In this guide I am going to show how to perform a very basic setup of a HP ProCurve 2610 Layer 2 network switch using a serial to console cable.
First up you will need a serial to console cable and a PC that has a serial port. If you don’t have a PC with a serial port (old HPs are great for this purpose) then you can get a USB to serial adapter – a point to note here is watch out for the super cheap ones, quite often you will find that they use counterfeit chips meaning USB drivers don’t work reliably.
Anywhos on with the guide!
First up the network switch that I have has been previously protected with a password, in addition I want to configure the switch from scratch. To do this I am going to perform a factory reset and clear…
Now its time to configure the switch, for the configuration I will be using PuTTY which can be downloaded from here – http://www.chiark.greenend.org.uk/~sgtatham/putty/.
Thanks go to http://fediafedia.com/prank/ for the original code.
This final network is quite possibly the ones that most Schools will shy away from on grounds of ‘security’ – where I work however that just isn’t an option as we have paying users of the school facilities right the way through the evening and weekends. Indeed the weekend after we put this public network in place we have ~110 users on the network all of which were taking part in a chess competition that was being held at the Academy.
James stop rambling and get on with the guide…
So for the Public WiFi network the objective is to provide guests with a shared key (which is changed regularly) to access the network and to be able to use the internet without putting in any web proxy settings.
As per with the BYOD network you must have the Smoothwall configured with a virtual adapter which sits in the Public VLAN (details here -http://myworldofit.net/?p=6473) before carrying on with this guide. The screen shots below cover the configuration required…
Windows DHCP Server
Next up you must configure your Windows DHCP server to provide the clients with their IP addresses…
The configuration on the HP MSM for this network is as easy as setting up the Mac Wi-Fi VLAN as I will just be using a pre shared key that is changed regularly. However there are plenty of other options available like a captive web portal or single use keys (Meraki have a pretty funky option where you are forced (or just directed to) to ‘like’ a Facebook page before you are authenticated onto the network).
Finally as part of the configurations for the BYOD and Public networks because we are using the Smoothwall (and not our internal router) as the default gateway we need a method to allow what are 3 separate networks (BYOD/Public/Internal) to communicate with each other. On Smoothwall firewalls this is called Zone Bridging. N.B. – To configure zone bridging you need to have the Zone feature installed as a module (System > Maintenance > Modules).
That’s all folks!
Here ends this series of posts; hopefully they have given you an interesting insight into one (of many) ways to configure a WiFi network inside a School (or indeed any workplace). Please note that for specific help on the Smoothwall side your best bet will be to get a hold of Smoothwall direct and for support on HP wireless networks you will probably need to get a VAR involved.
The BYOD network is quite possibly the hardest to setup (and thanks to the Smoothwall support guys for spotting an obvious mistake I made on my DHCP config the first time round!) of all 4 of the SSIDs by also the most rewarding when you see 300+ students and staff connected on their Phones, Laptops and Tablet PCs. In a typical school BYOD network setup you will have two hoops to jump through, authenticating onto the SSID and then authenticating against the schools web filter. However using the neat WPA Enterprise authentication mode on Smoothwall firewalls its possible to both authenticate onto the SSID and the web proxy at the same time making life much easier for your users.
So time to get the configuration going…
First up you must have configured a VLAN for the exclusive use of the BYOD network (as per the guide here – http://myworldofit.net/?p=6473) taking special note of setting the IP Helper Address to a virtual network adapter on your Smoothwall firewall which sits in the BYOD VLAN. Take a look at the screen shots below for more info…
NB – in this configuration the Smoothwall firewall will allow connectivity to the internet at the users policy level, if you want to allow BYOD guests to access your internal resources you will need to configure the Smoothwalls DNS and Zone Bridging features. I will touch on this in the next article.
The configuration on the HP MSM is similar to setting up the Domain WiFi network in that a RADIUS server is configured and the VSC is configured to use that RADIUS server.
To help you get started with your own user guides feel free to download and modify the ones that I have used at my establishment below.
OSA-BYOD - Android (498.4 KiB, 28 hits)
OSA-BYOD - iOS (3.3 MiB, 28 hits)
OSA-BYOD - Windows 7 (796.7 KiB, 28 hits)
OSA-BYOD - Windows 8 (2.1 MiB, 27 hits)
OSA-BYOD - Windows Phone (206.9 KiB, 15 hits)
OSA-BYOD - Windows Vista (1.5 MiB, 13 hits)
You will note that Windows XP is omitted as it is no longer a Microsoft supported operating system (although XP does work with this configuration).
Make no mistake I’m all for PRTG as my preferred Network Monitoring software so when I was asked to be featured in a case study I jumped at the chance.
That study is now live and can be seen here – http://www.paessler.com/company/casestudies/oxford_spires_uses_prtg
Another similar article can also be seen here – http://www.networkingplus.co.uk/case-study-details?itemid=351
When setting up an installation of Microsoft Forefront Identity and Lifecycle Manager 2010 R2 going through the initial setup phase to configure common services I was getting the error message
The service account could not be found. This could be due to an incorrect password. Please check the service account and try again.
As it turns out I was getting this error message as I had entered the fully qualified domain name in the ‘Service Account Domain’ box instead of the shorter NETBIOS name.
Putting in the NETBIOS name allowed me to proceed to the next screen and finish the setup normally. See the screen shots below for a little more information-
By comparison to the Domain WiFi setup the configuration for the Apple network is much simpler.
The one tiny little exception is that the Apple Discovery Protocol (Bonjour) is by design unable to traverse VLANs. In many networks this wouldn’t be a problem however we have a item of software called AirServer on our Windows clients that ties into the AirPlay feature on iPads to project the iPad screen onto the PC screen. To get this feature working the Bonjour discovery packets need to move from the Windows VLAN to the Mac VLAN.
So first up the configuration for the SSID on our HP MSM controller-
To get the Bonjour packets to traverse the VLAN we need a ‘Bonjour Gateway’; to get this going I will be using a Virtual Machine with 3 network adapters running Ubuntu Client (if you are confidant with Linux then feel free to use the server edition!) and a bit of software called Avahi.
The guide here – http://community.spiceworks.com/how_to/show/38251-build-your-own-bonjour-gateway shows very well how to setup the Avahi software; in my case I went without the VLANs and just used native NICs sitting in the Server, Windows Clients and Mac Clients VLANs.
A few more details in the screen shots below-
Next up is an article on the BYOD SSID which uses a very cool feature on our Smoothwall firewall to make logins really easy.
If you have a shiny new AudioCodes Mediant 1000 E-SBC with a CRMX-C CPU module and a need to factory reset it then this is the guide for you!
Looking at the front of the SBC (photo above) just to the right hand side of the second network port status light is a tiny little hole – perfect for a paperclip. Push and hold the button inside there down for roughly 10 seconds and you will see the fourth network port status light turn red to indicate something interesting is happening. After 10 seconds let go of the button and give the E-SBC time to reboot and restore its settings to factory default (I have found about 8 minutes should be enough time).
One the restore is complete the device will set its management IP address to 192.168.0.2; once you reach the web based management console the default username and password is Admin and Admin.
Now that we have the basics configured its time to setup the first SSID (shown here as OSA-WiFi). This SSID will be used for Windows computers that are domain joined, this could be desktop PCs with wireless adapters as well as laptops and tablet PCs with built in wireless.
To complete this section you will need a Windows Server with the Network Access Protection role installed on it as well as a valid SSL assigned to it (the SSL cert must be ‘in date’ as otherwise your clients won’t connect to the network). If you don’t have a valid SSL certificate issued by a 3rd party you can use this guide here which shows you how to use the Active Directory certificate services to provision your own – http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html.
One of the great things about using this kind of authentication in a domain environment is that you don’t need to manage individual passkeys for your clients (in a school it can be a massive time saver if you have a class set of 30 new laptops to roll out) as all the settings required to connect can be pushed down via Group Policy Object.
Network Access Protection Server
First to be setup is the Windows Network Access Protection Server; this server hosts a service called RADIUS which receives authentication requests from the HP MSM and then checks the credentials (in this case the fact that the computer wishing to connect is indeed a member of the Windows Active Directory Domain) against Active Directory and in turn allows/prevents the client from connecting to the network.
Now that we have the backend service together its time to get the HP MSM Controller to use the RADIUS/NAP server and present a SSID to the clients.
Group Policy Setup
As previously mentioned by using this Wireless authentication model you can easily pass out the settings to your domain joined Windows Computers without having to manually tap in a passkey on each machine. Ok so maybe it take a while to setup and maintain but in the long run shouldn’t we be nice to our technicians and get them doing something more important?
In the next part of this guide I’ll look at the setup of the Apple Mac wireless network as well as give you some pointers on how to get Bonjour packets to traverse between your Windows Wireless and Apple Network (great for the modern craze of Airplay).
Its VLANs time! In this part of the guide I am going to look at the VLAN configuration required to get all of this up and running. For the whole setup we have the following VLANs being used-
172.16.8.0/21 – VLAN 2 Services which includes 172.16.8.4 as our Windows DHCP server, 172.16.8.39 as the Wireless Controller and 172.16.15.254 as the Smoothwall firewall
172.16.24.0/21 – VLAN4 APs just a DHCP range (powered by Windows Server) that the APs sit in, once they have their first IP address it gets converted to a reservation
172.16.72.0/21 – VLAN10 Windows clients another DHCP range (powered by Windows Server)
172.16.104.0/21 – VLAN14 Apple clients another DHCP range (powered by Windows Server)
172.16.128.0/21 – VLAN17 BYOD clients another DHCP range (powered by the Smoothwall firewall)
172.16.136.0/21 – VLAN18 Public clients just one more DHCP range (powered by Windows Server)
The Windows DHCP server serves up IP addresses for various services as listed in the screen shot below.
Core switch configuration
The core switch provides Layer 3 routing (required to get VLANs to talk to each other) and also houses the Wireless Controller as an expansion module. The Smoothwall firewall actually sits on a separate switch in this configuration which can be found on port number K8.
Edge switch configuration (includes Smoothwall Firewall)
The edge switch config below shows how the switch talks back to the Core switch and which VLANs the Smoothwall sits in.
HP MSM Controller
This next part shows how the IP configuration is setup on the HP MSM wireless controller; click through the screen shots for more info.
HP MSM Access Points
This time its the turn for the access points, again just click through the screen shots.