networking

Using NetScaler Responder policies to log source ip-address

Sometimes you need to decommission services and move them to new servers. Sometimes this requires changing the IP address. This is no big deal as long as the accessing clients use DNS, or as long as you can change the IP address used to connect to the services through a central mechanism. DNS and LDAP are two of these services. They often come as part of Microsoft Active Directory Domain Controllers. Sometimes customers take the IP address of a DC and hard-code it into other IT systems or config files.

ArubaOS: Encrypt credentials in config files

By default, credentials such as RADIUS or TACACS authentication keys are stored separately from the switch configuration, and are not shown when saved or running configurations are displayed or copied using TFTP or SSH. You can change this behavior using the include-credentials command. This clearly seems to be a security issue, because the displayed credentials are unencrypted. You can check the current status using show include-credentials.

HP Switch(config)# show include-credentials
Stored in Configuration : Yes
Enabled in Active Configuration : Yes
Include ClearPass Keys : No

If you want to encrypt these credentials, you can use the encrypt-credentials command.

Using dnsforge.de on your home network

Many of you might know Pi-hole and use it for blocking ads. I also used it for a long time in my home network, running it on a Raspberry Pi. A customer of mine then drew my attention to dnsforge.de. What is dnsforge.de? dnsforge.de is a censorship-free, secure and redundant DNS resolver without logging, but with an ad blocker. The servers are hosted in Germany. dnsforge.de also offers clean.dnsforge.de, which provides parental control blocklists and Safe Search for search engines and YouTube.

Failed to connect to IKEv2 VPN using iPhone USB tethering

Usually I tend to use the iPhone WiFi hotspot feature. But lately, I had to switch to USB tethering, because I had to work a whole workday using the hotspot feature. USB tethering saves battery, and the connection was more reliable for me. Please note that you need to install iTunes to use USB tethering, because the necessary Ethernet driver is only available with iTunes. Without this driver, Windows won’t recognize the iPhone as an Ethernet connection.

Windows NPS - Authentication failed with error code 16

Today, a customer called me and reported what, at first sight, looked like a pretty weird error: only Windows clients were unable to log in to a WPA2-Enterprise wireless network. The setup itself was pretty simple: Cisco Meraki WiFi access points, a Windows Network Policy Server (NPS) on a Windows Server 2016 Domain Controller, and a Sophos SG 125 acting as DHCP server for the different WiFi networks. Windows clients failed to authenticate, but Apple iOS, Android, and even Windows 10 tablets had no problem.

EAPoL forwarding on NEC VoIP phones

A customer is running their PCs behind their VoIP phones. Nothing unusual; most VoIP phones I know have an embedded Ethernet switch, so that you only need one cable to connect the PC and the VoIP phone to your network. As part of a network security project, my colleague and I implemented IEEE 802.1X port-based network access control in one of our customers' networks. The setup consists of multiple Alcatel-Lucent Enterprise OmniSwitches (6450-P10 and 6860/E) and Aruba ClearPass.

Windows Network Policy Server (NPS) server won't log failed login attempts

This is just a short but interesting blog post. When you have to troubleshoot authentication failures in a network that uses Windows Network Policy Server (NPS), the Windows event log is absolutely indispensable. The event log offers everything you need. The success and failure event log entries include all the information necessary to get you back on track. If only failure events were logged… Today, I was playing with Alcatel-Lucent Enterprise OmniSwitches and Access Guardian in my lab.

Bypass stateful firewall on a Sophos XG

Usually, bypassing a firewall is not the best idea. But sometimes you have to. One case where you want to bypass a firewall is asymmetric routing. What is asymmetric routing? Imagine a scenario with two routers on the same network. One router offers access to the internet, the other router provides access to other sites via site-to-site VPN tunnels.

[Figure: Patrick Terlisten / vcloudnine.de / Creative Commons CC0]

Host 1 uses R1 as its default gateway.

DOT1X authentication failed on HPE OfficeConnect 1920 switches

The last two days, I have supported a customer during the implementation of 802.1X. His network consisted of HPE/Aruba and some HPE Comware switches. Two RADIUS servers with appropriate policies were already in place. The configuration and testing with the ProVision-based switches was pretty simple. The Comware-based switches, in this case OfficeConnect 1920, gave me more of a headache. The customer already had MAC authentication running, so all I had to do was to enable 802.

HPE Networking expert level certifications

A couple of days ago, I took the HP0-Y47 exam “Deploying HP FlexNetwork Core Technologies”. It was one of two required exams to achieve the HPE ASE - Data Center Network Integrator V1 and the HP ASE - FlexNetwork Integrator V1 certifications. It was a long-planned upgrade to my HP ATP certification, and it is a necessary certification for the HPE partner status of my employer. You might find it confusing that I’m talking about an HP ASE and an HPE ASE.