[K12OSN] Censornet help

Brian Chivers brian at portsmouth-college.ac.uk
Wed Apr 26 15:19:11 UTC 2006


Dimitri Yioulos wrote:
> On Wednesday April 26 2006 10:56 am, Brian Chivers wrote:
>> Dimitri Yioulos wrote:
>>> On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
>>>> Dimitri
>>>>
>>>> I am using the latest Censornet in the way you describe in diagram one.
>>>>
>>>>> In the Censornet Web site, under Support, there's a section called
>>>>> Network Diagrams.  I'm trying to set up the second of the schemes,
>>>>> Standard Bridge Mode.  The write-up states:
>>>>>
>>>>> "This is the most common form of Bridged CensorNet design. Note
>>>>> that we never recommend the use of Bridge Mode unless you have
>>>>> your own firewall to protect your perimeter. Although the
>>>>> CensorNet still has two network cards, connected in a similar
>>>>> fashion to the Basic Router Mode option, it only has one IP
>>>>> address, purely for administration purposes. The firewall shown
>>>>> in the diagram will have an internal address on the same subnet
>>>>> as the rest of the local LAN."
>>>>>
>>>>> So, just as in the diagram, I've tried this:
>>>>>
>>>>>                       internet
>>>>>
>>>>>                        router
>>>>>
>>>>>                        firewall--------DMZ
>>>>>
>>>>>                      Censornet
>>>>>
>>>>>                        Switch
>>>>>
>>>>>                          LAN
>>>> This is good.
>>>>
>>>>> I'm able to get both user and workstation data from our AD server
>>>>> into Censornet.  I'm able to reach the Censornet Web admin gui
>>>>> from my workstation.  I'm able to ping both my workstation and an
>>>>> outside site from the Censornet box.  I've set up the correct
>>>>> address and port in Web browser proxy settings.  Depending on how
>>>>> I wire the Censornet box to the firewall and/or LAN, at worst I'm
>>>>> continually prompted for a uname and pw.
>>>> This is a feature, not a problem and is exactly what is supposed to
>>>> happen with Censornet. It sounds like you have everything working
>>>> just right.
>>>>
>>>>> At best,
>>>>> I'll get a Censornet "Authentication Failed" message.
>>>> If, for example, you don't have the correct proxy settings (or if a
>>>> user deliberately tries to bypass the proxy) you encounter this
>>>> message - once again exactly what should happen.
>>>>
>>>>> As to this last, there's obviously an authentication problem.
>>>>> Remember, I can see both users and workstations in the Censornet
>>>>> Web gui.  All the proper access permissions are set for both.
>>>>> But, I have no idea whether it's an iptables issue or a Censornet
>>>>> issue.  A perusal of the logs on both systems
>>>> It sounds like you want the Windows user to automagically be logged
>>>> in as the Internet user, but that's not the way Censornet works. You
>>>> have to log in to the web independently, even if you have already
>>>> logged into Windows and authenticated against your domain (it sounds
>>>> like you're running Windows on the desktop here, right?). This is how
>>>> Censornet logs access. In other words Censornet is not a transparent
>>>> proxy that makes use of the user authentication login details - it is a
>>>> separate and self-contained logging and authentication system.  The
>>>> fact that it imports the user accounts from your AD is merely a
>>>> convenience so that you don't have to recreate them all manually. It
>>>> also means that one user can login to the Windows PC and another can
>>>> log into the Internet on the same PC at one time - it is the
>>>> username that logs onto the Internet that will be tracked and logged
>>>> in the Censornet Webalizer, not the Windows AD authenticated user.
>>>>
>>>> Hope this helps
>>>> ed
>>> Understood on the authentication mechanism.  Now, this is the curious
>>> part - if, after entering my uname and pw (once, or a few times, doesn't
>>> matter), then cancelling the login, I get the Censornet "Authentication
>>> Failed" error message.  SO, I am communicating with Censornet, but not
>>> being authenticated.
>>>
>>> As you know, Censornet isn't difficult to configure, nor are there a lot
>>> of configuration settings to make.  But, just for fun, I reinstalled
>>> Censornet, to make sure I didn't futz anything up the first go-round.  No
>>> luck, same issues.
>>>
>>> And, our AD server is also our system's time server.  I made sure that I
>>> configured Censornet to use it to sync the time.  Both are at the same
>>> time. I think, though, that that's important mainly for user and
>>> workstation discovery.
>>>
>>> Dimitri
>> You can test the authentication via the CLI, not sure how but do a search
>> for "PAM" on the censornet forums and you should find something.
>>
>> Brian
>>
> 
> You're right.  It's "/usr/local/squid/libexec/pam_auth -1".  When I enter my
> uname and pw, I get an "ERR" return instead of OK.  The FAQ says this about
> it:
>
> "If you get an OK response, then all is well. If you get an ERR response, then
> there is something wrong, but it's got nothing to do with the clock (and
> probably nothing to do with the CN either)."
> 
> Hmmm.  What, then?
> 
> Dimitri
> 
Can you ping the AD OK? I added our PDC to the /etc/hosts file manually; I think I had to do it to
/etc/hosts.tmpl as well to make it survive after a reboot.

Perhaps try that. Also, anything in the AD logs?

Brian

---------------------------------------------------------------
    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             
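
The name-resolution check suggested in the message above, as an added example (not part of the original post and not Censornet's own tooling): it confirms that the domain controller's name maps to the same address in both /etc/hosts and /etc/hosts.tmpl. The host name `pdc.example.test`, the address `192.0.2.10` and the function names are constructed for illustration; that /etc/hosts.tmpl is needed for the entry to survive a reboot is taken from the post.

```shell
#!/bin/sh
# hosts_ip FILE NAME: print the IP of the first entry in FILE that lists NAME
# (as canonical name or alias, case-insensitive). Prints nothing if absent.
hosts_ip() {
    [ -r "$1" ] || return 0
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # strip comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "$1"
}

# check_pdc_entry NAME HOSTS TMPL
# Returns 0 if both files map NAME to the same IP, 1 if HOSTS lacks it,
# 2 if only TMPL lacks it (entry would be lost on reboot), 3 on mismatch.
check_pdc_entry() {
    name=$1; hosts=$2; tmpl=$3
    ip_hosts=$(hosts_ip "$hosts" "$name")
    ip_tmpl=$(hosts_ip "$tmpl" "$name")
    if [ -z "$ip_hosts" ]; then
        echo "missing in $hosts"; return 1
    fi
    if [ -z "$ip_tmpl" ]; then
        echo "missing in $tmpl"; return 2
    fi
    if [ "$ip_hosts" != "$ip_tmpl" ]; then
        echo "mismatch: $ip_hosts vs $ip_tmpl"; return 3
    fi
    echo "ok $ip_hosts"
}

# Constructed sample files so the check runs anywhere; on the Censornet box
# the call would be: check_pdc_entry <pdc-name> /etc/hosts /etc/hosts.tmpl
demo=$(mktemp -d)
printf '127.0.0.1 localhost\n192.0.2.10 pdc.example.test pdc  # constructed\n' > "$demo/hosts"
printf '127.0.0.1 localhost\n' > "$demo/hosts.tmpl"
check_pdc_entry pdc "$demo/hosts" "$demo/hosts.tmpl" || true
```
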



