CLEANACCESS Archives

August 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Kelley, Tim" <[log in to unmask]>
Reply To: Perfigo SecureSmart and CleanMachines Discussion List <[log in to unmask]>
Date: Thu, 10 Aug 2006 12:01:15 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (167 lines)
Hi Matt,

I had to go to our networking guru for this info.  He says: "The default
gateways are set up on the CAS and the routes we have set up are pointing
at the trusted interface (well, the virtual trusted IP). We have our
interfaces set up right, I think, because if we cut off the CAS, they stop
responding, and they are also getting DHCP."

-Tim

Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148



-----Original Message-----
From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Matt Moore
Sent: Thursday, August 10, 2006 11:22 AM
To: [log in to unmask]
Subject: Re: No filter but still no web login[Scanned]

We have a layer 3 switch that we use as our core router and have our CAS
and CAM connected directly to it.  VLAN interfaces are set on it to
perform as the default gateway for our VLANs and when we put CCA in
place we had to remove the VLAN interfaces on the switch for the VLANs
that we want to go through the CAS.  It took me a while to figure this
out.  Make sure that the gateway being used is only on the CAS and that
you have routes pointing to the TRUSTED side of the CAS (I know... it
doesn't sound right, but it works.)

Matt Moore
Systems Administrator
Dakota Wesleyan University
605-995-2187

________________________________

From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of King, Michael
Sent: Thursday, August 10, 2006 12:33 PM
To: [log in to unmask]
Subject: Re: No filter but still no web login[Scanned]

Maybe what bit me once....

Did you check that your route BACK to the CAS for the IPs that are
being handed out is correct?

Your CAS's Service IP is 10.2.0.1

I.e. you hand out 10.0.0.x addresses, you have a route on your router
pointing 10.0.0.0 255.255.255.0 to 10.2.0.1

________________________________

From: Perfigo SecureSmart and CleanMachines Discussion List
[mailto:[log in to unmask]] On Behalf Of Kelley, Tim
Sent: Thursday, August 10, 2006 1:22 PM
To: [log in to unmask]
Subject: No filter but still no web login

Hi All,

I have been banging my head against the wall for the past three
days with this problem, so I thought I would submit it to the group.

The Setup:

        IB, Real IP, Failover CAS & CAM bundles

Briefly, here are the symptoms:

No users except on one VLAN (the test VLAN in my office) are
being redirected to the login page on requesting a URL.  It works as
expected on my test VLAN.

Here is what I have done to test it:

1)  Verified that there are no subnet filters on both the CAS and CAM

2)  Verified that there are no device filters on the CAS or CAM

3)  Checked the 'Unauthenticated' role filter and see that there is
allow access to the following (untrusted -> trusted):

    a.  UDP & TCP untrusted = *:* trusted = 132.241.66.8/255.255.255.255:*
(our VPN server)

    b.  TCP untrusted = *:* trusted = 132.241.82.62/255.255.255.255:80
(our ResNet web server)

    c.  UDP DNS

    d.  Otherwise, block all

4)  Allowed hosts are the stock setup

5)  Bandwidth management not enabled.

6)  My test devices are not on the 'Certified Devices' list.

7)  I added a 'deny' filter for my test device's MAC and verified that
I was not able to access the Internet (to test whether there was a
layer 3 bypass of the CAS).

And then I started "poking it with a stick" because I was out of ideas:

8)  I verified that I was being issued an IP in a range appropriate to
the managed subnet.

9)  I deleted the managed subnet from the CAS and verified that I could
not access the Internet.

10) I checked /proc/click/intern_validation_table on the CAS for 00 MACs
as per Kyle Evans on the ListServ:

"We are running IB VGW, and we had a similar problem one time.
I don't know what caused it exactly, but I suspect it had to do with
managed subnets not being created properly.  Anyway, cd to
/proc/click/intern_validation_table on the CAS.  Then do "cat table".
We found that if any IP addresses in that table had MAC addresses of all
0s, then whomever had that IP address could use the network unfettered."

        No 00:00... MACs

I am out of ideas.  I would love some help.

-Tim

Tim Kelley
ResNet Coordinator
California State University, Chico
m. 530.230.7400
o. 530.898.5148
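As an added illustration (not code from any poster in this thread), here is a small Python check for the all-zero MAC entries Kyle Evans describes in step 10: it parses a dump of the CAS validation table and lists every IP bound to 00:00:00:00:00:00, i.e. a host that may be passing the CAS unfettered. The sample dump is constructed, and the assumption is only that each table line carries an IP address and a colon-separated MAC; the real column layout of `intern_validation_table` is not shown in the thread.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of a "cat table" dump. The exact column layout of the
# real intern_validation_table is an assumption; this check only relies on
# each line carrying one dotted IPv4 address and one colon-separated MAC.
SAMPLE_TABLE = """\
10.0.0.15 00:1a:2b:3c:4d:5e
10.0.0.16 00:00:00:00:00:00
10.0.0.17 00:1a:2b:3c:4d:60
10.0.0.18 00:00:00:00:00:00
"""

ZERO_MAC = "00:00:00:00:00:00"
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})\b")


def parse_table(text: str) -> Dict[str, str]:
    """Map each IP in the dump to its MAC; lines lacking either are skipped."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        ip_match, mac_match = IP_RE.search(line), MAC_RE.search(line)
        if not (ip_match and mac_match):
            continue
        # Normalise the IP through ipaddress so malformed octets are rejected.
        try:
            ip = str(ipaddress.ip_address(ip_match.group(1)))
        except ValueError:
            continue
        entries[ip] = mac_match.group(1).lower()
    return entries


def zero_mac_entries(entries: Dict[str, str]) -> List[str]:
    """IPs whose MAC is all zeros: the unfettered-access symptom from the thread."""
    return sorted(ip for ip, mac in entries.items() if mac == ZERO_MAC)


if __name__ == "__main__":
    suspects = zero_mac_entries(parse_table(SAMPLE_TABLE))
    print("all-zero MAC entries:", suspects or "none")
```

On a CAS the same check would be fed the output of `cat table` from the directory Kyle names, rather than the constructed sample.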
