MySQL cheat sheet

Posted on
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;
GRANT ALL PRIVILEGES ON database.* TO 'user'@'%' IDENTIFIED BY 'password' WITH GRANT OPTION;

FLUSH PRIVILEGES;

What I wrote down about DNA-C

Posted on

Random reading

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/TECNMS-2900.pdf 

https://www.cisco.com/c/dam/m/ru_ua/training-events/2018/cisco-forum-kyiv/pdf/4-1_001_dna-c_aovrashk_12-dec-2018.pdf

Connect to DNA-C CLI

ssh maglev@dnac-ip -p 2222

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/dna-center/213926-how-to-generate-and-extract-root-cause-a.html

Check that all packages are deployed

When DNA-C is reinstalled, many packages are deployed in the background.

maglev package status

Undeploy a package

For trying to fix issues 😉

maglev package undeploy --force assurance

https://www.nefkens.net/updating-dna-center-experiences/

Wi-Fi Survey Estimator

Posted on

I use this tool to estimate how many hours I will need to perform a Wi-Fi Site Survey. If you work like me you might be able to use it.

It’s VERY important that the correct and complete blueprint of the buildings involved in the survey is delivered up front. Changes to blueprints or what is to be surveyed breaks any estimate.

Post-Install Survey

A survey performed on an already installed network. Either as an assessment as part of a network review or as a test report for a newly installed network.

Predictive Pre-Install Survey

A survey performed by doing simulations based on a model of the building. The model is built from blueprints with added walls, doors, and other objects. How these walls, doors and other objects affect the wireless network can be calculated either from general figures provided by the survey software or by doing onsite measurements of the commonly used types of walls and doors in the building. It is recommended to use the measured model, especially with larger buildings where most building components are of the same type across many areas. For minor sites or sites far away, an estimated survey might be the most reasonable choice.

AP-on-a-stick Pre-Install Survey

A survey performed by setting up a measurement access point and measuring the coverage using a professional survey tool. This provides the most precise survey, as the surveyed network will be exactly like the installed one. This survey is very time consuming and is recommended where the requirements for the network are high, or where it just needs to be 100% right the first time.

Test roaming using wpa_cli on Linux

Posted on

When testing and debugging Wi-Fi networks it can be handy to be able to select which AP a client is connected to, and maybe force a roam between APs.

On a Linux system configured with wpa_supplicant this can be done using the wpa_cli tool. I often use a Raspberry Pi running Raspbian for this.

Start by running wpa_cli on the correct interface, i.e.

wpa_cli -i wlan0

Then, to make sure wpa_supplicant knows about all APs, run a scan

scan

Then force a roam to the desired BSSID

roam <bssid>


That’s it!
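As an added example (not part of the original post), the scan-then-roam steps above can be scripted: the script parses the output of wpa_cli scan_results, picks the strongest BSSID advertising a given SSID and roams to it. The interface name wlan0, the 3 second scan wait and the embedded sample scan output are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes wpa_cli can talk to a
# running wpa_supplicant and that the interface is wlan0 (override with IFACE=).
IFACE="${IFACE:-wlan0}"

# "wpa_cli scan_results" prints one header line followed by tab separated rows:
# bssid, frequency, signal level (dBm), flags, ssid. Read that text on stdin
# and print the BSSID with the strongest signal for the requested SSID
# (nothing is printed if the SSID was not seen in the scan).
best_bssid_for_ssid() {
    awk -F'\t' -v want="$1" '
        NR > 1 && $5 == want && (!found || $3 + 0 > best) {
            best = $3 + 0; bssid = $1; found = 1
        }
        END { if (found) print bssid }'
}

# Constructed sample scan output, so the parser can be exercised without Wi-Fi
# hardware: two APs serve "corpwifi"; the 5 GHz one at -58 dBm is the strongest.
row() { printf '%s\t%s\t%s\t%s\t%s\n' "$@"; }
SAMPLE_SCAN="$(
    echo 'bssid / frequency / signal level / flags / ssid'
    row 00:11:22:33:44:55 2437 -71 '[WPA2-PSK-CCMP][ESS]' corpwifi
    row 00:11:22:33:44:66 5180 -58 '[WPA2-PSK-CCMP][ESS]' corpwifi
    row aa:bb:cc:dd:ee:ff 2412 -40 '[WPA2-PSK-CCMP][ESS]' guest
)"

# Trigger a scan, wait for the driver, then roam to the best AP for the SSID.
roam_to_best() {
    ssid="$1"
    wpa_cli -i "$IFACE" scan >/dev/null || return 1
    sleep 3
    bssid="$(wpa_cli -i "$IFACE" scan_results | best_bssid_for_ssid "$ssid")"
    if [ -z "$bssid" ]; then
        echo "SSID '$ssid' not found in scan results" >&2
        return 1
    fi
    echo "roaming to $bssid"
    wpa_cli -i "$IFACE" roam "$bssid"
}

# Usage: sh roam.sh corpwifi
if [ "$#" -gt 0 ]; then
    roam_to_best "$1"
fi
```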


Doing magic with SSH port forward

Posted on

Hopefully all readers of the dot11 blog will know SSH as the text console interface to servers and network equipment. Many will think of it as an encrypted telnet alternative. But there is a lot more to SSH than that. One very handy function is port forwarding.

When opening an SSH connection it is possible to forward one or more TCP or UDP ports from the client to the server, or the other way around. If the client and server are separated by a firewall or proxy, this is very handy for reaching devices or applications that are not available through the normal route.

In this post I will give a few very practical examples. Google “ssh port forward” to learn much more 😉

Browsing remote servers through a ssh jumphost

A very common setup for getting access to a remote network is that you are provided with an account to log in to a remote ssh server. This is fine for doing command line work, but if you need access to web applications, read on. We take advantage of the SOCKS proxy function that is built into many ssh servers. If your jumphost is a Linux box, this is very likely to be possible; a separate proxy does not need to be installed. Start by opening an ssh connection to the jumphost with

ssh username@jumphost -D 8080

Now TCP port 8080 on your own computer has become a SOCKS proxy to the remote network. Cool, right? To connect to a remote website, configure your browser to use localhost port 8080 as SOCKS proxy. I use my Firefox as my “remote” browser since it has its own proxy configuration. Now I can browse remote in Firefox and normal in my default browser. If I connect to another jumphost my Firefox is now on the new remote network, without any reconfiguration.

If you need to use DNS names a little more configuration is needed. Assuming that DNS is configured on the jumphost, you just need to have Firefox send its DNS lookups through the proxy using the setting “network.proxy.socks_remote_dns”. Type about:config in the address bar and search for the setting.

SSH through the same jumphost

If you need to access an ssh CLI through an ssh jumphost, the same proxy as used for the web can be used for ssh. If using Mac or Linux the command is

ssh -o ProxyCommand='nc -x localhost:8080 %h %p' <hostname or IP>

To simplify this I have created a script on my laptop called pssh (proxy ssh)

#!/bin/sh
ssh -o ProxyCommand='nc -x localhost:8080 %h %p' "$@"
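The -D tunnel and the pssh wrapper above can also be expressed as ssh client configuration, so that a plain hostname picks the right route. This is an added example, not the author's setup: the file ~/.ssh/config, the names jumphost.example.com and username, and the *.remote.example pattern are placeholders.

```sshconfig
# ~/.ssh/config (added example; host names below are placeholders)

# The jumphost. Opening this connection also starts the SOCKS proxy on
# local port 8080, the same as "ssh username@jumphost -D 8080".
Host jump
    HostName jumphost.example.com
    User username
    DynamicForward 8080

# Hosts inside the remote network are reached through that SOCKS proxy,
# so "ssh web01.remote.example" works while the "jump" session is open.
Host *.remote.example
    ProxyCommand nc -x localhost:8080 %h %p
```

With this in place "ssh jump" replaces the -D command line and "ssh host.remote.example" replaces the pssh script.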

Escape a (restrictive) proxy server

Sitting on a network behind a proxy server that blocks your work is a pain. Luckily, ssh port forwarding has you covered again. This tip requires a little preparation, since you need your own ssh jumphost with ssh enabled on port 443. If your jumphost is a Linux server this can be enabled by adding

Port 443

to the file /etc/ssh/sshd_config and restarting the ssh service. Ensure that port 443 is not already in use by, for example, a web server.

Once you have the jumphost in place, configure your computer to use the proxy server to connect to your jumphost. For ease of use, create an alias for the connection. Edit (or create) the file


More about this

https://www.digitalocean.com/community/tutorials/how-to-route-web-traffic-securely-without-a-vpn-using-a-socks-tunnel


Cisco AP wired 802.1x supplicant

Posted on

If your network uses 802.1x authentication on the switch ports that the access points connect to, you will need some mechanism for the AP to authenticate on its port.

The default Cisco solution is to configure the AP with an EAP-FAST username and password and enable a policy for this in ISE.

The process is described in Configure Lightweight Access Point as an 802.1x Supplicant

Just for quick reference, here is the CLI that can be used on the AP console interface to configure the credentials

debug capwap console cli
capwap ap dot1x username <username> password <password>

Update:

Since WLC software version 8.7 it is possible to use EAP-TLS (certificates)

Read about this in 802.1X EAP Supplicant on COS AP. Be aware that 8.7 is a very new release and that many AP models are not supported.