Antoine Benkemoun's questions

We currently have a NAC server set up to authenticate against a Samba4 AD using the ntlm_auth utility and would like to make it more tolerant to network outages.

Currently, when the NAC loses connectivity to the Samba4 Active Directory, every login attempt fails. This situation used to be acceptable but has become more problematic now that our network topology has changed.

I have added "winbind offline logon = true" in the smb.conf of the NAC and of the Samba4 AD as per the Samba documentation.

In order to test offline authentication, I added two iptables rules that drop all traffic to the Samba4 Active Directory server.

When I try to authenticate using winbind, it works as expected :

16:52:11-root@hq-networkserv@-
/var/log/samba: wbinfo -K COMPANY\\super-user%superpassword
plaintext kerberos password authentication for [COMPANY\super-user%superpassword] succeeded (requesting cctype: FILE)
user_flgs: NETLOGON_CACHED_ACCOUNT
credentials were put in: FILE:/tmp/krb5cc_0

On the other hand, if I try with ntlm_auth using the following options, it fails :

16:52:35-root@hq-networkserv@-
/var/log/samba: ntlm_auth --use-cached-creds  --username=super-user --password=superpassword --domain= COMPANY
NT_STATUS_NO_LOGON_SERVERS: No logon servers (0xc000005e)

The NAC server is joined to the Samba4 domain and everything works just fine as long as connectivity is maintained. I understand that this proposed solution would only allow authentication of previously authenticated clients but that would already be a great improvement.

Is there any way I can get ntlm_auth to authenticate successfully during a period where it is unable to connect to the AD as winbind is able to do ?

The setup

We have a Debian Linux set up with MySQL v5.1.73 (innoDB storage engine) and puppet-dashboard version 1.2.23. As you probably guessed, puppet-dashboard is using MySQL as its backend.

Also, it shouldn't be relevant but this a VMware virtual machine on vSphere 5.5.

The problem

The problem is that, despite the number of puppet nodes and run frequency staying relatively the same, the disk space used by MySQL keeps on increasing in a disturbing fashion to the point where it is now becoming an issue.

The following graph illustrates the issue.

We have put in place the two cron jobs that should allow disk space to be freed. They are the following and both run daily :

• rake RAILS_ENV=production db:raw:optimize
• rake RAILS_ENV=production reports:prune:orphaned upto=3 unit=mon

The drops you can see in the graph are the cron jobs running and eating up more space trying to free some space.

MySQL binary logs are not enabled. 95% of the disk space used on this server is located in the /var/lib/mysql/dashboard_production which is the directory where the MySQL data is stored.

We have had this issue before with a different application (Zabbix monitoring) and had to dump the DB and re-import in order to free up space. This was a very painful process and not a very elegant solution but it ultimately worked.

Is there any way we can reclaim this disk space ? What we can do this stop this behavior ?

Edit 1

We are indeed using innoDB and we are not using configuration directive "innodb_file_per_table".

As requested by Felix, the output of the command is the following :

+----------------------+-------------------+-------------+
| table_schema         | table_name        | data_length |
+----------------------+-------------------+-------------+
| dashboard_production | resource_statuses | 39730544640 |
| dashboard_production | metrics           |   643825664 |
| dashboard_production | report_logs       |   448675840 |
| dashboard_production | timeline_events   |    65634304 |
| dashboard_production | reports           |    50937856 |
| dashboard_production | resource_events   |    38338560 |
| glpidb               | glpi_crontasklogs |    21204608 |
| ocsweb               | softwares         |     8912896 |
| ocsweb               | deploy            |     5044208 |
| phpipam              | logs              |     1269584 |
+----------------------+-------------------+-------------+

Also, I will be trying the reports:prune task without the "orphaned" option as mentionned as well as the other alternatives and will keep this question updated.

Edit 2

I ran the reports:prune rake task and, despite deleting 230000 reports, it kept on eating more space... I will therefore move on to the other options.

The solution

After deleting two thirds of the entries in the database, it only freed up 200MB of disk space which is senseless. We ended up dumping the content and re-importing it taking care to enable "innodb_file_per_table".

We will just have to wait and see if this fixes the solution in the long term but it seems to be the case for the moment.

The setup

We currently have a Freeradius server used to authenticate our Wifi users against our Active Directory server. The link between Freeradius and the Active Directory is done by Winbind.

In order for the user to be able to obtain authorization, it needs to be belong to a group in the Activer Directory. This is done by adding an argument to the ntlm_auth command.

What we are trying to achieve

We are now adding 802.1X to our cabled networks and would like to re-use the existing Radius server to authenticate against the same Active Directory.

Everything will be the same except the authorization will need to be based on whether the user belongs to a different one than that of the Wifi networks.

What we have already tried

I have read many things on freeradius in the documentation and have seen that it is possible to use conditionnals and variables. My plan therefore was to put a variable in the ntlm_auth command that would contain the group SID (as suggested on Freeradius mailing-lists). The group SID would be dependent on the IP of the network device which should be contained in "NAS-IP-Address".

This should just be a case of writing a simple conditionnal statement and setting a variable. Nonetheless, I have not been able to do this as Freeradius will not start everytime I try to add a conditionnal to the configuration files.

So my questions are :

• How do I set a variable in function of the NAS-IP-Address ?

• In which files can such syntax be used ?

The setup

Currently, we have an Apache2 webserver acting as load balancer for our web architecture. The backends are Xen virtual machines accessible via IPv6 for the public Internet and via IPv4 for our VPN. The problem is that the Apache 2 loadbalancer doesn't perform as well as we would like it to so we're switching to nginx.

The configuration

The version of nginx installed is 1.3.10 which was compiled with standard Debian options. We had to go for this version because it was the only one that supports IPv6 backends which is a requirement for these VMs. For the moment, nginx only has one "virtual host" or server block and it is the following.

upstream backend-cookissime-prod  {
  server cookissime-prod.cookissime1.vm.cob:80 max_fails=5;
  server cookissime-prod.cookissime2.vm.cob:80 max_fails=5;
}

server {
  listen 37.59.6.220:80;
#  listen [::]:80;
  server_name www.cookissime.fr;

  access_log  /var/log/nginx/cookissime-prod.log;
  error_log  /var/log/nginx/cookissime-prod.log;

  ## send request back to apache1 ##
  location / {
    proxy_pass  http://backend-cookissime-prod;
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header        Host            $host;
    proxy_set_header        X-Real-IP       $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
   }
}

upstream backend-cookissime-dev  {
  server cookissime-dev.cookissime1.vm.cob:80 max_fails=5;
  server cookissime-dev.cookissime2.vm.cob:80 max_fails=5;
}

There is also a second code block which takes the above information and replaces prod with dev. The domain names cookissime-prod.cookissime1.vm.cob and cookissime-prod.cookissime2.vm.cob resolve to an IPv6 on our internal DNS.

The problem

The above configuration seems to be good syntax-wise. The problem is that most of the time, this configuration displays the default "Welcome to nginx" page but sporadically it will display the website for a few minutes then return to the default page.

This very setup works correctly with Apache2 so the virtual machines are functionnal.

What am I missing ? What could cause these problems ?

In order to avoid having to setup a NAS system, I am considering the possibility of setting up a dual-primary with DRBD to handle RAID1 over IP.

Concerning filesystems, I know of OCFS and GFS as distributed filesystem. I am leaning towards OCFS as that seems like the more reliable option.

Do you have any production experience with such a system ? Am I heading towards trouble ? What should I expect/plan ?

We have a number of Soekris boxes running Debian Squeeze. They were installed through an automated process consisting of using deboostrap and copying it unto a Compact Flash card. We use puppet to manage the configuration of all these boxes.

Before Debian Squeeze, they were running Voyage Linux which is just a "lighter" version of Debian. Since we have switched, we're seeing the /lib/udev/net.agent process take up an aweful lot of CPU. We have so far been unable to find any clue as to what this really does and why it's taking up some much CPU time.

In htop we see the following :

We are seeing absolutly no syslog messages related to this process so we're a bit lost... So, I am looking for pointers as to what this process does in general and what could be the potential cause of such CPU usage.

EDIT :

My /etc/network/interfaces is the following :

auto eth0
iface eth0 inet dhcp
       up iptables-restore < /etc/iptables.conf

auto br0
iface br0 inet static
       address 192.168.51.1
       netmask 255.255.255.0
       network 192.168.51.0
       broadcast 192.168.51.255
       bridge_ports eth1 eth3

EDIT2 :

After doing a bit more investigation, this issue only comes up after somewhere around 6 days and is solved for another 6 days by just rebooting the system. Now it makes even less sense. I would like to avoid scheduling a reboot every few days as this doesn't sound like a decent solution.

EDIT3 :

This doesn't seem to happen on a regular frequency as it just happened after 3 days.

Context

The company sells access to a sort of cash register web application. Access to the application is given through a VPN. The VPN entrypoint for the clients is a Soekris board running Voyage Linux (a trimmed down version of Debian). These boards have run for 3 years MySQL with replication and a RoR application stack.

The storage support for these boards is a Compact Flash 4GB card.

The problem

We are getting regular errors and random application crashes on these boards. The most frequent errors are the following :

Aug 24 14:54:44 box45 puppetd[3669]: Could not run Puppet::Network::Client::Master: Stale NFS file handle - /var/lib/puppet/state/state.yaml

Aug 24 13:37:01 box76 kernel: [ 2091.575622] EXT2-fs error (device hda1): read_block_bitmap: Cannot read block bitmap - block_group = 30, block_bitmap = 983040

If these were HDD-based, I would run SMART monitoring tools to check for bad sectors and general disk health. Except, due to them being CF cards, I am in the dark and have difficulty measuring how bad (or good !) the situation is.

What can I do to monitor the health of these cards and measure their health ? I insist on "measure" as I need to give some hard facts that will eventually motivate the change of all the CF cards.

And to make things a little more complex, I do not have physical access to the Soekris boards so all this needs to be remote.

I am trying to create a user with Puppet but everything I have been trying has failed.

I am trying to create a user named "capistrano" that will be placed in the "www-data" group. I have done the following configuration.

class capistranoDeps::user {
    user { "capistrano":
        ensure => present,
        comment => "Capistrano user",
        gid => 33,
        shell => "/bin/bash",
        require => Group["capistrano"],
    }
    group {"capistrano":
        ensure => present,
    }
}


class capistranoDeps::config {
    require capistranoDeps::user
    # Set permissions on webserver directories
    file {"/var/www/":
        ensure => directory,
        owner  => "capistrano",
        group  => "www-data",
        mode   => "775",
    }
...
}
class capistranoDeps {
    require tools
    include capistranoDeps::user,capistranoDeps::config
}

When I try to execute this config on my host, I get the following error :

root@app1:/etc/openvpn# puppet agent --server=puppet.domain --no-daemonize --verbose
notice: Starting Puppet client version 2.6.2
info: Caching catalog for app1.domain
err: Could not run Puppet configuration client: Could not find user capistrano

The user has not already been created on the host as it is Puppet's job to do so. The examples I have found all over seem to be the same as this but since this isn't working, I am definitely missing something.

I am trying to configure Apache Virtual Hosts with Puppet and have been trying different things with little success.

I have defined a node as the following :

node 'test1.cob' inherits serveurClient {
        $smcvhost = 'all'
}

The serveurClient class includes the apache class. This works fine as Apache gets installed and all the configuration gets applied correctly, except the virtual hosts.

The configuration relating to the virtual hosts is the following :

class apache::config {
    File{
        require => Class["apache::install"],
        notify  => Class["apache::service"],
        ensure  => present,
        owner   => "www-data",
        group   => "www-data",
        mode    => 755
    }
    ...
    if ( $smcvhost == 'belleville' ) or ( $smcvhost == 'all' ) {
        apache::smcvhost{'belleville':
            client => 'belleville',
        }
    }
    ...
}

The apache::smcvhost definition works correctly because if I specify it directly in the node without the condition, the virtual host gets created correctly with no errors. If I remove the if statement, it will also get created correctly. I have tried only specifying the second condition but that did not make it work.

When this fails to be executed, I do not get any error. The puppet report just ignores this configuration part.

I am thinking that this is some sort of variable scoping problem but from what I have read, this practice seems correct and I imagine puppet would give me some error if I tried to evaluate a non-existing variable.

I would like Nagios to execute a Bash command/script when it detects a host down or up. This would allow me to react to down hosts to some degree which would be very interesting.

How would I do this ?

The setup

The setup is very simple and straightforward. It's a pair of Debian servers with a Gigabit link in between. MySQL is stable Debian Lenny version and OS is Debian Lenny.

Configuration

The dump has been inserted on both nodes and replication has been activated.

The "SHOW MASTER STATUS" commands on the master gives the following information :

+------------------+----------+--------------------------------------------------------------------------------------------------------------------------------+------------------+
| File             | Position | Binlog_Do_DB                                                                                                                   | Binlog_Ignore_DB |
+------------------+----------+--------------------------------------------------------------------------------------------------------------------------------+------------------+
| mysql-bin.000025 |       98 | smc, smc_allais, smc_montgenevre, smc_preprod, smc_resto, smc_resto, smc_richermoz, smc_sct, smc_skd, smc_skishop, smc_skiteam |                  | 
+------------------+----------+--------------------------------------------------------------------------------------------------------------------------------+------------------+

The "SHOW SLAVE STATUS" command on the slave gives the following information :

*************************** 1. row ***************************
             Slave_IO_State: Waiting for master to send event
                Master_Host: 188.165.xxx.xxx
                Master_User: bdd1
                Master_Port: 3306
              Connect_Retry: 10
            Master_Log_File: mysql-bin.000025
        Read_Master_Log_Pos: 98
             Relay_Log_File: mysqld-relay-bin.000003
              Relay_Log_Pos: 235
      Relay_Master_Log_File: mysql-bin.000025
           Slave_IO_Running: Yes
          Slave_SQL_Running: Yes
            Replicate_Do_DB: smc, smc_allais, smc_montgenevre, smc_preprod, smc_resto, smc_resto, smc_richermoz, smc_sct, smc_skd, smc_skishop, smc_skiteam
        Replicate_Ignore_DB: 
         Replicate_Do_Table: 
     Replicate_Ignore_Table: 
    Replicate_Wild_Do_Table: 
Replicate_Wild_Ignore_Table: 
                 Last_Errno: 0
                 Last_Error: 
               Skip_Counter: 0
        Exec_Master_Log_Pos: 98
            Relay_Log_Space: 235
            Until_Condition: None
             Until_Log_File: 
              Until_Log_Pos: 0
         Master_SSL_Allowed: Yes
         Master_SSL_CA_File: /etc/mysql/ca-cert.pem
         Master_SSL_CA_Path: 
            Master_SSL_Cert: /etc/mysql/client-cert.pem
          Master_SSL_Cipher: 
             Master_SSL_Key: /etc/mysql/client-key.pem
      Seconds_Behind_Master: 0

The "SHOW PROCESSLIST" command on the slave gives the following information :

+-----+-------------+-----------+-------------+---------+------+-----------------------------------------------------------------------+------------------+
| Id  | User        | Host      | db          | Command | Time | State                                                                 | Info             |
+-----+-------------+-----------+-------------+---------+------+-----------------------------------------------------------------------+------------------+
| 366 | root        | localhost | smc_preprod | Query   |    0 | NULL                                                                  | show processlist | 
| 369 | system user |           | NULL        | Connect | 1097 | Waiting for master to send event                                      | NULL             | 
| 370 | system user |           | NULL        | Connect | 1096 | Has read all relay log; waiting for the slave I/O thread to update it | NULL             | 
+-----+-------------+-----------+-------------+---------+------+-----------------------------------------------------------------------+------------------+

The "SHOW PROCESSLIST" on the master gives the following information :

+-----+------+----------------------+-------------+-------------+------+----------------------------------------------------------------+------------------+
| Id  | User | Host                 | db          | Command     | Time | State                                                          | Info             |
+-----+------+----------------------+-------------+-------------+------+----------------------------------------------------------------+------------------+
| 410 | user | 91.121.xx.xx:45479   | smc_allais  | Sleep       |   42 |                                                                | NULL             | 
| 415 | user | 91.121.xx.xx:45481   | smc_preprod | Sleep       | 1463 |                                                                | NULL             | 
| 420 | user | 91.121.xx.xx:46106  | smc_preprod | Sleep       | 1528 |                                                                | NULL             | 
| 432 | user | 91.121.xx.xx:46155 | NULL        | Binlog Dump | 1114 | Has sent all binlog to slave; waiting for binlog to be updated | NULL             | 
| 434 | user | 91.121.xx.xx:60088  | smc_allais  | Sleep       |   79 |                                                                | NULL             | 
| 453 | user | localhost            | smc_preprod | Query       |    0 | NULL                                                           | show processlist | 
+-----+------+----------------------+-------------+-------------+------+----------------------------------------------------------------+------------------

EDIT - Logs

In the slave logs, I get the following information :

Oct 27 11:48:37 bdd2 mysqld[28477]: 101027 11:48:37 [Note] Slave SQL thread initialized, starting replication in log 'mysql-bin.000027' at position 98, relay log './mysqld-relay-bin.000001' position: 4
Oct 27 11:48:37 bdd2 mysqld[28477]: 101027 11:48:37 [Note] Slave I/O thread: connected to master '[email protected]:3306',  replication started in log 'mysql-bin.000027' at position 98

EDIT - Disk space

Disk space on both servers is sufficient. MySQL is in /data for bdd1 and in /home for bdd2.

bdd1:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/md1               20G  3.4G   16G  19% /
tmpfs                 5.9G     0  5.9G   0% /lib/init/rw
udev                   10M  2.8M  7.3M  28% /dev
tmpfs                 5.9G     0  5.9G   0% /dev/shm
/dev/md2               51G  2.7G   48G   6% /data

bdd2:~# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/md1               10G  2.6G  6.9G  27% /
tmpfs                 5.9G     0  5.9G   0% /lib/init/rw
udev                   10M  2.8M  7.3M  28% /dev
tmpfs                 5.9G     0  5.9G   0% /dev/shm
/dev/md2               64G  8.0G   53G  14% /home

Considering the above information, everything seems to be running perfectly fine yet in reality no data gets copied over. I modify the master database and no changes show up on the slave database.

What am I doing wrong ?

The Setup

I have an OpenVPN server that acts as a central router. It is configured with "topology subnet" command. Clients are Debian Linux nodes and each have one (or more) subnets directly connected to them.

The objective is for any client connected to the VPN to be able to access the subnets connected behind each other client.

In order to spread the routing information, we have installed Quagga on the clients and on the server. This works fine using the OSPF daemon. Routing is enabled on all the clients and the server as well.

Routing table

The routing table on the server is the following :

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.2.10.1       10.8.0.4        255.255.255.255 UGH   20     0        0 tun0
192.168.100.0   10.8.0.4        255.255.255.0   UG    20     0        0 tun0
192.168.1.0     10.8.0.4        255.255.255.0   UG    20     0        0 tun0

The subnet I want to access is 192.168.100.0/24. The gateway in question responds perfectly fine and I can connect to it alright.

I don't think this will be of any use but here is part of the client routing table :

10.2.10.1       0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0

Where things start going south

Pinging from the server (10.8.0.1) to any hosts (including the VPN client interface) in the 192.168.100.0/24 subnet fails. If I tcpdump the tun interface on the VPN client, I see no relevant package. If I tcpdump the tun interface on the VPN server, I see the package in question being sent out.

The real edgy thing is that when I traceroute to a valid IP in the 192.168.100.0 subnet, it doesn't discover any hops (there should be just one). If I traceroute directly to the next hop (10.8.0.4), it responds fine.

I really hope I am being clear as this is quite a complex problem. I'll be happy to provide extra information at your request.

I am needing help in the configuration process of my Cisco ASA 5510. I have set up 4 Cisco ASA interconnected together via a big LAN. Each Cisco ASA has 3 or 4 LANs attached to them. The IP routing part is taken care of by OSPF. My problem is on another level.

A computer connected to one of the LANs attached to an ASA has no problem communicating with the outside world. The outside world being anything "after" the ASA. My problem is that I am completely unable to have them communicate with another LAN connected to the same ASA. To rephrase this, I am unable to send traffic from one interface of a given ASA to another interface of the same ASA.

My configuration is the following :

!
hostname Fuji
!
interface Ethernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0  no shutdown
!
interface Ethernet0/1
 speed 100
 duplex full
 nameif cs4  no shutdown
 security-level 100
 ip address 10.1.4.1 255.255.255.0
! 
interface Ethernet0/2  
speed 100  
duplex full  
no shutdown 
!
interface Ethernet0/2.15  vlan 15
 nameif cs5
 security-level 100
 ip address 10.1.5.1 255.255.255.0
!
interface Ethernet0/2.16  vlan 16
 nameif cs6
 security-level 100
 ip address 10.1.6.1 255.255.255.0
!
interface Management0/0
 speed 100
 duplex full
 nameif management
 security-level 100
 ip address 10.6.0.252 255.255.255.0
!
access-list nat_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list acl_cs4 extended permit ip 10.1.4.0 255.255.255.0 any
access-list nat_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list acl_cs5 extended permit ip 10.1.5.0 255.255.255.0 any
access-list nat_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
access-list acl_cs6 extended permit ip 10.1.6.0 255.255.255.0 any
!
access-list nat_outside extended permit ip any any
access-list acl_outside extended permit ip any 10.1.4.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.5.0 255.255.255.0
access-list acl_outside extended permit ip any 10.1.6.0 255.255.255.0
!
nat (outside) 0 access-list nat_outside
nat (cs4) 0 access-list nat_cs4
nat (cs5) 0 access-list nat_cs5
nat (cs6) 0 access-list nat_cs6
!
static (outside,cs4) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs5) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
static (outside,cs6) 0.0.0.0 0.0.0.0 netmask 0.0.0.0
!
static (cs4,outside) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs5) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
static (cs4,cs6) 10.1.4.0 10.1.4.0 netmask 255.255.255.0
!
static (cs5,outside) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs4) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
static (cs5,cs6) 10.1.5.0 10.1.5.0 netmask 255.255.255.0
!
static (cs6,outside) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs4) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
static (cs6,cs5) 10.1.6.0 10.1.6.0 netmask 255.255.255.0
!
access-group acl_outside in interface outside
access-group acl_cs4 in interface cs4
access-group acl_cs5 in interface cs5
access-group acl_cs6 in interface cs6
!
router ospf 1
 network 10.0.0.0 255.255.255.0 area 1
 network 10.1.4.0 255.255.255.0 area 1
 network 10.1.5.0 255.255.255.0 area 1
 network 10.1.6.0 255.255.255.0 area 1
 log-adj-changes
!

There is nothing really complicated in this configuration. It just NATs from one interface to another and that's it. I have tried enabling same-security-traffic permit inter-interface but that doesn't help.

I therefore must be missing something a little bit more complicated. Does anyone know why I cannot foward traffic from one interface to another ?

Thank you in advance for your help,

Antoine

This seemed to me like a really simple question that I would be able to answer by myself but I have not been able to find any info on this subject.

I have a Cisco ASA 5510 which has 4 FastEthernet interfaces. I was wondering if it would be possible to use 2 or 3 of these interfaces as a port-channel in order to agregate bandwidth for multiple VLANs.

I have found no info on the Cisco website nor on Google. Is this just a stupid/crazy idea or am I missing something ?

Thank you in advance for your help,

Antoine

Edit : I checked the Cisco ASA command reference guide and there is no port-channel command...

I am currently planning to implement 802.1X authentication for all the wired computers at the office where I work at currently.

We have successfully implemented 802.1X authentication with login/password credentials. It authenticates against a RADIUS server. The RADIUS server is a Microsoft IAS.

Alongside the wired network, we have an ARUBA wifi controller which does 802.1X authentication with certificates.

We are wishing to use the same certificates to authenticate wired computers. This just does not seem to work. The problem seems to be at the Cisco switch level. The computer sends the credentials to the switch but the switch just ends the EAP session with an error. The RADIUS server is never contacted.

There my question is the following : do Cisco switches support 802.1X EAP authentication with certificates ? If yes, what are the specifics to this type of setup ?

Thank you in advance for your help,

Antoine

I am working on setting up new web proxies at my job. We were initialy planning on buying Blue Coat proxys but the economic downturn came along and we're not buying them anymore...

The great feature that these proxys had was that they offered the possibility to authenticate users against several LDAP proxies. For example, a certain subnet of users authenticate against a specific LDAP serve while another subnet of users authenticate against another LDAP server.

Is this possible using open source software such as Squid ? I really like Pfsense because the interface is really simple and pretty, would it be possible to do such thing with it ?

Thank you in advance for your help,

Antoine

I am planning an new network. All the traffic coming out of this network will be fowarded into a VPN in order to exit out onto the Internet on a distant server. This will be done via OpenVPN. There will be only one tunnel.

We're looking at a very high speed Internet connection with a downstream speed of 100 Mbit/s and an upstream speed of 5 Mbit/s.

What sort of hardware will I need to support such speeds ? Are there any thumb rules for hardware sizing of OpenVPN servers ?

Will an atom board be sufficient ? What about an AMD Geode 800Mhz ?

Thank you in advance for your help,