ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\" \/>\n<meta property=\"og:description\" content=\"A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches. Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels Instagram Facebook Twitter LinkedIn \u200b A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels InstagramFacebookTwitterLinkedIn Share Share: \u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0Read More\u00a0Cisco Blogs\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\" \/>\n<meta property=\"og:site_name\" content=\"JHC\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-26T08:59:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"1\" \/>\n\t<meta property=\"og:image:height\" content=\"1\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"39 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"},\"author\":{\"name\":\"\",\"@id\":\"\"},\"headline\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\",\"datePublished\":\"2023-08-26T08:59:39+00:00\",\"dateModified\":\"2023-08-26T08:59:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"},\"wordCount\":7816,\"publisher\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"articleSection\":[\"Cisco: Learning\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\",\"url\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\",\"name\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC\",\"isPartOf\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"datePublished\":\"2023-08-26T08:59:39+00:00\",\"dateModified\":\"2023-08-26T08:59:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\",\"url\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"contentUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"width\":1,\"height\":1},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jacksonholdingcompany.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#website\",\"url\":\"https:\/\/jacksonholdingcompany.com\/\",\"name\":\"JHC\",\"description\":\"Your Business Is Our Business\",\"publisher\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\",\"name\":\"JHC\",\"url\":\"https:\/\/jacksonholdingcompany.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png\",\"contentUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png\",\"width\":452,\"height\":149,\"caption\":\"JHC\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n","yoast_head_json":{"title":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","og_locale":"en_US","og_type":"article","og_title":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm","og_description":"A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches. Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels Instagram Facebook Twitter LinkedIn \u200b A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels InstagramFacebookTwitterLinkedIn Share Share: \u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0Read More\u00a0Cisco Blogs\u00a0","og_url":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","og_site_name":"JHC","article_published_time":"2023-08-26T08:59:39+00:00","og_image":[{"width":1,"height":1,"url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","type":"image\/gif"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"39 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#article","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"},"author":{"name":"","@id":""},"headline":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm","datePublished":"2023-08-26T08:59:39+00:00","dateModified":"2023-08-26T08:59:39+00:00","mainEntityOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"},"wordCount":7816,"publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","articleSection":["Cisco: Learning"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","url":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","name":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","datePublished":"2023-08-26T08:59:39+00:00","dateModified":"2023-08-26T08:59:39+00:00","breadcrumb":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","width":1,"height":1},{"@type":"BreadcrumbList","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jacksonholdingcompany.com\/"},{"@type":"ListItem","position":2,"name":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm"}]},{"@type":"WebSite","@id":"https:\/\/jacksonholdingcompany.com\/#website","url":"https:\/\/jacksonholdingcompany.com\/","name":"JHC","description":"Your Business Is Our Business","publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jacksonholdingcompany.com\/#organization","name":"JHC","url":"https:\/\/jacksonholdingcompany.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","width":452,"height":149,"caption":"JHC"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/comments?post=959"}],"version-history":[{"count":0,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/959\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media\/940"}],"wp:attachment":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media?parent=959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/categories?post=959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/tags?post=959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

\n\t\tShare\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n
Share:<\/div>\n
\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n
\u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0 Read More<\/a>\u00a0Cisco Blogs\u00a0<\/p>","protected":false},"excerpt":{"rendered":"
<\/p>\n
A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan<\/em><\/p>\n
<\/a>ThousandEyes (TE) Black Hat 2023 Deployment Guide<\/strong><\/span><\/h2>\n
This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed.<\/p>\n
<\/a>Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi<\/strong><\/span><\/h2>\n
Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices.<\/p>\n
<\/a>Hardware Checklist for the Conference<\/span><\/h2>\n
There are several different hardware contingencies that must be accounted for before conference setup can take place.<\/p>\n
A keyboard that can connect to the USB port on the Raspberry Pi
\nLaptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this:<\/p>\n
An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models)
\nA Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop
\nA Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter<\/p>\n
Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions:<\/p>\n
A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable
\nAn adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop<\/p>\n
<\/a>Pi Hardware Assembly<\/strong><\/span><\/h2>\nBlack Hat 2023 Pi 4 Kits<\/strong><\/h3>\n
10x Raspberry Pi 4 Cana Kits, each with the following:<\/p>\n
32GB Micro SD card
\nMicro SD to USB adapter
\nCase
\nHeatsink
\nFan<\/p>\n
Example of built Pi with heatsinks and fan attached:<\/p>\n
Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment.<\/p>\n
<\/a>Provision the ThousandEyes Image onto the Pi Micro SD<\/strong><\/span><\/h2>\n
The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD.<\/p>\n
<\/a>Retrieving the TE Agent Image & Documentation<\/strong><\/h3>\n
From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings<\/strong>.<\/p>\n
Click on Add New Enterprise Agent<\/strong>.<\/p>\n
Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG<\/strong> button. The Installation Guide<\/strong><\/a> for the Pi install is also available from this page.<\/p>\n
<\/a>Connect the Micro SD(s) to Provisioning Laptops<\/strong><\/h3>\n
If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops.<\/p>\n
2x Vivitar Mac USB-C to Micro SD adapter<\/strong><\/p>\n
1x Mac USB-C to USB adapter<\/strong> + 1x USB Micro SD Card Reader<\/strong> (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown).<\/p>\n
1x Micro SD to SD adapter<\/strong><\/p>\n
<\/a>Install the TE Image to Micro SDs<\/h3>\n
We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide<\/a>.<\/p>\n
Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once.<\/p>\n
<\/a>Optional: Use Scripts to Provision Wireless that will Persist Across Reboots<\/strong><\/span><\/h2>\n
Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22.<\/p>\n
Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections.<\/p>\n
Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent.<\/p>\n
Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions.<\/p>\n
Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide.
\nRun the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5<\/strong>.<\/p>\n
Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process.
\nCreate the script file:<\/strong><\/p>\n
# vim rc.local<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\n\/configure_te_pi.sh
\nexit 0<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nCreate the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it.
\nCreate the script file:<\/strong><\/p>\n
# vim configure_te_pi.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\napt-get update -y
\napt-get install te-va-unlock -y
\napt-get install net-tools ifmetric wireless-tools -y
\nifconfig wlan0 up
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext
\nifmetric eth0 200
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces
\ndhclient wlan0
\nsystemctl mask apt-news.service
\nsystemctl mask esm-cache.service<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nCreate the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1.
\nCreate the script file:<\/strong><\/p>\n
# vim doit.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1:<\/strong><\/p>\n
#!\/bin\/bash
\ncp rc.local \/media\/<username>\/writeable\/etc
\ncp configure_te_pi.sh \/media\/<username>\/writeable\/etc
\nchmod +x \/media\/<username>\/writeable\/configure_te_pi.sh
\nchmod +x \/ media\/<username>\/writeable\/etc\/rc.local
\numount \/media\/<username>\/system-boot
\numount \/media\/<username>\/writable<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong><\/p>\n
An example of the script created for the output in Step 1 is provided below.<\/strong><\/p>\n
#!\/bin\/bash
\ncp ~iredden\/rc.local \/media\/iredden\/writable\/etc
\ncp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable
\nchmod +x \/media\/iredden\/writable\/configure_te_pi.sh
\nchmod +x \/media\/iredden\/writable\/etc\/rc.local
\numount \/media\/iredden\/system-boot
\numount \/media\/iredden\/writable<\/p>\n
Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below.<\/p>\n
With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations.<\/p>\n
Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one.<\/p>\n
<\/a>Initial Setup of TE Agent<\/strong><\/span><\/h2>\nThe Provision the ThousandEyes (TE) Image onto the Pi Micro SD<\/a> section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section<\/a>. This section will cover how to use the TE agent on the Micro SD card to perform initial setup.<\/p>\n
<\/a>Connect Micro SD to Raspberry Pi<\/strong><\/h3>\n
Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi.<\/p>\n
<\/a>Connect an Ethernet Cable to the Pi<\/strong><\/h3>\n
It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to.<\/p>\n
<\/a>Connect Keyboard and Monitor to Raspberry Pi<\/strong><\/h3>\n
Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent.<\/p>\n
Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting.<\/p>\n
For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work.<\/p>\n
For the screen, we used two separate hardware solutions.<\/p>\n
The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi.<\/p>\n
The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop.<\/p>\n
<\/a>Confirm Pi Hardware Connections<\/strong><\/h3>\n
With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot.<\/p>\n
<\/a>Connect to the TE Agent GUI<\/strong><\/h3>\n
Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP.<\/p>\n
If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP.<\/p>\n
Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome.<\/p>\n
Change the default password to something more secure and click Change Password<\/strong>.<\/p>\n
The GUI should automatically take you to Agent<\/strong> in the left menu.<\/p>\n
Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings<\/strong>.<\/p>\n
Click on the Add New Enterprise Agent<\/strong><\/p>\n
Copy the Access Group Token<\/strong>. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually.<\/p>\n
Return to the TE agent GUI and paste the Account Group Token<\/strong> into the Agent<\/strong> Click Continue.<\/p>\n
The GUI will automatically load the Review<\/strong> Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button.<\/p>\n
Click on the Network tab.<\/p>\n
Configure the hostname for the agent.<\/p>\n
Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred.<\/p>\n
Scroll down and click on the Save Changes<\/strong> Note that the Applying network settings pop-up may get stuck. Reload the page to clear it.
\nConnect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI<\/a>.<\/p>\n
<\/a>Manual Wireless Config Track<\/strong><\/span><\/h2>\nThe Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots<\/a> section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent.<\/p>\n
<\/a>Manual Wireless Config Track: Connect to the TE Agent via SSH<\/strong><\/span><\/h2>\nDocumentation for connecting to a Pi TE agent via SSH can be found in this guide<\/a>.<\/p>\n
<\/a>Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config)<\/strong><\/span><\/h2>\n
Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration.<\/p>\n
We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install:<\/p>\n
$ sudo apt-get update
\n$ sudo apt-get install te-va-unlock<\/p>\n
With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration.<\/p>\n
<\/a>Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi<\/strong><\/span><\/h2>\n
Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH.<\/p>\n
Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process.<\/p>\n
Create the script file:<\/strong><\/p>\n
$ sudo su
\n# cd \/etc
\n# vim rc.local<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\n\/configure_te_pi.sh
\nexit 0<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>\u00a0<\/strong>
\nRun the following to set the script permissions:<\/strong><\/p>\n
# chmod +x \/etc\/rc.local<\/p>\n
Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent.
\nCreate the script file:<\/strong><\/p>\n
# cd \/
\n# vim configure_te_pi.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values:<\/strong><\/p>\n
#!\/bin\/bash
\napt-get update -y
\napt-get install te-va-unlock -y
\napt-get install net-tools ifmetric wireless-tools -y
\nifconfig wlan0 up
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext
\nifmetric eth0 200
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces
\ndhclient wlan0
\nsystemctl mask apt-news.service
\nsystemctl mask esm-cache.service<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nRun the following to set the script permissions:<\/strong><\/p>\n
# chmod +x \/configure_te_pi.sh
\nReboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account.<\/p>\n
<\/a>Validate Wireless Interface in the ThousandEyes Web GUI<\/strong><\/span><\/h2>\n<\/a>Confirm Wired and Wireless IPs<\/strong><\/h3>\n
From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents<\/strong> > Agent Settings<\/strong>.<\/p>\n
Identify a registered TE agent with a wireless interface, then click on it.<\/p>\n
Locate the General Information<\/strong> The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information<\/strong> link to confirm which IP address is assigned to each interface.<\/p>\n
<\/a>Confirm Wired and Wireless Interfaces for Tests<\/strong><\/h3>\n
Navigate to Cloud & Enterprise Agents<\/strong> > Test Settings<\/strong>.<\/p>\n
Expand one of the tests and then expand the Agents<\/strong><\/p>\n
Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below.<\/p>\n
About Black Hat<\/span><\/h2>\nFor 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com<\/span><\/a>. Black Hat is brought to you by Informa Tech.<\/p>\n
<\/a>Appendix<\/strong><\/span><\/h2>\nGitHub with scripts<\/strong><\/h3>\nThousandEyes Wireless Setup GitHub<\/a><\/p>\n
<\/a>ThousandEyes Ports and Protocols<\/strong><\/h3>\n
For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region.<\/p>\n
https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents<\/a><\/p>\n
<\/a>Script Functions Explained<\/strong><\/h3>\nScripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots<\/a> and Manual Wireless Config Track<\/a> sections of this guide. This appendix section explains the script functionality line by line.<\/p>\n
rc.local<\/strong> \u2013 this script will run as part of the TE agent startup process.<\/p>\n
#!\/bin\/bash \u2013 initialize the script to run using bash
\n\/configure_te_pi.sh \u2013 run the configure_te_pi.sh script
\nexit 0 \u2013 exit<\/p>\n
configure_te_pi.sh<\/strong> \u2013 this script will configure the TE agent for wireless functionality<\/p>\n
#!\/bin\/bash \u2013 initialize the script
\napt-get update -y \u2013 update the underlying Ubuntu OS
\napt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access
\napt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality
\nifconfig wlan0 up \u2013 bring up a wireless LAN interface
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver
\nifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface
\ndhclient wlan0 \u2013 enable DHCP for the wireless interface
\nsystemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure<\/a> section for more information
\nsystemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure<\/a> section for more information<\/p>\n
<\/a>Wireless TE Agent Update Failure<\/strong><\/h3>\n
During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan:<\/p>\n
syslog<\/strong><\/p>\n
Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon.
\nAug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News<\/strong>\u2026
\nAug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches<\/strong>\u2026
\nAug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service<\/strong>: Succeeded.
\nAug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.
\n<\/strong>Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service<\/strong>: Succeeded.
\nAug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.
\n<\/strong>Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier<\/strong><\/p>\n
More information on the two services can be found here:<\/p>\n
https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them<\/a><\/p>\n
Masking the services so they are not run by systemd resolved the failure of wlan0:<\/p>\n
$ sudo systemctl mask apt-news.service
\n$ sudo systemctl mask esm-cache.service<\/p>\n
The above commands were then added to the startup scripts.<\/p>\n
We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!<\/em><\/p>\n
Cisco Secure Social Channels<\/strong><\/p>\n
Instagram<\/a><\/strong>
\nFacebook<\/a><\/strong>
\nTwitter<\/a><\/strong>
\nLinkedIn<\/a><\/strong><\/p>\n
\u200b<\/p>\n
A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan<\/em><\/p>\n
ThousandEyes (TE) Black Hat 2023 Deployment Guide<\/strong><\/h2>\n
This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed.<\/p>\n
Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi<\/strong><\/h2>\n
Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices.<\/p>\n
Hardware Checklist for the Conference<\/h2>\n
There are several different hardware contingencies that must be accounted for before conference setup can take place.<\/p>\n
A keyboard that can connect to the USB port on the Raspberry Pi
\nLaptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this:
\nAn SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models)
\nA Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop
\nA Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter<\/p>\n
Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions:
\nA portable monitor that connected to the Pi via an HDMI to Micro HDMI cable
\nAn adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop<\/p>\n
Pi Hardware Assembly<\/strong><\/h2>\n
Black Hat 2023 Pi 4 Kits<\/strong><\/h3>\n
10x Raspberry Pi 4 Cana Kits, each with the following:<\/p>\n
32GB Micro SD card
\nMicro SD to USB adapter
\nCase
\nHeatsink
\nFan<\/p>\n
Example of built Pi with heatsinks and fan attached:<\/p>\n
Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment.<\/p>\n
Provision the ThousandEyes Image onto the Pi Micro SD<\/strong><\/h2>\n
The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD.<\/p>\n
Retrieving the TE Agent Image & Documentation<\/strong><\/h3>\n
From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings<\/strong>.<\/p>\n
Click on Add New Enterprise Agent<\/strong>.<\/p>\n
Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG<\/strong> button. The Installation Guide<\/strong><\/a> for the Pi install is also available from this page.<\/p>\n
Connect the Micro SD(s) to Provisioning Laptops<\/strong><\/h3>\n
If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops.<\/p>\n
2x Vivitar Mac USB-C to Micro SD adapter<\/strong><\/p>\n
1x Mac USB-C to USB adapter<\/strong> + 1x USB Micro SD Card Reader<\/strong> (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown).<\/p>\n
1x Micro SD to SD adapter<\/strong><\/p>\n
Install the TE Image to Micro SDs<\/h3>\nWe used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide<\/a>.<\/p>\n
Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once.<\/p>\n
Optional: Use Scripts to Provision Wireless that will Persist Across Reboots<\/strong><\/h2>\n
Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22.<\/p>\n
Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections.<\/p>\n
Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent.<\/p>\n
Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions.<\/p>\n
Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide.
\nRun the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5<\/strong>.<\/p>\n
Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process.
\nCreate the script file:<\/strong><\/p>\n
# vim rc.local<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\n\/configure_te_pi.sh
\nexit 0<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nCreate the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it.
\nCreate the script file:<\/strong><\/p>\n
# vim configure_te_pi.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\napt-get update -y
\napt-get install te-va-unlock -y
\napt-get install net-tools ifmetric wireless-tools -y
\nifconfig wlan0 up
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext
\nifmetric eth0 200
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces
\ndhclient wlan0
\nsystemctl mask apt-news.service
\nsystemctl mask esm-cache.service<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nCreate the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1.
\nCreate the script file:<\/strong><\/p>\n
# vim doit.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1:<\/strong><\/p>\n
#!\/bin\/bash
\ncp rc.local \/media\/<username>\/writeable\/etc
\ncp configure_te_pi.sh \/media\/<username>\/writeable\/etc
\nchmod +x \/media\/<username>\/writeable\/configure_te_pi.sh
\nchmod +x \/ media\/<username>\/writeable\/etc\/rc.local
\numount \/media\/<username>\/system-boot
\numount \/media\/<username>\/writable<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong><\/p>\n
An example of the script created for the output in Step 1 is provided below.<\/strong><\/p>\n
#!\/bin\/bash
\ncp ~iredden\/rc.local \/media\/iredden\/writable\/etc
\ncp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable
\nchmod +x \/media\/iredden\/writable\/configure_te_pi.sh
\nchmod +x \/media\/iredden\/writable\/etc\/rc.local
\numount \/media\/iredden\/system-boot
\numount \/media\/iredden\/writable<\/p>\n
Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below.<\/p>\n
With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations.<\/p>\n
Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one.<\/p>\n
Initial Setup of TE Agent<\/strong><\/h2>\nThe Provision the ThousandEyes (TE) Image onto the Pi Micro SD<\/a> section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section<\/a>. This section will cover how to use the TE agent on the Micro SD card to perform initial setup.<\/p>\n
Connect Micro SD to Raspberry Pi<\/strong><\/h3>\n
Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi.<\/p>\n
Connect an Ethernet Cable to the Pi<\/strong><\/h3>\n
It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to.<\/p>\n
Connect Keyboard and Monitor to Raspberry Pi<\/strong><\/h3>\n
Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent.<\/p>\n
Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting.<\/p>\n
For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work.<\/p>\n
For the screen, we used two separate hardware solutions.<\/p>\n
The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi.<\/p>\n
The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop.<\/p>\n
Confirm Pi Hardware Connections<\/strong><\/h3>\n
With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot.<\/p>\n
Connect to the TE Agent GUI<\/strong><\/h3>\n
Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP.<\/p>\n
If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP.<\/p>\n
Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome.<\/p>\n
Change the default password to something more secure and click Change Password<\/strong>.<\/p>\n
The GUI should automatically take you to Agent<\/strong> in the left menu.<\/p>\n
Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings<\/strong>.<\/p>\n
Click on the Add New Enterprise Agent<\/strong><\/p>\n
Copy the Access Group Token<\/strong>. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually.<\/p>\n
Return to the TE agent GUI and paste the Account Group Token<\/strong> into the Agent<\/strong> Click Continue.<\/p>\n
The GUI will automatically load the Review<\/strong> Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button.<\/p>\n
Click on the Network tab.<\/p>\n
Configure the hostname for the agent.<\/p>\n
Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred.<\/p>\n
Scroll down and click on the Save Changes<\/strong> Note that the Applying network settings pop-up may get stuck. Reload the page to clear it.
\nConnect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI<\/a>.<\/p>\n
Manual Wireless Config Track<\/strong><\/h2>\nThe Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots<\/a> section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent.<\/p>\n
Manual Wireless Config Track: Connect to the TE Agent via SSH<\/strong><\/h2>\nDocumentation for connecting to a Pi TE agent via SSH can be found in this guide<\/a>.<\/p>\n
Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config)<\/strong><\/h2>\n
Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration.<\/p>\n
We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install:<\/p>\n
$ sudo apt-get update
\n$ sudo apt-get install te-va-unlock<\/p>\n
With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration.<\/p>\n
Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi<\/strong><\/h2>\n
Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH.<\/p>\n
Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process.<\/p>\n
Create the script file:<\/strong><\/p>\n
$ sudo su
\n# cd \/etc
\n# vim rc.local<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following:<\/strong><\/p>\n
#!\/bin\/bash
\n\/configure_te_pi.sh
\nexit 0<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>\u00a0<\/strong>
\nRun the following to set the script permissions:<\/strong><\/p>\n
# chmod +x \/etc\/rc.local<\/p>\n
Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent.
\nCreate the script file:<\/strong><\/p>\n
# cd \/
\n# vim configure_te_pi.sh<\/p>\n
Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values:<\/strong><\/p>\n
#!\/bin\/bash
\napt-get update -y
\napt-get install te-va-unlock -y
\napt-get install net-tools ifmetric wireless-tools -y
\nifconfig wlan0 up
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext
\nifmetric eth0 200
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces
\ndhclient wlan0
\nsystemctl mask apt-news.service
\nsystemctl mask esm-cache.service<\/p>\n
Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.<\/strong>
\nRun the following to set the script permissions:<\/strong><\/p>\n
# chmod +x \/configure_te_pi.sh
\nReboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account.<\/p>\n
Validate Wireless Interface in the ThousandEyes Web GUI<\/strong><\/h2>\n
Confirm Wired and Wireless IPs<\/strong><\/h3>\n
From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents<\/strong> > Agent Settings<\/strong>.<\/p>\n
Identify a registered TE agent with a wireless interface, then click on it.<\/p>\n
Locate the General Information<\/strong> The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information<\/strong> link to confirm which IP address is assigned to each interface.<\/p>\n
Confirm Wired and Wireless Interfaces for Tests<\/strong><\/h3>\n
Navigate to Cloud & Enterprise Agents<\/strong> > Test Settings<\/strong>.<\/p>\n
Expand one of the tests and then expand the Agents<\/strong><\/p>\n
Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below.<\/p>\n
About Black Hat<\/h2>\nFor 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com<\/a>. Black Hat is brought to you by Informa Tech.<\/p>\n
Appendix<\/strong><\/h2>\nGitHub with scripts<\/strong><\/h3>\nThousandEyes Wireless Setup GitHub<\/a><\/p>\n
ThousandEyes Ports and Protocols<\/strong><\/h3>\n
For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region.<\/p>\n
https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents<\/a><\/p>\n
Script Functions Explained<\/strong><\/h3>\nScripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots<\/a> and Manual Wireless Config Track<\/a> sections of this guide. This appendix section explains the script functionality line by line.<\/p>\n
rc.local<\/strong> \u2013 this script will run as part of the TE agent startup process.<\/p>\n
#!\/bin\/bash \u2013 initialize the script to run using bash
\n\/configure_te_pi.sh \u2013 run the configure_te_pi.sh script
\nexit 0 \u2013 exit<\/p>\n
configure_te_pi.sh<\/strong> \u2013 this script will configure the TE agent for wireless functionality<\/p>\n
#!\/bin\/bash \u2013 initialize the script
\napt-get update -y \u2013 update the underlying Ubuntu OS
\napt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access
\napt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality
\nifconfig wlan0 up \u2013 bring up a wireless LAN interface
\nwpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file
\nwpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver
\nifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface
\nsed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface
\ndhclient wlan0 \u2013 enable DHCP for the wireless interface
\nsystemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure<\/a> section for more information
\nsystemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure<\/a> section for more information<\/p>\n
Wireless TE Agent Update Failure<\/strong><\/h3>\n
During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan:<\/p>\n
syslog<\/strong><\/p>\n
Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon.
\nAug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News<\/strong>\u2026
\nAug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches<\/strong>\u2026
\nAug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service<\/strong>: Succeeded.
\nAug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.<\/strong>Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service<\/strong>: Succeeded.
\nAug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.<\/strong>Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier<\/strong><\/p>\n
More information on the two services can be found here:<\/p>\n
https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them<\/a><\/p>\n
Masking the services so they are not run by systemd resolved the failure of wlan0:<\/p>\n
$ sudo systemctl mask apt-news.service
\n$ sudo systemctl mask esm-cache.service<\/p>\n
The above commands were then added to the startup scripts.<\/p>\n
We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!<\/em><\/p>\n
Cisco Secure Social Channels<\/strong><\/p>\n
Instagram<\/a><\/strong>Facebook<\/a><\/strong>Twitter<\/a><\/strong>LinkedIn<\/a><\/strong><\/p>\n
\n\t\tShare<\/p>\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n
Share:<\/div>\n
\n
\n
<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t\t <\/a>\n\t<\/div>\n<\/div>\n
\n
\n\t <\/a>\n\t<\/div>\n<\/div>\n<\/div>\n
\u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0 Read More<\/a>\u00a0Cisco Blogs\u00a0<\/p>\n
<\/p>\n","protected":false},"author":0,"featured_media":940,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-959","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cisco-learning"],"yoast_head":"\nThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\" \/>\n<meta property=\"og:description\" content=\"A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches. Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels Instagram Facebook Twitter LinkedIn \u200b A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels InstagramFacebookTwitterLinkedIn Share Share: \u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0Read More\u00a0Cisco Blogs\u00a0\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\" \/>\n<meta property=\"og:site_name\" content=\"JHC\" \/>\n<meta property=\"article:published_time\" content=\"2023-08-26T08:59:39+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\" \/>\n\t<meta property=\"og:image:width\" content=\"1\" \/>\n\t<meta property=\"og:image:height\" content=\"1\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/gif\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"39 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"},\"author\":{\"name\":\"\",\"@id\":\"\"},\"headline\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\",\"datePublished\":\"2023-08-26T08:59:39+00:00\",\"dateModified\":\"2023-08-26T08:59:39+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"},\"wordCount\":7816,\"publisher\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"articleSection\":[\"Cisco: Learning\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\",\"url\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\",\"name\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC\",\"isPartOf\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"datePublished\":\"2023-08-26T08:59:39+00:00\",\"dateModified\":\"2023-08-26T08:59:39+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage\",\"url\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"contentUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif\",\"width\":1,\"height\":1},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jacksonholdingcompany.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#website\",\"url\":\"https:\/\/jacksonholdingcompany.com\/\",\"name\":\"JHC\",\"description\":\"Your Business Is Our Business\",\"publisher\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#organization\",\"name\":\"JHC\",\"url\":\"https:\/\/jacksonholdingcompany.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png\",\"contentUrl\":\"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png\",\"width\":452,\"height\":149,\"caption\":\"JHC\"},\"image\":{\"@id\":\"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n","yoast_head_json":{"title":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","og_locale":"en_US","og_type":"article","og_title":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm","og_description":"A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches. Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels Instagram Facebook Twitter LinkedIn \u200b A deployment guide for wireless ThousandEyes agents deployed to monitor the Black Hat 2023 conference by Adam Kilgore & Ryan MacLennan ThousandEyes (TE) Black Hat 2023 Deployment Guide This guide documents the setup and installation procedures used to deploy ThousandEyes at Black Hat 2023. This document covers configuration of the TE agent on Raspberry Pi 4, including both wired and wireless configurations. Needed hardware for the various setup functions are also listed. Limitations of Deploying ThousandEyes Enterprise Agents on Raspberry Pi Please note that TE Enterprise Agents will only show data for layer 3 hops, and will not show wireless access point data. This applies to deploying the TE Enterprise Agent on the Raspberry Pi and configuring it for wireless. The only TE agent that can provide wireless AP data is the TE Endpoint Agent, which is intended to be installed on laptops and personal devices. Hardware Checklist for the Conference There are several different hardware contingencies that must be accounted for before conference setup can take place. A keyboard that can connect to the USB port on the Raspberry Pi Laptops that can connect to the Pi Micro SD for TE agent provisioning. We used several different solutions for this: An SD card to Micro SD adapter, which connected to the SD reader on a Mac laptop (the SD reader is not available on all models) A Vivitar Micro SD to USB-C adapter, which connected to the USB-C port on a Mac laptop A Micro SD to USB adapter that came with the Raspberry Pi 4 Cana Kit. This was connected to a USB to USB-C Mac adapter Screens that can connect to the Raspberry Pi Micro HDMI port. This can be as simple as a normal HDMI monitor that connects to the Pi via HDMI to Micro HDMI, but these were not available during the setup days of the conference. We used two solutions: A portable monitor that connected to the Pi via an HDMI to Micro HDMI cable An adapter that connected to the Pi via Micro HDMI, connected to a Mac HDMI adapter, with the Mac HDMI adapter connected to a USB-C port on the Mac laptop Pi Hardware Assembly Black Hat 2023 Pi 4 Kits 10x Raspberry Pi 4 Cana Kits, each with the following: 32GB Micro SD card Micro SD to USB adapter Case Heatsink Fan Example of built Pi with heatsinks and fan attached: Note that we had overheating issues with the fan set to pull air out of the case. Orienting the fan to blow into the Pi case was more effective for our deployment. Provision the ThousandEyes Image onto the Pi Micro SD The Raspberry Pi can read Micro SD cards. The installation procedure is to download the TE Pi installer from the TE GUI, connect the Micro SDs to the provisioning laptops, and then use balenaEtcher to install the TE image to the Micro SD. Retrieving the TE Agent Image & Documentation From the ThousandEyes GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Click on Add New Enterprise Agent. Locate the entry for Raspberry Pi 4 and click the Download \u2013 IMG button. The Installation Guide for the Pi install is also available from this page. Connect the Micro SD(s) to Provisioning Laptops If the provisioning laptops do not have a Micro SD card reader then adapter solutions will be needed to install the TE image to the Micro SD. For Black Hat 2023, we used a combination of the following hardware with Mac laptops. 2x Vivitar Mac USB-C to Micro SD adapter 1x Mac USB-C to USB adapter + 1x USB Micro SD Card Reader (included with some Pi bundles\u2014the USB has an additional slot for the Micro SD card, which then plugs into a USB port\u2014in this case, the Mac adapter shown). 1x Micro SD to SD adapter Install the TE Image to Micro SDs We used balenaEtcher to write the TE images to Micro SD, as covered in the TE Pi deployment guide. Note that Etcher can write multiple images to multiple Micro SDs at once, your only limit is the number of Micro SD cards that can be connected to the provisioning laptops (USB-C, Micro SD card reader, USB port, etc.) at once. Optional: Use Scripts to Provision Wireless that will Persist Across Reboots Creating the wireless configuration for the Pi can occur either before or after booting the Pi for the first time with the Micro SD image that was configured in the prior section. If you would like to create the wireless configuration before booting the Pi, please follow the steps in this section. Alternatively, if wireless is not being used or wireless configuration can occur after booting the Pi, this section can safely be skipped. Please note that configuring wireless after booting the Pi will require enabling SSH on the TE agent, along with any requisite firewall rules to reach the Pi over port 22. Also note that this section requires specific hardware and software, as covered in the next paragraphs. If the needed hardware and software is not available, the wireless configuration can still be accomplished using manual procedures given in later sections. Before beginning the configuration, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent. Also note that the TE agent file system must be mounted onto a laptop to perform these steps. At Black Hat 2023, we were only able to accomplish this step using a Linux OS. Attempts to mount the Micro SD on Mac did not correctly mount the TE agent partitions. Log in to a Linux system and connect a Micro SD with the TE agent installed (this procedure was covered in the prior section). Use the Micro SD connection methodology provided at the start of the guide. Run the df command to verify the mounted partitions. The below screenshot shows the df output before and after connecting the Micro SD card, with the two mounted partitions visible after running the 2nd df command. Note the partition paths highlighted in red, as they will be needed to create the doit.sh script in Step 5. Create a file named rc.local in a chosen directory. The specific name \u2018rc.local\u2019 is necessary for the script to run during the TE agent bootup process. Create the script file: # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the configure_te_pi.sh script in the same directory as the rc.local file. Replace the <SSID> and <SSID password> fields in the below script with the SSID and PSK that the Pi will connect to. The SSID and PSK can also be changed later, but this will require enabling SSH on the TE agent and then connecting to it. Create the script file: # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Create the doit.sh script in the same directory as the prior two scripts. Note that the paths to the \/writeable and \/system-boot mounts will need to be filled in with the paths collected in Step 1. Create the script file: # vim doit.sh Type \u2018i\u2019 to edit, and type or paste the following, modifying the paths to match the output in Step 1: #!\/bin\/bash cp rc.local \/media\/<username>\/writeable\/etc cp configure_te_pi.sh \/media\/<username>\/writeable\/etc chmod +x \/media\/<username>\/writeable\/configure_te_pi.sh chmod +x \/ media\/<username>\/writeable\/etc\/rc.local umount \/media\/<username>\/system-boot umount \/media\/<username>\/writable Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. An example of the script created for the output in Step 1 is provided below. #!\/bin\/bash cp ~iredden\/rc.local \/media\/iredden\/writable\/etc cp ~iredden\/configure_te_pi.sh \/media\/iredden\/writable chmod +x \/media\/iredden\/writable\/configure_te_pi.sh chmod +x \/media\/iredden\/writable\/etc\/rc.local umount \/media\/iredden\/system-boot umount \/media\/iredden\/writable Run the doit.sh script. The doit.sh script will perform the configuration and then unmount the partitions, as shown below. With the above steps complete, the Micro SD card can be removed from the laptop and connected to the Raspberry Pi. The Pi will execute the scripts during bootup and connect to wireless, if the SSID configured is reachable and the PSK is correct. Please see the next section for setup instructions and other considerations. Also note that a wired connection to the Pi is still recommended for initial setup. Although the Pi TE agent can successfully pull a wireless IP address during initial bootup, the TE agent will not display a wireless IP address on a connected monitor, only a wired one. Initial Setup of TE Agent The Provision the ThousandEyes (TE) Image onto the Pi Micro SD section of this guide covered how to provision TE agents onto Micro SD cards. An optional section covering how to script wireless capability onto the TE agent image was also provided in the Use Scripts to Configure Wireless that will Persist Across Reboots section. This section will cover how to use the TE agent on the Micro SD card to perform initial setup. Connect Micro SD to Raspberry Pi Once the TE image has been installed on the Micro SD, connect the Micro SD to the Raspberry Pi. Connect an Ethernet Cable to the Pi It is necessary to know the IP address assigned to a TE agent after initial boot in order to complete initial registration. While a Pi with a wireless configured TE agent can pull a wireless IP during its initial bootup, it will not display the wireless IP on a connected monitor, only a wired IP address. For this reason, it is still recommended to connect an ethernet cable to a wireless Pi before initial power on and use the assigned eth0 IP to perform initial setup. The only alternative to a wired connection on initial boot is to identify the wireless IP address of the TE agent by means other than a connected monitor, such as via direct access to the wireless AP that the TE agent connects to. Connect Keyboard and Monitor to Raspberry Pi Two pieces of hardware are used to perform the initial setup of the Raspberry Pi TE agent: (1) a keyboard that can connect to the Pi via USB, and (2) a screen that can connect to the Pi via Micro HDMI. Initial setup can be performed without the keyboard if (a) an IP address is assigned to the TE agent via DHCP, and (b) the DHCP address can be identified via the connected screen or by other means. Similarly, initial setup can be completed without the screen if there is another way to identify the DHCP IP address assigned to the TE agent, such as admin access to the switch connected to the TE agent. Despite the above alternatives, a connected keyboard and monitor are recommended for ease of deployment and any needed troubleshooting. For the keyboard, we used a Bluetooth keyboard with a detached USB fob, but any keyboard that can connect to the Pi via USB will work. For the screen, we used two separate hardware solutions. The first solution is a Kenowa portable monitor with an HDMI to Micro HDMI cable. The HDMI side of the cable connects to the Kenowa, and the Micro HDMI side of the cable connects to the Raspberry Pi. The second solution we used is an Elgato adapter that sits between the Raspberry Pi and a Mac laptop. The Pi connects to the Elgato via a micro HDMI to HDMI cable. The Elgato uses a regular HDMI cable to connect to the HDMI side of a Mac HDMI to USB-C adapter, with the USB-C side of the Mac adapter connecting directly to a Mac laptop. Confirm Pi Hardware Connections With the hardware configurations in the prior sections complete (i.e. the Pi is connected to an ethernet port, monitor, and keyboard), connect the Pi power adapter to begin initial boot. Connect to the TE Agent GUI Once the Pi is powered on, the TE agent install will take a few minutes to run (more if internet access is not available). Once the bootup is complete, the Pi will display a message if an IP address was assigned to the ethernet port via DHCP. If no IP address was assigned to the ethernet port via DHCP, the TE agent will display a different message stating no IP address is configured. If this is the case, it will be necessary to either manually assign an IP address to the ethernet port using a keyboard, or identify the IP address of the wireless interface using admin access to the connected wireless AP. Once the IP address of the TE agent is known, connect to the IP via HTTPS and sign in with username admin and password welcome. Change the default password to something more secure and click Change Password. The GUI should automatically take you to Agent in the left menu. Keeping the ThousandEyes Physical Appliance GUI open, create a new tab in your browser and connect to the ThousandEyes web GUI, then click on Cloud Enterprise Agents > Agent Settings. Click on the Add New Enterprise Agent Copy the Access Group Token. Note: the Copy button may not work, in which case click the eye icon to show the token and copy it manually. Return to the TE agent GUI and paste the Account Group Token into the Agent Click Continue. The GUI will automatically load the Review Appliance Status and Diagnostics fields should change to green as the registration completes. Click the Complete button. Click on the Network tab. Configure the hostname for the agent. Scroll down to the DNS configuration and enter the internal and External DNS servers. By Default, the agent will use the 208.67.222.222 and 208.67.222.220 external Umbrella DNS servers. These can be moved to DNS server 3 and 4 if internal DNS servers are preferred. Scroll down and click on the Save Changes Note that the Applying network settings pop-up may get stuck. Reload the page to clear it. Connect to the ThousandEyes web GUI and confirm that the agent shows as active under Enterprise Agents. For additional guidance, please see the section Validate Wireless Interface in the ThousandEyes Web GUI. Manual Wireless Config Track The Raspberry Pi TE agent can only connect via a wired connection using the default installation. If wireless is needed for the deployment but the necessary hardware\/software was not available for the Optional: Use Scripts to Configure Wireless that will Persist Across Reboots section, or if the TE agent has already been deployed, the series of manual configuration steps starting in this section can be used to configure persistent wireless on a Pi TE agent. Manual Wireless Config Track: Connect to the TE Agent via SSH Documentation for connecting to a Pi TE agent via SSH can be found in this guide. Manual Wireless Config Track: Jailbreak the TE Agent (to allow Wireless config) Jailbreaking the TE agent is necessary for escalating to root and performing the commands necessary to build the scripts for the wireless configuration. We should update the Ubuntu OS before running the jailbreak command. Connect to the TE agent via SSH, then run the following two commands to first update the OS and then jailbreak the install: $ sudo apt-get update $ sudo apt-get install te-va-unlock With the TE agent successfully jailbroken, we can now escalate to root and perform the rest of the configuration. Manual Wireless Config Track: Configure Wireless that will Persist Across Reboots using only the Pi Before beginning this section, note that the SSID and SSID password must be hard coded. If the TE agent cannot connect to the hardcoded SSID after reboot, the wireless connection will fail. If the hardcoded SSID and password need to be changed after the initial setup, it will be necessary to (re)enable SSH on the TE agent and connect to it over SSH. Escalate to root and create a file named rc.local in the \/etc directory. The name is necessary for the script to run during the TE agent bootup process. Create the script file: $ sudo su # cd \/etc # vim rc.local Type \u2018i\u2019 to edit, and type or paste the following: #!\/bin\/bash \/configure_te_pi.sh exit 0 Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file.\u00a0 Run the following to set the script permissions: # chmod +x \/etc\/rc.local Create the configure_te_pi.sh script in the top level \/ directory. Replace the <SSID> and <SSID password> fields in the below script with the correct values. The SSID and password can also be changed later, but this will require a later SSH connection to the agent. Create the script file: # cd \/ # vim configure_te_pi.sh Type \u2018i\u2019 to edit, and type or paste the following, replacing the <SSID> and <SSID password> fields with the correct values: #!\/bin\/bash apt-get update -y apt-get install te-va-unlock -y apt-get install net-tools ifmetric wireless-tools -y ifconfig wlan0 up wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext ifmetric eth0 200 sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces dhclient wlan0 systemctl mask apt-news.service systemctl mask esm-cache.service Type \u2018:\u2019 then \u2018wq!\u2019 to save the changes and exit the file. Run the following to set the script permissions: # chmod +x \/configure_te_pi.sh Reboot the Pi and test to confirm that the wireless NIC can connect to the ThousandEyes web account. Validate Wireless Interface in the ThousandEyes Web GUI Confirm Wired and Wireless IPs From the ThousandEyes web GUI, navigate to Cloud & Enterprise Agents > Agent Settings. Identify a registered TE agent with a wireless interface, then click on it. Locate the General Information The private IP address of the TE agent will be displayed, which is the IP address that the TE agent used to connect to the ThousandEyes web manager. If the TE agent has both an ethernet and wireless port, you can click the System Information link to confirm which IP address is assigned to each interface. Confirm Wired and Wireless Interfaces for Tests Navigate to Cloud & Enterprise Agents > Test Settings. Expand one of the tests and then expand the Agents Click on the Enterprise button and expand the dropdown next to an agent with wireless enabled. If the agent has both a wired and a wireless interface enabled, they will both be displayed as in the screenshot below. About Black Hat For 26 years, Black Hat has provided attendees with the very latest in information security research, development, and trends. These high-profile global events and trainings are driven by the needs of the security community, striving to bring together the best minds in the industry. Black Hat inspires professionals at all career levels, encouraging growth and collaboration among academia, world-class researchers, and leaders in the public and private sectors. Black Hat Briefings and Trainings are held annually in the United States, Europe and USA. More information is available at: BlackHat.com. Black Hat is brought to you by Informa Tech. Appendix GitHub with scripts ThousandEyes Wireless Setup GitHub ThousandEyes Ports and Protocols For TE agents to operate correctly, they will need to both connect to ThousandEyes over the internet and have firewall ACL access to perform any configured tests. Refer to the following document for lists of ports and protocols per region. https:\/\/docs.thousandeyes.com\/product-documentation\/global-vantage-points\/enterprise-agents\/configuring\/firewall-configuration-for-enterprise-agents Script Functions Explained Scripts to enable wireless functionality of the Raspberry Pi TE agent on startup are included in the Optional: Use Scripts to Provision Wireless that will Persist Across Reboots and Manual Wireless Config Track sections of this guide. This appendix section explains the script functionality line by line. rc.local \u2013 this script will run as part of the TE agent startup process. #!\/bin\/bash \u2013 initialize the script to run using bash \/configure_te_pi.sh \u2013 run the configure_te_pi.sh script exit 0 \u2013 exit configure_te_pi.sh \u2013 this script will configure the TE agent for wireless functionality #!\/bin\/bash \u2013 initialize the script apt-get update -y \u2013 update the underlying Ubuntu OS apt-get install te-va-unlock -y \u2013 jailbreak the TE agent to allow additional sudo access apt-get install net-tools ifmetric wireless-tools -y \u2013 install tools to allow wireless functionality ifconfig wlan0 up \u2013 bring up a wireless LAN interface wpa_passphrase <SSID> <SSID password> > \/etc\/wpa_supplicant.conf \u2013 configure SSID and PSK values for the wireless connection and write them to the wpa_supplicant.conf file wpa_supplicant -B -i wlan0 -c \/etc\/wpa_supplicant.conf -D wext \u2013 imports the wpa_supplicant file and configures the wireless LAN interface to use the wext driver ifmetric eth0 200 \u2013 set the wired interface to have a lower priority than the wireless interface sed -i \u20181iauto wlan0niface wlan0 inet dhcp\u2019 \/etc\/network\/interfaces \u2013 configure DHCP for the wireless interface dhclient wlan0 \u2013 enable DHCP for the wireless interface systemctl mask apt-news.service \u2013 prevent apt-news.service from running. See the Wireless TE Agent Update Failure section for more information systemctl mask esm-cache.service \u2013 prevent the esm-cache.service from running. See the Wireless TE Agent Update Failure section for more information Wireless TE Agent Update Failure During testing of the wireless TE agent for Raspberry Pi, it was noticed that the agents lost connectivity with the ThousandEyes web manager after a variable amount of time. Troubleshooting multiple failed agents identified logs associated with updates to the apt-news.service and esm-cache.service processes immediately before failure of the wlan: syslog Aug\u00a0 6 02:17:04 registration-wireless systemd[1]: Started PackageKit Daemon. Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update APT News\u2026 Aug\u00a0 6 02:17:20 registration-wireless systemd[1]: Starting Update the local ESM caches\u2026 Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: apt-news.service: Succeeded. Aug\u00a0 6 02:17:21 registration-wireless systemd[1]: Finished Update APT News.Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: esm-cache.service: Succeeded. Aug\u00a0 6 02:17:22 registration-wireless systemd[1]: Finished Update the local ESM caches.Aug\u00a0 6 02:18:38 registration-wireless systemd-networkd[667]: wlan0: Lost carrier More information on the two services can be found here: https:\/\/askubuntu.com\/questions\/1452519\/what-are-the-services-apt-news-and-esm-cache-and-how-do-i-disable-them Masking the services so they are not run by systemd resolved the failure of wlan0: $ sudo systemctl mask apt-news.service $ sudo systemctl mask esm-cache.service The above commands were then added to the startup scripts. We\u2019d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social! Cisco Secure Social Channels InstagramFacebookTwitterLinkedIn Share Share: \u00a0\u00a0Read how Validated Design TMEs deployed ThousandEyes on Pi4s wirelessly on the Black Hat USA 2023 network to provide network assurance and actionable insights.\u00a0\u00a0Read More\u00a0Cisco Blogs\u00a0","og_url":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","og_site_name":"JHC","article_published_time":"2023-08-26T08:59:39+00:00","og_image":[{"width":1,"height":1,"url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","type":"image\/gif"}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"39 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#article","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"},"author":{"name":"","@id":""},"headline":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm","datePublished":"2023-08-26T08:59:39+00:00","dateModified":"2023-08-26T08:59:39+00:00","mainEntityOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"},"wordCount":7816,"publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","articleSection":["Cisco: Learning"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","url":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/","name":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm - JHC","isPartOf":{"@id":"https:\/\/jacksonholdingcompany.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage"},"thumbnailUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","datePublished":"2023-08-26T08:59:39+00:00","dateModified":"2023-08-26T08:59:39+00:00","breadcrumb":{"@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#primaryimage","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/08\/16311806-EJgkXn.gif","width":1,"height":1},{"@type":"BreadcrumbList","@id":"https:\/\/jacksonholdingcompany.com\/thousandeyes-pi4-wireless-deployment-at-black-hat-usa-ryan-maclennan-on-august-24-2023-at-1200-pm-2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jacksonholdingcompany.com\/"},{"@type":"ListItem","position":2,"name":"ThousandEyes Pi4 Wireless Deployment at Black Hat USA Ryan Maclennan on August 24, 2023 at 12:00 pm"}]},{"@type":"WebSite","@id":"https:\/\/jacksonholdingcompany.com\/#website","url":"https:\/\/jacksonholdingcompany.com\/","name":"JHC","description":"Your Business Is Our Business","publisher":{"@id":"https:\/\/jacksonholdingcompany.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jacksonholdingcompany.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jacksonholdingcompany.com\/#organization","name":"JHC","url":"https:\/\/jacksonholdingcompany.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/","url":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","contentUrl":"https:\/\/jacksonholdingcompany.com\/wp-content\/uploads\/2023\/07\/cropped-cropped-jHC-white-500-\u00d7-200-px-1-1.png","width":452,"height":149,"caption":"JHC"},"image":{"@id":"https:\/\/jacksonholdingcompany.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/959","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/comments?post=959"}],"version-history":[{"count":0,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/posts\/959\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media\/940"}],"wp:attachment":[{"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/media?parent=959"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/categories?post=959"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacksonholdingcompany.com\/wp-json\/wp\/v2\/tags?post=959"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}