From ikelemen at negroup.co.uk Wed Nov 12 04:04:03 2008
From: ikelemen at negroup.co.uk (Istvan Kelemen)
Date: Wed, 12 Nov 2008 12:04:03 +0000
Subject: [NoCat] NoCatAuth - Error: Your gateway token is invalid
Message-ID:

Hi All,

I am trying to get a NoCatAuth box working using NoCat 0.82 on a Debian Etch system with Apache 2.2 and SSL. The gateway and the authentication server are installed on the same box. I have been playing around with this for a while, as I encountered several problems, which have eventually been fixed except one that I am sharing with you all, hoping to be given some advice on where to start solving it.

When I try to access a site from a client, the gateway catches my request and redirects it to a login screen, as it is meant to do. When I enter valid credentials I get authenticated against the box (using passwd). However, the pop-up window comes up with an error saying:

Your gateway token is undefined. Problem with gateway?

Apache 2.2 error.log:

SIGTERM, shutting down
[Wed Nov 12 11:43:38 2008] [warn] RSA server certificate CommonName (CN) `The NE Group' does NOT match server name!?
[Wed Nov 12 11:43:38 2008] [warn] RSA server certificate CommonName (CN) `The NE Group' does NOT match server name!?
[Wed Nov 12 11:43:38 2008] [notice] Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c configured -- resuming normal operations
[Wed Nov 12 11:44:27 2008] [error] server reached MaxClients setting, consider raising the MaxClients setting
[2008-11-12 11:44:42] User UNKNOWN from 10.10.50.200 requests form
[2008-11-12 11:44:50] User ikelemen from 10.10.50.200 requests form
[2008-11-12 11:44:50] Request from local ip 10.10.50.200, directing to local gateway 10.10.50.1.
[2008-11-12 11:44:51] Use of uninitialized value in numeric eq (==) at ../lib//NoCat/AuthService.pm line 191.
[2008-11-12 11:44:51] Use of uninitialized value in concatenation (.) or string at ../lib//NoCat/AuthService.pm line 197.
[2008-11-12 11:44:51] Use of uninitialized value in concatenation (.) or string at ../lib//NoCat/AuthService.pm line 197.
[2008-11-12 11:44:51] Gateway returned () for 00:1C:7E:E3:CC:27.
[2008-11-12 11:44:51] Request from local ip 10.10.50.200, directing to local gateway 10.10.50.1.
[2008-11-12 11:44:52] User ikelemen from 10.10.50.200 requests popup
[2008-11-12 11:44:57] User UNKNOWN from 10.10.50.200 requests form

nocat.log:

[2008-11-12 11:44:05] Gateway running on port 5280.
[2008-11-12 11:44:51] gpgv --homedir=/usr/local/nocat/gateway/bin/../pgp 2>/dev/null returned 2
[2008-11-12 11:44:51] Invalid auth message!
[2008-11-12 11:44:51] Can't capture peer 10.10.50.1 without MAC

The log entries do not really tell me anything. If any of you could help me I would really appreciate it, as I am currently stuck at this point and cannot get any further. I have also looked for information on the internet to solve this problem but could not find anything. If the solution is already written down somewhere, then a simple link to it is also welcome.

Thank you for your help in advance.

Cheers,
Istvan

Istvan Kelemen
ICT Engineer - Infrastructure
The NE Group
Edwinstowe House, Centre for Business Excellence, Edwinstowe, Nottinghamshire NG21 9PR
DDI: +44 (0)1623 827953
FAX: +44 (0)1623 824070
WWW: http://www.negroup.co.uk/

From wh at msdrd.com Mon Nov 17 17:24:26 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Mon, 17 Nov 2008 21:24:26 -0400
Subject: [NoCat] splashd Not Redirecting
Message-ID: <4922194A.5080602@msdrd.com>

Hello.

I'm glad I found a mailing list for NoCat; hopefully there are still some users here.

I've been trying to configure nocatsplash for about a month now but can't get it to work on Etch. It captures the packet but it doesn't redirect to the requested page. Can anyone help me with this, please? Your assistance will be very much appreciated.

Thanks in advance for your help.

From whiteca at gmail.com Tue Nov 18 07:07:17 2008
From: whiteca at gmail.com (Colin White)
Date: Tue, 18 Nov 2008 09:07:17 -0600
Subject: [NoCat] splashd Not Redirecting
In-Reply-To: <4922194A.5080602@msdrd.com>
References: <4922194A.5080602@msdrd.com>
Message-ID: <8cf933780811180707o25969c99wd50f006b71cbda64@mail.gmail.com>

Can't speak for nocatsplash, but this was my approach for nocatauth...

1. Make sure your gpg is the same version on the gateway AND the access point. (I had to downgrade both versions of gpg.)

2. Check the location, ownership and file perms (600) of trustedkeys.gpg.

3. Set/sync the system time/date on both the access point and the gateway (if the system time is way out, you'll have problems with PGP keys).

The mailing list seems to suggest ~90% of login loops and redirect failures stem from key or certificate problems.

4. Turn on verbose logging on the AP and the gateway (from within nocat.conf).

5. tail -f the Apache access and ssl-error logs as well as the nocat access point logs.

6. Test, tweak and retest while watching the logs. Then post any logged error messages back to this list.

Good luck

Rgds
Colin

On Mon, Nov 17, 2008 at 7:24 PM, Wilson Hernandez - MSD, S. A. wrote:
> Hello.
>
> I'm glad I found a mailing list for NoCat; hopefully there are still some
> users here.
>
> I've been trying to configure nocatsplash for about a month now but
> can't get it to work on Etch. It captures the packet but it doesn't
> redirect to the requested page. Can anyone help me with this, please? Your
> assistance will be very much appreciated.
>
> Thanks in advance for your help.

--
Colin A. White
P : +1 605 940 5863

From wh at msdrd.com Tue Nov 18 15:52:09 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Tue, 18 Nov 2008 19:52:09 -0400
Subject: [NoCat] splashd Not Redirecting
In-Reply-To: <8cf933780811180707o25969c99wd50f006b71cbda64@mail.gmail.com>
References: <4922194A.5080602@msdrd.com> <8cf933780811180707o25969c99wd50f006b71cbda64@mail.gmail.com>
Message-ID: <49235529.20906@msdrd.com>

Colin,

I am running the gateway on Debian Etch, no RADIUS server, receiving wireless and wired connections from a Linksys router (WRT54G) with dd-wrt, but this router is not running nocat. Can it be run like this?

I do not need authentication of any type, only a splash page where the user must accept an agreement and proceed to the Internet.
When I try to access the internet from the LAN I get this (it captures, but it doesn't get redirected to the page the user first requested):

Message: Read 42 config items from /usr/local/etc/nocat.conf
Message: initializing static splash page
Message: Got command /usr/local/libexec/NoCatSplash/initialize.fw from action ResetCmd
Message: starting main loop
Message: Captured peer 192.168.2.100
Message: Splashed peer 192.168.2.100
Message: Checking peers for expiration
Message: Checking peers for expiration
Message: Checking peers for expiration
Message: Checking peers for expiration
Message: Accepting peer 192.168.2.100
Message: Got command /usr/local/libexec/NoCatSplash/access.fw permit 00:2A:78:3D:58:A7 192.168.2.100 Public from action PermitCmd
Message: Captured peer 192.168.2.100
Message: Splashed peer 192.168.2.100

I created a splash.html:

Here's my nocat.conf file:

##########Nocat.conf file#############
Verbosity 10

##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
# on the splash and status pages. Any short string of text will do.
#
GatewayName Trahersa NoCat Network

##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
# values are:
#
# Open - Simply require a user to view a splash page and accept
# a use agreement.
#
# Only Open mode is currently supported.
#
GatewayMode Open

##
# GatewayLog -- Optional. If unset, messages will go to STDERR.
# (currently unused!)
#
# GatewayLog /var/log/nocat.log

##
# LoginTimeout - Number of seconds after a client's last
# login/renewal to terminate their connection. Probably
# don't want to set this to less than 60 or a lot of
# bandwidth is likely to get consumed by the client's
# renewal attempts.
#
# For Open Mode portals, you probably want to comment out
# the preceding and set LoginTimeout to
# something large (like 86400, for one notification
# per day).
#
LoginTimeout 86400

###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage http://nocat.net/

# DocumentRoot -- Where all of the application templates (including
# SplashPage) are hiding. Can be different from Apache's DocumentRoot.
# Defaults to /usr/local/share/NoCatSplash/htdocs via compile-time option.
#
# DocumentRoot /usr/local/share/NoCatSplash/htdocs

# SplashForm -- Form displayed to users on capture.
#
SplashForm splash.html

# StatusForm -- Page displaying status of logged in users.
# NOT YET IMPLEMENTED.
#
StatusForm status.html

# SplashURL -- URL to fetch remote splash page from. You must compile
# with --with-remote-splash for this to work. SplashTimeout specifies
# the reload period of the remote splash page.
#
# SplashURL http://example.com/get_splash_page.cgi?node=$NodeID
#
# SplashTimeout 21600

###### Active/Passive Portal settings.
# None of these settings affect open mode operation.
#
# TrustedGroups - A list of groups registered with the auth server
# that a user may claim membership in order to gain Member-class
# access through this portal. The default magic value "Any" indicates
# that a member of *any* group is granted member-class access from
# this gateway. NOT YET IMPLEMENTED.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any

##
# Owners - Optional. List all local "owner" class users here, separated
# by spaces. Owners typically get full bandwidth, and unrestricted
# access to all network resources. NOT YET IMPLEMENTED.
#
# Owners rob at nocat.net schuyler at nocat.net

##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
# your authentication service. You must use an IP address
# if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
AuthServiceAddr auth.nocat.net

##
# AuthServiceURL - HTTPS URL to the login script at the authservice.
#
AuthServiceURL https://auth.nocat.net/cgi-bin/login

##
# LogoutURL - HTTP URL to redirect user after logout.
#
LogoutURL https://auth.nocat.net/logout.html

##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
# PGPKeyPath /usr/local/share/NoCatSplash/pgp

### Network Topology
#
# FirewallPath - Where to find the firewall scripts.
# Defaults to /usr/local/libexec/NoCatSplash via compile-time option.
#
# FirewallPath /usr/local/libexec/NoCatSplash

#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
# from looking at your routing tables and picking the interface
# that carries the default route. Must be set to the interface
# connected to the Internet. Usually 'eth0' or 'eth1'
# under Linux, or maybe even 'ppp0' if you're running
# PPP or PPPoE.
#
ExternalDevice eth0

##
# InternalDevice - Required if and only if your machine has more than two
# network interfaces. Must be set to the interface connected to your local
# network, normally your wireless card.
#
InternalDevice eth1

##
# LocalNetwork - Required if and only if NoCatSplash can't figure it out
# by polling the InternalDevice. Must be set to the network
# address and net mask of your internal network. You
# can use the number of bits in the netmask (e.g. /16, /24, etc.)
# or the full x.x.x.x specification.
#
# LocalNetwork 10.0.1.0/24
LocalNetwork 192.168.2.0/24

##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
# specify the address(es) of one or more domain name server on the Internet
# that wireless clients can use to get out. Should be the same DNS that your
# DHCP server hands out.
#
# DNSAddr 111.222.333.444
DNSAddr 196.3.81.5 200.88.127.22

##
# AllowedWebHosts - Optional. List any domains that you would like to
# allow web access (TCP port 80 and 443) BEFORE logging in (this is the
# pre-'skip' stage, so be careful about what you allow.)
#
# AllowedWebHosts nocat.net

##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
# Uncomment this only if you're running a strictly routed network, and
# don't need the gateway to enable NAT for you.
#
# RouteOnly 1

##
# MembersOnly - Optional. Uncomment this if you want to disable public
# access (i.e. unauthenticated 'skip' button access). You'll also want to
# point AuthServiceURL somewhere that doesn't include a skip button (like
# at your own Auth server.)
#
# MembersOnly 1

##
# IncludePorts - Optional. Specify TCP ports to allow access to when
# public class users login. All others will be denied.
#
# For a list of common services and their respective port numbers, see
# your /etc/services file. Depending on your firewall, you might even
# be able to specify said services here, instead of using port numbers.
#
# IncludePorts 22 80 443

##
# ExcludePorts - Optional. Specify TCP ports to denied access to when
# public class users login. All others will be allowed.
#
# Note that you should use either IncludePorts or ExcludePorts, but not
# both. If neither is specified, access is granted to all ports to
# public class users.
#
# You should *always* exclude port 25, unless you want to run an portal
# for wanton spam sending. Users should have their own way of sending
# mail. It sucks, but that's the way it is. Comment this out *only if*
# you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts 25

####### Syslog Options -- alter these only if you want NoCat to log to the
# system log! NOT YET IMPLEMENTED.
#
# Log Facility - syslog or internal. Internal sends log messages
# using the GatewayLog or STDERR if GatewayLog is unset. Syslog
# sends all messages to the system log.
#
# LogFacility internal

##
# SyslogSocket - inet or unix. Inet connects to an inet socket returned
# by getsrvbyname(). Unix connects to a unix domain socket returned by
# _PATH_LOG in syslog.ph (typically /dev/log). Defaults to unix.
#
# SyslogSocket unix

##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
# Defaults to "cons,pid".
#
# SyslogOptions cons,pid

##
# SyslogPriority - The syslog class of message to use: In decreasing importance,
# the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO,
# and DEBUG. Defaults to INFO.
#
# SyslogPriority INFO

##
# SyslogFacility - The facility used to log messages. Defaults to user.
# SyslogFacility user

##
# SyslogIdent - The ident of the program that is calling syslog. This will
# be prepended to every log entry made by NoCat. Defaults to NoCat.
#
# SyslogIdent NoCat

###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
# open and close the firewall. You probably don't need to
# change these.
#
# ResetCmd initialize.fw
# PermitCmd access.fw permit $MAC $IP $Class
# DenyCmd access.fw deny $MAC $IP $Class

##
# GatewayPort - The TCP port to bind the gateway
# service to. 5280 is de-facto standard for NoCatAuth.
# Change this only if you absolutely need to.
#
GatewayPort 5280

##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
# for expiration of idle clients. NOT YET IMPLEMENTED.
#
# MaxMissedARP -- How many times a client can be missing from
# the ARP cache before we assume they've gone away, and log them
# out. Set to 0 to disable logout based on ARP cache expiration.
#
MaxMissedARP 0
#
# IdleTimeout 300

### Fin!

Colin White wrote:
> Can't speak for nocatsplash, but this was my approach for nocatauth...
>
> 1. Make sure your gpg is the same version on the gateway AND the
> access point. (I had to downgrade both versions of gpg.)
>
> 2. Check the location, ownership and file perms (600) of trustedkeys.gpg.
>
> 3. Set/sync the system time/date on both the access point and the gateway (if
> the system time is way out, you'll have problems with PGP keys).
>
> The mailing list seems to suggest ~90% of login loops and redirect
> failures stem from key or certificate problems.
>
> 4. Turn on verbose logging on the AP and the gateway (from within
> nocat.conf).
>
> 5. tail -f the Apache access and ssl-error logs as well as the nocat
> access point logs.
>
> 6. Test, tweak and retest while watching the logs. Then post any
> logged error messages back to this list.
>
> Good luck
>
> Rgds
> Colin

--
Wilson Hernandez
President
829.848.9595
809.766.0441
www.msdrd.com
Conserving the environment

From whiteca at gmail.com Tue Nov 18 19:39:20 2008
From: whiteca at gmail.com (Colin White)
Date: Tue, 18 Nov 2008 21:39:20 -0600
Subject: [NoCat] splashd Not Redirecting
In-Reply-To: <49235529.20906@msdrd.com>
References: <4922194A.5080602@msdrd.com> <8cf933780811180707o25969c99wd50f006b71cbda64@mail.gmail.com> <49235529.20906@msdrd.com>
Message-ID: <8cf933780811181939t471b59a4r65fb7409375aa6a6@mail.gmail.com>

Caveat: I've not worked with nocatsplash, only the older nocatauth. I have no experience with WRT54G/dd-wrt either...

When you follow the README to build nocat you make two pieces. One runs on the router (the gateway), the other runs on the gateway server (authentication, logging etc).

If you want to run nocat in "Open Mode" with no authentication at all, I believe you only need to install NoCat on the dd-wrt router and set the nocat.conf to say "GatewayMode Open".

You DO need to run a nocat daemon on the dd-wrt. This is where the 'capture and release' happens (through iptables).

Rgds
Colin

On Tue, Nov 18, 2008 at 5:52 PM, Wilson Hernandez - MSD, S. A. wrote:
> Colin,
>
> I am running the gateway on Debian Etch, no RADIUS server, receiving
> wireless and wired connections from a Linksys router (WRT54G) with dd-wrt,
> but this router is not running nocat. Can it be run like this?
>
> I do not need authentication of any type, only a splash page where the user
> must accept an agreement and proceed to the Internet.
--
Colin A. White
P : +1 605 940 5863

From wh at msdrd.com Wed Nov 19 11:41:22 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Wed, 19 Nov 2008 15:41:22 -0400
Subject: [NoCat] NoCat and Squid how?
Message-ID: <49246BE2.7040206@msdrd.com>

Hello again.

Now that I finally got NoCat working to my specs I need it to work along with squid3. How can this be done? Anyone got it working with squid?

Thanks in advance for all your help.
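Colin's first three steps (matching gpg versions, trustedkeys.gpg at mode 600, clocks in sync) and the "gpgv ... returned 2" followed by "Invalid auth message!" in Istvan's nocat.log earlier in this thread are consistent with one failure: the gateway never got as far as verifying the auth server's signed message. gpgv(1) exits 0 for a good signature, 1 for a bad one, and with other codes for fatal errors before verification, so a 2 points at the keyring or the gpg install rather than at a tampered message. The script below turns those checks into a reusable preflight. It is an added example for this archive, not from the NoCat project or from any poster; the keyring path (Istvan's path with bin/.. resolved), the AUTH_URL variable and the 300 s skew tolerance are assumptions.

```shell
#!/bin/sh
# nocat_preflight.sh: checks for the key and clock problems Colin lists above.
# Added example for this thread, not part of NoCat.
# Assumptions: PGP_DIR is the gateway's pgp/ directory holding trustedkeys.gpg,
# AUTH_URL is the auth server's HTTPS login URL (used only for its Date header).
PGP_DIR="${PGP_DIR:-/usr/local/nocat/gateway/pgp}"
KEYRING="$PGP_DIR/trustedkeys.gpg"
AUTH_URL="${AUTH_URL:-}"
MAX_SKEW="${MAX_SKEW:-300}"   # seconds of gateway/auth-server clock drift tolerated

# file_mode PATH -> octal permission bits (GNU stat first, BSD stat as fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_keyring_perms PATH -> 0 when PATH is a regular file readable by its
# owner only (mode 600, or 400 for a read-only copy); 1 otherwise.
check_keyring_perms() {
    [ -f "$1" ] || { echo "FAIL: $1 missing" >&2; return 1; }
    m=$(file_mode "$1")
    case "$m" in
        600|400) return 0 ;;
        *) echo "FAIL: $1 has mode $m, want 600" >&2; return 1 ;;
    esac
}

# check_clock_skew REMOTE_EPOCH LOCAL_EPOCH MAX -> 0 when |REMOTE-LOCAL| <= MAX
check_clock_skew() {
    d=$(( $1 - $2 ))
    [ "$d" -lt 0 ] && d=$(( -d ))
    [ "$d" -le "$3" ]
}

# explain_gpgv_status N -> meaning of a gpgv exit status per gpgv(1):
# 0 good signature, 1 bad signature, anything else a fatal error that
# happened before any signature was checked.
explain_gpgv_status() {
    case "$1" in
        0) echo "good signature" ;;
        1) echo "BAD signature: message altered or signed by an untrusted key" ;;
        *) echo "fatal error $1: no usable key in trustedkeys.gpg, unreadable keyring, or gpg version mismatch" ;;
    esac
}

# verify_auth_message FILE -> runs gpgv the way the gateway's log shows it;
# returns gpgv's exit status unchanged
verify_auth_message() {
    gpgv --homedir="$PGP_DIR" "$1" 2>/dev/null
}

main() {
    rc=0
    echo "gpg:  $(gpg --version 2>/dev/null | head -n 1)"
    echo "gpgv: $(gpgv --version 2>/dev/null | head -n 1)"
    check_keyring_perms "$KEYRING" && echo "keyring perms ok" || rc=1
    if [ -n "$AUTH_URL" ]; then
        # Compare the auth server's HTTP Date header with our own clock (GNU date -d).
        remote=$(curl -sI "$AUTH_URL" | sed -n 's/^[Dd]ate: //p' | tr -d '\r')
        r=$(date -d "$remote" +%s 2>/dev/null)
        if [ -n "$r" ] && check_clock_skew "$r" "$(date +%s)" "$MAX_SKEW"; then
            echo "clock ok"
        else
            echo "FAIL: clock skew over ${MAX_SKEW}s or Date header unreadable" >&2
            rc=1
        fi
    fi
    if [ -n "$1" ]; then   # optional: a captured auth message to verify offline
        verify_auth_message "$1"; s=$?
        echo "gpgv status $s: $(explain_gpgv_status "$s")"
        [ "$s" -eq 0 ] || rc=1
    fi
    return $rc
}

# Run only when executed as a script, so the functions can also be sourced.
case "$0" in *nocat_preflight.sh) main "$@" ;; esac
```

Run it on the gateway as the user the gateway runs as (the ownership check in Colin's step 2 is about that user, not root), and on the auth server with PGP_DIR pointing at its own pgp/ directory; if the two gpg version lines differ, that is step 1. A captured auth message can be passed as the first argument to reproduce the "returned 2" outside the gateway and see which of the three fatal-error causes it is.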
From r.santaana at comcast.net Thu Nov 20 18:03:13 2008
From: r.santaana at comcast.net (Ramon Santa Ana)
Date: Thu, 20 Nov 2008 20:03:13 -0600
Subject: [NoCat] Data Transfer Interrupted
Message-ID: <492616E1.4000307@comcast.net>

I was trying to change the AuthServiceAddr dynamically in Captive->capture to
be able to "load balance" between two auth servers. The login page would
appear normally when the value of the AuthServiceAddr is equal to the value
set in nocat.conf. Otherwise, the browser reports a "Data Transfer Interrupted"
error. Any help would be appreciated.

Ramon Santa Ana

From wh at msdrd.com Tue Nov 25 08:47:28 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Tue, 25 Nov 2008 12:47:28 -0400
Subject: [NoCat] Non-Authenticating Splash Page
Message-ID: <492C2C20.5050803@msdrd.com>

Hello.

I would like to know if there is a way of redirecting users to a splash page
every hour and having the user continue browsing the internet without
authenticating or accepting a user agreement?

Thanks.

--

From bdaldal at gmail.com Tue Nov 25 12:08:00 2008
From: bdaldal at gmail.com (systemx)
Date: Tue, 25 Nov 2008 22:08:00 +0200
Subject: [NoCat] NoCat and Squid how?
In-Reply-To: <49246BE2.7040206@msdrd.com>
References: <49246BE2.7040206@msdrd.com>
Message-ID:

Hi,
I use NoCat with Squid3, and I tried to find the same solution; it was not
easy to find. But now it works fine.

Here is my access.fw:

/usr/local/nocat/bin/access.fw

    # $cmd (-A on permit, -D on deny), $match_mac, $ip and $mark are set
    # earlier in access.fw by NoCat.
    # Mark outbound traffic from this node.
    #### add this for squid ### eth0 is my internal network
    iptables -t nat $cmd PREROUTING -i eth0 -p tcp -m tcp -m state --state NEW \
        $match_mac --dport 80 -j REDIRECT --to 3128
    ####
    iptables -t mangle $cmd NoCat $match_mac -s $ip -j MARK --set-mark $mark

    # Mark inbound traffic to this node.
    #### and this for returns
    iptables -t mangle $cmd NoCat -d $ip -j MARK --set-mark $mark
    ####
    iptables -t filter $cmd NoCat_Inbound -d $ip -j ACCEPT

This works with squid3 very fine.
And now I'm trying to combine squid3 with squidguard.
Restarting squid3 takes 30 seconds. It's so long.
I hope squidguard makes it fast.
I never needed squidguard before, and now I think I need it.

How do you block web sites?
How do you allow some special ones?
Is there a better way? Better than squidguard? Or else?

Thanks,
and I hope my access.fw helps you.
Regards.

2008/11/19 Wilson Hernandez - MSD, S. A. :
> Hello again.
>
> Now that I finally got Nocat working to my specs I need it to work along
> with squid3. How can this be done? Anyone got it working with squid?
>
> Thanks in advance for all your help.
>

Bulent DALDAL
.. linux for life ..

From wh at msdrd.com Tue Nov 25 14:55:09 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Tue, 25 Nov 2008 18:55:09 -0400
Subject: [NoCat] Non-Authenticating Splash Page
Message-ID: <492C824D.7060707@msdrd.com>

I am currently running Nocat in open mode but the only way it would work in
open mode is if I have a splash page with a submit button accepting the
agreement (see below). I don't want users to really do that. All I want is a
page to show up every 60 mins and let users click on the splash page's
contents or proceed with whatever they were doing.

Thanks for replying.

Colin White wrote:
> Set the time out to 60 mins and run the gateway in Open mode.
>
> On Tue, Nov 25, 2008 at 10:47 AM, Wilson Hernandez - MSD, S. A. wrote:
>
>     Hello.
>
>     I would like to know if there is a way of redirecting users to a
>     splash page every hour and having the user continue browsing the
>     internet without authenticating or accepting a user agreement?
>
>     Thanks.
>     --
>
> --
> Colin A. White
> P : +1 605 940 5863
>

--
*Wilson Hernandez*
President
829.848.9595
809.766.0441
www.msdrd.com
Preserving the environment

From wh at msdrd.com Tue Nov 25 14:55:42 2008
From: wh at msdrd.com (Wilson Hernandez - MSD, S. A.)
Date: Tue, 25 Nov 2008 18:55:42 -0400
Subject: [NoCat] NoCat and Squid how?
Message-ID: <492C826E.7070704@msdrd.com>

Systemx,

I was able to get squid and nocat working together but not the way you
posted here. All I did was insert my fw script at the end of the
initialize.fw file. The initialize.fw script first flushes all the rules
and restarts all the iptables stuff.

My setup is working; it took me a while to get it working correctly. I
block all traffic I want from within my fw script.

Thanks.

systemx wrote:
> Hi,
> I use NoCat with Squid3,
> and I tried to find the same solution, and it was not easy to find.
>
> But now it works fine.
>
> Here is my access.fw:
>
> /usr/local/nocat/bin/access.fw
>
> # Mark outbound traffic from this node.
> #### add this for squid ### eth0 is my internal network
> iptables -t nat $cmd PREROUTING -i eth0 -p tcp -m tcp -m state \
> --state NEW $match_mac --dport 80 -j REDIRECT --to 3128
> ####
> iptables -t mangle $cmd NoCat $match_mac -s $ip -j MARK --set-mark $mark
>
> # Mark inbound traffic to this node.
> #### and this for returns
> iptables -t mangle $cmd NoCat -d $ip -j MARK --set-mark $mark
> ####
> iptables -t filter $cmd NoCat_Inbound -d $ip -j ACCEPT
>
> This works with squid3 very fine.
>
> And now I'm trying to combine squid3 with squidguard.
> Restarting squid3 takes 30 seconds. It's so long.
> I hope squidguard makes it fast.
> I never needed squidguard before, and now I think I need it.
>
> How do you block web sites?
> How do you allow some special ones?
> Is there a better way? Better than squidguard? Or else?
>
> Thanks,
> and I hope my access.fw helps you.
> Regards.
>
>
> 2008/11/19 Wilson Hernandez - MSD, S. A. :
>> Hello again.
>>
>> Now that I finally got Nocat working to my specs I need it to work along
>> with squid3. How can this be done? Anyone got it working with squid?
>>
>> Thanks in advance for all your help.
>>
>
> Bulent DALDAL
> .. linux for life ..
>

--
*Wilson Hernandez*
President
829.848.9595
809.766.0441
www.msdrd.com
Preserving the environment