Hi Andi,

The debug files you sent us do not match the violation IDs....

Example:
Feb 10 09:44:20 pf::WebAPI(27348) INFO: MAC 00:24:54:42:86:04 matched filter NoAntivirus (pf::soh::evaluate)
Feb 10 09:44:20 pf::WebAPI(27348) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=4000003,mac=00:24:54:42:86:04' (trigger soh::4)

[4000003]
desc=SoH Windows Updates
...
trigger=soh::4

That said, I believe you did not reload the violations. Can you give us 
updated logs that represent the actual filters?  Please reload 
PacketFence before doing your tests (service packetfence restart).

Thanks.

On 12-02-20 8:35 AM, Morris, Andi wrote:
> Did the files given shed any light on these violations retriggering?
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 15 February 2012 10:33
> To: [email protected]
> Subject: Re: [Packetfence-users] Violations retriggering & vlans still not quite behaving correctly
>
> Hi Francois,
> Thanks for looking at the logs.
>
> Yesterday afternoon I had a bit of a brainwave and found where the problem 
> lay with the clients booting into the registration vlan.
> On the switch I have a line on the interface config 'authentication event 
> no-response action authorize vlan 704'.  This puts any non-dot1x supplicant 
> into the registration vlan so that they can access a ringfenced network and 
> download the dot1x configuration tool.  For some reason, with that line in, the 
> supplicant times out on boot.  If I remove that line the registered 
> supplicant goes into the production vlan every time.  So I need to do some 
> research and try to find out why this is happening at the switch level.
>
> As for the violations.  Below are the relevant sections of the violations.conf 
> [defaults]
> priority=4
> max_enable=3
> actions=email,log
> auto_enable=Y
> enabled=N
> grace=120m
> button_text=Enable Network
> snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
> # vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
> # accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
> #                                     customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
> # (see switches.conf)
> vlan=isolationVlan
>
> ............................
>
> # 4000000 - 4099999 Custom violations
> [4000001]
> desc=SoH No antivirus enabled
> url=/remediation.php?template=noantivirus
> actions=email,log,trap
> enabled=Y
> #max-enable=1
> trigger=soh::2
> priority=3
>
> [4000002]
> desc=SoH Antivirus out-of-date
> enabled=Y
> actions=email,log,trap
> url=/remediation.php?template=avoutofdate
> trigger=soh::3
>
> [4000003]
> desc=SoH Windows Updates
> enabled=Y
> actions=email,log,trap
> url=/remediation.php?template=wupdate
> trigger=soh::4
> priority=5
>
> [4000004]
> desc=SoH Firewall
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=firewall
> trigger=soh::5
>
> [4000005]
> desc=SoH No Spyware
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=nospyware
> trigger=soh::6
>
> [4000006]
> desc=SoH Spyware out of date
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=spyoutofdate
> trigger=soh::7
>
>
> The SoH declarations in the web interface are:
> Filter: No Antivirus
> Action: Trigger Violation 4000001
> Conditions: Anti-virus is not installed
>
> Filter: AVoutofdate
> Action: Trigger violation 4000002
> Conditions: Anti-virus is not up-to-date
>
> Filter: WUpdates
> Action: Trigger Violation 4000003
> Conditions: Security updates is not up-to-date
>
> Filter: Firewall
> Action: Trigger violation 4000004
> Conditions: Firewall is not enabled
>
> Filter: NoSpyware
> Action: Trigger violation 4000005
> Conditions: Antispyware is not installed
>
> Filter: Spyoutofdate
> Action: Trigger violation 4000006
> Conditions: Anti-spyware is not up-to-date
>
> I don't know if there's a better way I could've sent you these.
>
> Cheers,
> Andi
>
>
>
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: 15 February 2012 03:49
> To: [email protected]
> Subject: Re: [Packetfence-users] Violations retriggering & vlans still not quite behaving correctly
>
> Hi Andi,
>
> I looked at the debug and in no situation, RADIUS returned the registration 
> VLAN.  I only see 705 and 721.
>
> For the soh violation, something appears to be wrong with the filters.
> Can you show me your filters?  Did you reload the violations after 
> updating/changing the filters?
>
> On 12-02-10 5:36 AM, Morris, Andi wrote:
>> Hi Francois, thanks for looking into this.
>> Here is the debug output, it is quite long, sorry.  The processes that were 
>> taking place during this time were:
>> Power on registered laptop
>> Plug in network cable - received production vlan (this is the first time
>> this has happened!!!!!)
>> Unplugged cable and replugged - received production vlan (wow it's working!!!)
>> Rebooted laptop - received registration vlan ( !£&^!$*&)
>> Unplugged cable and replugged - received production vlan.
>
> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca Inverse 
> inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> ________________________________
>
>> From 1st November 2011 UWIC changed its title to Cardiff Metropolitan
>> University. From the 6th December, as part of this change, all email
>> addresses which included @uwic.ac.uk have changed to @cardiffmet.ac.uk.
>> All emails sent from Cardiff Metropolitan University will now be sent
>> from the new @cardiffmet.ac.uk address. Please could you ensure that
>> all of your contact records and databases are updated to reflect this
>> change. Further information can be found on the website
>> here.<http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
>
>
>
>


-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
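A check that would have pointed at the stale configuration straight away, written as an added example for this thread (it is not part of PacketFence and is not Francois's or Andi's code): it parses the violations.conf stanzas and the SoH filter declarations quoted above, then walks pf.log lines and reports any 'violation add' whose vid disagrees with the filter that matched for that MAC, or whose trigger disagrees with the vid's stanza in violations.conf. The log excerpt and the trimmed config are constructed here from the thread (the second MAC is made up as a consistent control), and the assumption that the UI's 'No Antivirus' and the log's 'NoAntivirus' name the same filter is a guess encoded in norm_name().

```python
import configparser
import re

# Constructed sample: the violations.conf stanzas quoted in the thread,
# trimmed to the fields this check needs.
VIOLATIONS_CONF = """\
[defaults]
priority=4
max_enable=3
actions=email,log
auto_enable=Y
enabled=N
grace=120m
vlan=isolationVlan

[4000001]
desc=SoH No antivirus enabled
trigger=soh::2

[4000002]
desc=SoH Antivirus out-of-date
trigger=soh::3

[4000003]
desc=SoH Windows Updates
trigger=soh::4

[4000004]
desc=SoH Firewall
trigger=soh::5
"""

# Filter -> violation mapping as declared in the SoH admin interface (from the thread).
SOH_FILTERS = {
    "No Antivirus": 4000001,
    "AVoutofdate": 4000002,
    "WUpdates": 4000003,
    "Firewall": 4000004,
}

# Constructed log excerpt: the first pair is the one quoted in the thread (joined onto
# single lines); the second pair is a made-up, internally consistent control.
LOG_LINES = [
    "Feb 10 09:44:20 pf::WebAPI(27348) INFO: MAC 00:24:54:42:86:04 matched filter NoAntivirus (pf::soh::evaluate)",
    "Feb 10 09:44:20 pf::WebAPI(27348) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=4000003,mac=00:24:54:42:86:04' (trigger soh::4)",
    "Feb 10 09:45:02 pf::WebAPI(27348) INFO: MAC 00:11:22:33:44:55 matched filter Firewall (pf::soh::evaluate)",
    "Feb 10 09:45:02 pf::WebAPI(27348) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=4000004,mac=00:11:22:33:44:55' (trigger soh::5)",
]

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MATCH_RE = re.compile(r"MAC (?P<mac>" + MAC + r") matched filter (?P<filter>\S+)", re.I)
ADD_RE = re.compile(
    r"violation add vid=(?P<vid>\d+),mac=(?P<mac>" + MAC + r")'.*\(trigger (?P<trigger>[\w:]+)\)", re.I
)


def norm_name(name):
    """Assumption: the UI shows 'No Antivirus' while the log prints 'NoAntivirus'.
    Compare filter names with whitespace removed, case-insensitively."""
    return re.sub(r"\s+", "", name).lower()


def parse_violations(text):
    """Parse violations.conf text; return {vid: trigger} for the numeric stanzas only."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {int(sec): cp[sec].get("trigger", "") for sec in cp.sections() if sec.isdigit()}


def check_soh_log(lines, filters, violations):
    """Pair each 'matched filter' line with the next 'violation add' for the same MAC
    and report where runtime behaviour disagrees with the declared configuration.
    Returns a list of (mac, filter, vid, problem) tuples; an empty list means consistent."""
    expected_vid = {norm_name(k): v for k, v in filters.items()}
    last_filter = {}  # mac -> most recently matched filter name
    findings = []
    for line in lines:
        m = MATCH_RE.search(line)
        if m:
            last_filter[m["mac"].lower()] = m["filter"]
            continue
        a = ADD_RE.search(line)
        if not a:
            continue
        mac, vid, trig = a["mac"].lower(), int(a["vid"]), a["trigger"]
        flt = last_filter.get(mac, "?")
        want = expected_vid.get(norm_name(flt))
        if want is not None and want != vid:
            findings.append((mac, flt, vid, "filter is declared to trigger %d, log shows vid=%d" % (want, vid)))
        conf_trig = violations.get(vid)
        if conf_trig is None:
            findings.append((mac, flt, vid, "vid not present in violations.conf"))
        elif conf_trig != trig:
            findings.append((mac, flt, vid, "trigger %s in log, %s in violations.conf" % (trig, conf_trig)))
    return findings


if __name__ == "__main__":
    for mac, flt, vid, problem in check_soh_log(LOG_LINES, SOH_FILTERS, parse_violations(VIOLATIONS_CONF)):
        print("%s filter=%s vid=%d: %s" % (mac, flt, vid, problem))
```

On the thread's own log pair the check reports that the NoAntivirus filter is declared to trigger 4000001 but the daemon added 4000003, while the trigger soh::4 still agrees with the 4000003 stanza: the running process is acting on a different filter-to-violation mapping than the one on disk, which is exactly the symptom of a configuration that was edited but never reloaded.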

