Posts Tagged ‘security’

Apple TV and WPA2 Enterprise…

While playing around with SL server this morning, I noticed that it includes a RADIUS option under services in ServerAdmin. Naturally, I decided to investigate further. To my utter amazement, SL server has the ability to automagically set up Apple Extreme base stations with WPA2 Enterprise!! I have wanted to get WPA2 Enterprise up and running on my home network for a while now, but lacked the desire to download FreeRADIUS and go through the hassle of configuring it. So, I was immediately excited to get this service running.

I couldn’t believe how easy it was to set up this service. SL Server walks you through the entire process quickly and easily. It also automatically configures each Airport Extreme to use WPA2 Enterprise. Inside of 5 minutes, I had the service running, all base stations configured, and authenticated to my wireless network with WPA2 Enterprise. It was extremely cool.

Then I got to thinking…what does WPA2 Enterprise mean to all the other devices on my network? I wasn’t worried about our iPhones or laptops, but what about the AppleTVs?! I couldn’t recall if I’d ever seen a configuration setting for WPA2 Enterprise in the AppleTV software. I quickly ran to the AppleTV in the living room and was not surprised when it began to complain about the lack of network connectivity. So, I figured I only needed to run through the wireless setup once again to bring it back online. To my utter disappointment, AppleTV (as of this writing) does NOT support WPA2 Enterprise! Total. Fail.

Your only options are to wire the device into your LAN using CAT5/6 cable or to create another wireless network with WEP/WPA/WPA2 Personal encryption. My solution was the latter. I truly hope Apple adds this functionality in future updates. I really don’t like having a separate wireless network just for AppleTV.

-Tim

Cisco NAC Agent…

Cisco NAC Agent, a component of Cisco NAC, is a piece of software that runs on your computer and checks whether or not your computer meets all the criteria set by administrators for network access. If your computer passes assessment, the NAC agent refreshes your IP address, thereby granting you network access. Keep in mind, there is A LOT more going on behind the scenes. Without going into extreme detail, I wanted to share an interesting experience I had while working with this technology lately.

So, here was the situation. I had some laptops connecting to docking stations (port replicators) running the NAC agent. The weird thing was that every time a laptop would dock and then power up, it would retain the IP address it had while docked the last time. This was problematic because the NAC agent wasn’t communicating with the Clean Access Server (L3 OOB mode). After some thinking, I ended up concluding that hardware profiles had something to do with it. To make a long story short, modifying the hardware profiles didn’t fix the problem. I had finally reached the bottom of the idea barrel when I thought the DHCP lease might be the answer. So I shortened the lease time for DHCP clients and the laptops got the appropriate DHCP addresses at startup. Although, I still think the docking station had something to do with it…

-Tim

IOS IPS…

I’m always looking for new things to do with the Cisco router I have at home. One of the things I’ve been playing around with lately is IOS IPS. Starting with IOS Release 12.4(15)T3, you have the ability to configure an IOS-enabled router as an Intrusion Prevention System (IPS) device. Yes, there are other solutions available that are solely dedicated to this purpose, but I thought it was interesting that I could set this up with gear I already had up and running. Here is a sample config:

!
! Omitted...
!
ip ips config location flash:ips/ retries 1
ip ips deny-action ips-interface
ip ips name IPS list IPS-ACL
!
ip ips signature-category
 category all
  retired true
  event-action produce-alert
 category ios_ips advanced
  retired false
  event-action produce-alert
 category attack
  event-action deny-packet-inline deny-attacker-inline produce-alert
!
! Omitted...
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip ips IPS in
 ip ips IPS out
!
! Omitted...
!
ip access-list extended IPS-ACL
 permit ip any any
!

There are a couple of things I should mention that aren’t in the configuration example. First, you will need a CCO login and subscription to obtain the IPS signature packages available from the Cisco website. These packages are the definitions the router uses to identify malicious traffic. Second, you must load the signatures onto the router:

IPS_Router#copy tftp://x.x.x.x/ips.pkg idconf

Lastly, if you refer to the first block of code, you will notice that the “category all” signature category is “retired” and “advanced” is not. The rationale is that if you enable all signatures, you run the risk of crashing the router due to lack of memory. Best practice is to select a subset of signatures. In closing, this is not a complete configuration by any means. There is a lot more you can do with IOS IPS. Check out Cisco’s website for more information.
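As an added example (my own code, not from the post or Cisco), here is a small Python audit that parses the “ip ips signature-category” block out of a saved running-config and checks the practice described above: “category all” stays retired, a narrower category is un-retired, and the named IPS rule is both defined and applied to an interface. The config it reads is a constructed sample modelled on the one above; the finding messages are my own wording.

```python
import re
# Constructed sample modelled on the post's config (IOS indentation restored).
SAMPLE_CONFIG = """\
ip ips name IPS list IPS-ACL
!
ip ips signature-category
 category all
  retired true
  event-action produce-alert
 category ios_ips advanced
  retired false
  event-action produce-alert
!
interface FastEthernet0
 ip ips IPS in
 ip ips IPS out
"""

def parse_signature_categories(config):
    """Map each category in the signature-category block to its retired flag
    (True/False, None if unset) and its event-action list."""
    cats, current, in_block = {}, None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "ip ips signature-category":
            in_block = True
        elif in_block and not raw.startswith(" "):
            break                                  # left the indented block
        elif in_block and line.startswith("category "):
            current = line.split(" ", 1)[1]
            cats[current] = {"retired": None, "event-action": []}
        elif current and line.startswith("retired "):
            cats[current]["retired"] = line.split()[1] == "true"
        elif current and line.startswith("event-action "):
            cats[current]["event-action"] = line.split()[1:]
    return cats

def audit_ips_config(config):
    """Findings where the config departs from the post's practice: 'all' stays
    retired, a narrower category is enabled, and IPS rules are defined and applied."""
    cats, findings = parse_signature_categories(config), []
    if cats.get("all", {}).get("retired") is not True:
        findings.append("category 'all' not retired: router may run out of memory")
    if not any(c != "all" and v["retired"] is False for c, v in cats.items()):
        findings.append("no specific signature category un-retired")
    names = set(re.findall(r"^ip ips name (\S+)", config, re.M))
    applied = set(re.findall(r"^\s*ip ips (\S+) (?:in|out)$", config, re.M))
    findings += [f"IPS rule '{n}' defined but never applied" for n in names - applied]
    findings += [f"interface applies undefined IPS rule '{n}'" for n in applied - names]
    return findings
```

Run it against the output of “show running-config” captured to a file; an empty findings list means the config matches the practice above.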

-Tim

Cisco SAFE and SRND…

In addition to tons of documentation, Cisco has a couple of really good resources available over at cisco.com. Two of my favorites are the SAFE and SRND resources. The SAFE resource provides Cisco recommended best practices for network security. There are guides for the data center, branch office and WAN, just to name a few. The SRND resource is a design guide for networking technologies. There are videos, white papers and other technical references. I highly recommend visiting both sites.

-Tim