No EAP Protocol Was Agreed On

Having the opportunity to experiment with some Juniper security products at home has its (dis)advantages. Juniper offers a (limited) virtual appliance version for both the Unified Access Control appliance (aka the Infranet Controller or Pulse Access Control Gateway), and the SSL VPN solution (aka Secure Access or Pulse Secure Access Gateway).

The limited parts are:

  • SSL is limited to 3 concurrent users
  • UAC is limited to 5 concurrent users
  • You cannot add additional licenses
  • The UAC has no IF-MAP server capabilities, since that requires at least a 50 user license (and you cannot add additional licenses).
Max. 3 concurrent SSL VPN users

Max. 5 concurrent UAC users

So yes, it's crippled, but still very nice to play with in a lab or home/study environment.

Anyway, I have both the UAC and the SSL VPN running at home. Both are running in VMware Fusion on a Mac OS X server (Mac Mini).

A couple of months ago, Juniper released a new major version for the software (v5 for the UAC, and v8 for the SSL VPN), so I wanted to upgrade the VMs to the latest software (also because of the Heartbleed bug in OpenSSL). This was no problem for the SSL VPN. The upgrade went smoothly. However, the UAC was a different story. For some reason, the upgrade package was corrupt or invalid (even though it could be used to do a clean install), so upgrading was out of the question.

So I tried to do a clean install and see if I could import the old config of the existing UAC (v4.4) in the new version 5. Something that didn't work in the older versions of both the SSL VPN and UAC. Importing a software version meant that you needed the correct software version on the device first.

Anyway, importing the system config seemed to work, because all visible settings were correct. The XML import (other configuration settings regarding authentication servers, realms, user roles, etc.) also imported correctly (or so it seemed).
I compared the two configs side by side, and everything checked out. That was until I tried to authenticate on a switch with 802.1x. That didn't work as it should.

The logging of the UAC showed numerous 'No EAP Protocol Was Agreed On' errors. This was weird, because everything worked correctly on the older version.
Since the EAP protocol relies (for a part) on the SSL certificate on the device, I swapped that one for a new certificate from my personal PKI service.

After having checked, and double checked everything (I even tried authenticating against the older UAC version... which still worked), I decided to do a clean install (back to factory settings), and reconfigure the entire UAC by hand instead of the import.

Guess what, everything worked great after I had copied everything by hand.

So I guess that the import of an XML file belonging to an earlier software version still doesn't work. The only difference is that in the old days I got a warning/error.

So if you're getting the 'No EAP Protocol Was Agreed On' error in your events logging, and you did a recent upgrade, you might want to try a fresh install and configure things by hand.

I have no idea if this is applicable to the 'normal' hardware appliances with the software.

Posted on April 13, 2014 and filed under Security, Software, Tips'n Tricks.

Fujifilm X-T1 and Lee Filters

Lee Filter System

During the time with my Nikon D300 I always used regular (thread) filters (circular polarizers, and ND filters). Since the release of the Fujifilm X-T1 I wondered if a Lee filter system might be better / more flexible (not cheaper!!!!).

At the moment they offer the normal 100mm filter system and the new 75mm filter system (Seven5). The latter is designed specially for the smaller cameras (MFT, Mirrorless APS-C, etc.).

Fujinon XF 10-24mm f/4 R OIS

The Seven5 series is cheaper since it uses smaller filters (75mm versus 100mm), and since my Fujifilm X-T1 uses relatively small lenses this could be a winner (the kit lens has a 58mm filter thread). Until I found out that the new ultra wide angle Fujinon XF 10-24mm F/4 R OIS has a 72mm filter thread. And as you might guess, I'm really interested in that lens.

Fortunately, Lee has a 75-to-72mm adapter, so technically the Seven5 system can be used with that lens.

Adaptor ring thread sizes:
The holder attaches to the lens via a screw-in adaptor ring. The adaptor ring is available in the following thread sizes: 37, 37.5, 39, 40, 40.5, 43, 46, 49, 52, 55, 58, 60, 62, 67 and 72mm.

But 72mm versus 75mm doesn't leave much room on the vignetting side of it. Chances are that you get serious vignetting on the ultra wide end of the focal range (10-14mm), because of the filter holder attached to the lens.

Just to make sure, I dropped Lee an e-mail, and this is what I got in return:

I tested a pre launch version of this lens last week on my XPro-1 - 10mm is very wide and the lens is the maximum size our 75mm holder can accept. You do get vignetting below about 12mm, which is still good given that is 15mm FF equivalent.

You would have no problems with the bigger system and a wide angle ring at 10mm, but the system is much larger and more expensive.

The s5 system works very well on all other X lenses - you just need to decide whether those last 2mm of focal length are really important to you.

Personally, I will be sticking with the 14mm prime (but upgrading to the X-T1)

I hope this helps.

With regards,

Tech Support - LEE Filters
— - email

Fujinon XF 14mm f/2.8 R

So, there you've got it: accept additional vignetting on the ultra wide side, or invest in the more expensive 100mm filter system. But before I even invest in a filter system I need to see some independent reviews of that new lens. I might even get the Fujinon XF 14mm f/2.8 R. That lens is available at the moment and is highly recommended by several sites [2] / reviewers / users.

Choices, choices, choices

Posted on March 28, 2014 and filed under Gear, Photography, Personal, Tips'n Tricks.

Fujifilm X-T1 Review

My interest in Fujifilm cameras was rekindled when they released the X-Pro1. When they announced and released the X-T1 this year I had to have one. Why? Because it had everything that my old Nikon D300 doesn't have:

  • Lighter
  • Smaller
  • More Mpix (16 versus 12)
  • Lighter quality lenses
  • Capable of mounting Leica and Nikon lenses (through the use of third party adapters).
  • Tilt-screen
  • Electronic View Finder (EVF)

So my Nikon gear went on sale, and the X-T1 with the Fujinon 18-55mm 1:2.8-4 R LM OIS kit lens found a way into my camera bag, and I skipped the Sony A7(r).

Posted on March 28, 2014 and filed under Gear, Photography, Review.

Train iPhone 5s Touch ID

Touch ID is the name for the fingerprint reader in the new iPhone 5s. When you configure it, you have the possibility to register a number of fingers (5) with which you can unlock your iPhone.

Settings -> General -> Touch ID & Passcode -> Touch ID

For some reason this always failed after a couple of days on my phone. For some reason the fingers didn't 'register' properly, and I was forced to use the PIN.

The way to solve this (temporarily) was to re-register the fingers, until I read about a way of training the device.
When you're in the menu where you normally register your fingerprints, you can register additional print data for each finger by just placing one of the already registered fingers on the home button. When the finger is recognized the registered finger entry on the iPhone turns grey for a second (as shown in the screenshot). Doing this for every finger a couple of times increases the registered data for those fingers. The more data that's registered the better the chance that the finger keeps getting recognized in the future.

UPDATE: With the iOS 7.1 update the Touch ID responds a lot better.

Posted on February 10, 2014 and filed under Apple, iPhone, Tips'n Tricks.