[K12OSN] Censornet help

Edward Holcroft edward at netday.org.za
Wed Apr 26 13:34:58 UTC 2006


Dimitri

I am using the latest Censornet in the way you describe in diagram one.
>
> In the Censornet Web site, under Support, there's a section called
> Network Diagrams.  I'm trying to set up the second of the schemes,
> Standard Bridge Mode.  The write-up states:
>
> "This is the most common form of Bridged CensorNet design. Note that we
> never recommend the use of Bridge Mode unless you have your own firewall
> to protect your perimeter. Although the CensorNet still has two network
> cards, connected in a similar fashion to the Basic Router Mode option, it
> only has one IP address, purely for administration purposes. The firewall
> shown in the diagram will have an internal address on the same subnet as
> the rest of the local LAN."
>
> So, just as in the diagram, I've tried this:
>
>                       internet
>                          |
>                        router
>                          |
>                       firewall--------DMZ
>                          |
>                      Censornet
>                          |
>                        Switch
>                          |
>                         LAN
>

This is good.

>
> I'm able to get both user and workstation data from our AD server into
> Censornet.  I'm able to reach the Censornet Web admin gui from my
> workstation.  I'm able to ping both my workstation and an outside site
> from the Censornet box.  I've set up the correct address and port in Web
> browser proxy settings.  Depending on how I wire the Censornet box to the
> firewall and/or LAN, at worst I'm continually prompted for a uname and pw.

This is a feature, not a problem and is exactly what is supposed to  
happen with Censornet. It sounds like you have everything working  
just right.

> At best,
> I'll get a Censornet "Authentication Failed" message.

If, for example, you don't have the correct proxy settings (or if a  
user deliberately tries to bypass the proxy) you encounter this  
message - once again exactly what should happen.

>
> As to this last, there's obviously an authentication problem.  Remember,
> I can see both users and workstations in the Censornet Web gui.  All the
> proper access permissions are set for both.  But, I have no idea whether
> it's an iptables issue or a Censornet issue.  A perusal of the logs on
> both systems

It sounds like you want the Windows user to automagically be logged
in as the Internet user, but that's not the way Censornet works. You
have to log in to the web independently, even if you have already
logged into Windows and authenticated against your domain (it sounds
like you're running Windows on the desktop here, right?). This is how
Censornet logs access. In other words, Censornet is not a transparent
proxy that makes use of the user authentication login details - it is a
separate and self-contained logging and authentication system.  The
fact that it imports the user accounts from your AD is merely a
convenience so that you don't have to recreate them all manually. It
also means that one user can log in to the Windows PC and another can
log into the Internet on the same PC at one time - it is the
username that logs onto the Internet that will be tracked and logged
in the Censornet Webalizer, not the Windows AD authenticated user.

Hope this helps
ed