Hi Again Michael,
Yes, it worked Monday morning but now it doesn't. We have had it
installed, and working, most of the summer.
-Tim
Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148
-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of King, Michael
Sent: Thursday, August 10, 2006 11:34 AM
To: [log in to unmask]
Subject: Re: No filter but still no web login
Tim..
Are you setting this up for the first time, i.e., has it ever worked? :-)
I was making the assumption that it worked, and now doesn't.
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Kelley, Tim
> Sent: Thursday, August 10, 2006 2:24 PM
> To: [log in to unmask]
> Subject: Re: No filter but still no web login
>
> Hi Dennis,
>
> Thank you, too, for the quick response.
>
> I am hesitant to potentially break my test network by putting
> my port on one of the non-authenticating networks so instead
> I wandered over to a hall (thus the delay), released/renewed,
> and verified that the IP I got wasn't on our management
> subnet (we use a completely different range for
> management: 10... vs a real IP 132... the students are assigned.)
>
> -Tim
>
> Tim Kelley
> ResNet Coordinator
> California State University, Chico
> m. 530.230.7400
> o. 530.898.5148
>
>
>
> -----Original Message-----
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Dennis Xu
> Sent: Thursday, August 10, 2006 10:39 AM
> To: [log in to unmask]
> Subject: Re: No filter but still no web login
>
> Can other users get IP correctly?
>
>
>
> I once saw one specific user who could not be directed
> to the web login page because he got the same IP as the CAS IP in
> the management subnet. Make sure to exclude the CAS IP in the management
> subnet from the central DHCP range.
>
>
>
> ------------
>
> Dennis Xu
>
> Network Analyst (CCS)
>
> University of Guelph
>
> 519-824-4120 x 56217
>
> [log in to unmask]
>
> ________________________________
>
> From: Perfigo SecureSmart and CleanMachines Discussion List
> [mailto:[log in to unmask]] On Behalf Of Kelley, Tim
> Sent: Thursday, August 10, 2006 1:22 PM
> To: [log in to unmask]
> Subject: No filter but still no web login
>
>
>
> Hi All,
>
> I have been banging my head against the wall for the past
> three days with this problem so I thought I would submit it
> to the group.
>
> The Setup:
>
> IB, Real IP, Failover CAS & CAM bundles
>
> Briefly, here are the symptoms:
>
> No users except on one VLAN (the test VLAN in my office) are
> being redirected to the login page on requesting a URL. It
> works as expected on my test VLAN.
>
> Here is what I have done to test it:
>
> 1) Verified that there are no subnet filters on both the CAS and CAM
>
> 2) Verified that there are no device filters on the CAS or CAM
>
> 3) Checked the 'Unauthenticated' role filter and see that there is
> allow access to the following (untrusted -> trusted):
>
> a. UDP & TCP untrusted = *:* trusted = 132.241.66.8 /255.255.255.255 :* (our vpn server)
>
> b. TCP untrusted = *:* trusted = 132.241.82.62 /255.255.255.255 :80 (our resnet web server)
>
> c. UDP DNS
>
> d. Otherwise, block all
>
> 4) Allowed hosts are the stock setup
>
> 5) Bandwidth management not enabled.
>
> 6) My test devices are not on the 'Certified Devices' list.
>
> 7) I added a 'deny' filter for my test device's MAC and I verified
> that I was not able to access the Internet (to test to see if
> there was a layer 3 bypass to the CAS).
>
> And then I started "poking it with a stick" because I was out
> of ideas:
>
> 8) I verified that I was being issued an IP in a range appropriate
> to the managed subnet.
>
> 9) I deleted the managed subnet from the CAS and verified that I
> could not access the internet.
>
> 10) I checked /proc/click/intern_validation_table on the CAS for 00
> MACs as per Kyle Evans on the ListServ:
>
> "We are running IB VGW, and we had a similar problem one
> time. I don't know what caused it exactly, but I suspect it
> had to do with managed subnets not being created properly.
> Anyway, cd to /proc/click/intern_validation_table on the CAS.
> Then do "cat table".
> We found that if any IP addresses in that table had mac
> addresses of all 0s, then whomever had that IP address could
> use the network unfettered."
>
> No 00:00... MACs
>
> I am out of ideas. I would love some help.
>
> -Tim
>
> Tim Kelley
>
> ResNet Coordinator
>
> California State University, Chico
>
> m. 530.230.7400
>
> o. 530.898.5148
>
>
>