Just a little snippet before hitting September…..Having recently tried to update the Firmware on my Plantronics Voyager Legand at work (using a Windows 8.1 problem) I found that the MyHeadset Updater (http://www.plantronics.com/uk/product/myheadset-updater) tool cannot handle web proxies (without having the URLs it tries to reach out to being in a authentication bypass list).
As I only had one headset to update I turned to the simple solution of take it home and do it there!
After playing with Windows Phone 8.1 on my Nokia Lumia 1020 for the past few days (since general release in the UK) thus far my favourite feature has to be the ability for the phone to automatically turn back on WiFi (after a set period of time) after you turn it off.
Certainly where I live and work WiFi is plentiful and as such it makes much more sense to use than cellular data however on occasion I have found myself turning off WiFi (for any strange and interesting reason) but forgetting to turn it back on.
Still looking forwards to the UK version of Cortana if only to ask her what is going to happen in the next Halo!
The past few weeks at work have been filled up with going from what has been a very successful pilot of Moodle 2.6 to a fully featured install of Moodle 2.7.1. Hopefully as time allows I’ll be able to get out some posts about how each aspect of Moodle goes down with the staff and students but for now this post serves as a way for me to highlight some features (in no great detail) which I think deserve recognition.
Things to be covered include-
- Linking AD accounts to class lists in Capita SIMS (a Schools Information Management System)
- Using the auto login feature to put Moodle front and centre
- My home
- OneDrive, Google Drive and Dropbox integration
- Moodle updates (going from 2.7 to 2.7.1)
This final network is quite possibly the ones that most Schools will shy away from on grounds of ‘security’ – where I work however that just isn’t an option as we have paying users of the school facilities right the way through the evening and weekends. Indeed the weekend after we put this public network in place we have ~110 users on the network all of which were taking part in a chess competition that was being held at the Academy.
James stop rambling and get on with the guide…
So for the Public WiFi network the objective is to provide guests with a shared key (which is changed regularly) to access the network and to be able to use the internet without putting in any web proxy settings.
As per with the BYOD network you must have the Smoothwall configured with a virtual adapter which sits in the Public VLAN (details here –https://myworldofit.net/?p=6473) before carrying on with this guide. The screen shots below cover the configuration required…
Windows DHCP Server
Next up you must configure your Windows DHCP server to provide the clients with their IP addresses…
The configuration on the HP MSM for this network is as easy as setting up the Mac Wi-Fi VLAN as I will just be using a pre shared key that is changed regularly. However there are plenty of other options available like a captive web portal or single use keys (Meraki have a pretty funky option where you are forced (or just directed to) to ‘like’ a Facebook page before you are authenticated onto the network).
Finally as part of the configurations for the BYOD and Public networks because we are using the Smoothwall (and not our internal router) as the default gateway we need a method to allow what are 3 separate networks (BYOD/Public/Internal) to communicate with each other. On Smoothwall firewalls this is called Zone Bridging. N.B. – To configure zone bridging you need to have the Zone feature installed as a module (System > Maintenance > Modules).
That’s all folks!
Here ends this series of posts; hopefully they have given you an interesting insight into one (of many) ways to configure a WiFi network inside a School (or indeed any workplace). Please note that for specific help on the Smoothwall side your best bet will be to get a hold of Smoothwall direct and for support on HP wireless networks you will probably need to get a VAR involved.
The BYOD network is quite possibly the hardest to setup (and thanks to the Smoothwall support guys for spotting an obvious mistake I made on my DHCP config the first time round!) of all 4 of the SSIDs by also the most rewarding when you see 300+ students and staff connected on their Phones, Laptops and Tablet PCs. In a typical school BYOD network setup you will have two hoops to jump through, authenticating onto the SSID and then authenticating against the schools web filter. However using the neat WPA Enterprise authentication mode on Smoothwall firewalls its possible to both authenticate onto the SSID and the web proxy at the same time making life much easier for your users.
So time to get the configuration going…
First up you must have configured a VLAN for the exclusive use of the BYOD network (as per the guide here – https://myworldofit.net/?p=6473) taking special note of setting the IP Helper Address to a virtual network adapter on your Smoothwall firewall which sits in the BYOD VLAN. Take a look at the screen shots below for more info…
NB – in this configuration the Smoothwall firewall will allow connectivity to the internet at the users policy level, if you want to allow BYOD guests to access your internal resources you will need to configure the Smoothwalls DNS and Zone Bridging features. I will touch on this in the next article.
The configuration on the HP MSM is similar to setting up the Domain WiFi network in that a RADIUS server is configured and the VSC is configured to use that RADIUS server.
To help you get started with your own user guides feel free to download and modify the ones that I have used at my establishment below.
OSA-BYOD - Android (498.4 KiB, 1,010 hits)
OSA-BYOD - iOS (3.3 MiB, 1,061 hits)
OSA-BYOD - Windows 7 (796.7 KiB, 940 hits)
OSA-BYOD - Windows 8 (2.1 MiB, 810 hits)
OSA-BYOD - Windows Phone (206.9 KiB, 700 hits)
OSA-BYOD - Windows Vista (1.5 MiB, 745 hits)
You will note that Windows XP is omitted as it is no longer a Microsoft supported operating system (although XP does work with this configuration).
By comparison to the Domain WiFi setup the configuration for the Apple network is much simpler.
The one tiny little exception is that the Apple Discovery Protocol (Bonjour) is by design unable to traverse VLANs. In many networks this wouldn’t be a problem however we have a item of software called AirServer on our Windows clients that ties into the AirPlay feature on iPads to project the iPad screen onto the PC screen. To get this feature working the Bonjour discovery packets need to move from the Windows VLAN to the Mac VLAN.
So first up the configuration for the SSID on our HP MSM controller-
To get the Bonjour packets to traverse the VLAN we need a ‘Bonjour Gateway’; to get this going I will be using a Virtual Machine with 3 network adapters running Ubuntu Client (if you are confidant with Linux then feel free to use the server edition!) and a bit of software called Avahi.
The guide here – http://community.spiceworks.com/how_to/show/38251-build-your-own-bonjour-gateway shows very well how to setup the Avahi software; in my case I went without the VLANs and just used native NICs sitting in the Server, Windows Clients and Mac Clients VLANs.
A few more details in the screen shots below-
Next up is an article on the BYOD SSID which uses a very cool feature on our Smoothwall firewall to make logins really easy.
Now that we have the basics configured its time to setup the first SSID (shown here as OSA-WiFi). This SSID will be used for Windows computers that are domain joined, this could be desktop PCs with wireless adapters as well as laptops and tablet PCs with built in wireless.
To complete this section you will need a Windows Server with the Network Access Protection role installed on it as well as a valid SSL assigned to it (the SSL cert must be ‘in date’ as otherwise your clients won’t connect to the network). If you don’t have a valid SSL certificate issued by a 3rd party you can use this guide here which shows you how to use the Active Directory certificate services to provision your own – http://www.windowsnetworking.com/articles-tutorials/windows-server-2008/Setting-up-Wi-Fi-Authentication-Windows-Server-2008-Part1.html.
One of the great things about using this kind of authentication in a domain environment is that you don’t need to manage individual passkeys for your clients (in a school it can be a massive time saver if you have a class set of 30 new laptops to roll out) as all the settings required to connect can be pushed down via Group Policy Object.
Network Access Protection Server
First to be setup is the Windows Network Access Protection Server; this server hosts a service called RADIUS which receives authentication requests from the HP MSM and then checks the credentials (in this case the fact that the computer wishing to connect is indeed a member of the Windows Active Directory Domain) against Active Directory and in turn allows/prevents the client from connecting to the network.
Now that we have the backend service together its time to get the HP MSM Controller to use the RADIUS/NAP server and present a SSID to the clients.
Group Policy Setup
As previously mentioned by using this Wireless authentication model you can easily pass out the settings to your domain joined Windows Computers without having to manually tap in a passkey on each machine. Ok so maybe it take a while to setup and maintain but in the long run shouldn’t we be nice to our technicians and get them doing something more important?
In the next part of this guide I’ll look at the setup of the Apple Mac wireless network as well as give you some pointers on how to get Bonjour packets to traverse between your Windows Wireless and Apple Network (great for the modern craze of Airplay).
Its VLANs time! In this part of the guide I am going to look at the VLAN configuration required to get all of this up and running. For the whole setup we have the following VLANs being used-
172.16.8.0/21 – VLAN 2 Services which includes 172.16.8.4 as our Windows DHCP server, 172.16.8.39 as the Wireless Controller and 172.16.15.254 as the Smoothwall firewall
172.16.24.0/21 – VLAN4 APs just a DHCP range (powered by Windows Server) that the APs sit in, once they have their first IP address it gets converted to a reservation
172.16.72.0/21 – VLAN10 Windows clients another DHCP range (powered by Windows Server)
172.16.104.0/21 – VLAN14 Apple clients another DHCP range (powered by Windows Server)
172.16.128.0/21 – VLAN17 BYOD clients another DHCP range (powered by the Smoothwall firewall)
172.16.136.0/21 – VLAN18 Public clients just one more DHCP range (powered by Windows Server)
The Windows DHCP server serves up IP addresses for various services as listed in the screen shot below.
Core switch configuration
The core switch provides Layer 3 routing (required to get VLANs to talk to each other) and also houses the Wireless Controller as an expansion module. The Smoothwall firewall actually sits on a separate switch in this configuration which can be found on port number K8.
Edge switch configuration (includes Smoothwall Firewall)
The edge switch config below shows how the switch talks back to the Core switch and which VLANs the Smoothwall sits in.
HP MSM Controller
This next part shows how the IP configuration is setup on the HP MSM wireless controller; click through the screen shots for more info.
HP MSM Access Points
This time its the turn for the access points, again just click through the screen shots.
In this series of posts Im going to look at the technical setup required for providing 4 different SSIDs each on its own network (using VLANs) which provides wireless services for a variety of services.
For each of the networks I am looking to achieve something specific-
- OSA-WiFi – Domain joined Windows devices, served by computer authentication with the settings deployed through Group Policy
- OSA-MacWiFi – Domain joined Apple devices, WPA2-PSK with a Bonjour gateway to finish it all off to allow anything on this network to talk to our AirServer installation
- OSA-BYOD – ‘Bring your own device’ network for staff and students – as easy as possible to connect to using the Smoothwall 802.1x features
- OSA-Public – A regularly changed WPA2-PSK key (I did consider single use keys but then worked out it would need a lot of keys generated for when we have 100+ visitors!) to be used by visitors
To accomplish this I shall be using the following infrastructure components
- 1x HP MSM765zl Mobility Series Controller (housed in a HP 8212 Layer 3 Switch)
- 60x HP MSM460 Wireless Access Points (there are a few HP MSM466s in there for good measure as well)
- HP ProCurve wired infrastructure – a mixture of various Layer 2 switches with 1Gbit to the client and 10Gbit to the core
- 1x Windows Server 2012 running DHCP for 3 of the SSIDs (running as a virtual machine)
- 1x Windows Server 2012 running Network Access Protection to serve as a RADIUS server (running as a virtual machine)
- 1x Smoothwall UTM 1000 series Firewall/Web filter appliance
Before you go further… an understanding of DHCP on Windows Servers, VLANs (ideally on HP ProCurve) and Smoothwall Firewalls will greatly aid following this series of posts! In addition I’m sorry if this guide seems a little disjointed – hopefully with time I’ll work out a way to tidy it up.
Go into any school these days and it will be hard to avoid any shiny ‘iDevices’ and in support of that I have recently deployed AirServer by App Dynamic.
The installer is provided as an MSI although our retailer suggested a command line option to deploy and activate the software for all users of the PC; a very nice idea there is a much simpler method which involves a quick modification of the downloaded MSI using Orca. For the full guide take a look at the screenshot sequence below-
One point to note is that upon installation the installer will reach out to the AirServer website to perform product activation; as in most schools a web proxy will get in the way of this however if you allow unfiltered access to 220.127.116.11 the authentication will go through without any issues.
Another point to note – make sure you have all the prerequisites installed on any machine targeted for AirServer installation. The deployment of these is outside the scope of this document however the easiest way I have found so far is to download the full iTunes installer, unzip it (with 7zip) and deploy the MSIs inside it separately.