[K12OSN] Censornet help

Dimitri Yioulos dyioulos at firstbhph.com
Wed Apr 26 15:13:34 UTC 2006


On Wednesday April 26 2006 10:56 am, Brian Chivers wrote:
> Dimitri Yioulos wrote:
> > On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
> >> Dimitri
> >>
> >> I am using the latest Censornet in the way you describe in diagram one.
> >>
> >>> In the Censornet Web site, under Support, there's a section called
> >>> Network Diagrams.  I'm trying to set up the second of the schemes,
> >>> Standard Bridge Mode.  The write-up states:
> >>>
> >>> "This is the most common form of Bridged CensorNet design. Note that
> >>> we never recommend the use of Bridge Mode unless you have your own
> >>> firewall to protect your perimeter. Although the CensorNet still has
> >>> two network cards, connected in a similar fashion to the Basic Router
> >>> Mode option, it only has one IP address, purely for administration
> >>> purposes. The firewall shown in the diagram will have an internal
> >>> address on the same subnet as the rest of the local LAN."
> >>>
> >>> So, just as in the diagram, I've tried this:
> >>>
> >>>                       internet
> >>>
> >>>                        router
> >>>
> >>>                        firewall--------DMZ
> >>>
> >>>                      Censornet
> >>>
> >>>                        Switch
> >>>
> >>>                          LAN
> >>
> >> This is good.
> >>
> >>> I'm able to get both user and workstation data from our AD server into
> >>> Censornet.  I'm able to reach the Censornet Web admin gui from my
> >>> workstation.  I'm able to ping both my workstation and an outside site
> >>> from the Censornet box.  I've set up the correct address and port in
> >>> Web browser proxy settings.  Depending on how I wire the Censornet box
> >>> to the firewall and/or LAN, at worst I'm continually prompted for a
> >>> uname and pw.
> >>
> >> This is a feature, not a problem and is exactly what is supposed to
> >> happen with Censornet. It sounds like you have everything working
> >> just right.
> >>
> >>> At best,
> >>> I'll get a Censornet "Authentication Failed" message.
> >>
> >> If, for example, you don't have the correct proxy settings (or if a
> >> user deliberately tries to bypass the proxy) you encounter this
> >> message - once again exactly what should happen.
> >>
> >>> As to this last, there's obviously an authentication problem.
> >>> Remember, I can see both users and workstations in the Censornet Web
> >>> gui.  All the proper access permissions are set for both.  But, I have
> >>> no idea whether it's an iptables issue or a Censornet issue.  A perusal
> >>> of the logs on both systems
> >>
> >> It sounds like you want the Windows user to automagically be logged
> >> in as the Internet user, but that's not the way Censornet works. You
> >> have to log in to the web independently, even if you have already
> >> logged into Windows and authenticated against your domain (it sounds
> >> like you're running windows on the desktop here right?). This is how
> >> Censornet logs access. In other words Censornet is not a transparent
> >> proxy that makes use of the user authentication login details - it is a
> >> separate and self-contained logging and authentication system.  The
> >> fact that it imports the user accounts from your AD is merely a
> >> convenience so that you don't have to recreate them all manually. It
> >> also means that one user can login to the Windows PC and another can
> >> log into the Internet on the same PC at one time - it is the
> >> username that logs onto the Internet that will be tracked and logged
> >> in the Censornet Webalizer, not the Windows AD authenticated user.
> >>
> >> Hope this helps
> >> ed
> >
> > Understood on the authentication mechanism.  Now, this is the curious
> > part - if, after entering my uname and pw (once, or a few times, doesn't
> > matter), then cancelling the login, I get the Censornet "Authentication
> > Failed" error message.  SO, I am communicating with Censornet, but not
> > being authenticated.
> >
> > As you know, Censornet isn't difficult to configure, nor are there a lot
> > of configuration settings to make.  But, just for fun, I reinstalled
> > Censornet, to make sure I didn't futz anything up the first go-round.  No
> > luck, same issues.
> >
> > And, our AD server is also our system's time server.  I made sure that I
> > configured Censornet to use it to sync the time.  Both are at the same
> > time. I think, though, that that's important mainly for user and
> > workstation discovery.
> >
> > Dimitri
>
> You can test the authentication via the CLI, not sure how but do a search
> for "PAM" on the censornet forums and you should find something.
>
> Brian
>

You're right.  It's "/usr/local/squid/libexec/pam_auth -1".  When I enter my 
uname and pw, I get an "ERR" return instead of OK.  The FAQ says 
this about it:

"If you get an OK response, then all is well. If you get an ERR response, then 
there is something wrong, but it's got nothing to do with the clock (and 
probably nothing to do with the CN either)."

Hmmm.  What, then?

Dimitri
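
The helper test discussed above, as an added example that is not part of the original thread: Squid basic-auth helpers such as pam_auth read one "username password" line on stdin and answer with a line starting OK or ERR, and Squid URL-escapes both fields before sending them. The names `urlencode`, `auth_check` and `stub_helper` are hypothetical, and `stub_helper` is a constructed stand-in so the script runs without PAM.

```shell
#!/bin/sh
# Added example: feed credentials to a Squid basic-auth helper the way Squid
# does and turn its one-line reply into an exit status.

# Percent-encode every byte outside [A-Za-z0-9._-]. Squid URL-escapes the
# username and password on the wire and the helper unescapes them again.
urlencode() {
    printf '%s' "$1" | od -An -tx1 | tr -s ' ' '\n' | while read -r hex; do
        [ -n "$hex" ] || continue
        case "$hex" in
            2d|2e|5f|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                # Safe byte: print it literally via an octal escape.
                printf "\\$(printf '%03o' "0x$hex")" ;;
            *)  printf '%%%s' "$hex" ;;
        esac
    done
}

# auth_check USER PASSWORD HELPER [ARGS...]
# Returns 0 on OK, 1 on ERR, 2 if the helper said anything else (or nothing).
auth_check() {
    user=$(urlencode "$1"); pass=$(urlencode "$2"); shift 2
    reply=$(printf '%s %s\n' "$user" "$pass" | "$@" | head -n 1)
    case "$reply" in
        OK*)  return 0 ;;
        ERR*) return 1 ;;
        *)    return 2 ;;
    esac
}

# Constructed stand-in for the real helper (assumption, for offline runs):
# accepts only user "alice" whose password "s3cret pw" arrives URL-escaped.
stub_helper() {
    while read -r u p; do
        if [ "$u $p" = "alice s3cret%20pw" ]; then echo OK; else echo ERR; fi
    done
}

# Demo against the stand-in.
auth_check alice 's3cret pw' stub_helper && echo "stub helper: OK"
```

Against the real helper the call would be `auth_check "$user" "$pass" /usr/local/squid/libexec/pam_auth -1`, using the path and flag quoted in the message above.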
