Michael McNamara
https://blog.michaelfmcnamara.com
technology, networking, virtualization and IP telephony
Sun, 31 Oct 2021 01:42:37 +0000

Working from home upgrades
https://blog.michaelfmcnamara.com/2021/02/working-from-home-upgrades/
Fri, 19 Feb 2021 01:00:00 +0000

I made some purchases over the past few months to help improve my work from home environment and thought I’d share my thoughts on those items. I purchased all the items below from my local BestBuy using the BestBuy Android mobile app with curbside pickup. As someone who works in retail I was really impressed with how well the checkout and curbside pickup process works at BestBuy and how effortless it was, a real technology win in my honest opinion. Kudos to their team on an incredibly frictionless process and to all their store associates. The pricing for each item was in line with pricing from online resellers so I wasn’t really sacrificing anything by purchasing from a traditional brick-n-mortar business and I was happy to support my local store.

LG – 34WL500-B 34″ IPS LED UltraWide FHD FreeSync Monitor with HDR (HDMI) – Black

When you upgrade to an UltraWide display you won’t ever want to go back. I desperately needed the additional desktop space on my work laptop to help improve my general productivity. I usually have 15-30 windows open at any time and having to switch back and forth, or worse yet go hunting for individual windows can be an incredible productivity drain. This display only has a max resolution of 2560 x 1080 but that’s fine for my aging eyes and provides me all the desktop real estate I need to work efficiently. The included stand isn’t overly large and brightness levels from the display are great. This monitor is currently on-sale at BestBuy for $300, a great price for a 34″ wide monitor. The 29″ version LG 29WL500-B is an even better deal at BestBuy for $200. I would recommend either of these for a work from home environment. I don’t play any games on this display so I can’t comment about game performance.

Logitech – G PRO X Wireless DTS Headphone:X 2.0 Gaming Headset for Windows with Blue VO!CE Mic Filter Tech and LIGHTSPEED Wireless – Black

I’ve traditionally used relatively cheap Plantronics headsets on my home desktop but I decided it was time to cut the cord and go with a premium wireless headset that would allow me to move around on long conference and video calls. Having the ability to move it around between my personal desktop and my corporate laptop was also extremely beneficial. I’m not yet sold on the Blue VOICE feature, I didn’t particularly like how I sounded with that feature enabled so I need to do some additional testing and validation. I’m still up in the air about this headset, I’ll need a little more time before I decide if it was a good purchase.

Bose – Companion 2 Series III Multimedia Speaker System (2-Piece) – Black

I’ve often opted for the cheap Insignia speakers but this time I wanted a quality set of speakers to use when I wasn’t using my wireless headset and so I chose the Bose Companion 2 Series III speakers. I’m not a high-fidelity guy but these sound incredibly better than any other computer speakers I’ve ever owned and easily rival the sound put out from the Onkyo receiver and speakers in my basement surround sound system. These speakers get a solid buy rating from me. There are likely better options available for the audiophiles out there but I couldn’t justify spending $200 or $300 on desktop speakers.

Have you made any purchases lately? Anything fun?

Cheers!

Point to Point Wireless Bridge – Savior or Destroyer
https://blog.michaelfmcnamara.com/2019/03/point-to-point-wireless-bridge-savior-or-destroyer/
Sat, 09 Mar 2019 14:45:07 +0000

Hopefully you can see where I’m going with this… years and years ago… I set up an infrared point to point wireless bridge between two buildings across a public street that promised 100Mbps connectivity. Initially the solution delivered on its promise… we had 100Mbps of connectivity without any monthly telecom charges. It was seen by the purse holders as a huge success for its near $0 operating cost. That was until 7 months later when old man winter came calling… ice buildup on the infrared cameras and condensation inside the housing required some maintenance activities which ultimately led to alignment issues and it all went downhill from there. It was incredibly difficult and painful standing on the 6th floor of a hospital roof in 11F temperatures leaning out over a parapet wall trying to align a pointer with an object 500 ft away. Needless to say I was left somewhat scarred by the experience.

I had another opportunity to try my hand at a point to point wireless solution albeit somewhat reluctantly. In this case the distance that we needed to span was about 1,500 ft. The construction costs to pull fiber into this building were in excess of $50,000 so I reluctantly started looking at wireless solutions. Ultimately I landed on the Ubiquiti NanoBeam AC Gen2 (NBE-5AC-GEN2-US) solution. It was relatively inexpensive and wouldn’t cost much to actually install and see if it would work. That was 18 months ago… and that sucker hasn’t dropped a packet since [knock knock].

In real world iPerf testing we get about 350 Mbps through the link which is pretty awesome considering the solution was essentially under $1000 with the surge arresters and installation.

I can’t say that everyone will have this level of success… but seeing how relatively inexpensive these devices are it seems well worth the gamble given that you might pay $1,500/monthly for a 500Mbps Ethernet circuit… that’s $18,000/yearly. If it works the solution will essentially pay for itself in the first month of operation.

Now don’t go all crazy… you’ll need line of sight between the two locations and growing trees can present interesting problems. And if a new building or structure pops up between your wireless endpoints, well you’ll be out of luck.

You might be asking so what did I do to resolve the issues with the infrared cameras 10 years ago? We were able to contract with Sunesys, now Crown Castle to lease 4 fiber strands between the two buildings. The local electrical utility wanted $40,000 to replace two telephone poles when I tried to pull the fiber myself so we went with Sunesys who had the fiber installed and running in 2 weeks – no new telephone poles required.

Are you running any point to point wireless solutions?

Cheers!

Aruba Instant AP – Certificate Revocation
https://blog.michaelfmcnamara.com/2016/10/aruba-instant-ap-certificate-revocation/
Sat, 01 Oct 2016 12:55:51 +0000

The past two weeks have been an interesting blur thanks to GeoTrust revoking the Aruba certificate securelogin.arubanetworks.com which is used in the captive portal for all Aruba APs, including Aruba ClearPass. The problem started when I received a notification from Aruba on September 9th with the subject line of “Aruba Support Advisory ARUBA-SA-20160908-01 :: ArubaOS Default Certification Revocation”. Unfortunately I didn’t get around to really reading the notification until September 12th. And wouldn’t you know I got my first call about a problem with guest wireless the next day on September 13th.

The Aruba notification cited the following two articles;

In summary, a third party named SEC Consult posted a large number of private keys to GitHub including the private key for securelogin.arubanetworks.com which they had extracted from an Alcatel-Lucent OmniAccess Wireless Access Point. It just happens that Aruba is the OEM for the Alcatel-Lucent OmniAccess product line. With the private key public, it’s fairly easy for anyone to perform a man-in-the-middle attack and eavesdrop on supposedly secure traffic. Shortly afterwards GeoTrust revoked the certificate which will now cause browsers to throw an error when using the certificate for guest registration or captive portal.

securelogin-arubanetworks-com_revoke

This will only happen for browsers which have recently updated their CRL list. If we check the CRL we’ll find the certificate with serial number 01DA52.

[root@centos ~]# wget http://gtssldv-crl.geotrust.com/crls/gtssldv.crl
--2016-09-28 20:15:01--  http://gtssldv-crl.geotrust.com/crls/gtssldv.crl
Resolving gtssldv-crl.geotrust.com... 2600:1400:a:18f::1abd, 2600:1400:a:18b::1abd, 23.50.69.163
Connecting to gtssldv-crl.geotrust.com|2600:1400:a:18f::1abd|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5150 (5.0K) [application/pkix-crl]
Saving to: `gtssldv.crl'

100%[======================================>] 5,150       --.-K/s   in 0s

2016-09-28 20:15:01 (189 MB/s) - `gtssldv.crl' saved [5150/5150]

[root@centos ~]# openssl crl -inform DER -text -noout -in gtssldv.crl
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=US/O=GeoTrust Inc./OU=Domain Validated SSL/CN=GeoTrust DV SSL CA
        Last Update: Sep 28 23:43:00 2016 GMT
        Next Update: Oct  8 23:43:00 2016 GMT
        CRL extensions:
            X509v3 Authority Key Identifier:
                keyid:8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC

            X509v3 CRL Number:
                164147
Revoked Certificates:
...
    Serial Number: 01DA52
        Revocation Date: Sep  7 17:04:44 2016 GMT
...
    Signature Algorithm: sha1WithRSAEncryption
         58:20:83:3f:5c:cf:31:0f:69:9b:e5:af:dd:ca:2f:b9:e1:42:
         b0:bb:68:f3:b8:e8:8c:e2:b1:17:0b:bf:5a:d0:a2:65:3c:1f:
         18:bf:93:3a:55:ea:25:c9:da:ba:3b:ed:b6:c7:67:ae:33:b2:
         34:40:27:b9:5c:76:8a:3a:8d:4e:8a:9c:d3:61:a7:ed:01:a0:
         94:fe:ab:7d:96:79:cb:4e:a5:bb:2e:fb:3c:96:52:3e:ae:e9:
         9a:d9:0b:59:3a:c0:f6:45:10:3e:f2:b4:d1:79:63:0b:41:ed:
         d4:70:d6:26:67:1d:ab:7a:6e:c8:8d:6a:0e:df:17:ff:b3:e6:
         a7:dd:6c:5f:fe:41:79:0c:09:51:cd:6d:7d:33:2a:0b:48:a2:
         5c:5c:5c:06:f3:6b:d6:b9:af:14:34:3d:7d:b9:85:36:32:38:
         c1:70:50:9d:13:01:ab:b1:de:78:0d:10:24:f2:56:3d:d2:77:
         93:d1:70:b8:47:78:a6:22:aa:6a:95:af:49:cb:bc:f6:1e:dd:
         1b:0e:bd:10:54:09:39:93:4a:10:a3:1f:76:99:12:47:35:0d:
         37:95:6e:fc:a1:b5:e1:f0:d4:f7:96:3e:52:44:e4:69:d9:64:
         37:ec:15:50:fd:e8:f3:06:3b:ee:c1:6a:ee:0a:01:fc:fc:e0:
         7e:92:d8:0c
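The same lookup done programmatically, as an added example that is not part of the original post: it parses the text that `openssl crl -text -noout` prints, normalizes serial numbers so that `01DA52`, `01:da:52` and `serial=01DA52` compare equal, and treats a CRL past its Next Update as stale, since a serial missing from an out-of-date list proves nothing. The function names and the two extra serial numbers in the sample are constructed for illustration.

```python
import re
from datetime import datetime, timezone

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
DATE_RE = re.compile(
    r"(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT")

# Constructed sample in the layout printed by `openssl crl -text -noout`.
# The update dates and serial 01DA52 are the ones shown in the post; the
# other two serial numbers and their dates are made up for the example.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Last Update: Sep 28 23:43:00 2016 GMT
        Next Update: Oct  8 23:43:00 2016 GMT
Revoked Certificates:
    Serial Number: 0A11F0
        Revocation Date: Aug 30 09:12:01 2016 GMT
    Serial Number: 01DA52
        Revocation Date: Sep  7 17:04:44 2016 GMT
    Serial Number: 0B22C7
        Revocation Date: Sep 21 14:40:10 2016 GMT
"""


def parse_date(text):
    """Parse an OpenSSL date such as 'Oct  8 23:43:00 2016 GMT' (UTC)."""
    match = DATE_RE.search(text)
    if not match:
        raise ValueError(f"unrecognized date: {text!r}")
    mon, day, hour, minute, second, year = match.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hour),
                    int(minute), int(second), tzinfo=timezone.utc)


def normalize_serial(serial):
    """Reduce the common hex spellings of a serial number to one form."""
    value = serial.strip()
    if value.lower().startswith("serial="):   # `openssl x509 -noout -serial`
        value = value[len("serial="):]
    if value.lower().startswith("0x"):
        value = value[2:]
    value = value.replace(":", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]+", value):
        raise ValueError(f"not a hex serial number: {serial!r}")
    return value.lstrip("0") or "0"


def parse_crl_text(text):
    """Return the update window and a {serial: revocation date} map."""
    crl = {"last_update": None, "next_update": None, "revoked": {}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Last Update:"):
            crl["last_update"] = parse_date(line.split(":", 1)[1])
        elif line.startswith("Next Update:"):
            crl["next_update"] = parse_date(line.split(":", 1)[1])
        elif line.startswith("Serial Number:"):
            current = normalize_serial(line.split(":", 1)[1])
        elif line.startswith("Revocation Date:") and current is not None:
            crl["revoked"][current] = parse_date(line.split(":", 1)[1])
            current = None
    return crl


def revocation_status(serial, crl, now):
    """Return ('revoked', date), ('stale-crl', next_update) or ('not-listed', None)."""
    key = normalize_serial(serial)
    if key in crl["revoked"]:
        return ("revoked", crl["revoked"][key])
    # Absence from an expired CRL is not evidence that the certificate is good.
    if crl["next_update"] is None or now > crl["next_update"]:
        return ("stale-crl", crl["next_update"])
    return ("not-listed", None)


if __name__ == "__main__":
    parsed = parse_crl_text(SAMPLE_CRL_TEXT)
    when = datetime(2016, 10, 1, tzinfo=timezone.utc)
    for candidate in ("01:da:52", "serial=0C33D9"):
        print(candidate, revocation_status(candidate, parsed, when))
```
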

We had to replace the certificate, but how do you replace the certificate on almost 600+ Aruba Instant AP Virtual Controllers? That’s where we looked at utilizing Airwave Management Platform (AMP), and the process appeared to be pretty straightforward although like almost everything with technology we quickly ran into problems. We started by getting a new public certificate and combined the certificate, intermediate certificate and root certificate all into a single file. We uploaded that file to AMP and then went through the multiple groups within Airwave to enable the new certificate. And we quickly thought, that was too easy and it was. While a number of groups worked and the VCs in those groups were getting the new certificate, a large number of groups were not working and those VCs were not getting the new certificate. We turned to Aruba TAC, who guided us through the following steps: 1) upgrade of AMP from 8.0.9.2 to 8.0.10, 2) upgrade of the IAPs from 6.3.1.2-4.0.0.4 to 6.4.2.6-4.1.3.1, 3) second upgrade of AMP from 8.0.10 to 8.2.2. We finally discovered that the following was missing from the template: %captive_portal_cert_checksum%. Without this line in the configuration template AMP will not push down the certificate to the IAPs.

Cheers!

References:

ArubaOS Default Certificate Revocation FAQ – Instant

Image Credit: Eliseeva Ekaterina

Lenovo ThinkPad T460 Yoga with Intel AC 8260 Wireless Issues
https://blog.michaelfmcnamara.com/2016/08/lenovo-thinkpad-t460-yoga-with-intel-ac-8260-wireless-issues/
Tue, 30 Aug 2016 03:32:11 +0000

I recently came across an issue where the Lenovo ThinkPad T460 Yoga with Intel AC 8260 wireless adapter was having all sorts of issues connecting to and passing traffic across a Cisco 5508 Wireless LAN Controller with 1262N and 3702E Access Points running 8.0.133.0 software, the most recent release at the time of the issue. The first thing we tried was upgrading the driver for the Intel Dual Band Wireless-AC 8260 to 19.1.0.4 (7/16/2016) which was the latest available at the time. Unfortunately that didn’t help any, we also tried applying an 8.0.135.5 software version to the Cisco WLC, again that didn’t help any.

The laptop would often connect to the SSID but the laptop would be unable to get a webpage to render with all IP traffic essentially stalling. ICMP ping times would jump from 1 ms to 3,900 ms with multiple dropped packets scattered all about the constant ping. Without any load you could occasionally get 1 ms response times for a couple of minutes at a time but the instant you opened a web page the traffic would stall and the ICMP pings would start timing out.

The Intel engineer that was assisting me provided the hint, letting me know that Cisco IT had actually stumbled across this very same issue the week earlier internally with their own employees. Cisco had intentionally disabled A-MPDU on their WLCs, the workaround was to enable A-MPDU for 802.11n on their WLCs. I went ahead and checked our WLCs and sure enough we also had A-MPDU disabled – not exactly sure who or why it was disabled.

802.11n Status: 
    A-MPDU Tx: 
        Priority 0............................... Disabled 
        Priority 1............................... Disabled 
        Priority 2............................... Disabled 
        Priority 3............................... Disabled 
        Priority 4............................... Disabled 
        Priority 5............................... Disabled 
        Priority 6............................... Disabled 
        Priority 7............................... Disabled 
        Aggregation scheduler.................... Enabled 
        Frame Burst.............................. Automatic 
            Realtime Timeout..................... 10 
    A-MSDU Tx: 
        Priority 0............................... Enabled 
        Priority 1............................... Enabled 
        Priority 2............................... Enabled 
        Priority 3............................... Enabled 
        Priority 4............................... Enabled 
        Priority 5............................... Enabled 
        Priority 6............................... Disabled 
        Priority 7............................... Disabled 
    Rifs Rx ..................................... Enabled 
    Guard Interval .............................. Any 

I used the following CLI commands to enable A-MPDU; (note that I had to temporarily disable the 802.11a network to make the change – you’ll want to schedule this off-hours)

config 802.11a disable 
y 
config 802.11a 11nsupport a-mpdu tx priority 0 enable 
config 802.11a 11nsupport a-mpdu tx priority 1 enable 
config 802.11a 11nsupport a-mpdu tx priority 2 enable 
config 802.11a 11nsupport a-mpdu tx priority 3 enable 
config 802.11a 11nsupport a-mpdu tx priority 4 enable 
config 802.11a 11nsupport a-mpdu tx priority 5 enable 
config 802.11a enable 

Why doesn’t the Intel AC 8260 wireless adapter negotiate using A-MSDU?

I hope to be able to bring you that answer from either Cisco or Intel.

I hope you enjoyed the article Tim.

Cheers!

Update: December 7, 2016

Intel has released a new driver for the AC 8260 that is designed to address the issue.
https://downloadcenter.intel.com/download/26465/Intel-PROSet-Wireless-Software-and-Drivers-for-Windows-10
https://downloadcenter.intel.com/download/26469/Intel-PROSet-Wireless-Software-and-Drivers-for-IT-Admins

I’m currently testing the driver but haven’t had enough time to comment yet.

New Cisco AP 2702i won’t join controller
https://blog.michaelfmcnamara.com/2016/08/new-cisco-ap-2702i-wont-join-controller/
Tue, 23 Aug 2016 00:26:57 +0000

As if I didn’t have enough wireless fun this past week… I recently stumbled across an issue trying to get a number of new Cisco 2702i APs to join a Cisco 5508 Wireless LAN Controller. I didn’t realize it at the time but the reseller had changed the part number on my order from AIR-CAP2702I-A-K9 to AIR-CAP2702I-B-K9. The significance is the new -B regulatory domain that requires a minimum of 8.0.132.0 software on the Cisco WLC to recognize the new AP models. As luck would have it the WLC I had was only running 8.0.121.0 software hence the APs were unable to join the controller.

If you are going to be adding new APs you had better make sure that you upgrade the software on your WLC first.

Cheers!

Update: Thursday September 8, 2016

It turned out we had to disconnect the APs for about 5 minutes to allow the DTLS cache on the controller to age out before the APs would join properly after upgrading the WLC.

Vizio 39″ LED TV – Google Chromecast
https://blog.michaelfmcnamara.com/2014/12/vizio-39-led-tv-google-chromecast/
Tue, 23 Dec 2014 02:50:00 +0000

It just happened that my 30″ Sony WEGA TV finally gave up the ghost this past week. That beast weighed at least 150 lbs, and I wasn’t looking forward to getting it out of the wall hutch I had built almost 10 years ago. I had to ask both my wife and 14 year old for help getting it out of the hutch and out into the garage.

I had to make a quick purchase and I was limited by the dimensions that the wall hutch would allow, a width of 38 3/4″. I did some research and landed on the Vizio 39″ LED TV sold by Best Buy – yes, I still frequent Best Buy and enjoy having a brick and mortar store that I can run down to in a pinch and pick up an item. I decided to pick up a third Google Chromecast already having two others elsewhere in the house.

HDMI-CEC

With Consumer Electronics Control (CEC) you can simultaneously turn on your TV and Chromecast and even change the TV to the correct HDMI input without ever touching your TV remote. I had to enable this feature in the Vizio TV, it was automatically enabled in my 40″ Samsung LED TV, but it makes using the Chromecast very user friendly. You just select the Chromecast on your smart phone, tablet or laptop and it turns on the TV, changes to the correct HDMI input and starts showing your content.

The Chromecast supports 2.4Ghz 802.11bg wireless networks although a 5Ghz version is rumored to be in the works. There’s a deployment guide from Cisco that details how the Chromecast works and what settings are needed in an enterprise wireless network. There’s a little known tidbit about which data rate Multicast traffic is transmitted at;

Multicast applications, such as Chromecast, require special consideration when being deployed over a wireless network because a multicast in 802.11 is sent out as a broadcast so that all clients can hear it. The actual data rate used by the AP in order to transmit the Chromecast frames is the highest mandatory rate configured within that band. For 2.4 GHz, the default rate is 11 Mbps.

In order to optimize the delivery of these frames, it is important to tune the 802.11 data rates within the controller to allow multicast to be delivered at the highest rate that the coverage model of the network can support. For networks with a low density of APs, it may be necessary to keep the data rates at the default. For a network that does not have any requirement to support 802.11b clients, tuning the data rate to 12 Mbps mandatory and lower rates disabled will help to reduce multicast airtime utilization.

I’ve run into similar issues in my enterprise wireless network with Apple TVs as opposed to Google Chromecast, but the same issues apply.

There’s a great article from How-To Geek that details how you can stream your browser tabs and even your entire desktop to the Chromecast. There’s also a dizzying array of applications that now support Chromecast.

Cheers!

Note: This is a series of posts made under the Network Engineer in Retail 30 Days of Peak, this is post number 28 of 30. All the posts can be viewed from the 30in30 tag.

Adopting US Access Ports in GB – Ooppss
https://blog.michaelfmcnamara.com/2014/11/adopting-us-access-ports-in-gb-ooppss/
Fri, 21 Nov 2014 03:57:39 +0000

I ran into another interesting problem today…. we use a combination of Aruba and Motorola wireless equipment. When we have an issue with say the captive portal on a Motorola RFS 4000 it’s pretty easy to take an AP 650 and configure it via DHCP to connect via WISP/WISPE/CAPWAP to the remote controller so you can easily observe the problem first hand. In this case the Motorola RFS 4000 happened to be in Barcelona, Spain although it was configured with a country code of GB (Great Britain). I probably spent the better part of two hours trying to get the AP to adopt to the RFS 4000. I originally thought the problem was related to the AP trying to perform a software upgrade over a 200+ms distance between the AP and WLS but even after I disabled the auto-upgrade feature I would still end up with the following SYSLOG messages;

Nov 20 18:21:59 2014: LED state message WIOS_LED_NO_COUNTRY_0_24G from module DOT11 : %DIAG-6-NEW_LED_STATE:
Nov 20 18:21:59 2014: LED state message RADIO_ALL_LED_OFF from module DOT11 : %DIAG-6-NEW_LED_STATE:
Nov 20 18:21:59 2014: Radio 'ap650-981XXX:R1' changing state from 'Initializing' to 'Off(no country-code)' : %RADIO-5-RADIO_STATE_CHANGE: ff(no country-code)'
Nov 20 18:21:49 2014: RFS-4000 : %AP-6-ADOPTED: Access Point('ap650-981XXX'/'AP650'/5C-0E-8B-98-XX-XX) at rf-domain:'default' adopted and configured. Radios: Count=1, Bss: 5C-0E-8B-31-XX-XX|

I finally realized that the AP650s I had were US models and not WW models. I was able to take an AP300 (WSAP-5110-100-WW) and configure it to connect to the RFS 4000 via DHCP option 189 and ultimately solve the puzzle around the captive portal issue (future blog post).

Cheers!

Samsung Galaxy S4 and Motorola Wireless LAN Switches
https://blog.michaelfmcnamara.com/2013/05/samsung-galaxy-s4-and-motorola-wireless-lan-switches/
Wed, 29 May 2013 20:47:21 +0000

Update: Monday August 26, 2013 Verizon has released a software update for the Samsung Galaxy S4 which resolves this problem.

Update: Sunday June 2, 2013 Motorola has responded with the following analysis and explanation of the problem.

The Association Request from the Samsung Galaxy S4 phone has the RRM (Radio Resource Management/802.11k) capability element missing, but the Capabilities Info Bitmap in the Association Request says that the client can do RRM, so there is a mismatch and we deny association in WiNG4.x. In WiNG5.x, the RRM implementation is different and we don’t enforce such a strict check to avoid situations such as these where clients might not be following the 802.11k specification properly. In WiNG 3.x, there is no support for RRM, so there are no such checks enforced.

Thanks to Motorola for providing the quick analysis and explanation. Just to summarize the problem is not present in WiNG 3.x or WiNG 5.x but is definitely present in WiNG 4.x. As for a workaround or fix I’m still waiting to hear if Motorola will issue a patch (software release) or if they will leave it to Samsung and Google to resolve.
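The mismatch Motorola describes, shown at the frame level as an added example (not Motorola's WiNG code and not part of the original post): it parses an association request and flags the case where the Radio Measurement bit (bit 12 of the Capability Information field) is set but the RM Enabled Capabilities element (ID 70) is absent. The frames, MAC addresses, SSID and function names are constructed for illustration, and the input is assumed to be a bare 802.11 management frame without radiotap header or FCS.

```python
import struct

MGMT_HEADER_LEN = 24            # frame control, duration, 3 addresses, seq control
SUBTYPE_ASSOC_REQ = 0
SUBTYPE_REASSOC_REQ = 2
CAP_RADIO_MEASUREMENT = 0x1000  # bit 12 of the Capability Information field
EID_SSID = 0
EID_SUPPORTED_RATES = 1
EID_RM_ENABLED_CAPABILITIES = 70


def parse_elements(data):
    """Split the tagged parameters into (element_id, value) pairs."""
    elements, offset = [], 0
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated element header")
        eid, length = data[offset], data[offset + 1]
        value = data[offset + 2:offset + 2 + length]
        if len(value) != length:
            raise ValueError(f"element {eid} runs past the end of the frame")
        elements.append((eid, value))
        offset += 2 + length
    return elements


def check_rrm_consistency(frame):
    """Compare the RRM capability bit with the presence of element 70."""
    if len(frame) < MGMT_HEADER_LEN + 4:
        raise ValueError("frame too short for an association request")
    (frame_control,) = struct.unpack_from("<H", frame, 0)
    ftype = (frame_control >> 2) & 0x3
    subtype = (frame_control >> 4) & 0xF
    if ftype != 0 or subtype not in (SUBTYPE_ASSOC_REQ, SUBTYPE_REASSOC_REQ):
        raise ValueError("not an association or reassociation request")
    # Fixed fields: Capability Information, then Listen Interval.
    capability, _listen = struct.unpack_from("<HH", frame, MGMT_HEADER_LEN)
    offset = MGMT_HEADER_LEN + 4
    if subtype == SUBTYPE_REASSOC_REQ:
        offset += 6             # Current AP Address precedes the elements
        if len(frame) < offset:
            raise ValueError("frame too short for a reassociation request")
    elements = parse_elements(frame[offset:])
    ssid = next((v.decode("utf-8", "replace")
                 for eid, v in elements if eid == EID_SSID), None)
    claims_rrm = bool(capability & CAP_RADIO_MEASUREMENT)
    has_element = any(eid == EID_RM_ENABLED_CAPABILITIES for eid, _ in elements)
    return {
        "ssid": ssid,
        "claims_rrm": claims_rrm,
        "has_rrm_element": has_element,
        # The case described in the post: bit set, element missing.
        "rrm_mismatch": claims_rrm and not has_element,
    }


def build_assoc_request(capability, elements):
    """Build a constructed association request for the samples below."""
    sta = bytes.fromhex("020000000001")   # constructed, locally administered
    ap = bytes.fromhex("020000000002")    # constructed, locally administered
    header = struct.pack("<HH", 0x0000, 0) + ap + sta + ap + struct.pack("<H", 0)
    body = struct.pack("<HH", capability, 10)
    body += b"".join(bytes([eid, len(v)]) + v for eid, v in elements)
    return header + body


# Constructed samples: ESS + short preamble + short slot time = 0x0421.
BASE_ELEMENTS = [(EID_SSID, b"guest"),
                 (EID_SUPPORTED_RATES, bytes.fromhex("82848b96"))]
RM_ELEMENT = (EID_RM_ENABLED_CAPABILITIES, bytes.fromhex("7300000000"))
MISMATCHED = build_assoc_request(0x0421 | CAP_RADIO_MEASUREMENT, BASE_ELEMENTS)
CONSISTENT = build_assoc_request(0x0421 | CAP_RADIO_MEASUREMENT,
                                 BASE_ELEMENTS + [RM_ELEMENT])
NO_RRM = build_assoc_request(0x0421, BASE_ELEMENTS)

if __name__ == "__main__":
    for name, frame in (("mismatched", MISMATCHED),
                        ("consistent", CONSISTENT),
                        ("no-rrm", NO_RRM)):
        print(name, check_rrm_consistency(frame))
```
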

Update: Thursday May 30, 2013 It seems that the problem is not evident when the Samsung Galaxy S4 associates with a Motorola WS5100 (v3.3.2.0-010Ri) with AP300s as access ports.

It would seem that the recently released Samsung Galaxy S4 is having difficulty connecting to our public wireless network which is provided by a pair of Motorola RFS 7000 Wireless LAN Switches (v4.4.2.0-001R) with about 24 AP650s (v2.2-1592R). While I’ve personally observed this problem in our office, I’ve also received similar reports from users in our hospitals which are running RFS7000s with either AP300s or AP650s for Access Ports/Points.

Our public wireless network has no authentication or encryption, however, the Samsung Galaxy S4 will display “Authentication error occurred” when it tries to connect. I performed a quick wired packet trace on the captive portal server and found no frames with the associated MAC address of the Galaxy S4 so I set up WireShark with 3 AirPcap adapters, one for each channel in the 802.11b/g 2.4Ghz range, to perform a wireless packet trace.

I was able to observe the Galaxy S4 making repeating probe requests and association requests but every association attempt appears to fail with an Unspecified error. As a reference I also captured my Motorola Droid 3 connecting to our public network for comparison.

WireShark AirPcap Captures

Looking at the wireless packet trace I can see where the Galaxy S4 is failing to associate to the network. In frame 341 we can see “Unspecified failure” in the Association Response from the Access Port. I’m not an expert here but I’m going to guess that there’s something in the Association Request that is causing the wireless infrastructure to choke on the response.

Motorola_GalaxyS4_2

Looking at the last wireless packet trace of the working Motorola Droid 3 we can see that it quickly probes, associates and makes a DHCP request without any problems or issues.

Motorola_GalaxyS4_1

My Thoughts

As I’ve mentioned before I’m no expert here but I can see quite a few additional tags in the Association Request from the Samsung Galaxy S4. I’m going to guess that it’s one of these tags that is causing the wireless infrastructure to choke. Looking at the screenshot below you can see all the tags.

Motorola_GalaxyS4_3

I’m hoping some wireless experts can step up here, or perhaps Motorola with an explanation and workaround/fix?

Cheers!

Cisco Aironet 1200 Series WPA2 Enterprise with AES Encryption
https://blog.michaelfmcnamara.com/2011/07/cisco-aironet-1200-series-wpa2-enterprise-with-aes-encryption/
Tue, 26 Jul 2011 03:01:21 +0000

I was looking for something to blog about and @fryguy_pa posted about his difficulties with the Cisco Aironet 1200 series and configuring them for WPA2. I had the pleasure of recently reconfiguring 70+ Cisco Aironet 1200 series, mostly AIR-AP1231G-A-K9 running the latest software 12.3(8)JEC, in an effort to deploy a new WLAN with 802.1x WPA2 Enterprise utilizing AES encryption. It took myself and another engineer a few days to come up with a working configuration.

You’ll notice in the example below that I’m using two RADIUS servers, actually two Microsoft Internet Authentication Servers running Windows 2003. I created an SSID (or WLAN) of “love” and bridged it to VLAN 802. I had to utilize bridge group 254 because the bridge groups only go from 1-255. I also only configured the WLAN on the 802.11b/g radio (Dot11Radio0) and not the 802.11a radio (Dot11Radio1). I also utilized a RADIUS secret of “radiuspass” in the example below.

aaa group server radius acme_eap
 server 10.1.4.21 auth-port 1812 acct-port 1813
 server 10.2.4.21 auth-port 1812 acct-port 1813

aaa authentication login acme_methods group acme_eap

dot11 ssid love
   vlan 802
   authentication open eap acme_methods
   authentication network-eap acme_methods
   authentication key-management wpa 

interface Dot11Radio0
 ssid love
 encryption vlan 802 mode ciphers aes-ccm

interface Dot11Radio0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 bridge-group 254 subscriber-loop-control
 bridge-group 254 block-unknown-source
 no bridge-group 254 source-learning
 no bridge-group 254 unicast-flooding
 bridge-group 254 spanning-disabled

interface FastEthernet0.802
 encapsulation dot1Q 802
 no ip route-cache
 bridge-group 254
 no bridge-group 254 source-learning
 bridge-group 254 spanning-disabled

radius-server host 10.1.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server host 10.2.4.21 auth-port 1812 acct-port 1813 key radiuspass
radius-server deadtime 5

If you need to debug the AAA or RADIUS process here are the commands that can help provide additional detail from the Access Point. It should be noted that some of the commands below are software and version dependent and might throw you an error.

debug dot11 aaa manager keys
debug dot11 aaa authenticator state-machine
debug dot11 aaa dot1x state-machine
debug dot11 aaa authenticator process
debug dot11 aaa dot1x process
debug radius authentication 

terminal monitor

While this example won’t translate directly for @fryguy_pa it might help others trying to deploy 802.1x WPA2 Enterprise with AES encryption in an enterprise network.

Cheers!

Issues with wireless roaming and Ralink chipsets?
https://blog.michaelfmcnamara.com/2009/03/issues-with-wireless-roaming-and-ralink-chipsets/
Sun, 29 Mar 2009 16:30:48 +0000

We recently needed to replace the USB based wireless adapter we use in our CoWs (cart on wheels). The legacy D-Link DWL-AG132 (802.11a/g) was no longer being manufactured and/or available from suppliers so we selected the D-Link DWL-160 (802.11n/a/b/g) and that’s where the fun started. We utilize HP Thin Clients on our carts and have been pairing them with USB adapters for the past year and a half (saves on having to purchase the chassis expansion kit and the PCI card).

Our initial tests showed no problems in connecting to our Motorola RFS7000 with AP300 (802.11a/b/g) radios utilizing 802.1x (WPA/TKIP). A few weeks later though we learned we had a problem with the combination and we eventually discovered that the problems revolved around roaming. We noticed that the DWL-160 didn’t want to roam until it had lost complete signal to the AP it was associated to and then only after about 10 – 15 seconds would it roam to another AP. We had a really large project and the time frame was extremely tight so we decided to run out and pick-up a different adapter. So we purchased a Cisco Linksys (WUSB600N) Wireless-N USB Network Adapter with Dual-Band. We decided to simplify our testing environment by removing the Windows XP Embedded (Thin Client) and test on a simple Windows XP SP2 laptop. We also removed the authentication (802.1x) and encryption (WPA/TKIP) and just tested using an open network. We quickly noticed that the problem was not only evident at the 2.4Ghz frequency (802.11b/g) but also evident at the 5 Ghz frequency (802.11a). The big surprise came when we noticed that the Linksys behaved exactly like the D-Link in that it would not roam which would lead to poor connectivity. We started to peel back the onion and almost immediately found that both products were based on the Ralink Technologies chipset (RT-2870).

We’ve performed multiple wireless packet traces using AirPCAP and WireShark and they don’t show any issues with the wireless access points, however, they do show a lack of probing and some odd behavior by the wireless adapters (STA).

We’re in contact with both Motorola and Ralink Technologies and we have tried Ralink’s reference drivers (1.4.1) along with a beta driver they have provided but we haven’t seen any real improvement. We did find that if you enable “Fast roaming”, which can be found in the Advanced Properties of the RA utility the STA behaves much better but it’s still a world apart from the roaming performance that we’re accustomed to.

Has anyone else seen any issues with either the D-Link DWL-160 or the Linksys WUSB600N in a corporate network with respect to roaming? I can’t imagine that we’re the first folks to stumble upon this issue given that Ralink Technologies chipsets are in all these products.

Cheers!

Wireless LAN Vendors
https://blog.michaelfmcnamara.com/2008/04/wireless-lan-vendors/
Sat, 12 Apr 2008 03:00:00 +0000

Thanks to everyone that participated in the poll, “What vendor are you using for your wireless LAN?”. It’s only to be expected that more folks responded with Motorola since I have a few articles dedicated to the Motorola Wireless LAN Switches posted on this blog.

Wireless networking has definitely brought its own set of distinct challenges. Channel and power management are among the two big problems with wireless networking. And let’s not forget the whole security issue with WEP, WPA and WPA2. Interoperability issues can also create a lot of headaches. And the never ending discussions over which band is better, the 2.4Ghz (802.11b/g) or 5Ghz bands (802.11a).

What vendor are you using for your wireless LAN?

Aruba: 4 (9%)
Cisco: 6 (14%)
Extreme: 0 (0%)
Motorola: 15 (36%)
Meru: 3 (7%)
Trapeze: 6 (14%)
3Com: 0 (0%)
Other: 8 (19%)

Thanks for the feedback!

Cheers!
