Fixing macOS Sierra/OpenSSH 7.x Compatibility

I’ve seen this question come up several times from users of macOS Sierra who use SSH after upgrading. It usually goes something like, “Has anyone seen this since upgrading to Sierra?”

Unable to negotiate with port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Another issue you might come across is your public key ceasing to work. If you connect with the verbose option (ssh -v hostname), you might catch a bit like this in the output:

Skipping ssh-dss key /Users/scottm/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes

These aren’t Sierra issues per se; they are specifically related to the upgrade from OpenSSH 6.9 in El Capitan to OpenSSH 7.2 in Sierra. OpenSSH deprecated a number of key exchange methods and key algorithms in 7.0. They are still supported, but they are disabled by default. For more information, check out OpenSSH: Legacy Options.

That’s all fine and dandy, but what you really want is a solution. You probably have some security appliance, router, or similar that doesn’t support any other methods and you just need it to work. Perhaps like me, you have an older private key that isn’t up to the new requirements, but you still need to use it. The options to fix these issues are KexAlgorithms +diffie-hellman-group1-sha1 and PubkeyAcceptedKeyTypes=+ssh-dss. You can add these at the command line (ssh -o PubkeyAcceptedKeyTypes=+ssh-dss hostname), but that’s kind of a pain.

A more convenient way to use them is to add these options to your ~/.ssh/config file. If you don’t already have this config file, it’s a plain text file you can create with your text editor of choice. At the top of the file, add:

# Settings for all hosts
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-dss

Now your public key and the key exchange algorithm will work anywhere you connect. Perhaps you’d like a bit more granularity?

# Settings for all hosts
PubkeyAcceptedKeyTypes +ssh-dss

# Host specific settings
Host *
 KexAlgorithms +diffie-hellman-group1-sha1
 User username

This accepts the ssh-dss public key for all hosts, but only enables the diffie-hellman-group1-sha1 key exchange for hosts matching the Host pattern (here the `*` wildcard; narrow it to the name or pattern of the legacy device so the weak algorithm is not offered everywhere). Additionally, this example shows using a different username than your login on your local machine. There are a lot of options available, but these are the ones I use most. You might also find Compression yes to be useful if you connect to hosts over low bandwidth links.
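As an added example (not code from the original post), here is a small Python audit that parses an ssh_config-style file into Host blocks and reports every place diffie-hellman-group1-sha1 or ssh-dss is enabled, flagging entries that apply to every connection (options outside any Host block, or under Host *) so the legacy algorithms can be kept scoped to the one appliance that needs them. The sample config and its hostname are constructed placeholders.

```python
import re
# Algorithms OpenSSH 7.0 disabled by default; enabling them is a deliberate exception.
LEGACY_ALGOS = {"diffie-hellman-group1-sha1", "ssh-dss"}
# Keywords whose values are algorithm lists (PubkeyAcceptedAlgorithms is the
# OpenSSH 8.5+ name for PubkeyAcceptedKeyTypes).
ALGO_KEYWORDS = {"kexalgorithms", "pubkeyacceptedkeytypes", "pubkeyacceptedalgorithms"}

def parse_ssh_config(text):
    """Split an ssh_config into (host_patterns, {keyword: value}) blocks; options
    before the first Host line apply everywhere and are filed under pattern '*'."""
    blocks, patterns, opts = [], ["*"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not (m := re.match(r"([A-Za-z]+)\s*(?:=|\s)\s*(.*)$", line)):
            continue  # ssh_config accepts 'Key value' or 'Key=value'
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((patterns, opts))
            patterns, opts = value.split(), {}
        else:
            opts.setdefault(key, value)  # ssh keeps the first value it sees for a keyword
    blocks.append((patterns, opts))
    return blocks

def find_legacy(text):
    """Return (scope, keyword, algorithm, is_global) for every legacy algorithm enabled."""
    findings = []
    for patterns, opts in parse_ssh_config(text):
        is_global = "*" in patterns  # 'Host *' (or no Host line) matches every connection
        for key, value in opts.items():
            if key not in ALGO_KEYWORDS or value.startswith("-"):
                continue  # a leading '-' removes algorithms rather than enabling them
            for algo in value.lstrip("+^").split(","):
                if algo in LEGACY_ALGOS:
                    findings.append((" ".join(patterns), key, algo, is_global))
    return findings

# Constructed sample config; the hostname is a placeholder, not a real system.
SAMPLE_CONFIG = """\
PubkeyAcceptedKeyTypes +ssh-dss
KexAlgorithms=+diffie-hellman-group14-sha1
Host old-firewall.example.internal
 KexAlgorithms +diffie-hellman-group1-sha1
 User admin
Host *
 Compression yes
"""
```

Running find_legacy over your real ~/.ssh/config shows which legacy entries are global and should be moved into a Host block for the specific device.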

As an aside, if you are a macOS user using Terminal, I highly recommend checking out iTerm2. It’s far superior to Terminal and has many features to improve the experience of using the shell.


ArubaOS 8: VMC and AirMatch

As part of Mobility Field Day Live, I had the opportunity to visit Aruba, a Hewlett Packard Enterprise company, at their Executive Briefing Center in Sunnyvale to learn about their newly introduced Mobile First platform. The foundation for the platform is ArubaOS 8, a major new release with a long list of new features that will give you flexibility in your deployments.
Let’s start with the Virtual Mobility Controller (VMC). This is a virtual wireless controller that includes feature parity with the hardware controllers. Yes, that really does include the data plane. I’m told that the only real bottleneck is throughput and they are seeing 4-5Gbps on your average VM host, which sounds pretty reasonable. If you need more throughput, you can scale out with more VMCs or you can still go with hardware controllers. The physical controllers have hardware acceleration for the encryption processes, which is why a big controller like a 7240 can push as much as 40Gbps.

The way Aruba has chosen to license the VMC makes scaling with it easy, at least assuming you have the VM hosts around to accommodate them. The Virtual Mobility Controller is licensed by the number of APs managed by the Mobility Master, not the APs managed by individual controllers. You can license the VMC in groups of 50, 250, or 1000 APs, but if you install a VMC in standalone mode you must apply the license directly to the controller and lose the ability to share the licenses. This means that if you have 1000 AP licenses attached to your Mobility Master, you can attach any number of VMCs to the Mobility Master so long as your total AP count does not exceed the license. This gives you the flexibility to add additional controllers when and where you need them. Currently, only VMware is supported, but KVM support will be coming with ArubaOS 8.0.1.

Since I mentioned the Mobility Master, let’s look into that a bit more closely. The Mobility Master is the next generation of the Master Controller. It can be an x86 hardware appliance or a VM. The Mobility Master gives you the ability to move services out of the wireless controller so that these services do not impact network performance. In fact, some services are only available when you have a Mobility Master. AirMatch is Aruba’s new RF optimization technology aimed at improving spectrum reuse in high density WLANs. Due to the processing power required, you only get it if you are using a Mobility Master. AirMatch looks at groups of 50 APs and uses statistics from the last 24 hours to determine the best AP power levels, channel plan, and channel width for the network. This is much more powerful than ARM. Here’s a quick side by side comparison:

AirMatch and ARM Comparison

So how does this actually work? Every half hour, each AP measures the RF environment for 5 minutes. During the day, these measurements are collected by the Mobility Master. At 5am every morning, the Mobility Master churns through the numbers from the last 24 hours to determine the optimal channel plan for all the APs and deploys those changes to the network. There are two exceptions to this. First, when an AP is first detected by the Mobility Master, it will recalculate that AP’s channel and power settings every 30 minutes for the first eight hours. After that, the new AP is on the same schedule as the rest of the network. The second exception is a DFS event or significant interference; in either of these cases, the AP can change channels on its own. If you want to see the changes that the Mobility Master is making, you can view some of the details in the AirWave Network Management console.

This really only scratches the surface of what’s happening with Aruba’s Mobile First Platform launch: updates to Aruba Central to manage ArubaOS switches, Aruba Clarity for proactive monitoring, ClearPass Extensions that enable third party development, APIs for developers to create detailed analytics, and much more. Aruba has released a lot of exciting enhancements that will be the foundation of your networks for years to come.


Disclosure: As a delegate for MFD Live with Aruba, Aruba indirectly paid for my travel and meals during the event and also compensated me for my time to write this post. This post is still my opinion and only I have editorial control of the contents. This stuff genuinely is exciting! Aruba did request I use their tracking links, which seemed like a reasonable request.

Ventev Keeps Antennas Interesting at #MFD1

In case you missed it, Wireless Field Day is now Mobility Field Day, and day one of the inaugural MFD is complete. I am not a delegate this time, but there’s a great group of delegates with a number of new people who really added to the discussions. The day ended with a great roundtable session that you really should go watch. Check the Mobility Field Day 1 Playlist for that and the other sessions from MFD1. In particular, they have an excellent conversation about RRM, which has been a hot topic as of late. This, however, is not what I wanted to write about.

You probably see Ventev gear all the time and don’t notice it. They don’t make radios, but they do make antennas, mounts, enclosures and other tools and hardware useful in the WLAN space. That may not sound like a very interesting topic, but the 2 hour session flew by because they had so many great ideas to share.

I really like the innovation that stadium deployments are driving. From enclosures that have a slight slant to them so rain will run off, to handrail mounted enclosures and antennas. I particularly like this two AP enclosure. There’s no questioning what’s in that box!

In case you are wondering about the antennas in this confined space, they actually have you mounting the external antennas back to back with a metal backing plate between them. They had data showing sufficient RF separation in their testing, despite them being so close.

Ventev has some great new ideas for antennas designed to serve the places that have always been difficult to cover. They are putting antennas everywhere and making them hard to spot.

They also discussed their in floor antenna system, which is a unique solution designed for areas with raised floors, a nice antenna built into an old work junction box, and a number of mounting systems designed for challenging environments.

It really was a great presentation and I highly recommend watching the video. It’s full of solutions to real problems facing WLAN designers who are trying to figure out how to install more APs into areas that are not designed with that in mind!

The videos are included below so you can see it all for yourself.


Unofficial #WLPC Twitter Attendee List, PHX2016 Edition

Last year I ran an Unofficial WLPC Twitter Attendee List after Jennifer Huber (@JenniferLucille) wondered if there was a list of Twitter peeps who were attending. Obviously, I’ve decided to do it again this year. Fill out the form at the bottom of this page to be added (easiest for me), but you can also send a tweet to me at @scottm32768. This year I’ve upgraded the list by allowing notes so you can share anything of interest to the attendees. You can share your CWNE status, your podcast, that you work for a vendor, or that you really like pie.

Note: This is for attendees. Sorry, if you aren’t attending I will not add you to the list.

Name Twitter Blog Notes
Keith Parsons @KeithRParsons Runs the WLPC Conferences!
Scott McDermott @scottm32768 Creator of this list
Scott Stapleton @scottpstapleton Wi-Fi Smartass
Shaun Bender @Welles Tacos.
Matthew Norwood @matthewnorwood I come for all the wired sessions.
Luke Jenkins @WiFiLuke
Nate York @dot11Nate
Adrian Granados @adriangranados Maker of WiFi Explorer
Tom Carpenter @carpentertom
Aaron Scott @wifidownunder The one with the best Aussie accent
Brian Smith @elonsmitty Here for the Free Food
Darrell DeRosia @Darrell_DeRosia 2.4 is official dead. Cisco and Apple said so…
Samuel Clements @samuel_clements The one, the only.
Blake Krone @blakekrone Mr Big Deal Himself
Ryan Adzima @radzima Blame Canada
Steve McKim @alfmckim Polite Canadian
Kimberly Graves @KimberlyAGraves Aruba Networks
Jonathan Davis @subnetwork Equal Opportunity Offender
Jim Comment @JimWifi1 First time at WLPC
David Coleman @mistermultipath whiffie
Jake Snyder @Jsnyder81 Peter Griffin impersonator
Trent Cutler @Firemywires
Joshua Williams @802dotMe First timer. These are my people.
Mike Leibovitz @MikeLeibovitz Canadian who accepts no blame
Troy Martin @troymart riding the Wi-Fi fad
Nathan Wilder @Wildernets
Brian Long @blong1 Let’s do this …
Ronald van Kleunen @Globeron Globeron – Wireless Certification Training
Colleen Szymanik @wifi_unicorn Nothing witty to say
Eddie Forero @HeyEddie RRM is dead… along with 2.4GHz and Elvis. (Ok, Elvis is NOT dead…)
Joel Crane @FuelCellWiFi My Twitter handle means nothing.
Glenn Cate @grcate
Manon Lessard @Mae149 Not always polite Canadian.
Andrew Fly4WiFiGuy vonNagy @revolutionwifi
Jerry Olla @jolla Meow
Jonathan Finney @wifispy I like turtles
Anders Nilsson @HerrNilsson2 Part of Team Sweden and yes I’m bringing the Moose
Stephen Montgomery @steviewireless hanging with Jack and some smart people
Juan Carlos Luna @jclkanter Mad about wireless
Eddie Klaczko @EddieKlaczko I like warm weather.
Brad Weldon @bradweldon coffee, tacos, chocolate, repeat…
Trent Hurt @Wifiguy502
Martin Ericson @maer1952 Yihaa in cowboy land
Austin Godbey @austingodbey wireless == magic
Chris Young @netmanchris On behalf of Canada “I’m sorry”.
Robert Eubanks @eubanksrob
John Turner @wifijt “where do I plug this in?”
Ben Montour @BenMontour First time WLPC attendee.
Dan Ryan @Danryan06
John Cosgrove @rtr_man
James Garringer @jamesgarringer Apple
Daniel Dillon @Trilithic
Shaun Neal @sv_neal
Simon “Cucumber Tony” Morley @cucumbertony
Kenneth Fernandes @wifiblogdotcom
Andrew Campbell @wifiandrew
Mark Edwards @marke3117 Yes
Jay Botelho @jaybotelho Savvius (OmniPeek)
Van Le @Vansterzzz 1st WLPC
Timothy Otto @mage2 Wireless Noob , security guy
Joeri De Winter @joeri_Skyline


In Wi-Fi They (Don’t Really) Trust

Sometimes, the biggest problem with the network is its very existence. Anytime something breaks, the fingers start pointing at the network. Database stopped responding? It must be the network. Client can’t access the Internet? Must be the network. Never mind that what the client can’t access is just their home page and everything else is working…

The problem isn’t so much that the network exists, but that it exists and most users, and even most IT pros, don’t understand it. Now we take that complex system that people already have a difficult time understanding and replace the simple Cat5 cable with… Magic? Arthur C. Clarke once wrote that any sufficiently advanced technology is indistinguishable from magic. For many people, wireless is a magical black box. Actually, it’s usually an opaque white box, but that’s beside the point. Things happen in it, but they can’t be seen and they are not easily understood. The explanations for how it works, or more likely why it doesn’t work, generally involve lots of vague hand waving motions and end with either blaming the client or the network, depending on which side you are on.

Now when something breaks and there’s nothing obviously wrong with the device people trust, it’s logical (from their perspective) to blame the thing they don’t understand. It’s known that it needs to be working for them to do what they want, so that must be what’s broken.

You can read the rest of my thoughts on this on the Aruba Airheads Community.


How hard can it be not to install wires?

There’s a joke, “How hard can it be not to install wires?” (See this Dilbert comic) However, it’s a good question, so let’s think through this a bit.

Let’s say you are deploying a new wireless network. Maybe you had it thrown at you already purchased and delivered. You just get to implement it. What fun! Maybe it’s “just” an upgrade, so can’t you just swap things out?

Things you need to consider: What model are the APs? Do you have enough for coverage? More importantly, what about capacity?

To read the rest of this article, check it out over on the Aruba Airheads Community.


My First Aruba Beacon #WFD8

Back at the beginning of October, I had the opportunity to be a delegate to Wireless Field Day 8. The Aruba Networks presentation was very impressive and they also were kind enough to provide all the delegates with a number of nifty items, including some Aruba Networks LS-BT1 BLE location beacons.

If you aren’t familiar with Bluetooth Low Energy (BLE), it’s an extension to the Bluetooth standard that allows for low power communications. This is the standard that provides the basis to create beacons and allows them to operate for multiple years using standard button cell batteries. Beacons are not the only devices out there that use BLE for communication, but those are outside the scope of the rest of this post, which you can continue reading on the Aruba Airheads Community.

Below is the video of Aruba’s location presentation, featuring Kiyo Kubo, Director of the Meridian Group at Aruba Networks.

Aruba Networks Meridian Stadium Applications with Kiyo Kubo from Stephen Foskett on Vimeo.

Kiyo Kubo, Director of Meridian Group, discusses the use of Aruba Networks Meridian location technology at Levi's Stadium. Use of beacons is demonstrated and security around the technology is also discussed. Recorded at Wireless Field Day 8 on October 1, 2015. For more information, please visit or