Shut it down

After three weeks of random errors, I had to shut down the Cisco NAC installation.  I hated to do it but it had to be done.  The errors were so inconsistent that it made fixing them almost impossible.  Here’s a quick run down of some of the problems:

• Users that worked fine one day would stop having access the next day even though the Clean Access Agent showed them logged on and in the proper role.
• Printers would randomly drop off the network but still show up in their role/VLAN.
• Moving a laptop from a docked, wired network, connection to undocked, wireless connection, was hit or miss. If the user just undocked, they definitely would lose network connection. If the user clicked Start and then Undock Computer, they would get network connection about 60% of the time.
• Logon scripts would randomly fail to run.

The last issue was (somewhat) fixed by doing two things. One, changing the script so that it would ping multiple servers and only initiate the script when a ping was successful (i.e. the user was placed into the proper user role). Two, pushing out a registry change for Windows XP that would introduce a group policy timeout (GpNetworkStartTimeoutPolicyValue). The timeout made it so that the group policy would keep trying to run the logon script for up to 60 seconds, trying to contact the server every two seconds, before failing.

The company we purchased the equipment from is supposed to send some of their technicians out next week in order to try and fix the problems. They are also supposed to send out a Cisco technician. I hope they can get it to work. If they don’t, this is going to look really bad on the IT department because of all of the issues the users are having to deal with during the installation.

There is no failure except in no longer trying. – Elbert Hubbard

18.Sep.08 Networking, Security Comments (0)

Do not buy the Cisco NAC

Short story: It sucks.  I have been struggling for over two weeks to just get ONE location up and running.  Every thing I’ve done is being done according to how the Cisco documentation says it needs to be done.  I’m having to get a Cisco representative on the phone at least every other day in order to fix a problem with the setup.

Long story: Coming soon.

16.Aug.08 Networking, Security Comments (3)

Same switch, different location

A friend called me a few days ago and told me about a problem where he works. The company was combining their two office locations into one in order to save money. It was a good idea anyway because the two locations were only a block apart. They (friend’s employer) had hired some contractors to install 15 new network drops. When the contractors finished connecting the new drops to the shiny new Linksys SD216 16-port switch, the computer and printer moves began.

Quick background: The CEO of this company is tight with money. They have 15 workstations (old PIII systems), 1 server (newer P4 system) and 5 laser printers so they have no need for an IT department. An IT support contract? HA! Those cost too much. They would just call someone (read: cheapest price) if the needed help.

Now that everything was moved and set up, they were having a problem with one of the printers. No one could print to it. My friend said it worked fine at the other location and the CEO was ready to dock someones pay for “destroying a perfectly good printer”. That’s why my friend called in a favor* and asked me to look at it.

The first thing I did was print out the config sheet for the printer. When I did that, I saw that the IP address was set to 192.168.11.114. I asked my friend what IP range was the office network using and he wasn’t sure so we looked on his workstation. His workstation was set to 192.168.10.90. Aha! I told my friend that the printer IP was set up incorrectly and that it needs to be set to a free IP on the 192.168.10 network.

My friend told the CEO, who was watching nearby, about the easy fix. “Impossible!” I heard. “One of my neighbors is an IT guru and he said the printer was damaged in the move. He even checked the connection and said that it should work because it’s on the same switch as all the other computers.” I told the CEO that I would bet lunch on the fix. The winner would choose the restaurant. He liked that idea and said, “I hope you’ve saved up a couple of months salary because I don’t eat cheap.”

Long story short: I reset the printer so that it would pull a DHCP address, set my friend’s workstation to print to the printer by creating a new TCP/IP port using the printer name and ate the best free (for me) lunch ever. Sweet, sweet victory.

*Be careful when you tell a friend “I owe you one”. This is one of the rare times it actually worked out for me.

The manner of giving is worth more than the gift. – Pierre Corneille

09.May.08 Networking Comment (1)

Ubuntu home LAN server: Dynamic DNS & DHCP

Ok, I know I said in the last post that I was going to post these configs “later”. Well, it’s now 12 days later so I think it’s time to post them. Without further ado:

• dhcpd.conf
• named.conf
• named.conf.options
• named.conf.local

If you’re wondering “Why the hell didn’t he just put everything into a single named.conf file?”, I have a good reason. It’s Ubuntu’s fault! The BIND installation split the configs and I just stuck with that! Sure, I could just combine it all but I just went with the flow.

To help understand what some of the IP settings in the configs mean, here is my network setup:

• Network: 192.168.10.0
• Domain: home.lan
• Server IP: 192.168.10.20 (DNS, DHCP & Domain Auth)
• Router (Gateway) IP: 192.168.10.1
• DHCP Range: 192.168.10.241 – 192.168.10.250
• Dynamic DNS updates require the TSIG key (SecDNS). The DHCP server uses the key to authenticate with BIND and update the local network zones. Client updates are ignored.
• The DNS server forwards unknown host request to OpenDNS.

I know it’s not “perfect” but it’s still being tweaked. See something I’m missing? Let me know in the comments!

I wish I would have gotten this posted sooner. Unfortunately, work has really picked up since the Chri….Winter Break. Things won’t be getting any better in February. That’s when my big project starts up. That project involves implementing the Cisco NAC in several schools. I can’t wait to get started on it because it will be a lot of fun learning how to operate it.

The urge to save humanity is almost always only a false-face for the urge to rule it. – H.L. Mencken

19.Jan.08 Linux, Networking Comments (3)

The Ubuntu domain controller lives!

This is just a quick update, more will be written later. I was able to get the Ubuntu 7.10 server set up as my home domain controller. Here is the current set up:

• Samba is running as the domain controller. It handles all domain logins. Machines joined to the domain, including Windows XP, are added to the Unix Users & Groups on the fly. No manual set up of the machine trust accounts.
• BIND9 handles all DNS request. A TSIG key is required in order to dynamically update records.
• DHCP3 handles, what else, DHCP. DNS records are dynamically updated by the DHCP server using a TSIG key.
• Remote administration is mostly handled through SSH. Password authentication, as well as root login, is disabled. Only RSA/DSA authentication is allowed.
• Webmin is installed to aid in some remote administration task.

It took a couple of days to make Samba work right. I used pieces of several How-To’s in order to get the configuration correct. Some of the guides said to enable the root login but I didn’t do that. I either would just use sudo to run the commands or I’d run sudo -s to switch to the root login. I’ll post all of the server service configs later in case they could help anyone else.

I know, I shouldn’t run all those services on a single box. I wouldn’t except for the fact that this is for a home LAN and not a corporate environment.

It behooves a father to be blameless if he expects his child to be. – Homer

07.Jan.08 Linux, Networking Comments (3)