[ietf78-tech] nac/portal operator documentation

kemp kemp at network-services.uoregon.edu
Sat Jul 24 16:24:35 PDT 2010


That's

	admin at nac1.meeting.ietf.org (130.129.1.13)
	admin at nac2.meeting.ietf.org (130.129.1.14)

/jgk


kemp wrote:
> Easiest way to verify stuff is: ssh to admin at nac1.portal.ietf.org
> Two most useful scripts are the captivator start/stop script
> and the "fwbr" utility script.  Usage output for each is below.
> 
> /etc/init.d/captivator:
> 
>> Usage: /etc/init.d/captivator {setup|start|stop|save|load|restart|daemon|flush}
>> semantics are as follows:
>>
>> setup:   generate the bridges and attach interfaces
>> stop:    save/stop
>> start:   setup/load/start/connectdb.
>> restart: stop/start
>> save:    fw auth rules state save.
>> load:    fw auth rules load.
>> flush:   flush db, and flush fw auth.
>> cease:   stop without save.
>> daemon:  kill and relaunch db/iptables command daemon.
>>
>> note: to restart mysqld use /etc/init.d/mysqld
> 
> /usr/bin/fwbr:
> 
>> fwbr -- captivator/ipset/database command-line operator tools
>>
>> usage: fwbr [command]
>>
>> commands: list, listv4, listv6  	<-- list the iptables rules
>> commands: matchip {ip} 		<-- list then egrep
>> commands: matchmac {mac} 		<-- list then egrep
>> commands: listdb 			<-- list the mysql database
>> commands: adduser 7804892151 130.129.135.250 01:ab:23:cd:45:ff
> 
> For general verification, I would do things like:
> 
> /usr/bin/fwbr list | less -N
> /usr/bin/fwbr listdb | less -N
> /usr/bin/fwbr matchmac 01:ab:23:cd:45:ff
> 
> ...
> 
> For a failover to nac2 if nac1 dies horribly:
> 
> -- decable nac1 if no reachability to prevent recovery conflicts
> -- if nac1 is reachable, you can do these steps to fail it to passive:
> 
> 	/etc/init.d/captivator stop
> 	/etc/init.d/bridges stop
> 	/etc/init.d/httpd stop
> 	/etc/init.d/httpd2 stop
> 	/etc/init.d/mysqld stop
> 	pkill httpd
> 	pkill httpd2
> 	chkconfig bridges off
> 	chkconfig captivator off
> 	chkconfig httpd off
> 	chkconfig httpd2 off
> 
> -- now you can start nac2
> -- login to admin at nac2.portal.ietf.org and issue these commands:
> 
> 	/etc/init.d/bridges start
> 	/etc/init.d/httpd start
> 	/etc/init.d/httpd2 start
> 	/etc/init.d/captivator start
> 	chkconfig bridges on
> 	chkconfig httpd on
> 	chkconfig httpd2 on
> 	chkconfig captivator on
> 
> That's about it.  We have a manual "adduser", which is what I was
> working on tonight.  Tweaking the Rewrite redirect apache rules is
> the only outstanding issue.  Things should work OK anyway, but this will
> be the high priority task during the morning on Sunday...
> 


-- 
John Kemp
kemp at network-services.uoregon.edu
RouteViews Engineer
541-346-1714


