Microsoft, this is why people do not deploy NAP, NAC and other things like this, small little problems that take hours to fix – and then when something goes awry later on, people pull their hair out.

If you are running Windows 2012, with Windows 8 Desktops,  everything is happy in your world.

The same is true for Windows 2008, and Windows 7 Desktops.

However as Microsoft changes things, and starts to deprecate protocols, features and functionality we keep running into cross version funnies, here is one.

A typical wireless network with 802.1X Enterprise Auth requires a few things.

1. AP’s or a controller that knows where to go for authentication
2. Some kind of RADIUS server that can respond to auth requests
3. A certificate that is trusted by everyone involved — trusted and apparently formatted right.

The 1st and 2nd parts are pretty easy, but the 3rd, that’s where things get interesting.  First it’s not totally obvious that Microsoft NPS needs a certificate, and to add insult, you need to use PEAP instead of Password Authenication — but more on that later.

While configuring a clients Wireless for 802.1X authentication, I ran into clients who would refuse to connect, they were Windows 7 clients.    Windows 8 clients, mobile devices were all fine.

Ok….. So let’s go check our event log on the NPS server….   We see Error 6273 Reason 16

Ok..  so Authentication failed due to a user credentials mismatch.  Either the user name provided does not map to an existing user account or the password is incorrect.      This is easy…  Wait..  is it?     I clicked on the network, it used my WINDOWS CREDENTIALS..  I did log on to this laptop right?    Let’s do the logoff/logon dance, make sure we are wired, and we know the cred’s are right…  Did that.  Logon to another PC — check.  Logon to a DC directly with same test account — check.  Ok we know this user and password are fine.

I wish I could find something that proves why this isn’t working but I ran across this article
https://technet.microsoft.com/en-us/library/cc731363(v=ws.10).aspx

When selecting a certificate for NAP
“Certificates that do not contain a Subject name are not displayed.”

Oh, well in 2012 they are…  That’s because Windows 8 clients are OK with that…   Except Windows 7 clients ARE NOT.

I was also tossed the wrong way by multiple articles that claimed it was something to do with the “validate certificate” checkbox — which by the way, should be checked, why would you EVER turn off certificate validations checking!    If you do that, cred’s are easily stolen by nearby attackers.

http://blogs.catapultsystems.com/jstocker/archive/2013/12/13/mystery-solved-windows-7-and-windows-8-treat-validate-server-certificate-differently-in-802-1x/

So yes, this is a bit of a ranty post, but I want to get down to this…   Let’s make this work.

The key is when you request your machine certificate.

Start your enrollment

MAKE SURE YOU SELECT DOMAIN CONTROLLER — Not Authentication or Kerberos — as much as those might sound like what you want.  Those certs would be published, without a subject.   Click Enroll, no need to modify more

No go back and open the cert you just created…    Make sure the “Subject” line has something in there,  yes, the yellow bit that I have blacked out, should have the computer name in there.

Here is a good guide an example to RADIUS with NAP for Meraki.   It is the same for any other wireless provider.    Use this guide to finish up.

https://shabiryusuf.wordpress.com/2012/12/24/meraki-network-policy-server-nps-and-radius-with-wpa2-enterprise/

In the above guide it calls out the PEAP section, make sure you select the cert you just created.

Another common mistake…  In the box below you should see Protected EAP (PEAP)   DO NOT ADD MSCHAPv2 “secured password”  — again, it might sound like what you want, but it is not.

So that’s it, yes a little bit ranty.    This needs to be easier, if I was a powershell guy, I am certain I could write a script that just does this for me,  you can even add radius clients with New-NPSRadiusClient and create all the policies in PowerShell, but I am simply not a programmer.

Microsoft — this does not need to be this difficult.

Ran into an interesting issue today related to a Meraki MX deployment for a large multi site customer.

Normally in a Microsoft built network, you want all your clients and servers to use the Microsoft DNS infrastructure.    Let us be clear, it does make things a little easier when Microsoft machines just know about each other.

I ran into a problem where the Meraki MX block page was not showing when users attempted to use regular HTTP web sites.   On HTTPS sites, no block page is shown, that is by design, however non SSL sites should see a block screen.

A little background..  When you try to visit a page that is blocked by Content Filtering with Meraki – you will be greeted with a screen like this..

How do we get this page to display?    The Meraki MX intercepts the session and sends a HTTP 302 Moved Temporarily message to the browser and redirects the browser to a URL like this.

http://wired.meraki.com:8090/blocked.cgi?&blocked_server=&blocked_url=http%3A%2F%2Fwww.beretta.com%2F&blocked_categories=bc_036

If you resolve wired.meraki.com on the internet it resolves to an IP of 54.241.7.184

Locally the DNS for wired.meraki.com will resolve to your Meraki MX — that is if you were using your Meraki MX as your DNS.   In large Microsoft deployments that DNS server might use root hints or forward lookups somewhere else on the network,  so the response would be 54.241.7.184.

Why is this a problem?  If you look at the URL, you will notice that it opens port 8090,  a quick check of the internet IP 54.241.7.184 will show that port 8090 is not open on that IP, so if the client resolves wired.meraki.com and does not get an IP of an MX SOMEWHERE on the network — your client is greeted with

So how do we fix this?   You have two options

1) Make all your clients use a Meraki MX, or a DNS server that always sends forward lookups through a Meraki MX device  (Good luck, the Microsoft Server team is probably not going to want you to change your client DNS settings)

2) Add a host file entry to the workstation (No!)

3)  Add wired.meraki.com to your Microsoft DNS.

So going with option 3,  if your Microsoft DNS add a forward looking zone called “wired.meraki.com”  and then create an entry pointing towards your MX, like this.

1) Create a forward lookup zone called “wired.meraki.com”   — NOT MERAKI.COM  if you do this you will prevent your devices from contacting the Meraki Cloud Controller.

2) Create a Host (A) record like this – nothing under the name, as we want the wired.meraki.com domain to respond,  replace the IP address with the IP of your MX.

If you have multiple Meraki MX devices create multiple entries in your DNS,  the machines will always choose the device within their local subnet first, if for some reason they do not – it does not matter as the other devices will technically respond, but we do not want those responses from over the WAN.

Hopefully someone else runs into this problem and this can be of assistance.

We all look to optimize networks, none more than a geek like myself.    I also recall some of the design discussions I recently had at Cisco Live with @wifijanitor – Steve about how he optimizes wireless networks and decided perhaps I could speed things up.  I was having some issues with my media streamer strangely buffering sometimes, and an AppleTV that sometimes had to buffer,  strange things going on.

Typical geek, I have three AP’s at home, in various locations, I do find that even though I walk around, where I associated originally is where I tend to stay – which as we all know, this is not optimal.  Off I went to start disabling data rates on particular AP’s ( No controller for me 😦 all autonomous at home )

A great article on the topic of 802.11b disabling –  http://blogs.cisco.com/wireless/bring-out-yer-dead-5-steps-to-eliminate-802-11b-from-your-networks

Disabling 802.11b rates is well known to increase performance significantly.    How many 802.11b clients could I possibly have at home,  I checked, not a single device.   Right now.  So I disabled some rates, and things sped up, even some of my media streaming appeared to be running better.

If you have not disabled 802.11b rates on your networks, look into it, recently one of my customers went from 5-6 complaints daily about performance to “Wow the wireless is running great now!” simply by disabling “B” rates.   There is a significant performance increase and it is worth looking into.

After disabling the rates I received a report a week later our FitBit ARIA Scale pictured below was no longer communicating with the internet.      I spent awhile debugging the scale itself, thinking “This isn’t a wireless problem” — I was wrong.

A quick show command of my scales association to the AP shows me this.

Current Rate : 11.0 Capability : ShortHdr ShortSlot
Supported Rates : 1.0 2.0 5.5 11.0
Bandwidth : 20 MHz

802.11b only?   Really?    Well it turns out the “scale” would jump on and off the network occasionally, and when it did the “B” tax was just enough to slow things down momentarily.   File transfers would hiccup, videos streams would interrupt.

Another good article on the “B” tax..  http://blogs.cisco.com/wireless/wi-fi-taxes-digging-into-the-802-11b-penalty

Hey @fitbit – it’s 2015, and your device is being a nuisance to our networks.  We are trying to eliminate these 802.11b clients and you are running around selling one.    I’m just waiting for some executive who has one in their office to call IT and say “Why has my scale stopped connecting to the corporate WiFi”  — as disabling “B” rates is pretty standard in the enterprise world.

On the Fitbit web page they do “admit” to it – HERE – but no consumer knows the difference.   It doesn’t come with a warning label that says “May slow down the rest of your home network without warning”.  So if your home router is set to 802.11g only or anything other than 802.11b/g — your Fitbit ARIA Scale is not going to work.

What is my solution?   Well, for now it means turning the 802.11b rates back on, also creating a 5ghz specific SSID network for clients that are 5ghz capable.

The problem is Fitbit is using a $20 GS1011 SoC (System on a chip) from Gainspan, and that module only supports 802.11b  instead of the $25 GS2000 — these prices are QTY 1,  Yes I get it, if you product 1 million of these, even an extra dollar is 1 million dollars in extra cost.

Fitbit is creating a product that is a nuisance to networks and they should fix this as it is hurting thousands of home networks performance, and I am willing to bet 99% of consumers don’t even know.

One of the campaigns at the recent Cisco Live! in San Diego was “Security is Everywhere”.  During the keynote they even launched one of the new advertisements.  I am highly supportive of this type of advertising, simply because I think it delivers a very realistic message that is believable.     The lead actor actually LOOKS like a few professional penetration test guys I know (and yes, many pen-testers were hackers at some time).    The basis is “Think you’ll spot us?   You haven’t so far”   which is a very truthful and powerful message that will resonate with corporations.

On the other hand, recently I was sent a link to this.   Talk about a 180 degree swing,  this isn’t the message.   I get it, someone who used to work there, or knows someone stole a flash drive.   However it is all very “24”.

The biggest problem from a marketing perspective is that it is all very Hollywood, it does not feel believable even if it is.   Can I draw a comparison to probably the biggest technological “What the hell” moment on TV?   As I don’t think it’s far off.

The “room of geeks” is not totally off the mark for who is hacking, but are the rooms of geeks the ones that companies generally need to worry about?   Not even close, most hackers break in and leave a love note, or download a file listing to brag to their friends.   The professional, many times overseas hacker organizations who attack with financial intent are the ones you need to be concerned with.

Any professional knows that a real “SOC” – Security Operations Centre does not involve huge screens or 45 degree angled command centre desks but intelligently and continually updated software, resources and procedures.

The undertone of socially awkward geeks is very much unappreciated by me personally.   Suggesting that hackers are some kind of smelly fat huge glasses wearing fiend in a messy room full of wires wearing BAZINGA! shirts is a stereotype that we have been spending years to overcome and it didn’t help when they suggest that professional organizations are stupid without the “awkward guy from Cisco”.

This new video misses the mark pretty heavily on the corporate message and the social message in way off the mark.

After close to a week in San Diego at Cisco Live! – I was hooked on all forms of Uber.    Cisco really pushed digital revolution and digital disruption as a theme, and I couldn’t agree more.

Tesla – The apple of the car industry, disrupting the way cars are made, sold and fuel’d

Air BnB – Ok well, it seems like a revolution, and while I have no experience I know people that use it and are happy – except the few people who’s homes have been trashed.

So that brings us to Uber, and specifically UberX, and you can google/explore everything you want to know about it but for context let me explain it very simply.

1) Select source/dest on your phone

2) Watch as car comes to you

3) Get in

4) Talk to driver about their vehicle, or how awesome Uber is

5) Get out, payment is automatic, no tipping, receipt in inbox, for cheaper than a cab.

Disrupting taxi’s?  You bet, I wouldn’t ever take a cab again, They smell, they are impersonal, the payment is a pain – and receipts are horrible.

So what about Uber Eats?    In the catchment area below, I have the option of 2-3 dishes per day they can deliver.  A selection of the best restaurants (or rated anyway) in town delivering signature dishes hot to your door in minutes, think UberX, but you don’t get in – they hand you food.

The entire idea looks great – however what made UberX popular was delivering VALUE and I just don’t see Uber Eats delivering that.    The “Just Eat” people have been delivering food to my door with a better selection for some time – ok so it isn’t in 5 minutes, but we all know when lunch hour is.

The catchment area is pretty small, and choices for food in these areas, especially in Toronto is pretty plentiful.  I could step out to get many quality food options outside my door in minutes just as easily as Uber Eats.

http://ubereats.com/eats/toronto/

The ordering process was great, but $15 later I had 4 quarter sized bits of beef in some tomato sauce and 4 slices of bread.    $12 for the food, $3 for the delivery.   I expect to pay a premium, but this was less than an appetizer worth of food.   Oily like it had been sitting in a car in a heater bag, I didn’t get the cheese that was supposed to go with it – and I went and got another lunch snack later.

They generally do not deliver any kind of side, a sandwich is just a sandwich and no drink options except for the occasional “coconut water” for $7 type options which are eco chic but not popular amongst many.

I get what they are trying to do – however unless they can deliver must better value this is not going to work.   If my hot lunch option could be delivered with a regular type beverage, or a bag of kettle chips, or a bag of nuts or something on the side would be better.    Right now the service doesn’t deliver value or a complete lunch offering.

Perhaps they should focus on what works for them – UberX, because right now this does not work for me.

After a year off in 2014 and no trip to Cisco Live!, and a significant change in my career and personal life it was time to return to #CLUS.    It would appear many of my colleagues from the event also took 2014 off.  It was unfortunate to miss San Francisco.

How the landscape has changed, with a new “Cisco Champions” program and a modified Social Hub – everything didn’t feel as organic as it used to be.    Tom Hollingsworth @networkingnerd wrote a great article on some of the changes http://networkingnerd.net/2015/06/16/thoughts-on-cisco-live-2015/

This year my focus was on Security, WoS, DevNet, IoT and Wireless.  Trying to figure out the landscape and how technology is evolving as I re-enter the partner marketplace after a few years off.

The entire social experience felt different this year, sponsored scavenger hunts and yellow capes.   Is this really organic?    The same gang that I missed last year was still here – but now it feels like there is some kind of line in the sand – the group did not feel as inviting as it previously did, and I found myself feeling like a newbie all over again.    Is Cisco encouraging the type of engagement they want?    Cash and prizes for the most re-tweeted photo, or for visiting the most World of Solutions booths on the scavenger hunt.     Every time I went by the Social Media Hub the staff commented on the quality of my content, and the engagement I was receiving from the rest of the community.    However, I didn’t spend my time taking selfies in the World of Solutions.     My point is not to be dis-ingenious, but to look at the bigger picture.   In 2013 in Orlando – Cisco focused on online influencers and engagement, those with retweets and engagement on legitimate content, and not antics.    The message seems lost in social this year.

This year I was asked if I could provide some comments on the event, and how I felt about digital disruption.  If you watch the Chambers and tech keynotes, you will see me there.   Not sure if I was there to add some humanity or as the butt of a joke but it was my 15 seconds.  Like I said, they ended up with a good blooper reel.   The display was a genuine display of me that is for sure.

I did meet a few very influential people this year, one of note was “The Fish” @denisefishburne – www.networkingwithfish.com a team lead in the Cisco Customer Proof of Concept Lab and an expert troubleshooter.    I was introduced by @amyengineer and instantly something was different about “The Fish”, it was more that her addiction was troubleshooting, bring up a problem and her eyes light up like a teenager on redbull. A skill that I have always found sacred with any IT professional.   After listening to her session on being a “Network Detective” it was obviously that Denise was extremely skilled at her trade and I began to read everything I could on her blog.   I was honored to attend a social event where we were able to discuss at length various troublesome topics and I was a little star struck.   Denise if you are reading this – late on Thursday night (or was it Friday morning) I told you how important your work is to our industry, to the future of young professionals to learn from your experience.   I wasn’t kidding.    Thank you for sharing your experience and skill with the rest of us.

This comes back to “I don’t live on Social Media” – as much as I enjoy the interaction, I do not have time to scour the web, and read blog after blog, and keep up on twitter. We only have enough time in our days, and between family and other things – I wish I could dedicate more time.   Some say that if it was important to me I would make the time.

So why blog now?    I suppose as I get older it provides me with some kind of method of getting my thoughts down somewhere.     If you go back and look on the “Twitter List” published for the event, you will not see my previous account (@grinthock) mentioned anywhere.   As a bit of a social outcast, I have never been the person who signs up for these types of events.   I have always felt like a bit of the outsider, as someone who does technology for a living, and while technology is my life, I have many passions in life, performance rally,  amateur radio and community service.

This blog will contain mostly my musings, thoughts and opinions on technology subjects.   Will someone read them?   Maybe and maybe not.     I tried to cover the #CLUS event on twitter as best I could by providing insights to others on twitter about the event as best as I could.   Some people commented about my coverage in positive and negative, some attended sessions the next day based on my content.    For that I felt like I did the job right.

The organization I work for has over 500+ Cisco practice team members, and only a small number will go to Live! each year and while next year the company may not send me – I will be there either way.     I cannot miss the friends, people and influencers that I experience.

I figured, I can simply leave this “included” post on the blog.  After all it is a bit of a “hello world” post.    While the majority of the posts you will see here will be technology based, there are a few ground rules or guidelines that I would like to see the blog live by.

– Integrity

I will blog with integrity, opinions are my own, and my mistakes as well.   While no blogger, journalist, media or writer will ever write with perfection, I will already strive to.   Sometimes I will get it wrong, and when I do – I will call it out.  This also means there are

– Opinion

This blog is about tech, but more than that it is about my opinion, with close to 20 years in technology and working with many different industries I have seen much in my time.   That means, I tend to build my own opinions.   Sometimes people agree, sometimes people do not and sometimes they are controversial, but no matter what, they are my opinions.

– No Sponsorship, purchased opinion or suggested posts without disclosure.

Anyone that knows me, will tell you that I enjoy free expression, and as a result I will not accept remuneration for any form of post without full disclosure.    What does this mean?   As a writer we are given the opportunity to have early access to things, or we are given details before others in order to write our articles.    Even within other forums I have been offered everything from trips to free dinners – but the bottom line is, I will always disclosure any kind of vendor involvement in my posts.

– Topics

You might see it all here, sure I am a “Tech” guy but you might see it all.