Friday, February 14, 2014

OpenDaylight on Windows - Hydrogen

A couple weeks ago OpenDaylight released Hydrogen, which is the first production release of code. This is a pretty significant milestone as it wasn't that long ago that ODL started.

Now I have detailed getting the controller up and running on windows in a previous post, that was actual building from source.

After a bit of try and fail of running the controller on x86 32-bit windows, I remembered that the Java seemed to run better on x64 version of Windows.

My test system:

Dell 2850 - 4 gig of ram running Windows Server 2008 R2


Install Java SE 1.7.0_51

Set JAVA_HOME Environment Variable on system.

 ** Important note ** Use the 8.3 path name  This comes into play when starting the controller from the batch file.

Download pre-built zip file from

Unzip into a directory

Open a Command Prompt as Administrator

Change to opendaylight directory in the folder extracted from the zip file.

Type run -start  to start the controller in the background. It takes a little bit before it is ready. If you are impatient like I am, run netstat -a in another command window. When you see localhost is listening on port 8080 you are ready to go.

Then point a web browser to http://localhost:8080

Login as on previous builds:

Saturday, December 14, 2013

Where did the time go? - December 2013 Edition

The other day in reading a few blog posts I notice that some of my favorites were a little neglected. I was about to give them a little jab over twitter, then I thought when was your last post? Umm, Umm, Yeah got myself. August 25th. It's December, where did the time go?

I realize that I am not the master of content, churning out daily posts or even weekly posts. But I think it was time for something.

I could go down a list of thing of how we got to this point but let me filter out the more technical highlights.

Things that have kept me busy since the last post:

  • Fall Semester started - now is almost over, couple more days.
    • Limited packetfence work other that keep it running. FreeRadius issue - patched with restart script
    • Cloud storage vendor change
      • Twinstrata implementation - Lots of data move from one provider to another
    • Office 365 Implementation - Still in process
      • Initial setup was contracted, production migrations up to us
      • Migrations scheduled into early next year (2014)
    • Personal device Printing - Still in process
      • IOS/AirPrint - Papercut
        • Bonjour over Cisco controller based wireless
  • Family - busy with activities for the kids
With Christmas break coming up, unlike some who get a change freeze, I get a change window, including some during the middle of the day.

Looking forward past the current items: 
  • Testing of new gear
    • Airtight AP - received that in late November, have to dig into the interface to see all the nerd knobs
    • Brocade switches
      • Received 2 - 6610 and 2 - 3450 switches to evaluate uses as campus switches
      • The 6610 has the potential to be used as a core replacement, with the stacking and L3 features. 
  • Getting back to OpenDaylight. 
  • Writing a few more posts. The list above has more than enough topics to write on, just have to do it.

If anyone picked up on that little tidbit a few lines back, yes my core switch is slated for EOS in a couple years, so I think it is time to evaluate what is out in the market. 

Sunday, August 25, 2013

PacketFence 4.0.x Game System Registration

I came across a little snafu in the Gaming System registration in Packetfence 4.0.X. In PacketFence you can have a page that allows users to register systems that don't have web browsers on them. You can access it by https://<packetfence ip>/gaming-registration .

Great since Xbox's are notorious for not getting registered, due to collision in the OS fingerprinting. This is a well documented problem. In my previous install they would fingerprint to OEM Wireless Router, this time it seems RIM BlackBerry. Either way they miss my auto-registration violation rule, which I may just get rid of.

So trouble started when several students tried to register their Xbox's using the registration page.
 They would authentication to the first page then enter the MAC address:
 Then it would throw this error:

So what gives looks valid. Turns out there is a file: <PF install dir>/lib/pf/web/ Which has a list of the first part of MAC addresses allowed to be entered into this page. Added the first 3 octets of the address to the file in the correct spot. Save the file and you are back in business.

I recommend that you verify the manufacturer  of the mac. I use this site: this allows you to verify that it is a microsoft mac. Hope this helps if you come across this problem.

Sunday, August 18, 2013

Packetfence 4.0.5 - Notes

Packetfence 4.0.5 was released on 8-12-2013. Slight bit of craziness, since there were a couple problems with it. But Inverse issued patches within hours. Now the downloaded version is stable and works fairly well.

I however ran into a couple bumps with that upgrade/patch.

First one was I ran into this bug:
Which basically the radius server was throwing SOAP errors and would not return the correct vlan, and then after a few hours just stop running. The patch listed here:  Was missing/didn't apply to the update. So I found the line in the source and edited it to reflect the change. This resolved the issue and the radius server has been running since.

The other was the retrieval for role for gaming device registration. This was a quick two lines added to module described here:

At this point I have to freeze the code, no more updates as this is completely in production. And the students are back on campus. The only changes I think we be made are page edits to fix the wording or add more information to the pages.

Update to this post:

After experiencing some problems, I found that my installation is still at 4.0.1 - which is why these patches were not there. Only a certain part of PF was upgraded. Not anything to make it matter.
 {Link to new post when done}

Friday, August 9, 2013

7Signal - Thoughts [Pre-WFD5]

[I have received a Webex presentation and in-person demo of the 7Signal product. This is also a stream of thought post.]

7Signal is a wireless performance and optimization company. Their products do not provide wifi, they monitor and test your wireless network, so that you can optimize it and get the best potential out of your investment.

There solution is listed below- [straight from the data sheet]
Solution components
Sapphire consists of three elements that measure, record, report, alarm, analyze, troubleshoot and verify 
1. Sapphire Eye: Unobtrusive ceiling-mounted scanners that measure large wireless coverage areas.
2. Sapphire Sonar Server: Sonar test servers are located in close proximity to application servers. 
Sonar Server is the endpoint for user experience measurements performed by the Eye units. Sonar 
reports results back to Eye units and then forwards those reports to the Carat Management Server.
3. Sapphire Carat Management Server: A centrally located Carat server stores, manages and 
analyzes the collected data from the Eyes. It provides reports and alarms and includes analyzer 

So there is the Sapphire Eye which you mount on the ceiling in your environment in the area in which you want to monitor and test. The Eye has 7 directional antennas which are utilized in all of the test. To say that it is "unobtrusive" I will beg to differ. It looks like a upside down flower pot. I know that I have some areas in which if I hung it from those ceilings, someone would hit their head. With that said, I understand the reason why it it so big, the antennas are not your cheap usb adapter 1.5 db antennas. They are big! There is a compass feature in the unit so that you can always know the direction of the antennas no matter how you mount it. 

The software is in two pieces, server software which runs/controls the test that the Eye performs, collects data and such. Second piece is the management console which you can access the reports and data that has been collected and processed. Graphs and charts and all sorts of data is displayed.
Since I didn't drive the console and have only a limited feel for it. Watch the videos and read the data sheets for a better look.

My explanation of the product is: "Hang a wireless engineer from the ceiling with all his tools 24/7 and get data. Giving you a real time site survey and analysis"

As explained, you can go with a CAPEX model, OPEX, or hybrid of the two. These models allow some flexibility depending on your organization.

My feelings without naming price, is it is on the expensive side. (I'm pretty cheap so take that how you will... Actually just contact a partner and find out for yourself.) If you take the offering and break it down into what a professional wireless engineer would bring to the job, then if think they are on par.

The OPEX model has a lot of intrigue. The list price is like buying an mid-level AP per month per Eye.

Include or not depending on options is a start-up analysis/recommendations from their engineers.

I was ask if I thought is was worth it from a colleague. I believe it has value and great potential for me, not sure that I can justify the price for my organization. The costs used in their calculator seem not to be in my ballpark as ROI and such. (If I could plug my own values in, might change a bit.) Now there is flexibility to move the EYEs around into spots that are having trouble and then work through that area.   

Currently I am thinking more about the product and the value. I will be watching the WFD5 stream to see what they present. I hope to update this post in the coming weeks as I will have flushed out some ideas further.

Tuesday, July 23, 2013

Packetfence Guest Email Domains Check - Updated

So in my quest for latest version of Packetfence 4.0.x I am enabling the guest access. This is done so that guest account creation for wireless will be reduced to only the special cases. The user contact info is captured so I know who is on the network from a rough perspective.

Inside of Packetfence the guest module check the email against the local domain of the packetfence server so you can block your normal users from getting guest accounts. Since they expire in a short fashion and a limited network access it really does the trick.

I ran into a little problem, multiple email domains which need to be blocked. After a post to the listserv and a response that indicated to look in the module here is what I did:

my $email_type = pf::Authentication::Source::EmailSource->meta->get_attribute('type')->default;
    my $source = &pf::authentication::getAuthenticationSourceByType($email_type);
    if ($source) {
        unless (isenabled($source->{allow_localdomain})) {
            # You should not register as a guest if you are part of the local network
            my $localdomain = $Config{'general'}{'domain'};

# Added explicated second domain for check below 

my $localdomain1 = ‘second domain name’;

            if ($cgi->param('email') =~ /[@.]$localdomain$/i) {
                return ($FALSE, $GUEST::ERROR_EMAIL_UNAUTHORIZED_AS_GUEST, [ $localdomain ]);

if ($cgi->param('email') =~ /[@.]$localdomain1$/i) {
                return ($FALSE, $GUEST::ERROR_EMAIL_UNAUTHORIZED_AS_GUEST, [ $localdomain1 ]);

I added a second check for another explicitly defined domain $localdomain1 yes I could change that but it was quick and dirty. Added is the code in orange. 

Tested and this does exactly what I wanted it to. Just thought I would share.

Updated: 7-25-2013

On the advice of Inverse, I took the above code blob with the surrounding sub and transferred it to the and changed the section to reference the pf::web::guest so that this new sub would take precedence.

Thanks again to the Inverse Team.

Tuesday, June 25, 2013

Packetfence 4.0.1 - First load

As the summer window of working on projects before the day students return is rapidly shrinking, I needed to start on my Packetfence upgrade. If you read my blog before you may know I am a pretty big user of it.

As I wrote back in May it is a fresh install, no direct upgrade path. Getting started, I loaded up a vm with CentOS 6.4 and started down the PacketFence Admin Guide to install. The install guide is fairly straightforward to follow. There is a section on install which on RHEL/CentOS system you have to add additional repos to get things going.

Great been here, not sure I remember the last one from the last install. Ok no big deal, right? I hit a small roadblock with this one. There is only 1 copy of that repo, and it was down. Argh!

Read some more into the doc:

 Debian and Ubuntu
All the PacketFence dependencies are available through the official repositories.

Ok scrap the CentOS 6 install, load up Debian and lets rock. Everything went smooth after that.

PacketFence install within 15 minutes of Debian system being up.

Initial Impressions:

Web Configurator: Awesome to help get things setup.
New Admin Portal: Awesome, leaps and bounds better than 3.5x, the amount you can change inside the interface is great.  I was editing the AUP_Text and save and refreshing the captive portal with the changes live. (Couldn't do that before.)

System performance: Not in production yet so can't say.

The interface is snappy. The search is great with the ease that you can add on more rules to search for to narrow down the person/node that you are looking for.

Guest management is just what I was looking for.

This is NAC that Excites. Hats off to the team for this work.