18 May 2021

Home WiFi QR code

So I happened across an article the other day which described how to do something that I thought was kind of cool. It walked you through how to create a QR code so that visitors to your house (or business) can simply use the camera in their smartphone to quickly and easily join your guest WiFi network. Yes, it may be nerdy… But it’s still cool. Here’s how you can do it too!

The beauty of this solution is that scanning the QR code works from basically any iOS or Android device. However, since I only have Apple mobile devices, I can only show you how easy it is on an iPhone.

Make the QR code

Get the ‘shortcut’ by clicking this link: https://www.icloud.com/shortcuts/796cd8de4e344ac6a5b6495a8a2fa333
(shortcut originally created by Stephen Robles for AppleInsider).

It will open the ‘Shortcuts’ app on your phone and display all the steps that will happen once you run the shortcut. Scroll all the way to the bottom of the screen and click the red button that is labeled “Add Untrusted Shortcut”. It will now get added to your “My Shortcuts”.

At the bottom of your screen tap on “My Shortcuts”. Run the shortcut called “Generate Wi-Fi QR”.
It will prompt you for a Wi-Fi network/SSID name, and it asks if you want to use the Wi-Fi network you are connected to, or it will let you specify another network and type it in. The next step will prompt you to enter the Wi-Fi password.

Once you hit ‘Done’, it will generate a QR code for you. Tap the icon in the upper right corner to save the QR code as an image.

Display & Connect

You now have an image that looks like this…

Print the image out and post it on your wall at home (or work). Keep in mind that the QR code encodes the network password itself, so anyone who can photograph it can join the network; hang it somewhere only your guests will see it.

When friends come over they can scan your QR code and connect seamlessly, without you ever having to do anything other than point a finger towards wherever you hang your QR code image.

28 May 2020

UDM FaceTime Issues

I have a habit, for better or worse, of spending [possibly too much] time on Reddit. It’s so easy to get lost scrolling through articles and comments on just about every topic.

I’ve recently started to follow the r/Ubiquiti sub-reddit and this was something that I found there. Some people report having issues using Apple’s FaceTime over their UDM based Unifi environment, whereas others seem to have no such issues. So take this suggestion at face value and use it if you need it…


Open your UDM’s controller in your browser.

Navigate to: Settings -> Wi-Fi -> Wi-Fi Networks -> Edit each of your network(s).

Scroll down to 802.11 RATE AND BEACON CONTROLS.

Set each network to use these settings:

  • Enable Override DTIM Period.
  • Set DTIM 2G Period to 3.
  • Set DTIM 5G Period to 3.
  • Save your changes.
  • Enable Auto Optimize Network.

Your iOS devices should now work and stay on 5G.

26 May 2020

DuckDNS on UDM

I have set up my Ubiquiti Dream Machine (UDM) and I am loving it. I’m diving into all of the settings that I can configure on my home network and one of the first things I’m setting up is Dynamic DNS (DDNS). This will allow me to reach my device/network remotely, regardless of the IP address that it has been assigned by my ISP.

The UDM can work with lots of different DDNS providers to accomplish this. Some DDNS services are free, whereas many are paid services. A quick Google search will show you all the various sites that offer DDNS services. In this article, I am only going to cover how to use DuckDNS, which is a free DDNS provider. Note: If you do use their service, I encourage you to support and donate to DuckDNS through any of the links at the bottom of their site.


Open your web browser and go to: https://www.duckdns.org/

Log into their site using your credentials from one of these sites: Twitter, GitHub, Reddit, or Google.

In the center of the page there is a spot to create a DuckDNS subdomain. This is where you will enter the unique name that you would like to use for your network, then click the green “add domain” button.

You will see your subdomain listed below.

In the upper part of the DuckDNS page, you should see a token listed.
Copy this token for later. It is the credential your UDM will use to update your record, so treat it like a password.

In your browser, open up your Unifi Controller.

On your controller go to “Settings” -> “Gateway” -> “Dynamic DNS”

Click on the button to “Create New Dynamic DNS”.
Enter the following settings:

  • interface: WAN1
  • service: dyndns
  • hostname: <YourSubdomain.DuckDNS.org>
  • username: nouser
  • password: <yourDuckDNStoken>
  • server: www.duckdns.org

Then click on “Done” button to save your settings.

26 May 2020

My Ubiquiti Network

Ubiquiti makes some interesting gear and is quite well known for disrupting the status quo by offering top-notch network and WiFi devices. Their gear ranges from prosumer to enterprise grade. Depending on how far down the rabbit hole you go, it can become a bit of an expensive ecosystem to buy into. On the plus side, if you ever decide to leave Ubiquiti, it shouldn’t be hard to resell the gear, as they have a large community of followers.

I was leaving one job and starting another and decided that it was time to upgrade my home network to allow for some more diverse home-lab options. I decided to jump on the Ubiquiti bandwagon and set-up on their Unifi product line. Being new to Ubiquiti and Unifi I have a lot to learn!

I’m starting off my Unifi environment with a Ubiquiti Dream Machine (UDM), a Unifi 8-port POE switch (US-8-60W), and a Unifi AP (UAP-AC-Lite). I’m starting small. 😂 But who knows how large it’ll grow!


Here are some things I’ve setup in my Unifi environment….

21 May 2020

Enabling SSH on Cisco IOS

While telnet and SSH are both allowed types of connections to Cisco gear, there is honestly no reason to be using telnet in today’s world. You should be using SSH for accessing all of your network devices. In very simplistic terms [and while the technologies are different], you can almost think of telnet as the equivalent of HTTP and SSH as the equivalent of HTTPS.

Telnet transfers all data in clear text, so your passwords and other credentials are visible to anyone watching the wire. With SSH, all of the data between the device and your computer is encrypted, so no one else can see sensitive bits like passwords. Anything used in production should be secured, and thus SSH is the obvious preference. So let’s look at how to enable SSH on our device. Once SSH is enabled we can then disable telnet.

Open a console or telnet session on your device to get started.

The first thing we need to do is make sure that the device is configured with a hostname and a domain name.

CiscoDevice# conf t
CiscoDevice(config)# hostname PWWF
PWWF(config)# ip domain-name it.playswellwithflavors.com

The next step is to enable AAA, so that the users configured locally on the switch can log in over SSH (or telnet) connections.

PWWF(config)# aaa new-model

Next we generate the RSA key pair that the device will use for SSH. The command prompts for a modulus size (or you can give it on the command line as shown); SSH version 2 requires at least 768 bits, so use 2048.

PWWF(config)# crypto key generate rsa modulus 2048

We then want to enable SSH version 2 on the device.

PWWF(config)# ip ssh version 2

We will next set the desired SSH authentication timeout (in seconds). This is the amount of time you have to enter the correct user credentials after connecting. The default value is 120 seconds.

PWWF(config)# ip ssh time-out 60

Then we can change the number of SSH authentication retries that are allowed.

PWWF(config)# ip ssh authentication-retries 3

Next up is to configure the line vty (virtual terminal) lines.
We will configure the following:

  • set the input transport to SSH only (this is what disables telnet)
  • set the login type to local logins, so the username entries on the device are used
  • make sure passwords are stored with strong hashing (with login local, the vty lines need no password of their own; the hashing comes from the username ... secret command shown at the end of this article)
  • set a timeout for inactive sessions (in minutes)
PWWF(config)# line vty 0 15
PWWF(config-line)# transport input ssh
PWWF(config-line)# login local
PWWF(config-line)# exec-timeout 10
PWWF(config-line)# exit
PWWF(config)# exit
PWWF#

The final step is to save our configuration changes with the following command.

PWWF# write

Now you can close your terminal session and connect to your device over SSH.


You can verify that SSH access is enabled on your device with the following command. If the version line reports 1.99 rather than 2.0, the ip ssh version 2 command did not take effect and the device still accepts SSH version 1 as well.

PWWF# sh ip ssh
SSH Enabled - version 1.99
Authentication timeout: 60 secs; Authentication retries: 3

If you have not yet created user credentials, or if you wish to add a new user, here is the command.

In this example, the user name is “bob” and the password is “Aloha1234”

PWWF# conf t
PWWF(config)# username bob secret Aloha1234
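To check that a device really ended up with all of the settings above, here is a small audit script (an added example, not part of the original article) that reads show running-config text and flags each hardening step as done or missing. The sample configs are constructed, the username hash is a placeholder, and the type 7 password in the legacy sample is a made-up value.

```python
import re

# Constructed sample of 'show running-config' output (not from a real device);
# the username hash is a placeholder, not a real type 5 secret.
HARDENED = """\
hostname PWWF
ip domain-name it.playswellwithflavors.com
aaa new-model
username bob secret 5 $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 3
ip ssh version 2
line vty 0 15
 exec-timeout 10 0
 login local
 transport input ssh
"""

# The same device before hardening: telnet allowed, SSHv1 negotiable, reversible type 7 password.
LEGACY = (HARDENED.replace("transport input ssh", "transport input all")
                  .replace("ip ssh version 2\n", "")
                  .replace("secret 5 $1$placeholder$xxxxxxxxxxxxxxxxxxxxxx", "password 7 0822455D0A16"))

def vty_blocks(config):
    """Return the body (indented lines) of every 'line vty ...' stanza."""
    blocks, current = [], None
    for raw in config.splitlines():
        if raw.startswith("line vty"):
            current = []
            blocks.append(current)
        elif raw.startswith(" ") and current is not None:
            current.append(raw.strip())
        else:
            current = None  # any other top-level line ends the stanza
    return blocks

def _int_after(config, prefix, default):
    """Numeric argument of a global command, or the IOS default if the line is absent."""
    m = re.search(r"^" + re.escape(prefix) + r" (\d+)", config, re.M)
    return int(m.group(1)) if m else default

# exec-timeout that is present and is not '0' or '0 0' (those disable the idle timeout)
TIMEOUT_ON = re.compile(r"exec-timeout (?!0(?: 0)?$)\d+")

def audit(config):
    """Map each hardening step from the article to True (done) or False (missing/weak)."""
    vtys = vty_blocks(config)
    return {
        "hostname set": bool(re.search(r"^hostname \S+", config, re.M)),
        "domain name set": bool(re.search(r"^ip domain-name \S+", config, re.M)),
        "aaa new-model": bool(re.search(r"^aaa new-model$", config, re.M)),
        "ssh version 2 only": bool(re.search(r"^ip ssh version 2$", config, re.M)),
        "auth timeout <= 60s": _int_after(config, "ip ssh time-out", 120) <= 60,
        "auth retries <= 3": _int_after(config, "ip ssh authentication-retries", 3) <= 3,
        # local users must use 'secret' (hashed); 'password' is clear text or reversible type 7
        "users use secret": not re.search(r"^username \S+ password ", config, re.M),
        "vty ssh only": bool(vtys) and all("transport input ssh" in b for b in vtys),
        "vty login local": bool(vtys) and all("login local" in b for b in vtys),
        "vty exec-timeout": bool(vtys) and all(any(TIMEOUT_ON.match(l) for l in b) for b in vtys),
    }
```

Running audit(LEGACY) flags the telnet transport, the missing ip ssh version 2 and the type 7 password, while audit(HARDENED) passes every check.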
16 May 2020

TEI_ASSIGNED

So I’ve had the unlucky experience of having to deal with the PRI connected to a T1 controller card on a Cisco 4321 Integrated Router that fails to come back up “online”, EVERY time the router gets power cycled.

Let me tell you… It is annoying! I don’t even want to try to tell you how many hours have been spent listening to hold music while getting in touch with the provider just to have them “run tests” from their side and say that the layer 1 connection is active, so it’s our problem, not theirs.

Basically, what has been happening is that after the router gets rebooted, the D-channel of the PRI gets locked up and doesn’t want to get in sync with the provider to allow inbound or outbound calls. Whenever we ran “show isdn status”, the layer 2 status would come back as “TEI_ASSIGNED” instead of the desired “MULTIPLE_FRAME_ESTABLISHED”. This PRI is connected to a MGCP gateway and in the end we basically either have to clear counters to reset the interface or rebind and rebuild the MGCP connection before it all comes back up.

Luckily, since we have been able to replicate the issue on every power cycle (whether or not it was an intentional power cycle), and I kept notes which I’m about to share, we have also been able to repeat the same steps to bring it back “online”.

My disclaimer: This worked for me, in the particular environment I referenced above. I have not tested this in any other environment. YMMV. You copy me at your own risk, and I am not responsible for any changes/damages you cause to your environment. These are purely just my notes for the previously mentioned environment.

From the console run the following command.

4321#show isdn status

Reading the output from the above command, summarized, the desired states are:

  • Layer 1 status: Active
  • Layer 2 status: MULTIPLE_FRAME_ESTABLISHED

If layer 1 is “Active” then it means that the circuit with your provider should be good. If it is not showing as “Active”, then first check that the physical cable is connected and isn’t damaged. If it looks okay, then get on your cell phone and call your provider.

If layer 2 status is “MULTIPLE_FRAME_ESTABLISHED” then you shouldn’t be having problems. Try another test call to verify that everything is working now, then go home. LOL.

However, if you’re in a situation similar to me, then you can’t make any calls and your layer 2 status is showing as “TEI_ASSIGNED”. The first, and easiest, thing to try is to clear the counters. This resets the interface. You can then recheck to see if the layer 2 status has changed. You can use the following command to clear the counters and recheck the ISDN status.

4321#clear counters
4321#show isdn status

If that did not work and your layer 2 status is still “TEI_ASSIGNED” then the next step is to try to restart the T1 controller. Then recheck the ISDN status. Use the following commands to do so.

4321#clear controller t1
4321#conf t
4321(config)#controller t1 0/1/0
4321(config-if)#shutdown
4321(config-if)#no shutdown
4321(config-if)#exit
4321(config)#exit
4321#show isdn status

Did that work for you? Hopefully it did. But if it did not work, then there is one more thing to try. Rebind the layer 3 to call manager and then teardown and rebuild the MGCP connection, and recheck the ISDN. Use the following commands to do so.

4321#conf t
4321(config)#interface serial 0/1/0:23
4321(config-if)#isdn bind-l3 ccm
4321(config-if)#no mgcp
WARNING: no mgcp: Teardown MGCP application may take a while to clean up resources
4321(config-if)#mgcp
4321(config-if)#exit
4321(config)#exit
4321#show isdn status

Okay, now the layer 2 status should be coming back as “MULTIPLE_FRAME_ESTABLISHED” when you check the ISDN status. If it does not, then you really should open a TAC case with Cisco to figure out WTF is going on.

Hope this helps someone! Keeping these notes handy has definitely helped me, more than once. Also, FWIW, the one Cisco PDF that I did find somewhat helpful when troubleshooting this was: https://www.cisco.com/c/en/us/support/docs/wan/t1-e1-t3-e3/8131-T1-pri.pdf

7 April 2020

Home VPN with a Raspberry Pi

VPN stands for virtual private network. What that means is that when you connect to a VPN, you are essentially creating a secure encrypted tunnel from your device to the network on the other side. A VPN prevents “snooping eyes” from seeing the actual network traffic that crosses the wire, meaning that only you and the other end know what you are doing. That traffic will be visible from the other end as it comes out there, but that is a network you “trust”, and the traffic is protected as it traverses the Internet.

You’ve probably heard of VPN services before or you might already use one. They are commonly used by workplaces, to connect back to your office. There are also commercial VPN services for individuals looking to bypass geo-location filters when they are overseas, to make it appear that they are in the U.S., or for users attempting to anonymize their internet traffic. Those are all great examples of VPNs. But those are not what I am going to cover….

So what about if you want to access resources you have at home while you are away? (i.e. – printers, file storage or file backups, remote support of a non-tech-savvy family member)

Or what if you want to use the Pi-Hole adblocker you set up at home while you’re at school/work/traveling?

This is the type of “home VPN” that I am talking about. This “home VPN” will keep your browsing secure while you are hopping onto free WiFi hotspots all across town, but it will not anonymize your traffic at all. All of your traffic is [securely] going to go through your VPN and it will be as if you are surfing the Internet from home. So don’t think that just because you set up a VPN on your Raspberry Pi at home you can blindly surf the Internet and download illegal torrents without consequence, because you’d be wrong. You will, however, be able to connect back home and retrieve those files you forgot to put on your thumb drive before walking out the door.

The magic that will make it happen is called PiVPN. It’s a small piece of software that can be installed on a Raspberry Pi with a single line of code, and can be configured, ready-to-go, in less time than it takes to watch a sitcom episode on Netflix.

Follow the articles below to get set up.


19 March 2020

CUCM 10.5 – Updating VMtools

Cisco Call Manager is an integral part of any company that runs it for all of their “voice” or telephony services. I’ll be honest… I’m always a little afraid to console in and do stuff on a CUCM server because I don’t feel like I know enough to quickly troubleshoot issues I might cause.

However that doesn’t mean that I can avoid CUCM all together. I do have to jump into a CUCM server occasionally. Like when it’s been virtualized and it’s time to update the version of VMware Tools (VMTools) that is running on it. Thankfully, that task is a lot easier than it might initially seem. I’ll demonstrate how to upgrade the VMTools on a server running CUCM v10.5.2.

In vCenter, select your CUCM server. Dropdown the ‘Actions’ menu and select ‘Guest OS’. Then click on “Install VMware Tools…”.

You’ll see a pop-up message; click ‘Mount’. This makes vCenter mount the VMTools ISO in your virtual machine so that the guest OS can access the installer.

Now, log in to your CUCM VM’s console as admin, and enter the following commands.

admin: utils os secure permissive
admin: utils vmtools refresh

You will be warned that the tools install will reboot the machine twice. Press ‘y’ and hit ‘Enter’ to continue….

If VMTools has never been installed on this VM, or if the install didn’t complete, you might see a message stating that you need to manually restart the server. If so, enter the command it shows to finish the install by rebooting the server.

admin: utils system reboot

After the reboots are finished, log back in as admin to your CUCM server. Enter the following command.

admin: utils os secure enforce

That’s it! Your VMtools have been updated. The updated guest OS info should now be visible when you look at this CUCM vm in your vCenter.

23 January 2020

Migrating NPS Configuration

I recently had to migrate some services from an old Windows 2008 server to Windows 2016. One of those services was a Network Policy Server (NPS) service, which is used for RADIUS authentication of users into some more secure resources.

I was kind of dreading the task, as I had no recollection of how I had configured it, some five or more years ago. My initial search on the subject landed me on this Microsoft documentation site, which was very informative. Luckily, the task of exporting and migrating your NPS configuration to import onto another server is quite simple. It can all be done with a few lines at a command prompt and a single XML file.

In Windows 2008 or 2008 R2, you use ‘netsh’.
In Windows 2012 and above, you can use PowerShell or ‘netsh’.

Both methods are equally simple; it really just comes down to which version of Windows Server you are migrating from.

Export and Import the NPS configuration by using Netsh

Log in to your source NPS server with your administrative credentials.

Open a ‘Command Prompt’ as an administrator, type netsh, and then hit Enter.

At the netsh prompt, type nps, and then hit Enter.

At the netsh nps prompt, type export filename="<path>\<filename>.xml" exportPSK=YES
Update <path> with the folder location where you want to save your configuration file. The path can be relative or absolute, or it can be a UNC path.
Update <filename> with what you want to name your xml file.
Note that exportPSK=YES writes the RADIUS shared secrets into the file in clear text, so protect the file while it exists and delete it once the import on the new server is done.

After you press Enter, you’ll see a message showing whether the export was successful or not.

Copy the xml file you created to the destination NPS server.

Open a ‘Command Prompt’ as an administrator on the destination NPS. Type the following command, then hit Enter. netsh nps import filename="<path>\<file>.xml"
A message will appear to show whether the import was successful or not.

Export and Import the NPS configuration by using Windows PowerShell

Log in to your source NPS server with your administrative credentials.

Open a ‘PowerShell window’ as an administrator, type the following command, and then hit Enter. Export-NpsConfiguration -Path c:\NPSconfig.xml

There is no message after the command completes, but if you check your path location, you should see your xml file.

After you have exported the NPS configuration to a file, copy the file to the destination NPS server. I’m copying mine to the root of the c:\ so it’s easy to find.

Open a ‘PowerShell window’ as an administrator on the destination server. Type the following command, and then hit Enter, to import your configuration.

Import-NpsConfiguration -Path "c:\NPSconfig.xml"

20 December 2019

File management – Cisco Flash

When working on Cisco devices, sometimes you have to delete files from the device. It’s more or less the same on all Cisco devices. While there are other file systems available to you on your device (see the first command listed), Cisco devices use “flash:” as their default file system. My examples will also use the default “flash:” but note that the commands work the same on any other available file system, such as “usb0:“.

Show Available File Systems
Device# show file systems

Show Files
Device# dir flash:

Create Directory
Device# mkdir folder

Step into Directory
Device# cd folder

Delete File
Device# delete /force flash:/filename
Device# delete flash:/filename

Delete Directory
Device# delete /force /recursive flash:/folder

Copy File
Device# copy usb0:[/directory]/filename flash0:[/directory]/filename
