CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From:
"Kelley, Tim" <[log in to unmask]>
Reply To:
Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date:
Thu, 10 Aug 2006 11:11:23 -0700
Content-Type:
text/plain
Parts/Attachments:
text/plain (145 lines)
Hi Michael,

Thanks for your quick response.

I did not think to check this, so I thought "Eureka!"... and then I
checked. Sadly my test network (which works) and my hall networks
have the same configurations and they are all routing back to the CAS
service address.

-Tim

Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148



-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of King, Michael
Sent: Thursday, August 10, 2006 10:33 AM
To: [log in to unmask]
Subject: Re: No filter but still no web login

Maybe what bit me once....

Did you check that your route BACK to the CAS for the IPs that are
being handed out is correct?

Your CAS's Service IP is 10.2.0.1

I.e. you hand out 10.0.0.x addresses, you have a route on your router
pointing 10.0.0.0 255.255.255.0 to 10.2.0.1


________________________________

	From: Perfigo SecureSmart and CleanMachines Discussion List [mailto:[log in to unmask]] On Behalf Of Kelley, Tim
	Sent: Thursday, August 10, 2006 1:22 PM
	To: [log in to unmask]
	Subject: No filter but still no web login

	Hi All,

	I have been banging my head against the wall for the past three days with this problem so I thought I would submit it to the group.

	The Setup:

	        IB, Real IP, Failover CAS & CAM bundles

	Briefly, here are the symptoms:

	No users except on one VLAN (the test VLAN in my office) are being redirected to the login page on requesting a URL. It works as expected on my test VLAN.

	Here is what I have done to test it:

	1)      Verified that there are no subnet filters on both the CAS and CAM
	2)      Verified that there are no device filters on the CAS or CAM
	3)      Checked the 'Unauthenticated' role filter and see that there is allow access to the following (untrusted -> trusted):
	a.      UDP & TCP untrusted = *:* trusted = 132.241.66.8/255.255.255.255 :* (our vpn server)
	b.      TCP untrusted = *:* trusted = 132.241.82.62/255.255.255.255 :80 (our resnet web server)
	c.      UDP DNS
	d.      Otherwise, block all
	4)      Allowed hosts are the stock setup
	5)      Bandwidth management not enabled.
	6)      My test devices are not on the 'Certified Devices' list.
	7)      I added a 'deny' filter for my test device's MAC and I verified that I was not able to access the Internet (to test to see if there was a layer 3 bypass to the CAS).

	And then I started "poking it with a stick" because I was out of ideas:

	8)      I verified that I was being issued an IP in a range appropriate to the managed subnet.
	9)      I deleted the managed subnet from the CAS and verified that I could not access the internet.
	10)     I checked /proc/click/intern_validation_table on the CAS for 00 MACs as per Kyle Evans on the ListServ:

		"We are running IB VGW, and we had a similar problem one time. I don't know what caused it exactly, but I suspect it had to do with managed subnets not being created properly. Anyway, cd to /proc/click/intern_validation_table on the CAS. Then do "cat table". We found that if any IP addresses in that table had mac addresses of all 0s, then whomever had that IP address could use the network unfettered."

	        No 00:00... macs

	I am out of ideas. I would love some help.

	-Tim

	Tim Kelley
	ResNet Coordinator
	California State University, Chico
	m. 530.230.7400
	o. 530.898.5148
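As an added example that is not part of the thread, the two checks discussed above written out in Python: Michael's return-route check (the most specific router route covering each handed-out range must point at the CAS service IP, 10.2.0.1 here) and a scan for the all-zero MAC entries Kyle Evans describes. The router configuration and the table lines are constructed sample data; the real intern_validation_table layout is not shown in the thread, so the scan only assumes an IPv4 address and a MAC appear on the same line.

```python
import ipaddress
import re

# The CAS service IP is the one Michael King names in the thread; every other
# value below is constructed sample data, not a real configuration.
CAS_SERVICE_IP = ipaddress.ip_address("10.2.0.1")

# Constructed router config in Cisco IOS "ip route <net> <mask> <next-hop>" form:
# 10.0.0.0/24 returns via the CAS, 10.0.1.0/24 is pointed elsewhere, and
# 10.0.2.0/24 only matches a supernet route that also bypasses the CAS.
ROUTER_CONFIG = """\
ip route 10.0.0.0 255.255.255.0 10.2.0.1
ip route 10.0.1.0 255.255.255.0 10.9.9.9
ip route 10.0.0.0 255.255.0.0 10.9.9.254
"""
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)", re.M)

def parse_routes(config):
    """Return (network, next_hop) pairs from the 'ip route' lines."""
    return [(ipaddress.ip_network(f"{net}/{mask}"), ipaddress.ip_address(hop))
            for net, mask, hop in ROUTE_RE.findall(config)]

def return_path_via_cas(client_subnet, routes, cas_ip=CAS_SERVICE_IP):
    """Longest-prefix match for a handed-out range: if the winning route does
    not point at the CAS service IP, replies never pass through the CAS and
    the web login redirect cannot happen."""
    subnet = ipaddress.ip_network(client_subnet)
    covering = [r for r in routes if subnet.subnet_of(r[0])]
    if not covering:
        return False
    return max(covering, key=lambda r: r[0].prefixlen)[1] == cas_ip

def subnets_missing_return_route(client_subnets, config, cas_ip=CAS_SERVICE_IP):
    routes = parse_routes(config)
    return [s for s in client_subnets if not return_path_via_cas(s, routes, cas_ip)]

# Constructed stand-in for 'cat table' output; the thread does not show the
# real layout, so only "an IPv4 address and a MAC on the same line" is assumed.
TABLE_SAMPLE = """\
10.0.0.15 00:11:22:33:44:55
10.0.0.77 00:00:00:00:00:00
10.0.1.9 00:00:00:00:00:00
"""
ZERO_MAC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}).*\b(?:00[:-]){5}00\b")

def ips_with_zero_mac(table_text):
    """IPs whose entry carries an all-zero MAC, the bypass symptom Kyle Evans saw."""
    return [m.group(1) for line in table_text.splitlines()
            if (m := ZERO_MAC_RE.search(line))]
```

Run against a real router's static routes and the CAS table, any subnet reported by the first check explains a VLAN that never reaches the login page, and any IP reported by the second is a host that can bypass the CAS entirely.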


	
