Defining multiple RADIUS servers for Aruba Wi-Fi


I’ve spent some time over the last few months working with a customer who is building a complete greenfield IT infrastructure, in preparation for launching a new business. It’s been a rare privilege to work without piles of technical debt (of course, it’s never completely that simple – there is data to bring across and there are some core systems that will tie back into the parent organisation) but there have been some challenges along the way too.

One of these was when the customer’s network partner asked for a RADIUS server to be added to our identity solution (to support 802.1x based authentication for Wi-Fi clients). In itself, that wasn’t too big an ask – we could use Windows Servers running Microsoft Network Policy Server (NPS), across two Azure regions. Unfortunately, we also needed to provide resilience and the network partner was suggesting that they could only configure one IP address in their HP-Aruba cloud controllers. Azure Load Balancers only work within region and DNS round robin is not exactly smart, so myself and the other Consultants working on the solution were left scratching our heads.

Luckily, for me, having a reasonably large Twitter network meant I could ask for help – and the help came (thanks to @Tim_Siddle and others)!

We were able to take the information about server groups to our networking partner, who advised us that the cloud controllers lacked the server groups capability until recently (it was only a feature on physical controllers) but that it had now been added.

Other people responded to say they had had similar issues in the past, so this might be useful for others who are trying to configure a certificate-based authentication solution for Wi-Fi with Microsoft NPS servers.
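To make concrete what the server-group feature gives the controller that a single RADIUS server address cannot, here is a small model of a NAS-side server group, written as an added example for this post; it is not Aruba's or Microsoft NPS's implementation and not code from the original page. Servers are tried in priority order, each with a timeout and a retry count, a server that never answers is skipped for a dead-time, and a reply is only trusted if its Response Authenticator was computed with the shared secret (RFC 2865). The timeout, retry and dead-time values are assumptions, the in-process mock responder is constructed for the demonstration, and PAP is used for brevity: the certificate-based EAP exchange in the post rides the same Access-Request/Access-Challenge transport.

```python
import hashlib
import hmac
import os
import socket
import struct
import threading
import time

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2
_KEEP = []  # keeps the demo server sockets alive for the life of the process


def _pap_crypt(secret, authenticator, data, encrypt):
    # RFC 2865 5.2: each 16-byte block is XORed with MD5(secret + previous
    # ciphertext block); the first block chains on the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], mask))
        out, prev = out + chunk, (chunk if encrypt else data[i:i + 16])
    return out


def _attribute(packet, attr_type):
    i = 20  # attributes are type/length/value triplets after the 20-byte header
    while i + 2 <= len(packet) and packet[i + 1] >= 2:
        if packet[i] == attr_type:
            return packet[i + 2:i + packet[i + 1]]
        i += packet[i + 1]
    return None


def build_access_request(secret, ident, username, password):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    authenticator = os.urandom(16)
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = _pap_crypt(secret, authenticator, padded, encrypt=True)
    attrs = (bytes([USER_NAME, 2 + len(username)]) + username
             + bytes([USER_PASSWORD, 2 + len(hidden)]) + hidden)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def response_is_authentic(secret, request_authenticator, reply):
    """RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])


class RadiusServerGroup:
    """Servers are tried in order; one that never answers is skipped for dead_time."""
    def __init__(self, servers, secret, timeout=1.0, retries=2, dead_time=30.0):
        self.servers, self.secret = list(servers), secret  # [(host, port), ...]
        self.timeout, self.retries, self.dead_time = timeout, retries, dead_time
        self.dead_until, self._ident = {s: 0.0 for s in self.servers}, 0

    def authenticate(self, username, password):
        """Return (server, accepted) or (None, None) when no server answers."""
        for server in self.servers:
            if time.monotonic() < self.dead_until[server]:
                continue                                  # inside dead-time: skip
            result = self._try_server(server, username, password)
            if result is not None:
                return server, result
            self.dead_until[server] = time.monotonic() + self.dead_time
        return None, None

    def _try_server(self, server, username, password):
        self._ident = (self._ident + 1) % 256
        packet, auth = build_access_request(self.secret, self._ident, username, password)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(self.timeout)
            for _ in range(self.retries):
                sock.sendto(packet, server)
                try:
                    reply, _ = sock.recvfrom(4096)
                except OSError:                           # timeout/unreachable: retry
                    continue
                # only a reply carrying our ID and a valid Response Authenticator counts
                if response_is_authentic(self.secret, auth, reply) and reply[1] == self._ident:
                    return reply[0] == ACCESS_ACCEPT
        return None


def start_mock_server(secret, users=None):
    """Constructed in-process responder that checks PAP credentials against `users`.
    With users=None it is a 'dead' server: a bound UDP port that never replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    _KEEP.append(sock)

    def serve():
        while True:
            data, addr = sock.recvfrom(4096)
            hidden = _attribute(data, USER_PASSWORD) or b""
            password = _pap_crypt(secret, data[4:20], hidden, encrypt=False).rstrip(b"\x00")
            code = ACCESS_ACCEPT if users.get(_attribute(data, USER_NAME)) == password else ACCESS_REJECT
            header = struct.pack("!BBH", code, data[1], 20)
            sock.sendto(header + hashlib.md5(header + data[4:20] + secret).digest(), addr)

    if users is not None:
        threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()
```

A group built as `RadiusServerGroup([start_mock_server(secret), start_mock_server(secret, {b"alice": b"s3cret"})], secret)` has a dead primary and a live secondary: the first `authenticate()` call waits out the primary's retries, records it as dead and gets its answer from the secondary; later calls skip the primary until its dead-time expires, which is exactly the behaviour the single-address controller configuration could not provide. Real controllers also fail over per request rather than per session and re-probe the dead server, and in production the authenticator check would sit alongside Message-Authenticator (RFC 2869) verification for EAP traffic.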

Further reading

Enabling RADIUS Server Authentication [Aruba]

Fixing iPass and Virgin Trains Wi-Fi authentication issues


Although I travel on Virgin Trains pretty frequently, it’s usually only from Milton Keynes to London Euston and not worth getting my laptop out of my bag. Now, I’m finding myself travelling to Manchester more often and working on the train is a major advantage over driving.

Virgin has Wi-Fi on its trains, which is complimentary in first class but chargeable (at the usual extortionate rates) for those of us in the cheap seats. The company I work for provides me with an iPass client though, so I can use that to connect without hefty credit card fees and expense claims (at least on Windows I can, it wasn’t working for me on iOS last time I tried).

Lately though, I’ve found that the iPass client would connect to the VirginTrainsWiFi network and then present a pop-up asking me to pay for access. That didn’t seem right, so I logged a call with our IT helpdesk… I’ll spare readers the details of that particular experience but I also spoke to Virgin’s Wi-Fi support team, who suggested I download an updated “phonebook” for the iPass client. The client version that I’m using (2.3, I think) doesn’t have an option for a phonebook download but, with the help of some of the guys in our IT department, I found that the phonebook can get corrupted sometimes and the resolution is to remove and re-install the iPass client.

We don’t have a huge sample but I’m now told my fix (I’m connected on iPass, on the train right now) makes it a 100% success rate from 3 people with the problem. Maybe it will help someone else out there on the ‘net too…

iPhone Wi-Fi connectivity via BT Openzone


Last year I wrote about O2 giving UK-based iPhone users free access to BT Openzone Wi-Fi hotspots but the last few times I’ve tried to connect all I’ve managed to hook up to is a login page.

I’ll be spending most of the next couple of days at Microsoft’s customer and partner launches for Windows 7 and, even though I have the option of Vodafone 3G access from my netbook, I thought I’d investigate further and at least give myself another connectivity option via the iPhone (at another recent event I found that O2’s 3G coverage is virtually non-existent inside the hospitality suite at Wembley Stadium so Wi-Fi would be a major step forward and I know it works in the Hilton a couple of hundred yards away…).

This is what you need to do in order to get an iPhone hooked up to BT Openzone if you’re presented with the BT Openzone login screen:

  1. Select a service provider of O2 from the Openzone login prompt (no need to enter a username).
  2. When prompted, enter your phone number and wait for registration to complete.
  3. If, like me, you’ve had multiple iPhones on your account (i.e. you have upgraded or had warranty replacements), then you may need to send an SMS message to 2121 containing the word WiFi and wait up to an hour (although, in practice, I didn’t find that it took that long).

After this, you should be able to connect to the ‘net from your iPhone over Wi-Fi. Right, let’s hope Steve Ballmer doesn’t spot me using the iPhone.

More on the BT Home Hub


Last year I blogged about the dangers of BT Home Hub users using WEP for “Wi-Fi Security”, pointing out that WEP is generally considered insecure and that WPA or WPA2 should be used instead. Then I set up my Dad’s Home Hub for him (just as an ADSL router/modem at this time… possibly with some of the other features later) and this is what I found:

  • The Home Hub is an elegant piece of hardware and BT have made cabling straightforward with colour-coded cables.
  • Following the instructions (which is what I did) involved installing a lot of software on the PC… just to connect to a router. I imagine that most of it can be disregarded (Customised browsers, BT Yahoo! sidebar etc.).
  • The setup failed to recognise that there was already an ADSL modem connection and that I was replacing that with a LAN-based connection (eventually I found a setting deep in the BT Broadband Help system to change that, after which UPnP jumped into life and the router was located).
  • The supplied password for BT Yahoo! Broadband didn’t work, resetting it required answering a security question that had never been set (chicken… egg…) and calling for support involved speaking to a well-intentioned but not very efficient call centre operative somewhere on the Indian subcontinent (who apologised for the quality of the phone line… ironic given that this service was on behalf of one of the World’s largest telecommunications providers)

Returning last week to finish the job, I found that BT have been updating the router firmware automatically for him and now he has options for WPA/WPA2 (which I duly configured). I also found a great link for information on the Home Hub (a rebadged Thomson device) – the Frequencycast Home Hub FAQ – which told me useful things like how to access the configuration via http://bthomehub.home/ and that the authentication prompt for administrator access does not require the BT Broadband username and password but the username admin and password of admin (or the serial number of the device) until it is reset to something more memorable. If you need to know something about the BT Home Hub, the chances are it’s in this FAQ. Also worth a look (particularly if you have a Mac that’s not playing nicely with WPA-TKIP – although my OS X 10.5.5 MacBook seemed to be fine with Home Hub software 6.2.6.E) is the BT Home Hub page on hublog – and there is also a command line interface reference for the Home Hub.

Failed power supply causes impromptu wireless network upgrade


Two-and-a-half years ago, I upgraded my wireless network in order to move to 802.11g and to implement some half-decent Wi-Fi security but, last Friday, just as I was packing up the car for a weekend away, I noticed that my PC had lost contact with the mail server. Then I saw there were no lights on my wireless access point. This was not good news.

I couldn’t fix it quickly and running a cable was not an option either as it would have meant leaving the house unsecured all weekend. So, I just had to accept that I had no DNS, no DHCP, and that the mail server would be offline for the weekend.

When I got home last night, I set up a temporary (wired) connection and thought about how to fix the Wi-Fi – it seemed I had a few options:

  • Buy a new DC power adapter for my D-Link DWL-2000AP+ – inexpensive but the D-Link was a cheap access point – a new DC adapter could cost almost as much as the unit is worth and if the power adapter has blown up, the main unit could be next.
  • Buy a new access point (and optionally move up to 802.11 pre-n) – a new access point could be good, but pre-n equipment is still quite expensive – and I’ve never been that happy with pre-anything standards, even back in the days of 56Kbps modems. Add to that the fact that I have a mixture of 802.11g and 802.11n equipment (mostly built in to computers) – and the “g” kit would slow an “n” network down to 54Mbps.
  • Replace my individual router and access point with a combined wireless-modem-router (like the Netgear DG834G that one of my friends lent me – a left-over from his disastrous encounter with Virgin Media’s ADSL “service” – or one of the Draytek devices that I’ve heard so many good things about) – but my Solwise ADSL router is still going strong (aside from the occasional reboot) and I’d have to reconfigure all my firewall rules.
  • Dump Wi-Fi in favour of HomePlug AV technologies – potentially faster (at least faster than 802.11g) but also quite expensive, still a relatively immature technology and, based on most of the reviews I’ve seen, highly dependent upon the quality of the wiring in the house.

In the end, I decided to splash out on a new access point – and this time I got the one that I thought about in 2005 but didn’t want to spend the money on – a Netgear ProSafe WG102. I got mine from BroadbandBuyer for a touch over £80 (the added bonus was that they are only 7 miles away from my house, had them in stock, and I could collect) so by late morning my Wi-Fi was back online and the temporary cables down the stairs were gone and the garage door was closed again.

After having set this up, I realised that this is what I should have done first time around – Netgear’s ProSafe range is aimed at small businesses but is still reasonably inexpensive – and so much better than the white plastic consumer rubbish that they churn out (or the D-Link access point that I’ve been using). The WG102 is well built, has a really straightforward web interface for management (as well as SNMP support) and supports all the wireless options that I would expect in a modern access point, including various security options and IntelliRF for automatic adjustment of power transmission and channel selection. I’m using WPA2 (PSK) but the WG102 does include RADIUS support. It’s also got a nice big antenna and I’ve switched off 802.11b to prevent the whole network from being slowed down by one old “b” device. I also use MAC address filtering (easy enough to get around but nevertheless another obstacle in the way of a would-be attacker) but the best features are the ones I haven’t implemented yet – like multiple SSIDs and VLANs for granular user access. If I put a VLAN-capable switch between the access point and my router, I could provide a hotspot for my street but still run my own traffic over its own VLAN. I guess VLAN-hopping would be a potential attack vector but my Wi-Fi traffic would be encrypted anyway and there’s another firewall between the wireless network and my data. If that switch supported Power over Ethernet (PoE) then I could even manage if the WG102 lost its power supply (it has PoE support too).

The WG102 is certainly not the least expensive access point I could have bought but it seems to be money well spent. It includes a bunch of features that are generally only found in devices intended for the enterprise market but comes at a small business price. I should have bought this years ago.

Now you can use a UK-registered iPhone at BT Openzone hotspots for free


Earlier this evening, I was trawling through the fine print on the O2 website (hey, I have to do something whilst I’m eating alone in a hotel restaurant) and I found a reference to free Wi-Fi access from BT Openzone hot spots. Hang on – BT Openzone… that’s new! When did that happen?

Well, according to O2’s Wi-Fi FAQ it hasn’t happened yet but it will soon:

Wireless Hotspots
O2 has partnered with The Cloud to provide you with unlimited access to over 7500 public Wi-Fi hotspots across the UK on your iPhone. Excessive usage policy applies. From 11 July, you will also get access to 2000 Wi-Fi hotspots from BT Openzone.
Find the hotspots closest to you

I tried to use the BT Openzone at the Hilton East Midlands hotel last night (7 July) with my iPhone and it worked. Just like at The Cloud, all I had to do was enter my mobile number, wait for the site to recognise my iPhone and then I was redirected to the O2 iPhone start page – which is a pretty good portal for iPhone users and even includes a hotspot finder.

O2 can be pretty shoddy at times but this is A Good Thing.

Overseas roaming advice for UK iPhone users


As this post goes live on the blog, I’ll be on my way home from what should (hopefully) have been a great two weeks in France with my family (banned from the Internet – hence the need to set up some posts in advance and keep the site alive whilst I’m away).

My iPhone is a quad-band GSM phone so I can use it pretty much anywhere in the world (subject to coverage); however international roaming can get a bit pricey, so I checked out the best way to avoid excessive charges before I left the UK.

AT&T don’t allow US iPhone users to roam internationally unless they ask for it but UK iPhones are automatically enabled for O2’s International Traveller Service (ITS). Any calls are in addition to the monthly charge but the rates are not too bad – after all, I’m not going to be chatting for hours, this is really just for emergencies. There’s the usual overseas rules about having to pay to receive calls (which complicates the visual voicemail functionality and can result in additional charges, so O2 recommended I turned off voicemail divert before leaving the UK by dialling 1760 and then using 1750 to turn it back on again when I get home).

The real killer could have been data roaming. You see, whilst the EU has been putting pressure on mobile operators to reduce their charges for roaming across networks, very little has been done about data charges, which for O2 users are currently priced at £3 per MB in the EU (and £6 outside the EU).

I called O2 before I left the UK and their advice was to switch off data roaming (Settings, General, Network, Data Roaming, Off). They also recommended that I turn off automatic e-mail checking (Settings, Mail, Auto-Check, Manual) – although accessing Mail and Safari from a Wi-Fi network will not result in any charges (other than whatever wireless hotspot charges apply – there are no roaming arrangements between The Cloud – O2’s UK Wi-Fi partner – and overseas Wi-Fi providers). They also advised me that SMS is the most efficient method of communicating without extra charges as receiving a text costs nothing and, when sending, O2 take them from the normal allowance but at four times the rate (each text will count as 4 messages, so the 500 texts in my tariff become 125 for use overseas).

Hopefully, by following this advice, my next bill will just be for the standard £35… although if all I want is texts and the odd phone call, I could just put my SIM in another handset – as the BBC’s Rory Cellan-Jones found when he turned off data roaming on his iPhone:

“I turned off data roaming – and immediately found that what I was left with was a not very smart phone.”

Accessing unsecured Wi-Fi – is it a crime?


Whilst I was researching my earlier post about WiMax in Milton Keynes, I came across an article on The Register about a couple of guys who got themselves arrested for accessing someone’s open Wi-Fi connection.

The comments make interesting reading – I recommend a read but will warn you that there are 111 of them, so you’d better be good at skim reading!

There are lots of useful analogies there (and the general consensus seems to be that, if a Wi-Fi access point is open, then you are inviting people to come in – especially with most wireless cards configured to connect to the strongest available signal – and that, if it’s secured, then it is clearly a private computer system) but I found a few of them particularly interesting after reading Section 1 of the Computer Misuse Act, 1990 (I’m sure other laws can equally be applied):

Unauthorised access to computer material
(1) A person is guilty of an offence if—
(a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer;
(b) the access he intends to secure is unauthorised; and
(c) he knows at the time when he causes the computer to perform the function that that is the case.
(2) The intent a person has to have to commit an offence under this section need not be directed at—
(a) any particular program or data;
(b) a program or data of any particular kind; or
(c) a program or data held in any particular computer.
(3) A person guilty of an offence under this section shall be liable on summary conviction to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale or to both.

[Computer Misuse Act, 1990]

Based on this it could be argued that, if an access point is broadcasting SSIDs and is unencrypted, then a person cannot know that the access that they intend to secure is unauthorised. It could also be argued that, by broadcasting its presence, the access point accessed any computers with wireless cards in the area without their respective owners’ permissions. Or consider, as another commenter highlighted, what happens when pinging a computer’s IP address – is that not requiring the other computer to perform an action (even if that action is to reject ping responses, it still has to read the packet)? What about accessing a web server – did I explicitly give you permission to come here and read this article? No, but by publishing this website, I gave implicit permission, which is expanded further in my legal notice. Ergo, by leaving a wireless access point open and broadcasting its SSID, I would be giving implicit permission to access it.

I know there’s at least one Copper who reads this blog and I’m sure he has an opinion. As of course, do I. And that’s why I locked down my Wi-Fi.

Usual caveats apply: I am not a lawyer; don’t interpret anything you read here to be legal advice; etc., etc..

WiMax in Milton Keynes – not at that price, thank you!


Last year, I wrote a post about free Wi-Fi provision in central Milton Keynes. I wasn’t very impressed (although I’d like to see the service prosper) but have to admit that I haven’t tried it since. In the same post, I also mentioned that there was a WiMax trial planned for Milton Keynes and a few weeks back, after hearing nothing for over a year, I received an e-mail to tell me that it is now available in my area.

This sounded good – I have “up to 8Mbps” ADSL at home and my router tells me that I get about 7.2Mbps downstream with about 448Kbps upstream, but if I could get good upstream bandwidth too then that would be an advantage. Then I noticed two things that put me off.

Firstly, the service is provided by Connect MK – who claim to be:

“A Council company created to provide better broadband services for Milton Keynes”

WTF! Milton Keynes Council appears to me to be incapable of managing anything of any substance (of course, that is purely a personal opinion, based on my experience as a Council Tax payer). In the small town where I live (under the control of the unitary authority that is Milton Keynes Council) we have: a secondary school that opened 8 months late and £3m over budget [source: political propaganda for the upcoming local elections], with design changes that mean it stands out like a blot on our (pleasant) landscape; a backlog of road repairs; short-sighted planning decisions with councillors supporting further expansion without any of the supporting infrastructure (including the grid road system that has worked so well for the last 30 years in urban Milton Keynes); etc., etc. (my list could go on and on, but let’s stop here – you get the idea). Now the same council wants to provide network infrastructure services. It’s not 1 April is it? Not according to my calendar anyway.

Secondly, the price: a 1Mbps downstream/512Kbps upstream package with a 10GB download limit is advertised for £20 a month; 2Mbps down and 512Kbps up with a 20GB allowance is £25; but 2Mbps down and 1Mbps up with a 40GB allowance is a staggering £50 a month! Are they joking?

I pay around £30 for my small business ADSL service and I have no issues with bandwidth allowances (my current ISP operates a system of peak and off-peak usage, and the off-peak usage really is unlimited, with peak usage rates depending upon the tariff). If I wanted a residential service I could pay a lot less than that. For that matter, I can get HSPA mobile broadband Internet for £15 a month on an 18-month contract.

As it happens, Connect MK is a reseller for the infrastructure provided by FREEDOM4 (formerly Pipex Communications). Interestingly, despite having supplied my home address and postcode details to Pipex and Connect MK having e-mailed me to say “Great news – You can now receive a WiMAX Broadband Service”, neither the current FREEDOM4 coverage map nor the coverage checker on their website indicates that I can receive the service – at this time it only seems to cover urban areas of Milton Keynes. It’s not a very good indictment of Connect MK’s ability to provide a reliable service when they haven’t even worked out that I live 10 miles outside their coverage area.

Regardless of the network coverage, I fail to see who would even consider the Connect MK WiMax service as an alternative to ADSL or cable. At the prices quoted, I can’t imagine much of Milton Keynes’ population getting connected with Connect MK.

Hyper-V and networking


For those who have worked with hosted virtualisation (Microsoft Virtual PC and Virtual Server, VMware Workstation and Server, Parallels Desktop, etc.) and haven’t experienced hypervisor-based virtualisation, Microsoft Hyper-V is fundamentally different in a number of ways. Architecturally, it’s not dissimilar to the Xen hypervisor (in fact, there are a lot of similarities between the two) and Xen’s domain 0 is analogous to the parent partition in Hyper-V (effectively, when the Hyper-V role is added to a Windows Server 2008 computer, the hypervisor is “slid” underneath the existing Windows installation and that becomes the parent partition). Subsequent virtual machines running on Hyper-V are known as child partitions.

In this approach, a new virtual switch (vswitch) is created and the physical network adapter (pNIC) is unbound from all clients, services and protocols, except the Microsoft Virtual Network Switch Protocol. The virtual network adapters (vNICs) in the parent and child partitions connect to the vswitch. Further vswitches may be created for internal communications, or bound to additional pNICs; however only one vswitch can be bound to a particular pNIC at any one time. Virtual machines can have multiple vNICs connected to multiple vswitches. Ben Armstrong has a good explanation of Hyper-V networking (with pictures) on his blog.

One exception relates to the connection of virtual machines to wireless network adapters (not a common server scenario, but nevertheless useful when Windows Server 2008 is running on a notebook PC). The workaround is to use Internet connection sharing (ICS) on the wireless pNIC and to connect that to a vswitch configured for internal networking in Hyper-V. Effectively, the ICS connection becomes a DHCP server for the 192.168.0.0/24 network, presented via the internal vswitch and I’m pleased to find that the same principle can be applied to mobile data cards. Interestingly, Hyper-V seems quite happy to bind directly to a Bluetooth connection.

Hyper-V network connection example

Using this approach, on my system, the various network adapters are as follows:

  • Dial-up adapters, including an HSDPA/HSUPA modem which I have shared to allow VMs to connect to mobile networks in place of wired Ethernet.
  • Local Area Connection – the pNIC in my notebook PC, bound only to the Microsoft Virtual Network Switch Protocol.
  • Wireless Network Connection – the WiFi adapter in my notebook PC (if there was WiFi connectivity where I am today then this could have been shared instead of the data card).
  • Local Area Connection 3 – the Bluetooth adapter in my notebook PC.
  • Local Area Connection 4 – the external vswitch in my Hyper-V installation, connected to the external network via the pNIC.
  • Local Area Connection 5 – another vswitch in my Hyper-V installation, operating as an internal network, but connected using the method above to the shared HSDPA/HSUPA modem.

This gives me plenty of flexibility for connectivity and has the useful side-effect of allowing me to circumvent the port security which I suspect is the cause of my frequent disconnections at work because the physical switches are configured to block any device presenting multiple MAC addresses for the same port.