Did the files given shed any light on these violations retriggering?

Cheers,
Andi

-----Original Message-----
From: Morris, Andi [mailto:[email protected]]
Sent: 15 February 2012 10:33
To: [email protected]
Subject: Re: [Packetfence-users] Violations retriggering & vlans still not quite behaving correctly

Hi Francois,
Thanks for looking at the logs.

Yesterday afternoon I had a bit of a brainwave and found where the problem lay 
with the clients booting into the registration vlan.
On the switch I have a line in the interface config, 'authentication event 
no-response action authorize vlan 704'.  This puts any non-dot1x supplicant 
into the registration vlan so that it can access a ringfenced network and 
download the dot1x configuration tool.  For some reason, with that line in, the 
supplicant times out on boot.  If I remove that line the registered supplicant 
goes into the production vlan every time.  So I need to do some research and 
try and find out why this is happening at the switch level.

As for the violations, below are the relevant sections of violations.conf:
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
button_text=Enable Network
snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
# vlan: The vlan parameter allows you to define in what vlan a node with a 
# violation will be put in.
# accepted values are the vlan names: isolationVlan, normalVlan, 
# registrationVlan, macDetectionVlan, guestVlan,
#                                     customVlan1, customVlan2, customVlan3, 
#                                     customVlan4, customVlan5
# (see switches.conf)
vlan=isolationVlan

............................

# 4000000 - 4099999 Custom violations
[4000001]
desc=SoH No antivirus enabled
url=/remediation.php?template=noantivirus
actions=email,log,trap
enabled=Y
#max-enable=1
trigger=soh::2
priority=3

[4000002]
desc=SoH Antivirus out-of-date
enabled=Y
actions=email,log,trap
url=/remediation.php?template=avoutofdate
trigger=soh::3

[4000003]
desc=SoH Windows Updates
enabled=Y
actions=email,log,trap
url=/remediation.php?template=wupdate
trigger=soh::4
priority=5

[4000004]
desc=SoH Firewall
enabled=Y
actions=email,log,trap
priority=8
url=/remediation.php?template=firewall
trigger=soh::5

[4000005]
desc=SoH No Spyware
enabled=Y
actions=email,log,trap
priority=8
url=/remediation.php?template=nospyware
trigger=soh::6

[4000006]
desc=SoH Spyware out of date
enabled=Y
actions=email,log,trap
priority=8
url=/remediation.php?template=spyoutofdate
trigger=soh::7


The SoH declarations in the web interface are:
Filter: No Antivirus
Action: Trigger Violation 4000001
Conditions: Anti-virus is not installed

Filter: AVoutofdate
Action: Trigger violation 4000002
Conditions: Anti-virus is not up-to-date

Filter: WUpdates
Action: Trigger Violation 4000003
Conditions: Security updates is not up-to-date

Filter: Firewall
Action: Trigger violation 4000004
Conditions: Firewall is not enabled

Filter: NoSpyware
Action: Trigger violation 4000005
Conditions: Antispyware is not installed

Filter: Spyoutofdate
Action: Trigger violation 4000006
Conditions: Anti-spyware is not up-to-date

I don't know if there's a better way I could've sent you these.

Cheers,
Andi
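As an added example (not code from the thread or from the PacketFence project), the check below lints a violations.conf excerpt of the shape posted above against the SoH filter -> violation mappings, assuming, as the excerpt suggests, that keys in [defaults] apply to any violation that does not override them, and that an SoH filter fires a trigger of the form soh::N. It reports the settings each enabled violation actually runs with, a commented-out key that is misspelt relative to its [defaults] counterpart (so the default silently stays in force), and filters pointing at missing or disabled violations.

```python
import configparser
import re

# Constructed excerpt modelled on the posted violations.conf: the two enabled
# violations inherit max_enable=3 from [defaults]; the third is left disabled.
SAMPLE_CONF = """[defaults]
max_enable=3
auto_enable=Y
enabled=N
grace=120m
[4000001]
enabled=Y
#max-enable=1
trigger=soh::2
[4000002]
enabled=Y
trigger=soh::3
[4000003]
trigger=soh::4
"""
# Constructed SoH filter -> violation mapping, shaped like the posted web-interface entries.
SAMPLE_FILTERS = {"No Antivirus": "4000001", "AVoutofdate": "4000002", "WUpdates": "4000003"}
TRIGGER_RE = re.compile(r"^soh::\d+$")
COMMENTED_KEY_RE = re.compile(r"^#\s*([\w-]+)\s*=")


def lint(text, filters):
    """Return (effective, problems): merged settings per enabled violation, plus inconsistencies."""
    cp = configparser.ConfigParser(default_section="defaults", interpolation=None)
    cp.read_string(text)
    known, effective, problems = set(cp.defaults()), {}, []
    # A commented key differing from a [defaults] key only by '-' vs '_' has no effect.
    for line in text.splitlines():
        m = COMMENTED_KEY_RE.match(line.strip())
        if m and m.group(1) not in known and m.group(1).replace("-", "_") in known:
            problems.append(f"'{m.group(1)}' is commented out and misspelt; the key is '{m.group(1).replace('-', '_')}'")
    for vid in cp.sections():
        v = cp[vid]
        if v.get("enabled", "N").upper() != "Y":
            continue
        if not TRIGGER_RE.match(v.get("trigger", "")):
            problems.append(f"{vid}: enabled but trigger '{v.get('trigger', '')}' is not soh::N")
        effective[vid] = {k: v.get(k) for k in ("trigger", "max_enable", "auto_enable", "grace")}
    # Each SoH filter must point at a violation that exists and is enabled.
    for name, vid in filters.items():
        if not cp.has_section(vid):
            problems.append(f"filter '{name}' -> {vid}: no such violation section")
        elif cp[vid].get("enabled", "N").upper() != "Y":
            problems.append(f"filter '{name}' -> {vid}: violation is disabled, so the filter never fires")
    return effective, problems
```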




-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: 15 February 2012 03:49
To: [email protected]
Subject: Re: [Packetfence-users] Violations retriggering & vlans still not quite behaving correctly

Hi Andi,

I looked at the debug and in no situation did RADIUS return the registration 
VLAN.  I only see 705 and 721.

For the soh violation, something appears to be wrong with the filters.
Can you show me your filters?  Did you reload the violations after 
updating/changing the filters?

On 12-02-10 5:36 AM, Morris, Andi wrote:
> Hi Francois, thanks for looking into this.
> Here is the debug output, it is quite long sorry.  The processes that were 
> taking place during this time were:
> Power on registered laptop
> Plug in network cable - received production vlan (this is the first this has happened!!!!!)
> Unplugged cable and replugged - received production vlan (wow it's working!!!)
> Rebooted laptop - received registration vlan ( !£&^!$*&)
> Unplugged cable and replugged - received production vlan.

--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130)  ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
________________________________

>From 1st November 2011 UWIC changed its title to Cardiff Metropolitan
>University. From the 6th December, as part of this change, all email
>addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk.
>All emails sent from Cardiff Metropolitan University will now be sent
>from the new @cardiffmet.ac.uk address. Please could you ensure that
>all of your contact records and databases are updated to reflect this
>change. Further information can be found on the website
>here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>

