Tuesday, September 24, 2013

Cisco AP1141N (Aironet 1140 series) Access Point With 3 SSIDs and VLANs

N.B. The Cisco AP1141 access point will be end of life very soon

I had a scenario recently where I had to set up one of these access points to service three different SSIDs with one VLAN per SSID - with two SSIDs using WPA personal and the third unencrypted.
Each SSID/VLAN was on a subnet with a DHCP server, so I did not need to use DHCP pools or DHCP relay on the access point.

Here's the config I came up with (I'm skipping the non-relevant configuration). Note that the single gigabit interface on this access point was plugged into a trunk port on a Dell PowerConnect 3448P PoE switch, with 501 set as the native VLAN (switchport trunk native vlan 501).

SSID1 = myssid1 running on VLAN 501 (bridge group 1)
SSID2 = myssid2 running on VLAN 601 (bridge group 60)
SSID3 = myssid3 running on VLAN 701 (bridge group 70)

! Build the first SSID on VLAN 501
dot11 ssid myssid1
   vlan 501
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyComplexKeyHere
!
! SSID 2 - this SSID has no encryption
dot11 ssid myssid2
   vlan 601
   authentication open
   mbssid guest-mode
!
! SSID 3 on VLAN 701
dot11 ssid myssid3
   vlan 701
   authentication open
   authentication key-management wpa
   mbssid guest-mode
   wpa-psk ascii 0 myReallyReallyComplexKey
!
! The radio: one encryption line per encrypted VLAN, then attach the SSIDs
interface Dot11Radio0
 no ip address
 no ip route-cache
 !
 encryption vlan 501 mode ciphers aes-ccm
 !
 encryption vlan 701 mode ciphers aes-ccm
 !
 ssid myssid1
 !
 ssid myssid2
 !
 ssid myssid3
 !
 antenna gain 0
 ! We need to broadcast multiple SSIDs
 mbssid
 station-role root


! now the interfaces, remember that VLAN 501 is the native VLAN on the trunk port on
! the switch

interface Dot11Radio0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
!
interface Dot11Radio0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
!
interface Dot11Radio0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! remember, no IP for the actual ethernet interface. Save the IP for the BVI interface
interface GigabitEthernet0
 no ip address
 no ip route-cache
 duplex auto
 speed auto
 no keepalive

 ! here's our native VLAN 501, untagged - myssid1
interface GigabitEthernet0.501
 encapsulation dot1Q 501 native
 no ip route-cache
 bridge-group 1
! and here is myssid2
interface GigabitEthernet0.601
 encapsulation dot1Q 601
 no ip route-cache
 bridge-group 60
! and now, myssid3
interface GigabitEthernet0.701
 encapsulation dot1Q 701
 no ip route-cache
 bridge-group 70

! Now, we set the management address:

interface BVI1
 ip address 10.1.1.240 255.255.255.0
 no shut


That's basically it. I highly recommend testing by isolating this on a standalone switch. Plug a DHCP server into another port, in access mode, and switch VLANs on that port and see if your wireless devices get a DHCP address. Of course, you may want to enable more complex authentication methods.
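
A consistency check for this layout, as an added example that is not part of the original post: the Python below parses a config in the shape shown above and reports SSIDs with no key management, PSKs left as type 0 (cleartext) in the config text, and VLANs whose radio and Ethernet subinterfaces are not in the same bridge group. The function name audit, the SAMPLE config and its key are constructed for illustration, and the radio is assumed to be Dot11Radio0 as in the post.

```python
import re
# Constructed sample; myssid2's wired subinterface is in the wrong bridge group.
SAMPLE = """\
dot11 ssid myssid1
   vlan 501
   authentication key-management wpa
   wpa-psk ascii 0 constructedKey
dot11 ssid myssid2
   vlan 601
interface Dot11Radio0.501
 bridge-group 1
interface Dot11Radio0.601
 bridge-group 60
interface GigabitEthernet0.501
 bridge-group 1
interface GigabitEthernet0.601
 bridge-group 61
"""

def audit(config):
    """Return findings for an AP config that uses the SSID/VLAN/bridge-group layout."""
    ssids, bridge, section = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and comments without leaving the section
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(dot11 ssid|interface) (\S+)", line)
            section = m.groups() if m else None
            if m and m.group(1) == "dot11 ssid":
                ssids[m.group(2)] = {"vlan": None, "keymgmt": False, "psk0": False}
        elif section and section[0] == "dot11 ssid":
            s = ssids[section[1]]
            if line.startswith("vlan "):
                s["vlan"] = line.split()[1]
            s["keymgmt"] |= line.startswith("authentication key-management")
            s["psk0"] |= line.startswith("wpa-psk ascii 0 ")
        elif section and line.startswith("bridge-group "):
            bridge[section[1]] = line.split()[1]
    findings = []
    for name, s in ssids.items():
        if not s["keymgmt"]:
            findings.append(f"{name}: no key management (open SSID)")
        if s["psk0"]:
            findings.append(f"{name}: PSK is type 0 (cleartext) in this config")
        radio, wired = (bridge.get(f"{i}.{s['vlan']}") for i in ("Dot11Radio0", "GigabitEthernet0"))
        if radio is None or radio != wired:
            findings.append(f"{name}: VLAN {s['vlan']} bridge-group mismatch radio={radio} wired={wired}")
    return findings
```

A mismatch finding means wireless clients on that SSID would be bridged onto a different wired VLAN than intended, or onto none.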


Wednesday, September 18, 2013

Restarting Remote Desktop on Windows 2003

N.B. This entry pertains to the 2 seat terminal services instance that is enabled by allowing remote access in the system applet and not regular terminal services

In order to do this, you really need to restart the terminal services service, but it will be grayed out. You'll need to kill the appropriate svchost entry for terminal services.

1. Find the process ID of the svchost entry for terminal services:

tasklist /svc | findstr /I termserv

An example output listing (note the process ID of the entry):

svchost.exe       8760  TermService

2. Kill off the service using the PID above (in this instance, 8760 - your PID will vary!). You'll need to forcefully kill the process with /F:

taskkill /F /PID 8760

3. Now, you can start it again:

net start TermService



Sunday, September 8, 2013

Enable SNMP Traps on VMware ESXi 5.x

1. Make sure you have the VMware CLI tools installed

  - from the command line prompt in the CLI tools directory, enable the SNMP service:


C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip
 --username root --enable

2. Set up a target (or two)

C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip
 --username root -t mysnmptraptarget@162/snmptrapcommunity

3. Send a test message

C:\Program Files (x86)\VMware\VMware vSphere CLI>vicfg-snmp.pl --server my.servername.or.ip
 --username root --test

Setting Up an RPM Installed Java as the Primary Java in RHEL

1. Install the new Java

2. Tell alternatives about it:

sudo alternatives --install /usr/bin/java java /usr/java/latest/bin/java 1

sudo alternatives --config java


and set the /usr/java/latest/bin/java as the default java.


sudo alternatives --display java | head -3

should show the correct info.


Thursday, September 5, 2013

Errors Running yum on RedHat 5 Enterprise Server

I was updating some third party RPMs on some old servers and I received an error from yum that ended like this:

up2date_client.up2dateErrors.SSLCertificateVerifyFailedError: The certificate is expired. Please ensure you have the correct certificate and your system time is correct.










The host was no longer set to tie into the RHN. Doing a yum info:


Loaded plugins: rhnplugin, security

My hunch was that the rhnplugin was causing the issue. The solution was to run yum like so:

yum --disableplugin=rhnplugin update