06 Mar

Response attributes on Synology RADIUS server

Secure Your Network

You can use Synology NAS products not only as file storage. The DSM system provides a broad spectrum of additional services via packages – either signed by Synology or provided by third-party communities – the SynoCommunity repository is the most known. The only limitation you have is your NAS hardware platform and its performance. I own DS211 model which reached its End of Sale status already. I run several network services like DNS server there, and I use it as remote storage for SMB and AFP shares as well as for iSCSI LUNs. It also provides some services for my home network and lab. One of them is RADIUS server.

I want to show you how you can use the Synology products as RADIUS server which will use LDAP database for user authentication. This way local accounts that I use for network shares authentication remains separated from any additional accounts dedicated to RADIUS service. Both RADIUS and LDAP runs on the NAS itself.

Read More

01 Feb

How to register lightweight AP in WLC using DNS records

Wireless networks

So you have your brand new shiny lightweight AP from Cisco and wireless controller. The beauty of the managed wireless solution is that it requires almost no effort to add a new access point to existing local network. There are multiple ways how lightweight AP can discover the WLC – I will show you, in my opinion, the easiest one.

Access Point registration

The WLC has two essential ports – management and service. The second one we use mostly for recovery procedure on physical appliances and is not that important when you use vWLC. The Management Port is the one you use to connect to WLC GUI. But by default, it is also used to register access point. You can always change this by selecting the “Enable Dynamic AP Management” option in other port configuration.

There are multiple options how lightweight access point can discover the controller. I think one of the most known is by using DHCP option 43, but that usually requires quite a lot of work and may not be supported by all DHCP server software. In my opinion, the easiest way to let AP discover the controller is via DNS discovery. There are two requirements for this solution to work:

  • The DHCP server must provide DNS servers IP addresses and the domain name in response
  • You need to configure CISCO-LWAPP-CONTROLLER.localdomain or CISCO-CAPWAP-CONTROLLER.localdomain where the ‘localdomain’ is the access point domain provided by DHCP.

So the whole required configuration is limited to setting up DHCP like for any other host you have in a network (no unique attributes), adding DNS entry and configure switch port in proper VLAN.

Before AP can register at WLC, we must configure the WLC itself as the master controller for the wireless network. To do that go to Controller -> Advanced -> Master Controller Mode, click the checkbox and apply the change.

When you boot up the AP, it should obtain its IP address from DHCP server. You should also see logs as below on AP console which means access point is trying to join the controller provided in DNS configuration.

*Dec 16 23:19:42.015: AP has SHA2 MIC certificate - Using SHA2 MIC certificate for DTLS.

*Dec 16 23:19:42.000: %CAPWAP-5-DTLSREQSEND: DTLS connection request sent peer_ip: peer_port: 5246
*Dec 16 23:19:42.223: %CAPWAP-5-DTLSREQSUCC: DTLS connection created sucessfully peer_ip: peer_port: 5246
*Dec 16 23:19:42.223: %CAPWAP-5-SENDJOIN: sending Join Request to
*Dec 16 23:19:47.223: %CAPWAP-5-SENDJOIN: sending Join Request to

It takes 1-2 minute for AP to join the controller, even more, to be operational. Usually new AP first require firmware upgrade which takes time (unless you are needed do to it manually because it is too old compared to WLC firmware which I explained in Manual firmware upgrade of lightweight access point post). When registration process completes, you will see the access point on the list in the Wireless section.


09 Jan

Setting up vWLC controller in 10 minutes

Wireless networks

Those are not my first steps with wireless controllers or wireless networking. I had my first touch of enterprise-class wireless networks like 7-8 years ago when Cisco WLC controllers hit the market and lead the evolving world of wireless networking. Working for Cisco Gold Partner back then gave me the opportunity to configure few both autonomous and centrally managed wireless networks at different scale. I also performed a security audit of one quite big installation. Back then there was no virtual vWLC controller back then.

Why am I getting back to the Cisco wireless solutions now? I got Cisco AIR-CAP3702 access point lately, so it was excellent opportunity to refresh my knowledge and look at the past few years changes. It is a popular enterprise model that can work either as an autonomous access point or managed via a controller. So this model is for tests and PoC labs for me, so I decided to check what has changed in Cisco wireless world.

Read More

03 Jan

Manual firmware upgrade of lightweight access point

Wireless networks

The Cisco lightweight access point managed by the wireless controller is not a new product. It has been on the market for years, evolved from LWAPP to CAPWAP model, is supporting a wide range of access point models. The idea is that access point upgrades its firmware when it registers to WLC. Sounds easy? Yes. Is it working? Yes, usually, but not always. Sometimes you need to perform a manual lightweight access point firmware upgrade procedure which is not well documented. And you need to know a hidden command. I will show you how.


Read More

28 Dec

SMTP Relay on IIS for Exchange Online

Microsoft Office 365

On March 1, 2018, Microsoft will disable support for TLS 1.0 and TLS 1.1 protocols in many of its online services. That means TLS 1.2 or later version will be only allowed in browser-server and client-server connections. It is a good move and security enhancement. You should not even see this change unless you use the old legacy software.

During the past few weeks, I have been working on the project related to the implementation of the GDPR law for one of my customers. One of the milestone tasks was a migration to Office365 and Exchange Online. They were using external email service from one of the national providers so far. One of the applications they are still using is the on-premise CRM – I cannot name the product, but it has support from the vendor and every few months users get a new release. However, this CRM does not support TLS at all in deployed version, only the SSL, for connection to the SMTP server. It was not a problem for previous email service provider, but Microsoft is not going to enable SSL for you just because you need it.

Even in small company changing or upgrading the CRM is not a quick and easy task, so it was not an option in this case. So I had to make changes to SMTP service. My choice was to install SMTP Relay.


Read More

23 Nov

Dynamic VIRL inventory for Ansible playbooks

Ansible is one of the powerful tools providing us an automation of recurring tasks. In the current world, it is impossible to manage infrastructure manually efficiently. Many people still do this but the world has already changed and we need to progress otherwise our business will be cost ineffective. You can provide static inventory – list of the devices where you want to execute the playbook. But in dynamic environments, such as Cisco VIRL simulations you don’t want to edit inventory file manually. That is why I use Python script that will generate Dynamic VIRL inventory for Ansible playbook for me.

Read More

03 Nov

IOx and guestshell on IOS XE

Most of the recent firmware on Cisco devices run on top of Linux operating system. Yout IOS XE or NX-OS is just a Linux process! It is nothing new; Juniper does it for years. However, it does not mean you can access the operating system directly; this is reserved just for Cisco TAC and developers in case the base operating system might be the source of the problems. However, you can use the IOx and the guestshell container introduced in IOS XE Everest 16.5.1 release.

Read More

17 Oct

When your ISP sends you BPDU frames…

As an end-user, you should never receive STP BPDU frames from the ISP. The workstation in enterprise networks should not either. It is always a result of misconfiguration or lack of knowledge from network engineers about basics of network security. BPDU can reveal information about your network that can be later used to compromise it. In the worst case, an attacker can impact your system by changing the spanning-tree topology and perform a Man-In-The-Middle attack.

I noticed that my ISP is sending me BPDU frames. Let’s see, using this case real-life scenario, what we can tell about his network.

Read More

13 Oct

How to install multiple ASAv firmwares on Cisco VIRL

Cisco VIRL

Cisco VIRL is powerful network simulation tool. There are weeks when I run simulations 24/7 because of some projects or learning are ongoing. With VIRL you get almost the latest firmware for supported platforms. Almost – sometimes you have to wait for next release for a new firmware to be available. I experienced it a few months ago when with ASA 9.7(1) release Cisco introduced the route-based VPNs (VTIs). At this point VIRL users got the 9.6(2) release bundled into latest simulator release. In other simulation, you may want to use different ASAv firmware versions for various nodes, so your simulation is more similar to your production network.

Cisco VIRL uses real firmware in the simulations. I will show you how you can add different ASAv firmware and use it in parallel with the software available on VIRL repository.

Read More