SkyzohKey / kanet

Automatically exported from code.google.com/p/kanet
GNU General Public License v3.0

Install on Ubuntu as described in Wiki #11

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Followed network setup on wiki
2. followed config in wiki for ubuntu using cas for login
3. everything starts fine

What is the expected output? What do you see instead?

after logging into CAS I should be redirected to the portal or the internet

What version of the product are you using? On what operating system?
kanet_0.2-3_amd64_lucid.deb

Please provide any additional information below.

After successfully getting an IP, I open Internet Explorer and am immediately 
redirected to our CAS login. After I log in it redirects to
https://kanet ip/login_cas/?ticket=ST***********

after which it says the server is not responding, unable to connect 

Please Help,

Jason

Original issue reported on code.google.com by jason.ev...@gmail.com on 20 Jun 2012 at 7:04

GoogleCodeExporter commented 8 years ago
I did some more testing; server port 443 is not responding. Here is my config 
below
-----------------------------------------------------------------
/*
    Configuration file for kanet
*/

{
    /*
        Server configuration
        SERVER_MODE="STANDALONE" (default) or "PROXY"
    */
    "SERVER_MODE" : "STANDALONE",
    "SERVER_URL" : "https://10.200.0.254",
    "SERVER_PORT" : "443",
    "SERVER_IP" : "10.200.0.254",
    "REDIRECT_SERVER_PORT" : "8080",
    "QUEUE_NUM" : "0",
    "SSL_CERT_FILE" : "/etc/kanet/ssl-kanet.crt",
    "SSL_KEY_FILE" : "/etc/kanet/ssl-kanet.key",
    "DEBUG" : "0",
    /*
        Persistent data,
        only sqlite is available.
    */
    "database" : "sqlite",
    "sqlite_connection_string" : "/var/lib/kanet/kanet.sqlite",
    "mysql_connection_string" : "Server=xxx; Port=3306; Database=xxx; uid=xxx; pwd=xxx;",
    /*
        Server behavior
    */
    "login_page" : "https://login.bshp.edu/cas/login?service=https://10.200.0.254/login_cas/",
    "captive_portal_page" : "https://10.200.0.254/update.html",
    "cas_url" : "https://login.bshp.edu/cas",
    "www_path" : "/usr/share/kanet/",
    "module_path" : "/usr/lib",
    "auth_module_name" : "kanet-radiusclient",

    /*
        blacklist acls
        always rejected.
    */
    "KANET_ACL_TYPE_BLACKLIST": [
        { "address" : "127.0.0.1", "port" : 9090 },
        { "port" : 8089 }
    ],
    /*
        open acls
        always open
    */
    "KANET_ACL_TYPE_OPEN": [
        { "address" : "10.200.0.254" },
        { "address" : "10.200.0.254", "port" : 443 },
        { "address" : "login.bshp.edu" },
        { "address" : "login.bshp.edu", "port" : 443 },
        { "port" : 60 }
    ],
    /*
        default acls
        open to authenticated users.
    */
    "KANET_ACL_TYPE_DEFAULT": [
        { "port" : 8089 },
        { "port" : 443 },
        { "port" : 80 }
    ],

    /* Admins : comma separated login list */
    "admins": "colin,colin@upvm",
    /* 
        blacklist_part
    */
    "blacklist_users" : [
        { "login" : "colin", "message" : "hi foo ! you're login have been locked .." },
        { "login" : "johndoe", "message" : "hi john doe ! this account is locked .." }
    ],
    "default_blacklist_message" : "Your account have been locked",

    /* 
        auto_blacklist_acl
        used to inform user they are probably infected, if a user try to join
        one of this address, the user is automatically blacklisted and the message
        display on is login window
    */
    "auto_blacklist_acls": [
        { "address" : "192.168.1.45", "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" },
        { "port" : 45678, "message" : "You're account have been temporarily locked <br/> because you're probably infected by a virus" }
    ],
    /*
        quota, in bytes or seconds. 0 is unlimited.
    */
    "bytes_quota" : "0",
    "time_quota" : "0",
    /*
        message
        variables : $upbytes $downbytes $duration
    */
    "update_msg" : "Up : $upbytes, Down: $downbytes, Time: $duration",
    "over_quota_msg" : "Sorry you exceed your quota",
    "blacklist_msg" : "Sorry, you're account have been locked",
    "update_error_msg" : "An error occured during authentication process, please restart your browser",

}

Original comment by jason.ev...@gmail.com on 20 Jun 2012 at 7:23

GoogleCodeExporter commented 8 years ago
Hi Jason,
start kanet in console mode and watch if there's an error message about the certificate.
Do "SSL_CERT_FILE" : "/etc/kanet/ssl-kanet.crt" and
   "SSL_KEY_FILE" : "/etc/kanet/ssl-kanet.key"
exist?
Cyrille

Original comment by cymo...@gmail.com on 20 Jun 2012 at 9:47

GoogleCodeExporter commented 8 years ago
OK, I didn't get any errors, and yes the cert paths exist and are correct. I 
created self-signed ones for testing and named them the same as in the default 
config.

Also if I browse to https://kanet IP/update.HTML I get server not responding; 
it responds on port 8080 and I get the redirect to my CAS login. I am guessing 
it's because it's not responding on port 443 that it's not going through. I do 
not have Apache installed or anything else using that port, which is why I left it in 
stand-alone mode. Does the cert path need certain permissions on the folder for 
kanet to read it?

Original comment by jason.ev...@gmail.com on 20 Jun 2012 at 10:15

GoogleCodeExporter commented 8 years ago
try with debug set to "1"; kanet should be started as a superuser. Did you set the 
correct IP in the iptables file (kanet-rules)?

Original comment by cymo...@gmail.com on 21 Jun 2012 at 10:50

GoogleCodeExporter commented 8 years ago
OK, I got it working on HTTPS now and can browse it, BUT when using CAS, what 
should the redirect URL be for CAS? https://kanet ip/update.html ? or 
https://kanet ip/login_cas/ ? The first option seems not to respond; Firefox 
says the server is redirecting the request for this address in a way that will 
never complete.

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 1:42

GoogleCodeExporter commented 8 years ago
the address used to authenticate with CAS is:
https://CAS_SERVER/index.jsp?service=https://KANET_PRIVATE_ADDRESS/login_cas/
and if CAS authentication succeeds, you should receive a redirect to 
"captive_portal_page"

Original comment by cymo...@gmail.com on 21 Jun 2012 at 1:52

GoogleCodeExporter commented 8 years ago
OK, I did that and the CAS authentication goes through. I verified in my CAS 
logs that an ST and a TGT are created, and they are, but I am not getting a redirect 
to the captive portal page; it just stays at https://KANET 
IP/login_cas/?ticket=****  See the attached screenshot. Oh, and by the way, when I 
changed the certificate files to .pem format instead of .crt is when it fixed 
the HTTPS issue.

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 2:11

GoogleCodeExporter commented 8 years ago
I see now, it is looking for a module

un 21 09:19:28 SHPWAUTH kanet: [KANET-ERROR] Unable to load module 
/usr/lib/libmod_auth_cas.so in /usr/lib

but within my install it is labeled mod_auth_cas.so, not libmod_auth_cas.so,
or am I missing something?

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 2:20

GoogleCodeExporter commented 8 years ago
CAS authentication is embedded. Did you change your kanet.conf / 
"auth_module_name"?

Original comment by cymo...@gmail.com on 21 Jun 2012 at 2:33

GoogleCodeExporter commented 8 years ago
also try with:

    "cas_url" : "https://login.bshp.edu/"  or 
    "cas_url" : "https://login.bshp.edu/cas/" <- with a final slash
Verify that login.bshp.edu is correctly resolved on the server.

Original comment by cymo...@gmail.com on 21 Jun 2012 at 2:38

GoogleCodeExporter commented 8 years ago
hah!!! All it was was that trailing slash for the CAS server, and also I had 
https://KANET IP/update.html and I changed it to https://kanet ip/www/update.html 
AND IT WORKS!!! OMG, finally, after a week of messing around with it! Awesome!!!

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 2:41

GoogleCodeExporter commented 8 years ago
:D cool ...
Anyway, prefer the proxy mode .. much better!
For next week ;)

Original comment by cymo...@gmail.com on 21 Jun 2012 at 2:44

GoogleCodeExporter commented 8 years ago
Yeah, I'm good for now, lol. Question:

If I wanted to block access to certain ports, I would just add the kanet rules?

Like I want to block SSH, RDP, MySQL, and MSSQL ports; I would just add them to 
kanet-rules, right?

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 2:48

GoogleCodeExporter commented 8 years ago
You don't have to modify kanet-rules but kanet.conf instead. The default 
behavior is to reject all.

Use the blacklist to override rules defined after it, e.g. to block an IP that would be 
open with the generic rule port = 80:
* KANET_ACL_TYPE_BLACKLIST
* KANET_ACL_TYPE_OPEN : is for addresses always open (without authentication), 
useful for CAS, certificate check server, etc ...
* KANET_ACL_TYPE_DEFAULT : the main rules, here you choose what you want to 
open:
    "KANET_ACL_TYPE_DEFAULT": [
        { "port" : 8089 },
        { "port" : 443 },
        { "port" : 80 }
    ],

In that case SSH is not open.
Please close the issue.

Original comment by cymo...@gmail.com on 21 Jun 2012 at 3:02
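The two recurring questions in this thread (do the configured certificate and key paths actually exist, and which ACL section decides whether a given destination is reachable) can both be checked offline before starting the daemon. The following script is an added example, not part of the kanet project: it strips the `/* ... */` comments and trailing commas from a kanet.conf-style file, reports missing or unreadable SSL_CERT_FILE / SSL_KEY_FILE paths, and evaluates a destination against the three ACL lists in the precedence the comment above describes (blacklist first, then open, then default for authenticated users, reject otherwise). That precedence, the exact-match semantics of `address`/`port`, and the trimmed sample configuration below are assumptions made for the example, not kanet's documented behaviour.

```python
import json
import os
import re

# Constructed sample, trimmed from the kanet.conf posted in this thread.
# Note that port 8089 appears in both the blacklist and the default list.
SAMPLE_CONF = r'''
/* Configuration file for kanet */
{
    "SERVER_MODE" : "STANDALONE",
    "SERVER_IP" : "10.200.0.254",
    "SSL_CERT_FILE" : "/etc/kanet/ssl-kanet.crt",
    "SSL_KEY_FILE" : "/etc/kanet/ssl-kanet.key",
    /* blacklist acls: always rejected */
    "KANET_ACL_TYPE_BLACKLIST": [
        { "address" : "127.0.0.1", "port" : 9090 },
        { "port" : 8089 }
    ],
    /* open acls: reachable without authentication */
    "KANET_ACL_TYPE_OPEN": [
        { "address" : "10.200.0.254", "port" : 443 },
        { "address" : "login.bshp.edu", "port" : 443 }
    ],
    /* default acls: reachable once authenticated */
    "KANET_ACL_TYPE_DEFAULT": [
        { "port" : 8089 },
        { "port" : 443 },
        { "port" : 80 }
    ],
}
'''


def strip_comments(text):
    """Remove C-style block comments (kanet.conf is JSON plus /* */ comments)."""
    return re.sub(r"/\*.*?\*/", "", text, flags=re.S)


def strip_trailing_commas(text):
    """Drop a comma that directly precedes a closing brace/bracket."""
    return re.sub(r",(\s*[}\]])", r"\1", text)


def load_conf(text):
    """Parse a kanet.conf-style document into a dict."""
    return json.loads(strip_trailing_commas(strip_comments(text)))


def check_tls_files(conf):
    """Return a list of problems with the configured certificate and key paths."""
    problems = []
    for key in ("SSL_CERT_FILE", "SSL_KEY_FILE"):
        path = conf.get(key)
        if not path:
            problems.append(f"{key} not set")
        elif not os.path.isfile(path):
            problems.append(f"{key}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            problems.append(f"{key}: {path} is not readable by this user")
    return problems


def rule_matches(rule, address, port):
    """A rule matches when every field it specifies equals the destination."""
    if "address" in rule and rule["address"] != address:
        return False
    if "port" in rule and int(rule["port"]) != port:
        return False
    return True


def decide(conf, address, port, authenticated):
    """Return which ACL list decides the destination, or 'reject' if none does.

    Assumed order (from the maintainer's comment): blacklist overrides
    everything, open entries need no login, default entries need a login.
    """
    for rule in conf.get("KANET_ACL_TYPE_BLACKLIST", []):
        if rule_matches(rule, address, port):
            return "blacklist"
    for rule in conf.get("KANET_ACL_TYPE_OPEN", []):
        if rule_matches(rule, address, port):
            return "open"
    if authenticated:
        for rule in conf.get("KANET_ACL_TYPE_DEFAULT", []):
            if rule_matches(rule, address, port):
                return "default"
    return "reject"


if __name__ == "__main__":
    conf = load_conf(SAMPLE_CONF)
    for problem in check_tls_files(conf):
        print("TLS:", problem)
    # 93.184.216.34 is a constructed "somewhere on the internet" destination.
    for addr, port, auth in [("10.200.0.254", 443, False),
                             ("93.184.216.34", 80, False),
                             ("93.184.216.34", 80, True),
                             ("93.184.216.34", 22, True),
                             ("93.184.216.34", 8089, True)]:
        print(f"{addr}:{port} auth={auth} -> {decide(conf, addr, port, auth)}")
```

Running it against the trimmed sample shows the point of the comment: SSH (port 22) is rejected even for an authenticated user because no default rule opens it, and port 8089 is rejected despite its default rule because the blacklist entry wins.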

GoogleCodeExporter commented 8 years ago
OK, thanks.

It will not let me close; it says only project owners can close.

Original comment by jason.ev...@gmail.com on 21 Jun 2012 at 3:07