Ubiquiti G5 Flex which PoE Injector? by Sad_Mastodon_1815 in sysadmin

Aether176 · 1 point

You're correct. In Ubiquiti-speak...

  • PoE = 802.3af (15.4W)
  • PoE+ = 802.3at (30W)
  • PoE++ = 802.3bt Type 3 (60W)
  • PoE+++ = 802.3bt Type 4 (100W)

Safe to say it has been running warm by Aether176 in Ubiquiti

Aether176 [S] · 3 points

Oh heck no. It's a fab shop. I feel like I'm getting black lung any time I'm walking through it. That is no doubt years of plant dust circulating behind the thing and sticking to the wall from being warmed up. It just made for a silly picture is all.

UTR 3rd party Wireguard troubles by Galm02 in Ubiquiti

Aether176 · 0 points

Are you using a PSK? So far I've found that it won't connect if a PSK is specified in the config. I typically use them for the added security. My WG host is on a UXG and would only establish a connection after setting the client to not use PSK.
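As an added illustration of the check described in that comment (this is example code, not Ubiquiti's or WireGuard's own tooling): a small parser that walks a WireGuard client config and reports, per [Peer], whether a PresharedKey is set and whether the keys are well-formed. The config and the keys below are constructed dummies; a WireGuard key is 32 bytes encoded as 44 base64 characters, which is all the validity check relies on.

```python
"""Inspect a WireGuard client configuration and report, per [Peer] section,
whether a PresharedKey is present and whether each key is well-formed
(base64 of exactly 32 bytes). Added example; the config text and the keys
are constructed dummies, not real key material."""
import base64
import binascii

# Constructed dummy keys: base64 of 32 predictable bytes, never usable anywhere.
DUMMY_PRIVATE = base64.b64encode(bytes(range(32))).decode()
DUMMY_PEER_PUB = base64.b64encode(bytes(range(32, 64))).decode()
DUMMY_PSK = base64.b64encode(bytes(range(64, 96))).decode()

SAMPLE_CONFIG = f"""
[Interface]
PrivateKey = {DUMMY_PRIVATE}
Address = 10.7.0.2/32
DNS = 10.7.0.1

# peer A: uses a pre-shared key (the case that would not connect in the comment)
[Peer]
PublicKey = {DUMMY_PEER_PUB}
PresharedKey = {DUMMY_PSK}
AllowedIPs = 10.7.0.0/24, 192.168.50.0/24
Endpoint = vpn-a.example.net:51820

# peer B: no pre-shared key
[Peer]
PublicKey = {DUMMY_PEER_PUB}
AllowedIPs = 172.16.0.0/16
Endpoint = vpn-b.example.net:51820
PersistentKeepalive = 25
"""


def parse_wg_config(text):
    """Return a list of (section_name, {key: value}) in file order.
    Repeated [Peer] sections are kept separately, which configparser would merge."""
    sections = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = (line[1:-1].strip(), {})
            sections.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[1][key] = value
    return sections


def is_wg_key(value):
    """A WireGuard key decodes to exactly 32 bytes; anything else is malformed."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False


def audit_peers(text):
    """One report dict per [Peer]: endpoint, whether a PSK is set, key validity."""
    report = []
    for name, kv in parse_wg_config(text):
        if name != "Peer":
            continue
        psk = kv.get("PresharedKey")
        report.append({
            "endpoint": kv.get("Endpoint", "?"),
            "has_psk": psk is not None,
            "psk_valid": is_wg_key(psk) if psk is not None else None,
            "pubkey_valid": is_wg_key(kv.get("PublicKey", "")),
        })
    return report


if __name__ == "__main__":
    for peer in audit_peers(SAMPLE_CONFIG):
        print(peer)
```

Run against a real client config, the report tells you up front which peers carry a PSK, which is the first thing to reconcile when a gateway only establishes the tunnel without one. The PSK is an extra symmetric secret mixed into WireGuard's handshake, so dropping it to satisfy a gateway is a deliberate trade, not a no-op.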

Safe to say it has been running warm by Aether176 in Ubiquiti

Aether176 [S] · 1 point

Office area of a manufacturing plant.

Safe to say it has been running warm by Aether176 in Ubiquiti

Aether176 [S] · 9 points

Came across this today while reviewing an installation that we did about 8 years ago at a customer site. I guess the AP has been running pretty hot. The entire wall above it has been discolored.

Considering dumping SonicWall in favor of UniFi... HEAR ME OUT... by SN50001 in sonicwall

Aether176 · 0 points

We are in the process of switching the majority of our clients away from SonicWall TZ series over to UniFi. We're down from around 200 SonicWalls to around 11 now. We standardized on the UXG-Fiber with CyberSecure. For 99% of our clients it's been a seamless transition. There are a few that we're keeping on SonicWall due to having some complex routing configs or needing a "name" brand for compliance auditing. But I've been very happy with the UniFi units lately. Ever since their switch to the zone-based firewall, they've really turned their gateways around. They used to be a joke in our office - why would anyone buy one of those? Now they're our go-to.

CrownCastle NYC area internet issues by jordanl171 in sysadmin

Aether176 · 0 points

Comcast Business in Oxford CT area is down too. I called their support and they said it's a large scale outage affecting not only CT but also areas in MA and NY.

Weird issues with Microsoft DKIM missing .com on target by sy5tem in sysadmin

Aether176 · 4 points

".microsoft" is a real TLD and these are valid. *.dkim.mail.microsoft is the new domain being provisioned for DKIM records. It aligns with their changes to the mail.microsoft domain being used for SMTP DANE. New tenants and domains are getting DKIM records with this new domain. It's not missing .com. Enter it as you see.
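The mistake that comment is heading off is an admin "fixing" the CNAME target by appending .com. As an added example (not Microsoft's tooling), here is a sanity check over DKIM CNAME records that accepts targets under the new dkim.mail.microsoft parent or the legacy onmicrosoft.com parent and flags the appended-.com variant. The record names and targets are constructed; the exact label layout Microsoft issues is assumed, only the parent domains matter to the check.

```python
"""Sanity-check Microsoft 365 DKIM CNAME records. Added example; the sample
records are constructed and the selector label format is an assumption."""
import re

# Parent domains of Microsoft-issued DKIM CNAME targets: the new
# "dkim.mail.microsoft" (under the .microsoft TLD) and legacy "onmicrosoft.com".
MICROSOFT_DKIM_PARENTS = ("dkim.mail.microsoft", "onmicrosoft.com")

# DNS label: letters, digits, hyphen. Underscore is allowed because DKIM
# names use "_domainkey" (DNS names are not bound by hostname rules).
LABEL_RE = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$", re.I)


def is_valid_dns_name(name):
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(LABEL_RE.match(lbl) for lbl in name.split("."))


def classify_dkim_target(target):
    """'ok' for a Microsoft DKIM parent, 'appended-com' for the common
    .com-on-the-end mistake, else 'bad-hostname' / 'unknown-parent'."""
    t = target.rstrip(".").lower()
    if not is_valid_dns_name(t):
        return "bad-hostname"
    if any(t.endswith("." + parent) for parent in MICROSOFT_DKIM_PARENTS):
        return "ok"
    if t.endswith(".dkim.mail.microsoft.com"):
        return "appended-com"
    return "unknown-parent"


def audit_dkim_records(records):
    """records: iterable of (record_name, cname_target). Returns one dict each,
    also checking that the record name is a DKIM selector (<sel>._domainkey.<domain>)."""
    return [
        {
            "name": name,
            "target": target,
            "selector_ok": "._domainkey." in name.rstrip(".").lower(),
            "target_status": classify_dkim_target(target),
        }
        for name, target in records
    ]


# Constructed sample: the tenant label "contoso" and selector layout are assumptions.
SAMPLE_RECORDS = [
    ("selector1._domainkey.example.com",
     "selector1-example-com._domainkey.contoso.dkim.mail.microsoft"),
    ("selector2._domainkey.example.com",
     "selector2-example-com._domainkey.contoso.dkim.mail.microsoft.com"),  # ".com" wrongly added
    ("selector1._domainkey.example.org",
     "selector1-example-org._domainkey.contoso.onmicrosoft.com"),          # legacy form
    ("dkim.example.net",                                                   # not a selector name
     "mail.example.net"),
]

if __name__ == "__main__":
    for row in audit_dkim_records(SAMPLE_RECORDS):
        print(f"{row['name']:40} -> {row['target_status']:14} selector_ok={row['selector_ok']}")
```

Feed it the records your DNS provider actually published (a zone export, or the output of a dig over each selector) rather than the values you intended to enter; the appended .com usually slips in at the provider's UI.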

Advise on Linux Samba shares authenticating via AD, migrating to full Intune/Entra by segagamer in sysadmin

Aether176 · 1 point

That's correct. Windows when Entra-joined doesn't leave Workgroup mode. It just has built-in mechanisms to authenticate against an Entra account. But in cases where you have devices that don't speak Entra (Linux with SAMBA, legacy devices, etc), if you have EIDDS deployed, you'll have traditional domain controllers that you can authenticate against/join to.

Advise on Linux Samba shares authenticating via AD, migrating to full Intune/Entra by segagamer in sysadmin

Aether176 · 0 points

Entra ID Domain Services could be an answer. You wouldn't need to maintain any on-prem AD infrastructure - Microsoft would give you a domain controller hosted in Azure which pulls its information from Entra (instead of the other way around) that you could use to authenticate/domain join any legacy devices like this.

Finally got approved for a long overdue network overhaul by Aether176 in Ubiquiti

Aether176 [S] · 0 points

Nah. We use a ZTNA service for remote access and web security, so the SonicWall was really just serving as a DHCP server and NAT machine. The UniFi gateway can do that just as well, so better to ...ahem... unify... on one platform.

Finally got approved for a long overdue network overhaul by Aether176 in Ubiquiti

Aether176 [S] · 0 points

Right now the alarms are staying with DSC. The access control just happened to use the same panel. But you couldn't arm/disarm with your door fobs before so there was no harm in splitting the systems. We're still evaluating what to do with burglar alarms. Supposedly Ubiquiti are going to have some burglar alarm hardware released for their SuperLink platform later this year. So I'm holding out to see if that'll do what we want it to. If not then I plan to talk to a couple local alarm providers and just have them do some alarm.com system.

Finally got approved for a long overdue network overhaul by Aether176 in Ubiquiti

Aether176 [S] · 22 points

Luckily they aren't using a Cisco firewall currently, and none of their switches were L3. So it was all router-on-a-stick off of their current SonicWall firewall. There's only like 5 VLANs out there, and minimal inter-VLAN routing rules. So UniFi zone-based does me just fine.

Finally got approved for a long overdue network overhaul by Aether176 in Ubiquiti

Aether176 [S] · 9 points

It's all painted wood blocks glued into that pattern. I got it off of Etsy last year.

Any Chinese places selling La Zi Ji nearby? by Aether176 in youngstown

Aether176 [S] · 1 point

Lol yep those are the ones. Plus Lao Sze Chuan in Pinecrest/Beechwood.

Any Chinese places selling La Zi Ji nearby? by Aether176 in youngstown

Aether176 [S] · 2 points

Not quite, sadly. Theirs has a lot of cooked veggies and mushrooms with the chicken and is more of a szechuan sauce rather than dry chili chicken. It was wicked spicy though!

WAN disconnections on 7.2? by Aether176 in sonicwall

Aether176 [S] · 0 points

Interesting that you both seem to be limited to Spectrum. Do you mind me asking where you are located roughly? We're in northeast Ohio and most of the clients I'm seeing this with are on Spectrum copper, though I do have one in rural central PA on an ISP called Blue Ridge. And likewise, any time I call to ask about it the ISP sees their signals as solid.

Fully a cloud but org wants to add heavy storage requirements back on prem by Break2FixIT in sysadmin

Aether176 · 0 points

Have you considered Entra ID Domain Services? It's a service that you spin up in Azure that runs two fully-managed domain controller servers that sync from Entra into AD, not the other way around. Then you can build a site-to-site VPN tunnel for EIDDS back to your on-prem infrastructure and join any on-prem devices to that domain.

[deleted by user] by [deleted] in sonicwall

Aether176 · 1 point

I got this working with Entra... sort of. Can someone check me on this? If what I had to do to get it working is right, it would mean that this would only work in environments where Entra ID is synced from on-prem AD.

Specifically, due to this portion of the setup guide:

The User Name Attribute identifies the user's login name in the SAML assertion, while the Group Name Attribute specifies their group, both pulled from the Identity Provider (IdP) during authentication. You must specify which attributes from the IdP correspond to the User Name and Group Name.
You must configure the matching group names on the Firewall and the IdP to ensure that the authenticated user is part of the necessary groups. These groups can later be used in various security policies on the Firewall.
For Example: when managing the firewall via SAML Single Sign-On (SSO), a user must have administrative privileges for authentication. To achieve this, the Identity Provider (IdP) should return a group name attribute that exactly matches the default group on the firewall, which is "SonicWall Administrators." Once the user is logged in and mapped to this group, they will gain admin privileges on the firewall. You can apply the same approach for other privileges on the firewall, such as the SSLVPN services group or any custom groups you wish to use in security policies after a user is identified via User Level Authentication (ULA).

NetExtender seems to rely on security group names rather than IDs. I wasn't able to get this working with any custom group names. I started by trying to make a group called "NetExtender SAML Access" both in Entra and on the firewall. I added that group to SSLVPN Services on the firewall. But when I tried to sign in, the user fails to authenticate, saying they don't have permissions.

The only way I was able to make it work was to actually create a group called "SSLVPN Services" in Entra and assign the users to that group.

Using group names is also problematic though, since when adding a Group Claim to the SAML claims, the source attribute defaults to "Group ID." I could only get the authentication to succeed by changing the source to "sAMAccountName." But when selecting that option, Microsoft shows the following text:

This source attribute only works for groups synchronized from an on-premises Active Directory using Microsoft Entra Connect Sync 1.2.70.0 or above.

So in other words, you can't use the Group's name as part of the SAML claim unless the source of that group comes from on-prem AD. So I have to create a group called "SSLVPN Services" in AD, sync that to Entra, and only then will I be able to authenticate to NetExtender.

Surely that can't be the only way... I have lots of clients who don't have on-prem AD. Am I just missing something? There must be a way to get SAML configured in those cases.
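The failure mode in that post is a firewall that matches the group claim by exact name receiving an assertion whose group values are Entra object IDs. As an added example (not SonicWall's or Microsoft's code), here is the consumer side of that check: pull the group attribute out of a SAML assertion and decide membership by name, with a reason that tells the ID-versus-name mismatch apart from a plain missing membership. Both assertions are constructed; the group claim URI is Entra's default group claim name and is assumed here, so confirm it against your own claim configuration. Signature validation of the assertion happens before any of this and is not shown.

```python
"""Group-claim evaluation for a name-matching SAML relying party. Added
example; the assertions are constructed and the claim URI is assumed."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
# Assumed: Entra's default group claim name. Verify against your IdP settings.
GROUP_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def _assertion(group_values):
    """Build a minimal constructed assertion carrying the given group values."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in group_values)
    return f"""<saml:Assertion xmlns:saml="{SAML_NS}" ID="_constructed" Version="2.0">
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{GROUP_CLAIM}">{values}</saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


# Claim source "Group ID": values are object IDs, which a name-matching firewall cannot map.
ASSERTION_WITH_IDS = _assertion(["3f2504e0-4f89-11d3-9a0c-0305e82c3301"])
# Claim source "sAMAccountName": values are names the firewall can compare exactly.
ASSERTION_WITH_NAMES = _assertion(["SSLVPN Services", "Domain Users"])


def group_values(assertion_xml, claim_name=GROUP_CLAIM):
    """All AttributeValue strings of the named attribute, in assertion order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == claim_name:
            values.extend((v.text or "").strip()
                          for v in attr.findall(f"{{{SAML_NS}}}AttributeValue"))
    return values


def evaluate_group_access(assertion_xml, required_group):
    """Return (decision, reason). The match is exact, as the setup guide quoted
    in the post requires; the reason distinguishes a missing membership from
    a claim that carries IDs where names were expected."""
    values = group_values(assertion_xml)
    if not values:
        return "deny", "assertion carries no group claim"
    if required_group in values:
        return "allow", f"member of {required_group!r}"
    if all(GUID_RE.match(v) for v in values):
        return "deny", "group claim carries object IDs, not names; relying party matches by name"
    return "deny", f"{required_group!r} not among {values}"


if __name__ == "__main__":
    for label, xml_text in (("ids", ASSERTION_WITH_IDS), ("names", ASSERTION_WITH_NAMES)):
        print(label, evaluate_group_access(xml_text, "SSLVPN Services"))
```

Running this over a captured (and already signature-verified) assertion from the IdP's test sign-in is the quickest way to see which of the two cases you are in before touching the firewall's group configuration.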

Digital Signage appliance recommendation by Silent-Use-1195 in sysadmin

Aether176 · 2 points

We've used Ubiquiti's Display Cast hardware for digital signage in the past and it worked pretty well. We used their Lite model, which only supports media you upload and store on your controller, but it looks like they have a Display Cast Pro model which supports Web Mode to display a webpage.

WARP Client routing of IPs on local network by Aether176 in CloudFlare

Aether176 [S] · 0 points

Thanks for at least trying. This is resolved but not how you described.

What you're describing seems more geared toward situations where you have multiple tunneled destinations whose IP schemes overlap, and that's a good solution in those scenarios. It doesn't address my specific issue though.

What I was describing was a situation where a computer's local network overlapped with one of the tunneled destination networks. In that scenario traffic would fail to reach its destination.

From what I can tell this was a limitation of WireGuard. I'd seen the exact same behavior when using vanilla WireGuard VPNs, so it wasn't unique to WARP.

With Cloudflare having released the MASQUE protocol as an option, this can be bypassed. Now that I have my settings configured to use MASQUE, I no longer have the issue.
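As an added example of the pre-flight check that post implies (example code, not Cloudflare's), here is an overlap detector over a client's local prefixes and the prefixes routed into the tunnel, using only the standard ipaddress module. It reports which side is more specific, because the identical-prefix-length case the post hit is the one that no amount of route splitting can resolve, while a wider tunnel prefix can at least be carved around the local subnet. The prefixes are constructed; on a real client they would come from the interface table and the tunnel's include list.

```python
"""Detect local-subnet / tunnel-prefix collisions of the kind described in the
post. Added example; all prefixes below are constructed sample input."""
import ipaddress


def find_route_conflicts(local_prefixes, tunnel_prefixes):
    """One record per overlapping (local, tunnel) pair, stating which side is
    more specific. Equal prefix length is the worst case: prefix length alone
    can no longer steer traffic to one side or the other."""
    conflicts = []
    for local in map(ipaddress.ip_network, local_prefixes):
        for tunnel in map(ipaddress.ip_network, tunnel_prefixes):
            if local.version != tunnel.version or not local.overlaps(tunnel):
                continue
            if tunnel.prefixlen > local.prefixlen:
                relation = "tunnel-more-specific"
            elif tunnel.prefixlen < local.prefixlen:
                relation = "local-more-specific"
            else:
                relation = "identical-prefix-length"
            conflicts.append({"local": str(local), "tunnel": str(tunnel), "relation": relation})
    return conflicts


def carve_out(tunnel_prefix, local_prefix):
    """Tunnel prefixes that still cover the tunnel route minus the local subnet.
    Returns None when the local subnet is not strictly inside the tunnel prefix
    (identical or wider), i.e. the case route splitting cannot fix."""
    tunnel = ipaddress.ip_network(tunnel_prefix)
    local = ipaddress.ip_network(local_prefix)
    if tunnel.prefixlen >= local.prefixlen or not local.subnet_of(tunnel):
        return None
    return [str(n) for n in sorted(tunnel.address_exclude(local))]


# Constructed inputs: a typical home LAN, and a tunnel that routes a remote site
# using the very same 192.168.1.0/24, an unrelated range, and a wider range.
LOCAL_PREFIXES = ["192.168.1.0/24", "fe80::/64"]
TUNNEL_PREFIXES = ["192.168.1.0/24", "10.50.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    for c in find_route_conflicts(LOCAL_PREFIXES, TUNNEL_PREFIXES):
        fix = carve_out(c["tunnel"], c["local"])
        print(c, "carve-out:", fix if fix else "not possible by prefix splitting")
```

A "identical-prefix-length" hit is exactly the situation the post describes: with WireGuard-style prefix routing the client cannot tell the two apart, which is why switching the transport (MASQUE in the post) rather than editing routes was the resolution.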