netpass-users Mailing List for NetPass (Page 4)
Brought to you by: jeffmurphy
From: Jeff M. <jcm...@os...> - 2005-07-15 17:36:16
On Fri, 2005-07-15 at 12:27 -0500, Harding, Troy wrote:
> Yes, the symlink is there.
>
> No, startup.pl does not exist in that directory or anywhere else on the
> system.

oops. looks like we omitted it from the FC3 apache package. i'm guessing
that's what you're using? i attached the file for you, drop it into your
apache/conf dir. we'll fix up the FC3/apache binary package.

jeff
From: Harding, T. <td...@sa...> - 2005-07-15 17:27:33
Yes, the symlink is there.

No, startup.pl does not exist in that directory or anywhere else on the
system.

-----Original Message-----
From: net...@li... [mailto:net...@li...] On Behalf Of Jeff Murphy
Sent: Friday, July 15, 2005 10:34 AM
To: net...@li...
Subject: Re: [Netpass-users] Apache error

is the /opt/apache symlink in place?

ls -l /opt/apache/conf/startup.pl

does that exist?

jeff
From: Jeff M. <jcm...@os...> - 2005-07-15 15:33:58
is the /opt/apache symlink in place?

ls -l /opt/apache/conf/startup.pl

does that exist?

jeff
From: Harding, T. <td...@sa...> - 2005-07-14 22:26:42
After install of NetPass it appears that apache isn't running. I tried
starting it with the apache start command and got the following error
message. Any suggestions?

[root@netpass init.d]# ./apache start
web daemon starting.
[Thu Jul 14 16:17:45 2005] [error] Can't locate /opt/apache/conf/startup.pl in @INC (@INC contains: /opt/perl-5.8.6/lib/5.8.6/i686-linux /opt/perl-5.8.6/lib/5.8.6 /opt/perl-5.8.6/lib/site_perl/5.8.6/i686-linux /opt/perl-5.8.6/lib/site_perl/5.8.6 /opt/perl-5.8.6/lib/site_perl . /opt/apache/ /opt/apache/lib/perl) at (eval 48) line 1.\n
Syntax error on line 315 of /opt/apache/conf/httpd.conf:
Can't locate /opt/apache/conf/startup.pl in @INC (@INC contains: /opt/perl-5.8.6/lib/5.8.6/i686-linux /opt/perl-5.8.6/lib/5.8.6 /opt/perl-5.8.6/lib/site_perl/5.8.6/i686-linux /opt/perl-5.8.6/lib/site_perl/5.8.6 /opt/perl-5.8.6/lib/site_perl . /opt/apache/ /opt/apache/lib/perl) at (eval 48) line 1.
From: Jeff M. <jcm...@os...> - 2005-07-08 18:19:40
i posted the patch and np-snort perl module to SF.

jeff

On Fri, 2005-07-08 at 11:47 -0500, Harding, Troy wrote:
> I'm following the NetPass installation guide. I'm currently trying to
> install and configure Snort, section 2c in the installation guide. Step
> 2c.15 says to download snort-2.3.3-vlan.patch. Where do I download it
> from?
>
> Likewise, step 2c.22 says to download NetPass-Snort-0.01.tar.gz. Is that
> file in the same place as the patch?
>
> Thanks,
> Troy
From: Harding, T. <td...@sa...> - 2005-07-08 16:48:13
I'm following the NetPass installation guide. I'm currently trying to
install and configure Snort, section 2c in the installation guide. Step
2c.15 says to download snort-2.3.3-vlan.patch. Where do I download it
from?

Likewise, step 2c.22 says to download NetPass-Snort-0.01.tar.gz. Is that
file in the same place as the patch?

Thanks,
Troy
From: Jeff M. <jcm...@os...> - 2005-06-21 18:40:58
On Tue, 2005-06-21 at 10:48 -0400, Don Rugh wrote:
> A configuration query --
>
> How many Nessus test scripts do NetPass admins typically run against
> client machines? Most of the 8000+? half? 80? as many as you can in
> two minutes? only those which have custom messages defined in NetPass?
> What basis is used to determine which ones are used?

to avoid irking the students, we keep it to a small set. originally
around 40 during fall'04. we trimmed it to 17 in spring'05. we just try
to hit the ones that cause us the most problems.

we recognize that nessus doesn't have much value in the long run because
of personal firewalls (we don't issue instructions that students open
holes for the netpass server to scan via) so we are going to be relying
on passive monitoring (snort) with auto-quarantining to catch what
nessus can't.

jeff
From: Don R. <don...@em...> - 2005-06-21 18:34:44
A configuration query --

How many Nessus test scripts do NetPass admins typically run against
client machines? Most of the 8000+? half? 80? as many as you can in
two minutes? only those which have custom messages defined in NetPass?
What basis is used to determine which ones are used?

Just curious to find out......

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Jeff M. <jcm...@os...> - 2005-06-21 18:03:15
On Tue, 2005-06-21 at 13:56 -0400, Don Rugh wrote:
> In this case, I'm thinking of running either MySQL Cluster or master-
> slave replication,

we ran (and are still running until we upgrade in a couple of weeks)
mysql replication. it's worked reliably. the doc all references Cluster
because that's the easiest way to scale to more than 2 servers.

here's some doc on M/S and M/M configurations....

Setup Mysql Replication (Master/Slave)

Note: Master = npw1.cit.buffalo.edu and Slave = npw2.cit.buffalo.edu

1. Add the following line to /etc/my.cnf on npw1 right under [mysqld]

     log-bin

2. Optionally you can add the following line to my.cnf on npw1 to
   exclude databases from being replicated

     binlog-ignore-db = database_name

3. Start mysqld on npw1.

4. Create an account on npw1 called repl and grant that user replication
   privileges

     mysql> GRANT REPLICATION SLAVE ON *.*
         -> TO 'repl'@'%.mydomain.com' IDENTIFIED BY 'password';

5. Run the following cmd on npw1

     mysql> FLUSH TABLES WITH READ LOCK;

6. Run the following cmd on npw1, and record the logfile name and logfile
   position

     mysql> SHOW MASTER STATUS

7. On npw1 in a separate terminal do a mysqldump of the databases you
   wish to replicate, then copy the files over to npw2. Don't exit out of
   the mysql session where the READ LOCK cmd was issued because the lock
   will be released.

8. Release the READ LOCK on npw1

     mysql> UNLOCK TABLES;

9. Start mysqld on npw2

10. Restore the databases from the dump file on npw2

11. Shutdown mysqld server on npw2

12. Add the following lines to /etc/my.cnf right under [mysqld], on npw2

     master-host = npw1.cit.buffalo.edu
     master-user = repl
     master-password = password
     master-port = 3306

13. Start the mysqld server on npw2

14. Run the following cmd on npw2 to tell mysql what logfile and what
    position in the logfile to start replicating from. The logfile name
    and logfile position were obtained in a prior step by running the
    "SHOW MASTER STATUS" command on npw1.

     mysql> CHANGE MASTER TO MASTER_LOG_FILE='recorded_log_file_name',
            MASTER_LOG_POS='recorded_log_position'

15. Stop and Start the slave mysql server on npw2

     mysql> SLAVE STOP;
     mysql> SLAVE START;

16. Test and make sure it works

Setup Mysql Replication (Master/Master)

Note: The following procedure assumes that the slave mysql server is a
fresh install without any entries having been made in the database.

Note: Master = npw1.cit.buffalo.edu and Slave (2nd Master server) =
npw2.cit.buffalo.edu

1. Do all the steps in the previous section "Setup Mysql Replication
   (Master/Slave)"

2. Shutdown mysql on npw2 and add the following line under [mysqld] in
   /etc/my.cnf

     log-bin

3. Start mysqld on npw2

4. Create an account on npw2 called repl and grant that user replication
   privileges

     mysql> GRANT REPLICATION SLAVE ON *.*
         -> TO 'repl'@'%.mydomain.com' IDENTIFIED BY 'password';

5. Run the following cmd on npw2, and record the logfile name and logfile
   position

     mysql> SHOW MASTER STATUS

6. Shutdown mysqld on npw1

7. Add the following lines to /etc/my.cnf right under [mysqld], on npw1

     master-host = npw2.cit.buffalo.edu
     master-user = repl
     master-password = password
     master-port = 3306

8. Start mysqld on npw1

9. Run the following cmd on npw1 to tell mysql what logfile and what
   position in the logfile to start replicating from. The logfile name
   and logfile position were obtained in a prior step by running the
   "SHOW MASTER STATUS" command on npw2.

     mysql> CHANGE MASTER TO MASTER_LOG_FILE='recorded_log_file_name',
            MASTER_LOG_POS='recorded_log_position'

10. Stop and Start the slave mysql server on npw1

     mysql> SLAVE STOP;
     mysql> SLAVE START;

11. Test and make sure it works
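Editor's note: step 16 ("test and make sure it works") is where a replication setup usually goes wrong quietly, because a slave whose SQL thread has stopped on an error still answers queries with stale data. The Python below is an added example, not code from the NetPass project or the poster: it parses the output of the two statements the procedure uses, builds the CHANGE MASTER TO for step 14 from the recorded coordinates (MASTER_LOG_POS is numeric, so it is emitted unquoted), and checks a SHOW SLAVE STATUS record the way a monitoring script would. The binlog name, position and error text in the samples are constructed. One caveat on step 4: the grant in the procedure is to 'repl'@'%.mydomain.com' with a literal password that also lands in my.cnf; on the servers this actually runs on, narrow the host part of that grant to the replication peer and keep my.cnf unreadable to other users.

```python
import re

# Constructed sample of what "SHOW MASTER STATUS" prints on npw1 (steps 6 and
# 14 above). File name and position are made up for this example.
MASTER_STATUS = """\
+------------------+----------+--------------+------------------+
| File             | Position | Binlog_Do_DB | Binlog_Ignore_DB |
+------------------+----------+--------------+------------------+
| npw1-bin.000012  |    98417 |              | mysql            |
+------------------+----------+--------------+------------------+
"""

# Constructed sample of "SHOW SLAVE STATUS\G" on npw2 after step 15. The IO
# thread is fine but the SQL thread has stopped on an error; an eyeball
# check that "the slave is up" tends to miss exactly this case.
SLAVE_STATUS = """\
*************************** 1. row ***************************
             Master_Host: npw1.cit.buffalo.edu
             Master_User: repl
             Master_Port: 3306
         Master_Log_File: npw1-bin.000012
     Read_Master_Log_Pos: 98417
        Slave_IO_Running: Yes
       Slave_SQL_Running: No
              Last_Errno: 1062
              Last_Error: Error 'Duplicate entry' on query (constructed)
     Exec_Master_Log_Pos: 97105
   Seconds_Behind_Master: NULL
"""


def parse_master_status(text):
    """Parse the tabular SHOW MASTER STATUS output into (log_file, log_pos)."""
    rows = [line for line in text.splitlines() if line.startswith('|')]
    if len(rows) < 2:
        raise ValueError('no master status row: is log-bin set on this server?')
    header = [c.strip() for c in rows[0].strip('|').split('|')]
    values = [c.strip() for c in rows[1].strip('|').split('|')]
    rec = dict(zip(header, values))
    return rec['File'], int(rec['Position'])


def change_master_statement(log_file, log_pos):
    """The statement for step 14, built from the recorded coordinates."""
    return ("CHANGE MASTER TO MASTER_LOG_FILE='%s', MASTER_LOG_POS=%d;"
            % (log_file, log_pos))


def parse_slave_status(text):
    r"""Parse the vertical (\G) SHOW SLAVE STATUS output into a dict."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]+):\s?(.*)$', line)
        if m:
            rec[m.group(1)] = m.group(2).strip()
    return rec


def replication_check(slave, master_file, master_pos):
    """Step 16 as a check: both threads running, slave reading the binlog the
    master is writing, nothing read but not yet executed. Returns (ok, problems)."""
    problems = []
    if slave.get('Slave_IO_Running') != 'Yes':
        problems.append('IO thread not running (master unreachable or bad repl credentials)')
    if slave.get('Slave_SQL_Running') != 'Yes':
        problems.append('SQL thread not running: errno %s %s'
                        % (slave.get('Last_Errno', '?'), slave.get('Last_Error', '')))
    if slave.get('Master_Log_File') != master_file:
        problems.append('slave reading %s but master writing %s'
                        % (slave.get('Master_Log_File'), master_file))
    else:
        read_pos = int(slave.get('Read_Master_Log_Pos', 0))
        exec_pos = int(slave.get('Exec_Master_Log_Pos', 0))
        if read_pos < master_pos:
            problems.append('IO thread behind: read %d of %d' % (read_pos, master_pos))
        if exec_pos < read_pos:
            problems.append('SQL thread behind: executed %d of %d read' % (exec_pos, read_pos))
    return (not problems), problems


if __name__ == '__main__':
    log_file, log_pos = parse_master_status(MASTER_STATUS)
    print(change_master_statement(log_file, log_pos))
    ok, problems = replication_check(parse_slave_status(SLAVE_STATUS), log_file, log_pos)
    print('replication ok' if ok else 'replication BROKEN:\n  ' + '\n  '.join(problems))
```

Run the check from cron against the real output of `mysql -e 'SHOW MASTER STATUS'` on the master and `mysql -e 'SHOW SLAVE STATUS\G'` on the slave; for the master/master variant run it in both directions.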
From: Jeff M. <jcm...@os...> - 2005-06-21 17:58:09
btw, julian (northwestern) and i will be at acuta next month presenting
netpass. just in case anyone was in the neighborhood and wanted to talk
in person.

jeff

acuta url: http://tinyurl.com/apdlf#1507
From: Don R. <don...@em...> - 2005-06-21 17:56:41
We're only servicing ~1000 resident student users in a small geographic
location (plus we may add the remainder of campus in Phase II, total of
around 1500), so I'm looking at two servers more for redundancy rather
than LB. You guys have a much higher number of users.

In this case, I'm thinking of running either MySQL Cluster or master-
slave replication, and using the built-in IP failover capabilities of
Mac OS X Server to provide "hot" backup if the primary server fails....may
also shed some Nessus or Snort scans to the backup server while it's
doing nothing.

Don

On Jun 21, 2005, at 1:46 PM, Jeff Murphy wrote:

>> I think we're leaning towards central servers, so the two VLANs from
>> each building would be directed back to the core, and the core ports
>> for the NP servers would be tagged with _all_ the VLANs, 10 in this
>> case. Things get a little fuzzy here -- those 10 VLANs would then
>> also have to be defined on each server, so that they could be members
>> of each VLAN, correct?
>
> if you use 2 servers you'll either need to manually split the config in
> half or use a load balancer (e.g. www.linuxvirtualservers.org)
>
> in either case, you can use interfacecfg.pl to spit out the appropriate
> ifconfig commands to bring up all of the interfaces.
>
> then your server(s) will have 5-10 interfaces (depending on what sort of
> LB design you go with).
>
> we might need to examine interfacecfg.pl if you are doing a non-LVS
> deployment, as we've written it with the expectation that you are doing
> an LVS deployment.
>
> you eventually wind up with something like:
>
> % ip link
> 1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
> 2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
> 4: sit0: <NOARP> mtu 1480 qdisc noop
> 5: eth1.813: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 6: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 7: eth1.812: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
> 8: eth1.12: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
>
> our production NP servers have ~53 interfaces (2 physical) configured.
>
> jeff
From: Jeff M. <jcm...@os...> - 2005-06-21 17:46:35
> I think we're leaning towards central servers, so the two VLANs from
> each building would be directed back to the core, and the core ports
> for the NP servers would be tagged with _all_ the VLANs, 10 in this
> case. Things get a little fuzzy here -- those 10 VLANs would then
> also have to be defined on each server, so that they could be members
> of each VLAN, correct?

if you use 2 servers you'll either need to manually split the config in
half or use a load balancer (e.g. www.linuxvirtualservers.org)

in either case, you can use interfacecfg.pl to spit out the appropriate
ifconfig commands to bring up all of the interfaces.

then your server(s) will have 5-10 interfaces (depending on what sort of
LB design you go with).

we might need to examine interfacecfg.pl if you are doing a non-LVS
deployment, as we've written it with the expectation that you are doing
an LVS deployment.

you eventually wind up with something like:

% ip link
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
4: sit0: <NOARP> mtu 1480 qdisc noop
5: eth1.813: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
6: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
7: eth1.812: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
8: eth1.12: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue

our production NP servers have ~53 interfaces (2 physical) configured.

jeff
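Editor's note: the message above describes the interface layout (one tagged sub-interface per VLAN on the resnet trunk, addressed only on the quarantine side) and the earlier thread in this archive describes the iptables interception of HTTP from quarantined clients. The Python below is an added example, not the project's interfacecfg.pl and not code from the poster: it derives the per-VLAN iproute2 commands and the NAT rules from a VLAN plan, and checks an `ip link` listing against that plan so a missing sub-interface is caught before clients hit it. Assumptions, all labelled in the code: `ip link add ... type vlan` is used in place of whatever ifconfig/vconfig syntax the project's script emits; squid listens on 3128; the VLAN pairs 100/800 and 101/801 and the 128.205.x addresses are the thread's own examples, 12/812 and 13/813 match its `ip link` listing. The GARP step that makes the NetPass server the quarantine gateway is not modelled.

```python
import re

TRUNK = 'eth1'               # resnet-facing trunk in the thread's examples
SQUID_PORT = 3128            # assumption: squid's default http_port on the NetPass server
NETPASS_ETH0 = '128.205.1.26'  # routable address from the thread's ifconfig listing

# Constructed VLAN plan in the shape the thread describes: per resnet subnet
# an unquarantined VLAN (left unaddressed on the NetPass server) and a
# quarantine VLAN whose gateway address on the server duplicates the
# address of the real router on the core.
VLAN_PLAN = [
    # (unquar vlan, quar vlan, quarantine gateway/prefix on the NetPass server)
    (100, 800, '128.205.100.254/24'),
    (101, 801, '128.205.101.254/24'),
]


def interface_commands(plan, trunk=TRUNK):
    """Emit one tagged sub-interface per VLAN (the job interfacecfg.pl does),
    with an address on the quarantine side only."""
    cmds = []
    for unq, quar, gw in plan:
        for vid in (unq, quar):
            cmds.append('ip link add link %s name %s.%d type vlan id %d' % (trunk, trunk, vid, vid))
            cmds.append('ip link set %s.%d up' % (trunk, vid))
        # the unquar sub-interface stays at 0.0.0.0 but must exist (see the thread)
        cmds.append('ip addr add %s dev %s.%d' % (gw, trunk, quar))
    return cmds


def intercept_rules(plan, trunk=TRUNK, squid_port=SQUID_PORT, local_addrs=(NETPASS_ETH0,)):
    """NAT rules for the scenario's steps 9-15: HTTP arriving on a quarantine
    VLAN is redirected to the local squid unless it is addressed to the
    NetPass server itself, so the registration pages are served directly."""
    rules = []
    for _unq, quar, gw in plan:
        dev = '%s.%d' % (trunk, quar)
        for addr in list(local_addrs) + [gw.split('/')[0]]:
            rules.append('iptables -t nat -A PREROUTING -i %s -d %s -p tcp --dport 80 -j ACCEPT'
                         % (dev, addr))
        rules.append('iptables -t nat -A PREROUTING -i %s -p tcp --dport 80 -j REDIRECT --to-ports %d'
                     % (dev, squid_port))
    return rules


# Constructed copy of the thread's "ip link" listing with eth1.12 left out,
# to show what the check below catches.
IP_LINK_OUTPUT = """\
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
4: sit0: <NOARP> mtu 1480 qdisc noop
5: eth1.813: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
6: eth1.13: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
7: eth1.812: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue
"""


def missing_vlan_interfaces(ip_link_text, plan, trunk=TRUNK):
    """Return the planned sub-interfaces that are absent or not UP in an
    "ip link" listing. An unaddressed unquar sub-interface is the one most
    easily forgotten, and the thread says it is still required."""
    up = set()
    for line in ip_link_text.splitlines():
        m = re.match(r'\d+:\s+(\S+):\s+<([^>]*)>', line)
        if m and 'UP' in m.group(2).split(','):
            up.add(m.group(1))
    expected = ['%s.%d' % (trunk, v) for unq, quar, _gw in plan for v in (unq, quar)]
    return [name for name in expected if name not in up]


if __name__ == '__main__':
    print('\n'.join(interface_commands(VLAN_PLAN)))
    print('\n'.join(intercept_rules(VLAN_PLAN)))
    listed_plan = [(12, 812, '10.0.12.254/24'), (13, 813, '10.0.13.254/24')]  # constructed
    print('missing:', missing_vlan_interfaces(IP_LINK_OUTPUT, listed_plan))
```

The generated commands need root and a trunk that actually carries the tagged VLANs; run `missing_vlan_interfaces` against live `ip link` output after bringing the interfaces up, and again from a periodic check, since a sub-interface that disappears after a reboot silently takes a whole building's quarantine VLAN with it.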
From: Don R. <don...@em...> - 2005-06-21 17:32:35
This is a great explanation of how all the parts & pieces work together
-- would be nice to have this find its way at some point into the
documentation for the project!

I think we're leaning towards central servers, so the two VLANs from
each building would be directed back to the core, and the core ports
for the NP servers would be tagged with _all_ the VLANs, 10 in this
case. Things get a little fuzzy here -- those 10 VLANs would then also
have to be defined on each server, so that they could be members of each
VLAN, correct? (since there is only _one_ default VLAN on the core port
for untagged traffic) Or am I making this more complicated than it needs
to be?

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...

On Jun 17, 2005, at 3:59 PM, Jeff Murphy wrote:

> On Fri, 2005-06-17 at 15:17 -0400, Don Rugh wrote:
>
>> Looking for some opinions on exactly how to roll NetPass out:
>>
>> Present Configuration
>> - Each of 5 residence halls is on its own subnet and VLAN
>> - Switch closets in each RH collapse back into a L3 aggregation switch
>>   before traveling back to the core via 1GB fiber
>>
>> Possible Configurations
>> - Each building has its own NetPass/DNS/DHCP servers, so QVLAN never
>>   leaves the building
>>   - Could "lose" a building if a single unit fails
>> vs.
>> - 2 HA campus-wide servers
>>   - would have to tag QVLAN back thru core to allow DNS/DHCP access ==>
>>     or are these supposed to be routed thru the NP server(s)??
>
> we do the latter. in either case you really only need your central
> DNS/DHCP servers. you don't need, even in the former case, separate
> dhcp/dns servers per-building.
>
>> Still a little fuzzy on exactly how to roll this out...any help/advice
>> would be appreciated.
>
> here's a typical scenario:
>
> 1) client offline, port is quarantined
> 2) client boots
> 3) sends out dhcpdiscover
> 4) netpass relays the dhcp pkt to your central server
>    (/etc/sysconfig/dhrelay [1])
> 5) central server replies to pkt src addr (hopefully [2])
> 6) dhcp transaction proceeds thru various stages
> 7) client acquires address
> 8) client opens web browser, goes to www.msn.com
> 9) netpass server intercepts (iptables)
> 10) redirects to squid
> 11) squid consults url list
> 12) www.msn.com not on approved list
> 13) squid sends http redirect to client sending them to
>     netpass.whatever.edu
> 14) client requests that page
> 15) since that page is on the local server, iptables doesn't redirect
>     to squid, allows connect to local machine
> 16) apache picks it up
> 17) scan,reg happens
> 18) netpass moves client port to 'unquar' vlan
> 19) client's traffic flows thru 'normal' network path (not thru
>     netpass server)
>
> so, assuming you want to netpass-enable port 1 on [edge sw]:
>
> [edge sw]----[bldg sw]----[core l3]
>
> to implement it per-building, you would:
>
> 1) configure [edge sw] so that both vlans (e.g. 100 and 200, unquar and
>    quar respectively) are available
> 2) configure [bldg sw] likewise.
> 3) configure the uplink from edge to bldg as a trunk/tagged port and add
>    both vlans to it.
> 4) configure edge port 1 into vlan 200 (initial state)
> 5) hang netpass server off of one of the ports on bldg sw and configure
>    /that/ port as a trunked port with both vlans on it.
> 6) configure the uplink from bldg to core with just vlan 100.
>
> at this point, vlan 100 (unq) has a path from the edge port to the core.
> if port 1 is in vlan 100, plugging in a client should work as normal. if
> the port is moved to vlan 200 (manually), then there is no path out of
> the building. the netpass server is lurking on that vlan.
>
> 7) configure netpass and start "garp" (/etc/init.d/garpctl start)
>
> at this point, the netpass server starts emitting ARP packets so that
> clients in the quar vlan will see it as the new gateway (same IP as the
> gateway on [core] but with a new mac address). with cisco 65xx, you
> don't need to do this, but in other environments, GARPs are needed.
>
> 8) configure dhrelay and restart that service[1]
> 9) plug in the client
>
> at this point client should get an address. if it does not, your DHCP
> server is probably experiencing the problem discussed below[2]
>
> 10) open web browser, client should see netpass welcome.
>
> for a central deployment, you'd trunk the two vlans back to a single
> location and probably use HA to ensure availability and scalability.
>
> jeff
>
> [1] i think this is not documented, or poorly. dhcrelay looks something
>     like:
>
>     # Command line options here
>     INTERFACES="eth0 eth1.812 eth1.813"
>     DHCPSERVERS="128.205.1.32 128.205.1.33"
>
>     you probably have to do that by hand and restart that service. the
>     install script and/or web UI doesn't configure it for you.
>
> [2] http://marc.theaimsgroup.com/?l=dhcp-server&m=108558416803846&w=2
>     ISC DHCP, out of the box, replies to the giaddr and not the pkt
>     source addr, so the reply gets routed away from the netpass server
>     and the client can't get an address. a patch has been submitted to
>     ISC for inclusion into a future release of DHCPD. the patch is
>     posted to SF. YMMV with other DHCP servers.
From: Jeff M. <jcm...@os...> - 2005-06-17 19:59:14
On Fri, 2005-06-17 at 15:17 -0400, Don Rugh wrote:
> Looking for some opinions on exactly how to roll NetPass out:
>
> Present Configuration
> - Each of 5 residence halls is on its own subnet and VLAN
> - Switch closets in each RH collapse back into a L3 aggregation switch
>   before traveling back to the core via 1GB fiber
>
> Possible Configurations
> - Each building has its own NetPass/DNS/DHCP servers, so QVLAN never
>   leaves the building
>   - Could "lose" a building if a single unit fails
> vs.
> - 2 HA campus-wide servers
>   - would have to tag QVLAN back thru core to allow DNS/DHCP access ==>
>     or are these supposed to be routed thru the NP server(s)??

we do the latter. in either case you really only need your central
DNS/DHCP servers. you don't need, even in the former case, separate
dhcp/dns servers per-building.

> Still a little fuzzy on exactly how to roll this out...any help/advice
> would be appreciated.

here's a typical scenario:

1) client offline, port is quarantined
2) client boots
3) sends out dhcpdiscover
4) netpass relays the dhcp pkt to your central server
   (/etc/sysconfig/dhrelay [1])
5) central server replies to pkt src addr (hopefully [2])
6) dhcp transaction proceeds thru various stages
7) client acquires address
8) client opens web browser, goes to www.msn.com
9) netpass server intercepts (iptables)
10) redirects to squid
11) squid consults url list
12) www.msn.com not on approved list
13) squid sends http redirect to client sending them to
    netpass.whatever.edu
14) client requests that page
15) since that page is on the local server, iptables doesn't redirect
    to squid, allows connect to local machine
16) apache picks it up
17) scan,reg happens
18) netpass moves client port to 'unquar' vlan
19) client's traffic flows thru 'normal' network path (not thru
    netpass server)

so, assuming you want to netpass-enable port 1 on [edge sw]:

[edge sw]----[bldg sw]----[core l3]

to implement it per-building, you would:

1) configure [edge sw] so that both vlans (e.g. 100 and 200, unquar and
   quar respectively) are available
2) configure [bldg sw] likewise.
3) configure the uplink from edge to bldg as a trunk/tagged port and add
   both vlans to it.
4) configure edge port 1 into vlan 200 (initial state)
5) hang netpass server off of one of the ports on bldg sw and configure
   /that/ port as a trunked port with both vlans on it.
6) configure the uplink from bldg to core with just vlan 100.

at this point, vlan 100 (unq) has a path from the edge port to the core.
if port 1 is in vlan 100, plugging in a client should work as normal. if
the port is moved to vlan 200 (manually), then there is no path out of
the building. the netpass server is lurking on that vlan.

7) configure netpass and start "garp" (/etc/init.d/garpctl start)

at this point, the netpass server starts emitting ARP packets so that
clients in the quar vlan will see it as the new gateway (same IP as the
gateway on [core] but with a new mac address). with cisco 65xx, you
don't need to do this, but in other environments, GARPs are needed.

8) configure dhrelay and restart that service[1]
9) plug in the client

at this point client should get an address. if it does not, your DHCP
server is probably experiencing the problem discussed below[2]

10) open web browser, client should see netpass welcome.

for a central deployment, you'd trunk the two vlans back to a single
location and probably use HA to ensure availability and scalability.

jeff

[1] i think this is not documented, or poorly. dhcrelay looks something
    like:

    # Command line options here
    INTERFACES="eth0 eth1.812 eth1.813"
    DHCPSERVERS="128.205.1.32 128.205.1.33"

    you probably have to do that by hand and restart that service. the
    install script and/or web UI doesn't configure it for you.

[2] http://marc.theaimsgroup.com/?l=dhcp-server&m=108558416803846&w=2
    ISC DHCP, out of the box, replies to the giaddr and not the pkt
    source addr, so the reply gets routed away from the netpass server
    and the client can't get an address. a patch has been submitted to
    ISC for inclusion into a future release of DHCPD. the patch is
    posted to SF. YMMV with other DHCP servers.
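Editor's note on steps 3-5 and footnote [2] above. The reason the stock ISC reply "gets routed away" is that dhcrelay stamps giaddr with the address of the quarantine interface it heard the request on, and that address is deliberately the same one the real router on the core owns; a reply sent to giaddr therefore reaches the router, not the NetPass server, while the relayed datagram itself left from the server's routable eth0 address. The Python below is an added example, not code from the project or the poster: it builds a DHCPDISCOVER, applies the relay step, parses the result and shows where the two server behaviours send the BOOTREPLY. The client MAC and transaction id are constructed; 128.205.1.26 and 128.205.100.254 are the eth0 and eth1.800 addresses from the thread's ifconfig example.

```python
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b'\x63\x82\x53\x63'
# Fixed 236-byte BOOTP header (RFC 2131): op, htype, hlen, hops, xid, secs,
# flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
_HDR = '!BBBBIHH4s4s4s4s16s64s128s'

# From the thread's ifconfig example: eth0 is the NetPass server's routable
# address, eth1.800 carries the quarantine VLAN's gateway address, which is
# also the address of the real router on the core.
NETPASS_ETH0 = '128.205.1.26'
QUAR_GATEWAY = '128.205.100.254'


def build_bootp(op, xid, chaddr, giaddr='0.0.0.0', yiaddr='0.0.0.0', hops=0, options=b''):
    """Assemble a minimal BOOTP/DHCP packet: header, magic cookie, options, end."""
    hdr = struct.pack(_HDR, op, 1, 6, hops, xid, 0, 0,
                      socket.inet_aton('0.0.0.0'),        # ciaddr
                      socket.inet_aton(yiaddr),
                      socket.inet_aton('0.0.0.0'),        # siaddr
                      socket.inet_aton(giaddr),
                      chaddr.ljust(16, b'\x00'), b'\x00' * 64, b'\x00' * 128)
    return hdr + DHCP_MAGIC + options + b'\xff'


def parse_bootp(pkt):
    """Decode the fields this example cares about from a DHCP packet."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError('not a DHCP packet')
    f = struct.unpack(_HDR, pkt[:236])
    return {'op': f[0], 'hops': f[3], 'xid': f[4],
            'ciaddr': socket.inet_ntoa(f[7]), 'yiaddr': socket.inet_ntoa(f[8]),
            'siaddr': socket.inet_ntoa(f[9]), 'giaddr': socket.inet_ntoa(f[10]),
            'chaddr': f[11][:f[2]].hex()}


def relay_request(pkt, relay_addr):
    """Step 4: what dhcrelay on the NetPass server does with a request heard
    on a quarantine VLAN. giaddr is set to the receiving interface's address
    (only by the first relay hop), hops is incremented, and the datagram is
    forwarded to the central server from the server's routable address."""
    f = parse_bootp(pkt)
    if f['op'] != BOOTREQUEST:
        raise ValueError('only client requests are relayed')
    out = bytearray(pkt)
    if f['giaddr'] == '0.0.0.0':
        out[24:28] = socket.inet_aton(relay_addr)   # giaddr sits at offset 24
    out[3] = f['hops'] + 1
    return bytes(out)


def reply_destination(relayed_request, udp_src, reply_to_source):
    """Step 5: where the central server addresses its BOOTREPLY.
    reply_to_source=False is the stock ISC behaviour from [2]: the reply goes
    to giaddr, i.e. to the core router that owns that address, and never
    reaches the NetPass server. reply_to_source=True is the patched
    behaviour: the reply goes back to the datagram's UDP source, the server."""
    f = parse_bootp(relayed_request)
    if f['giaddr'] == '0.0.0.0':
        return None        # not relayed; the server answers on its own link
    return udp_src if reply_to_source else f['giaddr']


def demo():
    """Walk steps 3-5 with a constructed DHCPDISCOVER; returns
    (giaddr after relay, hops after relay, stock reply dest, patched reply dest)."""
    mac = bytes.fromhex('000a1b2c3d4e')                   # constructed client MAC
    discover = build_bootp(BOOTREQUEST, 0x3903f326, mac,
                           options=b'\x35\x01\x01')       # option 53 = DHCPDISCOVER
    relayed = relay_request(discover, QUAR_GATEWAY)
    f = parse_bootp(relayed)
    return (f['giaddr'], f['hops'],
            reply_destination(relayed, NETPASS_ETH0, reply_to_source=False),
            reply_destination(relayed, NETPASS_ETH0, reply_to_source=True))


if __name__ == '__main__':
    giaddr, hops, stock, patched = demo()
    print('relayed with giaddr=%s hops=%d' % (giaddr, hops))
    print('stock ISC replies to   %s  (the core router)' % stock)
    print('patched ISC replies to %s  (the NetPass server)' % patched)
```

If the client never gets an address (step 9 above), capture on the server's eth0 with `tcpdump -ni eth0 port 67`: you should see the relayed request leave and, with a patched or otherwise source-replying server, the offer come back to that same address. Seeing the request but no reply on eth0 is the symptom footnote [2] describes.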
From: Don R. <don...@em...> - 2005-06-17 19:17:36
Looking for some opinions on exactly how to roll NetPass out:

Present Configuration
- Each of 5 residence halls is on its own subnet and VLAN
- Switch closets in each RH collapse back into a L3 aggregation switch
  before traveling back to the core via 1GB fiber

Possible Configurations
- Each building has its own NetPass/DNS/DHCP servers, so QVLAN never
  leaves the building
  - Could "lose" a building if a single unit fails
vs.
- 2 HA campus-wide servers
  - would have to tag QVLAN back thru core to allow DNS/DHCP access ==>
    or are these supposed to be routed thru the NP server(s)??

Still a little fuzzy on exactly how to roll this out...any help/advice
would be appreciated.

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Jeff M. <jcm...@os...> - 2005-06-17 19:10:14
On Fri, 2005-06-17 at 14:59 -0400, Don Rugh wrote:
> Jeff,
>
> - one section for padding MACs would be in NetPass::validateMac -- I
> added a padMac() call there, and it did fix some issues, but I'm not
> sure that's the correct fix....some debug messages show the entire
> (padded?) MAC, and some others don't, so I'm not exactly sure where it's
> padded and where it's not......

ok. i'll examine that routine.

> - the progress bar does not appear while the machine is being
> scanned -- what mechanism is being used to update? Where do we need
> to look for problems?

we were under pressure to keep the progress bar non-JS. so it's somewhat
lame. we just print out an <img>. i guess we should look at buffering
(e.g. $|=1) and make sure the output isn't getting buffered somewhere.

> - we just noticed today that after NetPass scans a few computers,
> nessusd needs to be HUPed -- it just refuses to scan any other
> computers. This behavior does not occur via the nessus GUI.....have
> you seen anything like this???

i've not seen that. we did apply a patch to nessus for a "zombie"
problem a while back where the sub-procs wouldn't be reaped. i think the
nessus folks accepted the patch, but i haven't checked to be sure.

> BTW, the cookie problem we were having last week was due to an update
> (that I was initially unaware of) of a Perl module == Apache::Session
> was updated from 0.19 to 0.20, and pretty much broke cookie
> management for us. Backing down to 0.19 fixed the problem....haven't
> checked back at CPAN for further updates, but you may want to beware....

thanks

> Thanks for all your help!!
>
> Regards,
> Don
>
> On Jun 16, 2005, at 7:41 PM, jeff murphy wrote:
>
>> On Thu, 2005-06-16 at 16:09 -0400, Don Rugh wrote:
>>
>>> Have there been any bugs fixed recently concerning how MAC addresses
>>> are handled??
>>
>> no...
>>
>>> Some things just don't quite seem to be working correctly. Some places
>>> in the code pad for leading zero, yet others don't -- why is this
>>
>> if a higher level routine pads, then we forgo it at the lower levels.
>> where, specifically, do you feel padding is not being done but should
>> be?

--
Jeff Murphy <jcm...@os...>
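Editor's note on the MAC padding exchange above. The practical risk of padding in some code paths and not others is that the same client ends up as two different keys: a record written with "00:0a:..." is not found when a switch or ARP table later reports the client as "0:a:...", so the lookup falls through to whatever the unknown-client path does. The Python below is an added example, not the project's NetPass::validateMac or padMac and not code from either poster: one normalization routine applied at every entry point, so there is no need to remember which caller already padded. The canonical form (lower case, zero-padded, colon-separated) and the accepted input spellings are this example's own assumptions.

```python
import re

_OCTET = re.compile(r'^[0-9a-f]{1,2}$')


def normalize_mac(raw):
    """Return the canonical form of a MAC address (00:0a:1b:2c:3d:4e), or
    None if the input is not a well-formed MAC.

    Accepted spellings (all constructed for this example):
      "0:a:1b:2c:3d:4e"     colon-separated with unpadded octets, as some
                             switches and ARP tables report them
      "00-0A-1B-2C-3D-4E"   dash-separated, upper case (Windows ipconfig)
      "000a.1b2c.3d4e"      Cisco dotted triplets
      "000a1b2c3d4e"        bare hex digits
    """
    if not isinstance(raw, str):
        return None
    s = raw.strip().lower()
    if ':' in s or '-' in s:
        if ':' in s and '-' in s:
            return None                       # mixed separators: reject
        octets = s.split(':' if ':' in s else '-')
    elif '.' in s:
        groups = s.split('.')
        if len(groups) != 3 or any(len(g) != 4 for g in groups):
            return None
        digits = ''.join(groups)
        octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    elif len(s) == 12:
        octets = [s[i:i + 2] for i in range(0, 12, 2)]
    else:
        return None
    if len(octets) != 6 or not all(_OCTET.match(o) for o in octets):
        return None
    return ':'.join(o.zfill(2) for o in octets)


class QuarantineTable:
    """Stand-in for the per-MAC state NetPass keeps (constructed for this
    example, not the project's schema). Every entry point normalizes, so a
    client is one record however its address was spelled on the way in."""

    def __init__(self):
        self._status = {}

    def set_status(self, mac, status):
        key = normalize_mac(mac)
        if key is None:
            raise ValueError('malformed MAC address: %r' % (mac,))
        self._status[key] = status

    def status(self, mac):
        key = normalize_mac(mac)
        return None if key is None else self._status.get(key, 'UNKNOWN')


def demo():
    """The failure described in the thread: a record stored with a padded MAC
    is not found when the same client is reported unpadded, unless both paths
    normalize. Returns (lookup on raw strings, lookup through the table)."""
    registered = '00:0a:1b:2c:3d:4e'       # how the registration page stored it
    from_switch = '0:a:1b:2c:3d:4e'        # how the switch reported it later
    raw_table = {registered: 'QUAR'}
    table = QuarantineTable()
    table.set_status(registered, 'QUAR')
    return raw_table.get(from_switch, 'UNKNOWN'), table.status(from_switch)


if __name__ == '__main__':
    print('raw dict lookup: %s, normalized lookup: %s' % demo())
```

Normalize once at each boundary where an address enters the system (the registration form, the SNMP/ARP poller, the log parser) and store only the canonical form; then debug output, database keys and comparisons all agree, and the question of which layer is responsible for padding goes away.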
From: Don R. <don...@em...> - 2005-06-17 19:00:04
Jeff,

- one section for padding MACs would be in NetPass::validateMac -- I
added a padMac() call there, and it did fix some issues, but I'm not
sure that's the correct fix....some debug messages show the entire
(padded?) MAC, and some others don't, so I'm not exactly sure where it's
padded and where it's not......

- the progress bar does not appear while the machine is being
scanned -- what mechanism is being used to update? Where do we need
to look for problems?

- we just noticed today that after NetPass scans a few computers,
nessusd needs to be HUPed -- it just refuses to scan any other
computers. This behavior does not occur via the nessus GUI.....have
you seen anything like this???

BTW, the cookie problem we were having last week was due to an update
(that I was initially unaware of) of a Perl module == Apache::Session
was updated from 0.19 to 0.20, and pretty much broke cookie
management for us. Backing down to 0.19 fixed the problem....haven't
checked back at CPAN for further updates, but you may want to beware....

Thanks for all your help!!

Regards,
Don

On Jun 16, 2005, at 7:41 PM, jeff murphy wrote:

> On Thu, 2005-06-16 at 16:09 -0400, Don Rugh wrote:
>
>> Have there been any bugs fixed recently concerning how MAC addresses
>> are handled??
>
> no...
>
>> Some things just don't quite seem to be working correctly. Some places
>> in the code pad for leading zero, yet others don't -- why is this
>
> if a higher level routine pads, then we forgo it at the lower levels.
> where, specifically, do you feel padding is not being done but should
> be?
From: jeff m. <jcm...@os...> - 2005-06-16 23:41:25
On Thu, 2005-06-16 at 16:09 -0400, Don Rugh wrote:
> Have there been any bugs fixed recently concerning how MAC addresses are
> handled??

no...

> Some things just don't quite seem to be working correctly. Some places
> in the code pad for leading zero, yet others don't -- why is this

if a higher level routine pads, then we forgo it at the lower levels.
where, specifically, do you feel padding is not being done but should
be?
From: Don R. <don...@em...> - 2005-06-16 20:09:23
Have there been any bugs fixed recently concerning how MAC addresses are
handled??

Some things just don't quite seem to be working correctly. Some places
in the code pad for leading zero, yet others don't -- why is this

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Harding, T. <td...@sa...> - 2005-06-10 18:55:35
|
Jeff Murphy wrote:
> when you say "the dorms are connected directly to the campus network
> through Cisco 2924 switches" can you elaborate? are you routed at all
> internally? can you provide a picture?

Our topology is pretty straightforward. We are not routed at all internally. All computers on the wired LAN have the same gateway address. This includes the labs, offices, and dorms. We have Cisco 2924 switches at the different locations around campus and they all eventually are connected back to a central Cisco 2924 switch in the telecom room. All the wired hosts are on VLAN 1.

I guess what would be easiest for us is to make the ports on the dorm switches default to something like VLAN 800 for the quar VLAN. Once a client is registered and checked out, the NetPass server will change the client's port to VLAN 1. I don't think we'll need to have a separate unquar VLAN set at something like 100 because it would simply be bridged to VLAN 1.

Does that make sense?

Thanks!
Troy

-----Original Message-----
From: net...@li... [mailto:net...@li...]On Behalf Of Jeff Murphy
Sent: Wednesday, June 08, 2005 3:49 PM
To: net...@li...
Subject: RE: [Netpass-users] NetPass installation?

On Wed, 2005-06-08 at 14:13 -0500, Harding, Troy wrote:
> Okay. I now understand much better how things fit together. Thanks Jeff!
> Here are answers to the questions you asked:
>
> > did we put something in the doc about endace?
>
> That was on Part 2c which gives instructions to "Configure Snort to work
> with endace cards". I guess that is really more of an add-on to NetPass.

yes. that's an add-on. and you don't really need the endace cards for snort unless you are having performance problems on your snort box (due to high volume). certainly at FE speeds, almost any generic PC should be able to run snort with no serious performance issues.

> > what equipment (switches & routers) are you using?
>
> We're currently just implementing this on a small satellite campus of
> K-State University. The dorms are connected directly to the campus network
> through Cisco 2924 switches. There is no router between the dorms and the
> campus network. All SNMP traffic is currently isolated on a separate VLAN.
> I guess that means that we'll need three interfaces on the NetPass server:
> Quar, Unquar, and SNMP VLAN. Does that sound reasonable?

the netpass server still gets 2 physical interfaces. eth0 sits on the routable network (facing towards your core) and snmp instructions are sent out that interface. the switch management interfaces need to be on a separate subnet/vlan for netpass to work. at UB, all of our resnet switches are on a single subnet, for management, and that subnet is assigned a separate vlan. that subnet and vlan aren't part of the netpass config.

eth1 points towards your resnet and you will bridge/trunk all of the resnet vlans (both quar and unquar) back to the netpass server. netpass then brings up tagged virtual interfaces for each vlan. so if you do an ifconfig you see things like:

    eth0      128.205.1.26/24
    eth1      0.0.0.0
    eth1.100  0.0.0.0
    eth1.800  128.205.100.254/24
    eth1.101  0.0.0.0
    eth1.801  128.205.101.254/24

where eth1 isn't used. eth1.100 and eth1.101 are the unquarantined vlans and are not configured with an IP address (but are still useful and in some cases required for netpass - so make sure they are bridged back). eth1.800 and eth1.801 are the two quarantine vlans. they are assigned the same gateway as is assigned to the router that gateways for those subnets. when the client is in quarantine, the gateway swings from the router to the netpass server.

when you say "the dorms are connected directly to the campus network through Cisco 2924 switches" can you elaborate? are you routed at all internally? can you provide a picture?

look at http://netpass.sf.net/ov/network1.png it's a diagram we used a while back to help illustrate how routing/addressing/bridging works with netpass.

jeff
|
From: jeff m. <jcm...@os...> - 2005-06-10 13:53:10
|
On Fri, 2005-06-10 at 09:31 -0400, Don Rugh wrote:
> I would be interested in any comments on Cisco switch support. Looking
> at the Cisco.pm module it would appear that:
>
> - add_vlan_membership sets ONLY VLAN assigned to port (hence
>   del_vlan...not needed)
> - get_vlan_membership returns present assignment
> - other, "generic" OID information calls are implemented
>
> - set_default_vlan_id not used
> - del_vlan_membership not used
> - get_default_vlan_id can't work (used Nortel OID)
>
> So, can I assume that:
> - this Cisco implementation does work?

the cisco module works. ideally, the above routines would be fully implemented per the comments at the top of each routine. obviously they are not for the cisco module.

the reasoning behind these routines is that, in the future, we expect that there will be a time when you have a port with a VOIP phone plugged into it and a PC plugged into the phone. many voip architectures have phones on a separate vlan from the PC. if your voip architecture has the phones on the same vlan as the PC, then this feature is moot.

we'd like to be able to quarantine the PC without affecting the phone (this feature implies that you are trusting that the PC will not emit tagged packets). the phone is emitting tagged packets. so we change the default vlan that untagged packets are placed in and remove membership in the unquarantined data vlan, but leave membership in other vlans (the voip one) alone.

as it stands now, the cisco module will need some revising, but in the most basic configuration where each port is a member of only one vlan at a time, it works.

> - the Cisco switches are setup for only 1 VLAN per port, and only the
> uplinks are tagged to pass VLAN info?

yes

> - the first three items are the "core" functions required for NetPass
> to work? so if we can get these to work, we're OK?

yes
|
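The port-level quarantine sequence Jeff describes above (swing the default VLAN for untagged frames, drop membership in the unquarantined data VLAN, leave the phone's tagged VLAN alone), as an added example that is not NetPass or Cisco.pm code; the Port class and all VLAN numbers are constructed for illustration, with method names mirroring the routines listed in the thread.

```python
# Added example (not NetPass/Cisco.pm code); VLAN ids below are constructed values.
UNQUAR_DATA_VLAN = 100  # constructed: unquarantined data VLAN for the PC
QUAR_VLAN = 800         # constructed: quarantine VLAN
VOIP_VLAN = 200         # constructed: tagged voice VLAN used by the phone


class Port:
    """Untagged frames land in default_vlan; tagged frames are accepted only
    for VLANs in the membership set. Method names mirror the thread's list."""

    def __init__(self, default_vlan, tagged=()):
        self.default_vlan = default_vlan
        self.vlans = {default_vlan, *tagged}

    def get_default_vlan_id(self):
        return self.default_vlan

    def set_default_vlan_id(self, vlan):
        self.vlans.add(vlan)  # a port must be a member of its default VLAN
        self.default_vlan = vlan

    def get_vlan_membership(self):
        return set(self.vlans)

    def add_vlan_membership(self, vlan):
        self.vlans.add(vlan)

    def del_vlan_membership(self, vlan):
        if vlan == self.default_vlan:
            raise ValueError("change the default VLAN before removing it")
        self.vlans.discard(vlan)

    def classify(self, tag=None):
        """VLAN an ingress frame is placed in, or None if the switch drops it."""
        if tag is None:
            return self.default_vlan
        return tag if tag in self.vlans else None


def quarantine(port):
    """Swing untagged (PC) traffic to the quarantine VLAN and drop the data VLAN,
    leaving the phone's tagged VLAN alone. Trust assumption from the thread: a PC
    tagging its own frames with VOIP_VLAN is still accepted, since we keep it."""
    port.set_default_vlan_id(QUAR_VLAN)
    port.del_vlan_membership(UNQUAR_DATA_VLAN)


def release(port):
    """Reverse of quarantine(): untagged traffic back on the data VLAN."""
    port.set_default_vlan_id(UNQUAR_DATA_VLAN)
    port.del_vlan_membership(QUAR_VLAN)
```

In the one-VLAN-per-port setup the thread says the current Cisco module handles, the same effect reduces to replacing the port's single VLAN; this model is the multi-VLAN case the routines were designed for.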
From: Julian Y. K. <ko...@no...> - 2005-06-10 13:40:17
|
At 09:31 -0400 06/10/2005, Don Rugh wrote:
>So, can I assume that:
>- this Cisco implementation does work?

That is correct. We at Northwestern have been using NetPass since last fall with Cisco 3524/3548XL switches as well as 3550 switches. There's currently a wrinkle involved in that the XL-series switches have a different ifindex scheme than the 3550s. On a 3550, Fa0/10 = ifindex 10. On a 3524/3548XL, Fa0/10 = ifindex 11. So in the netpass.conf file, you need to make this adjustment depending on the type of switch you have. Cisco.pm could likely be improved to detect the model number and adjust the ifindex accordingly, so you would only have to specify the port number in the conf file.

>- the Cisco switches are setup for only 1 VLAN per port, and only the
>uplinks are tagged to pass VLAN info?

Correct.

>- the first three items are the "core" functions required for NetPass to
>work? so if we can get these to work, we're OK?

Yep.

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key:<http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
|
From: Don R. <don...@em...> - 2005-06-10 13:32:07
|
I would be interested in any comments on Cisco switch support. Looking at the Cisco.pm module it would appear that:

- add_vlan_membership sets ONLY VLAN assigned to port (hence del_vlan...not needed)
- get_vlan_membership returns present assignment
- other, "generic" OID information calls are implemented

- set_default_vlan_id not used
- del_vlan_membership not used
- get_default_vlan_id can't work (used Nortel OID)

So, can I assume that:
- this Cisco implementation does work?
- the Cisco switches are setup for only 1 VLAN per port, and only the uplinks are tagged to pass VLAN info?
- the first three items are the "core" functions required for NetPass to work? so if we can get these to work, we're OK?

FYI, we're close to having NetPass up and running on Mac OS X Server, and will probably end up using SMC switches at the edge -- once the device module is completed.

Thanks...

Regards,
Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
|
From: Jeff M. <jcm...@os...> - 2005-06-08 20:48:50
|
On Wed, 2005-06-08 at 14:13 -0500, Harding, Troy wrote:
> Okay. I now understand much better how things fit together. Thanks Jeff!
> Here are answers to the questions you asked:
>
> > did we put something in the doc about endace?
>
> That was on Part 2c which gives instructions to "Configure Snort to work
> with endace cards". I guess that is really more of an add-on to NetPass.

yes. that's an add-on. and you don't really need the endace cards for snort unless you are having performance problems on your snort box (due to high volume). certainly at FE speeds, almost any generic PC should be able to run snort with no serious performance issues.

> > what equipment (switches & routers) are you using?
>
> We're currently just implementing this on a small satellite campus of
> K-State University. The dorms are connected directly to the campus network
> through Cisco 2924 switches. There is no router between the dorms and the
> campus network. All SNMP traffic is currently isolated on a separate VLAN.
> I guess that means that we'll need three interfaces on the NetPass server:
> Quar, Unquar, and SNMP VLAN. Does that sound reasonable?

the netpass server still gets 2 physical interfaces. eth0 sits on the routable network (facing towards your core) and snmp instructions are sent out that interface. the switch management interfaces need to be on a separate subnet/vlan for netpass to work. at UB, all of our resnet switches are on a single subnet, for management, and that subnet is assigned a separate vlan. that subnet and vlan aren't part of the netpass config.

eth1 points towards your resnet and you will bridge/trunk all of the resnet vlans (both quar and unquar) back to the netpass server. netpass then brings up tagged virtual interfaces for each vlan. so if you do an ifconfig you see things like:

    eth0      128.205.1.26/24
    eth1      0.0.0.0
    eth1.100  0.0.0.0
    eth1.800  128.205.100.254/24
    eth1.101  0.0.0.0
    eth1.801  128.205.101.254/24

where eth1 isn't used. eth1.100 and eth1.101 are the unquarantined vlans and are not configured with an IP address (but are still useful and in some cases required for netpass - so make sure they are bridged back). eth1.800 and eth1.801 are the two quarantine vlans. they are assigned the same gateway as is assigned to the router that gateways for those subnets. when the client is in quarantine, the gateway swings from the router to the netpass server.

when you say "the dorms are connected directly to the campus network through Cisco 2924 switches" can you elaborate? are you routed at all internally? can you provide a picture?

look at http://netpass.sf.net/ov/network1.png it's a diagram we used a while back to help illustrate how routing/addressing/bridging works with netpass.

jeff
|
From: Harding, T. <td...@sa...> - 2005-06-08 19:13:22
|
Okay. I now understand much better how things fit together. Thanks Jeff!
Here are answers to the questions you asked:

> did we put something in the doc about endace?

That was on Part 2c which gives instructions to "Configure Snort to work with endace cards". I guess that is really more of an add-on to NetPass.

> what equipment (switches & routers) are you using?

We're currently just implementing this on a small satellite campus of K-State University. The dorms are connected directly to the campus network through Cisco 2924 switches. There is no router between the dorms and the campus network. All SNMP traffic is currently isolated on a separate VLAN. I guess that means that we'll need three interfaces on the NetPass server: Quar, Unquar, and SNMP VLAN. Does that sound reasonable?

Thanks again,
Troy

-----Original Message-----
From: net...@li... [mailto:net...@li...]On Behalf Of Jeff Murphy
Sent: Tuesday, June 07, 2005 10:02 PM
To: net...@li...
Subject: Re: [Netpass-users] NetPass installation?

Harding, Troy wrote:
> Thanks! From reading through the guide it looks like I'll need an Endace
> card. Is that right? So for a 100Base-T network I should get something
> like a DAG 3.6EP.

hmm. no. did we put something in the doc about endace?

> I'm still a little fuzzy on the configuration... so I will have a NetPass
> server inline between the quarantined VLAN and the campus network, right?

no, it works out-of-band... sort of. it is inline for the quarantine vlans. but once the client is outside of quarantine, the netpass server is no longer inline. http://netpass.sf.net/ov/ has some diagrams. check out "np1.png"

> But don't I also need to be able to analyze traffic on all the dorm switch
> ports, so the NetPass server will also need to be connected to a SPAN
> monitoring port on the switches?

no, you'll bridge the vlans back to the netpass server. what equipment (switches & routers) are you using? how many ports total?

> Do I need another network card in the
> NetPass server or will the Endace card be adequate. Or maybe I'm just
> thinking about this all wrong.
>
> Sorry about the newbie questions.

what you'll need is roughly 1 CPU, 1G ram per 1000 users (ports) in order to handle startup and mass-quarantining. for 6000-8000 users, we've had success with 2 dual 2.8ghz machines with 3-4G ram each. we're running in a load-balancing configuration. each machine has 2 nics, which is pretty much standard these days on rackable servers.

the inside nic (eth1), as shown in np1.png, sits in the quarantine vlan and is configured with the IP address of the client's subnet gateway. either using gratuitous arp, or by having the appropriate cisco gear, you can convince the clients to quickly pick up any change in the gateway as they swing between the quar and unquar vlans. when in the unquar vlan, the netpass servers are out of the picture. the client is routed as normal thru your network.
|