Monday, 18 August 2014

Friday afternoons

There seems to be a rule with a number of users that states 'when you need something doing by the end of the week, don't tell IT until Friday afternoon'. This rule was certainly in full force this last Friday.

We received an email around 2.15pm asking for a large number of sockets to be made live for staff to move in that afternoon.

Apart from the fact that there were only 2 hours of the working day left and we had plenty of other jobs we were currently on with (including clearing), and that we ask for 5 days' notice of moves, there were a number of other reasons IT should have been involved earlier:
  • The sockets were cabled back to an area where we have no services
  • Providing services would require a data switch to be purchased and installed (approx cost £2000)
  • We would need access to be provided from an outside estates department
  • We would require a fibre connection from the hub room to said area
  • We would need to borrow fibre from the people who manage this building's IT as, as mentioned, we don't have any services here
  • The hub switch has no fibre capacity left
  • Providing services would require a new stack on the hub (approx cost £3000)
If we had been involved before the event we could have, either, instructed the contractors to cable back to an area where we did have services and capacity, or purchased and set up the required kit ahead of time so that everything would be ready to go in time for the move.

As it stands they will have to live without any form of connectivity until the above issues are addressed.

People! Please talk to your IT team. Don't just do stuff off your own back.

Thursday, 3 July 2014

Next version of android improves WiFi connectivity information

A great new feature of android 'L' looks to be the ability to see the link speed and frequency at which you are connected to wireless. I have seen the HTC One M8 has the ability to choose which frequency you connect using, but from a troubleshooting point of view having this information built into android is a big plus.


Wednesday, 25 June 2014

Temporary Wireless Installation

We were asked, rather last minute, if we could provide wireless coverage for a manufacturing conference. One of the stipulations was that they didn't want to spend any money(!). What we expected to be a job of a few hours naturally ran into nearly a full week.

Day 1

We found where they were erecting the venue, worryingly, on a patch of wasteland. Not only was half the marquee not yet erected, there was also no power.

The nearest building was all brick walls and fire exits. No windows or doors that we could use to run services out of temporarily. We found access to the roof, but then had the problem of no data connections nearby.

We thought about using a point-to-point solution but there was nowhere flat or secure at the 'tent' where we could put the remote end.

We eventually found a plant room with data we could use, but this was well over the 90 meters cable length we specify, and probably another 90 meters to the cab. We therefore decided to put some active kit in the plant room and another switch, this time PoE, at the conference end. 

Back at the office (as the generator was not yet on site) we put ends on the cable at around 190 meters and tested it running four wireless access points. Not ideal, but all worked, even if only at 100Mb rather than 1Gb.

Day 2

Department meeting in the morning so only a bit of time in the afternoon to get set up. Spent the afternoon running cables around to the positions we would like the access points.

The generator was not working so couldn't test everything on site.

Day 3

Hooray! The generator is working. We finished running the cables out, as we now have beams where we would like all the access points, and tie-wrapped the access points to the beams.

We deployed four Cisco 1142 access points (2 per tent) and checked for full coverage. We have two SSIDs, one for staff and one for guests. As we used a little less than the 190 meters we tested in the office we actually got a gigabit connection.

We did carry out some proper tests, but I also took the quick screenshot on my phone below.

Day 4

An early start to run the cable out and find some tubing and boards so nobody tripped over it (we didn't have a pickaxe to dig a trench and the ground was too hard for the hammer).

Thankfully no problems with any of the kit, and soon after we were set up we saw upwards of 80 users connecting.

At this point we left them to it to get back to the day-to-day jobs, informing the staff on site about passwords and locations.

Day 5

Clean up and pack away.

I wonder if people realise how much work goes into these things?

Wednesday, 4 June 2014

Wireless & lamp posts

We have been looking at alternative solutions to digging up the roads to install fibre in order to get services to properties belonging to the University that may not have had connectivity before. In particular there are a number of University-owned houses that would like access to the eduroam wireless service.

It is particularly difficult (and expensive) for us to dig up nearby roads as we are situated next to a number of hospitals and, therefore, important emergency routes.

One solution we went to have a look at yesterday was an outdoor wireless mesh network that made use of the power available from existing street lights.

As you can see it was a rather grey day, but atop the lamp post is a point to point wireless link back to campus and using PoE off that is a Motorola outdoor access point with one 802.11a radio antenna connected to a mesh of other AP's as well as an 802.11b/g/n radio antenna providing wireless access to the houses nearby.

The basic idea is:

If the council aren't amenable to having us install on street lights (as an alternative to digging up the road) we already have a CCTV pole there that we could make use of and install the mesh AP's on the chimneys instead. All we would have to do is get power up to the chimney stacks.

There is a huge cost saving not having to install fibre, data cabinets, cabling and building level switches and access points in every, or almost all, of the 46 properties.

It is a solution we haven't really thought much about before, although we have used a few point to point links previously and still have one in use. The number of access points in the mesh would depend on the results of the pre-installation survey and, at least if we do install them on chimneys, we have more locations to choose from.

Tuesday, 3 June 2014

iOS 8 - android? is that you?

It was Apple's WWDC yesterday, and instead of watching it I decided to do something else and check the announcements on Twitter. What seemed to me to be coming out of the presentations was a list of features previously available on android.

So what were the new features of iOS 8?

  • Third party keyboards - Swype et al have been on android for years
  • Predictive keyboard - So it will now be like most android keyboards
  • Widgets - Was there ever a version of android that didn't have widgets?
  • Actionable notifications - android 4.3
  • Cloud drive - Google Drive...but Google gives you 15GB for free, not 5GB
  • Family sharing - android tablets have multi-user support and music can be shared for limited listens
  • Share and copy between apps (such as a web link to an email) - On android since the beginning
  • Choose which apps to use following certain functions (for example using Google Maps instead of Apple Maps when tapping on an address) - android did it?
  • Health apps and integration with fitness tracking devices - Hello Samsung Galaxy & Gear Fit
  • Homekit (integration with smart home products) - Like Nest, that Google has been selling
  • Photos with auto-backup - Identical to Google+ photos, apart from Google gives you unlimited storage
  • iMessage improvements - Basically it now includes Snapchat/WhatsApp functionality
  • You can now launch Siri by saying "Hey Siri" - "OK Google"
  • Siri can listen to TV and movies and integrate with Shazam - So Google Now then?
  • Watch videos of apps before you download them - Already available on the Google Play store
I don't intend to start arguments, it just looked to me that the major features the Apple fan-boys on Twitter were going mad for were imitations of what Google have already been doing...despite some cheap shots at android during the day.

Apple will do things in their own way and ideas will be built upon and developed by both companies.

I suppose imitation is said to be the sincerest form of flattery.

Friday, 30 May 2014

Antivirus: The balance between privacy and security

I read an article the other day which showed antivirus software in a whole new light. At MakeUseOf they had picked up on a report by AV-comparatives that analysed what data was being transmitted by a host of antivirus products.

I have been using a wide variety of security products over the years and this year I was so impressed with the latest free version of Avast I very nearly purchased the paid for version. I am now having second thoughts though as I have read the report linked above that, worryingly, found a number of popular products send the following information and files to the company (either encrypted or unencrypted, it is not clear):

  • The computer name
  • The Windows username
  • The local IP address
  • Information about third party applications
  • Information about running processes
  • Operating System event logs
  • A list of all visited URLs
  • The name and path of files
  • Documents that may be classified as suspicious

I don't understand why, if the product sends a unique identifier for the user and machine on which it is installed, things like Windows username and computer name are required.

I have highlighted documents in the list as this is potentially the most troublesome one. It is entirely possible your sensitive documents could end up stored somewhere in EU/Russia/Korea/USA just because your antivirus product classified them a certain way.

There is a longer list of what information is sent, but some of this information, such as version numbers and operating systems, is obviously essential for updates and so forth.

I urge you to check out the report, and also the MakeUseOf article, which both have good summaries of the findings. I mentioned Avast, which is by no means the worst, and another of my favourite free tools, Avira, seems to come out of it fairly well. I have just checked out the Avira privacy policy and it states "Avira sends suspicious programs only (executable files) to our secure German data centers. Avira does not send any personal data. Files such as pdf, doc, xls as well other personal data, like pictures and videos are not being automatically sent."

AhnLab and Emsisoft are two paid-for products that won't send URLs or documents over the internet.

Making the choice between which product to use/buy should not have to be a choice that involves how much privacy you are willing to give up, but rather how good it is at keeping you secure. At the moment though it seems to be both.

Tuesday, 27 May 2014

Coffee shop or WiFi shop?

I nipped into the Student Union coffee shop on my way back from a job and was a little shocked by the numbers of laptops I could see. I did a quick head count while I was waiting and found most people were using the area to work or study, rather than to buy food or drink. A few people were doing both, but the majority seemed to just be there to use the WiFi, and it probably helps that it is a nicer space (comfy sofas, light and airy, music) than a number of other study areas.

*63 clients seen on the controllers (probably including a number of phones in pockets and passers by).

While most were using laptops there were a few others just making notes on paper. There were only two or three tables in the whole space where people weren't working in some visible capacity.

This sort of information is good to know, as it impacts on how you design the space from a networking point of view. We may need to treat this area more like a teaching space, where we want to ensure a high density of clients can get connected and achieve a usable speed.

Friday, 23 May 2014

WLC 7.6 and MFP anomalies

Since we have set up a wireless controller with WLC 7.6 we are seeing large numbers of alarms starting with: "MFP Anomaly Detected - x 'CCMP Not Encrypted' violation(s) have originated from the client with MAC..."

MFP, as I understand it, is Management Frame Protection and is used to help prevent denial of service and man in the middle attacks. While I am fairly sure nobody is trying to attack our test environment, I am pretty concerned that this has coincided with a group of Apple device users reporting they have trouble connecting, or lose connection and have to reauthenticate.

We have set MFP from optional to disabled on the controller that is reporting all the problems but the alarms still persist, as do the problems with Macs and iPhones. The client MAC addresses on the alarms all display Apple or unknown as the vendor type. I can't see any obvious other problems and all other devices seem to be working well.

I'd love to stop people using Apple kit, but I don't think that is going to work somehow.

If/when I find a solution I will update below. It may have to involve a call to Cisco before too long.

Update 27/05/14

I am still seeing the errors after the MFP changes, but I am also seeing Apple OSX Mavericks clients being unable to connect without displaying an error.

Update 30/05/14

A few days off and still scratching my head. Not just Apple devices now but reports from a variety of devices and OS's. 3 people complained in one room and, when investigated, had an SNR of 40dBm and signal strength in the -50dBm's; they had an AP in their room, which typically works fine when we are stood in the room.

Of course, we were told by management that packet capturing tools were too advanced and we didn't need that level of expertise. Now, though, at this stage what are we supposed to do without them?

Update 09/07/14

This morning we upgraded our controllers to The MFP anomaly alarms are still appearing on Prime, but leaving MFP and QoS disabled and reapplying the config to our backup controller seems to have halted the client connectivity issues that have been reported. So far the affected users say the wireless has been much better.

Going to keep the support call open with our supplier as Prime is currently showing 225 critical alarms.
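
With hundreds of MFP alarms on Prime, a first triage step is to total the violations per client and per OUI so a handful of noisy clients stand out. The script below is an added example, not part of the original post or any Cisco tooling; the alarm prefix is the one quoted above, while the assumption that the MAC address follows directly after "MAC", the sample lines and every address in them are constructed.

```python
import re
from collections import Counter

# Constructed sample alarms: only the message prefix comes from the post.
# The trailing MAC format and all addresses below are assumptions.
PREFIX = "MFP Anomaly Detected - {n} 'CCMP Not Encrypted' violation(s) " \
         "have originated from the client with MAC {mac}"
SAMPLE_ALARMS = "\n".join([
    PREFIX.format(n=12, mac="00:11:22:aa:bb:01"),
    PREFIX.format(n=3, mac="00:11:22:aa:bb:02"),
    PREFIX.format(n=7, mac="00:11:22:AA:BB:01"),   # same client, upper case
    PREFIX.format(n=5, mac="02:00:5e:10:20:30"),
    PREFIX.format(n=1, mac="66-77-88-01-02-03"),   # dash-separated variant
    "AP 'lab-ap-1' interface changed state",        # unrelated line, skipped
])

ALARM_RE = re.compile(
    r"MFP Anomaly Detected - (\d+) '([^']+)' violation\(s\) have originated "
    r"from the client with MAC\s+((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)

def normalise_mac(mac):
    """Lower-case, colon-separated form so one client is counted once."""
    return mac.lower().replace("-", ":")

def is_locally_administered(mac):
    """Bit 0x02 of the first octet set: the address is not taken from a
    vendor OUI, so a vendor lookup will return nothing for it."""
    return bool(int(mac[:2], 16) & 0x02)

def summarise(text):
    """Return (violations per client, violations per OUI, local MACs)."""
    per_client, per_oui = Counter(), Counter()
    for line in text.splitlines():
        m = ALARM_RE.search(line)
        if not m:
            continue
        mac = normalise_mac(m.group(3))
        per_client[mac] += int(m.group(1))
        per_oui[mac[:8]] += int(m.group(1))
    local = sorted(mac for mac in per_client if is_locally_administered(mac))
    return per_client, per_oui, local

if __name__ == "__main__":
    clients, ouis, local = summarise(SAMPLE_ALARMS)
    for mac, total in clients.most_common():
        print(f"{mac}  {total:4d}  {'local' if mac in local else 'oui'}")
    print("by OUI:", ouis.most_common())
```

Clients reported with the locally-administered bit set are worth separating out before reading anything into an "unknown" vendor label, since no OUI lookup can resolve them.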