2007 Apr 30 - Mon
Implementing a Wired 802.1X Network With Cisco and Microsoft
Some companies set up guest networks using a parallel network configuration: separate switches or hubs, along
with separate DSL/router internet connections. They then designate certain ports in a conference room as 'corporate
connections' and others as 'guest network', and leave it up to the user to 'pick a port'.
This mechanism does provide a separate path to the internet, but the obvious weakness is that nothing prevents people
from using the wrong ports.
A better form of enforcement is the authentication/authorization protocol 802.1X. It works with wired as well as
wireless networks, and several modes of operation are available. The simplest is to enable or disable a switch port
based upon receipt of appropriate credentials from the supplicant, which is the computer/user being connected to the
network.
A more sophisticated mode assigns a VLAN (and therefore the IP subnet the device ends up on) based upon computer and/or
user credentials. If a connecting device has no supplicant, a default 'guest' VLAN can be assigned.
According to Cisco's and Microsoft's literature, the best authentication mechanism for 802.1X is EAP-TLS, a
PKI/certificate based method in which both the supplicant and the RADIUS server present certificates.
This document describes an implementation based upon Microsoft's Certificate Authority (CA), Microsoft's Internet
Authentication Server (IAS), and Cisco switches.
The implementation uses Windows Server 2003, Enterprise Edition, for the Certificate Authority. The Enterprise Edition
has a few more certificate templates (such as the wireless certificate templates) than the Standard Edition product. One
recommendation is to run the CA on a VMware server, which makes backups simple and allows the CA to be moved from place
to place. For very risk-averse environments, placing the CA on a dedicated server in a secure room is the better choice:
this CA's private key is what every machine and user certificate chains to, so anyone who obtains it can mint
certificates that will pass EAP-TLS and get onto the network. The other primary consideration is that the CA is a single
point of failure and requires a simple, convenient, fast mechanism to bring it back to life during some sort of failure
condition.
With the CA in place, machine and user certificates can be automatically issued through a Group Policy configuration.
Users and machines should be assigned to various Active Directory groups. For machines, possible groupings would be
servers, workstations, and laptops. Since Laptops are typically more prone to carrying malicious nasties, assigning them
to protected segments is beneficial.
As some HP printers are 802.1X ready, they can also be issued certificates.
Users can also be issued certificates. Preliminary testing indicates that Group Policy doesn't push out the user
certificates. Users need to request them manually by connecting to the CA web enrollment page at http://ca/certsrv to
obtain their certificates.
Windows XP workstations have the 802.1X supplicant built in. The settings for the supplicant are on the Authentication
tab under the properties for the network card. On some machines, you may need to start the Wireless Zero Configuration
(WZC) service in order to see the tab; on XP the wired supplicant runs inside that service too. For our implementation,
the defaults are fine (in particular, leave 'Validate server certificate' enabled so the supplicant only completes
EAP-TLS with an IAS server holding a certificate from your own CA).
However, there are two registry values we adjust to change the behaviour somewhat. They are described in a Microsoft
document called 802.11 Wireless Tools and Settings. Even though the document is about 802.11 wireless, the settings also
apply to wired connections. After changing the registry values, the machine needs to be rebooted, or, more simply,
restart the WZC service.
- AuthMode: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\AuthMode
- SupplicantMode: HKEY_LOCAL_MACHINE\Software\Microsoft\EAPOL\Parameters\General\Global\SupplicantMode
With an AuthMode of 1 and a SupplicantMode of 3, you get different VLANs depending upon whether or not a user is logged
in. If no user is logged in and a machine is plugged in, the machine certificate determines the VLAN. If a user
subsequently logs in, the VLAN assignment changes to the one associated with the user. If the user logs out, the VLAN
reverts to the one associated with the machine certificate.
For another site where the administrator wants to ensure that users log in to the domain so that login scripts run
(scripts that check that anti-virus clients are up to date and such), a SupplicantMode of 2 and an AuthMode of 1 would
be used. SupplicantMode 2 does not force a renegotiation when a user logs in. In this scenario, one of two VLAN
assignments happens:
- If a user is already logged in when the machine is connected to the network, the VLAN assignment is based upon the
logged-in user's certificate. Since this path does not force a domain login, no login scripts run, so a blocked VLAN
should be assigned to this combination. That forces the user to log out, disconnect and reconnect in order to get the
machine-based VLAN instead.
- If no user is logged in when the machine is connected to the network, the VLAN assigned is the one associated with
the machine certificate. Even when the user subsequently logs in, the VLAN assignment does not change. This mechanism
forces the user's domain login and the running of login scripts. (See further on in this document for how this relates
to the 'dot1x reauthentication' command on the switch.)
A company called Blue Socket may have some add-on tools that force
Domain Login.
On the Cisco side of things, there are a number of configuration items. For a 3750 switch, an example configuration
document is Configuring 802.1x Port-Based Authentication.
The switch needs to know of one or, preferably, more RADIUS servers. The key is the shared secret that the switch and
IAS use to authenticate each other's RADIUS packets, so use a long random value rather than a placeholder like the one
below, and make sure it matches the RADIUS client entry configured in IAS. IAS listens on the legacy ports 1645/1646 as
well as the standard 1812/1813 by default, so either pair works:
radius-server host 10.10.10.10 auth-port 1645 acct-port 1646 key thisisakey
radius-server source-ports 1645-1646
Make sure you have a username line and an enable secret in the configuration. Where the IOS version supports it,
prefer 'username ... secret' over 'username ... password', so the password is stored as a hash rather than in the
reversible type 7 encoding:
username switchadmin password switchadminpass
enable secret enablesecret
Then tell the switch where authentication, authorization and accounting requests are to be sent:
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
aaa accounting system default start-stop group radius
A switch global command is required:
dot1x system-auth-control
Each interface needs some additional commands:
interface GigabitEthernet0/1
switchport access vlan 3
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
dot1x pae authenticator
dot1x port-control auto
dot1x timeout quiet-period 3
dot1x timeout server-timeout 10
dot1x timeout tx-period 5
dot1x timeout supp-timeout 5
! dot1x reauthentication
dot1x auth-fail vlan 105
spanning-tree portfast
spanning-tree bpduguard enable
The 'dot1x reauthentication' command may or may not be applicable. A scenario in which it should not be used is the one
mentioned above, where a machine should be connected to the network before a user logs in and the VLAN should not
change when the user finally does log in. For that, SupplicantMode should be 2 and there should be no 'dot1x
reauthentication' command. If the command were in place, the periodic reauthentication would see the user certificate
and change the VLAN to suit, which is not the desired effect.
Note also that 'dot1x auth-fail vlan 105' is where a supplicant lands after it fails authentication. A device with no
supplicant at all (a printer that is not 802.1X capable, for instance) is handled separately by the 'dot1x guest-vlan'
interface command; without it, such a device simply stays unauthorized on the port.
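Checking that every access port actually carries the commands above, and that 'dot1x reauthentication' has not been left on where the supplicant policy forbids it, is tedious by hand on a 48-port switch. The script below is an added example (not from the original post or from Cisco) that parses a saved running-config and reports the ports that deviate from the policy described above. The sample config, the required-command lists and the Gi0/2 and Gi0/3 ports that are deliberately wrong are constructed for the example; the 'supplicant_mode' argument stands in for the SupplicantMode registry value the workstations are using.

```python
"""Audit a Cisco IOS running-config for consistent wired 802.1X settings."""
import re

# Constructed sample: the 3750 fragments from the post (Gi0/1) plus two
# deliberately mis-configured ports so the audit has something to report.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet0/1
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control auto
 dot1x auth-fail vlan 105
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/2
 switchport access vlan 3
 switchport mode access
 dot1x pae authenticator
 dot1x port-control force-authorized
 dot1x reauthentication
 spanning-tree portfast
!
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 50
 description access port with no 802.1X at all
!
"""

# Policy (assumed for this example): what every switch and every access port must carry.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x default group radius",
    "aaa authorization network default group radius",
    "dot1x system-auth-control",
)
REQUIRED_PER_PORT = (
    "dot1x pae authenticator",
    "dot1x port-control auto",
    "spanning-tree bpduguard enable",
)


def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' ends an interface block
            continue
        match = re.match(r"^interface (\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_cmds.append(line.strip())
    return global_cmds, interfaces


def audit_port(cmds, supplicant_mode):
    """Return the findings for one port; an empty list means the port passes."""
    findings = []
    if "switchport mode access" not in cmds:
        return findings             # trunks and routed ports are out of scope here
    for required in REQUIRED_PER_PORT:
        if required not in cmds:
            findings.append(f"missing '{required}'")
    if "dot1x port-control force-authorized" in cmds:
        findings.append("force-authorized bypasses authentication entirely")
    if supplicant_mode == 2 and "dot1x reauthentication" in cmds:
        findings.append("reauthentication would move the port to the user VLAN on login (SupplicantMode 2)")
    return findings


def audit_config(text, supplicant_mode):
    """Return {scope: [findings]} for the global section and every failing port."""
    global_cmds, interfaces = parse_config(text)
    report = {}
    missing = [c for c in REQUIRED_GLOBAL if c not in global_cmds]
    if missing:
        report["global"] = [f"missing '{c}'" for c in missing]
    for name, cmds in interfaces.items():
        findings = audit_port(cmds, supplicant_mode)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for scope, findings in audit_config(SAMPLE_CONFIG, supplicant_mode=2).items():
        print(scope)
        for finding in findings:
            print("  -", finding)
```

Run it against the output of 'show running-config' saved to a file; with the sample above Gi0/1 passes, Gi0/2 is reported for force-authorized, a missing bpduguard and the reauthentication conflict, and Gi0/3 for having no 802.1X commands at all.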
For further reading and reference, here are some additional links:
[/Cisco]
2007 Apr 25 - Wed
My Voip Source
MyVoIPsource.org is a community platform for Voice-over-IP know-how. There you will find:
- Open-source VoIP tools to make your IP telephony solution more attractive
- VoIP training to bring you "up to speed"
- Support services if you don't have the time to do it yourself
- A forum to engage with people who share your technical challenges
- Development resources for your special features and needs
From their website: "Our focus is to explore the potential of integrating enterprise applications such as
Outlook/Exchange, ERP, CRM, directories, databases etc. with VoIP solutions to create new ways of "how things can be
done". We achieve this by using intelligent APIs and standardized interfaces that most Voice-over-IP solutions offer
today."
[/Cisco]
2007 Apr 23 - Mon
Linux On Wall Street
In a news headline this morning, I came across the 5th Annual Show & Conference for Linux/Open Source on Wall Street,
which happens to be taking place today. On the site you'll find a few presentations from last year's show as an
indication of what materials and thoughts are happening this year.
Now if SmartQuant QuantDeveloper were on a Linux platform, it would be a blazing fast trading environment.
[/Trading]
2007 Apr 22 - Sun
IQFeed Provider For SmartQuant QuantDeveloper: Updated
I have an original article which discusses a beta IQFeed Provider for SmartQuant's
QuantDeveloper product.
I've fixed a few bugs in the provider. In addition, it should work with IQFeed's soon to
be released data feeds which are stamped at the second resolution rather than minute
resolution. The Provider is released in a zip file with an updated Ticker utility called:
OneUnified.IQFeed.1.1.zip.
The new IQFeed client is iqfeed_client_4_2_1_3.exe.
[/Trading/SmartQuant/Articles]
2007 Apr 20 - Fri
Running the Same Commands on Multiple Cisco Devices
Older switches don't have the nifty 'interface range' command for applying the same configuration to multiple
interfaces at the same time. On older-style 48-port switches, it can be a boring task to update all interfaces with,
say, a new VLAN assignment.
I was thinking of doing an Expect script to perform the task. I tackled it once upon a time, and did come up with a
working example, but it took a while to get used to the nuances of the Expect language.
Having more skills in Perl, and realizing that there is a CPAN add-on for Cisco devices, I recently did something up in
Perl. The example below connects to a switch and, for each of its 48 interfaces, defaults the description and then
applies a new VLAN.
By creating an array of devices, and if they have common usernames and passwords or are authenticated through TACACS,
the same commands could be applied to a range of devices in one easy run.
use strict;
use warnings;
use Net::Telnet::Cisco;

# Telnet carries these credentials in the clear; run this from the management
# network only, or switch to SSH where the device supports it.
my $postDevice  = 'bmsw08';
my $postCommand = 'sho inter status';

my $session = Net::Telnet::Cisco->new( Host => $postDevice );

# Two login styles: password only (no username line on the switch), or
# username plus password. An enable password is needed either way.
# $session->login( '', 'password' );
$session->login( 'username', 'password' );
$session->enable('enable');

# my @output = $session->cmd( String => $postCommand );
# print @output;

# Default the description and move each of the 48 FastEthernet ports to VLAN 103.
print $session->cmd( String => 'config t' );
for my $i ( 1 .. 48 ) {
    print $session->cmd( String => "inter f0/$i" );
    print $session->cmd( String => 'default desc' );
    print $session->cmd( String => 'swi acc vlan 103' );
}
print $session->cmd( String => 'end' );
# The change is only in running-config; add a 'write memory' here if it should persist.
$session->close();
There are two types of logins, one with a username and password, and one with just a
password. An Enable is used in either case.
[/Cisco]
2007 Apr 12 - Thu
SmartQuant QuantDeveloper & DataCenter Release
SmartQuant has released a revision
to DataCenter and
QuantDeveloper. DataCenter and QuantDeveloper are at the following revision levels:
DataCenter
Version 2.2.3 (12-Apr-2007)
QuantDeveloper Enterprise Edition
Version 2.5.3 (12-Apr-2007)
QuantDeveloper Source Code
Version 2.5.1 (23-Mar-2007)
* Recent Versions available through
version control
[/Trading/SmartQuant/Releases]
2007 Apr 06 - Fri
SmartQuant QuantDeveloper & DataCenter Release
SmartQuant has released a revision
to DataCenter and
QuantDeveloper. DataCenter and QuantDeveloper are at the following revision levels:
DataCenter
Version 2.2.2 (04-Apr-2007)
QuantDeveloper Enterprise Edition
Version 2.5.2 (04-Apr-2007)
QuantDeveloper Source Code
Version 2.5.1 (23-Mar-2007)
* Recent Versions available through
version control
[/Trading/SmartQuant/Releases]
2007 Apr 05 - Thu
Cisco's Embedded Event Manager
For a long time, certain of Cisco's routers had the ability to run Tcl scripts, particularly routers with VoIP loads,
in order to perform credit card billing for VoIP connection validation. To me, the Tcl scripting was a black art and not
well documented.
That has changed. The capability has now become officially and publicly supported, and is now known as the Cisco
Embedded Event Manager. Part of it is integrated into the IP SLA functionality. This, for example, provides the ability
to adjust routing and other configuration details on the fly depending upon reachability testing. That one example
barely scratches the surface of what can be done to dynamically and automatically alter a router's operating
parameters.
That, in itself, is a two-edged sword: a scripting engine that can rewrite a router's configuration on its own is also a
handy tool for anyone who gets administrative access, so access to EEM applets and policies deserves the same care as
the enable secret. But with today's interconnected, converged, flexible networks, sometimes one needs a trick like that
to make things happen.
Some URL's:
[/Cisco]
Trading Site of the Day -- Kirk Report: One Pro's View of the Stock Market
Charles E. Kirk is a trader who writes The Kirk Report. The site is green, the color of money. On the serious side, he
offers up daily market commentary on what has happened with the markets and what the news effects were, and reports
how his own portfolio is doing in the markets.
[/Trading/SiteOfTheDay/D200704]
2007 Apr 03 - Tue
Emulated Test Labs for Cisco Routing Gear
This is a two-in-one article actually. In a posting to today's cisco-nsp mailing list, Josh Horton provided a couple
of links to his BlindHog Blog. His site has a wealth of good how-to articles for things routing and Linux related. One
entry that caught my eye was how to link router login AAA to a Microsoft IAS server. This basically does the job of a
TACACS+ server. Although it does the authentication and authorization, this RADIUS-based setup doesn't do the
per-command authorization and command logging that a TACACS+ server can do. Even so, it is well worth a look. Other
posts relate to SSH and some other router odds and sods.
The reason for his posting to the mailing list was to advertise his wrapper for a Cisco router emulation engine at
Dynagen. So for those studying for the CCNP exams who need a bunch of routers to check out OSPF, EIGRP, BGP and IGP,
there is no need to spend thousands of dollars on real gear. Just get a recent IOS image and you can run multiple
virtual routers all on your PC. The author says throughput is about 1 kpps or so. But just to check out and test
routing protocols with no sacrifice in command line options, this is an impressive capability.
[/Cisco]
2007 Apr 02 - Mon
Trading Sites of the Day -- ETFs, Day Trading, Short Time Periods
Yesterday I did a search with the keywords 'active trader magazine scalp scalping'. The magazine, Active Trader
Magazine, wasn't very high up in the results, mostly because they hide most of their content. I'm wondering if they
would do better, not that I know whether they are doing well or not, if they had a better indexable site. Even Stocks
and Commodities Magazine has good teasers to get people interested in their content. But I digress.
Well, I'll stay digressed for a moment. In the recent issue of Stocks and Commodities, at the back of the issue, is an
article describing the web site ETF Connect. I've linked to their education page. The web site is a good introductory
source to Exchange Traded Funds, in their various incarnations.
Now that I've covered the interesting but unrelated, I move back to the subject at hand, short term trading, right
down to scalping.
PowerZone Trading has a PDF called Trading with the High Performance Intraday Analysis Indicator Suite. The drawback
with this document is that they couch all their setups in proprietary lingo. However, by reading between the terms and
reviewing the charts, there are some good points regarding trade setups that can be used. They allude to using multiple
time-frames, which I wholly support. Near the end of the document, they go into some scalping setups that could prove
to be useful. I'm in the process of writing an article in my Automated Trading Strategy section that goes more into
what I've come to learn about scalping. To wrap up, the last page of the article references some of the author's other
work in various periodicals. One article that I do have is the August 2006 issue of Stocks and Commodities, page 34,
regarding Intraday Market Forecasting. There is a good table in there on how to gauge market strength with INDU,
COMPX, TRIN, and TICK. I think it is good enough to reproduce here because it solidifies what I've learned about these
indicators elsewhere:
| Market Direction | INDU | COMPX | TRIN | TICK |
|---|---|---|---|---|
| High Reversal Probability | | | 0.55 or lower | 1000 or higher |
| Extremely Bullish | above 75 | above 20 | 0.70 to 0.55 | 600 to 1000 |
| Bullish | 35 to 75 | 15 to 20 | 0.85 to 0.70 | 300 to 600 |
| Neutral | 35 to -35 | 15 to -15 | 1.00 to 0.85 | 300 to -300 |
| Bearish | -35 to -75 | -15 to -20 | 1.15 to 1.00 | -300 to -600 |
| Extremely Bearish | -75 or lower | -20 or lower | 1.30 to 1.15 | -600 to -1000 |
| High Reversal Probability | | | 1.30 or higher | -1000 or lower |
An article at Stocks, Futures, and Options Magazine called Precision Trading: Trading Shorter Time Frames Well Still
Depends on Method and Psyche discusses various trading time frames, all the way from scalping and intraday trading up
to swing trading. It puts scalping into perspective as fast in-and-out trades, almost without regard to the trends and
analysis that the other time periods make heavy use of.
I've referred to the 1option site previously, but I've come across another article there that serves to perpetuate some
myths that appear to be prevalent about trading. There is an article called Can An Option Trader With A $100k Account
Consistently Make $500 A Day?. In one portion of the article, the author mentions Warren Buffett, trading, and scalping
in the same breath. I suppose that, among other things, Warren Buffett traded. But I think for the most part he
specialized in buying undervalued companies and turning them around. I suppose that's what you get when you trade
enough stock in a company to become a primary shareholder. So a trader in companies, maybe, to stretch the definition,
or bend it somewhat. The author goes on to say that scalpers aren't rich. The counter argument for that would be BATS
(the trading system that specializes in making big dollars in scalping), and market makers who make their money on
spreads.
'Making their money on spreads'. I've finally clued in to that. Limit orders and spreads. Basically scalping. After
two years of research, I think I've finally figured out how this stuff works, after spending a bunch of time spinning
my wheels on bar analysis and technical analysis. So the thought is to make more than $500 a day on a $100,000 account.
Yes it can be done. I'll go more into that in another article.
To finish off this page, I came across a Trading Tips page. At first, with their big Roman fonts and yellow
highlighting, I didn't know how seriously to take this page. Well, I still take it with a grain of salt. But unlike
most sites with yellow buy-me-now highlights, this one actually offers up some value. There is an article called
Making the Market. It, very cynically, but probably with much truth, discusses market makers and, as a side benefit,
discusses what scalping does and how to watch where it goes. Be aware that the article doesn't finish, but references
a more complete article at traders101. And only on that link's last page does it go into self promotion. But you learn
something along the way. And if you pay attention to pivots, support, resistance, and trading ranges, paying someone
else for the service may not be necessary, other than to get you over the first few hurdles.
Also at TraderAide is an article called Markets in Profile. Coincidentally, I had made the purchase through Amazon
before coming across that article. I'm not sure if the time frames discussed in the book cover quick trades like
scalping, but perhaps it covers some of the things to keep a watch for in intraday trading.
I should have spread these treasures over several days, but I tend to lose my bookmarks if I don't deal with them
right away. Happy reading.
[/Trading/SiteOfTheDay/D200704]
2007 Apr 01 - Sun
Stopping Screen Flicker in C#/.NET ListView Controls
The automated trading solution I'm building is starting out as a manual trading affair. I figure that once I can prove
the algorithm manually, then I can probably cast the manual rules I use in stone and automate them. As such, I've been
putting a user interface into the software. Part of the interface uses a ListView. The only drawback to using this
control is the amount of flicker it presents.
A number of sites highly ranked on the search engines offer up solutions for resolving the screen flicker problem in
C#/.NET v2.0 applications. None of them catch a key feature that makes it so simple (or at least it took me a while to
catch on). Most of the solutions, such as the solution presented by c pound, use the technique of inheriting from the
basic ListView. Even that is a bit too much like work.
Franceso's Blog does a fairly large song and dance to resolve ListView screen flicker by manually copying stuff back
and forth. Nope, that one isn't very good either.
An article called Painting Techniques using Windows Forms for the Microsoft .NET Framework shows some good manual ways
of using double buffering to provide flicker-free drawing. Another related background article is at Jeremy Kuhne's
Blog. It offers up some good points, but still not the main point.
A related question at The Scripts Developer Network was posted by a chap who, coincidentally, is doing some sort of
stock ticker app. The solution also references the technique of derivation and setting 'DoubleBuffered' to true. Nope,
not quite what I was looking for. That thread did point to a commercial grade ListView replacement called Glacial
ListView. Looks good, but I'm looking for a free solution.
And the winner is: a page from the MSDN ControlStyles Enumeration. The secret ingredient for eliminating ListView
screen flicker is to put the ControlStyles initialization flags into the form's Load handler.
Here is a sample with all the test stuff in it:
private void frmTradeFrame_Load( object sender, EventArgs e ) {
    this.SetStyle(
        //ControlStyles.UserPaint |
        ControlStyles.AllPaintingInWmPaint |
        //ControlStyles.Opaque |
        ControlStyles.OptimizedDoubleBuffer,
        true);
    //this.DoubleBuffered = true;
    this.SetStyle(ControlStyles.EnableNotifyMessage, true);
    SetStyle(ControlStyles.ResizeRedraw, true);
}
protected override void OnNotifyMessage( Message m ) {
    // 0x14 is WM_ERASEBKGND; every other message is passed through
    if (m.Msg != 0x14) {
        base.OnNotifyMessage(m);
    }
}
When I'm done, it should all boil down to this:
private void frmTradeFrame_Load( object sender, EventArgs e ) {
    this.SetStyle(
        ControlStyles.AllPaintingInWmPaint |
        ControlStyles.OptimizedDoubleBuffer,
        true);
    SetStyle(ControlStyles.ResizeRedraw, true);
}
Or maybe even this:
private void frmTradeFrame_Load( object sender, EventArgs e ) {
    this.DoubleBuffered = true;
}
... since one of the documents I referenced indicated that DoubleBuffered sets those ControlStyles flags for you.
After all that ranting and raving, it didn't work. The following mods do. The key requirement is that you have to
subclass the ListView control itself; overriding the containing form is not enough.
public class frmLV : ListView {
    public frmLV() {
        this.SetStyle(
            ControlStyles.AllPaintingInWmPaint |
            ControlStyles.Opaque |
            ControlStyles.OptimizedDoubleBuffer,
            true);
        this.SetStyle(ControlStyles.EnableNotifyMessage, true);
        SetStyle(ControlStyles.ResizeRedraw, true);
    }
    protected override void OnNotifyMessage( Message m ) {
        // 0x14 is WM_ERASEBKGND: neutralise it instead of dropping the notification
        if (m.Msg == 0x14) m.Msg = 0x00;
        //if (m.Msg != 0x14) {
        base.OnNotifyMessage(m);
        //}
    }
}
The bonus feature that appears to reduce CPU utilization a bit is to invalidate only the bounds of the item that
changed rather than the whole control:
// http://msdn.microsoft.com/msdnmag/issues/06/03/WindowsFormsPerformance/
lvBook.Invalidate(lvi.GetBounds(ItemBoundsPortion.Entire), false);
If you've read this far, the simple solution to the problem, if you get down to the low-level code, is, according to a
link at a Microsoft MSDN list, to "filter out the erase background message". Therefore, in the main draw code, one
needs to paint the background and text all in one fell swoop.
[/Trading/AutomatedTrading]