Situation:
Configure Cisco DHCP server to provide Network Call Processor (NCP) IP address to 3Com NBX phones using DHCP option 184.
Resolution:
3Com NBX phones can receive their NCP (Network Call Processor) server from DHCP, by using DHCP Option 184. The settings I found that work best are to simply provide the hex values for option 184. All references I could find online from 3Com to the proper values referenced Windows DHCP servers. The Cisco documentation was of course only talking about Cisco IP phones. I was finally able to figure out the format after referencing the proper DHCP Options RFCs and calculating the hex values manually, and capturing packets on the network to see what the values were. I could not find this documented anywhere else online.
Example:
Syntax for Option 184 for NBX is:
ASCII:  1     4       10 10 1  50
HEX:    01    04      0a 0a 01 32
        |     |       |
Value:  Flag  Field   IP
              Length  Address
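The byte layout above (flag, field length, IP address) as an added Python example, not part of the original post: it builds the option 184 value for any NCP address, prints it in the dotted hex form the IOS "option 184 hex" command takes, and validates a value read back from a config. The function names are illustrative, and the fixed 01 first byte is taken from the layout on this page.

```python
import ipaddress

FLAG_NCP_IP = 0x01  # first byte in the layout shown on this page

def encode_option184(ncp_ip):
    """Return flag, field length, then the NCP IPv4 address bytes."""
    addr = ipaddress.IPv4Address(ncp_ip).packed  # raises on a malformed address
    return bytes([FLAG_NCP_IP, len(addr)]) + addr

def cisco_hex(payload):
    """Format bytes as IOS dotted hex: groups of four hex digits."""
    digits = payload.hex()
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))

def decode_option184(text):
    """Parse spaced or dotted hex back to the NCP address, checking the layout."""
    raw = bytes.fromhex(text.replace(".", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] != FLAG_NCP_IP:
        raise ValueError("first byte is not the 01 flag")
    if raw[1] != 4 or len(raw) != 2 + raw[1]:
        raise ValueError("length byte does not match a 4-byte IPv4 address")
    return str(ipaddress.IPv4Address(raw[2:]))

if __name__ == "__main__":
    for ip in ("10.10.1.50", "172.16.1.60"):
        payload = encode_option184(ip)
        print(ip, "->", payload.hex(" "), "->", cisco_hex(payload))
```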
Windows DHCP HEX (Reversed):
0x32 0x1 0xa 0xa 0x4 0x1
Cisco HEX line Value (Cisco):
0104.ac10.013c
On a Cisco Router’s built-in DHCP, you then use the commands in Configuration mode:
Router(config)# ip dhcp pool NAME
Router(config-dhcp)# option 184 hex 0104.ac10.013c
Situation:
Calculate optimum MTU for TCP/IP traffic in a VPN. It took me a while to track all this down.
Resolution:
The best solution is to have the router adjust the TCP Maximum Segment Size (MSS).
For Example:
1500 is the Standard MTU
- 20 for the IP Header
- 24 for the GRE Encapsulation
- 8 for the PPPoE (this one is optional based on your setup)
- 20 for the TCP Header
= 52 for IPSec Encap. Tunnel Mode
or
= 32 for IPSec Encap. Transport Mode
For DMVPN this gives us an MTU of:
(MaxMTU) - [ (GRE Encaps) + (IPSec Transport) ] = (MTUValue)
(1500) - [ ( 24 ) + ( 32 ) ] = ( 1444 )
And a DMVPN MSS of:
(MaxMTU) - [ (GRE Encaps) + (IPSec Transport) + (TCPHeader) + (IP Header) ] = (MSSValue)
(1500) - [ ( 24 ) + ( 32 ) + ( 20 ) + ( 20 ) ] = ( 1404 )
Hint: You can see how many packets the router is fragmenting by using the "SHOW IP TRAFFIC" command on a Cisco IOS Router.
Situation:
Want to add a Favicon to website (that little icon next to the URL in the address bar of Browsers like FireFox, and in bookmarks of sites in IE6).
Resolution:
To add your new favicon.ico to a web page put it on the server into the same directory as the web page it is for. (e.g. www.example.com/foo/favicon.ico for www.example.com/foo/index.html). That is the first place a browser will search.
If it doesn't find an icon there, the browser then checks the top-level directory of the server (www.example.com/favicon.ico for the www.example.com server), so by putting it there you can have a default favicon for all the pages in your site.
Depending on browser and configuration, the favicon.ico is not always rendered, even if it is in one of the above locations, unless the web page explicitly declares its presence. To declare that your web page has an icon, you add the following 2 lines into the <head> section of your page:
<link rel="icon" href="favicon.ico" type="image/x-icon">
<link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
Situation:
In this case we went with an SSL Certificate from GoDaddy.com because of price, and the hot chick in their advertisements. The problem arose from the fact that the CSR (Certificate Signing Request) wasn't generated from the Cisco VPN Concentrator itself. However, in retrospect, this was probably the only way to do it properly because there doesn't seem to be a way to export the private key from the Cisco. This would have posed a problem in our case because we purchased a Wildcard SSL Certificate (*.domain.tld) that can be installed on unlimited servers in our domain, and secure any host server within our domain.
Required Resources:
The following software was used to complete this project:
- OpenSSL installed from cygwin
- Windows IIS Server
- Text Editor
- Web Browser
Resolution:
These are the general steps necessary to set this up, and should work for most major Certificate Authorities (CAs):
- Certificate Signing Request (CSR) generated on IIS Server. The CSR contains the Requested Public Key. The Private Key is left on the server.
- CSR submitted to Certificate Authority (CA). They generate the SSL Certificate, and provide the Cert, along with their CA Cert and Intermediate Cert.
- The CA Cert and Intermediate Cert are installed as CA Certs on the Cisco VPN Concentrator 3000.
- Here's the tricky part. The Cisco Concentrator requires the SSL Cert to be in PKCS8 format, and contain the Private key and SSL Cert.
- I exported the Private/Public Key pair from the IIS Server, using the Windows Certificate Export Wizard; selecting to export both keys, and saving withOUT 'high security', and a password.
- This generates an encrypted PKCS12 file.
- At the unix command line (I used CYGWIN), I used OpenSSL (thanks to this site for OpenSSL basics) to first convert the PKCS12 file to standard format:
openssl pkcs12 -in CERTIFICATE_NAME.pfx -out CERTIFICATE_NAME.pem
The command prompts for the password used to export the key file from the IIS server. Then asks for a new password.
- I then converted the standard file to PKCS8 format for the Cisco:
openssl pkcs8 -in CERTIFICATE_NAME.pem -topk8 -out CERTIFICATE_NAME.pk8
Again the command prompts for the 'New Password' from the last export, and asks again for a newer password.
- Back on the Cisco Concentrator, I import a SSL certificate manually with Private Key for the Private Interface. Use the 'copy and paste' method.
- One other issue we have is that our CA uses an 'Intermediate Certificate'. Thus creating a 'chain' of 3 trusted certificates: Ours, the 'intermediate' CA and the 'root' CA.
- In a text editor open both the CERTIFICATE_NAME.pk8 Private Key file you generated, along with the CERTIFICATE_NAME.cer SSL Certificate file provided to you by the CA.
- Copy and paste the Private key into the text box on the concentrator.
- Then immediately after, copy and paste the SSL Certificate. Avoid any excess spaces, or blank lines.
- Then copy and paste the Issuing certificate after the SSL Certificate.
- Finally copy and paste the Root Certificate at the end.
- The whole thing should look something like this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICiyuqweiSDuryiGquweryiDFuqweyGrqour
<>
9bgt3ouiiDnmbweFmnriorGuweioruu8u=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIEZkjasdlkDFajljkFyasdf8kGlyysfklysk
<>
asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEQkjasdlkDFajljkFyasdf8kGlyysfklysk
<>
asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIC5jasdlkDFajljkFyasdf8kGlyysfklysk
<>
asklfjsadkyy7DuklasyFdjfklyaGsdfjld=
-----END CERTIFICATE-----
- Enter the same sequence of data again for the Public interface.
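A pre-paste check for the text assembled in the steps above, as an added Python example that is not part of the original post: it confirms the blocks appear in the order described (encrypted private key, SSL certificate, issuing certificate, root certificate) and flags blank lines, stray whitespace and text outside a PEM block. It checks layout only, not whether the certificates actually chain; the sample pastes are constructed placeholders.

```python
import re

# Order the page describes: private key, our cert, issuing (intermediate) cert, root cert
EXPECTED = ["ENCRYPTED PRIVATE KEY", "CERTIFICATE", "CERTIFICATE", "CERTIFICATE"]
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def check_paste_bundle(text, expected=EXPECTED):
    """Return a list of problems; an empty list means the layout matches."""
    problems, labels, open_label = [], [], None
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # one final newline is not a blank line
    for n, line in enumerate(lines, 1):
        if not line.strip():
            problems.append(f"line {n}: blank line")
            continue
        if line != line.strip():
            problems.append(f"line {n}: leading or trailing whitespace")
        m = MARKER.match(line.strip())
        if m and m.group(1) == "BEGIN":
            if open_label:
                problems.append(f"line {n}: BEGIN inside unclosed {open_label}")
            open_label = m.group(2)
            labels.append(open_label)
        elif m:
            if m.group(2) != open_label:
                problems.append(f"line {n}: END {m.group(2)} has no matching BEGIN")
            open_label = None
        elif open_label is None:
            problems.append(f"line {n}: text outside any PEM block")
    if open_label:
        problems.append(f"unclosed {open_label} block")
    if labels != list(expected):
        problems.append(f"block order is {labels}, expected {list(expected)}")
    return problems

def pem_block(label, body="QUJD"):
    """Constructed placeholder block; the body is not real key material."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

GOOD = "".join(pem_block(label) for label in EXPECTED)
# Constructed bad paste: certificate first, then a stray blank line
BAD = (pem_block("CERTIFICATE") + "\n" + pem_block("ENCRYPTED PRIVATE KEY")
       + pem_block("CERTIFICATE") * 2)

if __name__ == "__main__":
    print(check_paste_bundle(GOOD))
    for problem in check_paste_bundle(BAD):
        print(problem)
```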
Situation:
Setup Apache on Linux to authenticate to an Active Directory Domain based upon some unique identifier of the site (the server hosts multiple sites). At the time we did this in 2003 we couldn't figure out any other easy way to do it. mod_auth_radius was at version 1.5.2. There may be a better/alternate way to do this now; but I haven't looked into it.
Sources:
The mod_auth_radius site and source code.
Resolution:
Extensive digging on the problem of how to Authenticate users resulted in the following solution:
- setup IAS server (MS Radius Server) in domain. Set it up to match the group for authentication with the NAS-Identifier value.
- setup each separate authentication site as a separate Virtual Server Site in Apache.
- Setup mod_auth_radius as normal.
When the setup is complete users will get prompted for login information. This information is then passed by mod_auth_radius to the Radius (IAS) server. Along with this request the 'NAS-Identifier' value is also passed along. This is key, because as the source code says:
version 1.5.2 Updates for NAS-Identifier and NAS-IP-Address, based on ideas from Adrian Hosey. The NAS-Identifier is the virtual server host name, and the NAS-IP-Address is the IP address of the base server.
The Radius server checks against Windows Group and virtual-server name, and authenticates appropriately, when you setup a separate authentication policy for each site/group combination.
Other key clues from the documentation:
/*
RFC 2138 says that this port number is wrong, but everyone's using it.
Use " AddRadiusAuth server:port secret " to change the port manually.
*/
#define RADIUS_AUTH_UDP_PORT 1645
#define RADIUS_PASSWORD_LEN 16
#define RADIUS_RANDOM_VECTOR_LEN 16
/* RADIUS ID definitions. See RFC 2138 */
#define RADIUS_ACCESS_REQUEST 1
#define RADIUS_ACCESS_ACCEPT 2
#define RADIUS_ACCESS_REJECT 3
#define RADIUS_ACCESS_CHALLENGE 11
/* RADIUS attribute definitions. Also from RFC 2138 */
#define RADIUS_USER_NAME 1
#define RADIUS_PASSWORD 2
#define RADIUS_NAS_IP_ADDRESS 4
#define RADIUS_SERVICE_TYPE 6
#define RADIUS_REPLY_MESSAGE 18
#define RADIUS_STATE 24
#define RADIUS_SESSION_TIMEOUT 27
#define RADIUS_NAS_IDENTIFIER 32
/* service types : authenticate only for now */
#define RADIUS_AUTHENTICATE_ONLY 8
/* How large the packets may be */
#define RADIUS_PACKET_RECV_SIZE 1024
#define RADIUS_PACKET_SEND_SIZE 1024
#define APACHE_RADIUS_MAGIC_STATE "f36809ad"
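How those attribute numbers end up on the wire, as an added Python example that is not mod_auth_radius code: it builds an RFC 2138 Access-Request in which NAS-Identifier carries the virtual host name the IAS policy matches on, then parses the attributes back out. The user, password, shared secret, host name and address are constructed sample values, and the attribute set is an assumption limited to the ones this page names.

```python
import hashlib, os, socket, struct

# Values copied from the mod_auth_radius defines quoted on this page
RADIUS_ACCESS_REQUEST = 1
RADIUS_USER_NAME, RADIUS_PASSWORD = 1, 2
RADIUS_NAS_IP_ADDRESS, RADIUS_NAS_IDENTIFIER = 4, 32
RADIUS_RANDOM_VECTOR_LEN = 16

def attr(code, value):
    """Encode one attribute: type, length (2-byte header included), value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([code, len(value) + 2]) + value

def hide_password(password, secret, vector):
    """RFC 2138 User-Password hiding: XOR 16-byte blocks with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", vector
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def access_request(ident, user, password, secret, vhost, server_ip, vector=None):
    """Build an Access-Request whose NAS-Identifier is the virtual host name."""
    vector = vector or os.urandom(RADIUS_RANDOM_VECTOR_LEN)
    attrs = (attr(RADIUS_USER_NAME, user.encode())
             + attr(RADIUS_PASSWORD, hide_password(password.encode(), secret, vector))
             + attr(RADIUS_NAS_IP_ADDRESS, socket.inet_aton(server_ip))
             + attr(RADIUS_NAS_IDENTIFIER, vhost.encode()))
    header = struct.pack("!BBH", RADIUS_ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + vector + attrs

def parse_attrs(packet):
    """Walk the attributes after the 20-byte header; return {type: value}."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        code, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs

if __name__ == "__main__":
    pkt = access_request(7, "alice", "s3cret", b"sharedsecret",  # constructed values
                         "intranet.example.com", "192.0.2.10")
    print(parse_attrs(pkt)[RADIUS_NAS_IDENTIFIER].decode())
```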
Situation:
I just recently obtained a Dell 2405FPW 24" widescreen display. Its native resolution is 1920x1200. Incidentally this is the same native resolution as the 23" Apple Cinema Display. One thing the Dell display does, that other displays don't seem to do, is report to the Video Card that it supports almost EVERY possible resolution (because it in fact does--of course it scales the image). The problem with this, is that in Warcraft 3 on my mac, the list of display resolution choices is longer than the screen! I mean, when will I ever want to use 1344x1008 or 1360x768 in only 16bit color? This results in the largest (and most-ideal for my modern computer and display) resolutions being inaccessible! To make matters worse, there is no keyboard support in the game setup menu, thus there is no way at all in the GUI to set the desired video resolution.
Resolution:
(No pun intended)
I knew that on Windows, you can edit some Registry keys to set any custom resolution you want. On the Mac, because there is no registry, programs almost exclusively use a preferences file. The WC3 Preferences are stored in a Resource Fork of the preferences file: "~/Library/Preferences/com.blizzard.WarcraftIII". Once I determined that, I knew there had to be a way to edit the file to set my desired screen size.
- First run the game at least once after install to create the preferences file, and setup an easy to identify resolution, and set all your other video settings. Then exit the game.
- Open the preferences file with a Resource Editor (For this example I used ResFool. Other tools may have different steps, but the concepts should remain the same.)
- You will see a resource named 'HKEY'. Expand it to see all of the values. The names of the values simply correspond to the same windows Registry Keys used for the PC version of War3. It's common knowledge that in windows you set the resolution with the 'reswidth' and 'resheight' keys. It's the same in here.
- What we want to do is open each resource byte and edit the values to the desired settings (in my case 1600x1200), or 1920x1200 if I wanted the game to be stretched full-screen. (No matter what you set, the game will NOT change the FOV [Field of View]).
- Now this is the tricky part. In ResFool, there is no 'known' template for the 'HKEY' resource type. Templates in ResFool (and other resource editors) 'translate' the raw data in the resource value and add known 'labels', field-types, etc.
- The easy way I found to edit these values in ResFool is to apply a different template manually. (Without a template the raw hex and ascii values you see aren't easily translatable to decimal. I don't know the type of translation needed, but a little trial-and-error with different provided templates produced results!)
- I found the 'template' type of 'WIND' to be a good choice. (A few others also worked, but this one is pretty easy to remember.)
- Open the 'reswidth' resource item, and select "Interpret with Template" from the "Edit" menu. Type in 'WIND', or select it from the list, and click OK.
- This will show the following: [screenshot]
- You merely want to expand the "BoundsRect" value, and then edit the existing 'Right (####)' value.
Be careful to ONLY change the necessary part of the value. Editing other parts of the template will add/remove other (probably necessary) bits of the resource fork, and will most likely render the preferences file useless.
- Repeat this same action for the other 'resheight' value.
- Save your changes to the file and exit ResFool.
- Launch WarCraft III program, and it should now be running at your defined resolution. If for some reason something is wrong, or it's not working; try <cmd-q> to quit the program and delete the preferences file. The program will re-create it with defaults.

