[K12OSN] Censornet help

Brian Chivers brian at portsmouth-college.ac.uk
Wed Apr 26 14:56:53 UTC 2006


Dimitri Yioulos wrote:
> On Wednesday April 26 2006 9:34 am, Edward Holcroft wrote:
>> Dimitri
>>
>> I am using the latest Censornet in the way you describe in diagram one.
>>
>>> In the Censornet Web site, under Support, there's a section called Network
>>> Diagrams.  I'm trying to set up the second of the schemes, Standard Bridge
>>> Mode.  The write-up states:
>>>
>>> "This is the most common form of Bridged CensorNet design. Note that we never
>>> recommend the use of Bridge Mode unless you have your own firewall to protect
>>> your perimeter. Although the CensorNet still has two network cards, connected
>>> in a similar fashion to the Basic Router Mode option, it only has one IP
>>> address, purely for administration purposes. The firewall shown in the
>>> diagram will have an internal address on the same subnet as the rest of the
>>> local LAN."
>>>
>>> So, just as in the diagram, I've tried this:
>>>
>>>                       internet
>>>
>>>                        router
>>>
>>>                        firewall--------DMZ
>>>
>>>                      Censornet
>>>
>>>                        Switch
>>>
>>>                          LAN
>> This is good.
>>
>>> I'm able to get both user and workstation data from our AD server into
>>> Censornet.  I'm able to reach the Censornet Web admin gui from my
>>> workstation.  I'm able to ping both my workstation and an outside site from
>>> the Censornet box.  I've set up the correct address and port in Web browser
>>> proxy settings.  Depending on how I wire the Censornet box to the firewall
>>> and/or LAN, at worst I'm continually prompted for a uname and pw.
>> This is a feature, not a problem and is exactly what is supposed to
>> happen with Censornet. It sounds like you have everything working
>> just right.
>>
>>> At best,
>>> I'll get a Censornet "Authentication Failed" message.
>> If, for example, you don't have the correct proxy settings (or if a
>> user deliberately tries to bypass the proxy) you encounter this
>> message - once again exactly what should happen.
>>
>>> As to this last, there's obviously an authentication problem.  Remember, I can
>>> see both users and workstations in the Censornet Web gui.  All the proper
>>> access permissions are set for both.  But, I have no idea whether it's an
>>> iptables issue or a Censornet issue.  A perusal of the logs on both systems
>> It sounds like you want the Windows user to automagically be logged
>> in as the Internet user, but that's not the way Censornet works. You
>> have to log in to the web independently, even if you have already
>> logged into Windows and authenticated against your domain (it sounds
>> like you're running Windows on the desktop here, right?). This is how
>> Censornet logs access. In other words Censornet is not a transparent
>> proxy that makes use of the user authentication login details - it is a
>> separate and self-contained logging and authentication system.  The
>> fact that it imports the user accounts from your AD is merely a
>> convenience so that you don't have to recreate them all manually. It
>> also means that one user can login to the Windows PC and another can
>> log into the Internet on the same PC at one time - it is the
>> username that logs onto the Internet that will be tracked and logged
>> in the Censornet Webalizer, not the Windows AD authenticated user.
>>
>> Hope this helps
>> ed
> 
> Understood on the authentication mechanism.  Now, this is the curious part - 
> if, after entering my uname and pw (once, or a few times, doesn't matter), 
> then cancelling the login, I get the Censornet "Authentication Failed" error 
> message.  SO, I am communicating with Censornet, but not being authenticated.
> 
> As you know, Censornet isn't difficult to configure, nor are there a lot of 
> configuration settings to make.  But, just for fun, I reinstalled Censornet, 
> to make sure I didn't futz anything up the first go-round.  No luck, same 
> issues.
> 
> And, our AD server is also our system's time server.  I made sure that I 
> configured Censornet to use it to sync the time.  Both are at the same time.  
> I think, though, that that's important mainly for user and workstation 
> discovery.
> 
> Dimitri
> 
You can test the authentication via the CLI; not sure how, but do a search for "PAM" on the Censornet 
forums and you should find something.

Brian

---------------------------------------------------------------
    The views expressed here are my own and not necessarily 
                the views of Portsmouth College             



