[K12OSN] Censornet help
Edward Holcroft
edward at netday.org.za
Wed Apr 26 13:34:58 UTC 2006
Dimitri
I am using the latest Censornet in the way you describe in diagram one.
>
> In the Censornet Web site, under Support, there's a section called
> Network Diagrams. I'm trying to set up the second of the schemes,
> Standard Bridge Mode. The write-up states:
>
> "This is the most common form of Bridged CensorNet design. Note that
> we never recommend the use of Bridge Mode unless you have your own
> firewall to protect your perimeter. Although the CensorNet still has
> two network cards, connected in a similar fashion to the Basic Router
> Mode option, it only has one IP address, purely for administration
> purposes. The firewall shown in the diagram will have an internal
> address on the same subnet as the rest of the local LAN."
>
> So, just as in the diagram, I've tried this:
>
> internet
> |
> router
> |
> firewall--------DMZ
> |
> Censornet
> |
> Switch
> |
> LAN
>
This is good.
>
> I'm able to get both user and workstation data from our AD server into
> Censornet. I'm able to reach the Censornet Web admin gui from my
> workstation. I'm able to ping both my workstation and an outside site
> from the Censornet box. I've set up the correct address and port in
> Web browser proxy settings. Depending on how I wire the Censornet box
> to the firewall and/or LAN, at worst I'm continually prompted for a
> uname and pw.
This is a feature, not a problem and is exactly what is supposed to
happen with Censornet. It sounds like you have everything working
just right.
> At best,
> I'll get a Censornet "Authentication Failed" message.
If, for example, you don't have the correct proxy settings (or if a
user deliberately tries to bypass the proxy) you encounter this
message - once again exactly what should happen.
>
> As to this last, there's obviously an authentication problem.
> Remember, I can see both users and workstations in the Censornet Web
> gui. All the proper access permissions are set for both. But, I have
> no idea whether it's an iptables issue or a Censornet issue. A perusal
> of the logs on both systems
It sounds like you want the Windows user to automagically be logged
in as the Internet user, but that's not the way Censornet works. You
have to log in to the web independently, even if you have already
logged into Windows and authenticated against your domain (it sounds
like you're running Windows on the desktop here, right?). This is how
Censornet logs access. In other words, Censornet is not a transparent
proxy that makes use of the user authentication login details - it is a
separate and self-contained logging and authentication system. The
fact that it imports the user accounts from your AD is merely a
convenience so that you don't have to recreate them all manually. It
also means that one user can log in to the Windows PC and another can
log into the Internet on the same PC at one time - it is the
username that logs onto the Internet that will be tracked and logged
in the Censornet Webalizer, not the Windows AD authenticated user.
Hope this helps
ed