pskl.us

Tutorials

Did you know that there is a fiber tester inside your SFPs?

by on Dec.07, 2010, under Tutorials

Cisco calls it DOM – Digital Optical Monitoring – and it’s built into some of their SFP, XenPak, and X2 transceivers:

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_8031.html

Unfortunately, but not surprisingly, the feature isn’t built into any of the common SFPs that most network engineers use on a day to day basis, such as the GLC-LX or GLC-SX units.  Cisco thinks that DOM functionality is worth an extra $300 a pop, putting the cost of a DOM-enabled single mode SFP close to $800.

I have found, however, that some third-party SFPs include the DOM functionality.  I’ve been using the single-fiber SFPs from Champion One for many years.  They work great, only use a single fiber (instead of a pair) and give you DOM functionality for free.

Here’s how to get started with DOM:

1)  Enable support for non-Cisco SFPs:

PSKL_6509(config)#service unsupported-transceiver

2)  Enable DOM monitoring:

PSKL_6509(config)#transceiver type all

3)  Install some DOM-compatible transceivers.

4)  Take some light measurements!  In this example, I’m using a 1000SFP31B20L Single Fiber SFP in slot 2/9/22:

PSKL_6509#sh interfaces gigabitEthernet 2/9/22 transceiver 

ITU Channel not available (Wavelength not available),
Transceiver is internally calibrated.
If device is externally calibrated, only calibrated values are printed.
++ : high alarm, +  : high warning, -  : low warning, -- : low alarm.
NA or N/A: not applicable, Tx: transmit, Rx: receive.
mA: milliamperes, dBm: decibels (milliwatts).

                                  Optical   Optical
            Temperature  Voltage  Current   Tx Power  Rx Power
Port        (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
----------  -----------  -------  --------  --------  --------
Gi2/9/22      44.1       3.26      22.2      -2.5      -5.1

This feature is incredibly handy when troubleshooting fiber issues.  A low value in the Rx Power column indicates that you have a bad fiber or, more commonly, a dirty jumper somewhere.  You can even use MRTG or Cacti to log and graph your optical health over time.
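If you want to do the "log and graph it over time" part without a full MRTG setup, the first step is turning the table above into numbers. The following is an added example, not part of the original post: a small Python parser for the data rows of the `show interfaces ... transceiver` output, followed by a check that flags ports whose receive power is low or missing. The sample rows are constructed (the first one matches the post, the rest are made up), and the warning/alarm thresholds are assumptions for the example; real thresholds come from the SFP vendor, and the `++`/`+`/`-`/`--` markers IOS prints next to a value already reflect them.

```python
import re

# Constructed sample output modelled on the post's table. The first row is the
# one from the post; the others are made up to exercise N/A cells and markers.
SAMPLE_OUTPUT = """\
                                  Optical   Optical
            Temperature  Voltage  Current   Tx Power  Rx Power
Port        (Celsius)    (Volts)  (mA)      (dBm)     (dBm)
----------  -----------  -------  --------  --------  --------
Gi2/9/22      44.1       3.26      22.2      -2.5      -5.1
Gi2/9/23      45.0       3.27      21.8      -2.7     -19.4  -
Gi2/9/24      43.8       3.25       N/A       N/A       N/A
Gi2/9/25      44.6       3.26      20.1      -2.9     -23.8  --
"""

# Assumed thresholds for this example only; use your SFP vendor's values.
RX_WARN_DBM = -18.0
RX_ALARM_DBM = -21.0

# Marker tokens IOS appends after a value (see the legend in the output).
FLAGS = {"++": "high alarm", "+": "high warning", "-": "low warning", "--": "low alarm"}
COLUMNS = ("temperature_c", "voltage_v", "current_ma", "tx_dbm", "rx_dbm")
PORT_RE = re.compile(r"[A-Za-z]+\d+(?:/\d+)*")


def _num(token):
    """Convert one table cell to a float; 'N/A' and 'NA' become None."""
    return None if token.upper() in ("N/A", "NA") else float(token)


def parse_transceivers(text):
    """Return one dict per data row of 'show interfaces ... transceiver'."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # Data rows start with an interface name such as Gi2/9/22; skip headers.
        if not tokens or not PORT_RE.fullmatch(tokens[0]):
            continue
        values, flags = [], []
        for tok in tokens[1:]:
            if tok in FLAGS:
                if flags:                      # marker belongs to the value before it
                    flags[-1] = FLAGS[tok]
            else:
                values.append(_num(tok))
                flags.append(None)
        if len(values) != len(COLUMNS):
            continue                           # not a row we understand; ignore it
        row = dict(zip(COLUMNS, values))
        row["port"] = tokens[0]
        row["flags"] = dict(zip(COLUMNS, flags))
        rows.append(row)
    return rows


def check_rx(rows, warn_dbm=RX_WARN_DBM, alarm_dbm=RX_ALARM_DBM):
    """Return (port, rx_dbm, level) for ports whose receive power needs a look."""
    findings = []
    for r in rows:
        rx = r["rx_dbm"]
        if rx is None:
            findings.append((r["port"], None, "no reading (link down or no DOM)"))
        elif rx <= alarm_dbm:
            findings.append((r["port"], rx, "low alarm"))
        elif rx <= warn_dbm:
            findings.append((r["port"], rx, "low warning"))
    return findings


if __name__ == "__main__":
    for port, rx, level in check_rx(parse_transceivers(SAMPLE_OUTPUT)):
        print(f"{port}: {level}" + ("" if rx is None else f" ({rx} dBm)"))
```

Feed it the real output (for example from a scheduled `show` over SSH) and push `rx_dbm` per port into whatever graphing tool you use; a slow downward drift in Rx power is the dirty-jumper signature, while a sudden drop to alarm usually means a kinked or cut fiber.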

~Eric


500mW USB Adapter goodness!

by on Oct.26, 2010, under Hardware, Security, Tutorials

Alfa 500mW AWUS036H USB Wireless Adapter 802.11 b/g Network Radio Card is a win in Backtrack 4!

I picked up an Alfa USB Wireless Adapter about a month or so ago, and it’s definitely a good card for BackTrack 4.

For some reason, I’m one of the few that had to switch the Realtek driver for it, and boom, every wireless utility I tried in BT4 worked great.  (I’m using BT4 RC1, on a Lenovo x201.)

So to get the good love, follow my simple steps in BT4:
vi /etc/modprobe.d/blacklist

find “blacklist r8187” (if you don’t know how to use vi or vim, I weep for you.)
comment that out with the hash / pound / number / whateveryoucallitinyourworld “#”, and add this line:
blacklist rtl8187

Save it and reboot. (I’m too used to dealing with winblows... you could probably just rmmod the rtl8187 instead.)
It should then be using the r8187 kernel module instead of the rtl8187.

Boom, kismet should work and all the other good stuff should work in BT4 with this good card.

A side item: if you’ve never used wepbuster to show someone how bad wep is, *do it*.
Eric and I wrote some scripts for DEFCON a few years ago to automatically crack WEP with the parts that were around then. This does something just like it, but seems to run through all the different vectors you could use. Basically, start it, and let it go… very handy!


The InGrid (or LifeShield) Home Security System – Is It Awesome? (Part 2 of 2 – The Install)

by on Mar.09, 2010, under Group News, Presentations, Reviews, Tutorials, Whining

NOTE: InGrid recently changed their name to LifeShield, but the equipment and service is still the same as is reviewed here

If you are interested in how I got to this point, check out the first post.

UPDATE 10-18-2010: LifeShield has added a few items/features you should know about:
They now sell the cellular backup unit. Add it to your system and your alarms will go through even if your phone lines and internet connection are cut.
They also now offer a smartphone app for the iPhone, Android, and BlackBerry. I’ve used the Android and BlackBerry versions and I’ll review them here ASAP.
One last thing, I’ve reviewed their Wireless Homeview Camera which integrates with the security system.

UPDATE (05-10-2012): I’ve been less-than-thrilled with the business practices of LifeShield lately. I still am a big fan of their products and services, so these reviews stand true, but if you’d like to know what they are up to, read this blog post.


UPDATE 11-11-2010: The battery in my Siren Detector died already, which is odd, but the good news is that it uses the same batteries as the door/window sensor: a CR2450 coin-cell battery. These can be purchased from amazon.com for pretty cheap…I bought a 5-pack for under $7 shipped.

UPDATE 12-08-2011 – THIS IS AN IMPORTANT ONE: In the past year LifeShield has changed their business plan a lot. As you read the review below, bear in mind that the following things are now the case for new customers:

  • They no longer sell the base systems outright, they are free-ish and subsidized by a…
  • Minimum 3 year contract. Sign up for a 5 year contract and your monthly rate will be cheaper (of course). Minimum $35/month for a 3 year contract, minimum $30/month for 5 year. One nice thing about being on contract is that the hardware is completely supported by LS, even including the batteries in your sensors.
  • There is a (minimum) $99 activation fee. It can be higher if you select certain options, such as the Cellular Backup unit

All this being said, it is still a decent deal. If I were security-system shopping today (instead of 2 years ago), I’d probably still go with LifeShield. I recommend you call the competition and get a quote, then check out LifeShield and see how it compares. If you are handy enough to install the system yourself (and you are… it isn’t hard), I think you’ll end up being happier with the LifeShield system.

Original Review:

As I discussed in the last post, I decided to go with the InGrid (LifeShield) security system. I ordered up all the parts I wanted and waited for them to arrive. Before you even receive your hardware, you can set up your account with the web portal (http://myingrid.com/). You create a password for accessing the account as well as other security questions. All of this can be edited later but you might as well get it out of the way now. Once you finish, you can poke around the site and see what kind of settings are available to you. Interesting, but I just couldn’t wait for the hardware to arrive so that I could get started with…

The Install

InGrid hardware

The packaging and documentation were all very impressive. There’s a great attention to detail they show here and it does not go unappreciated. The photo above shows all the stuff I got to start with, although I might add more later. It includes some very nice signs which I think I’ll be leaving in the box. Letting people know you have an alarm system is one thing, letting them know exactly what kind you have is another. Maybe I’ll put up some Brinks signs or something. When you open up the big box, you get this:

InGrid big box 1

A paper telling you, among other things, that “specialty sensors” can’t be added until 24 hours after system activation. No problem, plenty of other sensors to install first. It ended up being less than 24 hours for me anyway. Also included is a CD with PDFs of all the manuals. Then you get to the meat of the system:

InGrid big box 2

The numbered boxes make it even easier than I thought it would be. These 4 units make up the backbone of your security system. They are already associated with each other so there is no “syncing” to be done with these items. Just follow the simple instructions for each box (basically, connect the internal backup battery and plug it in) and you are good to go. Here is a shot of the book showing how simple the instructions are:

InGrid Instructions

As I mentioned, all of the items have internal backup batteries. Supposedly, the batteries will last around 24 hours if your power goes out. They are all simple rechargeable-phone-type batteries that you can buy at WalMart. First up is the base unit:

Base unit still in the box

Base unit front

Base unit back

This guy is the real brain of the operation. You plug it into your internets and into your phone system (VOIP, in my case). It has a cradle for charging the phone unit, but the phone also comes with a charging base, so you don’t NEED to use this to charge the phone. I prefer hiding this somewhere out of sight so that nobody knows where to look to disable your system. If you are using your phone system as a backup, two of the other parts have phone jacks (the Console and the Grid Extender)…which means that this unit could be destroyed but either of those units could still phone home to the monitoring service. That’s part of what is so cool about this system…it is so decentralized.

Next up is the Handset and charger. Here is a pic next to a soda can for size reference:

InGrid handset

This handset has all the functionality of the Console, which is up next:

InGrid console

Either the handset or the console can be used to arm the system, disarm the system, view the status of sensors, and act as a phone (the console acts as a speakerphone). You can set the console on a countertop or mount it on the wall. It needs to be connected to AC power at all times (the battery is really just for backup purposes) so you are somewhat limited in mounting options. These units are also used for adding sensors and other goodies to the system. We’ll get into that shortly. I should also mention that you can view your current weather on either of these units as well as any “weather alerts.” Neato.

IMG00165-20100309-0734

I didn’t take a photo of the grid extender… it isn’t very exciting. Basically a brick that you plug into the wall. As I mentioned before, it has a phone jack which will be used to call the monitoring center if other systems fail. The grid extender also does what the name implies… it physically extends the network for sensors and other devices to be recognized by your system, so you should take that into account when deciding where to place all this stuff. You can even put a grid extender in your neighbor’s house (with permission, of course) and plug it into their phone line. That way, a thief would have to cut your internets, your phone, AND your neighbor’s phone to stop the system from calling in an alarm. If power, phone, and cable are knocked out for your entire neighborhood…well… I guess you are SOL… but InGrid says they have a GSM backup module coming soon, so you’ll be able to breathe easy (UPDATE: the GSM backup module is now available from lifeshield.com)

Once you have these 4 items powered up, you can activate your system online with myingrid.com. Very simple process that involves getting a code from the website and then entering it into your handset. Done. Now you can start adding open/closed sensors to your windows and doors. Here’s a little video introduction to the open/closed sensors, followed by a video I made explaining the very simple process of adding a sensor to your security system:

Easy, right?

You can add a bunch of these sensors and then sit down at your computer and name them appropriately from there (if you don’t want to do it from the handset or console).

Once the 24 hours have passed, you’ll get an email to tell you that your system has been activated and you are now in “Practice Mode” for 7 days… which means that any alarm you set off won’t call the monitoring system. So you have 7 days to fool around and see how things work without being afraid that the cops will show up and yell at you. This activation email also means you can install your other sensors and dealies. In my case, that meant keyfobs, a siren detector, and a motion detector.

Here are a few videos showing my experience with those 3 addons:

All of that was pretty painless, right? I was a bit annoyed at how the motion sensor integrates with the system, so it gave me an excuse to call their tech support. The problem is that it logs motion events whether the system is armed or not. I understand that concept with door/window sensors, but not with motion sensors… The idea is to keep them in living spaces, so that means you’ll be tripping it all day long. Every time it senses motion, the console and the handset both display “Open: Motion Sensor” as if it is a window you keep opening and closing. My event log on myingrid.com very quickly just gets spammed with these “events.” Sure, I can filter the event log, but I shouldn’t have to. I asked tech support about it and they basically told me that it “isn’t a big deal” and that’s just how it works. They are right, it isn’t a “big deal,” but it IS annoying. There should at least be an OPTION to set it so that motion detector events only get logged (or noticed at all) when the system is armed. Working the way it does, I’m going to put a cover over my motion detector and only take it off when I leave the house or go to bed at night.

Now that the system is up and running, the only thing left to do is give you a quick tour of the myInGrid web UI. The following slideshow takes you through a bunch of the important screens. Many of the features shown here are also available via their mobile-friendly version of the myInGrid site, including being able to look at content grabbed by the cameras attached to your system (I really need to get one of their cameras). If you move your mouse over the slideshow, the controls pop up at the bottom which will allow you to pause it or move forward or backwards in the slideshow. The caption on each screenshot explains what you are looking at.


View the screenshots here if you want to look more closely.

I already mentioned the cameras they offer to integrate with the system. They have a few other items that I don’t (yet) own, but you should know about:

  • Glass break sensors – these recognize the sound of glass breaking and trigger the alarm
  • Water/temperature sensors – these are convenience sensors that alert you to a change in temperature and/or water where it shouldn’t be. I need one of these for our upstairs laundry room.
  • Smoke/heat detectors – you can use these rather than the siren detector I’m using.

I’m hoping that they’ll release some new products soon, such as:

  • A thermostat – would be killer to be able to see the current temperature and change the desired settings remotely
  • Light/appliance controls – or just add a module that supports X10 stuff
  • An outdoor camera – preferably wireless. If it is wired, make it support PoE and include a power injector. Seriously. I will pay for this.
  • A doorbell. This would be interesting to log events on, and it could just ring through all the same units that chirp when a door opens.
  • How about a module with a dry contact interface so we can start to have some REAL fun with this thing…

The Conclusion

So that’s pretty much it… If you have any questions that I have not answered, feel free to ask in the comments and I’ll do my best. Aside from the motion detector silliness, I think this is the perfect home security system…well, it is perfect when used in conjunction with the .44 Desert Eagle I keep in my bedroom. Maybe I should put a picture of THAT in my yard rather than the InGrid signs…


Configure your Cisco routers (yes, switches too!) to authenticate against Active Directory using Microsoft’s IAS

by on Dec.29, 2009, under Tutorials

Ok, I’ll admit it. I’ve come to really like Microsoft’s Radius server, IAS:  Internet Authentication Service.  [Don’t panic — I’m not sending my RHCE back just yet!]  It’s a very robust and powerful platform and is an ideal solution for network administrators looking to authenticate network-anything against active directory. In this tutorial, I’ll show you how to configure your Cisco switches and routers to authenticate administrative logins against AD.

Step One: Re-Install your Windows Server.

Sadly, this isn’t as much of a joke as it sounds. You’ll need to be running the Enterprise or Data Center edition of Windows Server 2003 or 2008 in order to get the *good* version of the IAS server. IAS under the Standard, Web, or SBS versions does not allow you to configure Radius clients using network masks.  It’s also limited to processing only 50 concurrent connection requests.

CropperCapture[1]

Step Two:  Install and Configure IAS.

2.1) From your Windows server, install the IAS components:

>> Control Panel > Add or Remove Programs > Add/Remove Windows Components > Networking Services > Internet Authentication Service

2.2) Open the IAS administration tool:

>> Start > Control Panel > Administrative Tools > Internet Authentication Service

2.3) Under the Action menu, select “Register Server in Active Directory”.  You have to do this once to allow IAS to read parameters from your AD.

2.4) Right-click on “RADIUS Clients” and select “New Radius Client”.  Enter a name and a network mask, then click Next.

CropperCapture[2]

On the next screen, change the “Client-Vendor” to Cisco and enter the shared secret you’d like to use for this connection.  Click Finish.

CropperCapture[3]

2.5) Right-click on “Remote Access Policies” and select “New Remote Access Policy.”  Choose to “Set up a custom policy.”  Give it a meaningful name, then click Next.

CropperCapture[4]

In the “Policy Conditions” window, click Add and select “Client-IP-Address.”    This is a string match, so use asterisks instead of CIDR notation to specify the IP range of the management interfaces of your Cisco devices.   Add a second condition, “Windows-Groups” and specify the groups in AD which contain the users who should be permitted to log into your networking gear.   You should end up with something like this:

CropperCapture[5]

Click Next.  In the next window, indicate that you wish to Grant access.

CropperCapture[6]

Click Next.    On the next window, click “Edit Profile” and select the Authentication tab.  Enable all of the options.

CropperCapture[7]

Select the “Advanced” tab and delete the two default attributes which are present.

Click Add and select “Service-Type”.  Set the Attribute Value to “Login”.

Click “Add” again and this time select “Vendor-Specific”.    In the “Multivalued Attribute Information” window, click “Add”.   The “Vendor-Specific Attribute Information” window appears;  in the “Specify network access server vendor” pull-down, select “Cisco”.   Select “Yes.  It conforms” and then click the “Configure Attribute…” button.

CropperCapture[12]

In the “Configure VSA” window, change the “Vendor-assigned attribute number” to 1, “Attribute format” to “String”, and Attribute Value to “shell:priv-lvl=15”.

CropperCapture[13]

This VSA will cause your AD-authenticated users to be granted privilege-level 15.  Change this value to suit your local need, if desired.

The completed “Advanced” tab configuration should look like this:

CropperCapture[14]

Close any open IAS windows by clicking “Apply” or “OK”.  We’re now ready to configure the routers.

Step Three:  Configure the Routers and Switches.
Customize the following code snippet to fit your network, and then paste the config into your running switch or router.

username admin privilege 15 password your-backup-admin-password

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default line
aaa authorization exec default group radius local
aaa session-id common

ip radius source-interface Vlan421

radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key your-secret-key
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 key your-secret-key

radius-server source-ports 1645-1646

line con 0
line vty 0 4
line vty 5 15

The following line specifies a local administrator account to be used in the event that the switch or router cannot communicate with the RADIUS servers.  In reality, you won’t use this because your IAS servers are down; you’ll use this to log into the console port when you blow an SFP or have a fiber cut.

username admin privilege 15 password your-backup-admin-password

You should have at least two IAS servers, each configured in the same way (see my post here for an IAS config replication tip).  Add as many servers as needed; the router will try each one in succession if the first one in the list does not respond.

radius-server host 1.1.1.1 auth-port 1645 acct-port 1646 key your-secret-key
radius-server host 2.2.2.2 auth-port 1645 acct-port 1646 key your-secret-key

If you’re configuring a router, be sure to specify the proper source interface.  This interface should be in the same IP space that you specified when configuring the client under IAS.

ip radius source-interface Vlan421

If you’re upgrading a switch that had been using local accounts and/or line passwords, be sure to remove any configurations under the con and vty declarations.   Your sh run should look like this:

line con 0
line vty 0 4
line vty 5 15

You can test the router’s ability to authenticate using the test subsystem:

ApisLab_3560#test aaa group radius some-username ad-password  new-code
Trying to authenticate with Servergroup radius
User successfully authenticated

If the “test aaa results” look good, try to ssh into your router.  Don’t close the window that you’re using, unless you know exactly where your console cable is 🙂
Good luck!
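For a clearer picture of what `test aaa` is exercising, here is an added example in Python that is not part of the post or of IAS: it builds an RFC 2865 Access-Request the way the switch does (User-Name, User-Password hidden with the shared secret, NAS-IP-Address, Service-Type = Login), constructs the Access-Accept that a policy like the one above would return (Service-Type = Login plus the Cisco Vendor-Specific attribute, vendor 9, attribute 1, carrying `shell:priv-lvl=15`), and then verifies the Response Authenticator and decodes the AV pair. Everything on the wire here is constructed in memory; the username, password, NAS address and secret are placeholders, and nothing is sent to a real server. The point to take away is that the shared secret is what ties a reply to your request: a reply computed with the wrong secret fails the authenticator check and the switch must discard it, so treat that key with the same care as the backup admin password.

```python
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 4, 6, 26
SERVICE_TYPE_LOGIN = 1      # the "Login" value chosen for Service-Type in the IAS profile
VENDOR_CISCO = 9            # IANA enterprise number selected as "Cisco" in the VSA dialog
CISCO_AVPAIR = 1            # the "Vendor-assigned attribute number" set to 1 above


def attr(atype, value):
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encrypt_password(password, secret, authenticator):
    """Hide User-Password per RFC 2865 5.2: xor 16-byte blocks with MD5(secret + previous)."""
    pw = password.encode()
    pw += b"\x00" * (-len(pw) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):
        block = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decrypt_password(hidden, secret, authenticator):
    """Inverse of encrypt_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00").decode()


def build_access_request(username, password, secret, nas_ip, ident=1, authenticator=None):
    """Return (packet, request_authenticator) for an Access-Request like the switch sends."""
    auth = authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, encrypt_password(password, secret, auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + auth + attrs, auth


def build_access_accept(ident, request_auth, secret, avpair):
    """Construct the Access-Accept the IAS policy above would produce (simulated server side)."""
    vsa = struct.pack("!I", VENDOR_CISCO) + struct.pack("!BB", CISCO_AVPAIR, 2 + len(avpair)) + avpair
    attrs = attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_LOGIN)) + attr(ATTR_VSA, vsa)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_and_parse_response(packet, request_auth, secret):
    """Check the Response Authenticator, then return (code, attributes incl. Cisco AV pairs)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("bad Response Authenticator: wrong shared secret or reply not from our server")
    attrs, avpairs, pos = {}, [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                avpairs.append(value[6:4 + vlen].decode())
        else:
            attrs[atype] = value
        pos += alen
    attrs["cisco-avpair"] = avpairs
    return code, attrs


if __name__ == "__main__":
    secret = b"your-secret-key"                      # placeholder, as in the config above
    req, auth = build_access_request("some-username", "ad-password", secret, "10.0.0.5", ident=7)
    resp = build_access_accept(7, auth, secret, b"shell:priv-lvl=15")
    code, attrs = verify_and_parse_response(resp, auth, secret)
    print("Access-Accept" if code == ACCESS_ACCEPT else f"code {code}", attrs["cisco-avpair"])
```

Note that the password hiding is xor with an MD5 keystream, not encryption in any modern sense; that is why RADIUS traffic between the switch's `ip radius source-interface` and the IAS servers belongs on a management network rather than anywhere it can be sniffed.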

~Eric


Dollar Store Digital Geiger Counter Hack

by on Dec.05, 2009, under Hardware, Tutorials

In order to take long-term readings of background radiation, you have two options:  1)  Sit quietly for hours on end, marking your notebook every time a click is heard or 2) make a machine to do it for you.  I like option #2.

Here’s how to build your very own digital Geiger counter interface for just a few dollars in parts.

1.  Head to your local Dollar Tree store and buy a digital pedometer.

pedometer-inpackage

2.  Pick up a 1k resistor and a 2N3904 transistor from your favorite electronics store.  Radio Shack also carries these parts.

3.  Take the pedometer apart.  Remove the mechanical lever and the thin wire which connects it to the board.

pedometer-back-removed

4.  Drill a hole in the back cover and insert a rubber grommet.

pedometer-hole

5.  Cut the end off an RCA audio cable (or any cable you’d like to use) and thread it through the grommet.  Make the electrical connections as follows:

  • RCA Center Conductor to 1K resistor to transistor base (center pin)
  • Transistor collector to the exposed wire on the pedometer.
  • RCA shield and transistor emitter to the spring contact.

Hint:  If you align the parts as shown in the photo (which you can click for a close-up) the flat part of the transistor goes against the back of the system board — then solder as shown.

pedometer-parts-1

6.  Put it all back together and connect to your geiger counter’s headphone jack.

completed-project

Here’s a video of my modded Geiger counter in action, recording the counts from a nearby radium dial:

Since the pedometer is designed to take measurements at around 1Hz (the speed of a human walking), measurements taken from sources considerably higher than background will not give accurate results.

Happy Geigering!

