ThousandEyes Pi4 Wi-fi Deployment at Black Hat USA

This information paperwork the setup and set up procedures used to deploy ThousandEyes at Black Hat 2023. This doc covers configuration of the TE agent on Raspberry Pi 4, together with each wired and wi-fi configurations. Wanted {hardware} for the assorted setup features are additionally listed.

Please notice that TE Enterprise Brokers will solely present information for layer 3 hops, and won’t present wi-fi entry level information. This is applicable to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wi-fi. The one TE agent that may present wi-fi AP information is the TE Endpoint Agent, which is meant to be put in on laptops and private gadgets.

There are a number of totally different {hardware} contingencies that have to be accounted for earlier than convention setup can happen.

1. A keyboard that may hook up with the USB port on the Raspberry Pi
2. Laptops that may hook up with the Pi Micro SD for TE agent provisioning. We used a number of totally different options for this:
   • An SD card to Micro SD adapter, which related to the SD reader on a Mac laptop computer (the SD reader just isn’t out there on all fashions)
   • A Vivitar Micro SD to USB-C adapter, which related to the USB-C port on a Mac laptop computer
   • A Micro SD to USB adapter that got here with the Raspberry Pi 4 Cana Equipment. This was related to a USB to USB-C Mac adapter
3. Screens that may hook up with the Raspberry Pi Micro HDMI port. This may be so simple as a standard HDMI monitor that connects to the Pi by way of HDMI to Micro HDMI, however these weren’t out there throughout the setup days of the convention. We used two options:
   • A conveyable monitor that related to the Pi by way of an HDMI to Micro HDMI cable
   • An adapter that related to the Pi by way of Micro HDMI, related to a Mac HDMI adapter, with the Mac HDMI adapter related to a USB-C port on the Mac laptop computer

Black Hat 2023 Pi 4 Kits

10x Raspberry Pi 4 Cana Kits, every with the next:

• 32GB Micro SD card
• Micro SD to USB adapter
• Case
• Heatsink
• Fan

Instance of constructed Pi with heatsinks and fan connected:

Observe that we had overheating points with the fan set to drag air out of the case. Orienting the fan to blow into the Pi case was more practical for our deployment.

The Raspberry Pi can learn Micro SD playing cards. The set up process is to obtain the TE Pi installer from the TE GUI, join the Micro SDs to the provisioning laptops, after which use balenaEtcher to put in the TE picture to the Micro SD.

From the ThousandEyes GUI, navigate to Cloud & Enterprise Brokers > Agent Settings.

Click on on Add New Enterprise Agent.

If the provisioning laptops should not have a Micro SD card reader then adapter options will probably be wanted to put in the TE picture to the Micro SD. For Black Hat 2023, we used a mixture of the next {hardware} with Mac laptops.

2x Vivitar Mac USB-C to Micro SD adapter

1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles—the USB has an extra slot for the Micro SD card, which then plugs right into a USB port—on this case, the Mac adapter proven).

1x Micro SD to SD adapter

Creating the wi-fi configuration for the Pi can happen both earlier than or after booting the Pi for the primary time with the Micro SD picture that was configured within the prior part. If you need to create the wi-fi configuration earlier than booting the Pi, please comply with the steps on this part. Alternatively, if wi-fi just isn’t getting used or wi-fi configuration can happen after booting the Pi, this part can safely be skipped. Please notice that configuring wi-fi after booting the Pi would require enabling SSH on the TE agent, together with any requisite firewall guidelines to achieve the Pi over port 22.

Additionally notice that this part requires particular {hardware} and software program, as coated within the subsequent paragraphs. If the wanted {hardware} and software program just isn’t out there, the wi-fi configuration can nonetheless be completed utilizing handbook procedures given in later sections.

Earlier than starting the configuration, notice that the SSID and SSID password have to be exhausting coded. If the TE agent can not hook up with the hardcoded SSID after reboot, the wi-fi connection will fail. If the hardcoded SSID and password must be modified after the preliminary setup, it is going to be essential to (re)allow SSH on the TE agent.

Additionally notice that the TE agent file system have to be mounted onto a laptop computer to carry out these steps. At Black Hat 2023, we have been solely in a position to accomplish this step utilizing a Linux OS. Makes an attempt to mount the Micro SD on Mac didn’t accurately mount the TE agent partitions.

• Log in to a Linux system and join a Micro SD with the TE agent put in (this process was coated within the prior part). Use the Micro SD connection methodology supplied firstly of the information.
• Run the df command to confirm the mounted partitions. The under screenshot exhibits the df output earlier than and after connecting the Micro SD card, with the 2 mounted partitions seen after operating the two^nd df command. Observe the partition paths highlighted in pink, as they are going to be wanted to create the doit.sh script in Step 5.

• Create a file named rc.native in a selected listing. The particular identify ‘rc.native’ is critical for the script to run throughout the TE agent bootup course of.
• Create the script file:

# vim rc.native

• Sort ‘i’ to edit, and kind or paste the next:

#!/bin/bash
/configure_te_pi.sh
exit 0

• Sort ‘:’ then ‘wq!’ to save lots of the modifications and exit the file.
• Create the configure_te_pi.sh script in the identical listing because the rc.native file. Change the <SSID> and <SSID password> fields within the under script with the SSID and PSK that the Pi will hook up with. The SSID and PSK can be modified later, however it will require enabling SSH on the TE agent after which connecting to it.
• Create the script file:

# vim configure_te_pi.sh

• Sort ‘i’ to edit, and kind or paste the next:

#!/bin/bash
apt-get replace -y
apt-get set up te-va-unlock -y
apt-get set up net-tools ifmetric wireless-tools -y
ifconfig wlan0 up
wpa_passphrase <SSID> <SSID password> > /and many others/wpa_supplicant.conf
wpa_supplicant -B -i wlan0 -c /and many others/wpa_supplicant.conf -D wext
ifmetric eth0 200
sed -i ‘1iauto wlan0niface wlan0 inet dhcp’ /and many others/community/interfaces
dhclient wlan0
systemctl masks apt-news.service
systemctl masks esm-cache.service

• Sort ‘:’ then ‘wq!’ to save lots of the modifications and exit the file.
• Create the doit.sh script in the identical listing because the prior two scripts. Observe that the paths to the /writeable and /system-boot mounts will must be crammed in with the paths collected in Step 1.
• Create the script file:

# vim doit.sh

• Sort ‘i’ to edit, and kind or paste the next, modifying the paths to match the output in Step 1:

#!/bin/bash
cp rc.native /media/<username>/writeable/and many others
cp configure_te_pi.sh /media/<username>/writeable/and many others
chmod +x /media/<username>/writeable/configure_te_pi.sh
chmod +x / media/<username>/writeable/and many others/rc.native
umount /media/<username>/system-boot
umount /media/<username>/writable

• Sort ‘:’ then ‘wq!’ to save lots of the modifications and exit the file.

An instance of the script created for the output in Step 1 is supplied under.

#!/bin/bash
cp ~iredden/rc.native /media/iredden/writable/and many others
cp ~iredden/configure_te_pi.sh /media/iredden/writable
chmod +x /media/iredden/writable/configure_te_pi.sh
chmod +x /media/iredden/writable/and many others/rc.native
umount /media/iredden/system-boot
umount /media/iredden/writable

• Run the doit.sh script. The doit.sh script will carry out the configuration after which unmount the partitions, as proven under.

With the above steps full, the Micro SD card may be faraway from the laptop computer and related to the Raspberry Pi. The Pi will execute the scripts throughout bootup and hook up with wi-fi, if the SSID configured is reachable and the PSK is appropriate. Please see the subsequent part for setup directions and different concerns.

Additionally notice {that a} wired connection to the Pi continues to be really helpful for preliminary setup. Though the Pi TE agent can efficiently pull a wi-fi IP tackle throughout preliminary bootup, the TE agent is not going to show a wi-fi IP tackle on a related monitor, solely a wired one.

As soon as the TE picture has been put in on the Micro SD, join the Micro SD to the Raspberry Pi.

It’s essential to know the IP tackle assigned to a TE agent after preliminary boot in an effort to full preliminary registration. Whereas a Pi with a wi-fi configured TE agent can pull a wi-fi IP throughout its preliminary bootup, it is not going to show the wi-fi IP on a related monitor, solely a wired IP tackle. For that reason, it’s nonetheless really helpful to attach an ethernet cable to a wi-fi Pi earlier than preliminary energy on and use the assigned eth0 IP to carry out preliminary setup. The one various to a wired connection on preliminary boot is to determine the wi-fi IP tackle of the TE agent by means aside from a related monitor, comparable to by way of direct entry to the wi-fi AP that the TE agent connects to.

Two items of {hardware} are used to carry out the preliminary setup of the Raspberry Pi TE agent: (1) a keyboard that may hook up with the Pi by way of USB, and (2) a display screen that may hook up with the Pi by way of Micro HDMI. Preliminary setup may be carried out with out the keyboard if (a) an IP tackle is assigned to the TE agent by way of DHCP, and (b) the DHCP tackle may be recognized by way of the related display screen or by different means. Equally, preliminary setup may be accomplished with out the display screen if there may be one other option to determine the DHCP IP tackle assigned to the TE agent, comparable to admin entry to the swap related to the TE agent.

Regardless of the above options, a related keyboard and monitor are really helpful for ease of deployment and any wanted troubleshooting.

For the keyboard, we used a Bluetooth keyboard with a indifferent USB fob, however any keyboard that may hook up with the Pi by way of USB will work.

For the display screen, we used two separate {hardware} options.

The primary answer is a Kenowa moveable monitor with an HDMI to Micro HDMI cable. The HDMI facet of the cable connects to the Kenowa, and the Micro HDMI facet of the cable connects to the Raspberry Pi.

The second answer we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop computer. The Pi connects to the Elgato by way of a micro HDMI to HDMI cable. The Elgato makes use of an everyday HDMI cable to hook up with the HDMI facet of a Mac HDMI to USB-C adapter, with the USB-C facet of the Mac adapter connecting on to a Mac laptop computer.

With the {hardware} configurations within the prior sections full (i.e. the Pi is related to an ethernet port, monitor, and keyboard), join the Pi energy adapter to start preliminary boot.

As soon as the Pi is powered on, the TE agent set up will take a couple of minutes to run (extra if web entry just isn’t out there). As soon as the bootup is full, the Pi will show a message if an IP tackle was assigned to the ethernet port by way of DHCP.

If no IP tackle was assigned to the ethernet port by way of DHCP, the TE agent will show a unique message stating no IP tackle is configured. If that is so, it is going to be essential to both manually assign an IP tackle to the ethernet port utilizing a keyboard, or determine the IP tackle of the wi-fi interface utilizing admin entry to the related wi-fi AP.

• As soon as the IP tackle of the TE agent is understood, hook up with the IP by way of HTTPS and register with username admin and password welcome.

• Change the default password to one thing safer and click on Change Password.

• The GUI ought to routinely take you to Agent within the left menu.

• Retaining the ThousandEyes Bodily Equipment GUI open, create a brand new tab in your browser and hook up with the ThousandEyes net GUI, then click on on Cloud Enterprise Brokers > Agent Settings.

• Click on on the Add New Enterprise Agent

• Copy the Entry Group Token. Observe: the Copy button could not work, by which case click on the attention icon to point out the token and replica it manually.

• Return to the TE agent GUI and paste the Account Group Token into the Agent Click on Proceed.

• The GUI will routinely load the Assessment Equipment Standing and Diagnostics fields ought to change to inexperienced because the registration completes. Click on the Full button.

• Click on on the Community tab.

• Configure the hostname for the agent.

• Scroll all the way down to the DNS configuration and enter the inner and Exterior DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 exterior Umbrella DNS servers. These may be moved to DNS server 3 and 4 if inner DNS servers are most well-liked.

Jailbreaking the TE agent is critical for escalating to root and performing the instructions vital to construct the scripts for the wi-fi configuration.

We must always replace the Ubuntu OS earlier than operating the jailbreak command. Connect with the TE agent by way of SSH, then run the next two instructions to first replace the OS after which jailbreak the set up:

$ sudo apt-get replace
$ sudo apt-get set up te-va-unlock

With the TE agent efficiently jailbroken, we will now escalate to root and carry out the remainder of the configuration.

Earlier than starting this part, notice that the SSID and SSID password have to be exhausting coded. If the TE agent can not hook up with the hardcoded SSID after reboot, the wi-fi connection will fail. If the hardcoded SSID and password must be modified after the preliminary setup, it is going to be essential to (re)allow SSH on the TE agent and hook up with it over SSH.

• Escalate to root and create a file named rc.native within the /and many others listing. The identify is critical for the script to run throughout the TE agent bootup course of.

Create the script file:

$ sudo su
# cd /and many others
# vim rc.native

• Sort ‘i’ to edit, and kind or paste the next:

#!/bin/bash
/configure_te_pi.sh
exit 0

• Sort ‘:’ then ‘wq!’ to save lots of the modifications and exit the file. 
• Run the next to set the script permissions:

# chmod +x /and many others/rc.native

• Create the configure_te_pi.sh script within the prime degree / listing. Change the <SSID> and <SSID password> fields within the under script with the right values. The SSID and password can be modified later, however it will require a later SSH connection to the agent.
• Create the script file:

# cd /
# vim configure_te_pi.sh

• Sort ‘i’ to edit, and kind or paste the next, changing the <SSID> and <SSID password> fields with the right values:

#!/bin/bash
apt-get replace -y
apt-get set up te-va-unlock -y
apt-get set up net-tools ifmetric wireless-tools -y
ifconfig wlan0 up
wpa_passphrase <SSID> <SSID password> > /and many others/wpa_supplicant.conf
wpa_supplicant -B -i wlan0 -c /and many others/wpa_supplicant.conf -D wext
ifmetric eth0 200
sed -i ‘1iauto wlan0niface wlan0 inet dhcp’ /and many others/community/interfaces
dhclient wlan0
systemctl masks apt-news.service
systemctl masks esm-cache.service

• Sort ‘:’ then ‘wq!’ to save lots of the modifications and exit the file.
• Run the next to set the script permissions:

# chmod +x /configure_te_pi.sh
Reboot the Pi and check to substantiate that the wi-fi NIC can hook up with the ThousandEyes net account.

• From the ThousandEyes net GUI, navigate to Cloud & Enterprise Brokers > Agent Settings.

• Establish a registered TE agent with a wi-fi interface, then click on on it.

• Find the Basic Data The personal IP tackle of the TE agent will probably be displayed, which is the IP tackle that the TE agent used to hook up with the ThousandEyes net supervisor. If the TE agent has each an ethernet and wi-fi port, you may click on the System Data hyperlink to substantiate which IP tackle is assigned to every interface.

• Navigate to Cloud & Enterprise Brokers > Check Settings.

• Develop one of many exams after which broaden the Brokers

• Click on on the Enterprise button and broaden the dropdown subsequent to an agent with wi-fi enabled. If the agent has each a wired and a wi-fi interface enabled, they’ll each be displayed as within the screenshot under.

About Black Hat

GitHub with scripts

For TE brokers to function accurately, they might want to each hook up with ThousandEyes over the web and have firewall ACL entry to carry out any configured exams. Seek advice from the next doc for lists of ports and protocols per area.

Throughout testing of the wi-fi TE agent for Raspberry Pi, it was seen that the brokers misplaced connectivity with the ThousandEyes net supervisor after a variable period of time. Troubleshooting a number of failed brokers recognized logs related to updates to the apt-news.service and esm-cache.service processes instantly earlier than failure of the wlan:

syslog

Aug  6 02:17:04 registration-wireless systemd[1]: Began PackageKit Daemon.
Aug  6 02:17:20 registration-wireless systemd[1]: Beginning Replace APT Information…
Aug  6 02:17:20 registration-wireless systemd[1]: Beginning Replace the native ESM caches…
Aug  6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded.
Aug  6 02:17:21 registration-wireless systemd[1]: Completed Replace APT Information.
Aug  6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded.
Aug  6 02:17:22 registration-wireless systemd[1]: Completed Replace the native ESM caches.
Aug  6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Misplaced service

Extra data on the 2 providers may be discovered right here: