technology, networking and IP telephony
Posts tagged WLAN
Motorola Switch Password Recovery
8November 22, 2007
If for whatever reason you’ve lost the Web UI or “admin” password your only recourse is to factory default the wireless switch.
To access the switch using a password recovery username and password:
1. Connect a terminal (or PC running terminal emulation software) to the serial port on the front of the switch. The switch login screen displays. Use the following CLI command for normal login process:
WS5100 login: cli
2. Enter a password recovery username of “restore” and password recovery password of “restoreDefaultPassword”.
User Access Verification Username: restore Password: restoreDefaultPasword WARNING: This will wipe out the configuration (except license key) and user data under "flash:/" and reboot the device Do you want to continue? (y/n):y
3. Press Y to delete the current configuration and reset with factory defaults.
Once the switch has complete it’s reboot you should be able to login with the default userID or “admin” and the default password of “symbol”. If you had previously backed up the configuration of the switch you could restore your old configuration.
WiFi Hotspot Portal
1November 19, 2007
by Michael McNamara in Scripting
A few years ago I had a request to design a public WiFi hotspot portal for the patients and visitors within our five major facilities. I did a fair amount of research and found a number of interesting commercial and open-source solutions. Unfortunately none of them really filled our requirements or caught my fancy. So I embarked on building/coding our own solution using a wide array of open-source software that was already available. Since I was most familiar with Perl at the time I chose to code the solution using Perl and Javascript (browser side) using Linux as the operating system of choice.
I needed to provide a public WiFi hotspot across our existing corporate wireless infrastructure at our five major sites. It obviously needed to be secure from our internal network, it needed to be 100% automated (there were no resources available to support this offering) and it needed to work (there’s a surprise requirement). We also needed to keep internal (corporate) laptops and wireless devices from connecting to the unencrypted network and circumventing current Internet access policies.
Because of security concerns I decided to only allow HTTP (TCP 80) and HTTPS (TCP 443) traffic from the public wireless network. I also tabled any ideas of content/URL filtering from the original design. Instead we would reliable on Blue Coat ProxySG/ProxyAV appliances and Websense to perform content filtering and AV scanning of the traffic in a later upgrade.
How did we do it?
We carved out an ESSID (“public”) from our Motorola Wireless LAN infrastructure at each facility. We setup the wireless network without any encryption or security so as to minimize any end-user difficulties in connecting to the wireless network. We took CentOS and built a WiFi portal server/gateway/firewall/router using an HP Proliant DL360. We essentially turned our Linux server into a cheap and very efficient firewall/gateway for the WiFi Hotspot. We connected one NIC of the Linux server to the wireless WLAN and the other to our internal network. This allowed use to use the Linux server to provide IP addresses to the wireless devices through DHCP. It also allowed use to have the Linux server provide DNS for name resolution. And most importantly it allowed use to use IPtables to provide firewalling between the wireless network and our internal network. This solution also allowed us to implement bandwidth shaping/throttling to prevent the public WiFi Hotspot wireless users from utilizing too much of our Internet link (DS-3 ~ 45Mbps).
Once a device associates with the wireless network the Linux portal server will issue the device a DHCP address from the 192.168.16.0/20 network. When the user opens their web browser they will be redirected to the Linux portal web server and the registration page as it appears below;
Once the user clicks on the “I AGREE” button the Linux server will kick off the “register.pl” script to check the IP/MAC address and decide if they should be granted access. If they are granted access they will be redirected to our Internet homepage after which they’ll be free to surf to any URL. If the user is denied access they will be directed to an error page.
It is also possible that the user may attempt to register multiple times due to their web browser caching the portal page contents as the contents of a legitimate Internet website. Example: A user opens their web browser to www.cnn.com and is greeted with the portal page. User registers that is then re-directed to www.acme.org. The user then types www.cnn.com back into the browser address bar, but instead of getting the legit content for the CNN website the user is greeted again by the portal page. The user not knowing any better clicks the “I AGREE” button for the second time in as many minutes. Previously this problem would have gone on and on over and over, now the system will detect that the user is already registered and will through an error alerting the user to “refresh” their web browser. In order to refresh the browser the user should just type in the URL of the website they are attempting to visit and click “Go” (or hit “enter”). If they are greeted with the portal page they should click the “refresh” button from the browser button bar. That will instruct the web browser to ignore any cached content and attempt to retrieve all the data direct from the source website.
Every night at midnight the firewall rules will be reset to the defaults. Requiring any that wishes to access the WiFi Hotspot to agree to the AUP again. This is done to prevent folks from continually sitting/camping on the WiFi Hotspot.
Initially I thought we might be able to use a VPN or GRE tunnel to connect the five public WLANs to a single Linux server. Unfortunately I was a little ahead of the times and VPN/GRE tunnels were just starting to be supported in the various wireless switches (Motorola in this case). So I decided to take an easier approach and installed five HP Prolaint DL360 servers, one for each site.
I’m very happy to report that the solution works very well and virtually supports itself.
The only issue that we’ve seen is the need to continually update the blacklist file to keep corporate wireless devices from connecting to the public network. Thankfully I’ve written a small Bash Shell script to help with that process.
I hope to write a more detailed account of how to set this up on my website sometime in the future. If your interested in hearing more or have questions please drop me a line.
Cheers!
802.11 Dissassociation Codes
4November 7, 2007
These codes can be extremely useful in troubleshooting wireless issues.
Value | 802.11 or Symbol/WPA Reason Code | Description |
0 | REASON_CODE_80211_SUCCESS | Reserved internally to indicate success |
1. | REASON_CODE_80211_UNSPECIFIED_ERROR | Unspecified Reason |
3. | DISASSOCIATION_REASON_CODE_STATION_LEAVING_ESS | Deauthenticated because sending station has left or is leaving IBSS or ESS |
4. | DISASSOCIATION_REASON_CODE_INACTIVITY | Disassociated due to inactivity |
5. | DISASSOCIATION_REASON_CODE_STATION_LIMIT_EXCEEDED | Disassociated because AP is unable to handle all currently associated stations |
6. | DISASSOCIATION_REASON_CODE_CLASS_2_PKT_FROM_NON_AUTH | Class 2 frame received from non-authenticated station |
7. | DISASSOCIATION_REASON_CODE_CLASS_3_PKT_FROM_NON_ASSOC | Class 3 frame received from non-associated station |
8. | DISASSOCIATION_REASON_CODE_STATION_LEAVING_BSS | Disassociated because sending station has left or is leaving BSS |
9. | DISASSOCIATION_REASON_CODE_STATION_NOT_AUTHENTICATED | Station requesting re-association is not authenticated with responding station |
13. | DISASSOCIATION_REASON_CODE_INVALID_INFORMATION_ELEMENT | Invalid Information Element |
14. | DISASSOCIATION_REASON_CODE_MIC_FAILURE | Michael MIC failure |
15. | DISASSOCIATION_REASON_CODE_4WAY_HANDSHAKE_TIMEOUT | 4-Way Handshake timeout |
16. | DISASSOCIATION_REASON_CODE_GROUP_KEY_UPDATE_TIMEOUT | Group key update timeout |
17. | DISASSOCIATION_REASON_CODE_4WAY_IE_DIFFERENCE | Information element in 4-Way Handshake different from Re-associated request/Proberesponse/Beacon |
18. | DISASSOCIATION_REASON_CODE_MULTICAST_CIPHER_INVALID | Multicast Cipher is not valid |
19. | DISASSOCIATION_REASON_CODE_UNICAST_CIPHER_INVALID | Unicast Cipher is not valid |
20. | DISASSOCIATION_REASON_CODE_AKMP_NOT_VALID | AKMP is not valid |
21. | DISASSOCIATION_REASON_CODE_UNSUPPORTED_RSNE_VERSION | Unsupported RSN IE version |
22. | DISASSOCIATION_REASON_CODE_INVALID_RSNE_CAPABILITIES | Invalid RSN IE Capabilities |
23. | DISASSOCIATION_REASON_CODE_8021X_AUTHENTICATION_FAILED | IEEE 802.1X Authentication failed |
44. | DISASSOCIATION_REASON_CODE_PSP_TX_PKT_BUFFER_EXCEEDED | Symbol defined (non 802.11 standard) code. The Wireless Switch has exceeded it’s time limit in attempting to deliver buffered PSP frames to the Mobile Unit without receiving a single 802.11 PS Poll or NULL data frame. The Wireless Switch begins the timer when it sets the Mobile Unit’s bit in the TIM section of the 802.11 beacon frame for the BSS. The time limit is at least 15 seconds. The Mobile Unit is probably gone (or may be faulty). |
77. | DISASSOCIATION_REASON_CODE_TRANSMIT_RETRIES_EXCEEDED | Symbol defined (non 802.11 standard) codes. The Wireless Switch has exceeded it’s retry limit in attempting to deliver a 802.1x EAP message to the Mobile Unit without receiving a single 802.11 ACK. The retry limit varies according to traffic type but is at least 64 times. The Mobile Unit is either gone or has incorrect 802.1x EAP authentication settings. |
