USE DHCP FINGERPRINTING WITH ARUBA WIRELESS

September 8th, 2011 peter No comments

DHCP fingerprinting (available in ArubaOS 6.0.1.0 and above) is a powerful feature for classifying the different devices a user connects with.

DHCP fingerprinting passively identifies a device's operating system from the options the device puts into its DHCP messages: which options it requests and in what order, and what it sends as vendor class and host name.

One use is to differentiate devices that share the same network. If your wireless phones and your laptops both authenticate with 802.1X, instead of building a separate network for each you can write a rule that matches the phones' DHCP options and puts them into a role tuned for VoIP traffic, while the laptops land in the default enterprise role. If employees keep connecting smartphones to the 802.1X network meant for laptops, you can write a rule that gives smartphones authenticating with AD credentials a different role, keeping that traffic separate from laptop traffic while still letting people connect without typing credentials into a tiny captive-portal screen time and time again.

This is how you can configure and use DHCP fingerprinting.

First, enable DHCP debug logging so the fingerprint information shows up in the network log (turn it back down when you are done; debug logging is noisy):

(config) #logging level debugging network subcat dhcp

Now check the last ten lines of the network log:

# show log network 10

In the log you can see the following output:

<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:22:fb:23:dc:88 reqIP=10.1.1.118 Options 3d:010022fb23dc88 0c:706273 51:000000706273 3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b

To write a rule, look at the options whose code before the colon is 0c (host name), 37 (parameter request list), 3c (vendor class identifier) or 51 (client FQDN); the code is the DHCP option number in hex and the part after the colon is the option's bytes. In this case the interesting one is option 37, 37:010f03062c2e2f1f2179f92b: the list of options this client requests, in this order, is what a Windows 7 machine sends (3c:4d53465420352e30 is the vendor class "MSFT 5.0", which points the same way). Keep in mind that every one of these values is chosen by the client, so a fingerprint rule is a convenience for picking a role, not an authentication check: anything security-relevant still belongs behind 802.1X and the firewall policies of the role.

Now we can write the AAA derivation rule. The value in each condition is the option code followed by the option's bytes, all in hex, and the roles named after set-value (test and guest here) must already exist on the controller:

aaa derivation-rules user dhcp-fingerprint-rule
  set role condition dhcp-option equals "37010f03062c2e2f1f2179f92b" set-value test description "win7"
  set role condition dhcp-option equals "370103060f77fc" set-value guest description "iPad"

Now attach the derivation rule to the AAA profile it should apply to:

aaa profile "company-aaa_prof"
   user-derivation-rules "dhcp-fingerprint-rule"
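To make the decoding above repeatable, here is an added example (not from the original post or from Aruba) that parses the show log network line format shown above, decodes the options the post says to look at, builds the exact string a dhcp-option equals condition needs, and looks the option-55 list up in a small fingerprint table. The table, the second sample log line and all function names are this example's own; only the Windows 7 and iPad option values come from the post.

```python
"""Decode the DHCP option dump that ArubaOS writes to the network log and
turn it into the string a `dhcp-option equals` derivation rule expects.

Added example, not code from the original post or from Aruba. The
fingerprint table and the second log line are constructed; only the
Windows 7 and iPad option-55 values come from the post.
"""
import re
from typing import Dict, List, Optional

# Option codes the post tells you to look at, with their RFC 2132 names.
OPTION_NAMES = {
    0x0c: "host-name",
    0x37: "parameter-request-list",
    0x3c: "vendor-class-identifier",
    0x3d: "client-identifier",
    0x51: "client-fqdn",
}

# Constructed lookup table keyed by the exact string a `dhcp-option equals`
# rule carries (option code + option bytes, all hex). Values from the post.
FINGERPRINTS = {
    "37010f03062c2e2f1f2179f92b": "win7",
    "370103060f77fc": "iPad",
}

# Matches the `show log network` line format shown in the post.
LOG_RE = re.compile(
    r"\|dhcp\|\s+Datapath\s+(?P<vlan>\S+):\s+(?P<msg>[A-Z]+)\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?:\s+reqIP=(?P<ip>\S+))?\s+Options\s+(?P<opts>.*)$"
)


def parse_options(opts: str) -> Dict[int, bytes]:
    """Turn 'xx:hexvalue xx:hexvalue ...' into {option_code: raw_bytes}."""
    result: Dict[int, bytes] = {}
    for tok in opts.split():
        code, _, val = tok.partition(":")
        result[int(code, 16)] = bytes.fromhex(val)
    return result


def parse_log_line(line: str) -> Optional[dict]:
    """One log line -> dict with vlan, msg, mac, ip (None for DISCOVER) and
    the decoded options; None if the line is not a DHCP datapath entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"vlan": m["vlan"], "msg": m["msg"], "mac": m["mac"],
            "ip": m["ip"], "options": parse_options(m["opts"])}


def rule_value(code: int, raw: bytes) -> str:
    """The string for `set role condition dhcp-option equals "..."`:
    the option code followed by the option bytes, all lowercase hex."""
    return f"{code:02x}{raw.hex()}"


def parameter_request_list(raw: bytes) -> List[int]:
    """Option 55 is a list of one-byte option codes the client asks for;
    the set and its order are what make it usable as an OS fingerprint."""
    return list(raw)


def printable(code: int, raw: bytes) -> str:
    """Render host-name / vendor-class as text, anything else as hex."""
    if code in (0x0c, 0x3c):
        return raw.decode("ascii", errors="replace")
    return raw.hex()


def classify(options: Dict[int, bytes]) -> Optional[str]:
    """Look the client's option-55 list up in the fingerprint table.
    Option 55 is chosen by the client, so treat the result as a hint for
    role selection, never as proof of what the device is."""
    raw = options.get(0x37)
    if raw is None:
        return None
    return FINGERPRINTS.get(rule_value(0x37, raw))


# Constructed sample: the first line is the Win7 line from the post, the
# second reuses the iPad option-55 value from the post's second rule.
SAMPLE_LOG = [
    "<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: REQUEST 00:22:fb:23:dc:88 "
    "reqIP=10.1.1.118 Options 3d:010022fb23dc88 0c:706273 51:000000706273 "
    "3c:4d53465420352e30 37:010f03062c2e2f1f2179f92b",
    "<DBUG> |dhcpdwrap| |dhcp| Datapath vlan1: DISCOVER 00:11:22:33:44:55 "
    "Options 3d:01001122334455 0c:69506164 37:0103060f77fc",
]


def main() -> None:
    for line in SAMPLE_LOG:
        rec = parse_log_line(line)
        if rec is None:
            continue
        opts = rec["options"]
        print(f"{rec['mac']} {rec['msg']} -> {classify(opts) or 'unknown'}")
        for code, raw in sorted(opts.items()):
            name = OPTION_NAMES.get(code, f"option-{code}")
            print(f"  {code:02x} {name:<24} {printable(code, raw)}")
        if 0x37 in opts:
            print(f'  rule: set role condition dhcp-option equals '
                  f'"{rule_value(0x37, opts[0x37])}"')


if __name__ == "__main__":
    main()
```

Run it and it prints, per client, the decoded options and the rule string to paste into the derivation rule. classify() is deliberately advisory: a client that sends the Windows 7 request list gets the Windows 7 role, whatever it really is.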

The original post from the Airheads forum can be found here.
Another post with some fingerprint examples can be found here.

IPv6 CERTIFICATION

August 17th, 2011 peter No comments

Just started with the IPv6 certification from HE. If you want to join it, you can click here.

Categories: IPv6

OPENSSL: GENERATE A CSR WITH SAN NAMES IN IT

January 6th, 2011 peter No comments

SAN certificates are great when you need to protect several websites with TLS. In a SAN certificate the "Subject Alternative Name" extension carries the different names you want the certificate to be valid for; include the CN among them as well, since clients match on the SAN list rather than on the CN.

One of the advantages of a SAN certificate is that names can be added later. To do that you generate a new CSR containing all the existing names AND the new names and have the CA reissue the certificate; a name left out of the new CSR disappears from the certificate. I use openssl to generate the CSR. To get SAN names into the CSR, you have to edit the openssl configuration file.

This example is based on cygwin.

1. edit \cygwin\usr\ssl\openssl.cnf

2. Around line 121 (the line numbers are from that cygwin openssl.cnf; search for the directive rather than trusting the number), uncomment req_extensions = v3_req in the [ req ] section.

3. Around line 211, under [ v3_req ], add the following:

## lines added to get SAN fields in CSR
# Some CAs do not yet support subjectAltName in CSRs.
# Instead the additional names are form entries on web
# pages where one requests the certificate…
subjectAltName          = @alt_names

[alt_names]
DNS.1   = www.example.com
DNS.2   = www.example2.com
DNS.3   = www.example3.com

You can check the newly created request to ensure that the SAN names are in it (-verify also checks the CSR's self-signature):

$ openssl req -text -noout -verify -in cert.req
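As an added example (not from the original post), the following Python script does the same job without editing the system openssl.cnf: it writes a self-contained config with the [ v3_req ] and [ alt_names ] sections shown above and passes it with -config, then checks the openssl req -text output for every name that must be on the certificate, so a re-keyed CSR cannot silently lose one of the existing names. The embedded openssl output is constructed, and the function names are this example's own.

```python
"""Build the openssl.cnf section that puts DNS names into a CSR, and check
the finished CSR against the list of names it must carry.

Added example, not code from the original post. It uses the post's three
example hostnames; the `openssl req -text` output embedded below is
constructed, and the function names are this example's own.
"""
import re
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Iterable, List, Set

# The names the post puts under [alt_names].
NAMES = ["www.example.com", "www.example2.com", "www.example3.com"]


def san_config(names: List[str]) -> str:
    """A self-contained openssl.cnf for `openssl req -config`, so the
    system openssl.cnf does not have to be edited. The first name is the
    CN and is repeated in the SAN list, because clients match on the SAN
    entries rather than on the CN."""
    if not names:
        raise ValueError("at least one DNS name is required")
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, start=1))
    return (
        "[ req ]\n"
        "distinguished_name = req_distinguished_name\n"
        "req_extensions = v3_req\n"
        "prompt = no\n\n"
        "[ req_distinguished_name ]\n"
        f"CN = {names[0]}\n\n"
        "[ v3_req ]\n"
        "subjectAltName = @alt_names\n\n"
        "[ alt_names ]\n"
        f"{alt}\n"
    )


SAN_LINE_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)")


def san_from_req_text(text: str) -> Set[str]:
    """DNS names listed in the output of `openssl req -text -noout`."""
    m = SAN_LINE_RE.search(text)
    if not m:
        return set()
    return {e.strip()[4:] for e in m.group(1).split(",")
            if e.strip().startswith("DNS:")}


def missing_names(required: Iterable[str], req_text: str) -> Set[str]:
    """Names that must be on the certificate but are absent from the CSR.
    This is the check to run before sending a re-keyed CSR to the CA."""
    return set(required) - san_from_req_text(req_text)


# Constructed `openssl req -text -noout` output for a CSR in which the
# third name was forgotten.
SAMPLE_REQ_TEXT = """\
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = www.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:www.example.com, DNS:www.example2.com
    Signature Algorithm: sha256WithRSAEncryption
"""


def generate_and_check(names: List[str], workdir: Path) -> Set[str]:
    """Run the real openssl commands: key + CSR from the generated config,
    then dump the CSR and return the names it is missing (expected: none).
    The key is written without a passphrase (-nodes) into workdir only so
    the demo runs unattended; keep -des3 as in the post for real keys."""
    cnf = workdir / "san.cnf"
    cnf.write_text(san_config(names))
    subprocess.run(
        ["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
         "-keyout", str(workdir / "private.key"),
         "-out", str(workdir / "cert.csr"), "-config", str(cnf)],
        check=True, capture_output=True)
    dump = subprocess.run(
        ["openssl", "req", "-text", "-noout", "-verify",
         "-in", str(workdir / "cert.csr")],
        check=True, capture_output=True, text=True).stdout
    return missing_names(names, dump)


if __name__ == "__main__":
    print("missing from the constructed CSR:", missing_names(NAMES, SAMPLE_REQ_TEXT))
    if shutil.which("openssl"):
        with tempfile.TemporaryDirectory() as d:
            print("missing from a freshly generated CSR:",
                  generate_and_check(NAMES, Path(d)))
```

The constructed dump is missing www.example3.com, which is exactly the mistake the post warns about; the real openssl run at the end only happens when an openssl binary is on the PATH.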

Categories: OpenSSL

HOWTO: Change the Expiration Date of Certificates That Are Issued by a Windows Stand-Alone Root Certificate Authority

December 30th, 2010 peter No comments

By default, a stand-alone Windows root CA issues certificates with a validity of one year. If you want to extend this period, you have to modify the registry as follows:

Open the registry editor (regedit)

Locate, and then click the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CertSvc\Configuration\<CAName>

In the right pane, double-click ValidityPeriod.

In the Value data box, type one of the following, and then click OK:
Days
Weeks
Months
Years

In the right pane, double-click ValidityPeriodUnits.

In the Value data box, type the numeric value that you want, and then click OK. For example, type 2 (with ValidityPeriod set to Years, newly issued certificates are then valid for two years).

Stop and restart the Certificate Services service so the new values take effect. Only certificates issued after the restart get the new validity; already issued certificates are unaffected. The CA also never issues a certificate that outlives its own certificate, so the remaining lifetime of the CA certificate is the effective upper bound. To restart the service:

At the command prompt, type the following lines. Press ENTER after each line.
net stop certsvc
net start certsvc

Reference document on the MS support website.

Categories: Certificate Services, Microsoft CA

SUPERLINKS SHOWS A HALF PAGE WHEN UPGRADING TO CACTI 0.8.7g/PIA2.8

December 28th, 2010 peter No comments

When upgrading Cacti to 0.8.7g/PIA2.8, I noticed that the superlinks plugin is not working correctly. When clicking on a tab created by the superlinks plugin, only half of the HTML page shows up, with a tiny scrollbar on the right side in IE. Some browsers, like Chrome, show a blank page.

When searching around on the Internet, I found the following solution:

Edit /var/www/html/plugins/superlinks/superlinks.php. Line 58 contains the following code:

print '<iframe src="' . $page['contentfile'] . '" width="100%" height="100%" frameborder="0"></iframe>';

Replace this with the following code (the forum snippet read window.innerWidth on the first line of the function, which is a typo for window.innerHeight and is corrected here):

print '<iframe id="frame" src="' . $page['contentfile'] . '" width="100%" height="100%" frameborder="0"></iframe>';
print "<script type='text/javascript'>
function resizeIframe() {
    // Viewport height: window.innerHeight (Firefox), documentElement.clientHeight (IE)
    var height = window.innerHeight;
    if (document.documentElement.clientHeight) {
        height = document.documentElement.clientHeight;
    }
    // Give the frame the space below its top edge, minus 72px for the page footer
    document.getElementById('frame').style.height = parseInt(height - document.getElementById('frame').offsetTop - 72) + 'px';
}
document.getElementById('frame').onload = resizeIframe;
window.onresize = resizeIframe;
</script>";

Reference:
The forum article on the official cacti forum.
My colleague @booches.nl.

Categories: Cacti, CactiEZ

CactiEZ: PROBLEM WHEN STARTING APACHE WEBSERVER (HTTPD)

October 14th, 2010 peter No comments

Over the last few days I have been working with my experimental installation of CactiEZ. I updated it to the latest versions of the system packages and of the Cacti files and plugins, shut down my PC, went home and tried to finish the installation. But when I started the VM, I noticed that the Apache web server did not start. The following message appeared when I tried to start the web server manually:

[root@localhost ~]# service httpd start
Starting httpd: /usr/sbin/httpd: error while loading shared libraries: libpcre.so.0: cannot open shared object file: Permission denied

It appears that SELinux is responsible for this. SELinux was probably activated or installed during the yum update. I found out that SELinux was operating in "enforcing" mode, which is the default setting.

The following information can be found on the centos wiki:

SELinux has 3 basic modes of operation out of which Enforcing is set as the default mode.

  • Enforcing: The default mode which will enable and enforce the SELinux security policy on the system, denying access and logging actions

  • Permissive: In Permissive mode, SELinux is enabled but will not enforce the security policy, only warn and log actions. Permissive mode is useful for troubleshooting SELinux issues

  • Disabled: SELinux is turned off

It was clear to me that I wanted to force SELinux into disabled mode. I modified the /etc/selinux/config file and set the default mode to disabled (so that this setting survives a reboot). After a reboot, the web server started successfully.

My /etc/selinux/config file:

[root@localhost ~]# more /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing – SELinux security policy is enforced.
#       permissive – SELinux prints warnings instead of enforcing.
#       disabled – No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#       targeted – Only targeted network daemons are protected.
#       strict – Full SELinux protection.
SELINUXTYPE=targeted

Categories: Cacti, CactiEZ

CISCO ASA: VIEWING CAPTURE RESULTS IN A BROWSER

August 6th, 2010 peter No comments

The capture feature of a Cisco ASA is very useful when you want to see exactly what is happening with a particular connection. Today a customer wanted to see the results quickly in a browser or in Wireshark. This can be done by typing the following URLs into a browser (10.1.1.1 stands for the ASA's management address; the ASA's HTTPS server, the same one ASDM uses, must be enabled and must permit your host, and you log in as an ASA admin user):

To see the capture results in the browser:

https://10.1.1.1/admin/capture/<capture_name>

To download the capture results to a PC in pcap format (which Wireshark can open):

https://10.1.1.1/admin/capture/<capture_name>/pcap

A capture holds complete packets, credentials included, so the HTTPS server should only be reachable from management networks.

source: cisco.com

Categories: Cisco ASA, Firewalls

QUICK START: CREATE A CSR WITH OPENSSL

July 5th, 2010 peter No comments

The following commands can be used to quickly create a private key and a CSR with OpenSSL:

$ openssl genrsa -des3 -out private.key 2048
  Generate a 2048-bit RSA private key; -des3 encrypts it with a passphrase.
$ openssl req -new -key private.key -out cert.csr
  Generate the CSR with the newly created private key.
$ openssl pkcs12 -export -inkey private.key -in signed-csr.cer -out cert.p12
  Bundle the private key and the certificate the CA returned into a password-protected PKCS#12 file.

Check the CSR:

$ openssl req -text -noout -in cert.csr

Generate a self-signed certificate with a lifetime of 1 year (the original post used rsa:1024; use at least 2048 bits today, and note that -nodes leaves the key unencrypted on disk):

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout my_key.pem -out my_cert.pem

Categories: OpenSSL

USEFUL COMMANDS FOR THE ARUBA MC

July 5th, 2010 peter No comments

While working with the Aruba Networks Mobility Controller, I have collected some useful commands for day-to-day operation of the controller. The following commands apply to ArubaOS 5.0.

The list will be expanded in the future.

LICENSING COMMANDS

#show license
#show license limit

USER COMMANDS

#show user – displays the users currently connected to the MC.
#aaa user clear-sessions <A.B.C.D> – clears the ongoing sessions of the client with that IP address.
#aaa user delete <A.B.C.D> – deletes the client with that IP address; the command can also delete by MAC address, user name or role.

ACL COMMANDS

#show acl hits role [STRING] – Show internal ACL hit counters.
#show acl hits

LOG COMMANDS

#show log security 20 – displays the last 20 lines of the security log buffer. Useful when you suspect a problem with an AAA profile.

Categories: Aruba Networks

Cisco Botnet summary

February 5th, 2010 peter No comments

Since ASA software 8.2 (the ASA does not run IOS), the Cisco ASA can protect you against botnets with the Botnet Traffic Filter. Here is some relevant information when you want to use it on an ASA running 8.2:

1. A license is needed: ASA55xx-BOT-1YR=
2. DNS snooping has to be configured on the ASA, so the filter can map the destination addresses it sees back to the domain names on the dynamic blacklist.
3. The following syslog IDs are used for Botnet Traffic Filter messages:

338001
338002
338003
338004

4. Reverse access rules need to be configured.

A tutorial can be found here.

Categories: Cisco ASA, Firewalls