the ongoing struggle: man vs machine
The recommended way to configure an enterprise wireless network is with certificates rather than a shared passphrase. This allows you to issue a certificate to each wireless device, and should a device be lost, revoking the certificate is all that is required to prevent access.
Searching the internet reveals that most guides present either the iPhone Configuration Utility or an MDM product as the only ways to install a certificate and wireless profile on an iOS device. What I want to outline is a third way that relies on neither.
The reason for this guide is that the iPhone Configuration Utility is end of life and does not work with iOS 8 and above. It has been replaced by Apple Configurator, an app that is only available on the Mac. Purchasing a Mac just to configure iPads is not an option for me.
I will detail all the steps needed to get a non-domain-joined device (whether a PC, tablet or phone) onto the wireless network.
This guide assumes that you already have a functional WPA2-Enterprise EAP-TLS Wi-Fi network, a Network Policy Server (NPS) and an enterprise Certification Authority, and that domain-joined PCs can already authenticate to the network.
Stage 1 of this process is to create an appropriate certificate template, and enable the template on our Certification Authority.
Stage 2 of this process is to request a certificate. I am doing this from my own domain-joined Windows 7 PC, but it would be better practice to use a workstation dedicated to this task. (Note that certificate auto-enrolment is enabled in my domain, so my PC will automatically enrol for any certificates issued to it.)
On your Certification Authority server, open the Certification Authority console (as administrator) and navigate to Pending Requests. Issue the certificate from the right-click menu, making sure you pick the correct request (check the requester name and request ID before issuing).
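The request, issue and export cycle above, scripted from an elevated PowerShell prompt on the domain-joined PC. This is an added example and not code from the original post; it assumes certreq.exe and certutil.exe are present (Windows 7 and later), and the CA configuration string, the template name "WiFiDevice", the domain corp.example and the device name ipad01 are all hypothetical placeholders.

```powershell
# Added example, not the original post's code. All names below are assumptions.
$Device   = 'ipad01'                              # also the AD account the cert will map to
$Domain   = 'corp.example'
$Template = 'WiFiDevice'                          # hypothetical V2 template allowing exportable keys
$CaConfig = 'CA01.corp.example\Corp-Issuing-CA'   # "Server\CA name" as shown by certutil -dump
$Work     = Join-Path $env:TEMP "enrol-$Device"
$PfxPass  = Read-Host -Prompt 'PFX password'      # never hard-code this in a script
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request definition. Exportable=TRUE is the important part: the private key
#    has to leave this PC inside a PFX so the iPad can present it. MachineKeySet
#    keeps the key in the machine store, hence the elevated prompt.
@"
[NewRequest]
Subject = "CN=$Device.$Domain"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template
"@ | Set-Content -Path "$Work\$Device.inf" -Encoding Ascii

certreq -new "$Work\$Device.inf" "$Work\$Device.req"

# 2. Submit. With "CA certificate manager approval" set on the template the
#    request is parked in Pending Requests and certreq prints its RequestId.
$submit = certreq -submit -config $CaConfig "$Work\$Device.req" "$Work\$Device.cer" 2>&1 | Out-String
if ($submit -notmatch 'RequestId:\s*"?(\d+)') { throw "Submit failed:`n$submit" }
$RequestId = $Matches[1]
Write-Host "Request $RequestId submitted. Issue it in the CA console, then press Enter."
Read-Host | Out-Null

# 3. Retrieve the issued certificate and bind it to the private key in the store.
certreq -retrieve -config $CaConfig $RequestId "$Work\$Device.cer"
certreq -accept "$Work\$Device.cer"

# 4. Export certificate plus private key as a PFX for the device. The PFX is a
#    credential: protect it in transit and delete it once the iPad has it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Device.$Domain" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw 'Issued certificate not found in the machine store.' }
certutil -p $PfxPass -exportPFX My $cert.Thumbprint "$Work\$Device.pfx"
Write-Host "PFX written to $Work\$Device.pfx (serial $($cert.SerialNumber))"
```

The serial number printed at the end is what you will need later if the device is lost and the certificate has to be revoked.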
Note: In the normal authentication flow the computer presents its certificate to the Network Policy Server (NPS), which looks up the account named in the certificate (subject common name or subject alternative name), checks that the account is enabled in AD DS, and checks that the certificate itself is valid (chain, purpose and revocation). Because we are issuing computer certificates, it follows that the certificate must map to a computer account in Active Directory.
Devices such as iPads behave differently: they treat every installed certificate as a user certificate, so when the subject name is passed to NPS it searches AD DS for a user object rather than a computer object and the authentication request fails. When this happens NPS records the rejection in the server's Security event log (event ID 6273, which includes the account name it searched for and a reason code). Keep in mind that devices from different vendors may behave differently, so watch out for this issue.
Note: These instructions have only been tested on an iPad 3 running iOS 9.0.1. Your mileage may vary.
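To see exactly which account name NPS searched for and why it refused, the following added example (not from the original post) pulls the most recent NPS denied (6273) and granted (6272) audit events from the Security log on the NPS server. Run it there as an administrator; the field labels are parsed from the event message text, and the device name ipad01 in the usage line is hypothetical.

```powershell
# Added example, not the original post's code. Run on the NPS server.
function Get-NpsAuthEvent {
    param(
        [int]$Last = 50,             # how many recent NPS audit events to read
        [string]$AccountLike = '*'   # wildcard filter on the account name NPS looked up
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6272, 6273 } `
                           -MaxEvents $Last -ErrorAction Stop
    foreach ($e in $events) {
        $m = $e.Message
        # Each field in the message appears as "Label:<whitespace>value" on its own
        # line; this pulls the value for one label (empty string if absent).
        $get = { param($label)
                 if ($m -match "(?m)^\s*$label\s*:\s*(.*?)\s*$") { $Matches[1] } else { '' } }
        $row = New-Object PSObject -Property @{
            Time        = $e.TimeCreated
            Result      = if ($e.Id -eq 6272) { 'Granted' } else { 'Denied' }
            AccountName = & $get 'Account Name'                   # what NPS searched AD DS for
            FQAN        = & $get 'Fully Qualified Account Name'   # what it resolved, if anything
            EapType     = & $get 'EAP Type'
            ReasonCode  = & $get 'Reason Code'
            Reason      = & $get 'Reason'
        }
        if ($row.AccountName -like $AccountLike) { $row }
    }
}

# Typical use while testing one device: watch only its attempts.
Get-NpsAuthEvent -Last 200 -AccountLike '*ipad01*' |
    Format-Table Time, Result, AccountName, FQAN, EapType, ReasonCode, Reason -AutoSize -Wrap
```

For the iPad problem described above, compare the Account Name column with the subject you put in the certificate: if NPS is searching for a user with that name while your account is a computer object, the mapping is the cause.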
Now to the heart of the issue. The previous steps are only an overview of the process to prepare a certificate for a non-domain joined device, and should be acceptable for most devices for WPA2-Enterprise EAP-TLS authentication. What follows are the steps to perform on the iPad (or iPhone) to enrol the certificate on the device, and use the certificate as the credentials to join the wireless network.
Depending on how your Certificate Authority is configured, and on the cache timeouts for Certificate Revocation List checking, there are two ways to prevent a device from connecting to the wireless network.
1. Revoke the certificate. This is the most reliable method, as it ensures the certificate cannot be used again, for Wi-Fi or anything else. The downside is that it can take a long time to take effect: NPS keeps trusting its cached CRL until that CRL expires and a newly published one is fetched.
2. Disable or delete the computer or user account that the certificate is mapped to. This takes effect immediately, but the certificate itself is still valid, and if it is used for any other purpose it can still authenticate.
I recommend you perform both of these steps, just to be sure. Neither of these steps will kick an active Wi-Fi connection off the network, but they prevent a re-connection attempt.
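Both steps, performed from a PowerShell prompt on the CA with the RSAT ActiveDirectory module loaded, as an added example that is not part of the original post. It revokes by serial number, forces an immediate CRL publication rather than waiting for the schedule, disables the mapped AD computer account, and then reports the NextUpdate of the freshly published CRL, which bounds how long an NPS that cached the previous CRL could keep accepting the revoked certificate. The serial number, device name and the CRL path under CertSrv\CertEnroll are assumptions for illustration.

```powershell
# Added example, not the original post's code. Run on the CA as a CA administrator.
function Disable-WifiDevice {
    param(
        [Parameter(Mandatory=$true)][string]$SerialNumber,  # from the CA console, Issued Certificates
        [Parameter(Mandatory=$true)][string]$Device,        # AD computer account the certificate maps to
        [ValidateSet('Unspecified','KeyCompromise','CessationOfOperation','CertificateHold')]
        [string]$Reason = 'KeyCompromise'
    )
    # certutil takes the RFC 5280 revocation reason as a number.
    $code = @{ Unspecified = 0; KeyCompromise = 1; CessationOfOperation = 5; CertificateHold = 6 }[$Reason]

    # 1. Revoke on the CA and publish a new CRL right away.
    certutil -revoke $SerialNumber $code
    if ($LASTEXITCODE -ne 0) { throw "certutil -revoke failed for serial $SerialNumber" }
    certutil -CRL
    if ($LASTEXITCODE -ne 0) { throw 'certutil -CRL (publish) failed' }

    # 2. Disable the account NPS maps the certificate to. This refuses new
    #    connections immediately, independent of CRL freshness.
    Get-ADComputer -Identity $Device | Disable-ADAccount

    # 3. Report the validity window of the CRL just published. Relying parties
    #    that cached the previous CRL may trust it until its NextUpdate.
    #    (Path and "NextUpdate:" label assumed from the CA's default CertEnroll
    #    folder and certutil -dump output.)
    $crl = Get-ChildItem "$env:SystemRoot\System32\CertSrv\CertEnroll\*.crl" |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $dump = certutil -dump $crl.FullName | Out-String
    $next = if ($dump -match 'Next\s?Update:\s*(.+)') { $Matches[1].Trim() } else { 'unknown' }
    New-Object PSObject -Property @{
        Serial     = $SerialNumber
        Account    = $Device
        CrlFile    = $crl.Name
        NextUpdate = $next
    }
}

# Example call with a made-up serial number:
# Disable-WifiDevice -SerialNumber '1a2b3c4d000000000042' -Device 'ipad01'
```

Publishing the CRL immediately helps only once clients and NPS have fetched it; until the old CRL's NextUpdate passes, the disabled account is what actually keeps the lost device out.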
I hope you find this helpful.
Connecting iPads to an Enterprise Wireless 802.1x Network Using Certificates and Network Device Enrollment Services (NDES) – http://blogs.technet.com/b/pki/archive/2012/02/27/ndes-and-ipads.aspx
Certificates and Exporting Private Key – https://social.technet.microsoft.com/forums/systemcenter/en-US/b24c4a4f-7b4c-42d3-b23f-58fcc18ddb80/certificates-and-exporting-private-key
This guide will lead you through the basic steps to deploy Google Chrome with group policy. It is based on v38, which at the time of writing is the current release. To follow this guide, you should already be familiar with Group Policy in general.
As with any task, first clearly define the objectives you want to achieve before starting. Your objectives will no doubt be different, so this guide should be a general reference only.
1. Install the Google Chrome 64-bit edition for all users of selected Windows 7 PCs. For our purpose the computers are all in the Active Directory organisational unit “Computers – Windows 7”.
2. Set home page to a specific address.
3. Reduce automatic update frequency.
In my case I need to import the .admx template files into the central store of my Windows 2008 R2 domain (the PolicyDefinitions folder under SYSVOL). Your group policy setup may be different; the paths below are for my environment.
Chrome is updated by the Google Update software that is installed alongside it, even for users without admin rights. To manage this software we need the Google Update ADM template that we downloaded earlier.
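The template import and objectives 2 and 3, done from a domain-joined admin workstation with the GroupPolicy and ActiveDirectory RSAT modules installed. This is an added example and not the post's own configuration: it copies the Chrome and Google Update ADMX/ADML files into the SYSVOL central store, creates a GPO linked to the “Computers – Windows 7” OU, sets the home page and the update check interval as registry-based policy, and provides a check to run against a client. The extracted template folders, the GPO name, the intranet URL and the OU distinguished name are assumptions; the MSI assignment for objective 1 is done in the GPMC software installation node as in the post.

```powershell
# Added example, not the original post's code. Folder names and URL are assumptions.
$Domain     = (Get-ADDomain).DNSRoot
$OuDn       = "OU=Computers - Windows 7,$((Get-ADDomain).DistinguishedName)"
$Store      = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$ChromeAdmx = 'C:\Temp\policy_templates\windows\admx'   # from Google's policy_templates.zip
$UpdateAdmx = 'C:\Temp\GoogleUpdateAdmx'                # from the Google Update ADMX download
$GpoName    = 'Chrome - Windows 7 PCs'
$Homepage   = 'https://intranet.corp.example/'
$CheckMins  = 1440   # check for updates once a day instead of Google Update's default

# 1. Central store: .admx files go in the root, .adml files in the language folder.
New-Item -ItemType Directory -Path "$Store\en-US" -Force | Out-Null
foreach ($src in $ChromeAdmx, $UpdateAdmx) {
    Copy-Item "$src\*.admx"       $Store         -Force
    Copy-Item "$src\en-US\*.adml" "$Store\en-US" -Force
}

# 2. GPO linked to the OU. The values land under HKLM\SOFTWARE\Policies\Google,
#    which is where Chrome and Google Update read mandatory policy from.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $OuDn | Out-Null
}
$chromeKey = 'HKLM\SOFTWARE\Policies\Google\Chrome'
$updateKey = 'HKLM\SOFTWARE\Policies\Google\Update'
Set-GPRegistryValue -Name $GpoName -Key $chromeKey -ValueName 'HomepageLocation'     -Type String -Value $Homepage  | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $chromeKey -ValueName 'HomepageIsNewTabPage' -Type DWord  -Value 0          | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $updateKey -ValueName 'AutoUpdateCheckPeriodMinutes' -Type DWord -Value $CheckMins | Out-Null

# 3. Verify on a client after gpupdate /force (needs WinRM). Chrome shows the
#    same values on chrome://policy, but this works without opening the browser.
function Test-ChromePolicy {
    param([string]$Computer = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $Computer -ScriptBlock {
        $c = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Chrome' -ErrorAction SilentlyContinue
        $u = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Google\Update' -ErrorAction SilentlyContinue
        # Chrome of this era installed under either Program Files folder; accept both.
        $exe = 'C:\Program Files\Google\Chrome\Application\chrome.exe',
               'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
        New-Object PSObject -Property @{
            Computer     = $env:COMPUTERNAME
            Homepage     = $c.HomepageLocation
            CheckMinutes = $u.AutoUpdateCheckPeriodMinutes
            ChromeFound  = ($exe | Where-Object { Test-Path $_ }) -ne $null
        }
    }
}
# Test-ChromePolicy -Computer 'WIN7-PC01'
```

A client that shows the home page but an empty CheckMinutes has received the Chrome template but not the Google Update one, which is the usual sign that the second template was not copied into the central store.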
Now you should have a working setup. I would recommend you review the documents located below in the resources section, and the other available group policy settings to identify further opportunities to set default settings as appropriate.
Set up Chrome for Work
Set Chrome policies for devices
Google Update for Enterprise
This article goes through the simple steps required to install VMware Tools from ESXi onto a Debian 7 guest.
1. The first step is to install Debian's build tools and the kernel headers for the currently running kernel.
aptitude install build-essential
aptitude install linux-headers-$(uname -r)
2. Attach the VMware Tools ISO by selecting “Install VMware tools” from the virtual machine's Guest menu in the vSphere client.
3. Mount the CD:
mount /dev/sr0 /mnt/
4. Extract the archive to /tmp (the version number in the file name will match your ESXi build):
tar xfzv /mnt/VMwareTools-9.0.5-1065307.tar.gz -C /tmp
5. Change to the extracted directory (vmware-tools-distrib under /tmp).
6. Run the installer script (vmware-install.pl) to build the needed kernel modules.
7. The script will ask various questions as the install progresses. Just press Enter to accept the default choices, unless you want to change something.
8. Reboot the virtual machine and check that VMware Tools now shows as running in the vSphere client.
Contrary to reports that Windows 8 dropped the System Image Backup feature, it is still there; Microsoft have just made it difficult to find.
To find it, search for “file history” from the Start screen (the interface formerly known as Metro) and run it. Alternatively, you can open File History from the Control Panel in desktop mode.
Once File History loads, you will see the “System Image Backup” link at the bottom left of the window. This opens the same backup interface that was available in Windows 7. No third-party software and no PowerShell scripts are required.
We all know life is busy for us system administrators. Keeping servers patched is basic security hygiene, but it is often overlooked in favour of more pressing concerns. This is especially true of the trusty Linux servers that sit in the corner and never cause a problem.
This short tutorial will guide you through setting up the apticron tool to alert you by email when updates are available for Debian.
It relies on the server being able to send email, so make sure this works through Exim, Postfix or Sendmail first.
1. Open a terminal as root.
2. Run apt-get install apticron.
3. Edit the configuration file, /etc/apticron/apticron.conf, with nano.
4. Change EMAIL="root" to a valid email address. Note that the quotes must remain around the address.
5. Press CTRL-O to save, then CTRL-X to quit nano.
All done. apticron runs daily from cron and will email you whenever there are updates pending.
Today I received a notification from the System Administrators Guild of Australia (SAGE-AU) forum that Microsoft was releasing a large number of their Microsoft Press Books for free, and I thought I would share this with the wider community.
Microsoft’s Director of Partner Experience, Eric Ligman, has posted links to a large number of free eBooks and resources for developers and system administrators.
I encourage everyone to check it out.