct captures. However despite the upgrade we were still no closer to resolving the accounting issue.

The breakthrough

After escalating through various levels of Aruba support and product management one of the technical team finally found our issue, which turned out to be a deceptively simple fix. It’s a sneaky little setting squirrelled away named Captive Portal Check for Accounting.

The setting in question lives within the Misc. Configuration section of Security > User Roles.

You need to edit the settings of the role that is assigned as the 802.1X User Default Role for the AAA Profile associated with your RADIUS-enabled VAP (what a sentence that is!)

(screenshot: Aruba user role Misc. Configuration settings)

Basically untick that box and everything starts working…

By default the Captive Portal Check for Accounting box is ticked and therefore accounting won’t work if the user has authenticated via a captive portal. The Aruba documentation has this to say about it:

The check-for-accounting parameter is introduced in ArubaOS 6.3.1.7. If disabled, RADIUS accounting is done for authenticated users irrespective of the captive-portal profile in the role of an authenticated user. If enabled, accounting is not done as long as the user’s role has a captive portal profile on it. Accounting will start when Auth/XML-Add/CoA changes the role of an authenticated user to a role which doesn’t have a captive portal profile. This parameter is enabled by default.

As soon as the box was cleared accounting information came flooding in and I was pleasantly surprised to see how quick the interim updates were also processed, as some vendors’ interpretations of the RADIUS accounting standards aren’t quite so amiable from what I read during my research.

Was certainly a voyage of discovery to get to the solution but we have gained a few new features along the way and I’ve also become well acquainted with the ArubaOS CLI for troubleshooting purposes, so the process has added some valuable knowledge too 🙂

Office 365 DirSync experiences: synced OUs and user deletion


We experienced an interesting situation the other day with DirSync that doesn’t seem to be documented elsewhere, so thought I’d write it up here for future reference in case anyone hits the same issue…

Our Active Directory is set up to sync users to Office 365 via specific OUs, rather than the entire directory (that includes system users and so on).

In our case we sync staff, students and a spare holding container. This has worked well for us until now with no need for any intervention and users appear in Office 365 once created in AD.

Ref: http://office365support.ca/directory-synchronization-filtering-ous-to-synchronize-to-office-365/

Deletion threshold

We also set up the “prevent accidental deletes” threshold to ensure we had a safeguard in place should a mass deletion event occur. In our case we went for 50 as our limit, which in day-to-day use tends to be about right.

Set-PreventAccidentalDeletes -Enable -ObjectDeletionThreshold 50

Sometimes we have to temporarily raise (then reset) the threshold if a batch of student accounts expire at once but it’s something we don’t need to do that often.

Ref: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=596

Our situation

The trigger for our particular issue was related to a scheduled database job experiencing an error, which led to a batch of users being moved from a synced OU in Active Directory to one that holds expired accounts and as such wasn’t ticked in the Management Agent in DirSync.

As a result on the next run DirSync acted as you’d expect it to and tried to delete the affected accounts from Office 365. Fortunately the PreventAccidentalDeletes threshold kicked in as it should and stopped the action from taking place, then sent a warning to our Network Support email group.

What happens next?

Microsoft have a lot of documentation on setting up the threshold to prevent accidental deletes but don’t expand on the various situations that could cause sync deletions and how to resolve them. For instance, the link below talks only about accounts being deleted from the source Active Directory but this didn’t apply to us; our accounts were still there but had ended up out of scope due to being moved.

Ref: http://social.technet.microsoft.com/wiki/contents/articles/24544.dirsync-how-to-avoid-syncing-accidental-deletes-to-the-cloud-directory.aspx

We resolved the initial issue and moved the affected accounts back into scope via their original OU; however DirSync still wanted to remove the accounts. We ran the standard sync command line…

Start-OnlineCoexistenceSync

…but to no avail. After each run the warning email was still being sent, with the same number of users to be deleted. We also noticed that any new account creation seemed to be stuck in limbo until we either resolved the situation or raised the threshold (second choice wasn’t an option!)

Searching around for suggestions didn’t give much away, although this older article did spark a thought in my head

Ref: https://exitcodezero.wordpress.com/2013/04/29/how-to-force-dirsync-to-perform-full-synchronization/

The point about DirSync running Delta syncs made sense in our context; basically the sync engine was no longer looking for the affected accounts because on the next Delta sync it would assume they’d been deleted. What I suspected we needed was some sort of Full Sync that would look at all accounts and then decide what to do with each one.

Resolution

At this point although the theory made sense I didn’t want to take any chances so raised a ticket with Microsoft Support to explain the issue. To be fair to Microsoft the speed of response from their support team was excellent and we were soon on a remote session with an engineer.

Initially the suggestion was to re-run the DirSync configuration wizard and start a Full Sync that way. However I didn’t want to do this as we’d made quite a few custom attribute mappings (for GAL separation etc.) and I didn’t want to re-do all of that if at all possible.

The Microsoft support engineer then said he’d trigger a Full Sync another way and opened up PowerShell to run a slight variation on the usual command…

Start-OnlineCoexistenceSync -FullSync

The process took about 10-15 minutes to complete but the next email we received showed the deletion threshold had gone right down, to a level we’d expect. We were able to verify that the accounts left to be deleted were expected (expired accounts) so we then raised the threshold, ran another sync and set it back to 50. New users in the queue were then created as expected and all was calm again in the office 🙂

Disclaimer: the information and commands above worked in our situation but are provided for reference only. Given the business-critical nature of mass user account changes in Office 365 I’d always recommend opening a case with Office 365 support before doing anything that could have potentially nasty side-effects!

Dropbox and WPAD auto proxy detection

We recently changed our proxy configuration method from manual settings to auto detect to fix some issues we were having with an Outlook bug affecting Office 365 Autodiscover. Unfortunately, around the same time Dropbox seemed to stop working.

After doing some testing I found that I could do either of the following to get it to work using version 2.6.2 from the Dropbox website:

  1. Set proxy manually in Windows, Dropbox set to auto
  2. Leave proxy as auto detect in Windows, set Dropbox manually

In the latter situation a valid login has to be made after the proxy configuration otherwise Dropbox will reset itself back to default (auto) settings and any further logons will fail.

A bit of research led me to the Dropbox forums where it turns out there’s another build available with new features that haven’t yet made it to the stable branch. Version 2.7.38 contains WPAD support. The Dropbox staff on there are helpful and replied quickly which is always good to see if you have any other queries.

I downloaded the slightly updated version 2.7.39 and deployed it via ZENWorks using the /S switch to make the installation (mostly) silent. Users still have to accept a UAC prompt which is a pain but can’t be helped. Logging in with the updated version brings up a login screen straight away with Windows and Dropbox proxy set to auto and we’re away 🙂

We also add an explicit entry in our WPAD file to ensure Dropbox goes via the proxy, it might not be absolutely necessary but removes all doubt about where the traffic is going which can never be a bad thing (replace X.X.X.X with your proxy server IP address)

/* Send Dropbox traffic explicitly via the proxy */
if (shExpMatch(url, "*dropbox.com*")) {
    return "PROXY X.X.X.X:8080";
}
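The rule above placed in a complete PAC file, as an added example that is not part of the original post. It includes a small Node shim for the PAC helper functions (`shExpMatch`, `dnsDomainIs`) so the rules can be exercised from the command line rather than only in a browser, and sits the as-posted URL glob beside a host-based variant of the same rule. "X.X.X.X" is the proxy placeholder from the post; "example.internal" and the DIRECT policy for internal hosts are constructed for the example.

```javascript
// Added example, not part of the original post: the Dropbox rule inside a
// complete PAC file, with a small Node shim for the PAC helper functions so the
// rules can be exercised outside a browser. "X.X.X.X" is the proxy placeholder
// from the post; "example.internal" is a constructed intranet domain.
const PROXY = "PROXY X.X.X.X:8080";

// --- shims for the PAC helpers the browser normally provides ----------------
// shExpMatch: shell-style glob, where * matches any run and ? any one character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
// dnsDomainIs: true when the host ends with the given domain suffix.
function dnsDomainIs(host, domain) {
  return host.toLowerCase().endsWith(domain.toLowerCase());
}
// Constructed local policy: single-label names and *.example.internal go direct.
function isInternal(host) {
  return host.indexOf(".") === -1 || dnsDomainIs(host, ".example.internal");
}

// Variant 1: the rule exactly as in the post, globbing over the whole URL.
function findProxyByUrlGlob(url, host) {
  /* Send Dropbox traffic explicitly via the proxy */
  if (shExpMatch(url, "*dropbox.com*")) { return PROXY; }
  if (isInternal(host)) { return "DIRECT"; }
  return PROXY;
}

// Variant 2: same intent keyed on the host name, so only Dropbox hosts match
// and a URL that merely contains the text "dropbox.com" is routed by its own host.
function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  if (h === "dropbox.com" || dnsDomainIs(h, ".dropbox.com")) { return PROXY; }
  if (isInternal(h)) { return "DIRECT"; }
  return PROXY;
}

if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["https://www.dropbox.com/home", "www.dropbox.com"],
    ["https://intranet.example.internal/wiki?ref=dropbox.com", "intranet.example.internal"],
    ["http://fileserver/share", "fileserver"],
  ];
  for (const [url, host] of cases) {
    console.log(url, "->", findProxyByUrlGlob(url, host), "|", FindProxyForURL(url, host));
  }
}
```

Only the `FindProxyForURL` function (and whichever rule you settle on) belongs in the real wpad.dat; the shims and the `require.main` block are there so `node` can run the file. The second test URL is the point of the comparison: the glob over the whole URL sends an internal page to the proxy because "dropbox.com" appears in its query string, while the host-based match leaves it DIRECT.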

What does 2011 have in store?

Merry New Year to all, hope you all had a good break 🙂

Just been thinking about what this year has in store… as always it seems to get busier than ever!

  • moving to Moodle 2.0, probably in the summer (hopefully we might be on the 2.1 release by then). This is going to need a lot of work beforehand though to get a theme to match \ improve on our current one. I also want to start from a fresh base so will have to recreate all our website content on there as well
  • teaching materials repository for Moodle, probably fits in with 2.0 with its repository feature. Alfresco seems to be a name popping up a lot at the moment so will keep an eye out on that front
  • Mahara integration, looking to get this set up soon with Moodle SSO to see how we can use it with our tutors
  • making the decision on the future of Live@Edu on our VLE… depends very much with what Microsoft come up with at our next education meeting with them. If there’s no Moodle 2.0 support promised then I guess it’ll be bye bye to Live@Edu and hello Google Apps…

That’s quite a list just on the e-Learning side of things, on the tech side it’s just as busy…

  • Server virtualisation project to go ahead in summer, deciding on VMware vs Hyper-V, which SAN etc plus the small matter of migrating everything over. At the same time we also need to decide whether to continue with our dual networks or if the time has come to merge it all together
  • Move to Server 2008 R2 from 2003… after the virtualisation is done this will be on the cards, we can’t move as yet due to lack of driver support but once we’re virtualised we can move upwards, which also helps with…
  • …looking at Windows 7 on the desktop for our classroom and admin machines and probably an Office 2007 > 2010 update as well
  • Once servers are virtualised VDI will be the next thing to keep an eye on, some machines coming up to 5yrs old could be a candidate for testing VDI as a replacement

So all in all not much to do then!

And finally…

Just bought myself the first new toy of 2011

Time to see just how quick it is when I get home… should make startup speeds lightning fast!

SCCM Installed

Finally beginning the transition from trusty SMS 2003 to a new shiny SCCM R2 setup, moving over so we have a supported way of deploying Windows 7 when it comes to it plus a few other enhancements and the option of multicast imaging (although only once we move to Server 2008)

SCCM is going on a new server with a new site code so we can keep SMS right up until the moment we switch the boundaries over. Install went pretty smoothly yesterday apart from one or two well trodden issues…

  • Extending the schema, went well apart from 3-4 items that were giving an 8202 error. Nice easy fix for this… force a replication between DCs in AD Sites and Services then re-run extadsch.exe and all is good.
  • System Management container rights… new server computer account needs access here, sometimes SCCM still moans and you have to look for the objects inside it that are giving the errors and set the security manually there as well.

Now at the point where I need an image to capture to continue the testing process and set up the Task Sequences etc.

This very well written step by step guide is probably the ultimate for SCCM imaging…

http://blogs.technet.com/b/configurationmgr/archive/2009/07/27/a-step-by-step-for-using-osd-through-system-center-configuration-manager-2007.aspx

And this looks very handy to emulate the function in SMS 2003 OSD asking for the computer name for new bare metal systems…

http://blogs.catapultsystems.com/javery/archive/2009/01/23/have-os-deployment-ask-for-a-computer-name.aspx

We’ve enabled Unknown Computer support as we want quick and easy bare metal builds without creating Computer Associations so if all goes fine we’re well away. Then it’s time to play with MDT and a single Windows 7 image for multiple HALs and hardware types.