netpass-users — Administrator/Implementor Discussions

Re: [Netpass-users] list sorting

[Jeff M. <jcm...@os...>]

added to cvs


On Tue, 2005-09-06 at 10:58 -0500, Julian Y. Koh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Would it be possible to sort lists of networks, switches, etc by IP address
> instead of by pure number sorting?
> 
> For example, switch 1.2.3.46 appears before 1.2.3.5.  Network 1.2.99.0/24
> appears after 1.2.104.0/24.
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Desktop 9.0.2 (Build 2425)
> Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
> 
> iQA/AwUBQx28uQ5UB5zJHgFjEQIuMgCfZh3nF6bmWb51nc14MkLcD46tDtUAnRIr
> +Jej6chiUGwaKUSGA07ltL2v
> =jUS7
> -----END PGP SIGNATURE-----

[Netpass-users] list sorting

[Julian Y. K. <ko...@no...>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Would it be possible to sort lists of networks, switches, etc by IP address
instead of by pure number sorting?

For example, switch 1.2.3.46 appears before 1.2.3.5.  Network 1.2.99.0/24
appears after 1.2.104.0/24.


-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)
Comment: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

iQA/AwUBQx28uQ5UB5zJHgFjEQIuMgCfZh3nF6bmWb51nc14MkLcD46tDtUAnRIr
+Jej6chiUGwaKUSGA07ltL2v
=jUS7
-----END PGP SIGNATURE-----

-- 
Julian Y. Koh                         <mailto:ko...@no...>
Network Engineer                                   <phone:847-467-5780>
Telecommunications and Network Services         Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>

Re: [Netpass-users] Quarantine Issue?

[Jeff M. <jcm...@os...>]

On Wed, 2005-08-31 at 15:56 -0400, Don Rugh wrote:
> ...is this something that would be of interest to the larger group??  
> how do others handle this type of situation???
> 
> (I'm guessing best way would be to insert code into macscan that  if  
> macIsRegistered returns true would call macStatus and reset port to  
> proper vlan if it's not there already...??)


yes. if it's registered, grab the status and if it's not P/UNQUAR, move
the port back to quarantine by calling "requestPortmove()"

requestMovePort(-switch => switch, -port => port, -vlan => <quarantine |
unquarantine>)

you wouldnt need to figure out what the correct vlan number is. that'll
happen automatically for you with portmover does the actual work.


jeff

> 
> don
> 
> 
> On Aug 31, 2005, at 3:07 PM, Jeff Murphy wrote:
> 
> > On Wed, 2005-08-31 at 10:42 -0400, Don Rugh wrote:
> >
> >> Consider the following scenario:
> >>
> >>
> >> - User transgresses policy and needs to be quarantined
> >> - Admin q's user
> >> - DB is updated, but port reset fails b/c user's MAC is not found on
> >> the switch. We also believe that computer is plugged into a
> >> switch/router, such that computer wake/sleep does not generate
> >> linkup/down events to the switch -- link always up, MAC may or may  
> >> not
> >> be present
> >> - QUESTION: when user's computer wakes up, no event generated, they
> >> are on the network since there appears to be no mechanism to verify
> >> that all ports are in their correct states
> >>
> >>
> >> This could also occur if the SNMP UDP packet doesn't make it to the
> >> switch....are we missing something here?? or have you extended the  
> >> MAC
> >> aging time on your switches??
> >>
> >
> >
> >
> > it's possible that macscan can be modified to not simply check that  
> > the
> > port only has registered clients - but also that each client's  
> > status is
> > P/UNQUAR. if the port contains unregistered or quarantined clients  
> > then
> > it would be switched to the quarantine.
> >
> > another, less likely, possibility would be to determine if the switch
> > can trap when it detects a new mac. even if that worked, it would
> > require more effort than modifying macscan.
> >
> > jeff
> >
> >
> >
> >
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle  
> > Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams *  
> > Testing & QA
> > Security * Process Improvement & Measurement * http://www.sqe.com/ 
> > bsce5sf
> > _______________________________________________
> > Netpass-users mailing list
> > Net...@li...
> > https://lists.sourceforge.net/lists/listinfo/netpass-users
> >
> 
> 
> 
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
> 
-- 
Jeff Murphy <jcm...@os...>

Re: [Netpass-users] Quarantine Issue?

[Don R. <don...@em...>]

...is this something that would be of interest to the larger group??  
how do others handle this type of situation???

(I'm guessing best way would be to insert code into macscan that  if  
macIsRegistered returns true would call macStatus and reset port to  
proper vlan if it's not there already...??)

don


On Aug 31, 2005, at 3:07 PM, Jeff Murphy wrote:

> On Wed, 2005-08-31 at 10:42 -0400, Don Rugh wrote:
>
>> Consider the following scenario:
>>
>>
>> - User transgresses policy and needs to be quarantined
>> - Admin q's user
>> - DB is updated, but port reset fails b/c user's MAC is not found on
>> the switch. We also believe that computer is plugged into a
>> switch/router, such that computer wake/sleep does not generate
>> linkup/down events to the switch -- link always up, MAC may or may  
>> not
>> be present
>> - QUESTION: when user's computer wakes up, no event generated, they
>> are on the network since there appears to be no mechanism to verify
>> that all ports are in their correct states
>>
>>
>> This could also occur if the SNMP UDP packet doesn't make it to the
>> switch....are we missing something here?? or have you extended the  
>> MAC
>> aging time on your switches??
>>
>
>
>
> it's possible that macscan can be modified to not simply check that  
> the
> port only has registered clients - but also that each client's  
> status is
> P/UNQUAR. if the port contains unregistered or quarantined clients  
> then
> it would be switched to the quarantine.
>
> another, less likely, possibility would be to determine if the switch
> can trap when it detects a new mac. even if that worked, it would
> require more effort than modifying macscan.
>
> jeff
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle  
> Practices
> Agile & Plan-Driven Development * Managing Projects & Teams *  
> Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/ 
> bsce5sf
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>

[Netpass-users] messages

[Jeff M. <jcm...@os...>]

a quick note about message naming. i'm recommending that you name
messages as

msg:xxxxx
nessus:xxxxx
snort:xxxxx


instead of calling them all 'msg:xxxxx'. in other words, prefix them
with either snort or nessus as appropriate and tie the scans to those
messages in scan config. 

eventually, to make things more manageable, i'll use a hierarchical menu
in scanconfig, etc, based on the prefix... as the current scan config
drop down can get quiet long.

jeff

Re: [Netpass-users] Quarantine Issue?

[Jeff M. <jcm...@os...>]

On Wed, 2005-08-31 at 10:42 -0400, Don Rugh wrote:
> Consider the following scenario:
> 
> 
> - User transgresses policy and needs to be quarantined
> - Admin q's user
> - DB is updated, but port reset fails b/c user's MAC is not found on
> the switch. We also believe that computer is plugged into a
> switch/router, such that computer wake/sleep does not generate
> linkup/down events to the switch -- link always up, MAC may or may not
> be present
> - QUESTION: when user's computer wakes up, no event generated, they
> are on the network since there appears to be no mechanism to verify
> that all ports are in their correct states
> 
> 
> This could also occur if the SNMP UDP packet doesn't make it to the
> switch....are we missing something here?? or have you extended the MAC
> aging time on your switches??



it's possible that macscan can be modified to not simply check that the
port only has registered clients - but also that each client's status is
P/UNQUAR. if the port contains unregistered or quarantined clients then
it would be switched to the quarantine. 

another, less likely, possibility would be to determine if the switch
can trap when it detects a new mac. even if that worked, it would
require more effort than modifying macscan.

jeff

[Netpass-users] important notes about latest NP bug fixes

[Jeff M. <jcm...@os...>]

I'm going to make some CVS commits today but before you use them, you'll
need to make a few manual adjustments. 

- Audit report changes

  The audit report will now attempt to connect to your other NP 
  servers (if any) and fetch audit history from those servers and then
  coalesce it into the final report.

  This was done because the audit table is not replicated amongst 
  the NP servers. That, in turn, was done because MySQL cluster is
  limited by the amount of RAM in the machine, and the audit table
  can grow quite large over time. So there was a need to fetch the
  audit results from the various servers and present them in a 
  single report.

  To make this happen, you need to grant access so that each server
  can connect to the other. IPTables should already be configured
  to allow this. Assuming you have two NP servers called "npw1" 
  and "npw2", MySQL must be configured as follows:


  npw1% mysql -u root mysql
  mysql> insert into user values ('npw2.cit.buffalo.edu', 'root', '', 
           'y','n','n','n','n','n','n','n','n','n','n','n','n','n','n',
           'n','n','n','n','n','n','','','','',0,0,0);
  npw1% mysqladmin -u root reload

  npw2% mysql -u root mysql
  mysql> insert into user values ('npw1.cit.buffalo.edu', 'root', '', 
           'y','n','n','n','n','n','n','n','n','n','n','n','n','n','n',
           'n','n','n','n','n','n','','','','',0,0,0);
  npw2% mysqladmin -u root reload


- Removal of reliance on cookies

  During semester startup, we discovered an issue with cookies and IE
  toolbars causing sessions to be corrupted. This caused the clients
  to return to the login page repeatedly without ever fully completing
  the registration process.

  The root of the problem seems to be that the toolbars, not
  surprisingly, share the same cookie store as IE itself. When you go
  to, e.g., www.cnn.com, NetPass captures the session, displays its
  welcome page and issues a cookie. 

  Next, the client authenticates by entering credentials and clicking
  'I Accept...'.  The transaction is posted to the NP server and the
  session is then updated to reflect that they are authenticated. 

  Immediately following that, the toolbar (e.g. google toolbar) sends
  the same URL to Google. NetPass captures that transaction and sends
  it to Apache. Apache assigns the transaction to a random httpd 
  process. That process has a copy of the session, but lacks the
  bit of information indicating that it's an authenticated session. 
  The welcome page is sent back to the toolbar (which ignores it)
  and the session is stored, over-writing the state information 
  indicating that the other session is authenticated. 

  When the user finishes the scan, they get the welcome page instead
  of the final or remediation pages. 

  We looked at a few different solutions to this, and the one that
  required the least amount of changes, and therefor the least amount
  of potential for introduction of bugs, was to stop using cookies
  and instead move the session ID into the CGI POSTed information that 
  is sent by the client back to the web server. 

  To activate this, you must edit

       /opt/netpass/lib/NetPass/WWW/Session.pm 

  and in the "new HTML::Mason::ApacheHandler" section, change
  "session_use_cookie" to zero like this:

        session_use_cookie      => 0,

  and also add this line:

        session_args_param      => 'npsess',

  note the trailing comma (just check your edits for syntax). 

  Save your changes and do the "sudo make install" and everything
  should continue to work. The session ID is embedded in the client
  forms as a hidden field. For the Admin interface, it appears 
  as part of the URL.

  Log into the Admin site and be sure to set COOKIE_DETECT to "no".
  That final piece isn't critical, but the cookie detection is 
  pointless now, so you might as well disable it.

  The installation procedure has these changes in it, although I haven't
  yet trimmed out the portions of the code that deal with cookie
  configuration.

[Netpass-users] Quarantine Issue?

[Don R. <don...@em...>]

Consider the following scenario:

- User transgresses policy and needs to be quarantined
- Admin q's user
- DB is updated, but port reset fails b/c user's MAC is not found on  
the switch. We also believe that computer is plugged into a switch/ 
router, such that computer wake/sleep does not generate linkup/down  
events to the switch -- link always up, MAC may or may not be present
- QUESTION: when user's computer wakes up, no event generated, they  
are on the network since there appears to be no mechanism to verify  
that all ports are in their correct states

This could also occur if the SNMP UDP packet doesn't make it to the  
switch....are we missing something here?? or have you extended the  
MAC aging time on your switches??

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

Re: [Netpass-users] Resetport errors?

[Jeff M. <jcm...@os...>]

i forgot the attachment

make sure you edit it and change the email address

Re: [Netpass-users] Resetport errors?

[Jeff M. <jcm...@os...>]

On Fri, 2005-08-26 at 08:49 -0400, Don Rugh wrote:

> 
> These repeat over and over -- is there a config problem? coding
> problem? looks like it's stuck on the processing queue....
> 


this is normal. we see them too and i've verified that the ports really
dont have macs on them. im working on a feature in resetport that will
let those age out so after a while it wont bother checking any more and
anything connected to the port will just use the default unquar
mechanism - which is to hit the web server.



> 
> Also, even though the "-D" is not set for resetport, the debug
> messages are printed to the logfile -- looking at the code, it would
> appear this is by design. Am I missing something, or can you not turn
> these off??


right now, no they cant be turned off. i'll change that probably with a
-v flag or something. the debug messages are useful so i leave them
going to the log regardless. the -D flag really just means "dont detach"
so the process runs in the foreground and sends all output to stdout


as an aside, resetport uses perl threads. perl threads, while they've
come a long way, still dont work 100% of the time. so occasionally
resetport will die. you should configure npsvc.pl by
creating /opt/netpass/etc/npsvc.conf and placing npsvc in /etc/inittab.

npsvc is a basic process watching script. if it finds a process has died
it will restart it. it was recently introduced, so it probably wasnt
installed by your version of the ./install script.

1. cvs update  
2. make install
3. vi /opt/netpass/etc/npsvc.conf (see attachment for example, change
the email address in the conf file!)
4. vi /etc/inittab

# Run npsvc in runlevel 3
npsv:3:respawn:/opt/netpass/bin/npsvc.pl -m smtp.your.edu

5. init q

then, if resetport dies, npsvc will restart it and send you mail. things
like resetport and portmover are more or less stateless. so restarting
them doesn't impact functionality. looking into the perl segv is on my
list of things to examine, but this weekend is move-in at UB, so it'll
have to wait. 3400 already registered... another 5000 to go! 


jeff


> 
> 
> Thanks,
> Don
> 
> Donald G. Rugh
> 
> Director of Network Services
> 
> Information Services
> 
> Saint Vincent College
> 
> 300 Fraser Purchase Road
> 
> Latrobe, PA 15650
> 
> 724-805-2559
> 
> don...@em...
> 
> 
> 
> 
-- 
Jeff Murphy <jcm...@os...>

[Netpass-users] Resetport errors?

[Don R. <don...@em...>]

Gang,

We're seeing a bunch of errors in the netpass log that look like this:

Aug 26 08:43:47 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 10.0.1.135 37 possibly removing from 'q'

Aug 26 08:43:47 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 sw=10.0.1.135 po=37 nw=10.42.0.0/16

Aug 26 08:43:48 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 link up 10.0.1.135 37 and unq_lu=1 rppt=5

Aug 26 08:43:48 netpass1 resetport[12081]: [ERROR] main::procUQ  
[506]: 2 we want to unquar on linkup, but 10.0.1.135 doesnt have mac  
information available for port 37 yet!

Aug 26 08:43:48 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 10.0.1.135 37 possibly removing from 'q'

Aug 26 08:43:49 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 sw=10.0.1.135 po=37 nw=10.42.0.0/16

Aug 26 08:43:49 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 link up 10.0.1.135 37 and unq_lu=1 rppt=5

Aug 26 08:43:49 netpass1 resetport[12081]: [ERROR] main::procUQ  
[506]: 2 we want to unquar on linkup, but 10.0.1.135 doesnt have mac  
information available for port 37 yet!

Aug 26 08:43:49 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 10.0.1.135 37 possibly removing from 'q'

Aug 26 08:43:50 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 sw=10.0.1.135 po=37 nw=10.42.0.0/16

Aug 26 08:43:50 netpass1 resetport[12081]: [DEBUG] main::procUQ  
[506]: 2 link up 10.0.1.135 37 and unq_lu=1 rppt=5

Aug 26 08:43:50 netpass1 resetport[12081]: [ERROR] main::procUQ  
[506]: 2 we want to unquar on linkup, but 10.0.1.135 doesnt have mac  
information available for port 37 yet!

These repeat over and over -- is there a config problem? coding  
problem? looks like it's stuck on the processing queue....

Also, even though the "-D" is not set for resetport, the debug  
messages are printed to the logfile -- looking at the code, it would  
appear this is by design. Am I missing something, or can you not turn  
these off??

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

RE: [Netpass-users] Network Arch Opinions/Questions

[White, S. P. <wh...@um...>]

On our core router/switch you can create a VLAN with no IP address, so =
here is how I will handle this when/if we implement netpass. (assuming =
my understanding of its mechanisms is complete.)

Create the actual vlan with a router interface, IP address, and default =
gateway of X.

the quarrantine VLAN you would create with no router interface and put =
the default gateway IP on the quarrantine card of the netpass box. We do =
this all the time when we want a firewall or smaller router to be the =
default gateway of a particular network.

take care,

Steve

-----Original Message-----
From: net...@li... on behalf of Don Rugh
Sent: Fri 8/12/2005 7:51 AM
To: net...@li...
Subject: Re: [Netpass-users] Network Arch Opinions/Questions
=20
..quick questions about the nic described below, with all the VLANs =20
on it: does each vlan have it own subnet to it?? and does each subnet =20
have an IP address on the NP server nic??

The reason I'm asking -- looks like there may be an issue on our core =20
that we cannot assign a 2 vlans to the same subnet (won't let us put =20
the same subnet router on 2 vlans), which is causing us some problems =20
at the moment -- but assigning an address for each subnet to the NP =20
server nic would solve this problem....thought, opinions?

Thanks,
Don

On Jun 21, 2005, at 1:46 PM, Jeff Murphy wrote:

>
>
>> I think we're leaning towards central servers, so the two VLANs from
>> each building would be directed back to the core, and the core ports
>> for the NP servers would be tagged with _all_ the VLANs, 10 in this
>> case. Things get a little fuzzy here -- those 10 VLANs would then
>> also have to be defined on each server, so that they could be members
>> of each VLAN, correct?
>>
>
> if you use 2 servers you'll either need to manually split the =20
> config in
> half or use a load balancer (e.g. www.linuxvirtualservers.org)
>
> in either case, you can use interfacecfg.pl to spit out the =20
> appropriate
> ifconfig commands to bring up all of the interfaces.
>
> then your server(s) will have 5-10 interfaces (depending on what =20
> sort of
> LB design you go with).
>
> we might need to examine interfacecfg.pl if you are doing a non-LVS
> deployment, as we've written it with the expectation that you are =20
> doing
> an LVS deployment.
>
> you eventually wind up with something like:
>
> % ip link
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 4: sit0: <NOARP> mtu 1480 qdisc noop
> 5: eth1.813: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 6: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 7: eth1.812: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 8: eth1.12: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>
>
>
> our production NP servers have ~53 interfaces (2 physical) configured.
>
> jeff
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. =
http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle =
Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & =
QA
Security * Process Improvement & Measurement * =
http://www.sqe.com/bsce5sf
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users

Re: [Netpass-users] Network Arch Opinions/Questions

[Don R. <don...@em...>]

..quick questions about the nic described below, with all the VLANs  
on it: does each vlan have it own subnet to it?? and does each subnet  
have an IP address on the NP server nic??

The reason I'm asking -- looks like there may be an issue on our core  
that we cannot assign a 2 vlans to the same subnet (won't let us put  
the same subnet router on 2 vlans), which is causing us some problems  
at the moment -- but assigning an address for each subnet to the NP  
server nic would solve this problem....thought, opinions?

Thanks,
Don

On Jun 21, 2005, at 1:46 PM, Jeff Murphy wrote:

>
>
>> I think we're leaning towards central servers, so the two VLANs from
>> each building would be directed back to the core, and the core ports
>> for the NP servers would be tagged with _all_ the VLANs, 10 in this
>> case. Things get a little fuzzy here -- those 10 VLANs would then
>> also have to be defined on each server, so that they could be members
>> of each VLAN, correct?
>>
>
> if you use 2 servers you'll either need to manually split the  
> config in
> half or use a load balancer (e.g. www.linuxvirtualservers.org)
>
> in either case, you can use interfacecfg.pl to spit out the  
> appropriate
> ifconfig commands to bring up all of the interfaces.
>
> then your server(s) will have 5-10 interfaces (depending on what  
> sort of
> LB design you go with).
>
> we might need to examine interfacecfg.pl if you are doing a non-LVS
> deployment, as we've written it with the expectation that you are  
> doing
> an LVS deployment.
>
> you eventually wind up with something like:
>
> % ip link
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 4: sit0: <NOARP> mtu 1480 qdisc noop
> 5: eth1.813: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 6: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 7: eth1.812: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 8: eth1.12: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>
>
>
> our production NP servers have ~53 interfaces (2 physical) configured.
>
> jeff
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>

[Netpass-users] doc draft1

[Jeff M. <jcm...@os...>]

i've uploaded a draft version of the doc to SF

https://sourceforge.net/project/showfiles.php?group_id=116014&package_id=125946

Re: [Netpass-users] RE: Cisco.pm errors?

[Jeff M. <jcm...@os...>]

>>line 282 read:
>>	my $cfg = new NetPass::Config('/opt/netpass/etc/netpass.conf');
>>I changed it to:
>>	my $cfg = new NetPass::Config(-db=>NetPass::DB);
>>
>>Does that sound right?
>>

no. i forgot that this code was in there. i changed it so it doesnt 
refer to netpass.conf which is no longer used. i checked an updated 
version into CVS.

i'm assuming that NU has already made the change since they haven't said 
anything to me about this...

>>After doing this I get another error.  I'm not sure if I this is related
>>to the change or if there are other issues.  Here's the error from the
>>client's browser:
>>
>>Can't locate object method "log" via package "SNMP::Device::Cisco" at
>>/opt/netpass/lib/SNMP/Device.pm line 73. 
>>I'll attach the full error report.  
>>By the way, is there something I need to do with Cisco.pm or the
>>configuration file to make it work with the 2950 model?


this is most likely caused by the "=> NetPass::DB" line above, which 
would've caused the module to not load due to incorrect syntax.


as for the 2950, i dont know. if it supports vlan'ing, trunking and 
looks (from the SNMP point of view) like the 35xx series, then the 
existing Cisco.pm should work.

i only have access to 35xx series equipment.

jeff

[Netpass-users] RE: Cisco.pm errors?

[Harding, T. <td...@sa...>]

When I access the netpass server via a browser on the server itself I get
the login screen.  I seem to be able to log in fine.

However, when I access the netpass server via a remote browser I get the
following error message:

error:  Can't locate object method "log" via package "SNMP::Device::Cisco"
at /opt/netpass/lib/SNMP/Device.pm line 73.
 
context:  ...   
69:   
70:  if($self->plugin) { 
71:  $class = $self->plugin;  
72:  bless $self, ref($class) || $class; 
73:  $self->log("SNMP::Device has changed to a " . ref($self) . "
object..."); 
74:  } 
75:   
76:  # call optional init function in the plugin 
77:  $self->init(); 
...   
 
code stack:  /opt/netpass/lib/SNMP/Device.pm:73
/opt/netpass/lib/NetPass.pm:534
/opt/netpass/lib/NetPass.pm:613
/opt/netpass/lib/NetPass.pm:503
/opt/netpass/lib/NetPass.pm:904
/opt/netpass/www/components/Client/Validate:30
/opt/netpass/www/htdocs/index.mhtml:28
/opt/netpass/www/htdocs/autohandler:33
 
	Any ideas?  Misconfigured switch?  misconfigured server?  Can anyone
help me figure out where I screwed up this time? :-(

	Thanks,
	Troy

>  -----Original Message-----
> From: 	Harding, Troy  
> Sent:	Friday, July 29, 2005 5:27 PM
> To:	'net...@li...'
> Subject:	Cisco.pm errors?
> 
> I'm back at it with NetPass.  I'm setting up a test environment using a
> single Cisco 2950 switch and a single netpass server.  I think I'm making
> some progress, but have some questions.
> 
> When accessing the netpass server via a browser on a remote machine I got
> the following error:
> error: 	no DB object specified at
> /opt/netpass/lib/SNMP/Device/Cisco.pm line 282 	
> 
> line 282 read:
> 	my $cfg = new NetPass::Config('/opt/netpass/etc/netpass.conf');
> I changed it to:
> 	my $cfg = new NetPass::Config(-db=>NetPass::DB);
> 
> Does that sound right?
> 
> After doing this I get another error.  I'm not sure if I this is related
> to the change or if there are other issues.  Here's the error from the
> client's browser:
> 
> Can't locate object method "log" via package "SNMP::Device::Cisco" at
> /opt/netpass/lib/SNMP/Device.pm line 73. 
> I'll attach the full error report.  
> By the way, is there something I need to do with Cisco.pm or the
> configuration file to make it work with the 2950 model?
> 
> Thanks,
> Troy
> 
>  << File: error2.htm >> 

[Netpass-users] Cisco.pm errors?

[Harding, T. <td...@sa...>]

I'm back at it with NetPass.  I'm setting up a test environment using a
single Cisco 2950 switch and a single netpass server.  I think I'm making
some progress, but have some questions.

When accessing the netpass server via a browser on a remote machine I got
the following error:
error: 	no DB object specified at /opt/netpass/lib/SNMP/Device/Cisco.pm line
282 	

line 282 read:
	my $cfg = new NetPass::Config('/opt/netpass/etc/netpass.conf');
I changed it to:
	my $cfg = new NetPass::Config(-db=>NetPass::DB);

Does that sound right?

After doing this I get another error.  I'm not sure if I this is related to
the change or if there are other issues.  Here's the error from the client's
browser:

Can't locate object method "log" via package "SNMP::Device::Cisco" at
/opt/netpass/lib/SNMP/Device.pm line 73. 
I'll attach the full error report.  
By the way, is there something I need to do with Cisco.pm or the
configuration file to make it work with the 2950 model?

Thanks,
Troy

 <<error2.htm>> 

RE: [Netpass-users] User authentication using IMAP server?

[Harding, T. <td...@sa...>]

Thanks! That's good to know.  We'll have to make sure we test it thoroughly
and have procedures in place to work around those situations.  

-----Original Message-----
From: net...@li...
[mailto:net...@li...]On Behalf Of Don Rugh
Sent: Thursday, July 21, 2005 12:33 PM
To: net...@li...
Subject: Re: [Netpass-users] User authentication using IMAP server?


Troy,

may not be relevant to your circumstances, but -- we use(d) NetReg  
here last year (still in place until NetPass is fully operational),  
and used Active Directory/Exchange to provide POP authentication. We  
have several dozen accounts which would not authenticate in this  
manner for some reason (thanks again, Mr. G) -- they needed to be  
registered with NetReg manually....

Regards,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

On Jul 21, 2005, at 12:25 PM, Harding, Troy wrote:

> Thanks.  Eventually we'll probably use LDAP for student  
> authentication.
> However, right now the entity that controls the LDAP server doesn't  
> want to
> allow outside apps to access it directly.  Thus, we have to do it  
> indirectly
> by using the mail server to authenticate.
>
>
> -----Original Message-----
> From: net...@li...
> [mailto:net...@li...]On Behalf Of  
> Rugh, Don
> Sent: Wednesday, July 20, 2005 5:49 PM
> To: net...@li...;
> net...@li...
> Subject: RE: [Netpass-users] User authentication using IMAP server?
>
>
> Troy,
>
> We have LDAP working (I still owe Jeff the module!!) -- if you are  
> going
> against AD, our LDAP module should work.
>
> Don Rugh
>
>
> -----Original Message-----
> From:    Harding, Troy [mailto:td...@sa...]
> Sent:    Wed 7/20/05 18:16
> To:    net...@li...
> Cc:
> Subject:    [Netpass-users] User authentication using IMAP server?
>
> Anyone tried using an IMAP server to authenticate users?  This  
> would work
> best for us.
>
> If this hasn't already been done, I might be able to hack together an
> IMAP.pm for authenication.  What else would need to be modified to  
> add a new
> authenication method?
>
> Thanks,
> Troy
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users

Re: [Netpass-users] User authentication using IMAP server?

[Don R. <don...@em...>]

Troy,

may not be relevant to your circumstances, but -- we use(d) NetReg =20
here last year (still in place until NetPass is fully operational), =20
and used Active Directory/Exchange to provide POP authentication. We =20
have several dozen accounts which would not authenticate in this =20
manner for some reason (thanks again, Mr. G) -- they needed to be =20
registered with NetReg manually....

Regards,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

On Jul 21, 2005, at 12:25 PM, Harding, Troy wrote:

> Thanks.  Eventually we'll probably use LDAP for student =20
> authentication.
> However, right now the entity that controls the LDAP server doesn't =20=

> want to
> allow outside apps to access it directly.  Thus, we have to do it =20
> indirectly
> by using the mail server to authenticate.
>
>
> -----Original Message-----
> From: net...@li...
> [mailto:net...@li...]On Behalf Of =20
> Rugh, Don
> Sent: Wednesday, July 20, 2005 5:49 PM
> To: net...@li...;
> net...@li...
> Subject: RE: [Netpass-users] User authentication using IMAP server?
>
>
> Troy,
>
> We have LDAP working (I still owe Jeff the module!!) -- if you are =20
> going
> against AD, our LDAP module should work.
>
> Don Rugh
>
>
> -----Original Message-----
> From:    Harding, Troy [mailto:td...@sa...]
> Sent:    Wed 7/20/05 18:16
> To:    net...@li...
> Cc:
> Subject:    [Netpass-users] User authentication using IMAP server?
>
> Anyone tried using an IMAP server to authenticate users?  This =20
> would work
> best for us.
>
> If this hasn't already been done, I might be able to hack together an
> IMAP.pm for authenication.  What else would need to be modified to =20
> add a new
> authenication method?
>
> Thanks,
> Troy
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dcli=
ck
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>
>
>
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id=16492&op=3Dclick
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>
>
> -------------------------------------------------------
> SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
> from IBM. Find simple to follow Roadmaps, straightforward articles,
> informative Webcasts and more! Get everything you need to get up to
> speed, fast. http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dcli=
ck
> _______________________________________________
> Netpass-users mailing list
> Net...@li...
> https://lists.sourceforge.net/lists/listinfo/netpass-users
>

RE: [Netpass-users] User authentication using IMAP server?

[Harding, T. <td...@sa...>]

Thanks.  Eventually we'll probably use LDAP for student authentication.
However, right now the entity that controls the LDAP server doesn't want to
allow outside apps to access it directly.  Thus, we have to do it indirectly
by using the mail server to authenticate.  


-----Original Message-----
From: net...@li...
[mailto:net...@li...]On Behalf Of Rugh, Don
Sent: Wednesday, July 20, 2005 5:49 PM
To: net...@li...;
net...@li...
Subject: RE: [Netpass-users] User authentication using IMAP server?


Troy,

We have LDAP working (I still owe Jeff the module!!) -- if you are going
against AD, our LDAP module should work.

Don Rugh


-----Original Message-----
From:	Harding, Troy [mailto:td...@sa...]
Sent:	Wed 7/20/05 18:16
To:	net...@li...
Cc:	
Subject:	[Netpass-users] User authentication using IMAP server?

Anyone tried using an IMAP server to authenticate users?  This would work
best for us.  

If this hasn't already been done, I might be able to hack together an
IMAP.pm for authenication.  What else would need to be modified to add a new
authenication method?

Thanks,
Troy


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users





-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users

RE: [Netpass-users] User authentication using IMAP server?

[Harding, T. <td...@sa...>]

Sounds good.  I'll add it to my list of things to do.  Thanks! 

-----Original Message-----
From: net...@li...
[mailto:net...@li...]On Behalf Of Jeff
Murphy
Sent: Wednesday, July 20, 2005 8:09 PM
To: net...@li...
Subject: Re: [Netpass-users] User authentication using IMAP server?


Harding, Troy wrote:

>Anyone tried using an IMAP server to authenticate users?  This would work
>best for us.  
>
>If this hasn't already been done, I might be able to hack together an
>IMAP.pm for authenication.  What else would need to be modified to add a
new
>authenication method?
>  
>


just the module. add it to the NetPass/Auth/ directory and change your 
auth method (you'll need use coconf and ciconf since the web ui wont 
know about your module) to use your module and it should "just work"

you might want to add a configuration section like <imap 
server:port>var1=foo</imap> and work that into Config.pm just to be 
thorough.

jeff



-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. http://ads.osdn.com/?ad_id=7477&alloc_id=16492&op=click
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users

Re: [Netpass-users] User authentication using IMAP server?

[Jeff M. <jcm...@os...>]

Harding, Troy wrote:

>Anyone tried using an IMAP server to authenticate users?  This would work
>best for us.  
>
>If this hasn't already been done, I might be able to hack together an
>IMAP.pm for authenication.  What else would need to be modified to add a new
>authenication method?
>  
>


just the module. add it to the NetPass/Auth/ directory and change your 
auth method (you'll need use coconf and ciconf since the web ui wont 
know about your module) to use your module and it should "just work"

you might want to add a configuration section like <imap 
server:port>var1=foo</imap> and work that into Config.pm just to be 
thorough.

jeff

RE: [Netpass-users] User authentication using IMAP server?

[Rugh, D. <don...@em...>]

Troy,

We have LDAP working (I still owe Jeff the module!!) -- if you are going =
against AD, our LDAP module should work.

Don Rugh


-----Original Message-----
From:	Harding, Troy [mailto:td...@sa...]
Sent:	Wed 7/20/05 18:16
To:	net...@li...
Cc:=09
Subject:	[Netpass-users] User authentication using IMAP server?

Anyone tried using an IMAP server to authenticate users?  This would =
work
best for us. =20

If this hasn't already been done, I might be able to hack together an
IMAP.pm for authenication.  What else would need to be modified to add a =
new
authenication method?

Thanks,
Troy


-------------------------------------------------------
SF.Net email is sponsored by: Discover Easy Linux Migration Strategies
from IBM. Find simple to follow Roadmaps, straightforward articles,
informative Webcasts and more! Get everything you need to get up to
speed, fast. =
http://ads.osdn.com/?ad_id=3D7477&alloc_id=3D16492&op=3Dclick
_______________________________________________
Netpass-users mailing list
Net...@li...
https://lists.sourceforge.net/lists/listinfo/netpass-users

[Netpass-users] User authentication using IMAP server?

[Harding, T. <td...@sa...>]

Anyone tried using an IMAP server to authenticate users?  This would work
best for us.  

If this hasn't already been done, I might be able to hack together an
IMAP.pm for authenication.  What else would need to be modified to add a new
authenication method?

Thanks,
Troy

RE: [Netpass-users] Apache error

[Harding, T. <td...@sa...>]

Yes, I'm using FC3.  Thanks!	

-----Original Message-----
From: net...@li...
[mailto:net...@li...]On Behalf Of Jeff
Murphy
Sent: Friday, July 15, 2005 12:36 PM
To: net...@li...
Subject: RE: [Netpass-users] Apache error


On Fri, 2005-07-15 at 12:27 -0500, Harding, Troy wrote:
> Yes, the symlink is there.
> 
> No, startup.pl does not exist in that directory or anywhere else on the
> system.

oops. looks like we omitted it from the FC3 apache package. i'm guessing
that's what you're using? i attached the file for you, drop it into your
apache/conf dir. we'll fix up the FC3/apache binary package.

jeff