[K12OSN] Censornet help
Brian Chivers
brian at portsmouth-college.ac.uk
Wed Apr 26 15:19:11 UTC 2006
Dimitri Yioulos wrote:
> On Wednesday April 26 2006 10:56 am, Brian Chivers wrote:
>> Dimitri Yioulos wrote:
>>> On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
>>>> Dimitri
>>>>
>>>> I am using the latest Censornet in the way you describe in diagram one.
>>>>
>>>>> In the Censornet Web site, under Support, there's a section called Network
>>>>> Diagrams. I'm trying to set up the second of the schemes, Standard Bridge
>>>>> Mode. The write-up states:
>>>>>
>>>>> "This is the most common form of Bridged CensorNet design. Note that we never
>>>>> recommend the use of Bridge Mode unless you have your own firewall to protect
>>>>> your perimeter. Although the CensorNet still has two network cards, connected
>>>>> in a similar fashion to the Basic Router Mode option, it only has one IP
>>>>> address, purely for administration purposes. The firewall shown in the
>>>>> diagram will have an internal address on the same subnet as the rest of the
>>>>> local LAN."
>>>>>
>>>>> So, just as in the diagram, I've tried this:
>>>>>
>>>>> internet
>>>>>
>>>>> router
>>>>>
>>>>> firewall--------DMZ
>>>>>
>>>>> Censornet
>>>>>
>>>>> Switch
>>>>>
>>>>> LAN
>>>> This is good.
>>>>
>>>>> I'm able to get both user and workstation data from our AD server into
>>>>> Censornet. I'm able to reach the Censornet Web admin gui from my
>>>>> workstation. I'm able to ping both my workstation and an outside site from
>>>>> the Censornet box. I've set up the correct address and port in Web browser
>>>>> proxy settings. Depending on how I wire the Censornet box to the firewall
>>>>> and/or LAN, at worst I'm continually prompted for a uname and pw.
>>>> This is a feature, not a problem and is exactly what is supposed to
>>>> happen with Censornet. It sounds like you have everything working
>>>> just right.
>>>>
>>>>> At best,
>>>>> I'll get a Censornet "Authentication Failed" message.
>>>> If, for example, you don't have the correct proxy settings (or if a
>>>> user deliberately tries to bypass the proxy) you encounter this
>>>> message - once again exactly what should happen.
>>>>
>>>>> As to this last, there's obviously an authentication problem. Remember, I can
>>>>> see both users and workstations in the Censornet Web gui. All the proper
>>>>> access permissions are set for both. But, I have no idea whether it's an
>>>>> iptables issue or a Censornet issue. A perusal of the logs on both systems
>>>> It sounds like you want the Windows user to automagically be logged
>>>> in as the Internet user, but that's not the way Censornet works. You
>>>> have to log in to the web independently, even if you have already
>>>> logged into Windows and authenticated against your domain (it sounds
>>>> like you're running Windows on the desktop here, right?). This is how
>>>> Censornet logs access. In other words Censornet is not a transparent
>>>> proxy that makes use of the user authentication login details - it is a
>>>> separate and self-contained logging and authentication system. The
>>>> fact that it imports the user accounts from your AD is merely a
>>>> convenience so that you don't have to recreate them all manually. It
>>>> also means that one user can login to the Windows PC and another can
>>>> log into the Internet on the same PC at one time - it is the
>>>> username that logs onto the Internet that will be tracked and logged
>>>> in the Censornet Webalizer, not the Windows AD authenticated user.
>>>>
>>>> Hope this helps
>>>> ed
>>> Understood on the authentication mechanism. Now, this is the curious
>>> part - if, after entering my uname and pw (once, or a few times, doesn't
>>> matter), then cancelling the login, I get the Censornet "Authentication
>>> Failed" error message. So, I am communicating with Censornet, but not
>>> being authenticated.
>>>
>>> As you know, Censornet isn't difficult to configure, nor are there a lot
>>> of configuration settings to make. But, just for fun, I reinstalled
>>> Censornet, to make sure I didn't futz anything up the first go-round. No
>>> luck, same issues.
>>>
>>> And, our AD server is also our system's time server. I made sure that I
>>> configured Censornet to use it to sync the time. Both are at the same
>>> time. I think, though, that that's important mainly for user and
>>> workstation discovery.
>>>
>>> Dimitri
>> You can test the authentication via the CLI, not sure how but do a search
>> for "PAM" on the censornet forums and you should find something.
>>
>> Brian
>>
>
> You're right. It's "/usr/local/squid/libexec/pam_auth -1". When I enter my
> uname and pw, I get an "ERR" return instead of OK. The FAQ says
> this about it:
>
> "If you get an OK response, then all is well. If you get an ERR response, then
> there is something wrong, but it's got nothing to do with the clock (and
> probably nothing to do with the CN either)."
>
> Hmmm. What, then?
>
> Dimitri
>
Can you ping the AD OK? I added our PDC to the /etc/hosts file manually; I think I had to do it to
/etc/hosts.tmpl as well to make it survive after a reboot.
Perhaps try that. Also, anything in the AD logs?
Brian
---------------------------------------------------------------
The views expressed here are my own and not necessarily
the views of Portsmouth College
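
The hosts-file check suggested in the message above, as an added example that is not part of the original post: it verifies that the PDC has an entry in the live hosts file and the same entry in the template file, so the mapping is not lost on reboot. The PDC name `pdc01`, the addresses and the file contents are constructed, and the role of `/etc/hosts.tmpl` is assumed from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Sample names and addresses are constructed.

# hosts_lookup FILE NAME
# Print the address(es) mapped to NAME in a hosts-format file. Matching is
# case-insensitive, covers aliases, and ignores comments and blank lines.
hosts_lookup() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }          # drop trailing or whole-line comments
        NF < 2 { next }             # blank line, or address with no name
        { for (i = 2; i <= NF; i++)
              if (tolower($i) == want) { print $1; next } }
    ' "$1" | sort -u
}

# check_pdc_entry NAME LIVE_FILE TEMPLATE_FILE
# Returns 0 when both files agree, 1 when NAME is missing from the live file,
# 2 when it is missing from the template (entry would not survive a reboot),
# 3 when the two files map NAME to different addresses.
check_pdc_entry() {
    live=$(hosts_lookup "$2" "$1")
    tmpl=$(hosts_lookup "$3" "$1")
    if [ -z "$live" ]; then
        echo "MISSING: $1 has no entry in $2"; return 1
    fi
    if [ -z "$tmpl" ]; then
        echo "NOT PERSISTENT: $1 is absent from $3"; return 2
    fi
    if [ "$live" != "$tmpl" ]; then
        echo "MISMATCH: $2 says $live, $3 says $tmpl"; return 3
    fi
    echo "OK: $1 -> $live"
}

# Demo on constructed files: the entry exists only in the live file.
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n10.0.0.5 pdc01.example.test pdc01 # AD\n' > "$demo/hosts"
printf '127.0.0.1 localhost\n' > "$demo/hosts.tmpl"
check_pdc_entry pdc01 "$demo/hosts" "$demo/hosts.tmpl" || echo "exit status $?"
rm -rf "$demo"
```

On the CensorNet box itself the call would be `check_pdc_entry <pdc-name> /etc/hosts /etc/hosts.tmpl`, with the real PDC name substituted.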