Hi Gavin,
> I'm in the middle of implementing PacketFence and I'm running into a couple
> strange things. The first oddity is that PacketFence is mapping the MAC
> address of some clients to the wrong switch port on some interfaces on my
> Cisco switches.
>
> #### Figure 1 ####
> #sh port-security address
> Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan Mac Address Type Ports Remaining Age
> (mins)
> ---- ----------- ---- ----- -------------
> 112 0200.0001.0001 SecureConfigured Fa0/1 -
> 112 0200.0001.0002 SecureConfigured Fa0/2 -
> 112 c42c.030d.6cdf SecureConfigured Fa0/7 -
> ... (truncated)
> 112 20aa.4be3.eeb0 SecureConfigured Fa0/18 -
> ------------------------------------------------------------------------
> Total Addresses in System (excluding one mac per port) : 0
> Max Addresses limit in System (excluding one mac per port) : 5120
>
> #### Figure 2 ####
> [root@mint conf]# ../bin/pfcmd locationhistorymac c4:2c:03:0d:6c:df
> mac|switch|port|vlan|connection_type|dot1x_username|ssid|start_time|end_time
> c4:2c:03:0d:6c:df|10.101.12.231|7|112|Wired SNMP|||2012-09-28 12:11:16|
> [root@mint conf]#
>
> #### Figure 3 ####
> [root@mint conf]# ../bin/pfcmd locationhistorymac 20:aa:4b:e3:ee:b0
> mac|switch|port|vlan|connection_type|dot1x_username|ssid|start_time|end_time
> 20:aa:4b:e3:ee:b0|10.101.12.231|14|112|Wired SNMP|||2012-09-28 10:14:02|
> [root@mint conf]#
>
> As you can see in Figure 1 & 2, the switch shows that c42c.030d.6cdf is on
> fa0/7, and in this case PF agrees. However when comparing Figure 1 & 3, the
> switch secure MAC address table thinks that 20aa.4be3.eeb0 is on fa0/18, but
> PF thinks it is on fa0/14. What could cause this?
Hmm... can you "manually" check the locationlog table to see the
data? It sounds weird to me. Is it possible that the switch didn't
send any traps to PF, and just authorized the node on the new port
because it was already authorized somewhere else on the switch? Is your
port configuration aligned with what we have in the guide?
Please let me know the IOS version, and switch model.
>
> The second oddity is that I'm trying to detect P2P programs and for now only
> send e-mail alerts, but eventually, we'll want to isolate these offenders.
> Anyway I'm not getting any violations to appear in the GUI, but I'm see them
> in the packetfence.log.
>
> ### Figure 4 ###
> Sep 28 12:29:04 pfdetect(27330) INFO: alert received: 09/28-12:29:04.551222
> [**] [1:2003313:3] ET P2P Edonkey Connect Reply and Server List [**]
> [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP}
> 124.81.143.187:6783 -> 10.1.10.21:16634
> (main::)
> Sep 28 12:29:04 pfdetect(27330) INFO: could not resolve 124.81.143.187 to mac
> in ARP table (pf::iplog::ip2macinarp)
> Sep 28 12:29:04 pfdetect(27330) WARN: could not resolve 124.81.143.187 to mac
> (pf::iplog::ip2mac)
> Sep 28 12:29:04 pfdetect(27330) WARN: pfdetect: 124.81.143.187 MAC NOT FOUND
> for violation 2003313 [ET] (main::)
>
> It appears that snort is seeing these violations, but it is comparing the
> remote IP address to the PF database and not finding a match. I'm thinking
> the correct behavior would be to search the DB for the local address
> (10.1.10.21) and resolve that to a MAC and send the alert. Is there
> something I can look for in my configs to fix this issue?
Ok, so the rule has been triggered for an OUTSIDER IP (tracker response
to a local client). We just validate outgoing traffic, not incoming.
> violations.conf
> -----------------
> [1100006]
> desc=P2P Isolation (snort example)
> url=/remediation.php?template=p2p
> trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
> enabled=Y
> window=
> vclose=
> actions=email,log
To trap the user, you need the "trap" action, and you also need the
proper trapping.range configured in pf.conf. trapping.range represents
the internal subnets in your network (i.e. 10.0.0.0/8 will catch all 10.x.x.x IPs).
Hope it helps.
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
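For the first oddity (Figure 1 versus Figures 2 and 3), a quick way to do the "manual" check above across a whole switch is to diff the secure MAC table against the open locationlog rows. The script below is an added example written for this thread, not PacketFence's own code. Its two inputs are constructed from Figures 1-3 (the "... (truncated)" rows are left out), and it assumes, as Figures 2 and 3 suggest for this switch, that PF's port column is the interface number after the slash (Fa0/7 -> 7). The 0200.0001.xxxx entries are reported separately as "only on switch" rather than as mismatches, since they have no locationlog row.

```python
"""Cross-check Cisco 'show port-security address' output against
pfcmd locationhistorymac rows, normalising MAC notation on both sides.

Added example for the PacketFence-users thread; not PacketFence code.
"""
import re

# Constructed from Figure 1 (truncated rows omitted).
SWITCH_OUTPUT = """\
Secure Mac Address Table
------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
112 0200.0001.0001 SecureConfigured Fa0/1 -
112 0200.0001.0002 SecureConfigured Fa0/2 -
112 c42c.030d.6cdf SecureConfigured Fa0/7 -
112 20aa.4be3.eeb0 SecureConfigured Fa0/18 -
------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port) : 0
"""

# Constructed from Figures 2 and 3 (pfcmd locationhistorymac output).
PFCMD_OUTPUT = """\
mac|switch|port|vlan|connection_type|dot1x_username|ssid|start_time|end_time
c4:2c:03:0d:6c:df|10.101.12.231|7|112|Wired SNMP|||2012-09-28 12:11:16|
20:aa:4b:e3:ee:b0|10.101.12.231|14|112|Wired SNMP|||2012-09-28 10:14:02|
"""

# vlan, mac (Cisco dotted form), type, port
PORT_SEC_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)", re.I
)


def normalize_mac(mac):
    """Accept c42c.030d.6cdf, C4-2C-..., c4:2c:...; return lower-case colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_port_security(text):
    """Return {mac: (vlan, port_number)}; 'Fa0/18' becomes 18 (assumption)."""
    table = {}
    for line in text.splitlines():
        m = PORT_SEC_RE.match(line)
        if not m:
            continue  # headers, separators, totals
        vlan, mac, _type, port = m.groups()
        table[normalize_mac(mac)] = (int(vlan), int(port.rsplit("/", 1)[-1]))
    return table


def parse_locationlog(text):
    """Return {mac: (vlan, port)} for rows that are still open (empty end_time)."""
    lines = text.strip().splitlines()
    header = lines[0].split("|")
    rows = {}
    for line in lines[1:]:
        fields = dict(zip(header, line.split("|")))
        if fields.get("end_time"):
            continue  # closed entry, not the node's current location
        rows[normalize_mac(fields["mac"])] = (int(fields["vlan"]), int(fields["port"]))
    return rows


def find_mismatches(switch_table, pf_table):
    """{mac: (switch_port, pf_port)} for MACs known to both but on different ports."""
    return {
        mac: (port, pf_table[mac][1])
        for mac, (_vlan, port) in switch_table.items()
        if mac in pf_table and pf_table[mac][1] != port
    }


def only_on_switch(switch_table, pf_table):
    """MACs the switch secured that have no open locationlog row."""
    return sorted(mac for mac in switch_table if mac not in pf_table)


if __name__ == "__main__":
    sw = parse_port_security(SWITCH_OUTPUT)
    pf = parse_locationlog(PFCMD_OUTPUT)
    for mac, (sp, pp) in find_mismatches(sw, pf).items():
        print("MISMATCH %s switch=Fa0/%d pf=%d" % (mac, sp, pp))
    for mac in only_on_switch(sw, pf):
        print("NO LOCATIONLOG %s" % mac)
```

In a real deployment you would feed it the live `show port-security address` output and `pfcmd locationhistorymac` for each MAC (or a direct SELECT on locationlog where end_time is NULL); a mismatch is the signature of the "node moved without a trap" case mentioned above.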
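For the second oddity, the log in Figure 4 shows why the lookup fails: the alert's source is the outside tracker, and only the source is resolved. The script below is an added example (not pfdetect's code) of the check the trapping.range setting implies: parse the Snort fast-format alert, keep the endpoint that falls inside the configured internal subnets, and only then go to the ARP/iplog table. It goes slightly beyond what pfdetect does, in that it falls back to the destination when the source is external; the alert line is constructed from Figure 4, and the ARP table is a hypothetical stand-in for PacketFence's iplog lookup.

```python
"""Resolve a Snort alert to the internal endpoint using trapping.range
subnets, then look that host up in an ARP/iplog snapshot.

Added example for the PacketFence-users thread; not pfdetect's own code.
"""
import ipaddress
import re

# Constructed from the pfdetect log line in Figure 4 (IPv4 only here).
ALERT_LINE = (
    "09/28-12:29:04.551222 [**] [1:2003313:3] ET P2P Edonkey Connect Reply "
    "and Server List [**] [Classification: Potential Corporate Privacy "
    "Violation] [Priority: 1] {UDP} 124.81.143.187:6783 -> 10.1.10.21:16634"
)

# Hypothetical ARP/iplog snapshot: only the inside host is known to PF.
CONSTRUCTED_ARP = {"10.1.10.21": "20:aa:4b:e3:ee:b0"}

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alert(line):
    """Pull SID, message, protocol and both endpoints out of a fast-format alert."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    return alert


def parse_trapping_range(value):
    """trapping.range in pf.conf: comma-separated CIDR subnets."""
    return [ipaddress.ip_network(n.strip(), strict=False)
            for n in value.split(",") if n.strip()]


def is_internal(addr, ranges):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def local_endpoint(alert, ranges):
    """Endpoint inside trapping.range, or None if neither side is internal.

    Source first (outgoing traffic, which is what pfdetect validates);
    destination as the fallback for a reply coming from an outside host.
    """
    for key in ("src", "dst"):
        if is_internal(alert[key], ranges):
            return alert[key]
    return None


def resolve_violation(line, trapping_range, arp):
    """Return (sid, mac); mac is None when no internal host can be resolved."""
    alert = parse_alert(line)
    host = local_endpoint(alert, parse_trapping_range(trapping_range))
    if host is None:
        return alert["sid"], None
    return alert["sid"], arp.get(host)


if __name__ == "__main__":
    print(resolve_violation(ALERT_LINE, "10.0.0.0/8", CONSTRUCTED_ARP))
```

With trapping.range left empty or set to a subnet that does not contain 10.1.10.21, the same alert resolves to no MAC at all, which is the "MAC NOT FOUND" outcome in Figure 4; with 10.0.0.0/8 configured, the inside client is found and the violation can be attached to its MAC.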
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users