Convert Cisco Aironet LAP1142n to Autonomous Mode

I recently acquired a handful of Cisco LAP1142n access points. I was excited to have Cisco APs, as I have been having trouble with WiFi at home: a limited number of clients, limited range and, worst of all, 2.4GHz only. The 1142n model, while quite old, addresses all of those and will do so far better than the Sophos AP10 devices I was using.

There is just one problem… the L in the model number stands for “lightweight”. A lightweight AP runs a thin image and depends on a wireless LAN controller for its configuration. While I’ve got a lot of gear at home, I’m not planning on running one of those.

While researching what I could do with these APs, I discovered that it is possible to load the autonomous firmware (autonomous meaning each AP is configured on its own, with no controller) onto a lightweight AP. Most of the information I was reading, however, involved logging into the AP and pulling the image over TFTP.

The problem is, I don’t have the credentials to get onto it. Digging a little deeper, I found an article on a blog named Reggle. It mentions that it is possible to reset the AP so that it automatically attempts to download an image via TFTP. The article was useful, but appeared to be missing a few key pieces, or at least didn’t spell them out.

So I’ve laid out here the steps I took to change these APs over to autonomous mode.

  1. Get the correct firmware
    This part was a little difficult. Since Cisco likes your money, you need a Cisco account with the appropriate licensing for these APs, which I don’t happen to have. So a little trick was to find the name of the firmware I wanted to use and then head over to Google. The firmware file I chose (the autonomous version) was named c1140-k9w7-tar.153-3.JD11.tar. Do a Google search for that name, maybe throw in FTP, and you’re sure to find someone hosting the file. I know, your first thought is: what if the file has been tampered with? For a little peace of mind, Cisco publishes the MD5 checksum for its firmware on the download page, so I checked that against the file I downloaded. Take the reference hash from cisco.com itself, not from the mirror that served the file; a mirror that altered the image can just as easily publish a matching hash next to it.
  2. Get Putty and tftpd64
    You should already have Putty. I chose tftpd64 because it has a portable version. Run tftpd64 and point its folder to where you downloaded the firmware file. For good luck, I made a copy of the file named c1140-k9w7-tar.default, as this appears to be the filename the AP requests from the TFTP server in recovery mode.
  3. Get a 48V Cisco Power Adapter
    Showstopper for some, I’m sure. I tried to do this through my switch, but it didn’t appear to work. Maybe VLANs got in the way; maybe I should have just used a dumb switch. I chose a power adapter because I just happened to come across one.
  4. Connect the console cable and Ethernet
    Connect your console cable and your computer’s Ethernet port directly to the AP. It’s important that there is nothing else in the middle: the AP is going to broadcast for a TFTP server and you want your computer to be the one that answers. Open Putty with a serial connection to the COM port of your console cable. Give your PC a static address in the 10.0.0.0/24 network, but don’t use 10.0.0.1, since the AP will take that address itself. I used 10.0.0.10 with subnet mask 255.255.255.0; leave the gateway and DNS blank.
  5. Power up the AP
    Hold down the MODE button and plug in the power (if you are trying PoE, hold the MODE button before you plug in the Ethernet cable). Keep holding it until the status light turns orange. In a few moments, the console output will show the AP assigning itself 10.0.0.1 and then broadcasting for a TFTP server. One thing I did here, based on the comments in the article, was to add a static ARP entry. I’m not 100% sure this was necessary, since I was using a direct cable, but if you need to try it, here is the command (run from an elevated prompt):

    netsh interface ipv4 add neighbors "<network adapter name>" 10.0.0.1 <mac address of ap, dashed>
  6. Install the Firmware
    Really nothing to do here; just watch it go. It takes about 10 minutes. When it is done, you’ll see a final boot sequence and some syslog-type output. From there I hit Enter, went into enable, and tested the default enable password of “Cisco” (case-sensitive).
  7. Configure the AP
    From here, you can put the AP on your network (it has DHCP enabled, so I just set a MAC reservation). You can then telnet in or use the web interface. The default username and password are both Cisco. Change both before the AP goes into service: the defaults are well known, and telnet and HTTP carry them in cleartext, so prefer SSH and HTTPS for management.
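The checks from steps 1, 2 and 4 as one PowerShell script, an added example that is not part of the original post. It refuses to stage an image whose MD5 does not match the value published on Cisco’s download page, copies the verified image under the name the AP requests in recovery mode, and gives the PC its static address. The paths, the adapter name “Ethernet” and the <md5 from cisco.com> placeholder are assumptions to replace with your own.

```powershell
# Added example, not from the original post. Assumes the image was saved to C:\tftp,
# that tftpd64 serves C:\tftp, and that the wired adapter is named "Ethernet".
# Replace <md5 from cisco.com> with the checksum shown on Cisco's download page for
# this exact file. Never take it from the mirror that served the file.
$TftpRoot = 'C:\tftp'
$Image    = Join-Path $TftpRoot 'c1140-k9w7-tar.153-3.JD11.tar'
$CiscoMd5 = '<md5 from cisco.com>'   # placeholder, copied from cisco.com
$Adapter  = 'Ethernet'

# 1. Refuse to stage an image whose hash does not match the vendor-published value.
$actual = (Get-FileHash -Path $Image -Algorithm MD5).Hash
if ($actual -ne $CiscoMd5) {
    throw "MD5 mismatch for $Image`n  got:      $actual`n  expected: $CiscoMd5`nDo not load this image."
}

# 2. In recovery mode the AP asks the TFTP server for <platform>-k9w7-tar.default,
#    so stage a copy of the verified image under that name (c1140-k9w7-tar.default here).
$defaultName = [IO.Path]::GetFileName($Image) -replace '^(.*?-k9w7-tar)\..*$', '$1.default'
Copy-Item -Path $Image -Destination (Join-Path $TftpRoot $defaultName) -Force

# 3. Put the PC on the AP's recovery subnet. The AP takes 10.0.0.1, so use 10.0.0.10/24,
#    and drop any existing IPv4 address or DHCP lease first so only this address answers.
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Set-NetIPInterface  -InterfaceAlias $Adapter -Dhcp Disabled
New-NetIPAddress    -InterfaceAlias $Adapter -IPAddress 10.0.0.10 -PrefixLength 24 | Out-Null

# 4. Show what tftpd64 will serve before the AP is powered up.
Get-ChildItem -Path $TftpRoot -Filter '*-k9w7-tar*' | Select-Object Name, Length
```

When you are done, put the adapter back on DHCP with Set-NetIPInterface -InterfaceAlias Ethernet -Dhcp Enabled. MD5 is what Cisco published for images of this generation; where the download page also lists a SHA-512, compare that one as well.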

NTC C.H.I.P. Battery Tip

I really love the C.H.I.P. computers by NTC. Unfortunately, it appears they’ve stopped selling them while they develop a new model. I currently have 6 of them and have some future projects coming up. While perusing the forums looking at battery options (the CHIP has a built-in LiPo battery charging controller), someone mentioned that PS3 controllers use LiPo batteries. I just happened to have one sitting on a shelf, so I cracked it open. Sure enough, the battery and connector are compatible with the CHIP. However, you have to swap the pins to correct the polarity! This is easy enough to do: lift the plastic tab on the connector, pull the pins out and reinsert them the other way round. Check the polarity with a meter against the board’s markings before you plug it in; a reversed LiPo is not something the charger will forgive.

I’ve also noticed that battery.sh, which gives you details about the battery, doesn’t actually print the percentage. All the code for it is there at the end except the output line. I added this line to the end of battery.sh to get the percentage:

echo "Battery percent = "$BAT_GAUGE_DEC"%"

Sophos UTM with Wireless VLAN and Cisco Switch

That title is a mouthful. Since putting a layer 3 Cisco switch into my home, I’ve been slowly moving off the legacy default VLAN and segmenting the network. Clients, servers, cameras (with no external access), and VOIP phones all have their own VLAN. Until recently, the multiple WiFi networks were still on the legacy default VLAN. I could have gone a little crazy and put the wireless devices on their own VLAN, but then my various casting devices wouldn’t work correctly (their discovery relies on being in the same broadcast domain as the clients). At a minimum, I put the APs themselves on their own VLAN. I spent quite a bit of time on it and wanted to share my experience with others in case they are trying to do the same thing. I won’t turn this into much of a story, but just share some of the bits of configuration.

Cisco Switch Config:

interface GigabitEthernet1/0/20
 description Sophos AP10
 switchport trunk encapsulation dot1q
 ! Untagged frames from the AP land in the native VLAN. Make it the AP management VLAN,
 ! so the AP stays reachable both before and after VLAN tagging is enabled on it.
 switchport trunk native vlan 100
 switchport mode trunk
 ! Plain "spanning-tree portfast" is ignored on a trunk port; the trunk variant is needed here.
 spanning-tree portfast trunk

! AP management VLAN. The helper address relays the APs' DHCP broadcasts to the UTM.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 ip helper-address 10.0.0.1

The piece above that no one on the Sophos forums has mentioned is the native VLAN. The advice there is to bring the APs up on the legacy VLAN, then move them over, change the VLAN tagging option and wait. If you make the trunk’s native VLAN the same VLAN you are going to assign as the AP VLAN in the UTM, the AP’s untagged traffic already lands in the right place, so it stays reachable before and after tagging is switched on and you don’t need to worry about the order.

When it comes to your wireless networks, make sure you do the following in this general order (going from memory here):

  1. Remove all of your wireless networks from all of the APs so they aren’t being broadcast anymore.
  2. Change the networks to use Bridge to VLAN and set your VLANs as appropriate.
  3. Modify each access point and enable the VLAN tagging option. Set the AP VLAN to the VLAN you want the APs to operate on. In the example above, I used 100. I also turned on STP.
  4. Power-cycle the APs after changing the VLAN as above and wait for them to come back online (assuming you have DHCP on that VLAN).

I did use Sophos as the DHCP provider. I think there is some sort of hidden DHCP option that gets sent to the APs, so it’s best to use Sophos as the DHCP provider. If you know more about this, let me know.

Depending on your configuration between the UTM and the switch, you may need to add an allowed interface in the Global Settings for Wireless Protection. I am using my switch to do the IP routing internally, so everything goes over the primary “Internal” interface. If you need help configuring your Cisco switch as the layer 3 routing device and don’t want a new interface on the UTM for every VLAN, let me know and I’ll write another post for that. That one took me about two days to figure out.

Gingerbread House WiFi Hotspot

While I’m not much of one for the holidays, I do like to participate in the events. I especially enjoy the ones where I get to integrate technology with traditional items. For example, a few years back there was a pumpkin decorating contest. I “decorated” our team’s pumpkin (I was the only one on our team that was interested) with a Raspberry Pi inside and a monitor attached to the back playing a slideshow. I won a place that year and got a bunch of free food as a result.

Fast-forward to fall of 2017 and I’ve been told that the team I now reside in will be participating in the gingerbread house contest. Since my team is me and my boss, it looks like it’s completely up to me. I’ve never made a gingerbread house, so I thought I would have a little fun and throw in some technology… a WiFi hotspot that lets you control Christmas music!

Continue reading Gingerbread House WiFi Hotspot

Disable Windows Firewall Permanently

There may come a time when you want to turn off Windows Firewall and ensure that it doesn’t come back on. Windows appears to turn it back on randomly (I’m sure there is a reason). To keep it disabled, you can use Group Policy when on a domain. When you are off the domain, you need to do it locally, which GPEDIT.MSC (the Local Group Policy Editor) lets you do on a single machine. Before you do, consider whether a policy-defined allow rule for the traffic you need would solve the problem instead; disabling the firewall outright removes a layer of protection from every profile you apply it to.

Open GPEDIT.MSC and browse to Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall. Under it you will see two profiles, Domain Profile and Standard Profile (the latter covers private and public networks). Under each profile, set “Windows Firewall: Protect all network connections” to Disabled. Because this is a policy setting, it takes precedence over the local firewall configuration, so neither a user nor a program that flips the local setting can turn the firewall back on while the policy is in place. Apply it to each profile for which it makes sense.

Figure: GPEDIT - Disable Windows Firewall. The location in Group Policy to disable Windows Firewall for good.
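The same setting from PowerShell, as an added example that is not part of the original post: it writes the two policy values that GPEDIT sets when “Windows Firewall: Protect all network connections” is Disabled for the Domain and Standard profiles, then shows the effective state. It assumes an elevated prompt on a machine that is not receiving a conflicting domain GPO.

```powershell
# Added example, not from the original post. Writes the same two policy values GPEDIT sets
# for "Windows Firewall: Protect all network connections" = Disabled, then shows the
# effective state. Run from an elevated PowerShell prompt.
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall'
$profiles   = 'DomainProfile', 'StandardProfile'   # Standard covers both private and public networks

foreach ($profile in $profiles) {
    $key = Join-Path $policyRoot $profile
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # EnableFirewall = 0 is the registry form of the policy setting. Values under the
    # Policies hive take precedence over the firewall's local configuration, which is
    # what stops the local setting from turning the firewall back on.
    Set-ItemProperty -Path $key -Name EnableFirewall -Value 0 -Type DWord
}

# The firewall service applies the policy on the next policy refresh; trigger one now.
gpupdate /target:computer /force | Out-Null

# Effective state per profile: expect "State OFF" for Domain, Private and Public.
netsh advfirewall show allprofiles state
```

To undo it, remove the EnableFirewall values (Remove-ItemProperty on the same keys) and refresh policy again; the local firewall setting then applies once more.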

VMware Customization Template

So one of my pet peeve statements is “That’s the way we’ve always done it.” In my current position, I was shown how to use our template images in VMware to produce new machines and which options to click. I always felt something was missing in the process. Recently, I was reading an article on VMware and sysprep as I was considering redoing the image and taking out a lot of manual work. Then I learned about customization templates, which I never knew existed because I did it the way it was always done! Here are a few things I learned about using customization templates, and I’ll keep adding as I find more.

What is it?

The customization template basically applies sysprep to a Windows box after it is cloned or deployed, so you don’t have to run it yourself before the last shutdown. VMware Tools does it for you: it joins the domain, applies a license, runs scripts, sets up a NIC, etc. Don’t do this yourself. Let VMware do it for you.

Post Install Scripts

I could not find any documentation detailing this. From what I can tell, it creates a “RunOnce” key after sysprep completes. When you set the auto-login reboot count to at least one, VMware Tools runs the script on the first login. It runs as the local Administrator, in the user context, after the WinLogon startup process but before the desktop loads. I added a batch file that asks a few questions during the login and then reboots the machine one last time, plus a RunOnce key to delete the folder afterwards. Here is the interesting thing, though: I’ve seen other RunOnce keys run before the reboot, so the delete may happen sooner than expected. Keep that in mind: RunOnce keys you add manually during this process may run right after, not on the next reboot.

VLAN

You can specify network settings in the template and have it ask you for the IP when you apply the customization later. If you do this and use different VLANs, make sure you change the VM’s network adapter to the VLAN that matches the subnet you specified in the template. If you don’t, and the guest can’t reach the network during customization, steps such as joining the domain will not apply correctly, and you’ll find yourself doing everything manually or starting over again.

How Google (or others) Can Get Ahead of the NFC Curve

In recent news, it has come to light that CurrentC by MCX may have a contract with many of the big retailers that prohibits them from using other mobile payment operators. This became big news because of the introduction of Apple Pay using NFC. The reasoning behind CurrentC is for merchants to avoid credit card transaction fees by doing ACH transactions directly against a bank account. All security issues aside, I understand retailers’ desire to get rid of these fees. However, I also realize that it is part of doing business and of the convenience for the customer. As Apple is heavily invested with banks and credit card processors right now, I think this is the perfect opportunity for Google to get ahead in the NFC war. Google currently has Google Wallet, where a user can put money in, much like a bank account. Using this, Google could potentially offer a much lower transaction fee to merchants, as a credit card company does not have to be involved at this point. In return, the merchant could provide more detailed information about the purchase, which Google could data mine. While many consumers would be concerned about Google knowing their purchase history, I personally would love for Google to mine my purchase data. A whole new service line could be opened where Google finds better prices on the items you commonly buy, integrated into their current shopping services. NFC isn’t dead just yet; it’s really just beginning.

Adobe Flash on Windows Server 2012

I was presented with a question from a user the other day. They needed to be able to use Adobe Flash on a Windows 2012 R2 server while using Internet Explorer. Apparently, they have regular users logging into the server to grab information from the web application it was running. Aside from the blatant security issues of using Flash in IE, and why they don’t access it remotely over HTTP, I don’t know, but I will be looking into it. So I started looking into installing Flash. The installer that they had downloaded, presumably on their own machine, told me “Your Microsoft Internet Explorer browser includes the latest version of the Adobe Flash Player built-in.” Well, I went to the Adobe Flash test page, and it didn’t load Flash. So where was it? After some digging, I finally discovered that while IE 11 does indeed contain Adobe Flash, it does not contain it on Windows Server 2012 unless you install the Desktop Experience feature. I only found one other webpage that appeared to mention this, so I thought I would help spread the word. If you need Adobe Flash on Server 2012, make sure you install the Desktop Experience feature. Keep in mind, however, that it will require not one, but two reboots. After you install the feature and reboot, it will apply settings at bootup, then reboot again.
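A quick way to check the state described above and fix it, as an added example that is not part of the original post: it reports whether Desktop Experience is installed and whether the IE-embedded Flash ActiveX control is present, and installs the feature only when it is missing. It assumes Server 2012 R2 and that the built-in player lives at System32\Macromed\Flash\Flash.ocx (the path used for the presence check).

```powershell
# Added example, not from the original post. Assumes Windows Server 2012 R2 and that the
# IE-embedded Flash Player registers from System32\Macromed\Flash\Flash.ocx (assumption used
# only for the presence check). Run from an elevated PowerShell prompt.
$feature  = Get-WindowsFeature -Name Desktop-Experience
$flashOcx = Join-Path $env:SystemRoot 'System32\Macromed\Flash\Flash.ocx'

# Report the two things the post ties together: the feature and the player it brings along.
[pscustomobject]@{
    DesktopExperienceInstalled = $feature.Installed
    FlashOcxPresent            = Test-Path $flashOcx
}

if (-not $feature.Installed) {
    # -Restart performs the first reboot; the feature finishes configuring at boot and
    # triggers the second one on its own, so expect the server to go down twice.
    Install-WindowsFeature -Name Desktop-Experience -Restart
}
```

Run the script a second time after the second reboot; both fields should then report True.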

Remove Whitespace with VBScript

So I had a line of text in a variable in which I needed to remove some extra whitespace, as Split(String, " ") will split at every space. I didn’t want to remove every space; I wanted to leave at least one. I’ve seen some complicated examples that recursively go over the string until the extra spaces are all gone, or split into an array and build a second array without the empty elements. I found a much simpler method, however: our good old friend, the regular expression.

Option Explicit
Dim sWPString, sNoWPString, oRegEx

sWPString = "This is      a    string        with    extra        whitespace."
Set oRegEx = CreateObject("VBScript.RegExp")
oRegEx.Global = True    ' replace every match, not just the first one
oRegEx.Pattern = "\s+"  ' one or more whitespace characters (spaces, tabs, newlines)
sNoWPString = oRegEx.Replace(sWPString, " ")
WScript.Echo sNoWPString

Now this will leave a space at the beginning if there was already one there. You can of course just LTrim that off, and RTrim wouldn’t hurt. Or just Trim it.

Java Security Warning on Citrix

With the newer versions of the JRE (specifically, as it relates to this writing, 1.7.0_60), the security prompts have become quite a bit more intrusive. Normally, you can tick the check box to always remember the decision to Run or Allow a Java applet. However, on Citrix this can be difficult if the user’s profile is built on logon and then removed upon logoff. After having searched through Java’s documentation for hours, I was unable to find a way to turn off these prompts globally, either completely or just for certain signers or codebases. If you know of a way to do this, please let me know. Since I couldn’t find anything, I decided to do it for the user upon logon.

Continue reading Java Security Warning on Citrix

Technology tips and musings in the eyes of a nerd.