Hi Francois,
That is odd.  I restart the packetfence services after I make any changes.

Anyway, here are the packetfence.log notes from a recent attempt to connect. 
Again, all violations were triggered, despite the laptop passing the SoH in the 
radius.log.

Feb 21 12:19:40 pf::WebAPI(32047) INFO: Evaluating SoH from client Laptop (MAC: 
00-24-54-42-86-04; Port: 50002; User: host/Laptop; OS: Microsoft Windows 7 (or 
Server 2008 R2), sp 1; id: 0xd4ee70d8587d41fb953f54a30e2e14a501ccf093caf30582) 
(pf::soh::authorize)
Feb 21 12:19:40 pf::WebAPI(32047) INFO: calling '/usr/local/pf/bin/pfcmd 
violation add vid=4000001,mac=00:24:54:42:86:04' (trigger soh::2) 
(pf::violation::violation_trigger)
Feb 21 12:19:41 pfcmd(1185) INFO: pfcmd calling violation_add for 
00:24:54:42:86:04 (main::command_param)
Feb 21 12:19:41 pfcmd(1185) INFO: grace expired on violation 4000001 for node 
00:24:54:42:86:04 (pf::violation::violation_add)
Feb 21 12:19:41 pfcmd(1185) INFO: violation 4000001 added for 00:24:54:42:86:04 
(pf::violation::violation_add)
Feb 21 12:19:41 pfcmd(1185) INFO: executing action 'email' on class 4000001 
(pf::action::action_execute)
Feb 21 12:19:44 pfcmd(1185) INFO: email regarding 'PF Alert: SoH No antivirus 
enabled detection on 00:24:54:42:86:04' sent to [email protected] 
(pf::util::pfmailer)
Feb 21 12:19:44 pfcmd(1185) INFO: executing action 'log' on class 4000001 
(pf::action::action_execute)
Feb 21 12:19:44 pfcmd(1185) WARN: unable to resolve 00:24:54:42:86:04 to ip 
(pf::iplog::mac2ip)
Feb 21 12:19:44 pfcmd(1185) INFO: /usr/local/pf/logs/violation.log 2012-02-21 
12:19:44: SoH No antivirus enabled (4000001) detected on node 00:24:54:42:86:04 
(0) (pf::action::action_log)
Feb 21 12:19:44 pfcmd(1185) INFO: executing action 'trap' on class 4000001 
(pf::action::action_execute)
Feb 21 12:19:44 pfcmd(1185) INFO: re-evaluating access for node 
00:24:54:42:86:04 (violation_add called) (pf::enforcement::reevaluate_access)
Feb 21 12:19:44 pfcmd(1185) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:19:44 pfcmd(1185) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:19:44 pf::WebAPI(32047) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 21 12:19:45 pf::WebAPI(32047) INFO: calling '/usr/local/pf/bin/pfcmd 
violation add vid=4000003,mac=00:24:54:42:86:04' (trigger soh::4) 
(pf::violation::violation_trigger)
Feb 21 12:19:45 pfcmd(1190) INFO: pfcmd calling violation_add for 
00:24:54:42:86:04 (main::command_param)
Feb 21 12:19:45 pfcmd(1190) INFO: grace expired on violation 4000003 for node 
00:24:54:42:86:04 (pf::violation::violation_add)
Feb 21 12:19:45 pfcmd(1190) INFO: violation 4000003 added for 00:24:54:42:86:04 
(pf::violation::violation_add)
Feb 21 12:19:45 pfcmd(1190) INFO: executing action 'email' on class 4000003 
(pf::action::action_execute)
Feb 21 12:19:50 pfcmd(1190) INFO: email regarding 'PF Alert: SoH Windows 
Updates detection on 00:24:54:42:86:04' sent to [email protected] 
(pf::util::pfmailer)
Feb 21 12:19:50 pfcmd(1190) INFO: executing action 'log' on class 4000003 
(pf::action::action_execute)
Feb 21 12:19:50 pfcmd(1190) WARN: unable to resolve 00:24:54:42:86:04 to ip 
(pf::iplog::mac2ip)
Feb 21 12:19:50 pfcmd(1190) INFO: /usr/local/pf/logs/violation.log 2012-02-21 
12:19:50: SoH Windows Updates (4000003) detected on node 00:24:54:42:86:04 (0) 
(pf::action::action_log)
Feb 21 12:19:50 pfcmd(1190) INFO: executing action 'trap' on class 4000003 
(pf::action::action_execute)
Feb 21 12:19:50 pfcmd(1190) INFO: re-evaluating access for node 
00:24:54:42:86:04 (violation_add called) (pf::enforcement::reevaluate_access)
Feb 21 12:19:50 pfcmd(1190) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:19:50 pfcmd(1190) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:19:50 pf::WebAPI(32047) INFO: MAC 00:24:54:42:86:04 matched filter 
WUpdates (pf::soh::evaluate)
Feb 21 12:19:50 pf::WebAPI(32047) INFO: calling '/usr/local/pf/bin/pfcmd 
violation add vid=4000005,mac=00:24:54:42:86:04' (trigger soh::6) 
(pf::violation::violation_trigger)
Feb 21 12:19:51 pfcmd(1195) INFO: pfcmd calling violation_add for 
00:24:54:42:86:04 (main::command_param)
Feb 21 12:19:51 pfcmd(1195) INFO: grace expired on violation 4000005 for node 
00:24:54:42:86:04 (pf::violation::violation_add)
Feb 21 12:19:51 pfcmd(1195) INFO: violation 4000005 added for 00:24:54:42:86:04 
(pf::violation::violation_add)
Feb 21 12:19:51 pfcmd(1195) INFO: executing action 'email' on class 4000005 
(pf::action::action_execute)
Feb 21 12:19:54 pfcmd(1195) INFO: email regarding 'PF Alert: SoH No Spyware 
detection on 00:24:54:42:86:04' sent to [email protected] (pf::util::pfmailer)
Feb 21 12:19:54 pfcmd(1195) INFO: executing action 'log' on class 4000005 
(pf::action::action_execute)
Feb 21 12:19:54 pfcmd(1195) WARN: unable to resolve 00:24:54:42:86:04 to ip 
(pf::iplog::mac2ip)
Feb 21 12:19:54 pfcmd(1195) INFO: /usr/local/pf/logs/violation.log 2012-02-21 
12:19:54: SoH No Spyware (4000005) detected on node 00:24:54:42:86:04 (0) 
(pf::action::action_log)
Feb 21 12:19:54 pfcmd(1195) INFO: executing action 'trap' on class 4000005 
(pf::action::action_execute)
Feb 21 12:19:54 pfcmd(1195) INFO: re-evaluating access for node 
00:24:54:42:86:04 (violation_add called) (pf::enforcement::reevaluate_access)
Feb 21 12:19:54 pfcmd(1195) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:19:54 pfcmd(1195) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:19:54 pf::WebAPI(32047) INFO: MAC 00:24:54:42:86:04 matched filter 
NoSpyware (pf::soh::evaluate)
Feb 21 12:19:54 pf::WebAPI(32047) INFO: calling '/usr/local/pf/bin/pfcmd 
violation add vid=4000006,mac=00:24:54:42:86:04' (trigger soh::7) 
(pf::violation::violation_trigger)
Feb 21 12:19:55 pfcmd(1200) INFO: pfcmd calling violation_add for 
00:24:54:42:86:04 (main::command_param)
Feb 21 12:19:55 pfcmd(1200) INFO: grace expired on violation 4000006 for node 
00:24:54:42:86:04 (pf::violation::violation_add)
Feb 21 12:19:55 pfcmd(1200) INFO: violation 4000006 added for 00:24:54:42:86:04 
(pf::violation::violation_add)
Feb 21 12:19:55 pfcmd(1200) INFO: executing action 'email' on class 4000006 
(pf::action::action_execute)
Feb 21 12:19:58 pfcmd(1200) INFO: email regarding 'PF Alert: SoH Spyware out of 
date detection on 00:24:54:42:86:04' sent to [email protected] 
(pf::util::pfmailer)
Feb 21 12:19:58 pfcmd(1200) INFO: executing action 'log' on class 4000006 
(pf::action::action_execute)
Feb 21 12:19:58 pfcmd(1200) WARN: unable to resolve 00:24:54:42:86:04 to ip 
(pf::iplog::mac2ip)
Feb 21 12:19:58 pfcmd(1200) INFO: /usr/local/pf/logs/violation.log 2012-02-21 
12:19:58: SoH Spyware out of date (4000006) detected on node 00:24:54:42:86:04 
(0) (pf::action::action_log)
Feb 21 12:19:58 pfcmd(1200) INFO: executing action 'trap' on class 4000006 
(pf::action::action_execute)
Feb 21 12:19:58 pfcmd(1200) INFO: re-evaluating access for node 
00:24:54:42:86:04 (violation_add called) (pf::enforcement::reevaluate_access)
Feb 21 12:19:58 pfcmd(1200) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:19:58 pfcmd(1200) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:19:59 pf::WebAPI(32047) INFO: MAC 00:24:54:42:86:04 matched filter 
Spyoutofdate (pf::soh::evaluate)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: Evaluating SoH from client Laptop (MAC: 
00-24-54-42-86-04; Port: 50002; User: sm18818; OS: Microsoft Windows 7 (or 
Server 2008 R2), sp 1; id: 0xd4ee70d8587d41fb953f54a30e2e14a501ccf093e84fddc0) 
(pf::soh::authorize)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: violation 4000001 (trigger soh::2) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: violation 4000003 (trigger soh::4) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: MAC 00:24:54:42:86:04 matched filter 
WUpdates (pf::soh::evaluate)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: violation 4000005 (trigger soh::6) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: MAC 00:24:54:42:86:04 matched filter 
NoSpyware (pf::soh::evaluate)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: violation 4000006 (trigger soh::7) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:20:29 pf::WebAPI(32048) INFO: MAC 00:24:54:42:86:04 matched filter 
Spyoutofdate (pf::soh::evaluate)
Feb 21 12:20:30 pf::WebAPI(32049) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:20:30 pf::WebAPI(32049) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:20:30 pf::WebAPI(32049) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:20:30 pf::WebAPI(32050) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:20:30 pf::WebAPI(32050) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000001. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:20:30 pf::WebAPI(32050) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:20:32 pfdhcplistener(8709) INFO: DHCPOFFER from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) 
(main::parse_dhcp_offer)
Feb 21 12:20:32 pfdhcplistener(8709) INFO: DHCPREQUEST from 00:24:54:42:86:04 
(10.1.5.20) (main::parse_dhcp_request)
Feb 21 12:20:32 pfdhcplistener(8709) INFO: could not resolve 10.1.5.20 to mac 
in ARP table (pf::iplog::ip2macinarp)
Feb 21 12:20:34 pfdhcplistener(8709) INFO: resolved 10.1.5.20 to mac 
(00:24:54:42:86:04) in ARP table (pf::iplog::ip2macinarp)
Feb 21 12:20:34 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:20:34,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:20:34 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:20:35 pfmon(1) INFO: running expire check (main::cleanup)
Feb 21 12:20:35 pfmon(1) INFO: checking registered nodes for expiration 
(main::cleanup)
Feb 21 12:20:35 pfdhcplistener(8709) INFO: DHCPACK CIADDR from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) (main::parse_dhcp_ack)
Feb 21 12:20:41 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:20:41,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:20:41 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:20:51 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:20:51,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:20:51 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:01 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:01,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:01 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:11 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:11,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:11 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:21 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:21,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:21 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:29 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:29 redir.cgi(0) INFO: Updating node 00:24:54:42:86:04 user_agent 
with useragent: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.11 (KHTML, like 
Gecko) Chrome/17.0.963.56 Safari/535.11' (pf::web::web_node_record_user_agent)
Feb 21 12:21:29 redir.cgi(0) INFO: Static User-Agent lookup data initialized 
(pf::useragent::_init)
Feb 21 12:21:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000001, redirect url: /remediation.php?template=noantivirus 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:29 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:29 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000001, redirect url: /remediation.php?template=noantivirus 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:31 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:31,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:31 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:41 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:41,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:41 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:43 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage 
vclose 00:24:54:42:86:04 4000001 (pf::web::release::handler)
Feb 21 12:21:44 pfcmd(1381) INFO: violation 4000001 closed for 
00:24:54:42:86:04 (pf::violation::violation_close)
Feb 21 12:21:44 pfcmd(1381) INFO: re-evaluating access for node 
00:24:54:42:86:04 (manage_vclose called) (pf::enforcement::reevaluate_access)
Feb 21 12:21:44 pfcmd(1381) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:21:44 pfcmd(1381) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000003. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:21:44 release.pm(0) INFO: pfcmd manage vclose 00:24:54:42:86:04 
4000001 returned 7200 (pf::web::release::handler)
Feb 21 12:21:44 release.pm(0) INFO: 00:24:54:42:86:04 enabled for 7200 minutes 
(pf::web::release::handler)
Feb 21 12:21:44 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:44 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000003, redirect url: /remediation.php?template=wupdate 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:44 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:44 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000003, redirect url: /remediation.php?template=wupdate 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:21:49 pf::WebAPI(1327) INFO: Evaluating SoH from client Laptop (MAC: 
00-24-54-42-86-04; Port: 50002; User: sm18818; OS: Microsoft Windows 7 (or 
Server 2008 R2), sp 1; id: 0xd4ee70d8587d41fb953f54a30e2e14a501ccf0941800517e) 
(pf::soh::authorize)
Feb 21 12:21:49 pf::WebAPI(1327) INFO: 7072 grace remaining on violation 
4000001 (trigger soh::2) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:21:49 pf::WebAPI(1327) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 21 12:21:49 pf::WebAPI(1327) INFO: violation 4000003 (trigger soh::4) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:49 pf::WebAPI(1327) INFO: MAC 00:24:54:42:86:04 matched filter 
WUpdates (pf::soh::evaluate)
Feb 21 12:21:50 pf::WebAPI(1327) INFO: violation 4000005 (trigger soh::6) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:50 pf::WebAPI(1327) INFO: MAC 00:24:54:42:86:04 matched filter 
NoSpyware (pf::soh::evaluate)
Feb 21 12:21:50 pf::WebAPI(1327) INFO: violation 4000006 (trigger soh::7) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:50 pf::WebAPI(1327) INFO: MAC 00:24:54:42:86:04 matched filter 
Spyoutofdate (pf::soh::evaluate)
Feb 21 12:21:50 pf::WebAPI(32047) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:21:50 pf::WebAPI(32047) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000003. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:21:50 pf::WebAPI(32047) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:21:50 pf::WebAPI(8721) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:21:50 pf::WebAPI(8721) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000003. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:21:50 pf::WebAPI(8721) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:21:50 pfdhcplistener(8709) INFO: DHCPREQUEST from 00:24:54:42:86:04 
(10.1.5.20) (main::parse_dhcp_request)
Feb 21 12:21:50 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:50,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:50 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: Evaluating SoH from client Laptop (MAC: 
00-24-54-42-86-04; Port: 50002; User: sm18818; OS: Microsoft Windows 7 (or 
Server 2008 R2), sp 1; id: 0xd4ee70d8587d41fb953f54a30e2e14a501ccf09419b9eed5) 
(pf::soh::authorize)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: 7069 grace remaining on violation 
4000001 (trigger soh::2) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: violation 4000003 (trigger soh::4) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: MAC 00:24:54:42:86:04 matched filter 
WUpdates (pf::soh::evaluate)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: violation 4000005 (trigger soh::6) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: MAC 00:24:54:42:86:04 matched filter 
NoSpyware (pf::soh::evaluate)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: violation 4000006 (trigger soh::7) 
already exists for 00:24:54:42:86:04, not adding again 
(pf::violation::violation_trigger)
Feb 21 12:21:52 pf::WebAPI(1326) INFO: MAC 00:24:54:42:86:04 matched filter 
Spyoutofdate (pf::soh::evaluate)
Feb 21 12:21:53 pf::WebAPI(1322) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:21:53 pf::WebAPI(1322) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000003. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:21:53 pf::WebAPI(1322) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:21:53 pf::WebAPI(32539) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:21:53 pf::WebAPI(32539) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000003. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:21:53 pf::WebAPI(32539) INFO: Returning ACCEPT with VLAN: 705 
(pf::radius::authorize)
Feb 21 12:21:55 pfdhcplistener(8709) INFO: DHCPREQUEST from 00:24:54:42:86:04 
(10.1.5.20) (main::parse_dhcp_request)
Feb 21 12:21:55 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:21:55,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:21:55 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:22:02 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage 
vclose 00:24:54:42:86:04 4000003 (pf::web::release::handler)
Feb 21 12:22:03 pfcmd(1460) INFO: violation 4000003 closed for 
00:24:54:42:86:04 (pf::violation::violation_close)
Feb 21 12:22:03 pfcmd(1460) INFO: re-evaluating access for node 
00:24:54:42:86:04 (manage_vclose called) (pf::enforcement::reevaluate_access)
Feb 21 12:22:03 pfcmd(1460) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:22:03 pfcmd(1460) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000005. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:22:03 release.pm(0) INFO: pfcmd manage vclose 00:24:54:42:86:04 
4000003 returned 7200 (pf::web::release::handler)
Feb 21 12:22:03 release.pm(0) INFO: 00:24:54:42:86:04 enabled for 7200 minutes 
(pf::web::release::handler)
Feb 21 12:22:03 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:03 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000005, redirect url: /remediation.php?template=nospyware 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:03 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:03 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000005, redirect url: /remediation.php?template=nospyware 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:06 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:06,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:22:06 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:22:15 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:15,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:22:15 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:22:19 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage 
vclose 00:24:54:42:86:04 4000005 (pf::web::release::handler)
Feb 21 12:22:20 pfcmd(1506) INFO: violation 4000005 closed for 
00:24:54:42:86:04 (pf::violation::violation_close)
Feb 21 12:22:20 pfcmd(1506) INFO: re-evaluating access for node 
00:24:54:42:86:04 (manage_vclose called) (pf::enforcement::reevaluate_access)
Feb 21 12:22:20 pfcmd(1506) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:22:20 pfcmd(1506) INFO: highest priority violation for 
00:24:54:42:86:04 is 4000006. Target VLAN for violation: isolationVlan (705) 
(pf::vlan::getViolationVlan)
Feb 21 12:22:20 release.pm(0) INFO: pfcmd manage vclose 00:24:54:42:86:04 
4000005 returned 7200 (pf::web::release::handler)
Feb 21 12:22:20 release.pm(0) INFO: 00:24:54:42:86:04 enabled for 7200 minutes 
(pf::web::release::handler)
Feb 21 12:22:20 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:20 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000006, redirect url: /remediation.php?template=spyoutofdate 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:21 redir.cgi(0) INFO: 00:24:54:42:86:04 being redirected 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:21 redir.cgi(0) INFO: captive portal redirect on violation vid: 
4000006, redirect url: /remediation.php?template=spyoutofdate 
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Feb 21 12:22:25 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:25,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:22:25 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:22:33 release.pm(0) INFO: calling /usr/local/pf/bin/pfcmd manage 
vclose 00:24:54:42:86:04 4000006 (pf::web::release::handler)
Feb 21 12:22:34 pfcmd(1535) INFO: violation 4000006 closed for 
00:24:54:42:86:04 (pf::violation::violation_close)
Feb 21 12:22:34 pfcmd(1535) INFO: re-evaluating access for node 
00:24:54:42:86:04 (manage_vclose called) (pf::enforcement::reevaluate_access)
Feb 21 12:22:34 pfcmd(1535) INFO: 00:24:54:42:86:04 is currentlog connected at 
10.1.1.21 ifIndex 02 in VLAN 705 (pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:22:34 pfcmd(1535) INFO: MAC: 00:24:54:42:86:04, PID: sm18818, Status: 
reg. Returned VLAN: 721 (pf::vlan::fetchVlanForNode)
Feb 21 12:22:34 pfcmd(1535) INFO: VLAN reassignment required for 
00:24:54:42:86:04 (current VLAN = 705 but should be in VLAN 721) 
(pf::enforcement::_should_we_reassign_vlan)
Feb 21 12:22:34 pfcmd(1535) INFO: switch port for 00:24:54:42:86:04 is 
10.1.1.21 ifIndex 02 connection type: Wired 802.1x 
(pf::enforcement::_vlan_reevaluation)
Feb 21 12:22:34 release.pm(0) INFO: pfcmd manage vclose 00:24:54:42:86:04 
4000006 returned 7200 (pf::web::release::handler)
Feb 21 12:22:34 release.pm(0) INFO: 00:24:54:42:86:04 enabled for 7200 minutes 
(pf::web::release::handler)
Feb 21 12:22:34 register.cgi(0) INFO: 10.1.5.20 - 00:24:54:42:86:04  
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_register_2ecgi::handler)
Feb 21 12:22:35 pfdhcplistener(8709) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:35,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:22:35 pfdhcplistener(8709) INFO: DHCPACK from 10.1.5.10 
(00:13:21:f1:cb:b9) to host 00:24:54:42:86:04 (10.1.5.20) for 20 seconds 
(main::parse_dhcp_ack)
Feb 21 12:22:38 pfsetvlan(22) INFO: local (127.0.0.1) trap for switch 10.1.1.21 
(main::parseTrap)
Feb 21 12:22:38 pfsetvlan(3) INFO: nb of items in queue: 1; nb of threads 
running: 0 (main::startTrapHandlers)
Feb 21 12:22:38 pfsetvlan(3) INFO: reAssignVlan trap received on 10.1.1.21 
ifIndex 2 (main::handleTrap)
Feb 21 12:22:38 pfsetvlan(3) INFO: Forcing 802.1x re-authentication on 
10.1.1.21:2. A new VLAN will be assigned. (main::handleTrap)
Feb 21 12:22:39 pfcmd_vlan(1558) INFO: wired deauthentication of a 802.1x MAC 
(main::)
Feb 21 12:22:39 pfsetvlan(3) INFO: finished (main::cleanupAfterThread)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: Evaluating SoH from client Laptop (MAC: 
00-24-54-42-86-04; Port: 50002; User: sm18818; OS: Microsoft Windows 7 (or 
Server 2008 R2), sp 1; id: 0xd4ee70d8587d41fb953f54a30e2e14a501ccf09435ad99d5) 
(pf::soh::authorize)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: 7022 grace remaining on violation 
4000001 (trigger soh::2) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: 7026 grace remaining on violation 
4000003 (trigger soh::4) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: MAC 00:24:54:42:86:04 matched filter 
WUpdates (pf::soh::evaluate)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: 7032 grace remaining on violation 
4000005 (trigger soh::6) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: MAC 00:24:54:42:86:04 matched filter 
NoSpyware (pf::soh::evaluate)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: 7036 grace remaining on violation 
4000006 (trigger soh::7) for node 00:24:54:42:86:04. Not adding violation. 
(pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: MAC 00:24:54:42:86:04 matched filter 
Spyoutofdate (pf::soh::evaluate)
Feb 21 12:22:40 pf::WebAPI(1540) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:22:40 pf::WebAPI(1540) INFO: MAC: 00:24:54:42:86:04, PID: sm18818, 
Status: reg. Returned VLAN: 721 (pf::vlan::fetchVlanForNode)
Feb 21 12:22:40 pf::WebAPI(1540) INFO: Returning ACCEPT with VLAN: 721 
(pf::radius::authorize)
Feb 21 12:22:40 pf::WebAPI(32051) INFO: handling radius autz request: from 
switch_ip => 10.1.1.21, connection_type => Ethernet-EAP mac => 
00:24:54:42:86:04, port => 50002, username => sm18818 (pf::radius::authorize)
Feb 21 12:22:40 pf::WebAPI(32051) INFO: MAC: 00:24:54:42:86:04, PID: sm18818, 
Status: reg. Returned VLAN: 721 (pf::vlan::fetchVlanForNode)
Feb 21 12:22:40 pf::WebAPI(32051) INFO: Returning ACCEPT with VLAN: 721 
(pf::radius::authorize)
Feb 21 12:22:40 pfdhcplistener(8710) INFO: DHCPREQUEST from 00:24:54:42:86:04 
(10.1.5.20) (main::parse_dhcp_request)
Feb 21 12:22:40 pfdhcplistener(8710) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:40,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:22:40 pfdhcplistener(8710) INFO: DHCPREQUEST from 00:24:54:42:86:04 
(10.2.1.20) (main::parse_dhcp_request)
Feb 21 12:22:40 pfdhcplistener(8710) INFO: could not resolve 10.2.1.20 to mac 
in ARP table (pf::iplog::ip2macinarp)
Feb 21 12:22:40 pfdhcplistener(8710) WARN: could not resolve 10.2.1.20 to mac 
(pf::iplog::ip2mac)
Feb 21 12:22:40 pfdhcplistener(8710) INFO: oldip (10.1.5.20) and newip 
(10.2.1.20) are different for 00:24:54:42:86:04 - closing iplog entry 
(main::update_iplog)
Feb 21 12:22:41 pfdhcplistener(8710) INFO: 00:24:54:42:86:04 requested an IP. 
DHCP Fingerprint: OS::107 (Microsoft Windows Vista/7 or Server 2008). Modified 
node with last_dhcp = 2012-02-21 12:22:41,computername = 
Laptop,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,121,249,43 (main::listen_dhcp)
Feb 21 12:27:21 pfcmd(1637) INFO: Executing pfcmd service pf status 
(main::service)
Feb 21 12:27:21 pfcmd(1637) INFO: /usr/sbin/named status 
(pf::services::service_ctl)
Feb 21 12:27:21 pfcmd(1637) INFO: pidof -x named returned 8671 
(pf::services::service_ctl)
Feb 21 12:27:21 pfcmd(1637) INFO: /usr/sbin/dhcpd status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x dhcpd returned 8677 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/sbin/snort status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x snort returned 8759 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/sbin/radiusd status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x radiusd returned 0 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/sbin/httpd status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x httpd returned 32051 8692 1576 1574 
1540 1534 1513 1472 1470 1394 1327 1326 (pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/sbin/snmptrapd status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x snmptrapd returned 8694 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/local/pf/sbin/pfdetect status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x pfdetect returned 8708 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/local/pf/sbin/pfredirect status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x pfredirect returned 0 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/local/pf/sbin/pfsetvlan status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x pfsetvlan returned 8714 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/local/pf/sbin/pfdhcplistener status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x pfdhcplistener returned 8711 8710 
8709 (pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: /usr/local/pf/sbin/pfmon status 
(pf::services::service_ctl)
Feb 21 12:27:22 pfcmd(1637) INFO: pidof -x pfmon returned 8712 
(pf::services::service_ctl)

Cheers,
Andi

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: 20 February 2012 17:07
To: [email protected]
Subject: Re: [Packetfence-users] Violations retriggering & vlans still not 
quite behaving correctly

Hi Andi,

The debug files you sent us do not match the violation IDs....

Example:
Feb 10 09:44:20 pf::WebAPI(27348) INFO: MAC 00:24:54:42:86:04 matched filter 
NoAntivirus (pf::soh::evaluate)
Feb 10 09:44:20 pf::WebAPI(27348) INFO: calling 
'/usr/local/pf/bin/pfcmd violation add vid=4000003,mac=00:24:54:42:86:04' 
(trigger soh::4)

[4000003]
desc=SoH Windows Updates
...
trigger=soh::4

That said, I believe you did not reload the violations. Can you give us updated 
logs that represent the actual filters?  Please reload PacketFence before 
doing your tests (service packetfence restart).

Thanks.

On 12-02-20 8:35 AM, Morris, Andi wrote:
> Did the files given shed any light on these violations retriggering?
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 15 February 2012 10:33
> To: [email protected]
> Subject: Re: [Packetfence-users] Violations retriggering & vlans still
> not quite behaving correctly
>
> Hi Francois,
> Thanks for looking at the logs.
>
> Yesterday afternoon I had a bit of a brainwave and found where the problem 
> lay with the clients booting into the registration vlan.
> On the switch I have a line on the interface config 'authentication event 
> no-response action authorize vlan 704'.  This puts any non dot1x supplicant 
> into the registration vlan so that they can access a ringfenced network and 
> download the dot1x configuration tool.  For some reason, with that line in, 
> the supplicant times out on boot.  If I remove that line the registered 
> supplicant goes into the production vlan every time.  So I need to do some 
> research and try to find out why this is happening at the switch level.
>
> As for the violations, below are the relevant sections of the
> violations.conf:
>
> [defaults]
> priority=4
> max_enable=3
> actions=email,log
> auto_enable=Y
> enabled=N
> grace=120m
> button_text=Enable Network
> snort_rules=local.rules,emerging-attack_response.rules,emerging-botcc.rules,emerging-exploit.rules,emerging-malware.rules,emerging-p2p.rules,emerging-scan.rules,emerging-shellcode.rules,emerging-trojan.rules,emerging-virus.rules,emerging-worm.rules
> # vlan: The vlan parameter allows you to define in what vlan a node with a violation will be put in.
> # accepted values are the vlan names: isolationVlan, normalVlan, registrationVlan, macDetectionVlan, guestVlan,
> #                                     customVlan1, customVlan2, customVlan3, customVlan4, customVlan5
> # (see switches.conf)
> vlan=isolationVlan
>
> ............................
>
> # 4000000 - 4099999 Custom violations
> [4000001]
> desc=SoH No antivirus enabled
> url=/remediation.php?template=noantivirus
> actions=email,log,trap
> enabled=Y
> #max-enable=1
> trigger=soh::2
> priority=3
>
> [4000002]
> desc=SoH Antivirus out-of-date
> enabled=Y
> actions=email,log,trap
> url=/remediation.php?template=avoutofdate
> trigger=soh::3
>
> [4000003]
> desc=SoH Windows Updates
> enabled=Y
> actions=email,log,trap
> url=/remediation.php?template=wupdate
> trigger=soh::4
> priority=5
>
> [4000004]
> desc=SoH Firewall
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=firewall
> trigger=soh::5
>
> [4000005]
> desc=SoH No Spyware
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=nospyware
> trigger=soh::6
>
> [4000006]
> desc=SoH Spyware out of date
> enabled=Y
> actions=email,log,trap
> priority=8
> url=/remediation.php?template=spyoutofdate
> trigger=soh::7
>
>
> The SoH declarations in the web interface are:
> Filter: No Antivirus
> Action: Trigger Violation 4000001
> Conditions: Anti-virus is not installed
>
> Filter: AVoutofdate
> Action: Trigger violation 4000002
> Conditions: Anti-virus is not up-to-date
>
> Filter: WUpdates
> Action: Trigger Violation 4000003
> Conditions: Security updates is not up-to-date
>
> Filter: Firewall
> Action: Trigger violation 4000004
> Conditions: Firewall is not enabled
>
> Filter: NoSpyware
> Action: Trigger violation 4000005
> Conditions: Antispyware is not installed
>
> Filter: Spyoutofdate
> Action: Trigger violation 4000006
> Conditions: Anti-spyware is not up-to-date
>
> I don't know if there's a better way I could've sent you these.
>
> Cheers,
> Andi
>
>
>
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: 15 February 2012 03:49
> To: [email protected]
> Subject: Re: [Packetfence-users] Violations retriggering & vlans still
> not quite behaving correctly
>
> Hi Andi,
>
> I looked at the debug and in no situation, RADIUS returned the registration 
> VLAN.  I only see 705 and 721.
>
> For the soh violation, something appears to be wrong with the filters.
> Can you show me your filters?  Did you reload the violations after 
> updating/changing the filters?
>
> On 12-02-10 5:36 AM, Morris, Andi wrote:
>> Hi Francois, thanks for looking into this.
>> Here is the debug output, it is quite long sorry.  The processes that were 
>> taking place during this time were:
>> Power on registered laptop
>> Plug in network cable - received production vlan (this is the first time this has happened!!!!!)
>> Unplugged cable and replugged - received production vlan (wow it's working!!!)
>> Rebooted laptop - received registration vlan ( !£&^!$*&)
>> Unplugged cable and replugged - received production vlan.
>
> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
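
The consistency question raised in this thread (does each logged SoH trigger raise the violation ID that violations.conf assigns to it?) can be checked mechanically. The Python below is an added example, not part of the original messages or of PacketFence; the config excerpt and log lines are constructed in the formats quoted above (one log entry per line, unwrapped), and the function names are hypothetical.

```python
import configparser
import re

# Constructed excerpt of violations.conf, using two sections quoted in the thread.
VIOLATIONS_CONF = """
[4000001]
desc=SoH No antivirus enabled
trigger=soh::2

[4000003]
desc=SoH Windows Updates
trigger=soh::4
"""

# Constructed log lines; the last one deliberately disagrees with the config above.
LOG = """\
Feb 21 12:19:40 pf::WebAPI(32047) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=4000001,mac=00:24:54:42:86:04' (trigger soh::2) (pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: 7026 grace remaining on violation 4000003 (trigger soh::4) for node 00:24:54:42:86:04. Not adding violation. (pf::violation::violation_trigger)
Feb 21 12:22:39 pf::WebAPI(1463) INFO: calling '/usr/local/pf/bin/pfcmd violation add vid=4000003,mac=00:24:54:42:86:04' (trigger soh::2) (pf::violation::violation_trigger)
"""

# Covers "violation add vid=N,..." and "on violation N", followed by "(trigger soh::N)".
EVENT = re.compile(r"violation (?:add vid=)?(\d+)\b.*?\(trigger (soh::\d+)\)")

def load_triggers(conf_text):
    """Map each trigger (e.g. 'soh::4') to the set of violation ids declaring it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    triggers = {}
    for vid in cp.sections():  # sections without a trigger ([defaults]) add nothing
        for trig in cp.get(vid, "trigger", fallback="").split(","):
            if trig.strip():
                triggers.setdefault(trig.strip(), set()).add(vid)
    return triggers

def find_mismatches(log_text, triggers):
    """Return (line_no, vid, trigger, expected_vids) for events that disagree with the config."""
    out = []
    for n, line in enumerate(log_text.splitlines(), 1):
        for vid, trig in EVENT.findall(line):
            expected = triggers.get(trig, set())
            if vid not in expected:
                out.append((n, vid, trig, sorted(expected)))
    return out

if __name__ == "__main__":
    for n, vid, trig, exp in find_mismatches(LOG, load_triggers(VIOLATIONS_CONF)):
        print(f"log line {n}: {trig} raised violation {vid}, config expects {exp}")
```

A reported mismatch suggests the running services and the file on disk hold different violation definitions, which is the situation a reload is meant to clear.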
