Sony PlayStation allows remote play using the PS Remote Play app, which is available on multiple operating systems (including mobile). I was recently given a Backbone One controller, which lets me put my mobile phone into its dock and use the familiar controls for gaming. It's convenient for travel, but also useful at home when you can't play in the room where your PlayStation is located.
The PS Remote Play app will switch your PS5 on if you have configured the appropriate settings, and usually the performance over Wi-Fi is pretty good. I do have a lot of wireless clients on my network, however, and there are times when the lag becomes unbearable. It can appear as glitchy graphics, which really hurts gameplay, or sometimes just as stuttering audio. To improve this situation I started investigating what the traffic between the PS5 and the client looked like and whether it could be prioritised over the network. I was able to find the traffic on my network using packet captures and could see that the stream of data between my mobile and the PS5 was UDP. The ports ranged from 9295 through 9304. I was able to quickly mark the traffic on my Aruba Wi-Fi using an access rule within the SSID I use for my mobile phone. The access rule looks for UDP traffic on ports 9295-9304 to the destination IP of my PS5 and marks it with DSCP 32 (CS4).
Traffic with this mark is prioritised over the Wi-Fi in the client-to-PlayStation direction, but the bulk of the traffic, which carries the video and audio, actually flows the other way (PS5 to client). If the PS5 were also a wireless client, this rule could be modified so that the destination is not restricted to the PS5, or duplicated with the client IP as the destination so that two rules cover both directions.
In my case the PS5 is a wired client, so instead of marking the traffic from the PS5 at the Wi-Fi infrastructure I can mark it in the switch, which means the switch's outbound queuing will also take it into account. In an ArubaOS switch configuration, classify the traffic with the classifier below:
Create a policy that marks the traffic matched by the classifier:
Finally, apply the QoS policy to the VLAN or physical interface that the PS5 connects to:
Within the IP protocol details of a captured packet in Wireshark you can see the Differentiated Services Field is marked as 32, which represents Class Selector 4. The switch also maps this DSCP marking to priority 4 in the 802.1Q VLAN tag, which applies if the frame leaves the switch towards another switch, for example.
The Aruba access point honours this DSCP mark and forwards the packet appropriately over the air. CS4 maps to the Wi-Fi Multimedia (WMM) Video access category (AC_VI), which gives it an advantage in transmission opportunities over the Best Effort and Background categories.
So marking the traffic close to the source is important. The most beneficial mark in this case comes from the switch the PS5 is plugged into. The AP honours it and passes the traffic over the air with higher priority using WMM. The access rule on the AP marks the return UDP traffic from the client (the PS Remote Play device) so that it reaches the PS5 with higher priority. This traffic is likely to contain controller (button press) data, so it can't hurt to prioritise it.
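To check that the marking described above actually lands on the wire, here is an added Python example (not from the original post) that decodes the DS field of an IPv4/UDP header, applies the same match as the SSID access rule, and shows how the DSCP value is read by the switch (802.1p priority) and the AP (WMM access category). The PS5 address and the packets are constructed for the example.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

PS5_IP = IPv4Address("192.168.1.50")     # constructed address standing in for the author's PS5
REMOTE_PLAY_PORTS = range(9295, 9305)    # UDP 9295-9304 seen in the capture
CS4 = 32                                 # DSCP value applied by the access rule and switch policy
UDP = 17


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, dscp: int = 0) -> bytes:
    """Constructed IPv4 + UDP header pair (checksums left at zero) for offline testing."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 28, 0, 0x4000, 64, UDP, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return ip + udp


def parse_ipv4_udp(pkt: bytes) -> dict:
    """Decode the fields that the access rule and Wireshark's IP details expose."""
    ver_ihl, tos, _len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    fields = {"dscp": tos >> 2, "ecn": tos & 0x03, "proto": proto,
              "src": IPv4Address(src), "dst": IPv4Address(dst)}
    if proto == UDP:   # UDP ports are the first four bytes after the IP header
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return fields


def access_rule_dscp(fields: dict) -> Optional[int]:
    """Mirror the SSID access rule: UDP 9295-9304 towards the PS5 is marked DSCP 32 (CS4)."""
    if fields["proto"] == UDP and fields["dst"] == PS5_IP and fields.get("dport") in REMOTE_PLAY_PORTS:
        return CS4
    return None


def describe_dscp(dscp: int) -> dict:
    """How later hops read the mark: class-selector name, 802.1p priority, WMM access category."""
    pcp = dscp >> 3                        # default DSCP -> 802.1p mapping uses the top three bits
    wmm = ["AC_BE", "AC_BK", "AC_BK", "AC_BE", "AC_VI", "AC_VI", "AC_VO", "AC_VO"][pcp]
    name = f"CS{pcp}" if dscp & 0x07 == 0 else f"DSCP{dscp}"
    return {"dscp": dscp, "class": name, "pcp": pcp, "wmm_ac": wmm}


if __name__ == "__main__":
    downstream = parse_ipv4_udp(build_ipv4_udp("192.168.1.50", "192.168.1.20", 9297, 50000, dscp=CS4))
    print(describe_dscp(downstream["dscp"]))   # {'dscp': 32, 'class': 'CS4', 'pcp': 4, 'wmm_ac': 'AC_VI'}
    upstream = parse_ipv4_udp(build_ipv4_udp("192.168.1.20", "192.168.1.50", 50000, 9297))
    print(access_rule_dscp(upstream))          # 32
```

Feeding the parser a real capture (for example the raw bytes of a packet exported from Wireshark) lets you confirm the mark survives each hop instead of trusting the configuration alone.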
These QoS capabilities could be used for all kinds of applications. What have you used QoS for?
It is possible to temporarily change the prompt that appears on every line in macOS and other operating systems that present a Bash-style terminal. You may want to customise this during a demonstration or screen share rather than showing off your computer's hostname and username.
When you open Terminal in macOS, for example, you are operating a Z shell (zsh). Older versions of macOS used Bash. By default, the prompt shows the username of the currently logged-in user, followed by @ and the hostname of the computer you are using.
To change this temporarily you can use export.
You can create custom date and time strings relative to "now" with the [Time Source] Authentication Source. This was useful recently when I needed to customise the expiration of MAC caching on Guest devices.
Instead of having the MAC caching last until the guest account expired, or for a day or a week from now, I wanted the caching to last until midnight of the current day. Here is how I achieved it. In the ClearPass Guest Authentication with MAC Caching template, an attribute called "MAC-Auth Expiry" is written to the endpoint. The caching duration is set in the MAC Caching Settings tab of the service template configuration wizard. By default it is set to the Account Expiry Time using %{Authorization:[Guest User Repository]:ExpireTime} in the MAC Caching enforcement profile.
Note: I have used the prefix "deleteme" when using the Service Template so that I remember to remove the components it creates for this demonstration.
The value of Expire Time is extracted from the Guest User Repository so that it matches the Guest Account expiration when written to the Endpoint attribute.
The variable changes somewhat if you set the expiration to One Day or One Week, however. Instead of pulling information from the Guest User Repository it uses the Time Source, which is based on a SQL query.
"One Week DT" is just one of the options available as part of the default Time Source configuration. It references the following SQL query, which takes the current time rounded to the hour and adds one week.
There are various other examples built in to the Time Source, such as Now DT, One Day DT, One Month DT and Six Months DT. These all display in an easy-to-read date-time format of YYYY-MM-DD HH:MM:SS. There are other aliases that return an integer value relative to the Unix epoch. I am less interested in calculating the time from a number, so I will focus on the more readable form.
To create a variable that returns my desired result I added an additional filter to the Time Source. This is found in ClearPass Policy Manager under Configuration --> Authentication --> Sources.
I called the Filter "Today at Midnight" and used the following Filter Query:
This query rounds the date-time down to the current day, so the time component becomes 00:00:00. It then adds 23 hours, 59 minutes and 59 seconds, resulting in a value of the form YYYY-MM-DD 23:59:59 (where YYYY-MM-DD is the current day). I then referenced it with the Alias Name "Tonight DT" so that I can use it in my enforcement profile variable.
Save the filter and the Time Source.
Now go to Enforcement --> Profiles and find the Guest MAC Caching profile for your service. In the Attributes tab of the profile, edit the Endpoint attribute value for MAC-Auth Expiry so that it uses the new Time Source variable.
When a guest successfully authenticates, the Guest MAC Caching enforcement profile is called by the "User Authentication with MAC Caching Enforcement Policy". You will see it as one of the multitude of actions taken.
The "MAC Authentication Role Mapping" policy (as created by the service template) is referenced by the "MAC Authentication Enforcement Policy". Notice that the first condition, which assigns the TIPS Role [MAC Caching], checks the endpoint's MAC-Auth Expiry attribute and ensures that the present time is less than it.
Now DT is actually rounded to the hour if you inspect the SQL query. I found this out when I was testing and had used an expiration of five minutes from now using the following SQL query. Because of this, Now DT would not be granular enough if you needed expiration to occur in periods shorter than one hour, and it may require some further modification. There are possibly better ways to approach such a scenario, however. Because "Now DT" will not be less than %{Endpoint:MAC-Auth-Expiry} at precisely midnight, the Tonight DT approach works as expected.
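The following added Python example (not ClearPass's own SQL, nor code from the post) models the "Tonight DT" filter, the role-mapping comparison against MAC-Auth Expiry, and the hour-rounding caveat just described. It assumes the Time Source rounds "Now DT" down to the hour; the login times are constructed.

```python
from datetime import datetime, timedelta

DT_FORMAT = "%Y-%m-%d %H:%M:%S"   # the readable form the Time Source aliases return


def parse_dt(value: str) -> datetime:
    """Parse a YYYY-MM-DD HH:MM:SS string as the Time Source would display it."""
    return datetime.strptime(value, DT_FORMAT)


def format_dt(value: datetime) -> str:
    return value.strftime(DT_FORMAT)


def tonight_dt(now: datetime) -> datetime:
    """'Tonight DT': round down to the current day, then add 23h 59m 59s -> YYYY-MM-DD 23:59:59."""
    start_of_day = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return start_of_day + timedelta(hours=23, minutes=59, seconds=59)


def now_dt(now: datetime) -> datetime:
    """'Now DT' as the post describes it: the current time rounded to the hour.
    Assumption: modelled as rounding down, so 14:50 becomes 14:00."""
    return now.replace(minute=0, second=0, microsecond=0)


def five_minutes_dt(now: datetime) -> datetime:
    """The short test expiry from the post: five minutes after the (unrounded) login time."""
    return now + timedelta(minutes=5)


def mac_caching_role_applies(now: datetime, mac_auth_expiry: datetime) -> bool:
    """Role-mapping condition: Now DT must be less than the endpoint's MAC-Auth Expiry."""
    return now_dt(now) < mac_auth_expiry


if __name__ == "__main__":
    login = parse_dt("2022-11-15 14:23:05")          # constructed guest login time
    expiry = tonight_dt(login)
    print(format_dt(expiry))                           # 2022-11-15 23:59:59
    for t in ("2022-11-15 23:30:00", "2022-11-16 00:00:00"):
        print(t, mac_caching_role_applies(parse_dt(t), expiry))   # True, then False
    # The caveat: a 5-minute expiry is still honoured at 14:50 because Now DT reads 14:00.
    short = five_minutes_dt(login)                     # 2022-11-15 14:28:05
    print(mac_caching_role_applies(parse_dt("2022-11-15 14:50:00"), short))   # True
    print(mac_caching_role_applies(parse_dt("2022-11-15 15:00:00"), short))   # False
```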
The result of all of this is that on subsequent MAC authentication requests beyond the first date of connection, the device is presented with a captive portal. In my use case this was a customised web login page which required the username to be entered to resume the session. This continues until the guest account expiration disables the account (which could be weeks, months or longer into the future).
Let me know if this helps you out by commenting below or sharing in your social feeds.

This article covers a very specific case: importing a certificate and private key pair where the private key does not have a password. It does not explain certificate types or use cases, certificate and key file formats, or the intricacies of PKI. ClearPass requires certificates in order to operate securely (encrypt/decrypt traffic) and to identify itself during RADIUS transactions. The most common certificates you would import are RADIUS, HTTPS and RadSec. There are others, but these all require a private key. ClearPass allows you to import the certificate and private key as two separate files (you can also import them as a combined file). It is quite common to receive a private key file that is not protected by a password, whether from a public certificate authority or an internal CA service. When you try to import this file pair into ClearPass while leaving the "Private Key Password" field blank, you will receive an error stating that the Private Key Password must be specified. The problem is that there isn't one to enter, so it can be confusing how to proceed.
You can get around this error by entering anything (I haven't exhaustively tested every possible entry) into the Private Key Password field. On my first attempt I used "null", which worked. Then I used "asdf", which also worked. A simple, single-character entry also appeared to work fine.

When using phone numbers in ClearPass Guest self-registration, the system promotes US and UK to the top of the country code selector by default. This isn't always suitable, so you may want to change which country codes are promoted to the top to better fit your user base. Generally this comes up when you are building a Guest self-registration workflow, but it may be relevant for any page which shows a phone number field in a ClearPass form. It is possible to edit the settings of the most commonly used visitor_phone base field. This results in an update across all forms which use this field. This can be done from the ClearPass Guest Configuration page.
It is also possible to edit this field on a per-form basis so that portals and pages can have differing preferred country codes. This may be appropriate for ClearPass deployments that cater to global or multinational use cases.
WifiHax: We build and optimise networks. Continuous learning is our secret to being good. Along the learning journey we will share things here. Archives: November 2022.