Archive for March, 2013

You Need A Budget (YNAB)

I don’t regularly review software, so this entry is a bit of an oddity on my blog.

I recently ran across a budgeting tool called You Need A Budget, referred to from here on out as YNAB.  Some commenters posted praise of the tool, while others complained that it didn’t auto-import transactions.  Still others asked what it does that Mint doesn’t do, for free.  And speaking of price, while it’s normally around $60, it’s on sale through Steam for just over $20.  From what I could gather, they’ve been running specials on Steam recently, so you might be able to get it there if you check in from time to time.

Anyhow, after reading the YNAB website, and considering it a bit, I realized that perhaps part of my problem IS features like automatic transaction importing.

I’ve used Quick Essentials for the last couple of years.  One of the features I really liked about it was that it supports auto-import for my major accounts.  It doesn’t work with my checking account or one of my credit cards, but it works with others, including the credit card I use the most, my Amex.  Truth is, though, I import my transactions about once a month (sometimes less frequently).  I used to be very conscientious about my credit card bills, going through all the transactions to make sure they were all appropriate, but I’m downright lazy about it now.

I’ve also been trying to pay down my debt since… well, it seems like forever.  While I have been able to chip away at it, I never seem to be able to save enough to buy the things I want, so I usually end up taking out loans for those purchases, then paying down those loans.  Sort of the reverse of what I’d like to do, plus I get the added bonus of paying extra in the form of interest.

One of the YNAB videos I watched mentioned being able to see how much money you have left in your budget for a particular category, and then making a spending decision based on that, not your bank balance.  While that’s not exactly my process, it struck a nerve.  I realized that I don’t have a very good handle on where my money goes, and sometimes when I see a good deal, I may think about my immediate situation and go ahead and make a purchase, without giving it the proper amount of consideration.

So, I looked even closer at YNAB.  Their website has details about their process, including a surprising amount of video help.

What about Mint?  Well, Mint is pretty.  It auto-imports the crap out of everything too.  After using YNAB for a couple of hours today, I see that at its core, YNAB is a budgeting program.  Most of the other tools out there are glorified check registers, geared toward tracking income and expenditures.  Yes, there may be a Budget component, but it’s not the same as YNAB.

I grabbed the YNAB iPhone app too.  If you enable it, your budget sits in the cloud (in Dropbox) and the iPhone app syncs up with your desktop.  The iPhone app will let me enter transactions while I’m on the go.  It even supports GPS, so it can tell where you are when you add a transaction (though I haven’t tested that yet).

Anyhow, I’m starting out with YNAB, so I’ll see how it goes over the next few months.

March 24, 2013 at 8:47 pm

Synology DSM 4.2 is out! Radius Alert!

DSM version 4.1 has been my standard since I got my Diskstation sometime last summer.  Today, I happened to check and found that version 4.2 is now available.

NOTE:  Right now there is a screaming good deal on a 3TB WD Red drive at NewEgg ($139).  Check out for the coupon code.  I ordered one minutes after seeing the price, as that’s a very good buy on this drive, which NewEgg normally sells for $179.

Anyhow, I installed DSM 4.2 not expecting much, with it being a point upgrade.  Looking around at it though, I’m surprised, and in a good way!

The first thing I noticed was that the GUI for the Package Center is different.

The second thing I noticed was that there were a bunch of new packages that look really good.

DHCP Server
I remember this being a feature of 4.1, but I believe it was lacking reservations.  They are supported now, along with a screen to show you the current leases, plus you can do multiple scopes now.
DNS Server
I’ve wanted a decent DNS server for my NAS, and now I’ve got one.  It’s got a nice GUI interface for setting up zones, and it seems pretty fast.  Not sure what’s under the hood, but I’m using it as mine now.
Radius Server
This was a surprise, and it’s the Gem of the upgrade, in my opinion.  It’s got a deceptively simple GUI.   It was nice to see that it comes out-of-the-box with options to authenticate local users, LDAP users, or Domain users (the only options on the Settings panel).  The Clients panel allows you to add clients… I added a quick client (a newly created SSID on my OpenWRT box), set the Shared secret, and Applied it.   It’s got a Block List panel, which appears to allow you to set certain users (or groups) that you wish NOT to be authenticated.  Lastly, it has a Log panel, which lets you see what it’s been up to.

Perhaps most surprising of all, my simple test worked with very little effort.  I connected to my new WPA2 Enterprise SSID via my iPhone, and it prompted me to accept the certificate, put in my new username and password, and it authenticated.  My iPhone was connected and working.  (One caveat worth knowing: that prompt is for the RADIUS server’s EAP certificate, and a client that accepts whatever certificate it is shown will just as happily hand its username and password to a rogue AP fronting someone else’s RADIUS server, so on devices you manage it’s better to install and trust the DiskStation’s certificate explicitly than to rely on the tap-to-accept prompt.)  I may just move all of my Enterprise Auth to the Radius server on my Diskstation, if it proves to work well.
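To make concrete what the “Shared secret” entered on the Clients panel actually does, here is a minimal RADIUS Access-Request/Access-Accept exchange in Python, written as an added example for this post (it is not Synology’s or OpenWRT’s code, and the iPhone test above actually runs EAP inside RADIUS rather than the plain PAP modelled here). Both sides are shown: the NAS (the OpenWRT AP) hides the password under the secret and the Request Authenticator, the server (the DiskStation) recovers it, decides, and signs its reply with a Response Authenticator, and the NAS refuses any reply whose authenticator does not verify. The user database, secret and NAS identifier are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32

# Constructed user database standing in for the DiskStation's local users.
USERS = {b"alice": b"correct horse"}


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; the server needs the same secret to get anything sensible."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def pack_attrs(pairs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in pairs)


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident, secret, username, password, request_auth):
    """NAS side (the AP): Access-Request with the password hidden under the secret."""
    attrs = pack_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IDENTIFIER, b"openwrt-ap"),  # constructed NAS name
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_handle(packet, secret, users):
    """Server side (the DiskStation): recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if users.get(attrs[USER_NAME]) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)  # no reply attributes in this example
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + ReplyAttributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()


def client_verify(response, request_auth, secret):
    """The NAS must check the Response Authenticator before trusting an Accept."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    return response[0]


def run_exchange(client_secret, server_secret, username, password):
    """Full round trip; returns the verified reply code, or None if the reply fails the check."""
    request_auth = os.urandom(16)  # must be fresh per request; it keys the password hiding
    request = build_access_request(7, client_secret, username, password, request_auth)
    response = server_handle(request, server_secret, USERS)
    try:
        return client_verify(response, request_auth, client_secret)
    except ValueError:
        return None


if __name__ == "__main__":
    print("good password:", run_exchange(b"s3cret", b"s3cret", b"alice", b"correct horse"))
    print("bad password: ", run_exchange(b"s3cret", b"s3cret", b"alice", b"wrong"))
    print("secret mismatch:", run_exchange(b"s3cret", b"other", b"alice", b"correct horse"))
```

Two things fall out of running it. A secret mismatch does not produce a clean error: the server just recovers garbage, rejects, and the NAS cannot verify the reply, which is exactly the “it doesn’t work and the Log panel shows failures” symptom you get from a typo in the Clients panel. And the hiding is only MD5 keyed by the secret, so anyone who can capture the UDP traffic can brute-force a weak secret offline; pick a long random one and keep the RADIUS traffic on a network segment you trust.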

Other new features that I’ve only looked at briefly, but look good:
Antivirus by McAfee – Not saying this is a good thing, but more A/V options aren’t really bad.
Syslog Server – Nice looking GUI interface.  It’s not Splunk, but it’s decent.
Directory Server – Was this in 4.1?  I plan to check into this one when I have some time…

There are lots more packages, that look to be useful in a business setting as well.

I’ve already turned off DHCP for my router and started using this as my caching DNS server.  Perhaps this weekend, I’ll move my “main” SSID over to let my DiskStation handle the Radius auth as well.

March 14, 2013 at 12:06 am

Cisco WCS Issues

WARNING:  A very technical (but short) article follows that deals with the inner workings of a little-documented file used in Cisco’s WCS.  If you don’t already know what WCS is, you should probably stop reading now, as the rest of this article won’t make much sense.  I’ve mostly written this post to document this for myself, but if there’s anyone else out there that this helps, then that’s a bonus.

Cisco WCS (Wireless Control System) is a system used to manage WLCs (Wireless LAN Controllers).  A WLC manages access points.  So, WCS is basically a software package that manages devices, which in turn manage access points.  The APs don’t need any individual config on them, as they get everything they need from their WLC.

We’ve been running the latest edition of version 6.0 for quite some time.  It works beautifully.  Our routers are configured to hand out a special set of DHCP options just for WLCs, which we can do because there is only one per remote site.  The vendor class ID of the WLC is inspected by the router, and if it’s found to be a WLC, the scope using the special options is used.  These DHCP options allow a brand new WLC to be unboxed and plugged in with no pre-configuration.  DHCP will point it to a good startup config from the WCS server, after which it will pull all the appropriate templates that are configured in the config group it is part of, using a feature of WCS called AutoProvisioning.  This has worked beautifully for several years, applying about 25 templates to each location, adding settings such as WLANs, Radius servers, NTP and Syslog, and much more.  This makes for super easy new installations, not to mention replacing WLCs.  No need to pre-configure the hardware.  Just unbox it, plug it in and go.

Recently, we found that the Cisco 2106 WLC has been discontinued, which is what we have in more than 500 sites.  Since we are adding 200 sites, we’d prefer to use the same model, but they have been replaced by a newer model, the 2504.  It supports a maximum of 5 APs (versus 6 on the 2106) and it has only 4 ports (versus 8 on the 2106), but otherwise it has at least the same capabilities.

Unfortunately, the 2504 requires WCS version 7.0 at a minimum.  Cisco has versions of firmware that are 7.2, and 7.3, etc, but those won’t work with WCS.  Cisco moved to NCS (Network Control System), and as of the latest version they’ve changed the name again.  Furthermore, NCS and later are virtual appliances, so you can’t run it under your own Windows server, as you could with WCS.

Anyhow, we set out to test things.

Our test system was upgraded to version  After performing numerous tests, we found that WCS version 7.0 has some issues.  (We tried also, same issues)  It didn’t matter if the WLC was running the matching firmware, or even back on a 6.0 version of firmware, the same problems exist.

1. The AS_4200_startup.confg xml file is really a template that forms the basis for each -confg file that gets generated by WCS using the AutoProvision filter.  It has a username embedded within it, along with a password.  Unfortunately, the password didn’t work for the 2504.  I found that you can export a config from a WLC with a password set, then replace the contents of the <iv>, <mac>, and <passwd> fields within the AS_4200_startup.confg xml file and then the 2504 will work with the password you set.  Unfortunately, that password won’t be properly decoded by a 2106 that’s loaded using this xml file.  This is really more of an annoying issue, but still a problem.

Fix A:  The password store defaults to a ps_type of PS_STATIC_AES128CBC_SHA1.  This can be changed in the xml config template to a type of PS_NULL_NULL_NULL, and the <iv> and <mac> tags can be deleted.  Then, take your password, convert it to hex, and place that in the <passwd> tag, and set the <passwd_len> tag to the number of characters in your password.  Note:  Don’t change the number of characters in the <passwd> tag.  It’s padded with 0’s.

Note: The above fix isn’t the most secure way to handle things, but it will allow two different versions of WLC hardware to use the same username and password, as passed in this file.  You should not do this at all if your WCS server is listening on a public IP for TFTP traffic.  If it’s publicly available via any insecure protocol like TFTP, someone will probably find it sooner or later.  Whether they’ll know how to exploit what they find is another question, but it’s best not to leave that to chance.

Fix B: Another, more secure alternative, is to set the password in your xml template file to be one that will work on 2504s, since that’s probably what you’ll be installing, and place another username and password in a WCS template that gets applied when the device gets provisioned.  That way, you’ll have a local user on 2504’s and once installed, you’ll have a local user (applied via WCS template) that will work on either model.

2. ACL templates are not properly pushed when autoprovisioning a WLC.  Note that if you go to the Config Group page, and do an “Apply”, the ACLs will typically get applied properly, but this is a manual process, and we want it to be completely automated.  The problem is that after a WLC comes online and gets everything applied by WCS, all ACLs that we pushed via template exist in name only.  All the individual ACL rules are missing.  This also means that any WLANs that use this ACL won’t be added, since the required ACL isn’t complete.  This is a major problem.

Fix: After much experimentation, we found that if you manually add the ACL names to the xml config template file, they will be in place when the WLC completes its boot, before being added to WCS.  WCS will then see the ACLs there, and will populate them with the appropriate rules.  Here’s an example:

In the <ACL-Configuration> tag, add a new section like so:

<aclTable index=0>
<ACL-name>Your ACL name here</ACL-name>

Make sure that “Your ACL name here” exactly matches the ACL name in WCS.  If you have multiple ACLs to add, copy and paste the above in multiple times, incrementing the index each time.
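Both template edits described above (the PS_NULL_NULL_NULL password store from Fix A, and pre-creating the ACL names) are mechanical and easy to get subtly wrong by hand, so here is a small script that applies them to a copy of the template. It is an added example written for this post, not Cisco tooling and not the author’s own script. It runs against a constructed, minimal stand-in for AS_4200_startup.confg: the element names <iv>, <mac>, <passwd>, <passwd_len>, <ACL-Configuration>, <aclTable> and <ACL-name> come from the post, while <WLCConfig>, <mgmtUser> and <ps_type> are assumed names, as is the well-formed <aclTable index="0">…</aclTable> spelling of each ACL entry. The real file’s layout may differ, so check the element paths against your own template before pointing the script at it.

```python
import xml.etree.ElementTree as ET

# Constructed, minimal stand-in for AS_4200_startup.confg (the real file is much larger).
# <iv>, <mac>, <passwd>, <passwd_len>, <ACL-Configuration>, <aclTable> and <ACL-name> are
# the element names the post uses; <WLCConfig>, <mgmtUser> and <ps_type> are assumptions.
TEMPLATE = """<WLCConfig>
  <mgmtUser>
    <name>admin</name>
    <ps_type>PS_STATIC_AES128CBC_SHA1</ps_type>
    <iv>00112233445566778899aabbccddeeff</iv>
    <mac>00000000000000000000000000000000</mac>
    <passwd_len>8</passwd_len>
    <passwd>0000000000000000000000000000000000000000000000000000000000000000</passwd>
  </mgmtUser>
  <ACL-Configuration>
  </ACL-Configuration>
</WLCConfig>
"""


def set_plaintext_password(root, password):
    """Fix A: switch the management user's password store to PS_NULL_NULL_NULL.

    The password then sits in the file as plain hex, which is why this is only
    acceptable when the template is served on a private network (see the TFTP warning)."""
    user = root.find("mgmtUser")
    if user is None:
        raise ValueError("no <mgmtUser> section in template")
    user.find("ps_type").text = "PS_NULL_NULL_NULL"
    for tag in ("iv", "mac"):  # meaningless without encryption, so drop them
        node = user.find(tag)
        if node is not None:
            user.remove(node)
    passwd = user.find("passwd")
    field_len = len(passwd.text.strip())
    hexpw = password.encode("ascii").hex()
    if len(hexpw) > field_len:
        raise ValueError("password too long for the %d-character <passwd> field" % (field_len // 2))
    passwd.text = hexpw.ljust(field_len, "0")  # keep the field width; it is zero-padded
    user.find("passwd_len").text = str(len(password))


def add_acl_names(root, acl_names):
    """ACL fix: pre-create empty ACLs by name so WCS fills in the rules after boot."""
    section = root.find("ACL-Configuration")
    if section is None:
        raise ValueError("no <ACL-Configuration> section in template")
    index = len(section.findall("aclTable"))  # continue numbering after existing entries
    for name in acl_names:
        if not name or name != name.strip():
            raise ValueError("ACL name %r must match the WCS name exactly" % name)
        entry = ET.SubElement(section, "aclTable", index=str(index))
        ET.SubElement(entry, "ACL-name").text = name
        index += 1


def rewrite_template(xml_text, password, acl_names):
    """Apply both fixes to the template text and return the rewritten XML."""
    root = ET.fromstring(xml_text)
    set_plaintext_password(root, password)
    add_acl_names(root, acl_names)
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Return the fields a reviewer would check in the rewritten template."""
    root = ET.fromstring(xml_text)
    user = root.find("mgmtUser")
    return {
        "ps_type": user.find("ps_type").text,
        "has_iv_or_mac": user.find("iv") is not None or user.find("mac") is not None,
        "passwd": user.find("passwd").text,
        "passwd_len": user.find("passwd_len").text,
        "acls": [(e.get("index"), e.find("ACL-name").text)
                 for e in root.find("ACL-Configuration").findall("aclTable")],
    }


if __name__ == "__main__":
    print(rewrite_template(TEMPLATE, "Str0ngPass", ["GUEST-ACL", "MGMT-ACL"]))
```

The script preserves the <passwd> field width and refuses a password that would not fit, which are the two mistakes most likely to leave a WLC with an unusable local account. Because the result holds the password in the clear, treat the rewritten file like any other credential file, and prefer Fix B where you can.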

NOTE:  When we ran across these problems in our testing, we dropped back to the original AS_4200_startup.confg file.  It didn’t help.  We even dropped back to a 6.0 release of WCS, validated that we could get it working there, then upgraded to a 7.0 release and repeated the same process, to find that it failed.  These are definitely deficiencies in WCS.  It is possible that the password thing was a design decision they made, but the ACL issue?  Inexcusable!

Anyhow, those are the two problems we have found, and some workarounds.  We have upgraded our production system and have one 2504 that we’ve autoprovisioned using WCS with our modified xml template.  It worked just as well on the two 2106’s that we’ve loaded through this new version.   I expect that we will be rolling out the new 2504’s to remote sites within a month.


March 1, 2013 at 11:12 pm

