Convert Aruba AP-325 from Campus mode to Instant mode

There are two versions of the Aruba AP-325. One is the Campus AP, which has 256MB of RAM. The other is the Instant AP, which has 512MB of RAM. Campus APs that are converted to Instant APs are limited to ArubaOS 6 and cannot be upgraded further, even if Aruba Central or the AP itself claims there is an update available. Campus AP-325s that are upgraded to ArubaOS 8 will boot, but will at some point kernel panic and become inoperable. Do not upgrade to versions beyond ArubaOS 6. Below are instructions to convert a Campus AP to an Instant AP. If an access point is already in Aruba Central, licensing must be removed from it before converting.

You can grab the Instant AP firmware directly from Aruba. You will need to be connected to the AP via a console cable. These instructions start when you connect power via AC or PoE.

Steps to convert a Campus AP to an Instant AP

1. When prompted to stop autoboot, press the <Enter> key. You have three seconds to do this. You should be at the “apboot>” prompt.

2. Enter the following commands line by line.

A note about the first line that is entered, particularly the part that reads “CCODE-US-de6fdb363ff04c13ee261ec04fbb01bdd482d1cd”. This part of the line needs to be generated using the SHA1 hash of the serial number. It tells the access point that it is in the US and should broadcast US frequencies instead of behaving as an international access point. Search for an online SHA1 generator or a downloadable SHA1 generator. For example, if the serial number of the access point is AGA303822, you would need to generate a SHA1 hash for “US-AGA303822”, without the quotes. Make sure the SHA1 hash uses lower case. The SHA1 hash for US-AGA303822 is c84c75531a033b5ab80c5a26e33004b7306ef657. Therefore, the correct command for the first line is “proginv system ccode CCODE-US-c84c75531a033b5ab80c5a26e33004b7306ef657”. No quotes.

proginv system ccode CCODE-US-de6fdb363ff04c13ee261ec04fbb01bdd482d1cd
invent -w
dhcp
setenv serverip 10.200.0.20
upgrade os 0 ArubaInstant_Hercules_6.5.4.19_79367
upgrade os 1 ArubaInstant_Hercules_6.5.4.19_79367
factory_reset
saveenv

3. At this point, you can restart the AP by removing and re-attaching power, or you can issue the following command to boot the AP.

boot

Note that the IP in the setenv serverip must be set to the TFTP server with the AP firmware.

The upgraded AP should show up in Aruba Central as long as it is in the inventory and is assigned an appropriate license.
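The CCODE value for the first apboot line can be computed on the workstation instead of with an online generator. The script below is an added example, not part of the original instructions; the function names are hypothetical and it assumes the serial contains only letters and digits.

```shell
#!/bin/sh
# Added example (not from the original page): build the first apboot line
# from the AP serial number without pasting the serial into a web form.

# sha1_hex STRING -> lowercase hex SHA-1 of exactly STRING.
# printf '%s' is used because echo would append a newline and change the hash.
sha1_hex() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then      # stock macOS
        printf '%s' "$1" | shasum -a 1 | cut -d' ' -f1
    else
        printf '%s' "$1" | openssl dgst -sha1 | sed 's/^.*= *//'
    fi
}

# ccode_line SERIAL -> "proginv system ccode CCODE-US-<sha1 of US-SERIAL>"
# Assumption: serials are plain letters and digits; anything else (spaces,
# quotes copied from a label or spreadsheet) is rejected rather than hashed.
ccode_line() {
    case "$1" in
        ''|*[!A-Za-z0-9]*)
            echo "ccode_line: unexpected characters in serial: '$1'" >&2
            return 1 ;;
    esac
    printf 'proginv system ccode CCODE-US-%s\n' "$(sha1_hex "US-$1")"
}

# Serial used as the example in the text above; pass the real one as $1.
ccode_line "${1:-AGA303822}"
```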

Import certificate for Firepower Remote Access VPN

This guide uses a DigiCert certificate, but any certificate bundle would work.

The easiest way to do this is using a PKCS12 file. The certificate CSR, key, and PFX file are generated in Linux. Save settings as needed.

First, create a CSR in Linux to submit to DigiCert so it can issue the certificate. The following command will generate two files, domain.key and domain.csr. Use the contents of domain.csr to generate the certificate in DigiCert.

openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

Download the certificate file from DigiCert using the “A single .pem file containing all certs” option. Use the following command to generate a PKCS12 bundle. domain.pem is the certificate file you downloaded from DigiCert. domain.pfx is the file you will import to the Firepower FMC. domain.key is generated using the first command.

openssl pkcs12 -export -out domain.pfx -inkey domain.key -in domain.pem
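A pre-flight check for the two commands above, as an added example that is not part of the original guide: it confirms domain.key belongs to the certificate before exporting, creates the PFX readable only by its owner, and counts the certificates in the bundle. The function names and the PFX_PASS variable are hypothetical, and the export password comes from an environment variable rather than the interactive prompt.

```shell
#!/bin/sh
# Added example (not from the original page): checks around the PKCS12 export.
# Assumes domain.key is unencrypted (as produced with -nodes) and that the
# first certificate in domain.pem is the server certificate.

# key_matches_cert KEY PEM -> 0 if KEY is the private key for the first
# certificate in PEM, 1 if not, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# make_pfx KEY PEM OUT PASSVAR -> export the bundle only when the pair matches.
# PASSVAR names an exported environment variable holding the export password,
# so the export can run unattended without the password in the argument list.
make_pfx() {
    if ! key_matches_cert "$1" "$2"; then
        echo "make_pfx: $1 does not match the certificate in $2" >&2
        return 1
    fi
    # umask 077 in a subshell: the .pfx holds the private key, create it 0600.
    ( umask 077
      openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passout "env:$4" )
}

# pfx_cert_count PFX PASSVAR -> number of certificates inside the bundle
# (1 means only the server certificate is present, with no chain).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "env:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Runs only when the files from the steps above exist and PFX_PASS is exported.
if [ -f domain.key ] && [ -f domain.pem ] && [ -n "${PFX_PASS:-}" ]; then
    make_pfx domain.key domain.pem domain.pfx PFX_PASS &&
        echo "certificates in domain.pfx: $(pfx_cert_count domain.pfx PFX_PASS)"
fi
```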

Navigate to Objects → PKI → Cert Enrollment → Add Cert Enrollment

Choose PKCS12 file in the Enrollment Type dropdown. Select domain.pfx and click Save.

Navigate to Devices → Certificates → Add

Select your target device and enrollment that you created in the previous steps and click Add.

Navigate to Devices → VPN → Remote Access and edit your target device.

Click on the Access Interfaces tab.

In SSL Global Identity Certificate and IKEv2 Identity Certificate, select the Enrollment Cert you created in the previous steps.

Save and deploy.

· 2021/10/26 09:01 · 2021/10/26 09:24

Enable Mellanox Connect X support in OPNsense

Support for Mellanox Connect-X NICs isn't enabled on OPNsense by default.

The following line has to be added to /boot/loader.conf.local.

mlx4en_load="YES"

However, this did not work for me and I had to add this from the web interface, System → Settings → Tunables.

· 2021/08/05 18:22 · 2021/08/05 18:26

Install telnet, ftp on macOS

telnet and ftp have been removed from macOS. While people shouldn't be using insecure versions of these protocols, I use telnet often to diagnose connection issues. The solution to this is to install inetutils.

You can install inetutils using Homebrew or MacPorts, but I prefer compiling from source. It is more straightforward and does not require installing additional packages.

Download and Extract

First off, download your preferred version of inetutils from https://ftp.gnu.org/gnu/inetutils/.

curl https://ftp.gnu.org/gnu/inetutils/inetutils-1.4.0.tar.gz -o inetutils-1.4.0.tar.gz
tar xzvf inetutils-1.4.0.tar.gz

Compile and Install

cd inetutils-1.4.0
./configure
make
sudo make install

Profit!

inetutils should now be installed!

· 2021/07/05 17:27 · 2021/08/05 18:35

Install Apache, FreeRadius, daloRADIUS, and MariaDB on Ubuntu 20.04

This quick guide assumes you are root or using sudo on a fresh install of Ubuntu Server 20.04.

Install apache2, MariaDB, and PHP

Install Apache

apt install apache2

Install PHP

sudo apt install php libapache2-mod-php php-{gd,common,mail,mail-mime,mysql,pear,db,mbstring,xml,curl}

Install MariaDB

apt install mariadb-server
mysql_secure_installation

Install FreeRADIUS w/ MariaDB

Install FreeRADIUS

apt install freeradius freeradius-mysql freeradius-utils
systemctl enable --now freeradius

Use MariaDB with FreeRADIUS

Log in to MariaDB with the password you just created. (Remember to replace password with your own password.)

mysql -u root -p

Create database and database user

MariaDB [(none)]> CREATE DATABASE radius;
MariaDB [(none)]> GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY 'password';
MariaDB [(none)]> FLUSH PRIVILEGES;
MariaDB [(none)]> quit

Import FreeRADIUS schema into MariaDB

mysql -u root -p radius < /etc/freeradius/3.0/mods-config/sql/main/mysql/schema.sql

Link to the SQL module

ln -s /etc/freeradius/3.0/mods-available/sql /etc/freeradius/3.0/mods-enabled/

Edit the FreeRADIUS config file at /etc/freeradius/3.0/mods-enabled/sql

  • Change dialect = "sqlite" to dialect = "mysql".
  • Comment out driver = "rlm_sql_null" and uncomment driver = "rlm_sql_${dialect}".
  • Comment out the entire tls section. We will not be using TLS here.
  • Uncomment the Connection info: section and fill out the database details using the values you created previously.
  • Uncomment read_clients = yes.

Fix file ownership

chgrp -h freerad /etc/freeradius/3.0/mods-available/sql
chown -R freerad:freerad /etc/freeradius/3.0/mods-enabled/sql

Restart FreeRADIUS

systemctl restart freeradius.service

*this is unfinished*
