-- '%' as the host part lets the account log in from any address
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON database.* TO 'user'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
FLUSH PRIVILEGES;
Connect to DNA-C CLI
ssh maglev@dnac-ip -p 2222
Check that all packages are deployed
When DNA-C is reinstalled, a lot of packages are deployed in the background.
maglev package status
Undeploy a package
For trying to fix issue 😉
maglev package undeploy --force assurance
https://www.nefkens.net/updating-dna-center-experiences/
I use this tool to estimate how many hours I will need to perform a Wi-Fi Site Survey. If you work like me you might be able to use it.
It’s VERY important that the correct and complete blueprints of the buildings involved in the survey are delivered up front. Changes to the blueprints, or to what is to be surveyed, break any estimate.
A survey performed on an already installed network, either as an assessment as part of a network review or as a test report for a newly installed network.
Predictive Pre-Install Survey
A survey performed by doing simulations based on a model of the building. The model is built from blueprints with added walls, doors, and other objects. How these walls, doors and other objects affect the wireless network can be calculated either from general figures provided by the survey software or by doing onsite measurements of the commonly used types of walls and doors in the building. It is recommended to use the measured model, especially with larger buildings where most building components are of the same type in many areas. For minor sites, or sites far away, an estimated survey might be the most reasonable choice.
AP-on-a-stick Pre-Install Survey
A survey performed by setting up a measurement access point and measuring the coverage using a professional survey tool. This provides the most precise survey, as the surveyed network will be exactly like the installed one. This survey is very time consuming and is recommended when the requirements for the network are high, or where it just needs to be 100% perfect the first time.
At the time of writing, bug CSCvi02106 “Repeated CDP-4-DUPLEX_MISMATCH is observed when Cisco Wave 2 APs are connected to a Cisco switch” is still unresolved in current WLC releases. The bug is cosmetic but very annoying. Look for the bug in the “Resolved” section of future release notes to see if it is expected to be resolved.
ncs run test iops
When testing and debugging Wi-Fi networks it can be handy to be able to select which AP a client is connected to, and maybe force a roam between APs.
Using a Linux box configured with wpa_supplicant, this can be done with the wpa_cli tool. I often use a Raspberry Pi running Raspbian for this.
Start by running wpa_cli on the correct interface, i.e.
wpa_cli -i wlan0
Then, to make sure wpa_supplicant knows about all APs, run a scan.
Then force a roam to the desired BSSID.
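The scan-then-roam sequence above as one script, added here and not part of the original post. IFACE, find_bssid and roam_to are my own names, and the BSSIDs used in the comments are made up; it assumes wpa_supplicant is already running on the interface and that you can talk to its control socket.

```shell
#!/bin/sh
# Added example, not from the original post: force a Wi-Fi client to roam to a
# chosen BSSID with wpa_cli. Assumes wpa_supplicant already runs on $IFACE
# (default wlan0) and that this user may use its control socket.

IFACE="${IFACE:-wlan0}"

# find_bssid SCAN_RESULTS_TEXT BSSID
# Searches the tab-separated table printed by "wpa_cli scan_results"
# (bssid, frequency, signal, flags, ssid), prints the matching row and
# returns 1 when the BSSID is not in the table. The header row never matches.
find_bssid() {
    printf '%s\n' "$1" | awk -v want="$2" \
        'tolower($1) == want { print; found = 1 } END { exit !found }'
}

# roam_to BSSID
# Refresh the BSS table first: "roam" only works for a BSSID that is present
# in wpa_supplicant's scan results, so a stale table is the usual cause of FAIL.
roam_to() {
    bssid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    wpa_cli -i "$IFACE" scan >/dev/null
    sleep 3                       # give the driver time to finish the scan
    results=$(wpa_cli -i "$IFACE" scan_results)
    if ! find_bssid "$results" "$bssid"; then
        echo "BSSID $bssid not found in scan results on $IFACE" >&2
        return 1
    fi
    wpa_cli -i "$IFACE" roam "$bssid"
    sleep 2
    # Show which AP the client actually ended up on
    wpa_cli -i "$IFACE" status | grep '^bssid='
}

# Usage (made-up BSSID): IFACE=wlan0 ./roam.sh 00:11:22:33:44:66
if [ "$#" -ge 1 ]; then
    roam_to "$1"
fi
```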
Hopefully all readers of the dot11 blog will know SSH as the text console interface to servers and network equipment. Many will think of it as an encrypted telnet alternative. But there is a lot more to SSH than that. One very handy function is port forwarding.
When opening an SSH connection it is possible to forward one or more TCP or UDP ports from the client to the server, or the other way around. If the client and server are separated by a firewall or proxy, this can be very handy for reaching devices or applications not available through the normal route.
In this post I will give a few very practical examples. Google “ssh port forward” to learn much more 😉
Browsing remote servers through a ssh jumphost
A very common setup for getting access to a remote network is that you are provided with an account to log in to a remote ssh server. This is fine for doing command line work, but if you need access to a web application, read on. We take advantage of the SOCKS proxy function that is built in to many ssh servers. If your jumphost is a Linux box this is very likely to be possible, and a separate proxy does not need to be installed. Start by opening an ssh connection to the jumphost with
ssh username@jumphost -D 8080
Now TCP port 8080 on your own computer has become a SOCKS proxy into the remote network. Cool, right? To connect to a remote website, configure your browser to use localhost port 8080 as its SOCKS proxy. I use Firefox as my “remote” browser since it has its own proxy configuration. Now I can browse remotely in Firefox and normally in my default browser. If I connect to another jumphost, Firefox is now on the new remote network, without any reconfiguration.
If you need to use DNS names, a little more configuration is needed. Assuming that DNS is configured on the jumphost, you just need to have Firefox send DNS through the proxy using the setting “network.proxy.socks_remote_dns”. Type about:config in the address bar and search for the setting.
SSH through the same jumphost
If you need to access an ssh CLI through an ssh jumphost, the same proxy as used for the web can be used for ssh. If using Mac or Linux the command is
ssh -o ProxyCommand='nc -x localhost:8080 %h %p' <hostname or IP>
To simplify this I have created a script on my laptop called pssh (proxy ssh)
#!/bin/sh
# Tunnel ssh through the local SOCKS proxy opened with "ssh -D 8080" (nc -x is the OpenBSD/macOS netcat syntax)
exec ssh -o ProxyCommand='nc -x localhost:8080 %h %p' "$@"
Escape a (restrictive) proxy server
Sitting on a network behind a proxy server that blocks your work is a pain. Luckily, ssh port forwarding again has you covered. This tip requires a little preparation, since you need your own ssh jumphost with ssh enabled on port 443. If your jumphost is a Linux server this can be enabled by adding
to the file /etc/ssh/sshd_config and restarting the ssh service. Ensure that port 443 is not already in use, e.g. by a web server.
Once you have the jumphost in place, configure your computer to use a proxy server to connect to your jumphost. For ease of use, create an alias for the connection. Edit (or create) the file
defaults write com.apple.finder CreateDesktop false
defaults write com.apple.finder
If your network uses 802.1X authentication on the wireless switch ports, you will need some mechanism to enable the AP to authenticate on the port.
The default Cisco solution is to configure the AP with an EAP-FAST username and credential and enable a policy for this in ISE.
The process is described in Configure Lightweight Access Point as an 802.1x Supplicant.
Just for quick reference, here is the CLI that can be used on the AP console interface to configure the credential (the first command enables CLI access on the console, the second sets the credential):
debug capwap console cli
capwap ap dot1x username <username> password <password>
Since WLC software version 8.7 it is possible to use EAP-TLS (certificates).
Read about this in 802.1X EAP Supplicant on COS AP. Be aware that 8.7 is a very new release and there are many AP models that are not supported.
Nice collection of Cisco ISE articles