Monday, June 11, 2012

Fun with Certificates

Fun with certificates. Wow. Certificates in an enterprise are a delicate item to undertake, even just end-point certificates such as users, workstations and SCEP/NDES devices. I finally issued my first certificate to an iPad as a -computer- account, following a lot of the blogs on the internet. Now it is time to see if that cert can be used for device authentication on our new wireless overlay. Yeah, we could do generic accounts on the device, which is the fallback plan. We've found that anything we have to rely on the end-point user for tends to carry a certain amount of support cost. I'll fully document everything this weekend if it works and we get to deploy a successful test (10-100 units). 1 is easy. 10 is work. 100 needs automation. Have to get it relatively automated if possible. No comment on the lack of documentation except on Microsoft-oriented sites. To those who have created the content, I thank you! These are the basic sites I visited and followed.

Notice the lack of Apple content. There is a reason! Bad Apple! You will need to download the iPhone Configuration Utility too. The issue I had was with the X.500 name. There are hints and direction, but people are stingy on this one. My entry looked like

O=mycompany.com, CN=iPad123456

O is our domain as listed in the certificate signing piece. If your CA signs certs for devices in mycompany.com, then put O=mycompany.com.
CN is the device name you gave it. We use our asset tag system. This doesn't have to match much along the way. Until I fixed those I was getting 0x80094001. The other flavor, "the request subject name is invalid or too long", is addressed by the authors above.
The O should be capitalized, and so should the CN. Including a comma and a space might be necessary; I haven't chased the rabbit that far down the hole yet.
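As an added example (not code from the original post), the PowerShell below turns the "1 is easy, 100 needs automation" problem into a loop: it builds the subject in the form that worked above, O=mycompany.com, CN=iPad<asset tag>, writes one SCEP enrollment profile per asset tag that the iPhone Configuration Utility can open, and afterwards queries the CA database to confirm each device's certificate was actually issued. The NDES URL, the profile identifier prefix, the key size, the CA config string and the CSV of asset tags and challenges are all assumptions for the example; NDES enrollment challenges are single-use by default, so the CSV needs one per device.

```powershell
# Added example, not code from the original post.  Writes one SCEP enrollment
# profile (.mobileconfig) per asset tag, using the subject form the post found
# to work, and checks the CA database afterwards for the issued certificate.
# Assumed (not from the post): the NDES URL, profile identifier prefix, key
# size, CA config string, and one single-use NDES challenge per device.

$Org           = 'mycompany.com'                                      # the post's O= value
$NdesUrl       = 'https://ndes.mycompany.com/certsrv/mscep/mscep.dll' # assumed host; default NDES path
$ProfilePrefix = 'org.mycompany.scep'                                 # assumed reverse-DNS identifier
$KeySize       = 2048                                                 # assumed

function New-DeviceSubject {
    # Subject in the form the post found to work: O=<org>, CN=iPad<asset tag>
    param([Parameter(Mandatory = $true)][string]$AssetTag)
    # Restrict the CN to characters that never need RFC 4514 escaping.
    if ($AssetTag -notmatch '^[A-Za-z0-9][A-Za-z0-9-]*$') {
        throw "Asset tag '$AssetTag' contains characters that would need escaping in a DN"
    }
    $cn = "iPad$AssetTag"
    # X.520 caps O and CN at 64 characters each; going over is one way to get
    # 'The request subject name is invalid or too long' back from the CA.
    foreach ($value in @($Org, $cn)) {
        if ($value.Length -gt 64) { throw "Subject attribute '$value' exceeds 64 characters" }
    }
    $dn = "O=$Org, CN=$cn"
    # The .NET DN encoder throws on a subject it cannot encode; fail here, not on the device.
    $null = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName($dn)
    return $dn
}

function New-ScepProfile {
    # Returns the XML of a configuration profile carrying one SCEP payload.
    param([Parameter(Mandatory = $true)][string]$AssetTag,
          [Parameter(Mandatory = $true)][string]$Challenge)
    $null = New-DeviceSubject -AssetTag $AssetTag   # validates; throws on a bad tag
    $cn   = "iPad$AssetTag"
    $orgX = [System.Security.SecurityElement]::Escape($Org)        # XML-escape anything
    $urlX = [System.Security.SecurityElement]::Escape($NdesUrl)    # that lands in a text node
    $chX  = [System.Security.SecurityElement]::Escape($Challenge)
    $profileUuid = [guid]::NewGuid().ToString().ToUpper()
    $payloadUuid = [guid]::NewGuid().ToString().ToUpper()
    # The SCEP payload carries the subject as an array of RDNs, each an array of
    # [attribute, value] pairs; the Configuration Utility builds this from the string you type.
    return @"
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>$ProfilePrefix.$AssetTag</string>
  <key>PayloadUUID</key><string>$profileUuid</string>
  <key>PayloadDisplayName</key><string>Device certificate for $cn</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>$ProfilePrefix.$AssetTag.scep</string>
      <key>PayloadUUID</key><string>$payloadUuid</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>$urlX</string>
        <key>Name</key><string>$orgX</string>
        <key>Subject</key>
        <array>
          <array><array><string>O</string><string>$orgX</string></array></array>
          <array><array><string>CN</string><string>$cn</string></array></array>
        </array>
        <key>Challenge</key><string>$chX</string>
        <key>Keysize</key><integer>$KeySize</integer>
        <key>Key Type</key><string>RSA</string>
        <key>Key Usage</key><integer>5</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"@
}

function Export-ScepProfiles {
    # $DeviceList: CSV with columns AssetTag,Challenge (constructed for this example).
    param([Parameter(Mandatory = $true)][string]$DeviceList,
          [Parameter(Mandatory = $true)][string]$OutDir)
    $utf8NoBom = New-Object System.Text.UTF8Encoding($false)   # plain UTF-8, no BOM
    foreach ($row in Import-Csv -Path $DeviceList) {
        $xml = New-ScepProfile -AssetTag $row.AssetTag -Challenge $row.Challenge
        [System.IO.File]::WriteAllText((Join-Path $OutDir "iPad$($row.AssetTag).mobileconfig"), $xml, $utf8NoBom)
    }
}

function Test-DeviceCertIssued {
    # Ask the CA database for an issued (Disposition 20) cert with this CN.
    # $CaConfig is 'host\CA common name', as shown by certutil -dump.
    param([Parameter(Mandatory = $true)][string]$AssetTag,
          [Parameter(Mandatory = $true)][string]$CaConfig)
    $rows = certutil -config $CaConfig -view -restrict "CommonName=iPad$AssetTag,Disposition=20" -out 'RequestID,CommonName,NotAfter'
    return (@($rows | Where-Object { $_ -match '^Row \d+:' }).Count -gt 0)   # one 'Row N:' per match
}
```

Run it as `Export-ScepProfiles -DeviceList .\ipads.csv -OutDir .\profiles`, push the profiles out, then `Test-DeviceCertIssued -AssetTag 123456 -CaConfig 'subca.mycompany.com\My Sub CA'` (paths and CA name assumed) for each tag. The asset-tag regex is deliberately strict: a comma, plus sign or quote inside a CN value has to be escaped in a DN string, and an unescaped one is an easy way to get a malformed subject back from the CA. Key Usage 5 asks for digital signature plus key encipherment.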

Onto the next fun part: Cisco ISE. Oh boy! The 1.1 release software is fun.

Friday, June 8, 2012

Quick update

We've been busy! The summer projects are about to start. We ran school late this year. Short list of items:

  • When deploying workstation certificates, check which servers can issue the certificates. Things you learn along the way.
  • Having new team members is fun. New blood. New perspective. New questions. Nice thing to have. 
  • Having issues with WhatsUp Gold "crashing". Trying to have it read some WMI from Windows servers and it just stops scanning. Everything. Not good.
  • Good is the VM discovery feature in WhatsUp. Check that "discover VM environment" option!
  • Updating and verifying 3500 edge switches is a pain in the ... well, it's a pain. Once verified, WhatsConfigured will take over and rule. Voice config, security and a few other configs to update.
  • Emergency construction is fun. And smelly. Broken water lines, of all flavors! Have to move our equipment (workstations, network stuff, others) out of the way. 
  • Every 3rd-party application wants to do upgrades this week, such as our bus route software, special ed (x2), energy management, food service, and a couple of others. Not a bad thing, but they asked -- yesterday. Saying no isn't a real option. At least for most of these the vendors will WebEx/remote in and do the upgrade. So, Veeam snapshot before starting in case they -aw !@#$- it. 
  • Google Calendar is awesome. Sharing a calendar with vendors/resellers regarding schedules at schools is beneficial. We're having to train them how to sign up and use it, but all in all it is good. Better than having to continually export an ICS from Exchange. 
That has been the last week. And my people are busier than me. It's good to have a team that runs $1M mostly on their own.

Friday, June 1, 2012

Nothing Technical

The only downside to summer planning is that all that happens is meetings. And once those are done, you have to schedule more meetings. Nature of the beast. The kids are going. The teachers are going. The buildings are about to empty. Facilities, Construction, Training, Summer School and Technology all want a chance at the empty buildings to do tasks, whether it be painting, waxing, moving AC units, continuing ed credits, credit recovery, and whatever we are supposed to do (phones, wireless, iPads, Nooks, etc.). Time to get on the same page to start. We all know about best laid plans, etc., but at least if you start on the same page you can adjust. Here's hoping we get to the same page. That's why the lack of technical fun recently. And I'm tired of getting errors with iPads trying to register as a device with NDES/SCEP. Grrr. Need those 4-6 hours uninterrupted to turn up the debugging to really see what the errors are.

Wednesday, May 30, 2012

Coordination

Woo! Summer is almost here! Welcome to the beginning of an organized train wreck called summer project time. Well, not quite a train wreck, but does it ever feel like it. Trying to cram all the work that was put off during the year because it was too intrusive, too expensive or too time intensive into 8-10 weeks. I think we need a bigger shoe horn sometimes. Here are the few items we are trying to coordinate.


  1. Construction at 6 sites
  2. Summer School
  3. Summer Cleaning/Waxing Schedule
  4. Summer painting schedules
  5. Technology projects
  6. Start of new school year stuff
  7. Vacations
  8. Politics 
Ok. It is only 7 items. Each has anywhere between 2-20 sub-items beneath it. For example, who cares about summer cleaning, right? Well, everyone in the district does. The floors gotta -shine- the first day those kids come back. First impressions matter. And a shine with my big ol' hoof print in it isn't going to win me any points. So we have to schedule around that process which takes about 5 days per school with 4 schools going at a time. 

I'll even break out item 5, cause, well, that's what I do for a living.

  • 5a -- deploy new phones to 40 sites!
    • Pick up old phones
      • What do we do with the wall where the old phone was mounted? Yikes!
    • deploy new phones
      • verify extensions
      • verify e911
    • configure a fax solution now that we are all IP
  • 5b -- deploy 1000 access points to 40 sites!
    • Verify student, staff, and guest SSIDs work right
    • install about 100 switches to light up said APs
  • 5c -- implement new email policy
  • 5d -- deploy out 300 iPads
  • 5e -- deploy out 300 Nooks
  • 5f -- deploy out 1200 new workstations/laptops
  • 5g -- Upgrade internet pipe to larger size
  • 5h -- implement new content filter
I'm sure if I polled my group, they'd add 2 or 3 more each. 

Anyhow that's what we do during the summer. Working with the other departments is fun. Teamwork matters. 

Wednesday, May 16, 2012

Microsoft CAs & DNS entries

Important lesson on implementing a Microsoft CA and autoenrollment: make sure your primary DNS suffix and such is set to your CA's domain. We had broken out our workstations to be registered in their campus locations for DNS, such as workstationa.mydomain.org. Yeah, not so good when you set up autoenrollment on your CA. After following guides from http://www.kurtdillard.com/StudyGuides/70-640/6.html and http://security-24-7.com/windows-2008-r2-certification-authority-installation-guide/, I got a sub CA with a hidden root running. Lesson learned for future network designs. Always, always, always buy Enterprise server licenses for your CA. Anyhow, the registration errors on both the CA and the client would give a "DNS entry not found" error (sorry, not RDP'd in to pull the exact language). We've since modified our GPO so the primary DNS suffix is only mydomain.org. Autoenrollment is working great now.
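As an added example (not code from the original post), the PowerShell below checks the condition described above on a workstation, that the effective primary DNS suffix, the GPO-supplied suffix and the AD domain all agree, then triggers an autoenrollment pass with certutil -pulse and lists the machine certificates the CA issued along with the template each came from. The domain name mydomain.org is the post's; the CA common name and the need to run elevated are assumptions for the example.

```powershell
# Added example, not code from the original post.  Checks the condition the
# post found necessary for computer certificate autoenrollment (the
# workstation's primary DNS suffix must be the AD domain the CA serves), then
# forces an autoenrollment pass and lists what the CA issued, without waiting
# for the next Group Policy refresh.  Assumed: 'mydomain.org' is the post's
# domain; the CA name 'My Sub CA' is made up; run elevated on the workstation.

$ExpectedSuffix = 'mydomain.org'
$CaName         = 'My Sub CA'          # assumed; certutil -dump shows the real one

function Get-DnsSuffixState {
    $tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $dnsGpo = 'HKLM:\SOFTWARE\Policies\Microsoft\System\DNSClient'
    $params = Get-ItemProperty -Path $tcpip  -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $dnsGpo -ErrorAction SilentlyContinue
    $adDomain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
    New-Object PSObject -Property @{
        Effective = $params.Domain             # primary DNS suffix in use now
        Pending   = $params.'NV Domain'        # value that takes effect at next boot
        Policy    = $policy.PrimaryDnsSuffix   # from the 'Primary DNS Suffix' GPO, if set
        AdDomain  = $adDomain
        Ok        = ($params.Domain -eq $adDomain) -and ($adDomain -eq $ExpectedSuffix)
    }
}

function Invoke-AutoEnrollCheck {
    $state = Get-DnsSuffixState
    if (-not $state.Ok) {
        Write-Warning ("Primary DNS suffix '$($state.Effective)' does not match AD domain " +
                       "'$($state.AdDomain)'; this is the mismatch that broke autoenrollment in the post")
    }
    certutil -pulse | Out-Null     # run the autoenrollment task now
    # Machine certs issued by our CA, with the template each came from
    # (Certificate Template Information extension, OID 1.3.6.1.4.1.311.21.7).
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -like "CN=$CaName*" } |
        ForEach-Object {
            $cert = $_
            $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' }
            New-Object PSObject -Property @{
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                Template = $(if ($tmpl) { $tmpl.Format($false) } else { '(no template extension)' })
            }
        }
}
```

Get-DnsSuffixState on its own is a read-only check and safe to run anywhere; Invoke-AutoEnrollCheck kicks the autoenrollment task, so run it where you want a certificate to appear. A workstation whose primary DNS suffix differs from its AD domain name is what Microsoft calls a disjoint namespace, which is exactly the per-campus naming the post backed out of.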

Next up is how to get an iPad a workstation cert, following a few of the guides. Will let you know.

Intermittent

Wanted to say these are the worst problems to troubleshoot. Especially when they are happening to your own equipment. AIGH! Probably should reboot the workstation and not blame the network. Always, always step one (after whining and bitching): reboot.

Friday, May 11, 2012

Writing Tech Cabling Needs for Architects and Installers

When building or updating a school, writing out a data cabling plan, especially for the infrastructure to hand to the architect, can appear to be a daunting task. However, one of my professors a long time ago told me something very important: make it into smaller problems. 

Our process starts by thinking about what types of rooms are in a school: classrooms, offices, libraries, science labs, computer labs, cafeterias, gyms, hallways, and maybe a few others. 

Let's break one of those down. What's in a classroom? A teacher's computer station, a projector of some sort, maybe a few student stations, and perhaps kids with student devices (iPads, Nooks, Kindles, etc.). What connectivity is needed at a teacher computer station? A data drop, a phone drop (likely a data drop), an interface to the projector, a power outlet, and maybe something else? So that makes 2 data drops, an AV plug, and power for a teacher computer location. Maybe we want to define the AV plug a bit more. Most projectors have 2 SVGAs, HDMI, mini audio, S-Video and RCA crap. Well, we get lots of tech support calls on S-Video and RCA, so we don't install them. No reason to create a headache in the future for both groups. If you give people a spot to plug in a cable, they will. Simple but important lesson. The cables will need to be run to the projector, so that fact will need to be noted (btw, there are some cool solutions that will fit in a 3/4" to 1" conduit for this). 

Now onto the projector. Let's call this the ceiling, since more things will be up here. You have the projector, which will need power and the matching AV from the teacher location. If there are lots of wireless devices, maybe a network drop. Most rooms have speakers too. Some are getting cameras. We do all these over IP in our house. Let's count: 1 data for the projector for management, 1 for wireless, 1 for speakers, and 1 for camera/future. 4 data in the ceiling plus an AV box, and don't forget power for the projector. Using a custom ceiling tile here works well. Other things the designers will want to know is the throw of the projector, so learn to dig up cut-sheets. 

Next, student drops. Data and power, just how many? We do 2 or 4 depending on the age. We are dropping to two since all devices now are wireless. No reason to put data on the wall that won't be used.

It looks like we've just defined a classroom: a teacher station location, an AV/ceiling location, and student data locations. Other notes to add for the designers: projectors do not like hot air. Do not place a vent in front of the projector. It works great... until the first cold day. You'll find you can reuse a lot of your definitions as you go. Our spec to hand to architects and designers is about 8-10 pages. We add stuff for IDFs, MDFs, etc. We even cover service loops, support structure and other items. It ends up taking about 1-2 days to write it out, with another to clean it up.

And thanks again to my professor who taught me to solve a bunch of small problems.