[K12OSN] Censornet help

Dimitri Yioulos dyioulos at firstbhph.com
Wed Apr 26 14:36:13 UTC 2006


On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
> Dimitri
>
> I am using the latest Censornet in the way you describe in diagram one.
>
> > In the Censornet Web site, under Support, there's a section called Network
> > Diagrams.  I'm trying to set up the second of the schemes, Standard Bridge
> > Mode.  The write-up states:
> >
> > "This is the most common form of Bridged CensorNet design. Note that we never
> > recommend the use of Bridge Mode unless you have your own firewall to protect
> > your perimeter. Although the CensorNet still has two network cards, connected
> > in a similar fashion to the Basic Router Mode option, it only has one IP
> > address, purely for administration purposes. The firewall shown in the
> > diagram will have an internal address on the same subnet as the rest of the
> > local LAN."
> >
> > So, just as in the diagram, I've tried this:
> >
> >                       internet
> >
> >                        router
> >
> >                        firewall--------DMZ
> >
> >                      Censornet
> >
> >                        Switch
> >
> >                          LAN
>
> This is good.
>
> > I'm able to get both user and workstation data from our AD server into
> > Censornet.  I'm able to reach the Censornet Web admin gui from my
> > workstation.  I'm able to ping both my workstation and an outside site from
> > the Censornet box.  I've set up the correct address and port in Web browser
> > proxy settings.  Depending on how I wire the Censornet box to the firewall
> > and/or LAN, at worst I'm continually prompted for a uname and pw.
>
> This is a feature, not a problem and is exactly what is supposed to
> happen with Censornet. It sounds like you have everything working
> just right.
>
> > At best,
> > I'll get a Censornet "Authentication Failed" message.
>
> If, for example, you don't have the correct proxy settings (or if a
> user deliberately tries to bypass the proxy) you encounter this
> message - once again exactly what should happen.
>
> > As to this last, there's obviously an authentication problem.  Remember, I can
> > see both users and workstations in the Censornet Web gui.  All the proper
> > access permissions are set for both.  But, I have no idea whether it's an
> > iptables issue or a Censornet issue.  A perusal of the logs on both systems
>
> It sounds like you want the Windows user to automagically be logged
> in as the Internet user, but that's not the way Censornet works. You
> have to log in to the web independently, even if you have already
> logged into Windows and authenticated against your domain (it sounds
> like you're running Windows on the desktop here, right?). This is how
> Censornet logs access. In other words, Censornet is not a transparent
> proxy that makes use of the user authentication login details - it is a
> separate and self-contained logging and authentication system.  The
> fact that it imports the user accounts from your AD is merely a
> convenience so that you don't have to recreate them all manually. It
> also means that one user can log in to the Windows PC and another can
> log into the Internet on the same PC at one time - it is the
> username that logs onto the Internet that will be tracked and logged
> in the Censornet Webalizer, not the Windows AD authenticated user.
>
> Hope this helps
> ed

Understood on the authentication mechanism.  Now, this is the curious part - 
if, after entering my uname and pw (once, or a few times, doesn't matter), 
then cancelling the login, I get the Censornet "Authentication Failed" error 
message.  SO, I am communicating with Censornet, but not being authenticated.

As you know, Censornet isn't difficult to configure, nor are there a lot of 
configuration settings to make.  But, just for fun, I reinstalled Censornet, 
to make sure I didn't futz anything up the first go-round.  No luck, same 
issues.

And, our AD server is also our system's time server.  I made sure that I 
configured Censornet to use it to sync the time.  Both are at the same time.  
I think, though, that that's important mainly for user and workstation 
discovery.

Dimitri
