My old wireless router had started having trouble and the wireless chipset was beginning to get flaky.  I’d been running DD-WRT on it for about a year and a half without any problems, but lately it started having issues only with wireless connections.  Being the cheapskate I am, I ordered a refurb E2500 Cisco from Amazon for under $40 and in a few days it showed up in the mail.  I had already looked up the router in the DD-WRT router database and pulled down the mini firmware in order to overwrite the stock firmware.  (Unfortunately, what I would later read in the forum posts is that the firmware version dd-wrt.v24-18625_NEWD-2_K2.6_mini-e2500.bin would basically brick the router.)  So do yourself a favor and use the 18710 version right off the bat  (dd-wrt.v24-18710_NEWD-2_K2.6_std_usb_nas-e2500.bin).

Even though I had properly followed the 30-30-30 power cycling procedure and updated the firmware with the one recommended in the router database, my router was caught in a continuous reboot cycle.  Every so often I could ping the router for a little while, and if I timed it right I could successfully TFTP up the original stock firmware; however, after manually power cycling, it would go back to its constant reboot cycle on its own.  Believe me, I worked on it for quite a few hours and then gave up on it.  Then, as luck would have it, a few days later I read a post where someone had left it unplugged for a day and the router no longer went through the automatic reboot and stayed solid, but they couldn’t get to the DD-WRT GUI interface.  I had the same results: I left the router unplugged for two days, and when I tried I was able to telnet to the router and fix it using these steps:

Telnetting to the E2500 router
I had to set my laptop’s NIC card manually first to 192.168.1.100/24 and then was able to telnet to the router at 192.168.1.1

Then, as you can see above, I performed an “erase linux” and “erase nvram” and then power cycled the router.   At this point I could get to the Management Mode Firmware Upgrade Utility by going to http://192.168.1.1

Thank goodness for the firmware upgrade management interface – cisco E2500

Now believe me, I really thought hard about loading up the stock firmware, but hey, I might as well try DD-WRT again.  Using the management interface I uploaded the newer fixed version of the DD-WRT firmware (version 18625).

Of course waiting during the firmware upload is the worst part for me. I’ve spent too many sleepless hours back in the day waiting around for hours while uploading images to old cisco routers over xmodem protocols to enjoy this sort of thing anymore.

Luckily this time the firmware took and after a single *yay* power-cycle, I was presented with the standard, change your password page for DD-WRT!

Yay! The default change your user and password page for DD-WRT

Then all I had to do was go through and put back in all my settings… and enjoy my new router with much better working wireless.

This is how you can perform authentication using RSA SecurID authentication in your PHP environment. RSA does not provide a module or agent to work directly with PHP, so in order to make it work we will use the PAM PECL extension.  This tutorial assumes you already have a working RSA Manager installation and SecurID tokens, and a running apache/php install.

Step 1:

Install the PAM PECL extension.  You can find it at http://pecl.php.net/package/PAM

Follow the instructions to install and enable this extension.  This may require some development packages if you’re using the vendor-supplied build of PHP.  So for instance, in the case of RHEL6, this will require assignment of the “RHEL Server Optional” channel.   You can then install the php-devel package.  If using a custom build of PHP, this step should not be necessary.

yum install php-devel
yum install pam-devel
Unzip, and run “phpize” in the directory
Then run “./configure”
Then “make”
Then “make install”

Edit your /etc/php.ini configuration file to include:

[PHP]
extension=pam.so

Step 2:

Install the linux RSA PAM agent following the instructions that are included with that agent.  Download from here: http://www.rsa.com/node.aspx?id=2844

Step 3:

Make sure to run acetest, which is provided with the RSA PAM authentication agent.  For 64-bit Red Hat, this utility will typically live in /opt/pam/bin/64bit/acetest.  This serves two purposes: it creates files in /var/ace that we will need to change permissions on, and it also verifies that you are communicating with and properly authenticating against the RSA Manager/server.  If you are not able to verify with the acetest utility, make sure you have properly added the agent to your RSA Manager.

Step 4:

Change the permissions on files in /var/ace:

Change the group of sdstatus.1 and securid to the web server group (for example, apache)

cd /var/ace
chgrp apache sdstatus.1
chgrp apache securid
chmod 664 sdstatus.1
chmod 440 securid

This is required so that the php process can read the securid file and update sdstatus.1.  The default permissions only allow root to do this.

Step 5:

Create a PAM configuration file.  The default pam configuration name is “php” unless a different pam.servicename is specified in the php.ini.

As an example, on RHEL 6, you could create this as /etc/pam.d/php with the following entries:

auth         required        pam_securid.so debug
account       required        pam_permit.so

Note: debug is optional; it gives you some potentially useful logging information while you are fine tuning your authentication.  Once you have a working config, debug can certainly be removed.

Step 6:

Create an rsa_auth.php test page to verify if your php/pam/RSA configuration is working:

<html>
<head><title>RSA Test Page!</title></head>
<body>
<?php
$message = "";
$err = "";
if (isset($_POST['username']) && isset($_POST['passcode'])) {
    // pam_auth() comes from the PAM PECL extension. It authenticates against the
    // "php" PAM service (/etc/pam.d/php) unless pam.servicename is set in php.ini.
    // $err receives the PAM error text; the fourth argument (false) skips the
    // PAM account-management check.
    if (pam_auth($_POST['username'], $_POST['passcode'], $err, false) === true) {
        $message = "Authentication was Successful";
    } else {
        $message = "Authentication Failed - $err";
    }
}
?>
<!-- Escape anything echoed back into the page; PHP_SELF in particular carries
     the request path and is reflected XSS if printed raw. -->
<font color="red"><?php echo htmlspecialchars($message, ENT_QUOTES, 'UTF-8'); ?></font><br>
<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
username: <input type="text" name="username" /><br>
passcode: <input type="password" name="passcode" />
<input type="submit" />
</form>
</body>
</html>

Step 7:
Restart apache and try it out!

Please remember to integrate your real PHP authentication page with the appropriate input filtering to better secure and sanitize the input and protect against exploits, etc.
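As an added example (not code from the original post), here is what the input filtering and session handling around pam_auth() might look like in a real login page, building on the test page from Step 6.  It assumes the "php" PAM service from Step 5; the allowlist bounds, session key names and the /app/ redirect target are placeholders.

```php
<?php
// Added example, not from the original post: a hardened wrapper around
// pam_auth() (PAM PECL extension) for a production login page. Assumes the
// "php" PAM service from Step 5; session keys and /app/ are placeholders.
declare(strict_types=1);
session_start();

// Conservative allowlists keep stray bytes out of the PAM conversation.
function valid_username(string $u): bool {
    return (bool) preg_match('/^[A-Za-z0-9._-]{1,64}$/', $u);
}
// A SecurID passcode is PIN + tokencode: short and alphanumeric (assumed bounds).
function valid_passcode(string $p): bool {
    return (bool) preg_match('/^[A-Za-z0-9]{4,32}$/', $p);
}

// Returns true only on a successful PAM auth + account check. The PAM error
// text goes to the server log, never to the client (no account enumeration).
function securid_login(string $user, string $passcode): bool {
    if (!valid_username($user) || !valid_passcode($passcode)) {
        error_log('securid_login: malformed username or passcode rejected');
        return false;
    }
    $err = '';
    // true = also run the "account" stack (pam_permit.so in the Step 5 config).
    if (pam_auth($user, $passcode, $err, true) !== true) {
        error_log("securid_login: PAM failure for user '$user': $err");
        return false;
    }
    session_regenerate_id(true);      // fresh id after login (session fixation)
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Per-session CSRF token; the login form must post it back as the "csrf" field.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$failed = false;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $csrf_ok = isset($_POST['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $_POST['csrf']);
    if ($csrf_ok && securid_login((string) ($_POST['username'] ?? ''),
                                  (string) ($_POST['passcode'] ?? ''))) {
        header('Location: /app/');
        exit;
    }
    $failed = true;   // one generic message covers CSRF, input and PAM failures
}
```

The form itself is the one from Step 6 plus a hidden csrf field carrying $_SESSION['csrf']; when $failed is set, show a single "Authentication failed" message rather than the PAM error string.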



Oh Yes, We Get to Use Commandlets!

I started upgrading some of the machines around the office to the new version of Office for Mac, the Office:Mac 2011 version. I have to admit it is really pretty nice except for a few things, and I wasn’t complaining until the users started taking their laptops out of the office. I soon found out that they couldn’t connect to our Exchange server. Upon further investigation, what we discovered was that, unlike Entourage, every time Outlook 2011 is started it queries the server to refresh the server account settings, and for some reason it was using only the internal name of my server instead of the external URL, similar to what everyone would be using for the OWA (Outlook Web Access) interface. After a bunch of research, I found that I had to stipulate the external address specifically for the Outlook Anywhere functionality using some commandlets.

Here’s how to do it. Open up your Exchange PowerShell interface and put in these settings using the commandlets for publishing Outlook Anywhere configurations, substituting your real server name and real external address:

Enable-OutlookAnywhere -Server servername -ExternalHostname "mail.yourdomain.com" -ExternalAuthenticationMethod "Basic" -SSLOffloading:$False

Set-OABVirtualDirectory -Identity "servername\OAB (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/OAB -RequireSSL:$true

Set-WebServicesVirtualDirectory -Identity "servername\EWS (Default Web Site)" -ExternalUrl https://mail.yourdomain.com/EWS/Exchange.asmx -BasicAuthentication:$True

To make sure you entered it correctly you can look up the URLs for web services with the following command:

Get-WebServicesVirtualDirectory | Select name, *url* | fl

It is worthwhile to make sure that you have some other things in place correctly, such as the appropriate DNS settings as well as the right SSL SAN certificate set up in IIS. I had these all correct, and it wasn’t an issue until this latest version of Office 2011 for Mac was used.

Oh Honey, There’s One Thing Missing…

I recently decided to upgrade my wife to a new 64-bit Windows 7 laptop. Everything went quite smoothly and I had all the applications and data, even the little stuff like bookmarks, moved over and running just great… at least until she decided she needed to print something. “Oh yeah, no sweat! I forgot to add the printer for you!”

Canon has not updated many of their older printers, like this MF3110 model, with 64-bit drivers for XP, Vista or Windows 7.

Our printer is a Canon MF3110 black and white multifunction laser which is shared off an older Vista computer. We leave it running and use it as our home file and printing “server.” Much to my disappointment, I found out that Canon decided not to create 64-bit drivers for that model (as well as a lot of their other printers that are a few years old). Now don’t hear me complaining too loud about Canon. I love a lot of their products and especially that printer, mainly because I can find toner cartridges at ridiculously low prices and it never seems to break down.

After looking around online I saw where someone had done something similar and shared that model of printer from an XP workstation as a generic PostScript printer using the Ghostscript software, so that a Linux Ubuntu system could print to it. I decided I’d try to see if I could do the same thing, but instead share it to the 64-bit Windows 7 laptop. Sure thing, after a bit of tweaking, it worked like a charm!

Here’s what I did:
On my 32-bit computer where my Canon printer is located, I downloaded and installed the following three programs:

Ghostscript Windows 32-bit version:
http://pages.cs.wisc.edu/~ghost/doc/GPL/gpl864.htm

GsView Windows 32-bit version:
http://pages.cs.wisc.edu/~ghost/gsview/get49.htm

Redmon Port Redirector:
http://www.is-foehr.de/

I didn’t really do anything custom or special during the installs. I just let them run their course.

Again, on the same computer where the Canon printer is, I added a new local printer. I named it something generic like Canon64b, and then (here’s the first tricky part) on the very next screen I selected “Create a new port”, selected “Redirected Port” and named it “RPT1:”, which should be the default. Then for the model and driver of the printer, I used something really generic, “MS Publisher Imagesetter”, which should already have drivers on all Windows systems (including 64-bit versions). Then I shared out the printer to “everyone.” The other tricky part was, within the Properties of the printer, to go to the “Ports” tab, click on the “Configure Port” button for the RPT1 port and set up the correct parameters:

In the “Redirect this port to the program:” field I put in the gsprint program’s location:
C:\Program Files\Ghostgum\gsview\gsprint.exe

For Arguments in the next box down, I put in the name of my real printer which is on the computer like this:
-printer "Canon MF3110" -

Note: it is important to include the quotes around the printer name, a space and then a dash for this all to work properly.

In the Output area: select “Program handles output” and make sure the printer section is pointing to the real printer. The Run field should be selected as “Hidden

Then I applied all the changes.

Interactive Hiccup
In order to get it to run without interaction and prevent a confirmation message from being displayed every time I print a page, I had to copy a registry string value using regedit.

From this location:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices

To this location:
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Devices

The key should be named the same as your real printer and look something similar to this:
Canon MF3110 REG_SZ winspool,Ne03:

After adding the registry key, on my 32-bit computer, I ran a test print from my new virtual Postscript printer and made sure it printed fine.

Then I went to my wife’s laptop and added the new network printer and was able to print… crisis averted and happy wife!



Server temperature graphic

I had an issue where at one of my remote offices an air handling unit was failing and the server room was heating up far beyond the recommended operating temperature. There were people working in that remote office, but I couldn’t rely on them to check on it daily and nobody was there over the weekends. I looked around and there were a few different devices and software products for monitoring temperature, but some were quite expensive.

I decided to play around and see if I could get a method working where I could monitor the temperature using something built-in and basic. I had read that most Dell servers have temperature probes that monitor air temperature for ambient air as well as planar (off the CPU/motherboard) and would make that available to the SNMP service specifically within the MIB-Dell-10892 specification.

I was surprised to find out how easy it was to set up SNMP and MRTG to poll the server and provide me with the readings I was looking for! Here’s how I did it:

First on the server, I enabled the SNMP service. It was a Windows server, so it was as simple as going to Start > Control Panel > Add/Remove Programs > Add/Remove Windows Components > Management and Monitoring Tools > [Details] > Select “Simple Network Management Protocol” to install it. Then to make sure there was a reasonable level of security, I went to the Services applet, found the SNMP Service and chose a READ ONLY community string and specified the IP of my monitoring host under the Security tab. I made sure the service was started.

Then I made sure the UDP 161 and UDP 162 ports associated with SNMP were allowed through the firewall.

Next I put the following settings into my MRTG configuration file. To tell you the truth, the hardest part was determining the calculation and syntax to get it to convert from Celsius to Fahrenheit!  Be sure to replace my IP and SNMP community string with the IP and community string of your host in the configuration file settings.

################################################
WorkDir: /var/www/mrtg
### Measure Planar and Ambient Temps
#-----------------------------------------------------------
Target[10.1.100.100.temp]: 1.3.6.1.4.1.674.10892.1.700.20.1.6.1.1&1.3.6.1.4.1.674.10892.1.700.20.1.6.1.2:readonlycommunitystring@10.1.100.100 / 10 * 1.8 + 32
MaxBytes[10.1.100.100.temp]: 150
Title[10.1.100.100.temp]: Planar and Ambient Temperature – Remote Server
PageTop[10.1.100.100.temp]: <H1>Planar and Ambient Temperature – Remote Server</H1>
Options[10.1.100.100.temp]: gauge, integer, nopercent
YSize[10.1.100.100.temp]: 220
YTics[10.1.100.100.temp]: 11
YLegend[10.1.100.100.temp]: Temp degrees F
ShortLegend[10.1.100.100.temp]: deg F
Legend1[10.1.100.100.temp]: Temperature1
Legend2[10.1.100.100.temp]: Temperature2
Legend3[10.1.100.100.temp]: Legend3
Legend4[10.1.100.100.temp]: Legend4
LegendI[10.1.100.100.temp]: MotherBD Temp 1:
LegendO[10.1.100.100.temp]: Ambient Temp 2:
###################################################