The Moose and Squirrel Files

August 31, 2008

802.1x and Wake on LAN

Filed under: Network — networknerd @ 4:04 pm

The 802.1x standard makes allowances for WOL by allowing port control to be unidirectional or bidirectional: with unidirectional control the port blocks only traffic coming from the unauthenticated host, so a magic packet can still be switched out to it.

The real problem occurs when you configure Cisco switches to use auth-fail VLANs and guest VLANs. These are designed for computers that fail authentication or that don't have a supplicant, respectively. The interface commands would be something like this:

switchport access vlan 900
switchport mode access
dot1x pae authenticator
dot1x port-control auto
dot1x control-direction in
dot1x guest-vlan 999
dot1x auth-fail vlan 999

Now when a port has this type of config and the computer is turned off, there is a very brief link state transition which causes the port to become unauthenticated. The switch will attempt to start authentication a number of times before timing out and placing the port into the auth-fail/guest VLAN.

Most management software, like SMS, keeps an inventory of the PC's MAC address and last known IP address. The WOL magic packets are sent to the broadcast address of the network where the PC was last known. All good, except that the network card is now listening in the auth-fail/guest VLAN, so the WOL packets never reach the intended destination.

I wish that I could say I had a brilliant solution, but unfortunately I only have a workaround that depends entirely on what wakeup product you have.

The workaround is to follow/tail the logs generated by your management software's wakeup package and extract the MAC address and the IP address. With a little math/scripting manipulation you can then send a separate WOL destined for the MAC address on the auth-fail/guest network.

I use MC-WOL, but any wake-on-LAN utility will do. Obviously every network is different, and the math you use to transform the broadcast IP address depends on your network structure. If the subnetting is consistent it will be simple. If not, it may pay to pre-fill a dictionary/hash and perform a lookup.

For SMS-Wakeup (an add-on from 1E for M$'s SMS) the log files look like:

9/5/2007 14:01:36: send_magicpkt (03) for broadcast on [00:40:CA:69:34:EE]

and we can use a simple VBScript filter to read the tailed output from the log file and do the transform. I used the code below with the tail utility from the Windows Resource Kit for my proof of concept. Whatever you do, make sure to check the behaviour of your code when the log file rolls over. NetIQ Security Manager has the ability to tail text logs, parse them and execute programs in response to an event. It also handles log rollovers gracefully. In my case using NetIQ was a no-brainer, but it really shouldn't be that difficult to customise the code to suit your environment.

option explicit
Const IP_PARAM = 5   'index of the last-known IP address field in the split log line
Const MAC_PARAM = 9  'index of the [MAC] field in the split log line
dim strLine,strArray,octets,ip_addr,strMAC,WshShell
Set WshShell = WScript.CreateObject("WScript.Shell")
Do While Not WScript.StdIn.AtEndOfStream
  strLine = WScript.StdIn.ReadLine
  if (InStr(1,strLine,"send_magicpkt") > 0) then
    strArray = Split(strLine)
    if UBound(strArray) >= MAC_PARAM then 'ignore lines that don't carry the expected fields
      octets = Split(strArray(IP_PARAM),".")
      octets(2) = CInt(octets(2)) + 3 'perform the IP address transform to get the guest network
      octets(3) = 127                 'broadcast address
      ip_addr = Join(octets,".")
      strMAC = Mid(strArray(MAC_PARAM),2,17) 'remove leading '[' and trailing ']'
      WshShell.Run "mc-wol " & strMAC & " /a " & ip_addr, 0, True 'second WOL aimed at the guest network
    end if
  end if
Loop
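The same tail, extract, transform and resend pipeline as an added example in Python rather than the post's VBScript (this is not the post's code): it parses the send_magicpkt lines, maps the last-known address to the guest-VLAN broadcast either by the post's octet arithmetic or by a pre-filled lookup for inconsistently subnetted ranges, and builds the magic packet itself instead of shelling out to MC-WOL. The sample log lines, the /25 prefix and the lookup entries are constructed assumptions.

```python
import re
import socket
from ipaddress import IPv4Network

# Constructed SMS-Wakeup-style lines. The real line on the page carries the MAC in
# brackets; the last-known IP field is assumed here so the transform can be shown end to end.
SAMPLE_LOG = [
    "9/5/2007 14:01:36: send_magicpkt (03) for 10.20.4.17 broadcast on [00:40:CA:69:34:EE]",
    "9/5/2007 14:01:37: send_magicpkt (03) for 10.20.9.130 broadcast on [00:40:CA:12:34:56]",
    "9/5/2007 14:01:38: wakeup cycle complete",
]
LINE_RE = re.compile(r"send_magicpkt.*?(\d+\.\d+\.\d+\.\d+).*?\[([0-9A-Fa-f:]{17})\]")
PREFIX = 25  # assumed: the post's "octet 3 = 127" broadcast only makes sense for /25 subnets
# Pre-filled lookup for the inconsistently subnetted parts of the network (hypothetical values);
# anything not listed falls back to the post's arithmetic rule.
GUEST_LOOKUP = {IPv4Network("10.20.9.128/25"): IPv4Network("10.20.12.128/25")}

def guest_broadcast(last_ip: str) -> str:
    """Broadcast address of the auth-fail/guest VLAN for a PC last seen at last_ip."""
    net = IPv4Network(f"{last_ip}/{PREFIX}", strict=False)
    if net in GUEST_LOOKUP:
        return str(GUEST_LOOKUP[net].broadcast_address)
    o = last_ip.split(".")
    o[2] = str(int(o[2]) + 3)  # the post's transform: third octet + 3 ...
    o[3] = "127"               # ... and the /25 broadcast address
    return ".".join(o)

def magic_packet(mac: str) -> bytes:
    """WOL magic packet: six 0xFF bytes followed by the MAC repeated 16 times."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return b"\xff" * 6 + raw * 16

def parse_wakeups(lines):
    """Yield (mac, guest_broadcast) for every send_magicpkt line in the tailed log."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(2), guest_broadcast(m.group(1))

def send_wol(mac: str, broadcast: str, port: int = 9) -> int:
    """Send the second magic packet to the guest/auth-fail network (UDP discard port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(magic_packet(mac), (broadcast, port))
```

Feed the tailed log into parse_wakeups and call send_wol for each pair it yields; as with the VBScript, check what happens when the log file rolls over.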

August 28, 2008

Checkpoint Secureplatform Wisdom

Filed under: checkpoint — networknerd @ 8:22 pm

Enable SCP – sk26258

  • Go into expert mode and add users to the /etc/scpusers file. Create the file if necessary.
  • Restart sshd using the command service sshd restart

Enable IP Forwarding – sk25818

  • Go into expert mode and type the command "echo 1 > /proc/sys/net/ipv4/ip_forward"

Enable SSH Public Key Authentication – sk30366

  • Go into expert mode
  • mkdir $HOME/.ssh
  • chmod 0700 $HOME/.ssh
  • touch $HOME/.ssh/authorized_keys
  • chmod 0600 $HOME/.ssh/authorized_keys
  • vi $HOME/.ssh/authorized_keys
  • :$ (goes to the last line of the file)
  • A (appends to the end of the line)
  • paste in the key that you have copied from the client
  • esc (get out of insert mode)
  • :x (save the file and exit)

To be able to match a login to a user's key, perform the following steps.

  • vi /etc/ssh/sshd_config
  • find the Logging section and add an entry LogLevel VERBOSE
  • Restart sshd using the command service sshd restart
  • The fingerprint of the key used is then recorded in /var/log/secure
  • To check the fingerprints you can use the script below:
#! /bin/bash

#Generate fingerprints for ssh public keys so we can match logons to users
#Usage: fingerprint.sh authorized_keys_file [output_file]

#Create a temp file and bail out if we can't
TMPFILE=`mktemp /tmp/fingerprint.XXXXXX` || exit 1

#Cleanup temp files on exit
trap "rm -f ${TMPFILE}" 0

#Check to see if a readable keyfile is specified
if [ -r "$1" ]; then
        KEYFILE="$1"
else
        echo "Usage: $0 authorized_keys_file [output_file]" >&2
        exit 1
fi

#Output file: the second argument, or (assumed default) the keyfile name with .fp appended
FPFILE="${2:-${KEYFILE}.fp}"

#Truncate the output file
cat /dev/null >"${FPFILE}"

#Hook up the authorized_keys file to File descriptor 3
exec 3< "${KEYFILE}"

#loop through each key in the file
while read -r <&3
do
        # Skip blank lines and comments; otherwise save the key and generate a fingerprint
        if [ -n "${REPLY}" ] && ! echo "${REPLY}" | egrep -q "^[[:space:]]*#"; then
                echo "${REPLY}" >"${TMPFILE}"
                /usr/bin/ssh-keygen -l -f "${TMPFILE}" >> "${FPFILE}"
        fi
done

#Close FD 3
exec 3<&-
/bin/echo "The fingerprints for ${KEYFILE} have been saved in ${FPFILE}."
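As an added example that is not part of the original post, the same fingerprint matching done in Python so it can be run straight against the sshd LogLevel VERBOSE output: it fingerprints each authorized_keys entry (the MD5 colon form ssh-keygen -l printed at the time, and the SHA256 form newer releases print), copes with forced-command entries like the command= line in the recipe further down, and maps each "Found matching RSA key" log line back to a key comment. The keys and log lines are constructed samples.

```python
import base64, hashlib, re

# Constructed sample keys: the blobs are filler bytes, not real key material;
# fingerprinting only hashes the decoded blob, so any bytes demonstrate the matching.
KEYS = {"alice@laptop": b"constructed key blob one", "bob@desktop": b"constructed key blob two"}

def _entry(who: str, opts: str = "") -> str:
    return f"{opts}ssh-rsa {base64.b64encode(KEYS[who]).decode()} {who}\n"

AUTHORIZED_KEYS = ("# keys for the admin account\n" + _entry("alice@laptop")
                   + _entry("bob@desktop", 'command="/sbin/shutdown -h now" '))

def key_fingerprints(blob: bytes) -> dict:
    """MD5 colon-hex (ssh-keygen -l on OpenSSH of that era) and SHA256 base64 (newer releases)."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"md5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "sha256": "SHA256:" + sha}

def parse_authorized_keys(text: str) -> dict:
    """Map every fingerprint of every key to its comment; skips blanks, # comments and options."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        # the key type may be preceded by options such as command="..." (forced-command entries)
        i = next((n for n, p in enumerate(parts) if p.startswith(("ssh-", "ecdsa-"))), None)
        if i is not None and i + 1 < len(parts):
            comment = " ".join(parts[i + 2:]) or "<no comment>"
            for fp in key_fingerprints(base64.b64decode(parts[i + 1])).values():
                table[fp] = comment
    return table

LOG_RE = re.compile(r"Found matching \S+ key: (\S+)")

def match_logins(log_lines, table: dict):
    """Yield (line, comment or None) for each sshd LogLevel VERBOSE 'Found matching ... key' line."""
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            yield line, table.get(m.group(1))

def constructed_log() -> list:
    """Constructed /var/log/secure lines: one known fingerprint, one unknown."""
    alice = key_fingerprints(KEYS["alice@laptop"])["md5"]
    return [f"Sep 5 14:01:36 fw sshd[4242]: Found matching RSA key: {alice}",
            "Sep 5 14:01:36 fw sshd[4242]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
            "Sep 5 14:09:01 fw sshd[4301]: Found matching RSA key: 00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff"]
```

A None result is the one worth alerting on: a key that authenticated as admin but is not in the authorized_keys file you fingerprinted.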

Convert a SecureCRT SSH public key for use with SecurePlatform

This recipe converts the IETF multi-line key format to the single-line format used by OpenSSH on SecurePlatform.

  • Go into expert mode
  • create a new file on the firewall with vi, for example vi mypubkey.txt
  • Paste in the new key, save the file and exit.
  • type "ssh-keygen -i -f mypubkey.txt >>/home/admin/.ssh/authorized_keys"

Restrict public key authentication to a single command

This recipe is useful if you want to restrict users to a particular operation such as shutdown or reboot.

  • Go into expert mode
  • edit /home/admin/.ssh/authorized_keys
  • Paste in the new key or modify the old key
  • At the beginning of the line containing the key insert command="/sbin/shutdown -h now"
  • Save and exit
  • Change the shell for admin using the command usermod -s /bin/bash -U admin
  • If you prefer to go into the cpshell when logging in interactively then execute the command “echo exec /bin/cpshell > /etc/profile.d/

Increase OSPF adjacency memberships on SecurePlatform Pro – sk32568

  • Go into expert mode
  • vi /etc/rc.d/rc.local
  • add the line "echo 50 > /proc/sys/net/ipv4/igmp_max_memberships"
  • save and exit (:x)

Note the knowledgebase article suggests you add the command to /etc/rc.d/init.d/cpboot. You could also add an entry directly to /etc/sysctl.conf: net.ipv4.igmp_max_memberships = 50

Identify network adapters on SecurePlatform/Linux

This recipe helps you identify which physical NIC is mapped to an alias such as eth1 by flashing them in turn for 15 seconds. Adjust the time to suit yourself.

  • Go into expert mode
  • type the following command all on one line
  • for i in `egrep "eth[0-9]+" /etc/modules.conf | cut -f2 -d" "`; do echo $i;ethtool -p $i 15; done

August 27, 2008

Writing Filters in VBScript

Filed under: Code — networknerd @ 3:18 pm

The original philosophy of Unix was to create a set of tools that each do one job well and that could be chained together in a pipeline. Each program was a filter, and it's a powerful concept once you get your head around it. Unfortunately that concept didn't really make it into Windows.

All is not lost, however, because we can easily create our own custom filters in VBScript on almost any Windows box. No C compiler required; no downloads of Cygwin or the MKS Toolkit. Using cscript we can read from STDIN, perform some manipulations and write to STDOUT.

The example below uses this technique to convert log files exported from the Checkpoint log viewer into CSV format. By using the filter technique the data can be analysed and converted in one hit by piping the transformed data directly into Microsoft's LogParser utility.

August 25, 2008

TCP Keepalives

Filed under: Network — networknerd @ 11:11 pm

Microsoft Knowledge Base article 314053 does a good job of describing the configurable parameters of the Windows TCP/IP stack. When it comes to the entry on keepalives, though, it pays to read the fine print. The final part of the description says:

By default, keepalive packets are not sent. A program can turn on this feature on a connection.

So clearly we need to add the appropriate lines to the code (if we have it) or hope the vendor had enough sense to compile their code with an option to turn it on. In the .NET framework we can turn it on with a call to the Socket.SetSocketOption method, as shown in the C# code below.
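An added example in Python (not the post's C# code) of that per-connection switch: a fresh TCP socket reports keepalives off, and only after the program enables them will the stack send probes; the probe timing is tuned where the OS exposes it. The option names used are the platform ones the Python socket module exposes, guarded so the code runs on Linux, macOS and Windows.

```python
import socket

# Option names differ per platform: Linux exposes TCP_KEEPIDLE/INTVL/CNT, macOS calls the
# idle timer TCP_KEEPALIVE, and Windows takes idle and interval through one ioctl.
_TCP_OPTS = (("idle", "TCP_KEEPIDLE"), ("idle", "TCP_KEEPALIVE"),
             ("interval", "TCP_KEEPINTVL"), ("count", "TCP_KEEPCNT"))

def keepalive_state(sock: socket.socket) -> dict:
    """Read back what this socket will actually do; 'enabled' stays 0 until a program asks."""
    state = {"enabled": sock.getsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE)}
    for key, name in _TCP_OPTS:
        if hasattr(socket, name):
            try:
                state[key] = sock.getsockopt(socket.IPPROTO_TCP, getattr(socket, name))
            except OSError:
                pass  # some stacks let you set a timer but not read it back
    return state

def enable_keepalive(sock: socket.socket, idle: int = 60, interval: int = 10, count: int = 3) -> dict:
    """Turn keepalives on for this one connection and tune the probe timing where the OS allows."""
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    if hasattr(socket, "SIO_KEEPALIVE_VALS"):  # Windows: (on/off, idle ms, interval ms)
        sock.ioctl(socket.SIO_KEEPALIVE_VALS, (1, idle * 1000, interval * 1000))
    values = {"idle": idle, "interval": interval, "count": count}
    for key, name in _TCP_OPTS:
        if hasattr(socket, name):
            sock.setsockopt(socket.IPPROTO_TCP, getattr(socket, name), values[key])
    return keepalive_state(sock)

def demo() -> tuple:
    """Default state of a fresh TCP socket, then the state after enabling keepalives."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        return keepalive_state(s), enable_keepalive(s, 60, 10, 3)

if __name__ == "__main__":
    before, after = demo()
    print("default:", before)   # enabled is 0: the stack never sends keepalives unasked
    print("enabled:", after)
```

The registry KeepAliveTime and KeepAliveInterval values the KB article describes only matter for sockets on which this switch has been thrown.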


August 24, 2008

Word Add-In to Persist a Dictionary Object as XML

Filed under: Code — networknerd @ 5:50 am

A friend of my eldest child asked for some advice on creating a database. Seems that she was a keen fiction writer and needed to keep track of the meanings of the words she’d invented.

A database would be overkill for the job, and it seemed like a good opportunity to practise using XML and VBA. Two Scripting.Dictionary objects could be used to hold the data in memory while creating the story: one for fiction-to-English translation and the other to perform reverse lookups. The data would be retrieved from the XML file when the add-in loaded and saved when it was unloaded.

It turned out to be a pretty simple job and the code is shown below. Four simple functions were required: add a word, delete a word, lookup and reverse lookup.

August 23, 2008

Display RSS in a Browser Window

Filed under: Uncategorized — networknerd @ 12:16 pm

One of the knowledge management people at work was amazed by a server application that rendered RSS news feeds as HTML to the client browser. I opined that it was a trivial exercise and that the same thing could be done client-side in the browser. To prove the point I googled up some JavaScript from Tim Huffam and pasted it straight into a web page. That should have been the end of the story. Next day I hear that it doesn't work for some RSS feeds. Turns out they are all from FeedBurner.

JavaScript debugging was a bust, so I moved down the application tree and used a telnet client to connect to the feed's host. That returned a 302 code and a new host to check. Trying the URL in IE worked. The answer must be that MSXML2.DOMDocument.3.0 can't handle redirects. All good in theory, except that a nagging doubt, confirmed by Google, tells me otherwise.

Next move was to open up Word and try it in VBA (the debugging is much better than in IE). Naturally it worked properly first time. So why did the ActiveX object behave differently in IE? When in doubt, look at packets. Wireshark was installed and a capture was performed using IE and netcat to perform the HTTP GET. For IE the return from the server was HTML. For netcat the return was pure XML. The next conclusion I jumped to was that it depended on the User-Agent header in the GET request. Wrong again. I eventually narrowed it down to the Referer header. Oh well, most of my exercise does come from jumping to the wrong conclusion.

FeedBurner must use some clever server-side stuff (mod_rewrite perhaps) to detect whether the requester is a browser, based on the Referer header.

I did prove to myself once again, though, that most application-level problems can be more readily identified at the network level.

Why Moose and Squirrel? Why Blog?

Filed under: Random — networknerd @ 11:27 am

Moose and Squirrel?  Just showing my age I guess.  Rocky and Bullwinkle obviously had some impact on my childhood.

Why blog?  Just so that I can record stuff and find it again when I’ve got nothing but a vague memory of what I did last time to solve a particular problem.

Time will tell if the experiment is a success.
