Juniper SRX cannot use RADIUS authentication for client VPN?

We’ve been trying now literally for weeks to configure our Juniper SRX VPN using RADIUS authentication. We previously had a Cisco ASA 5510 and it worked fine, but we moved to an SRX because it was much easier to administer and was about 1/3 the cost. For the most part we’ve been pretty happy with the SRX vs the ASA – common-sense features like saving previous configs for trivial rollback, a web GUI that’s way easier to use than ASDM, etc. But this VPN thing is a real fiasco. Basically what we want to do is use the SRX to authenticate against our Active Directory using IAS.

The closest we’ve gotten so far is having the SRX authenticate via RADIUS but apparently we still need to maintain a local user list on the SRX itself, defeating the purpose of central authentication. We were sold 10 VPN licenses with the understanding that this meant we could have up to 10 simultaneous VPN connections open. Apparently that’s true, but we’d have to specify which 10 users can access the VPN, which won’t work for us.

It doesn’t seem like we’re trying to do anything exotic here, but according to the vendor and JTAC support, they’re not aware of anyone doing this and have no idea how to do it. The ticket’s been open with Juniper for over 1 month now. We’re at the point where we just want a refund for the VPN licenses rather than continuing to bang our heads against the wall with this. The vendor originally wanted us to buy an SA VPN appliance in addition to the SRX, but assured us the SRX would do what we needed, with the caveat that the JunOS Pulse client for the SRX VPN was kind of crappy.

So after opening tickets in JTAC and the vendor’s support system, the net result apparently is that this is actually not possible. Not only is it not possible but everybody acts like we’re trying to do some strange voodoo. I mean, we have other stuff hooked into AD IAS already – wifi access points for one, and the old ASA AnyConnect VPN for another. We even went so far as to create a FreeRadius server to serve as an intermediary between the SRX and AD so we could get better log messages, and that didn’t work either.

So hopefully we can get a refund on the 10 useless VPN licenses and use our old ASA for AnyConnect VPN. I’m not holding my breath though. Fortunately we’ve eliminated the need for VPN for almost everything, the local fileserver is really the only thing left that requires VPN access.


Calculating SHA-1 sums in Java

Java has functionality for calculating SHA-1 and MD5 checksums but not for displaying them as the 40-char hex strings I’m used to. I want to update my photo reorganizer so it doesn’t create duplicate files so I figured this would be a handy thing to write. I wrote one for MD5 a while ago (the only code you really need to write is the byte-array-to-hex-string converter) but I guess I lost it. Anyway, here it is.

Edit: Rather than paste a huge useless block of code here, I put it on github: https://github.com/evandhoffman/Java-SHA-1-Hasher.

Output appears to match that of the command-line utility:

[evan@EvanMBP bin]$ java -jar SHA1.jar ~/text.txt
3bbed58697cc1775e8fadcf1324e26d4d092e7c2        /Users/evan/text.txt
[evan@EvanMBP bin]$ shasum ~/text.txt
3bbed58697cc1775e8fadcf1324e26d4d092e7c2  /Users/evan/text.txt

It’s not as fast as shasum (as I expected) but that may partially be due to reading data in 1k chunks.
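The Java hasher itself lives in the GitHub repo linked above. The snippet below is an added example, not code from that repo: it does the same job in Python, with the byte-array-to-hex converter written out by hand (the one piece the post says you actually have to write), streams the file in fixed-size chunks so the chunk size can be compared, prints lines in `shasum` format, and groups files by digest for the duplicate-photo use case. The sample files it writes to a temp directory are constructed for the example.

```python
import hashlib
import os
import sys
import tempfile

HEX_DIGITS = "0123456789abcdef"


def bytes_to_hex(data: bytes) -> str:
    """Render a digest as the lowercase 40-char string shasum prints.

    Done by hand instead of bytes.hex() to show the nibble-to-digit step the
    Java version has to implement itself: high nibble, then low nibble.
    """
    return "".join(HEX_DIGITS[b >> 4] + HEX_DIGITS[b & 0x0F] for b in data)


def sha1_file(path: str, chunk_size: int = 64 * 1024) -> str:
    """Stream a file through SHA-1 in fixed-size chunks and return the hex digest.

    The digest does not depend on chunk_size; only the syscall/update overhead
    does, which is why 1 KiB reads feel slower than shasum's larger buffers.
    """
    h = hashlib.sha1()
    with open(path, "rb") as f:
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            h.update(chunk)
    return bytes_to_hex(h.digest())


def shasum_line(path: str) -> str:
    """Format exactly like `shasum`: digest, two spaces, path."""
    return f"{sha1_file(path)}  {path}"


def find_duplicates(paths):
    """Group paths by digest; return {digest: [paths]} for digests seen more than once.

    SHA-1 is fine for spotting accidental duplicates among your own files; for
    anything where an attacker could craft colliding inputs, use SHA-256.
    """
    seen = {}
    for p in paths:
        seen.setdefault(sha1_file(p), []).append(p)
    return {digest: ps for digest, ps in seen.items() if len(ps) > 1}


def make_sample_files() -> dict:
    """Write constructed sample files (for this example only) to a temp dir.

    Returns {name: path}. 'abc' and 'abc_copy' have identical contents so
    find_duplicates() has something to report.
    """
    directory = tempfile.mkdtemp(prefix="sha1demo-")
    samples = {
        "abc": b"abc",
        "empty": b"",
        "abc_copy": b"abc",
        "big": bytes(range(256)) * 1024,  # 256 KiB, spans many 1 KiB chunks
    }
    paths = {}
    for name, content in samples.items():
        path = os.path.join(directory, name + ".bin")
        with open(path, "wb") as f:
            f.write(content)
        paths[name] = path
    return paths


if __name__ == "__main__":
    # With arguments: behave like `java -jar SHA1.jar FILE...`; without: demo.
    targets = sys.argv[1:] or list(make_sample_files().values())
    for target in targets:
        print(shasum_line(target))
    for digest, dups in find_duplicates(targets).items():
        print(f"duplicate content {digest[:12]}...: {', '.join(dups)}")
```

Run it with file arguments to get `shasum`-compatible lines, or with none to hash the constructed samples and report the duplicate pair.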

Back on FiOS again (finally)

Well, that was quite an ordeal. But Verizon came today and finally installed FiOS. All’s well that ends well, I suppose. My phone number was finally ported over and the internet is insanely fast. This is 25/25 internet with my desktop Fedora box plugged into the TP-Link router which is then plugged into the FiOS ActionTec router. I didn’t want to have to reconnect all my computers to a new SSID so I’ll just continue using the TP-Link until I have a reason not to.

[Image: FiOS 25/25 Speed Test - May 20th, 2011]

One thing I did right away was change my DNS servers. The default DNS servers with Verizon were 68.237.161.12 and 71.243.0.12. By default, Verizon uses “DNS assistance,” meaning that DNS queries against these servers will return IP addresses when they should return NXDOMAIN, so if you mistype the hostname in a URL it can direct you to a page full of ads. You can disable this by replacing the last octet of the default DNS IP with 14. So for the two IPs above, it would be 68.237.161.14 and 71.243.0.14. I figured I’d compare the response times of these servers with Google’s 8.8.8.8 and 8.8.4.4. I used dig to time DNS requests and also used ping to measure latency. 68.237.161.14 was the fastest for me, followed by 8.8.4.4 and then 71.243.0.14, so those are my primary, secondary, and tertiary DNS servers.

PostgreSQL query to determine the largest tables in the database

This is just a handy query I use from time to time to see which tables are growing madly, and how much of the growth is index bloat.

-- quote_ident() so schema/table names with upper-case letters or odd characters resolve;
-- note that "index_size" is total minus the main fork, so it also counts TOAST data
select
  schemaname,
  tablename,
  pg_size_pretty(table_bytes) as size_p,
  total_bytes as siz,
  pg_size_pretty(total_bytes) as total_size_p,
  total_bytes - table_bytes as index_size,
  (100 * (total_bytes - table_bytes)) / case when total_bytes = 0 then 1 else total_bytes end || '%' as index_pct
from (
  select
    schemaname,
    tablename,
    pg_relation_size(quote_ident(schemaname) || '.' || quote_ident(tablename)) as table_bytes,
    pg_total_relation_size(quote_ident(schemaname) || '.' || quote_ident(tablename)) as total_bytes
  from pg_tables
) t
order by siz desc
limit 20;

This returns the schema, the table, its size on disk (in human-readable form and in bytes, the latter for sorting), the total size on disk including indexes, and the percentage of the total size that the indexes take up.

Sample result from our OpenFire Jabber server:

 schemaname |      tablename       |   size_p   |    siz    | total_size_p | index_size | index_pct
------------+----------------------+------------+-----------+--------------+------------+-----------
 public     | ofconversation       | 71 MB      | 159236096 | 152 MB       |   84623360 | 53%
 public     | ofconparticipant     | 38 MB      |  95395840 | 91 MB        |   55394304 | 58%
 public     | ofpresence           | 10184 kB   |  10452992 | 10208 kB     |      24576 | 0%
 public     | ofpubsubitem         | 5336 kB    |   7733248 | 7552 kB      |    2269184 | 29%
 public     | ofid                 | 4008 kB    |   4120576 | 4024 kB      |      16384 | 0%
 public     | ofpubsubsubscription | 912 kB     |   1458176 | 1424 kB      |     524288 | 35%
 public     | ofpubsubaffiliation  | 728 kB     |   1196032 | 1168 kB      |     450560 | 37%
 public     | ofoffline            | 832 kB     |    942080 | 920 kB       |      90112 | 9%
 pg_catalog | pg_depend            | 320 kB     |    794624 | 776 kB       |     466944 | 58%
 pg_catalog | pg_attribute         | 384 kB     |    761856 | 744 kB       |     368640 | 48%
 pg_catalog | pg_proc              | 376 kB     |    753664 | 736 kB       |     368640 | 48%
 pg_catalog | pg_rewrite           | 72 kB      |    270336 | 264 kB       |     196608 | 72%
 pg_catalog | pg_description       | 136 kB     |    245760 | 240 kB       |     106496 | 43%
 pg_catalog | pg_operator          | 112 kB     |    237568 | 232 kB       |     122880 | 51%
 pg_catalog | pg_class             | 88 kB      |    212992 | 208 kB       |     122880 | 57%
 pg_catalog | pg_type              | 64 kB      |    155648 | 152 kB       |      90112 | 57%
 pg_catalog | pg_statistic         | 72 kB      |     98304 | 96 kB        |      24576 | 25%
 pg_catalog | pg_amop              | 24 kB      |     90112 | 88 kB        |      65536 | 72%
 pg_catalog | pg_conversion        | 16 kB      |     90112 | 88 kB        |      73728 | 81%
 pg_catalog | pg_constraint        | 8192 bytes |     81920 | 80 kB        |      73728 | 90%
(20 rows)

Time: 8.917 ms

Amazon SES – "Illegal Header" errors

A few people have inquired about the “Illegal header” error when attempting to relay email through SES. “Oncle Tom” pointed to a thread on Amazon’s forums about a similar problem which led to a list of headers Amazon will accept. The list is below; if you need to add headers outside this list, you can do so using “X-Headers.”

Some people have posted sample code in the thread with modifications to ses-send-email.pl to replace “illegal” headers read from STDIN with an equivalent X-Header. I wrote something generic that takes the list of legal headers and replaces anything not on that list with its X-Header equivalent. Disclaimer: I haven’t tested it, but it seems like this type of solution would be more adaptable since you don’t have to keep fixing it every time a new application attempts to send email with a new header. I haven’t worked this into ses-send-email.pl (since I’m not having any problems, I don’t want to touch it 🙂 ) but I fed in an email header and the output looked correct.

Input email:

MIME-Version: 1.0
Received: by 10.142.136.15 with HTTP; Mon, 16 May 2011 09:32:44 -0700 (PDT)
Date: Mon, 16 May 2011 12:32:44 -0400
Delivered-To: evandhoffman@gmail.com
Message-ID: 
Subject: Hi friend.
From: "Evan D. Hoffman" 
To: "Evan D. Hoffman (Personal)" 
Content-Type: text/plain; charset=ISO-8859-1

Email Test.

Output email:

[evan@EvanMBP ~]$ perl replace-headers.pl test-email.txt
MIME-Version: 1.0
Received: by 10.142.136.15 with HTTP; Mon, 16 May 2011 09:32:44 -0700 (PDT)
Date: Mon, 16 May 2011 12:32:44 -0400
X-Delivered-To: evandhoffman@gmail.com
X-Message-ID: 
Subject: Hi friend.
From: "Evan D. Hoffman" 
To: "Evan D. Hoffman (Personal)" 
Content-Type: text/plain; charset=ISO-8859-1

Email Test.

Hope this helps someone.

Here’s the legal header list, from http://docs.amazonwebservices.com/ses/2010-12-01/DeveloperGuide/index.html?AppendixHeaders.html

  • Accept-Language
  • Bcc
  • Cc
  • Comments
  • Content-Type
  • Content-Transfer-Encoding
  • Content-ID
  • Content-Description
  • Content-Disposition
  • Content-Language
  • Date
  • DKIM-Signature
  • DomainKey-Signature
  • From
  • In-Reply-To
  • Keywords
  • List-Archive
  • List-Help
  • List-Id
  • List-Owner
  • List-Post
  • List-Subscribe
  • List-Unsubscribe
  • Message-Id
  • MIME-Version
  • Received
  • References
  • Reply-To
  • Return-Path
  • Sender
  • Subject
  • Thread-Index
  • Thread-Topic
  • To
  • User-Agent
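The Perl script described above isn’t published here, so the following is an added example (my code, not the author’s replace-headers.pl and not part of ses-send-email.pl) of the same allow-list approach in Python. It takes the header list above, leaves folded continuation lines and the message body alone, skips anything already prefixed `X-`, and matches names case-insensitively as RFC 5322 requires, so `Message-ID` is kept rather than rewritten as in the sample output above. The sample message is constructed; the addresses in it are placeholders.

```python
# Allow-list copied from the SES header appendix linked above; compared case-insensitively
SES_ALLOWED_HEADERS = frozenset(h.lower() for h in [
    "Accept-Language", "Bcc", "Cc", "Comments", "Content-Type",
    "Content-Transfer-Encoding", "Content-ID", "Content-Description",
    "Content-Disposition", "Content-Language", "Date", "DKIM-Signature",
    "DomainKey-Signature", "From", "In-Reply-To", "Keywords", "List-Archive",
    "List-Help", "List-Id", "List-Owner", "List-Post", "List-Subscribe",
    "List-Unsubscribe", "Message-Id", "MIME-Version", "Received", "References",
    "Reply-To", "Return-Path", "Sender", "Subject", "Thread-Index",
    "Thread-Topic", "To", "User-Agent",
])


def _header_lines(message: str):
    """Yield (line, header_name_or_None) for each line; name is None for body,
    blank separator, folded continuation and malformed lines."""
    in_headers = True
    for line in message.splitlines(keepends=True):
        if not in_headers:
            yield line, None
            continue
        if line.rstrip("\r\n") == "":
            in_headers = False          # first blank line ends the header block
            yield line, None
            continue
        if line[0] in " \t":            # folded continuation of the previous header
            yield line, None
            continue
        name, colon, _ = line.partition(":")
        yield line, (name.strip() if colon else None)


def illegal_headers(message: str, allowed=SES_ALLOWED_HEADERS) -> list:
    """Names of headers SES would reject (not allow-listed and not already X-)."""
    return [name for _, name in _header_lines(message)
            if name is not None
            and name.lower() not in allowed
            and not name.lower().startswith("x-")]


def rewrite_headers(message: str, allowed=SES_ALLOWED_HEADERS) -> str:
    """Prefix every header SES would reject with 'X-'; everything else passes through."""
    out = []
    for line, name in _header_lines(message):
        if name is not None and name.lower() not in allowed \
                and not name.lower().startswith("x-"):
            out.append("X-" + line)
        else:
            out.append(line)
    return "".join(out)


# Constructed sample message (not the one from the post); addresses are placeholders.
SAMPLE_MESSAGE = (
    "MIME-Version: 1.0\n"
    "Received: by 10.0.0.1 with HTTP;\n"
    "\tMon, 16 May 2011 09:32:44 -0700 (PDT)\n"
    "Date: Mon, 16 May 2011 12:32:44 -0400\n"
    "Delivered-To: recipient@example.com\n"
    "Message-ID: <constructed-id@example.com>\n"
    "X-Mailer: example-client/1.0\n"
    "Subject: Hi friend.\n"
    "From: Sender <sender@example.com>\n"
    "To: Recipient <recipient@example.com>\n"
    "Content-Type: text/plain; charset=ISO-8859-1\n"
    "\n"
    "Email Test.\n"
    "Delivered-To: this line is in the body and must not change\n"
)

if __name__ == "__main__":
    print("would be rejected:", illegal_headers(SAMPLE_MESSAGE))
    print(rewrite_headers(SAMPLE_MESSAGE), end="")
```

Running the rewrite twice yields the same result, so it is safe to apply in front of a relay that may see already-rewritten mail; `illegal_headers()` is handy on its own for logging which upstream application keeps adding headers SES won’t take.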

Verizon stood me up

Several weeks ago, I scheduled the FiOS install for 5/14/2011 and they said it would be between 8am and 5pm. I got confirmation emails (welcome to FiOS) and a confirmation call on 5/12. I waited all day yesterday for Verizon to show, and they never did. I called at 11:58 AM and gave my order number to see if they could tell me roughly what time the tech would be here, since I didn’t want to sit around all day if the tech wouldn’t be there until 4 PM. They couldn’t. They said we were still scheduled for today, between 8 and 5. I asked if they could call the tech scheduled to do the installation and see when he thought he’d get here and I was told they couldn’t.

At 5:45 we called Verizon to find out what happened, why the tech didn’t show, since we’d waited around the house all day. They told us the order had been put on hold 2 days before because Cablevision wouldn’t release our phone number. I understand things happen, but not calling to let me know, and then giving me incorrect info when I called, is inexcusable. The Verizon rep we spoke to afterwards wasn’t even apologetic. Disappointing.