Juniper started to migrate their firewalls from Netscreen to the Junos environment 'a couple of' months back. The advantage is that there's a universal OS for routers, switches and firewalls. Just like Cisco IOS. The disadvantage is that the Junos OS is being adapted for the firewalls. So the foundations are there, but there are still lots of features missing and bugs are also still abundant.
The bugs are thankfully mostly related to the WebGUI. On the commandlinethe bugs are in the same league as the Cisco, Checkpoint and every other vendor bugs. No piece of software is perfect.
For testing and development purposes I run a Cisco Secure ACS 5.x in a virtual machine at home. In this environment I also run an Apple Directory Service. I'll be using this setup to test several 802.1x and RADIUS authentication schemes.
To get things going I needed to connect to the ACS to my LDAP Directory. The Apple Directory Service is a bit different from the regular LDAP implementations. They seem to add the 'apple' reference in a lot of attribute values. Thankfully the ACS has a very versatile configuration interface.
Apple references in attribute valuesNormally, the group definition would be 'group' instead of 'apple-group'. So the configuration of the ACS should reflect these variations to the standard.
Earlier this week I got the announcement (I opened an Adobe application) that there was an update for the Adobe Reader app. Security-conscious as I am, I fired up the update process.
Each time, this process stopped at the (near??) end of the installation with the following error:
The operation couldn’t be completed. (com.adobe.ARM error 1807.)
The error also suggested looking at the log file. Examination of this file showed nothing out of the ordinary. At least not that made sense to me.
There were some lines in the log that made me try to do a work-around (in bold);
During the clean-up of my personal data on my Mac's, I found several PGP encrypted containers, and encrypted files. To see what was stored in them, I needed to install PGP (again).
After installing the software I dug up my keyrings and everything worked fine, until I tried to encrypt an e-mail. In the old days you had a button for encrypting the body of an e-mail message, but today things have changed. PGP is using some sort of (local) proxy to encrypt, decrypt, sign and verify e-mail messages. BUT there's also the possibility to do this with text on the clipboard, or text you selected with your mouse/keyboard.
This is where I ran into some missing functionality; Normally the PGP actions are visible under the 'right-mouse' click -> Services, but no PGP actions available. Further investigation showed that no PGP actions were available on (plain) text in editors. PGP actions on entire files were no problem.
I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.
In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.
During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.
Today we ran into a feature of the Machine Authentication Restrictions (MAR) option in the Cisco Secure ACS Radius server. It seems that when you're using the ACS for 802.1x authentication, you have the option of demanding that the authenticating users can only be authenticated when the computer is already authenticated. This way, you make sure that no user can access the network without a legitimate PC.
PhotoLinkerI tend to geotag most of my photos. This way I have location information with the photo for future reference. It's also a neat feature that you might exploit when creating photo albums with e.g. iPhoto. The GPS coordinates in the images creates the option to create maps in iPhoto albums.
I use geotagging in two different ways. I use the jf Geocoding plugin in Lightroom and the PhotoLinker application. Both have their (dis)advantages. Something I won't go into in this post.
Nikon Coolpix P7000Some of the readers may know that I used the Panasonic Lumix LX3 as a backup/compact camera for the times a dSLR isn't welcome (or practical). One of the places where a dSLR isn't welcome is your average (pop)concert. The Lumix LX3 was (and still is) an excellent compact camera with astonishing low-light capabilities. The only problem I had with the camera was that the zoom function only went to 60mm (35mm equivalent), and 60mm is a bit short when you're not standing directly in front of the podium....
Last night we went to a concert/CD-release of the Belgium rockband Triggerfinger. This was also the first time I brought my new Nikon P7000. The following photos and video were shot with this new Nikon Coolpix Perfomance series compact camera.
The concert was great. Great enough to get their latest CD in the lobby. I hope we're gonna hear more of them.
;)
;)