WI-FI

I’m continually amazed by how many large enterprise organizations don’t have out-of-band access to the critical pieces of their infrastructure. I’m speaking about the console ports of key routers, switches, firewalls, application switches, etc in their network infrastructure and iLO (HP) or RSA (IBM) for their critical server infrastructure. In this day and age of 24 x 7 x 365 up-time, waiting any amount of time for folks to physically respond is just plain wasteful and counter productive. There are occasions where you’ll still need to physically respond but the troubleshooting process can be exponentially expedited with out-of-band access to the actual equipment. I’m currently working in healthcare so up time and reliability are critical to our day to day operations, and more so to the actual health and well being of our patients and customers.

We count downtime in minutes and seconds not hours or days and so we need to ensure that we have access to the necessary tools to maintain the infrastructure. I’ve personally gone years without needing console access to a few specific sites but that once or twice that I quickly needed access easily justified the capital and operating costs of having the solution available. It’s not difficult to design highly available and redundant network, server and facility infrastructures. However, even with all that redundancy you can find yourself desperately seeking that console access at the most inopportune times (2:00AM comes to mind).

I’ve really taken a liking to the Opengear products. They have multiple models including 1, 3, 4, 8, 16 and 48 port options and offer access via Ethernet, Wi-Fi, 3G, 4G LTE and v.92 modem. You can actually send the 3G unit an SMS text message to wake it up, so it’s not constantly online drawing needlessly against your monthly 3G bandwidth allocation, and they all support Dynamic DNS registration so you don’t need a static public IP address. The latest models also support USB, so you can connect to those Cisco USB console ports.

Here are my notes for configuring an ACM5003-W, the model we’re deploying in our edge closets. I have yet to figure out how to make use of the wireless interface as a back-up to the LAN interface. Apparently the current software doesn’t support that configuration but hopefully that will change in the future.

You’ll be able to connect to the Opengear console server on port 1 using 115200-8-N-1.

The default username is root while the default password is default.

Once you are logged in the following commands will configure the Opengear via the CLI interface. You can also launch the web interface to verify your configuration at a later point in time.

We start the process by configuring the name and location of the console server. The last command below will prompt you to change the root password – I’ve had issues where the change doesn’t seem to be working.

config -s config.system.name=ts-og1-rack2.testlab.acme.org
config -s "config.system.location=ACME Testlab (Rack 2)"
config -P config.system.password

Let’s set the IP addressing. If we were using the wireless LAN interface as opposed to the Ethernet interface any references below to wan would be replaced with wlan.

config -s config.interfaces.wan.address=10.1.255.11
config -s config.interfaces.wan.netmask=255.255.255.0
config -s config.interfaces.wan.gateway=10.1.255.1
config -s config.interfaces.wan.dns1=10.1.16.40
config -s config.interfaces.wan.dns2=10.7.16.40
config -s config.interfaces.wan.mode=static
config -s config.interfaces.wan.media=Auto

Let’s enable NTP and set the date and time on the device;

config -s config.ntp.enabled=on
config -s config.ntp.server=tick.acme.org
config -s config.system.timezone=US/Eastern

Let’s set the date and time to something close, NTP will give us the precision we want.

# date Format is MMDDhhmm[[CC]YY][.ss]
date 121009472013.00
/bin/hwclock --systohc

Let’s set the serial ports. In this case we will skip port 1, the port we are using it to configure the device. If we need all three ports we can configure it but the changes don’t take effect until we issue a “config –a”.

# This is the port we are currently using to configure the Opengear so let's skip it right now.
#config -s config.ports.port1.speed=9600
#config -s config.ports.port1.parity=None
#config -s config.ports.port1.charsize=8
#config -s config.ports.port1.stop=1
#config -s config.ports.port1.label=’Other Device’
#config -s config.ports.port1.loglevel=0
#config -s config.ports.port1.protocol=RS232
#config -s config.ports.port1.flowcontrol=None
#config -s config.ports.port2.mode=portmanager
#config -s config.ports.port2.ssh=on
#config -s config.ports.port2.telnet=on
#config -s config.ports.port2.webshell=on

Let’s configure serial port 2 and 3;

config -s config.ports.port2.speed=9600
config -s config.ports.port2.parity=None
config -s config.ports.port2.charsize=8
config -s config.ports.port2.stop=1
config -s config.ports.port2.label='Juniper SRX210H'
config -s config.ports.port2.loglevel=0
config -s config.ports.port2.protocol=RS232
config -s config.ports.port2.flowcontrol=None
config -s config.ports.port2.mode=portmanager
config -s config.ports.port2.ssh=on
config -s config.ports.port2.telnet=on
config -s config.ports.port2.webshell=on

config -s config.ports.port3.speed=9600
config -s config.ports.port3.parity=None
config -s config.ports.port3.charsize=8
config -s config.ports.port3.stop=1
config -s config.ports.port3.label='Other Device'
config -s config.ports.port3.loglevel=0
config -s config.ports.port3.protocol=RS232
config -s config.ports.port3.flowcontrol=None
config -s config.ports.port3.mode=portmanager
config -s config.ports.port3.ssh=on
config -s config.ports.port3.telnet=on
config -s config.ports.port3.webshell=on

Let’s create a user account called admin and set the proper privledges;

config -s config.users.total=2 (assuming we already have 1 user configured)
config -s config.users.user2.username=admin
config -s config.users.user2.description=AdministrativeUser
config -s config.users.user2.port1=on
config -s config.users.user2.port2=on
config -s config.users.user2.port3=on
config -s config.users.user2.groups.group1='admin'
config -s config.users.user2.groups.group2='dialin'
config -s config.users.user2.groups.group3='pmshell'
config -s config.users.user2.groups.group4='ftp'
config -s config.users.user2.groups.group5='users'
config -s config.users.user2.groups.group6='pptpd'
config -P config.users.user2.password

Let’s set the SMTP settings, not sure that we will really use them though;

config -s config.system.smtp.server=smtp.acme.org
config -s config.system.smtp.encryption=none
config -s config.system.smtp.sender=opengear@acme.org
config -s config.system.smtp.subject=Opengear Alerts

Let’s set the SNMP settings;

config -s config.system.snmp.protocol=UDP
config -s config.system.snmp.trapport='162'
config -s config.services.snmp.syslocation='ACME Testlab (Rack 2)'
config -s config.services.snmp.syscontact='ACME Technology Team'
config -s config.system.snmp.address='10.1.1.125'
config -s config.system.snmp.community='public'
config -s config.services.snmp.rocommunity='public'
config -s config.services.snmp.rwcommunity='private'
config -s config.system.snmp.version=2c

Let’s enable the various system services;

config -s config.services.http.enabled=on
config -s config.services.https.enabled=on
config -s config.services.telnet.enabled=on
config -s config.services.ssh.enabled=on
config -s config.services.snmp.enabled=on
config -s config.services.pingreply.enabled=on
config -s config.services.tftp.enabled=on
config -s config.services.webshell.enabled=on

Let’s enable the modem (if we have one);

config -s config.modem.ddns.provider=none
config -s config.modem.flow=Hardware
config -s config.modem.ppp.enabled=no
config -s config.modem.speed=9600

The last step we must take is to activate and sync all the changes to flash memory.

config -a

PLEASE MAKE SURE YOU DIDN’T SKIP THE STEP ABOVE – VERY IMPORTANT

When you are at the $ or # shell prompt you can launch the Port Manager Shell with the command;
pmshell

You should be give a list of ports you can connect to such as the following;

# pmshell
2: Juniper SRX210H 3: Other Device
Connect to port >

You only need to enter the number for the selection you would like.
The break command is ~. or ~? for help

If you don’t have any out-of-band access I’d suggest that you make that a new year resolution!

Cheers!

Update: Monday August 26, 2013 Verizon has released a software update for the Samsung Galaxy S4 which resolves this problem.

Update: Sunday June 2, 2013 Motorola has responded with the following analysis and explanation of the problem.

The Association Request from the Samsung Galaxy S4 phone has the RRM (Radio Resource Management/802.11k) capability element missing, but the Capabilities Info Bitmap in the Association Request says that the client can do RRM, so there is a mismatch and we deny association in WiNG4.x. In WiNG5.x, the RRM implementation is different and we don’t enforce such a strict check to avoid situations such as these where clients might not be following the 802.11k specification properly. In WiNG 3.x, there is no support for RRM, so there are no such checks enforced.

Thanks to Motorola for providing the quick analysis and explanation. Just to summarize the problem is not present in WiNG 3.x or WiNG 5.x but is definitely present in WiNG 4.x. As for a workaround or fix I’m still waiting to hear if Motorola will issue a patch (software release) or if they will leave it to Samsung and Google to resolve.

Update: Thursday May 30, 2013 It seems that the problem is not evident when the Samsung Galaxy S4 associates with a Motorola WS5100 (v3.3.2.0-010Ri) with AP300s as access ports.

It would seem that the recently released Samsung Galaxy S4 is having difficulty connecting to our public wireless network which is provided by a pair of Motorola RFS 7000 Wireless LAN Switches (v4.4.2.0-001R) with about 24 AP650s (v2.2-1592R). While I’ve personally observed this problem in our office, I’ve also received similar reports from users in our hospitals which are running RFS7000s with either AP300s or AP650s for Access Ports/Points.

Our public wireless network has no authentication or encryption, however, the Samsung Galaxy S4 will display “Authentication error occurred” when it tries to connect. I performed a quick wired packet trace on the captive portal server and found no frames with the associated MAC address of the Galaxy S4 so I setup WireShark with 3 AirPcap adapters, one for each channel in the 802.11b/g 2.4Ghz range, to perform a wireless packet trace.

I was able to observe the Galaxy S4 making repeating probe requests and association requests but every association attempt appears to fail with an Unspecified error. As a reference I also captured my Motorola Droid 3 connecting to our public network for comparison.

WireShark AirPcap Captures

First run of Samsung Galaxy S4 – failed to connect
Second run of Samsung Galaxy S4 – failed to connect
Working run of Motorola Droid 3 – working

Looking at the wireless packet trace I can see where the Galaxy S4 is failing to associate to the network. In frame 341 we can see “Unspecified failure” in the Association Response from the Access Port. I’m not an expert here but I’m going to guess that there’s something in the Association Request that is causing the wireless infrastructure to choke on the response.

Looking at the last wireless packet trace of the working Motorola Droid 3 we can see that it quickly probes, associates and makes a DHCP request without any problems or issues.

My Thoughts

As I’ve mentioned before I’m no expert here but I can see quite a few additional tags in the Association Request from the Samsung Galaxy S4. I’m going to guess that it’s one of these tags that is causing the wireless infrastructure to choke. Looking at the screenshot below you can see all the tags.

I’m hoping some wireless experts can step up here, or perhaps Motorola with an explanation and workaround/fix?

Cheers!

Opengear Console Servers – Never leave the office without one!

Samsung Galaxy S4 and Motorola Wireless LAN Switches

WireShark AirPcap Captures

My Thoughts

Recent Posts

Categories

SUBSCRIBE BY EMAIL