Posts filed under Software

Install Cisco Identity Services Engine v2.4 From USB

The Cisco Identity Service Engine (ISE) is a NAC solution used for accessing the network. The version (while writing this post) is v2.4.

For a new implementation of Cisco ISE I had to re-image 2 SNS-3595 appliances with the latest software. This can be done in various ways:

  1. Write the ISE iso to USB and boot / install from the USB flash-drive

  2. Use the JAVA/HTML5 KVM option through the CICM interface

  3. Hookup a USB DVD player with a dual-layer DVD containing the appropriate ISO file

The preferred option is the USB flash drive, since it's the fastest, but only if you are able to boot from USB... After trying several USB flash drives with the tool recommended in the Cisco manual I gave up. The boot menu never saw the USB flash drive. So after wasting several hours on that I opted for the KVM install method.

Juniper vSRX Firewall and VMWare Workstation 14

For a work related project, I wanted to run the Juniper vSRX firewall (v15.1X49-D110) on my work laptop by using VMWare Workstation Pro 14. Unfortunately, the installation (importing the Juniper vSRX OVA file) resulted in a VMWare Workstation crash.

Kodi Media Playback Stops Frequently

Ever since the good-old Popcorn Hour died last year, we've been consuming our media through a Minix media player with XBMC, or Kodi as it's called since version 15. And even though this was a complete package (everything configured and pre-installed), it had a learning curve and required more maintenance than the Popcorn Hour.

A couple of weeks back, we started to experience cut-offs in the media we were consuming. TV shows and movies stopped for no reason. The image froze, the audio cut out, and the subtitles would go on like nothing was wrong. After a few seconds the display goes black, and after 5 to 10 seconds the Kodi menu would present itself.
At this point we would select play, and the TV show or movie would continue where it had stopped.

The stopping (or crashing) of the media could occur 1-10 times in a movie and a couple of times in a TV show. One or two times is already annoying, so you can imagine what 10 or 15 'crashes' might invoke....

Posted on December 1, 2015 and filed under Tips'n Tricks, Software, Hardware, Annoying.

Firefox v42 Tracking Protection

With the launch of Firefox v42 (and up) they introduced an adBlocker in the browser. The ad blocking feature is available (by default) during the use of Private Browsing.

But if you don't want to see those advertisements, and for some reason you don't want to use Private Browsing (like me), then you're out of luck (by default). There's no normal way to enable this feature without the use of Private Browsing (or using an ad blocker add-on for Firefox). Thankfully, Firefox uses a config module in which you can tweak almost everything.... including the Tracking Protection.

Posted on November 4, 2015 and filed under Browsers, Internet, Privacy, Security, Software, Tips'n Tricks.

Rsync And Encrypted Containers

My 'little' off-site Raspberry Pi backup/remote storage project will probably use a combination of Bittorrent Sync and rsync. The latter will be used to back up personal information, but I want that data to be absolutely secure. So I want to use encryption, preferably by using a container that I can mount (e.g. Truecrypt or the Apple OSX encrypted disk images).

The problem with containers is that many backup solutions tend to back up / transfer the entire container when a change occurred. Thankfully, rsync only copies the changes.

Posted on June 20, 2015 and filed under Raspberry Pi, Security, Software, Tips'n Tricks.

Domain User Membership check via LDAP

When you are using LDAP to determine Windows Active Directory group membership, and the group you are aiming for is the Domain Users group, then you're in for a surprise. It turns out that the LDAP interface doesn't list the Domain Users group for a user: the memberOf attribute for Domain Users is missing. Just compare the following screenshots. The first screenshot shows the Active Directory user interface for the user Administrator, and the second shows the LDAP equivalent of that same user.

Active Directory group memberships

LDAP group memberships

The LDAP output doesn't show a 'memberOf: CN=Domain Users, CN=Users, DC=testdomain, DC=local' attribute.

The reason is that Active Directory has a so-called Primary Group attribute, and this is by default the Domain Users group. With that piece of information you might see an LDAP attribute called 'primaryGroupID' with a number. That number represents the Domain Users group.

So if you need to check for Domain User membership with LDAP, you should check the value of the primaryGroupID attribute. This value is (for as far as I know) always the same (513).

So if you're using certificate based authentication on a Juniper Pulse Access Gateway or Pulse Access Control Service, and you need to check Windows Domain Users group membership, the primaryGroupID is the way to go.
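As an added example (not code from the original post), here is a small membership check in Python that parses an LDAP entry in LDIF form and treats the primary group specially: a group is matched either through memberOf or, when it is the user's primary group, through primaryGroupID. The sample entries, the base DN and the group names are constructed for the example; the RID 513 is the value the post gives for Domain Users.

```python
import re

# RID of the Domain Users group, which the post reports as always being 513.
DOMAIN_USERS_RID = 513

# Constructed LDIF entry, modelled on the post's Administrator screenshot (hypothetical data).
# Note that Domain Users is absent from memberOf and only shows up via primaryGroupID.
SAMPLE_LDIF = """\
dn: CN=Administrator,CN=Users,DC=testdomain,DC=local
sAMAccountName: Administrator
memberOf: CN=Domain Admins,CN=Users,DC=testdomain,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=testdomain,DC=local
primaryGroupID: 513
"""

# Constructed entry for a user whose primary group was changed to Domain Admins (RID 512);
# Domain Users then appears as a normal memberOf value, so both paths must be checked.
SAMPLE_LDIF_SWAPPED = """\
dn: CN=svc-backup,CN=Users,DC=testdomain,DC=local
sAMAccountName: svc-backup
memberOf: CN=Domain Users,CN=Users,DC=testdomain,DC=local
primaryGroupID: 512
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into a dict mapping attribute name -> list of values."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def _norm_dn(dn):
    # Compare DNs case-insensitively and ignore spacing around commas,
    # because different LDAP tools print 'CN=x, CN=Users' and 'CN=x,CN=Users'.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def is_member(entry, group_dn, group_rid=None):
    """True if the entry is in group_dn via memberOf, or via primaryGroupID when
    group_rid is given (the primary group is never listed in memberOf)."""
    wanted = _norm_dn(group_dn)
    if any(_norm_dn(v) == wanted for v in entry.get("memberOf", [])):
        return True
    if group_rid is not None:
        return any(v.isdigit() and int(v) == group_rid for v in entry.get("primaryGroupID", []))
    return False

def is_domain_user(entry, base_dn="DC=testdomain,DC=local"):
    return is_member(entry, "CN=Domain Users,CN=Users," + base_dn, DOMAIN_USERS_RID)
```

Checking memberOf alone misses the first user entirely, while checking primaryGroupID alone misses the second; the combined check covers both.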

By the way, if you're looking for a good cross-platform LDAP browser, I can recommend Apache Directory Studio. It's intuitive, has a good interface and just works (oh... and it's free).

No EAP Protocol Was Agreed On

Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).

The limited parts are:

  • SSL is limited to 3 concurrent users
  • UAC is limited to 5 concurrent users
  • You cannot add additional licenses
  • The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additional licenses).

Max. 3 concurrent SSL VPN users

Max. 5 concurrent UAC users

So yes, it's crippled, but still very nice to play with in a lab or home/study environment.

Anyway, I have both the UAC and the SSL VPN running at home, both in VMWare Fusion on a Mac OS X server (Mac Mini).

A couple of months ago, Juniper released a new major version of the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VMs to the latest software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN; the upgrade went smoothly. However, the UAC was a different story. For some reason, the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.

So I tried to do a clean install and see if I could import the old config of the existing UAC (v4.4) into the new version 5. Something that didn't work in the older versions of both the SSL VPN and UAC: importing a configuration meant that you first needed the matching software version on the device.

Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1X. That didn't work as it should.

The logging of the UAC showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP protocol relies (in part) on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI service.

After having checked, and double checked everything (I even tried authenticating against the older UAC version... which still worked), I decided to do a clean install (back to factory settings), and reconfigure the entire UAC by hand instead of the import.

Guess what, everything worked great after I had copied everything by hand.

So I guess that the import of an XML file belonging to an earlier software version still doesn't work. The only difference is that in the old days I got a warning/error.

So if you're getting the 'No EAP Protocol Was Agreed On' error in your event logging, and you did a recent upgrade, you might want to try a fresh install and configure things by hand.

I have no idea if this is applicable to the 'normal' hardware appliances with the software.

Posted on April 13, 2014 and filed under Security, Software, Tips'n Tricks.

Updating to iOS 7.0.5 Turned Ugly

During the update of my iPhone it got stuck in the so-called recovery mode. This means that everything on the iPhone is lost, and that you need to restore everything from a backup. Thankfully, the last backup was made 10 minutes before the upgrade process began. So no worries there.

The panic started to kick in when the actual recovery process terminated with an unknown error (17).

An unknown error occurred (17)

No matter what I tried, the error kept re-occurring.

Searching the Interwebs, I found several forums mentioning modifying the hosts file on your computer. Any entries referring to the domain should be removed.

Checking the hosts file out (located @ /etc/hosts on a Mac), I found a reference to a with a specific IP address. At that point things started to dawn on me....

A couple of years ago I started to experiment with creating your own MobileMe thing (so I would have no need to purchase a MobileMe account back then). In that process you needed to fake some Apple web-servers. One of those servers was

After removing the entry from my hosts file and rebooting my iMac, the recovery process went flawlessly.

This 'experience' made me wonder: did the 'crash' of the iPhone happen because of the hosts file entry? If so, this could be disastrous if someone made these servers unresponsive (e.g. a DNS hack, or whatever), since the iPhone would become a brick. At least for as long as these servers are not accessible....

Posted on February 8, 2014 and filed under Annoying, Apple, iPhone, Personal, Software, Tips'n Tricks.

Creating Funny Money

is not as easy (or funny) as it might sound.

Last weekend we had a dinner celebrating the 12.5 years of marriage of my sister-in-law. Our gift was a gazillion envelopes filled with:

  1. useless paper
  2. 10 euro bill
  3. .....

This way they had something to do when they came home from the dinner. The fourth option was supposed to be funny money: a scanned and severely altered euro bill.

The initial idea was to create a euro bill for 12.5 euros, but that would take too much work, so I opted for a 55 euro bill (just clone the existing 5 on the 5 euro bill).

Posted on December 4, 2013 and filed under Annoying, Personal, Security, Software.

Use One SSL Certificate in an ISPConfig3 Configuration

Last year I implemented an ISPConfig3 configuration for personal use, mainly to host some e-mail domains and perhaps some basic websites. This setup was relatively easy to implement and should have been a breeze to maintain.... Until I got an email from the provider last Tuesday, mentioning that my Linux VPS was attacking other hosts around the world..... *GASP*.. my VPS had (most likely) been assimilated into a botnet of some sort, and it was flooding a ton of other hosts.

Posted on February 15, 2013 and filed under Software, Tips'n Tricks, Security.