netpass-users Mailing List for NetPass (Page 5)
From: Jeff M. <jcm...@os...> - 2005-06-08 15:24:49

On Wed, 2005-06-08 at 10:42 -0400, Don Rugh wrote:
> ...is this module still in use? does not appear to work OOTB, unless I
> am doing something wrong. If it's not needed, there are then several
> calls not required in the device driver modules....

we haven't touched it since using it to help convert our network, so it likely doesn't work in NP2.0. we can examine it and get it working again.

the intent of the script was to go out, look up all the ports in netpass vlans and spit out the appropriate <vlanmap> lines (we had a lot of switches and we didn't want to type it all in manually).

jeff
From: Jeff M. <jcm...@os...> - 2005-06-08 15:22:19

On Wed, 2005-06-08 at 08:45 -0400, Don Rugh wrote:
> Is the "standard" config to run with a single quarantine VLAN and a
> single authenticated VLAN?

per subnet. at UB, we might have 128.205.100.0/24 enabled for NetPass. we assign 100 as the unquar vlan and 800 as the quar vlan. if we then add 128.205.105.0/24 we'd assign 105 and 805 to that subnet. unlike some similar products, NetPass does not use a single large quarantine vlan for all networks.

> Or have some implementations segmented this further??? The sketches
> seem to indicate a single VLAN for each, though this could also be
> for simplicity in the diagrams...

i'll make this more clear on the diagrams.

> We presently have each residence hall on its own VLAN, and I was
> considering leaving it that way and adding a QVLAN for each building.
> This approach will complicate the network setup a bit, though...

it does, yes, but it made achieving the goal of allowing the client to keep their "normal" IP address at all times easier.
From: Don R. <don...@em...> - 2005-06-08 14:42:40

...is this module still in use? does not appear to work OOTB, unless I am doing something wrong. If it's not needed, there are then several calls not required in the device driver modules....

Thanks,
Don

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Don R. <don...@em...> - 2005-06-08 12:46:26

Is the "standard" config to run with a single quarantine VLAN and a single authenticated VLAN? Or have some implementations segmented this further??? The sketches seem to indicate a single VLAN for each, though this could also be for simplicity in the diagrams...

We presently have each residence hall on its own VLAN, and I was considering leaving it that way and adding a QVLAN for each building. This approach will complicate the network setup a bit, though...

Thanks,

Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Jeff M. <jcm...@os...> - 2005-06-08 03:01:47

Harding, Troy wrote:
> Thanks! From reading through the guide it looks like I'll need an Endace
> card. Is that right? So for a 100Base-T network I should get something
> like a DAG 3.6EP.

hmm. no. did we put something in the doc about endace?

> I'm still a little fuzzy on the configuration... so I will have a NetPass
> server inline between the quarantined VLAN and the campus network, right?

no, it works out-of-band... sort of. it is inline for the quarantine vlans. but once the client is outside of quarantine, the netpass server is no longer inline. http://netpass.sf.net/ov/ has some diagrams. check out "np1.png"

> But don't I also need to be able to analyze traffic on all the dorm switch
> ports, so the NetPass server will also need to be connected to a SPAN
> monitoring port on the switches?

no, you'll bridge the vlans back to the netpass server. what equipment (switches & routers) are you using? how many ports total?

> Do I need another network card in the
> NetPass server or will the Endace card be adequate. Or maybe I'm just
> thinking about this all wrong.
>
> Sorry about the newbie questions.

what you'll need is roughly 1 CPU, 1G ram per 1000 users (ports) in order to handle startup and mass-quarantining. for 6000-8000 users, we've had success with 2 dual 2.8ghz machines with 3-4G ram each. we're running in a load-balancing configuration. each machine has 2 nics, which is pretty much standard these days on rackable servers.

the inside nic (eth1), as shown in np1.png, sits in the quarantine vlan and is configured with the IP address of the client's subnet gateway. either using gratuitous arp, or by having the appropriate cisco gear, you can convince the clients to quickly pick up any change in the gateway as they swing between the quar and unquar vlans. when in the unquar vlan, the netpass servers are out of the picture. the client is routed as normal through your network.
From: Harding, T. <td...@sa...> - 2005-06-07 22:10:43

Thanks! From reading through the guide it looks like I'll need an Endace card. Is that right? So for a 100Base-T network I should get something like a DAG 3.6EP.

I'm still a little fuzzy on the configuration... so I will have a NetPass server inline between the quarantined VLAN and the campus network, right? But don't I also need to be able to analyze traffic on all the dorm switch ports, so the NetPass server will also need to be connected to a SPAN monitoring port on the switches? Do I need another network card in the NetPass server or will the Endace card be adequate? Or maybe I'm just thinking about this all wrong.

Sorry about the newbie questions.

Troy

-----Original Message-----
From: net...@li... [mailto:net...@li...] On Behalf Of Jeff Murphy
Sent: Monday, June 06, 2005 9:46 PM
To: net...@li...
Subject: Re: [Netpass-users] NetPass installation?

Harding, Troy wrote:
> Does anyone have an installation guide and/or information to help me get
> started with downloading the latest files and getting a test server
> configured? I'm starting from scratch, so any help would be appreciated.

read through http://netpass.sf.net/install.html

we're (finally) finished with the 2.0 feature set and will be just ironing out bugs and finalizing doc over the next couple of weeks. if you won't be running in HA mode (load balancing) then you can ignore anything about kernel rebuilds and redirectors.

jeff
From: Jeff M. <jcm...@os...> - 2005-06-07 02:46:28

Harding, Troy wrote:
> Does anyone have an installation guide and/or information to help me get
> started with downloading the latest files and getting a test server
> configured? I'm starting from scratch, so any help would be appreciated.

read through http://netpass.sf.net/install.html

we're (finally) finished with the 2.0 feature set and will be just ironing out bugs and finalizing doc over the next couple of weeks. if you won't be running in HA mode (load balancing) then you can ignore anything about kernel rebuilds and redirectors.

jeff
From: Harding, T. <td...@sa...> - 2005-06-06 22:10:02

Hi,

I'm Troy Harding at Kansas State University. We are very interested in implementing something like NetPass here. Our original plan was to start out with NetReg and then gradually work on using VLANs to control access. I came across NetPass the other day and was very excited to see that someone else has already done development work on using VLANs. The plan now is to skip NetReg and work on getting NetPass set up for the Fall.

Does anyone have an installation guide and/or information to help me get started with downloading the latest files and getting a test server configured? I'm starting from scratch, so any help would be appreciated.

Thanks!

Troy
From: Matt B. <mt...@os...> - 2005-05-27 14:48:37

Hi Donald,

in the default netpass install there is no snmptrapd.conf file. we pass all the config options for netpass to the snmptrapd daemon as arguments, shown below.

OPTIONS="-n -Lf /opt/netpass/log/snmptraps.log -p /var/run/snmptrapd.pid -F '%#04.4y-%#02.2m-%02.2l %#02.2h:%#02.2j:%#02.2k TRAP %N;%w ;%q;%A;%v\n' "

if you wanted to use a conf file instead you could probably match each of the arguments above to their corresponding config option for snmptrapd.conf.

-Matt

On Fri, 27 May 2005, Don Rugh wrote:
> Hello,
>
> We are working towards implementing NetPass on Mac OS X Server. All
> is moving along relatively well -- I'll be happy to post installation
> notes once we have completed our efforts.
>
> I'm interested at this point in seeing an example snmptrapd.conf file
> targeted towards a NetPass installation. If anyone could send me one,
> I'd appreciate it!!
>
> Regards,
> Donald G. Rugh
> Director of Network Services
> Information Services
> Saint Vincent College
> 300 Fraser Purchase Road
> Latrobe, PA 15650
> 724-805-2559
> don...@em...
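The -F string in the OPTIONS line above fixes the shape of every record snmptrapd writes to /opt/netpass/log/snmptraps.log: a timestamp, the literal word TRAP, then the enterprise OID, generic trap number, specific trap number, agent and variable bindings separated by semicolons (with a literal space before the second one). The following parser is an added example, not code from NetPass or from Matt's message. It assumes snmptrapd's documented meaning of the format tokens (%w is the RFC 1157 generic trap number, so 2 and 3 are linkDown and linkUp, the events a port-based NAC cares about) and that %v separates variable bindings with tabs. The sample log lines, the enterprise OID and the switch hostnames are constructed for the example; the last sample line is deliberately malformed so the parser's handling of junk is visible.

```python
import re
from collections import defaultdict

# RFC 1157 generic trap numbers; snmptrapd's %w token emits this number.
GENERIC_TRAPS = {
    0: "coldStart", 1: "warmStart", 2: "linkDown", 3: "linkUp",
    4: "authenticationFailure", 5: "egpNeighborLoss", 6: "enterpriseSpecific",
}

# One record per line, as produced by the -F string quoted in the message:
#   YYYY-MM-DD HH:MM:SS TRAP <enterprise>;<generic> ;<specific>;<agent>;<varbinds>
# The space before the second ';' is a literal in that format string.
TRAP_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) TRAP "
    r"(?P<enterprise>[^;]*);(?P<generic>\d+) ;(?P<specific>\d+);"
    r"(?P<agent>[^;]*);(?P<varbinds>.*)$"
)
# linkUp/linkDown traps carry the affected port as an IF-MIB ifIndex varbind.
IFINDEX = re.compile(r"ifIndex\.(\d+)")

# Constructed sample log (enterprise OID, hostnames and varbinds are made up).
SAMPLE_LOG = (
    "2005-05-27 14:48:37 TRAP SNMPv2-SMI::enterprises.99999.1;3 ;0;"
    "sw-dorm1.example.edu;IF-MIB::ifIndex.7 = INTEGER: 7\t"
    "IF-MIB::ifDescr.7 = STRING: FastEthernet0/7\n"
    "2005-05-27 14:49:02 TRAP SNMPv2-SMI::enterprises.99999.1;2 ;0;"
    "sw-dorm1.example.edu;IF-MIB::ifIndex.7 = INTEGER: 7\t"
    "IF-MIB::ifDescr.7 = STRING: FastEthernet0/7\n"
    "2005-05-27 14:49:40 TRAP SNMPv2-SMI::enterprises.99999.1;3 ;0;"
    "sw-dorm2.example.edu;IF-MIB::ifIndex.12 = INTEGER: 12\n"
    "this line is not a trap record\n"
)


def parse_trap_line(line):
    """Return a dict for one snmptrapd record, or None if the line does not match."""
    m = TRAP_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["generic"] = int(rec["generic"])
    rec["specific"] = int(rec["specific"])
    rec["trap_name"] = GENERIC_TRAPS.get(rec["generic"], "unknown")
    # Tab-separated varbinds is an assumption about %v; keep them as a list.
    rec["varbinds"] = [v for v in m.group("varbinds").split("\t") if v]
    ifm = IFINDEX.search(m.group("varbinds"))
    rec["if_index"] = int(ifm.group(1)) if ifm else None
    return rec


def parse_trap_log(text):
    """Parse every well-formed record in the log text, silently skipping anything else."""
    records = []
    for line in text.splitlines():
        rec = parse_trap_line(line)
        if rec is not None:
            records.append(rec)
    return records


def link_events_by_agent(records):
    """Group linkUp/linkDown traps by switch, in arrival order, as (ifIndex, event)."""
    events = defaultdict(list)
    for rec in records:
        if rec["trap_name"] in ("linkUp", "linkDown"):
            events[rec["agent"]].append((rec["if_index"], rec["trap_name"]))
    return dict(events)


if __name__ == "__main__":
    for agent, evs in link_events_by_agent(parse_trap_log(SAMPLE_LOG)).items():
        print(agent, evs)
```

Because the agent and varbind fields are free text from the switch, the parser never trusts them beyond matching the fixed delimiters; a line that does not fit the format is dropped rather than partially interpreted, which is the behaviour you want from anything that feeds quarantine decisions.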
From: Don R. <don...@em...> - 2005-05-27 14:20:49

Hello,

We are working towards implementing NetPass on Mac OS X Server. All is moving along relatively well -- I'll be happy to post installation notes once we have completed our efforts.

I'm interested at this point in seeing an example snmptrapd.conf file targeted towards a NetPass installation. If anyone could send me one, I'd appreciate it!!

Regards,
Donald G. Rugh
Director of Network Services
Information Services
Saint Vincent College
300 Fraser Purchase Road
Latrobe, PA 15650
724-805-2559
don...@em...
From: Julian Y. K. <ko...@no...> - 2004-11-17 16:01:48

At 21:31 -0400 10/23/2004, jeff murphy wrote:
> the API is our primary concern right now. if we can, we'll finish up
> macscan within the next week and a half as well.

Is there a status update on these items? We would like to schedule our upgrade and rollout of the API features over our winter break, which begins in early December.

Thanks!

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
From: jeff m. <jcm...@os...> - 2004-10-24 01:31:26

On Thu, 2004-10-21 at 16:18, Julian Y. Koh wrote:
> We are particularly interested in 2 areas of NetPass progress:
>
> 1.) Snort/general external API functionality
> Obviously snort integration is on the to-do list. My question is
> when is this projected to be completed,

the API feature should be available this week or next.

> and how extensible is this API going to be?
> ie, will we be able to use any external program to send quar/unquar commands
> to NetPass?

yes.

> 2.) macscan
> We've come across multiple situations where a user has a hublet/switchlet
> connected to a wall port w/ only one machine connected and registered/scanned
> just fine. Later, the user brings on a second machine, but because link
> never went down on the port, that machine is not registered or scanned. It
> was my understanding that the macscan process was supposed to take care of
> this situation by periodically looking at all the switch ports and quar'ing
> any of them that had unregistered MAC addresses connected. When will this be
> up and running?

the macscan piece needs testing before i can give the go-ahead to use it. the biggest issue with it concerns the use of threads. our success at using perl threads has been mixed. we recently began using perl 5.8.5 (we were on 5.8.3) and that seems to have improved things. under 5.8.3, long-running scripts using threads wouldn't run very long ;)

the API is our primary concern right now. if we can, we'll finish up macscan within the next week and a half as well.
From: Julian Y. K. <ko...@no...> - 2004-10-21 20:18:21

We are particularly interested in 2 areas of NetPass progress:

1.) Snort/general external API functionality
Obviously snort integration is on the to-do list. My question is when is this projected to be completed, and how extensible is this API going to be? ie, will we be able to use any external program to send quar/unquar commands to NetPass?

2.) macscan
We've come across multiple situations where a user has a hublet/switchlet connected to a wall port w/ only one machine connected and registered/scanned just fine. Later, the user brings on a second machine, but because link never went down on the port, that machine is not registered or scanned. It was my understanding that the macscan process was supposed to take care of this situation by periodically looking at all the switch ports and quar'ing any of them that had unregistered MAC addresses connected. When will this be up and running?

Thanks!!

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
From: Jeff M. <jcm...@os...> - 2004-10-21 16:01:34

On Thu, 2004-10-21 at 09:56 -0500, Julian Y. Koh wrote:
> So, when we look at users in the QuarControl page, it seems like the
> "Registered On" date is often something very recent. It looks like this is
> actually the last time that the MAC address was validated on the network, not
> when the actual registration took place. The "First Seen" column seems to
> have that date/time.
>
> Clarification, please?

you're correct. it's a misnomer. registered on is really "last seen" and first seen is "registered on". this has been corrected in the current source tree so that the html table columns are called "first seen" and "last seen". the actual column names in the database are not renamed though.

jeff
From: Julian Y. K. <ko...@no...> - 2004-10-21 14:57:02

So, when we look at users in the QuarControl page, it seems like the "Registered On" date is often something very recent. It looks like this is actually the last time that the MAC address was validated on the network, not when the actual registration took place. The "First Seen" column seems to have that date/time.

Clarification, please?

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
From: Julian Y. K. <ko...@no...> - 2004-09-27 19:06:34

At 13:00 -0400 09/27/2004, Jeff Murphy wrote:
> when you say "move a host from PQUAR to UNQUAR" do you mean "when they
> change the status in the quarctrl form and click 'save changes'"?

That is correct.

> can you verify that this is really happening (i just tried to duplicate
> it and could not)?

Yep, it just happened again. I'll mail you the audit logs directly.

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
From: Jeff M. <jcm...@os...> - 2004-09-27 17:00:35

On Mon, 2004-09-27 at 11:31 -0500, Julian Y. Koh wrote:
> We've got student consultants with QuarControl rights. It seems that when
> they move a host from PQUAR to UNQUAR, their username/netid gets associated
> with that host instead of the username/netid that was previously used to
> register the host in NetPass. If they move the host to QUAR instead, then
> the user has to re-register and scan again, which of course has the desired
> effect of having the correct username associated with the host in question.
>
> Is there any way to have NetPass keep the old username registered when moving
> a host to UNQUAR?

when you say "move a host from PQUAR to UNQUAR" do you mean "when they change the status in the quarctrl form and click 'save changes'"? if so, i don't see how this could occur. the quarctl form will only update the status and message settings of the record. it will not touch the username, or any other field.

can you verify that this is really happening (i just tried to duplicate it and could not)?

jeff
From: Julian Y. K. <ko...@no...> - 2004-09-27 16:31:10

We've got student consultants with QuarControl rights. It seems that when they move a host from PQUAR to UNQUAR, their username/netid gets associated with that host instead of the username/netid that was previously used to register the host in NetPass. If they move the host to QUAR instead, then the user has to re-register and scan again, which of course has the desired effect of having the correct username associated with the host in question.

Is there any way to have NetPass keep the old username registered when moving a host to UNQUAR?

--
Julian Y. Koh <mailto:ko...@no...>
Network Engineer <phone:847-467-5780>
Telecommunications and Network Services
Northwestern University
PGP Public Key: <http://bt.ittns.northwestern.edu/julian/pgppubkey.html>
From: Jeff M. <jcm...@os...> - 2004-09-24 14:59:32

On Fri, 2004-09-24 at 00:22 -0500, Julian Y. Koh wrote:
> In addition to specifying a message for a host in PQUAR, it would be cool if
> we had a way to insert host-specific "notes" for a host in that situation.
>
> We've got a lot of Botnet-compromised hosts here, as I'm sure you do too. We
> have a nice generic Botnet message that we're dumping on all those hosts in
> PQUAR, but it'd be cool if we could have a way to put in notes for the tech
> support people who are going to be taking care of the machines. For example,
> saying things like "this host is doing DNS lookups for irc.ofloo.net, trying
> to contact that host on port 16667, etc etc etc."
>
> But we don't want to create customized full-blown messages in NetPass for
> each of those hosts. That would make the list of messages incredibly long,
> not to mention putting in the time to create all those messages.
>
> What do you think?

sounds good. i'll work it in for the next release. time frame would be 2-4 weeks out.

jeff
From: jeff m. <jcm...@os...> - 2004-09-02 01:05:29

initial message