Cisco UCS authentication with RADIUS and Windows Server 2008 and 2012

I’ve recently decided to roll out RADIUS to all shared-login devices that support it (mostly network devices). When dealing with basic Cisco and Juniper switches, it’s pretty trivial and well documented. NX-OS is a bit more difficult because authentication methods are mutually exclusive: you cannot simultaneously authenticate with a local account and a RADIUS account. RADIUS needs to be completely down for a Nexus switch to revert to local authentication.

The biggest annoyance in that “RADIUS everything” project was in fact UCS. Cisco are big proponents of their in-house RADIUS server, ACS. That makes things a bit difficult when you’re using Windows as your RADIUS server.

There is very little detailed documentation that exists for setting up RADIUS on the UCS platform.

Cisco’s documentation is very sparse and doesn’t mention authentication methods (spoiler alert: it’s unencrypted).
The most helpful resource is this Tumblr (!!) blog post about Windows 2003 Server and IAS. While it’s more detailed, it really doesn’t look like NPS in Windows Server 2008 and above.

So, without further ado, here’s how I did it.

I’ll skip the NPS installation and initial configuration because it’s really not the point of this post.

In NPS, create a new Network Policy (under Policies):

  • Type of network access server: Unspecified
  • Conditions: Add the Windows Group you’ll be using to grant admin access to UCS. You can also add a “Client Friendly Name” to filter out the authentication requests. Please remember that in order to use friendly names, you need to add your UCS Fabric Interconnects as RADIUS Clients. You will need to add the main IP as well as the A and B Fabric Interconnects in order for authentication to work. The “Device Manufacturer” or “Vendor Name” must be set to “RADIUS Standard” for UCS equipment.
  • Access permission: Access granted (obviously)
  • Authentication methods: simply select “Unencrypted (PAP, SPAP)” as the authentication method and nothing else.
  • Constraints: none, unless you want to configure timeouts.
  • Settings: RADIUS Attributes > Standard > remove everything then add Service-Type (Attribute number 6) Login.
  • RADIUS Attributes > Vendor Specific > add Vendor-Specific (Attribute number 26) > add network access server vendor Cisco then “Yes, it conforms” then click “Configure Attribute…” > Vendor-assigned attribute 1, Attribute format String, Attribute value shell:roles*"admin network-admin"

It should look like this:


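The two NPS attributes above, as an added example (this is not code from the original post, from Cisco or from Microsoft): it builds the Access-Accept attributes NPS returns (Service-Type Login, and the Cisco Vendor-Specific shell:roles pair, vendor ID 9, vendor-assigned type 1), decodes them back into the role list UCS reads, and shows what “Unencrypted (PAP, SPAP)” means on the wire between the Fabric Interconnects and NPS: the User-Password attribute is only XORed with MD5(shared secret + authenticator) per RFC 2865, so anyone holding the shared secret and a capture recovers the password. That is why the RADIUS shared secret and the network path to NPS deserve the same protection as the admin password itself. The constants are standard RFC/IANA values; the role list, secret and authenticator are constructed sample data.

```python
import hashlib
import struct

# RFC 2865 and IANA constants (standard values, not taken from the post).
ATTR_SERVICE_TYPE = 6         # "Service-Type (Attribute number 6)" in the NPS policy
ATTR_VENDOR_SPECIFIC = 26     # "Vendor-Specific (Attribute number 26)"
SERVICE_TYPE_LOGIN = 1        # Service-Type value "Login"
CISCO_VENDOR_ID = 9           # IANA enterprise number assigned to Cisco
CISCO_AVPAIR = 1              # "Vendor-assigned attribute 1": the cisco-avpair string


def encode_attr(atype, value):
    """Encode one RADIUS attribute as Type (1 byte), Length (1 byte), Value."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute values are limited to 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def encode_cisco_avpair(text):
    """Wrap a cisco-avpair string in a Vendor-Specific (26) attribute."""
    inner = struct.pack("!BB", CISCO_AVPAIR, len(text) + 2) + text.encode()
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + inner)


def ucs_accept_attributes(roles, mandatory=False):
    """Attributes NPS returns in the Access-Accept for a UCS admin: Service-Type=Login
    plus shell:roles. In Cisco AV-pair syntax '*' marks the pair optional (as in the
    post) and '=' mandatory. Roles are space-separated, as written in the post."""
    sep = "=" if mandatory else "*"
    avpair = 'shell:roles%s"%s"' % (sep, " ".join(roles))
    service_type = encode_attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN))
    return service_type + encode_cisco_avpair(avpair)


def decode_attrs(data):
    """Walk a raw attribute blob into (type, value) tuples; Vendor-Specific
    attributes are expanded to (26, vendor_id, vendor_type, value)."""
    out, pos = [], 0
    while pos < len(data):
        atype, alen = struct.unpack_from("!BB", data, pos)
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("truncated Vendor-Specific attribute")
            vendor = struct.unpack_from("!I", value)[0]
            vtype, vlen = struct.unpack_from("!BB", value, 4)
            out.append((atype, vendor, vtype, value[6:4 + vlen]))
        else:
            out.append((atype, value))
        pos += alen
    return out


def ucs_roles_from_attrs(data):
    """Return the role names carried by shell:roles, or [] when no such pair exists."""
    for item in decode_attrs(data):
        if item[:3] == (ATTR_VENDOR_SPECIFIC, CISCO_VENDOR_ID, CISCO_AVPAIR):
            text = item[3].decode()
            if text.startswith("shell:roles"):
                # Accept either separator and either space- or comma-delimited lists.
                names = text[len("shell:roles") + 1:].strip('"')
                return names.replace(",", " ").split()
    return []


def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: the PAP password is padded to 16-byte blocks and each
    block is XORed with MD5(secret + previous block), seeded with the 16-byte
    Request Authenticator. Obfuscation keyed by the shared secret, not encryption."""
    pw = password.encode()
    padded = pw + b"\x00" * (-len(pw) % 16) if pw else b"\x00" * 16
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_user_password(hidden, secret, request_authenticator):
    """Reverse the hiding: whoever holds the shared secret and the packet gets the password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret.encode() + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


if __name__ == "__main__":
    attrs = ucs_accept_attributes(["admin", "network-admin"])   # constructed sample
    print(attrs.hex())
    print(ucs_roles_from_attrs(attrs))
```

Running the block prints the hex of the two attributes as NPS would emit them and the role list UCS derives from them; the decoder rejects truncated attributes rather than reading past the end of the packet.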
Once you are done, simply add a RADIUS provider to your UCS system by doing the following:

  • Log in to UCS.
  • Go to Admin > All > User Management > RADIUS
  • Under RADIUS Providers, add your RADIUS server(s) along with a key you defined in NPS.
  • Then, create a RADIUS Provider Group into which you add the RADIUS Providers you just created.
  • Under Admin > All > User Management > Authentication, create a new domain, name it whatever you’d like, then select the Radius radio button. Select the Provider Group you created for RADIUS. Click OK.
  • Create another domain called local with local as the realm (this is very important and will save you from being locked out if something goes wrong).
  • Under Admin > All > User Management > Authentication > Native Authentication, select Realm: Radius and the Provider Group you created.

Please note that you can use any authentication method for the GUI as long as it’s configured properly. However, the CLI will only work with RADIUS. Local authentication will not work unless your RADIUS infrastructure is completely down.

I have raised a bug with Cisco:

Save and exit.



Elegantly resizing a Linux LVM volume in a virtual machine…

I’ve seen many articles on how to resize an LVM volume after increasing a virtual disk’s capacity. Most write-ups call for adding partitions and simply adding them to the volume group. While it is simple, it’s not future proof since the number of partitions is limited.

Here’s the way I do it. I hope you enjoy!

  1. Resize your virtual disk (this depends on your hypervisor; I use VMware so YMMV).
  2. Shut down the VM and find an ISO that has GParted. I use PartedMagic but the GParted Live ISO works too.
  3. Boot from the ISO, start GParted.
    [Screenshot 1: GParted]
  4. Select the LVM physical volume, right click on it then click on Deactivate.
    [Screenshot 2: Deactivate]
  5. Then right click and choose Resize/Move.
    [Screenshot 3: Resize]
  6. Resize the partition (here, sda2; yours might be different).
    [Screenshot 4: Resize]
  7. Apply the changes by clicking the green checkmark in the toolbar at the top. Click Apply in the popup.
    [Screenshot 5: Apply]
  8. Don’t forget to reactivate the LVM physical volume.
    [Screenshot 6: Activate]
  9. In the terminal, enter the following commands (volume group and logical volume names may vary; do an ls /dev/ if you’re not sure). If vgs shows no free space at this point, GParted did not grow the physical volume along with the partition; run pvresize on it (here /dev/sda2) before extending.
    #extend the logical volume into all of the free space in the volume group
    lvm lvextend -l +100%FREE /dev/lv_hostname/lv_root /dev/sda2
    #check the filesystem for inconsistencies (required before an offline resize)
    e2fsck -f /dev/lv_hostname/lv_root
    #grow the ext filesystem to fill the logical volume
    resize2fs /dev/lv_hostname/lv_root
  10. Shut down the VM, unmount the ISO.
  11. You’re done.


Resizing an OSX partition on a VM hosted on ESXi.

Update 11/2/2014: We are successfully virtualizing Mavericks (10.9) and it is possible to resize disks online without having to go through the following guide. It still applies to Mountain Lion (10.8) and earlier versions.

One of the great things in vSphere 5.1 is that the Mac Pro is a fully supported server for ESXi. That means you can virtualize OSX on supported and recent hardware.

While the templating and integration are not as great as with Windows and Linux, you can deploy VMs in a reasonably short amount of time. Just make sure you don’t check the “Edit virtual hardware (Experimental)” box as it may blow your template up.

If you attempt to grow the disk, you will get a “Partition failed” error message in OSX: “MediaKit reports partition (map) too small.” No matter how many times you try, it won’t work…

At this point you have 4 options:

Since I didn’t have time to place a purchase request, I used a PartedMagic ISO I already had in one of my datastores, only to notice that the ISO wouldn’t boot. This is because OSX VMs run in EFI boot mode only.

Fear not, there is a way to get it to boot:

  1. Shut your VM down.
  2. Right click > Edit Settings.
  3. Increase the disk space to the capacity you want.
  4. Go to the options tab, change the “Guest Operating System” to Windows and select any flavor of Windows in the drop down menu.
    From this: [Screenshot: Guest Operating System before the change]
    To this: [Screenshot: Guest Operating System set to Windows]
  5. Then, still in the Options screen, under “Advanced > Boot Options”, change the boot firmware from EFI to BIOS.
  6. Your VM should now be able to boot from the ISO.
  7. In PartedMagic, start Partition Editor, you should see an error message similar to this:
    Click Fix. If another dialog prompts you to fix something else, click Fix again.
  8. Add a FAT32 partition in the empty space.
  9. Click Apply.
  10. Shut down and revert the Guest OS and Boot Firmware options.
  11. Boot into OSX, delete the FAT32 partition and resize your main partition.
  12. You’re done.


Serving Mountain Lion updates with a server running Lion.

UPDATE 10/03/12: Turns out, Apple decided it’s no longer possible to update a newer OS than what the server is actually running (i.e. no updates for 10.8 if the server is running 10.7). As per this KB article, updating Mountain Lion requires a Mountain Lion server. My stance on this is to use either Reposado or Munki to serve updates moving forward… Apple still doesn’t care about the enterprise market.

Anything below this is deprecated and no longer works. Keeping it here for archiving purposes.

You want to follow this Apple article that applies to Snow Leopard:

Add the following line at the end of the otherCatalogs array in /etc/swupd/swupd.plist:

Then, locate the following line in /etc/swupd/swupd.conf:

RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-lion-snowleopard-leopard.merged-1.sucatalog

Add these 2 lines after:

RewriteCond %{HTTP_USER_AGENT} Darwin/12
RewriteRule ^/index\.sucatalog$ http://%{HTTP_HOST}/cgi-bin/SoftwareUpdateServerGetCatalog?/index-mountainlion-lion-snowleopard-leopard.merged-1.sucatalog

Restart Software Update.


Quick MDT 2012 facts

I’ve been quite busy lately so I’ll try to be quick… I would like to share my discoveries on MDT 2012 and the information I gathered while I was migrating from MDT 2010.

  • Mikael Nystrom’s step by step on how to update BIOS in MDT still works perfectly.
  • Andrew Barnes’ how to integrate BGInfo into WinPE still works, and even better, MDT 2012 comes with a 64-bit version of BGInfo (located at %deploymentshare%\Tools\x64).
  • It is no longer needed to have a custom pane to set local administrators in MDT 2012. Instead use the “SkipAdminAccounts=NO” property in CustomSettings.ini. Please note that the administrators accounts page only appears if you selected “Join a domain” as I mention on the TechNet Forums.
  • Thanks to Michael Niehaus, DaRT integration is now fully supported in MDT 2012. I talked about this earlier but it’s always good to reiterate the benefits of software assurance.
  • A very interesting new feature of MDT 2012 is monitoring. It can be enabled in a few simple steps: Navigate to your deployment share properties, go to the last tab called “Monitoring”, check the box called “Enable monitoring for this deployment share”. Then click OK. It should work right away… A good way to check is to look at your CustomSettings.ini for a new line called “EventService=http://myserver.corp/“. If you run into issues there is always this good troubleshooting article. Used in conjunction with DaRT, you can remotely control deployments from a central location.
  • Another feature that might not be actually that new but still useful is the “SLSHARE=” property. It allows you to set a network share where the logs are written during the deployment. This is particularly useful when your helpdesk people forget to capture logs if a deployment fails. A good security practice is to set a sticky bit, using the user directory technique, on that particular folder since logs may contain sensitive information.
  • You are now able to use only one (32-bit) boot image to initiate both 32-bit and 64-bit deployments. A word of caution, though, if you need to use DaRT to repair an install you will need to boot the appropriate architecture.


Integrate Microsoft Diagnostics and Recovery Tools (DaRT) into the MDT boot image

If you’re running MDT 2012, please read Michael Niehaus’ post:

I recently found out Microsoft Diagnostics and Recovery Tools (I’ll refer to it as DaRT thereafter) was quite handy. It is part of Microsoft Desktop Optimization Pack, which is available for free if you’re covered by Software Assurance.

So basically the goal here is to integrate the tools available in DaRT into the WinPE boot image generated by MDT.

Looks handy, doesn’t it?

DaRT is distributed as an installer which requires Windows 7 setup files to generate a custom WIM encapsulated into an ISO. Sounds quite cool, but that’s one more thing to maintain and update with new drivers… Since the DaRT installer uses WinPE, it shouldn’t be too hard to figure out a way to add some more files to make it work.

Took me a little while to figure out but it ended up working so I’m sharing the technique with you guys:

You will need: Windows AIK, the DaRT installer, MDT 2010 and some kind of archive utility like 7-zip.

You will also need to do this twice, once for the x86 Boot Image and once for the x64 Boot Image.

  1. Acquire the MS DaRT installers for x86 and x64 located in the MDOP iso available through MS Volume Licensing or MSDN.
  2. Follow the wizard to create the 2 ISOs, 1 for x86 and the other one for x64.
  3. Create the following directories: c:\DaRT\ERD and c:\DaRT\files (or whatever/wherever you like).
  4. Expand the ISOs to c:\DaRT\ERD\x86 and c:\DaRT\ERD\x64 (using 7-zip for example).
  5. Open a privileged command prompt and use the following command:
    C:\Program Files\Windows AIK\Tools\Servicing>dism /Mount-Wim /wimfile:c:\DaRT\ERD\x86\sources\boot.wim /mountdir:c:\DaRT\files\x86 /index:1
    C:\Program Files\Windows AIK\Tools\Servicing>dism /Mount-Wim /wimfile:c:\DaRT\ERD\x64\sources\boot.wim /mountdir:c:\DaRT\files\x64 /index:1
  6. At this point you can delete c:\DaRT\ERD if you want.
  7. Go to c:\DaRT\files\x86 and x64. You should see the following directories:
    Program Files
    Program Data
  8. Delete Program Data and Users.
  9. Go to Program Files, delete all directories but “Standalone System Sweeper”.
  10. Go to sources, delete all directories but “recovery”.
  11. Go to Windows, delete all directories but “System32”. Then, under System32 sort files by date. Delete all files and folders that are not timestamped as of the day you created the ISO. That should leave you with 28 files (37 if you have the debugging tools). Additionally, delete winpeshl.ini as it interferes with the MDT wizard.
  12. At this point we’re pretty much done.
  13. Go to MDT, right click on your Deployment Share > Properties.
  14. In both Windows PE x86 Settings or Windows PE x64 Settings at the Extra Directory to add, specify C:\DaRT\files\x86 for the x86 boot image and C:\DaRT\files\x64 for the x64 boot image (or any other folder you may already be using/wanting to use).
  15. Rebuild your deployment share.
You’re done.
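Step 11 is the part most likely to go wrong by hand (a mis-sorted Explorer view and the wrong 28 files are gone), so here is an added example that plans the same timestamp-based prune as a reviewable list before anything is deleted. It is not part of the original post and not a DaRT or MDT tool; the System32 look-alike it builds in a temp directory is constructed sample data, and the date it keys on is a placeholder for the day you ran the DaRT wizard.

```python
import os
import shutil
import tempfile
from datetime import date, datetime

# Placeholder for the day the DaRT ISO was built (constructed, not from the post).
SAMPLE_ISO_DAY = date(2012, 5, 1)


def modified_on(path, day):
    """True when the entry's last-modified time falls on the given calendar day (local time)."""
    return datetime.fromtimestamp(os.path.getmtime(path)).date() == day


def plan_system32_prune(system32_dir, iso_day, always_delete=("winpeshl.ini",)):
    """Names under Windows\\System32 that step 11 removes: every file or folder not
    timestamped on the ISO build day, plus winpeshl.ini (it interferes with the MDT
    wizard). Nothing is deleted here, so the list can be reviewed first."""
    doomed = []
    for name in sorted(os.listdir(system32_dir)):
        if name.lower() in always_delete or not modified_on(os.path.join(system32_dir, name), iso_day):
            doomed.append(name)
    return doomed


def apply_prune(system32_dir, names):
    """Delete the planned entries (folders recursively) and return how many were removed."""
    for name in names:
        path = os.path.join(system32_dir, name)
        if os.path.isdir(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
    return len(names)


def make_sample_system32(iso_day):
    """Build a throwaway System32 look-alike with two fresh and two stale entries
    (constructed sample, not real DaRT files)."""
    root = tempfile.mkdtemp(prefix="dart-system32-")
    fresh = datetime(iso_day.year, iso_day.month, iso_day.day, 12).timestamp()
    stale = fresh - 30 * 86400
    for name, when in [("sweeper.exe", fresh), ("winpeshl.ini", fresh),
                       ("stale.dll", stale), ("olddir", stale)]:
        path = os.path.join(root, name)
        if name == "olddir":
            os.mkdir(path)
        else:
            open(path, "w").close()
        os.utime(path, (when, when))
    return root


if __name__ == "__main__":
    root = make_sample_system32(SAMPLE_ISO_DAY)
    plan = plan_system32_prune(root, SAMPLE_ISO_DAY)
    print("would delete:", plan)           # review this against the expected file count
    print("removed:", apply_prune(root, plan))
    shutil.rmtree(root)
```

Point plan_system32_prune at c:\DaRT\files\x86\Windows\System32 (and the x64 copy), check that what remains matches the 28 (or 37) files the post describes, and only then call apply_prune.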

Make an MDT task sequence resolution independent.

You will often find yourself with a deployed computer that doesn’t match the resolution it’s supposed to use. It’s quite annoying, especially on laptops (have you seen how ugly Windows is when displayed at 1024×768 on a 1920×1200 screen?).

There is a very easy way around that:
  • Go to your task sequence properties.
  • Go to the OS info tab then click on “Edit Unattend.xml”
  • WSIM will launch, navigate to: Unattend\Components\1 windowsPE\x86_Microsoft-Windows-Setup_neutral (replace x86 with x64 if using a 64-bit OS, of course)
  • Delete the Display component.
  • Navigate to Unattend\Components\7 oobeSystem\x86_Microsoft-Windows-Setup_neutral (replace x86 with x64 if using a 64-bit OS, of course)
  • Delete the Display component.
  • Save and exit WSIM.
Congrats, you now have a resolution independent task sequence. It is highly recommended to have up to date drivers available in your deployment process.

Target an advertisement based on the software version in SCCM

Let’s say we want to advertise an update to Adobe Reader only to clients with outdated versions (anything older than 10.0.1).

  • Create a new collection.
  • Edit the membership rules.
  • Click on Edit Query Statement.
  • At the bottom press “Show Query Language”.
  • Paste the following:
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
    SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_ADD_REMOVE_PROGRAMS on SMS_G_System_ADD_REMOVE_PROGRAMS.ResourceID = SMS_R_System.ResourceId where SMS_G_System_ADD_REMOVE_PROGRAMS.DisplayName like "Adobe Reader %" and SMS_G_System_ADD_REMOVE_PROGRAMS.Version != "10.0.1"

Make edits to match the DisplayName and Version according to the results you want.
You’re good to go.
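One thing to keep in mind with the query above: WQL compares Version as a string, so != "10.0.1" also matches newer builds and spellings such as 10.0.1.0, not just “anything older than 10.0.1”. As an added example (not part of the original post and not a ConfigMgr API), the following runs both the literal != test and a real version comparison over constructed inventory rows shaped like the SMS_R_System / SMS_G_System_ADD_REMOVE_PROGRAMS join, so you can see the difference and, if needed, feed the resulting ResourceIDs into a direct-membership rule instead.

```python
import re

# Constructed rows shaped like the query's join (sample data, not from a real site).
SAMPLE_ROWS = [
    {"ResourceID": 1001, "Name": "PC-A", "DisplayName": "Adobe Reader 9", "Version": "9.4.0"},
    {"ResourceID": 1002, "Name": "PC-B", "DisplayName": "Adobe Reader X (10.0.0)", "Version": "10.0.0"},
    {"ResourceID": 1003, "Name": "PC-C", "DisplayName": "Adobe Reader X (10.0.1)", "Version": "10.0.1"},
    {"ResourceID": 1004, "Name": "PC-D", "DisplayName": "Adobe Reader X (10.1.0)", "Version": "10.1.0"},
    {"ResourceID": 1005, "Name": "PC-E", "DisplayName": "Adobe Reader X", "Version": "10.0.1.0"},
    {"ResourceID": 1006, "Name": "PC-F", "DisplayName": "Adobe Flash Player", "Version": "9.0"},
    {"ResourceID": 1007, "Name": "PC-G", "DisplayName": "Adobe Reader 8", "Version": "8.1.2 beta"},
]


def like_to_regex(pattern):
    """Translate a WQL LIKE pattern ('%' = any run, '_' = one character) into a regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)


def version_key(text):
    """Turn '10.0.1.0' or '8.1.2 beta' into a comparable tuple of ints. Trailing zero
    components are dropped so 10.0.1 and 10.0.1.0 compare equal, and non-numeric
    suffixes are ignored instead of breaking the comparison."""
    numbers = re.findall(r"\d+", text.split()[0]) if text.strip() else []
    parts = [int(n) for n in numbers]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def not_equal_clients(rows, name_pattern="Adobe Reader %", version="10.0.1"):
    """What the posted WQL selects: every matching install whose Version string
    differs from the literal, newer builds and '10.0.1.0' included."""
    regex = like_to_regex(name_pattern)
    return sorted({r["ResourceID"] for r in rows
                   if regex.match(r["DisplayName"]) and r["Version"] != version})


def outdated_clients(rows, name_pattern="Adobe Reader %", minimum="10.0.1"):
    """What the post means: matching installs strictly older than the minimum version."""
    regex = like_to_regex(name_pattern)
    floor = version_key(minimum)
    return sorted({r["ResourceID"] for r in rows
                   if regex.match(r["DisplayName"]) and version_key(r["Version"]) < floor})


if __name__ == "__main__":
    print("!= \"10.0.1\" selects:", not_equal_clients(SAMPLE_ROWS))
    print("older than 10.0.1:   ", outdated_clients(SAMPLE_ROWS))
```

On the sample rows the != query picks up PC-D (10.1.0) and PC-E (10.0.1.0) as well, which would push the update to machines that are already current; the tuple comparison leaves them out.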


Unable to run reports in ConfigMgr?

You may get the following error message when trying to generate reports:

“The page you are requesting cannot be served because of the extension configuration. If the page is a script, add a handler. If the file should be downloaded, add a MIME map.”
To solve that, add the ASP Role Service to IIS in addition to