[ietf78-tech] nac/portal operator documentation

kemp kemp at network-services.uoregon.edu
Sat Jul 24 16:23:02 PDT 2010


Easiest way to verify stuff is: ssh to admin at nac1.portal.ietf.org
Two most useful scripts are the captivator start/stop script
and the "fwbr" utility script.  Usage output for each is below.

/etc/init.d/captivator:

> Usage: /etc/init.d/captivator {setup|start|stop|save|load|restart|daemon|flush}
> semantics are as follows:
> 
> setup:   generate the bridges and attach interfaces
> stop:    save/stop
> start:   setup/load/start/connectdb.
> restart: stop/start
> save:    fw auth rules state save.
> load:    fw auth rules load.
> flush:   flush db, and flush fw auth.
> cease:   stop without save.
> daemon:  kill and relaunch db/iptables command daemon.
> 
> note: to restart mysqld use /etc/init.d/mysqld

/usr/bin/fwbr:

> 
> fwbr -- captivator/ipset/database command-line operator tools
> 
> usage: fwbr [command]
> 
> commands: list, listv4, listv6  	<-- list the iptables rules
> commands: matchip {ip} 		<-- list then egrep
> commands: matchmac {mac} 		<-- list then egrep
> commands: listdb 			<-- list the mysql database
> commands: adduser 7804892151 130.129.135.250 01:ab:23:cd:45:ff

For general verification, I would do things like:

/usr/bin/fwbr list | less -N
/usr/bin/fwbr listdb | less -N
/usr/bin/fwbr matchmac 01:ab:23:cd:45:ff

...

For a failover to nac2 if nac1 dies horribly:

-- disconnect (de-cable) nac1 if it is unreachable, to prevent recovery conflicts
-- if nac1 is reachable, you can do these steps to fail it to passive:

	/etc/init.d/captivator stop
	/etc/init.d/bridges stop
	/etc/init.d/httpd stop
	/etc/init.d/httpd2 stop
	/etc/init.d/mysqld stop
	pkill httpd
	pkill httpd2
	chkconfig bridges off
	chkconfig captivator off
	chkconfig httpd off
	chkconfig httpd2 off

-- now you can start nac2
-- login to admin at nac2.portal.ietf.org and issue these commands:

	/etc/init.d/bridges start
	/etc/init.d/httpd start
	/etc/init.d/httpd2 start
	/etc/init.d/captivator start
	chkconfig bridges on
	chkconfig httpd on
	chkconfig httpd2 on
	chkconfig captivator on
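The two command lists above are easy to get out of order by hand, so here is the same failover wrapped in a small shell script. This is an added example, not part of the original message or the portal's own tooling; the service names and hostnames are the ones listed above, while the dry-run mode (NAC_DRY_RUN), the recorded command trace, and the passive-side post-check are assumptions added here so the sequence can be reviewed on a workstation before it is run on nac1 or nac2.

```shell
#!/bin/sh
# Added example, not from the original post: wraps the manual nac1 -> nac2
# failover steps. Set NAC_DRY_RUN=1 to record the commands in NAC_TRACE
# instead of executing them (assumption added here for review/testing).

NAC_TRACE=""

# Execute a command, or append it to NAC_TRACE in dry-run mode.
run() {
    if [ -n "${NAC_DRY_RUN:-}" ]; then
        NAC_TRACE="${NAC_TRACE}$*
"
        return 0
    fi
    "$@"
}

# Fail the active node to passive. Order matters: the captivator stop saves
# the fw auth-rule state first, then the bridges it was attached to go down,
# then the web front ends and the database. Boot-time enablement is turned
# off last so the node cannot come back active on its own after a reboot.
nac_fail_to_passive() {
    NAC_TRACE=""
    for svc in captivator bridges httpd httpd2 mysqld; do
        run /etc/init.d/$svc stop || return 1
    done
    # pkill returns non-zero when nothing matched; that is fine here.
    run pkill httpd || true
    run pkill httpd2 || true
    for svc in bridges captivator httpd httpd2; do
        run chkconfig $svc off || return 1
    done
}

# Bring the standby node active: bridges first, then the web front ends,
# then captivator (whose start does setup/load/start/connectdb).
nac_activate() {
    NAC_TRACE=""
    for svc in bridges httpd httpd2 captivator; do
        run /etc/init.d/$svc start || return 1
    done
    for svc in bridges httpd httpd2 captivator; do
        run chkconfig $svc on || return 1
    done
}

# Post-check for the passive side (assumed here, not from the message):
# returns 0 only if no httpd is left running and nothing is re-enabled
# at boot, so the old active node cannot fight the new one after a reboot.
nac_passive_check() {
    rc=0
    if pgrep -x httpd >/dev/null 2>&1; then
        echo "httpd still running"; rc=1
    fi
    for svc in bridges captivator httpd httpd2; do
        # "chkconfig <name>" exits 0 when the service is on in this runlevel
        if chkconfig "$svc" 2>/dev/null; then
            echo "$svc still enabled at boot"; rc=1
        fi
    done
    return $rc
}

# Usage:  sh nac-failover.sh passive   (on nac1, after it is reachable)
#         sh nac-failover.sh activate  (on nac2)
case "${1:-}" in
    passive)  nac_fail_to_passive && nac_passive_check ;;
    activate) nac_activate ;;
esac
```

Run the passive side with NAC_DRY_RUN=1 first and read NAC_TRACE to confirm the order before doing it for real; the post-check is what tells you nac1 is safe to leave on the wire while nac2 takes over.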

That's about it.  We have a manual "adduser", which is what I was
working on tonight.  Tweaking the Rewrite redirect apache rules is
the only outstanding issue.  Things should work OK anyway, but this will
be the high priority task during the morning on Sunday...

-- 
John Kemp
kemp at network-services.uoregon.edu
RouteViews Engineer
541-346-1714
