Posts filed under Tips'n Tricks

Juniper Unified Access Control With Junos Pulse

This blog post holds the key ingredients for successfully authenticating on layer 2 (802.1X, or dot1x) and layer 3 with:

General Information

The setup consists of four networks (VLANs) and Internet access. Inter-VLAN communication is handled by a Juniper SRX210. The four VLANs are:

  • Untrust (VLAN 20)
    The Internet
  • Trust (VLAN 10 - 192.168.1.0/24)
    This VLAN hosts the UAC, Active Directory, DNS and DHCP services
  • Production (VLAN 100 - 192.168.100.0/24)
    Network where the normal workstations are placed
  • Quarantine (VLAN 200 - 192.168.200.0/24)
    This is where the naughty people/PCs are dropped

When a PC is placed in Quarantine, it loses all access to the Internet, but it can still resolve domain names and reach a minimal set of internal services such as the DHCP server and the UAC.

The components on the network are:

  • Domain Controller + DNS Server - 192.168.1.10
  • DHCP Server - 192.168.1.1
  • UAC - 192.168.1.11
  • Gateway(s) - .254 in each VLAN

Posted on August 5, 2014 and filed under Security, Tips'n Tricks.

Continuous Macro Lighting

When shooting macro, you need a lot of light. Normally you would use one or more (off-camera) flashes for this. The downside of a flash is that you only get the light when you press the shutter button, which can be challenging in a relatively low-light environment.

A solution for this is continuous lighting.

Traditional continuous lighting setups ran hot: a couple of hundred watts was nothing unusual, and in a small workspace things got hot (literally).
Thankfully, we have LED lights nowadays: small (battery powered) devices with a lot of bright LEDs, and very affordable.

I bought a set of video lights on Amazon with 160 LEDs each (NanGuang CN-160). The devices are battery powered and give a lot of light. The video lights have a dimmer, so you can control the amount of light.

NanGuang CN-160 Video Lights

They take several types of batteries, including six AA-type rechargeable batteries. The problem with the AA batteries is that they drain relatively fast, so I got a set of the supported camcorder batteries (Sony NP-F750F type), not the originals but cheaper knock-offs. Another advantage of the larger batteries over the AA types is that the amount of light produced is significantly higher, and it lasts for a longer period of time.

Batteries not included

The lights themselves are relatively light, but with the batteries they tend to weigh around half a kilo each. So this is not a practical setup for handheld macro photography in the field.

To give you an idea of how much light they produce: the following photo was taken in a dark room with one of the video lights on full power and the included diffuser. The camera (handheld) and lens settings were:

  • Camera: Fujifilm X-T1
  • Lens: Sigma 105mm F/2.8 Macro DG (F-mount with an X-mount adapter)
  • Shutter: 1/600
  • Aperture: F/8
  • ISO: 400

All I need right now is some sort of flexible (portable) workspace with a way of positioning the lights independently around the subject.

UPDATE: I received my cheap flexible tripods and (even cheaper) ballheads by mail today. This should make the lighting for my macro photography a bit easier.

The total cost of this setup is around €150 (depending on the currency exchange rate).

Note: The tripods and ballheads are sturdy enough for the (cheap) LED lights, but I wouldn't trust them with my Leica or Fuji camera.

Posted on April 25, 2014 and filed under Gear, Hardware, Photography, Tips'n Tricks.

Domain User Membership check via LDAP

When you are using LDAP to determine Windows Active Directory group membership, and the group you are aiming for is the Domain Users group, then you're in for a surprise. It turns out that LDAP doesn't list the Domain Users group for a user: the memberOf attribute has no entry for Domain Users. Just compare the following screenshots. The first screenshot shows the Active Directory user interface for the user Administrator, and the second shows the LDAP equivalent of that same user.

Active Directory group memberships

LDAP group memberships

The LDAP output doesn't show a 'memberOf: CN=Domain Users, CN=Users, DC=testdomain, DC=local' attribute.

The reason is that Active Directory has a so-called primary group, which by default is Domain Users, and membership in the primary group is not stored in memberOf. Instead the user has an LDAP attribute called 'primaryGroupID' holding a number: the RID (relative identifier, the last part of the group's SID) of the primary group.

So if you need to check for Domain Users membership with LDAP, you should check the value of the primaryGroupID attribute. For Domain Users this is the well-known RID 513, which is the same in every domain (computer accounts get 515 for Domain Computers, and domain controllers 516). Keep in mind that an administrator can change a user's primary group; in that case primaryGroupID points elsewhere and Domain Users does show up in memberOf, so a robust check looks at both attributes.

So if you're using certificate based authentication on a Juniper Pulse Access Gateway or Pulse Access Control Service, and you need to check Windows Domain Users group membership, the primaryGroupID is the way to go.

By the way, if you're looking for a good cross-platform LDAP browser, I can recommend Apache Directory Studio. It's intuitive, has a good interface and just works (oh... and it's free).
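The check described above, as an added example that is not part of the original post: it takes the attributes an LDAP search returns for a user and decides membership, treating the primary group as a special case. The domain SID, DNs and the Administrator record are constructed sample data shaped like the post's screenshots; the SID layout (revision, 6-byte big-endian authority, little-endian 32-bit sub-authorities) and the well-known RIDs are standard AD facts. It does not resolve nested groups.

```python
# Added example (not from the original post): decide AD group membership from
# the attributes an LDAP search returns, treating the primary group correctly.
# The domain SID, DNs and the user record below are constructed sample data.
import struct

DOMAIN_USERS_RID = 513        # well-known RIDs, identical in every AD domain
DOMAIN_COMPUTERS_RID = 515
DOMAIN_CONTROLLERS_RID = 516

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"            # constructed
DOMAIN_USERS_DN = "CN=Domain Users,CN=Users,DC=testdomain,DC=local"

# What an LDAP search returns for Administrator, as the post describes it:
# groups in memberOf but no Domain Users, only primaryGroupID (most LDAP
# clients hand attribute values back as strings). Constructed sample.
ADMINISTRATOR = {
    "sAMAccountName": "Administrator",
    "memberOf": [
        "CN=Domain Admins,CN=Users,DC=testdomain,DC=local",
        "CN=Enterprise Admins,CN=Users,DC=testdomain,DC=local",
        "CN=Administrators,CN=Builtin,DC=testdomain,DC=local",
    ],
    "primaryGroupID": "513",
}


def sid_to_string(sid: bytes) -> str:
    """Binary objectSid -> 'S-1-5-21-...': revision, 6-byte big-endian
    authority, then little-endian 32-bit sub-authorities."""
    revision, count = sid[0], sid[1]
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def string_to_sid(text: str) -> bytes:
    parts = text.split("-")
    if parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def rid_of(sid: bytes) -> int:
    """The RID is the last sub-authority; primaryGroupID stores only this."""
    count = sid[1]
    return struct.unpack_from("<I", sid, 8 + 4 * (count - 1))[0]


def normalise_dn(dn: str) -> str:
    # DN comparison is case-insensitive and ignores whitespace around commas
    return ",".join(part.strip() for part in dn.split(",")).lower()


def is_member(user: dict, group_dn: str, group_sid: bytes) -> bool:
    """True if the group is listed in memberOf, or it is the user's primary
    group (absent from memberOf; only its RID is stored). Nested membership
    is not resolved here."""
    wanted = normalise_dn(group_dn)
    if any(normalise_dn(dn) == wanted for dn in user.get("memberOf", [])):
        return True
    return int(user.get("primaryGroupID", 0)) == rid_of(group_sid)


def is_domain_user(user: dict, domain_users_dn: str = DOMAIN_USERS_DN) -> bool:
    """Domain Users check without a group lookup, since the RID is well known.
    The memberOf branch covers an account whose primary group was changed,
    after which Domain Users becomes an ordinary membership."""
    if int(user.get("primaryGroupID", 0)) == DOMAIN_USERS_RID:
        return True
    wanted = normalise_dn(domain_users_dn)
    return any(normalise_dn(dn) == wanted for dn in user.get("memberOf", []))
```

For any group other than the primary one you still need the group's objectSid (or its DN) from a separate search; `is_member` takes both so that the same function works for Domain Users and for a group with a normal memberOf entry.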

No EAP Protocol Was Agreed On

Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).

The limited parts are:

  • SSL is limited to 3 concurrent users
  • UAC is limited to 5 concurrent users
  • You cannot add additional licenses
  • The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additional licenses).

Max. 3 concurrent SSL VPN users

Max. 5 concurrent UAC users

So yes, it's crippled, but still very nice to play with in a lab or home/study environment.

Anyway, I have both the UAC and the SSL VPN running at home, both in VMware Fusion on a Mac OS X Server (Mac mini).

A couple of months ago, Juniper released a new major version of the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VMs to the latest software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN; the upgrade went smoothly. The UAC was a different story. For some reason the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.

So I tried a clean install to see if I could import the old configuration of the existing UAC (v4.4) into the new version 5. That never worked in the older versions of both the SSL VPN and UAC: importing a configuration meant that you needed the matching software version on the device first.

Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (the other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1X, which didn't work as it should.

The logging of the UAC showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP exchange relies in part on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI.

After checking and double-checking everything (I even tried authenticating against the older UAC version, which still worked), I decided to do a clean install (back to factory settings) and reconfigure the entire UAC by hand instead of using the import.

Guess what: everything worked after I had copied the configuration by hand.

So I guess that importing an XML file belonging to an earlier software version still doesn't work. The only difference is that in the old days you got a warning or error.

So if you're getting the 'No EAP Protocol Was Agreed On' error in your event log after a recent upgrade, you might want to try a fresh install and configure things by hand.

I have no idea if this is applicable to the 'normal' hardware appliances with the software.

Posted on April 13, 2014 and filed under Security, Software, Tips'n Tricks.

Fujifilm X-T1 and Lee Filters

Lee Filter System

Lee Filter System

During my time with the Nikon D300 I always used regular (screw-in) filters (circular polarizers and ND filters). Since the release of the Fujifilm X-T1 I have wondered whether a Lee filter system might be better and more flexible (not cheaper!).

At the moment they offer the normal 100mm filter system and the new 75mm filter system (Seven5). The latter is designed specially for the smaller cameras (MFT, mirrorless APS-C, etc.).

Fujinon XF 10-24mm f/4 R OIS

The Seven5 series is cheaper since it uses smaller filters (75mm versus 100mm), and since my Fujifilm X-T1 uses relatively small lenses this could be a winner (the kit lens has a 58mm filter thread), until I found out that the new ultra wide angle Fujinon XF 10-24mm F/4 R OIS has a 72mm filter thread. And as you might guess, I'm really interested in that lens.

Fortunately, Lee has a 75-to-72mm adapter, so technically the Seven5 system can be used with that lens.

Adaptor ring thread sizes:
The holder attaches to the lens via a screw-in adaptor ring. The adaptor ring is available in the following thread sizes: 37, 37.5, 39, 40, 40.5, 43, 46, 49, 52, 55, 58, 60, 62, 67 and 72mm.

But 72mm versus 75mm doesn't leave much room on the vignetting side of it. Chances are that you get serious vignetting on the ultra wide end of the focal range (10-14mm), because of the filter holder attached to the lens.

Just to make sure, I dropped Lee an e-mail, and this is what I got in return:

I tested a pre launch version of this lens last week on my XPro-1 - 10mm is very wide and the lens is the maximum size our 75mm holder can accept. You do get vignetting below about 12mm, which is still good given that is 15mm FF equivalent.

You would have no problems with the bigger system and a wide angle ring at 10mm, but the system is much larger and more expensive.

The s5 system works very well on all other X lenses - you just need to decide whether those last 2mm of focal length are really important to you.

Personally, I will be sticking with the 14mm prime (but upgrading to the X-T1)

I hope this helps.

With regards,

Tech Support - LEE Filters

Fujinon XF 14mm f/2.8 R

So there you have it: accept additional vignetting on the ultra wide side, or invest in the more expensive 100mm filter system. But before I even invest in a filter system I need to see some independent reviews of that new lens. I might even get the Fujinon XF 14mm f/2.8 R. That lens is available at the moment and is highly recommended by several sites [2], reviewers and users.

Choices, choices, choices

UPDATE: After much deliberation I bought the Lee 100mm kit with two adapter rings. One for the Fuji 18-55mm (58mm filter thread) and one for the Samyang / Rokinon 12mm f/2 (67mm filter thread). I also added the Big Stopper (10 stops ND) and the Little Stopper (6 stops ND) to my cart.

So in the event I decide to switch camera brand/systems with different lenses (filter threads) I can still use this filter system. I only have to get new/other lens adapters.

Posted on March 28, 2014 and filed under Gear, Photography, Personal, Tips'n Tricks.

Train iPhone 5s Touch ID

Touch ID is the name of the fingerprint reader in the new iPhone 5s. When you configure it, you can register up to five fingers with which you can unlock your iPhone.

Settings -> General -> Touch ID & Passcode -> Touch ID

On my phone this always started failing after a couple of days. For some reason the fingers were no longer recognized properly, and I was forced to use the PIN.

The (temporary) way to solve this was to re-register the fingers, until I read about a way of training the device.
When you're in the menu where you normally register your fingerprints, you can add extra print data for each finger by simply placing one of the already registered fingers on the home button. When the finger is recognized, its entry in the list turns grey for a second (as shown in the screenshot). Doing this a couple of times for every finger increases the data stored for those fingers, and the more data is stored, the better the chance that the finger keeps being recognized in the future.

UPDATE: With the iOS 7.1 update the Touch ID responds a lot better.

Posted on February 10, 2014 and filed under Apple, iPhone, Tips'n Tricks.

Updating to iOS 7.0.5 Turned Ugly


During the update of my iPhone it got stuck in the so-called recovery mode. This means that everything on the iPhone is lost, and that you need to restore everything from a backup. Thankfully, the last backup was made 10 minutes before the upgrade process began. So no worries there.

The panic started to kick in when the actual recovery process terminated with an unknown error (17).

An unknown error occurred (17)

No matter what I tried, the error kept recurring.

Searching the Interwebs, I found several forums suggesting that you check the hosts file on your computer: any entries referring to the apple.com domain should be removed.

Checking the hosts file (located at /etc/hosts on a Mac), I found an entry for gs.apple.com pointing at a specific IP address. At that point things started to dawn on me.

A couple of years ago I experimented with running my own MobileMe-like service (so I wouldn't need to buy a MobileMe account back then). That required faking some Apple web servers, and one of them was gs.apple.com.

After removing the entry from my hosts file and rebooting my iMac, the recovery process went flawlessly.

This 'experience' made me wonder: did the iPhone get stuck in recovery because of the hosts file entry? gs.apple.com is the server iTunes contacts to have a restore signed, so pointing it at a stale internal address explains the failure. If so, this could be disastrous if someone made these servers unreachable (a DNS hijack, a hosts file entry, an outage), since the iPhone would stay a brick for as long as they are not accessible.
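The check the forums suggested, as an added example that is not part of the original post: a small parser for the hosts file format (full-line and trailing comments, several names per line, IPv4 and IPv6) that reports every entry overriding a given domain or one of its subdomains. The file content below is a constructed sample containing the kind of leftover entry described above; the default path is the one the post names.

```python
# Added example (not from the original post): find hosts-file entries that
# override a domain, so a leftover redirect like the one in this post is
# caught before a restore. SAMPLE_HOSTS is constructed; HOSTS_PATH is the
# macOS/Linux location named in the post.
from typing import List, Tuple

HOSTS_PATH = "/etc/hosts"   # Windows: %SystemRoot%\System32\drivers\etc\hosts

Entry = Tuple[str, str, int]   # (ip, hostname, line number)


def parse_hosts(text: str) -> List[Entry]:
    """Return (ip, hostname, line_number) for every active mapping.
    Anything after '#' is a comment; one line may map several names."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue   # an address with no names maps nothing; skip it
        ip, names = fields[0], fields[1:]
        for name in names:
            entries.append((ip, name.lower().rstrip("."), number))
    return entries


def overrides_for(text: str, domain: str) -> List[Entry]:
    """Entries whose hostname is `domain` itself or a subdomain of it
    (so 'notapple.com' does not match 'apple.com')."""
    domain = domain.lower().strip(".")
    return [e for e in parse_hosts(text)
            if e[1] == domain or e[1].endswith("." + domain)]


def check_hosts_file(path: str = HOSTS_PATH, domain: str = "apple.com") -> List[Entry]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return overrides_for(fh.read(), domain)


# Constructed sample: a stock macOS hosts file plus the leftover entry.
SAMPLE_HOSTS = """\
##
# Host Database (constructed sample)
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
# leftover from the home-grown MobileMe experiment:
192.168.1.20    gs.apple.com albert.apple.com   # fake Apple servers
192.168.1.21    notapple.com
"""

if __name__ == "__main__":
    for ip, name, number in check_hosts_file():
        print(f"{HOSTS_PATH} line {number}: {name} -> {ip}")
```

Run it before an iOS restore; any line it prints is a candidate for removal (and remember that a change to /etc/hosts on a Mac may need a DNS cache flush or a reboot, as the post found, before iTunes sees it).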

Posted on February 8, 2014 and filed under Annoying, Apple, iPhone, Personal, Software, Tips'n Tricks.

Use Cisco ISE for RADIUS Authentication with Juniper Junos Devices

While preparing for some Juniper exams, I wanted to test RADIUS authentication for Junos device access. This way of authenticating is helpful in larger networks: instead of maintaining local usernames and passwords on every device, you use a centralized RADIUS server to authenticate on all of them. If that RADIUS server uses Active Directory as its user database, you can log in to your network devices with your regular domain username and password.

The RADIUS server of choice (at the moment of writing this) is Cisco Identity Services Engine (ISE). Overkill for this specific blog post, but fun to do.

Posted on January 22, 2014 and filed under Junos, Security, Tips'n Tricks.

Export Photos From Lightroom As Fine Art Prints

Usually, I export my photos from Adobe Lightroom either for print or for online display. The exports for online use (SmugMug, Flickr, or several online forums) contain a watermark in the bottom right corner, something that can be done with the export module in Adobe Lightroom.

I wrote an article a while back on how to do this using Photoshop actions, but this time I want to take a different approach: one that avoids (or at least minimizes) the use of Adobe Photoshop and relies on the power of Adobe Lightroom (plugins) instead.

Posted on January 17, 2014 and filed under Tips'n Tricks, Photography.

Expired SSL Certificates

When I'm working on customer projects that involve SSL, I always keep reminding them to renew their certificates in time. Why? Because they almost always forget, and once the certificates expire things stop working and they call us.

Guess what? My certificates expired this evening, so I got numerous warnings and errors in the applications that use them. Thankfully I run my own CA (XCA) and had documented where each certificate is used and how to replace it, so I was back in business in 10 minutes.

Lesson learned: put a reminder in my calendar to replace them well ahead of the expiry date.
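The reminder can come from a script instead of a calendar. As an added example that is not part of the original post: a check over a small inventory of where certificates are used and when they expire, with a helper that pulls the real expiry date from a live server. The host names and dates are constructed; the date format is the one `ssl.SSLSocket.getpeercert()` returns, so the two halves fit together.

```python
# Added example (not from the original post): expiry check over a certificate
# inventory, plus a live lookup of notAfter. Host names and dates constructed.
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Hypothetical inventory: where each certificate is used and its notAfter, in
# the "%b %d %H:%M:%S %Y GMT" form that getpeercert()['notAfter'] uses.
INVENTORY = {
    "uac.testdomain.local:443": "Jan  5 23:59:59 2014 GMT",
    "vpn.testdomain.local:443": "Mar 14 12:00:00 2014 GMT",
}


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def expiry_utc(not_after: str) -> datetime:
    """Parse a notAfter string exactly as the ssl module presents it."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def days_until_expiry(not_after: str, now: datetime) -> int:
    """Whole days left; negative once the certificate has expired."""
    return (expiry_utc(not_after) - now) // timedelta(days=1)


def classify(days_left: int, warn_days: int = 30) -> str:
    if days_left < 0:
        return "expired"
    if days_left <= warn_days:
        return "renew"
    return "ok"


def check_inventory(inventory: dict, now: datetime, warn_days: int = 30) -> list:
    """(name, days_left, status) for every entry, most urgent first."""
    rows = [(name, days_until_expiry(not_after, now)) for name, not_after in inventory.items()]
    return sorted(((name, days, classify(days, warn_days)) for name, days in rows),
                  key=lambda row: row[1])


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """notAfter of the live server certificate (needs network access). The
    default context verifies the chain, so an already expired certificate
    raises ssl.SSLCertVerificationError here, which is itself the signal."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    for name, days_left, status in check_inventory(INVENTORY, datetime.now(timezone.utc)):
        print(f"{status:8} {days_left:5d} days  {name}")
```

Run it from cron with a threshold that matches how long your renewal takes (for a private CA like XCA that is minutes, for a public CA with validation it can be days), and feed `fetch_not_after` into the inventory for the endpoints that are reachable, so the recorded dates cannot drift from what is actually deployed.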

Posted on January 5, 2014 and filed under Security, Tips'n Tricks.