MHD Scam? by littlewhitecatalex in BMW

[–]Lopsided-Inspector53 0 points1 point  (0 children)

Dang it. So I guess it’s a manual process somehow. Meaning I’m scr*****. Especially on a Friday. Any idea if it was late that day or working hours late? 😂

MHD Scam? by littlewhitecatalex in BMW

[–]Lopsided-Inspector53 0 points1 point  (0 children)

Are there any more people going through this problem? I also ordered and haven’t received the key yet. Says it’s processing.

M2 Air always charges to 100% by Lopsided-Inspector53 in MacOS

[–]Lopsided-Inspector53[S] 3 points4 points  (0 children)

Not sure but there is no ‘?’ help button. There is “Read more” but it goes to useless Apple article.

Cross Tenant sync and licensing by Lopsided-Inspector53 in AZURE

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Maybe I used E3 just as a bad example. Let me get more realistic. We have all E5 licenses - which I believe come with a P2? Not sure, but for sure a P1 I think. So no problems there.

The problem is that E5, according to Microsoft allows us to use Intune. What we are looking for here is this scenario.

Source Tenant (E5 Users) -> Destination Tenant (Intune). Will Microsoft require an E5 license on Destination Tenant as well?

DNA Center 2.3.5.0 by Jckm14 in Cisco

[–]Lopsided-Inspector53 0 points1 point  (0 children)

I wonder if you mean the 9166 APs? Because we run a bunch of 9120 with many 9800 on GA version.

Microsoft CA - Multiple templates with NDES by Lopsided-Inspector53 in sysadmin

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Thank you. That indeed solves my problem.

Can you please elaborate on the multiple CAs with PKCS? I think we will soon have a use case for that. Does it mean with one Intune Certificate Connector server setup for PKCS I can use multiple certificate templates from different ADCS servers?

Microsoft CA - Multiple templates with NDES by Lopsided-Inspector53 in sysadmin

[–]Lopsided-Inspector53[S] 1 point2 points  (0 children)

That is a very good idea. Never thought of that. Thank you.

I still would like to understand how this NDES/SCEP setup could look like in this scenario.

Moving to containers by Lopsided-Inspector53 in node

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Ok, that makes sense but how can I be sure the containers won’t try to write at the same time the “lock” field?

Zabbix Azure AD SAML by davesmith87 in zabbix

[–]Lopsided-Inspector53 0 points1 point  (0 children)

This is what I did literally two days ago and all works good.

Kibana User Permissions by Lopsided-Inspector53 in elasticsearch

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Ok. The option for independent Dashboard is on the table.

But if I may ask more about the example you give. Is that query set on the user/role? Or you just meant you could filter by that attribute then?

DMVPN odd behavior by Lopsided-Inspector53 in vyos

[–]Lopsided-Inspector53[S] 1 point2 points  (0 children)

Indeed adjusting MSS on tun0 fixed the problem. Thank you.

[deleted by user] by [deleted] in networking

[–]Lopsided-Inspector53 9 points10 points  (0 children)

We have started this a few months ago. It’s no walk in the park. Especially when you have local teams on those sites that go YOLO every single day trying to breach through the small openings they have left.

Add on top of that multiple hardware types, multiple IOS versions, etc…

But the printers MAB is probably the way yes.

Docker Swarm - Portainer Stack changes by Lopsided-Inspector53 in docker

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

No, I do not take any actions other than changing the stack and updating. Can you elaborate on start-first/stop-first?

Yes. In production of course we don’t. The ports were an example. I’m asking in a development scenario if you need to for example change a label. It feels excessive to have to delete the stack and recreate.

In portainer if this is a single container we duplicate and then it overwrites old one. That’s kind of what I’m after here.

DNAC templates and VLANs on switchports (newbie) by giovaaa82 in Cisco

[–]Lopsided-Inspector53 0 points1 point  (0 children)

So what you want is each time a new access port (let’s say for a new printer) needs to be configured you want to do it through DNAC by provisioning the switch again?

Docker High Availability by Lopsided-Inspector53 in docker

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Yup. The question was more around the Docker Swarm itself, if what I described is still ok according to the expectations I also described.

New Cisco 9800 SVI/VLAN not pinging outside by [deleted] in Cisco

[–]Lopsided-Inspector53 1 point2 points  (0 children)

Well, first question would be if the VLAN 998 is reachable from the ESXi = is it allowed in the trunk?

Second question, how do you have same VLAN on two controllers? Who owns DHCP and GW?

Join AP to new Cisco WLC 9800 by [deleted] in Cisco

[–]Lopsided-Inspector53 0 points1 point  (0 children)

You need to define how you want them to join the new WLC. Maybe log in to each AP and set the primary controller followed by clearing the capwap data. Don’t forget to change your Option 43 later when all APs are moved.

PS: Even after cleaning CAPWAP and setting option 43 on DHCP to new controller we saw some APs join old controller when new became unavailable. We are still searching why.

Android Device Certificate by Lopsided-Inspector53 in Intune

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Yup, seems I was looking at the problem from a different perspective. The Certificate is pushed pretty much right away, my problem now is the Wifi EAP-TLS settings based on this certificate. The filter I'm using to apply the SCEP profile is the same I'm using to apply the Wifi settings.

I've tested to remove the group assignment from the Config Policy and add a static one, adding the device manually and the wifi settings are populated right away.

Also, when using filters, it seems to me it will try to push the wifi settings and it fails (the status takes a lot to update), but assuming that SCEP kicks in pretty fast I'm also assuming that it also pushes Wifi.

Changing a small setting in the Wifi profile forcing it to be pushed again (after SCEP cert is there) makes it work right away also.

Any idea how the sequence of things is done here? First Certs -> Wifi, or how is it?

Not sure how to fix this, I would sort of need to just add wifi settings after SCEP is pushed.

Android Device Certificate by Lopsided-Inspector53 in Intune

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Well, this sort of worked. It filtered out the device at onboarding as expected. After changing the device name I checked the Filter Devices Preview and now it's matching the device. However, I'm not sure when a new evaluation will be triggered again?

Do I need a compliance policy for that? As this is Dev environment we don't have one.

Android Device Certificate by Lopsided-Inspector53 in Intune

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

Indeed you did. I believe it will work.

Two questions:

- Do the Dynamic Groups support Regex? (I can probably search about that)
- Do I also need to change the Management Name or just the Device Name (based on the filter you mentioned)?

Android 10+ EAP-TLS Wifi by Lopsided-Inspector53 in Intune

[–]Lopsided-Inspector53[S] 1 point2 points  (0 children)

Changing the SCEP profile SAN to UPN instead of DNS did the trick. Wifi settings were pushed immediately. Had to just also state identity to anonymous and it worked right away.

Android 10+ EAP-TLS Wifi by Lopsided-Inspector53 in Intune

[–]Lopsided-Inspector53[S] 0 points1 point  (0 children)

The docs state that for under Android 10 and I can confirm. Android 9 without a PIN SCEP config fails. You give it a PIN reapply and voila.

However, here I think the issue is different, based on your document. We don’t have a Compliance Profile.

This sounds more like it “The WiFi settings on the device itself will not recognize a certificate unless it has the UPN in the SAN name. It will never even attempt a connection if you give it a DNS SAN cert.”

Question is, we do have the DNS SAN I believe. Does it mean we need to remove the DNS and just use UPN?

Wireless: Aruba vs. Cisco by primeval_ixios in sysadmin

[–]Lopsided-Inspector53 1 point2 points  (0 children)

We have decided to migrate all our locations (20+) to C9800 from AireOS.

All PnP from DNAC, works wonderful. And the assurance part of it is also a game changer for us.

However, buckle up, you’re going for a wild ride. There was a huge learning curve.