Francois, (or anyone else willing to chime in) Thanks for the help. My replies to your questions/statements are below...
Francois> Hmm... can you "manually" check into the locationlog table to see the data? It sounds weird to me. Is it possible that the switch didn't send any traps to PF, and just authorized the node to the new port because it was already authorized somewhere else on the switch? Is your port configuration aligned with what we have in the guide?

I'm definitely receiving port-security traps. In fact this is for a student housing complex, so on some ports I'm hitting the trap limit because they've connected a WAP or router to our switch port. For those ports does it make sense (and is it okay) to increase the maximum secure addresses (i.e. "switchport port-security maximum 10 vlan access")? I want every device to be authorized, however, and I have trapping.registration set to disabled.

I think I've identified the port mapping issue as an issue with the ifIndex values on the switch, and I thought reconfiguring the initial port-security "dummy" secure MAC addresses on the switch with the proper corresponding ifIndex values would solve the issue, but after implementing this I've found that it helps only for the first MAC address detected on a port. Any other way to fix this?

I've checked the locationlog table and it is definitely seeing traps... here's an excerpt:

'28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:43', '2012-09-28 16:20:46'
'08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:46', '2012-09-28 16:20:50'
'28:6a:ba:2c:30:b5', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:50', '2012-09-28 16:20:54'
'08:86:3b:19:cb:75', '10.101.12.181', '13', '108', 'SNMP-Traps', '', '', '2012-09-28 16:20:54', '2012-09-28 16:20:58'

So this is one of the interfaces that has several MAC addresses hanging off it (such as a WAP, switch or SOHO router).

Francois> Please let me know the IOS version, and switch model.
One of the switch models having this issue is a WS-C3550-48-EMI, Cisco IOS Software, C3550 Software (C3550-IPBASEK9-M), Version 12.2(50)SE, RELEASE SOFTWARE (fc1). I don't seem to be having the issue with the HP ProCurve 2510 model switch that is also in use. We plan on replacing the Cisco switches with the cheaper HP 2510s as budget allows (3 yrs to completion).

Francois> Ok so the rule has been triggered for an OUTSIDER IP (Tracker response to a local client). We just validate outgoing traffic, not incoming.

I want snort to validate the outgoing traffic, but it doesn't seem to be catching that. Something wrong with my snort config? I haven't modified it in any way from what was provided with PacketFence. Do I need to?

Francois> To trap the user, you need the "trap" actions, and you also need the proper trapping.range configured in pf.conf. trapping.range represents the internal subnets in your network (i.e. 10.0.0.0/8 will catch all 10.x.x.x IPs).

I've not set the trap action yet because I'm not receiving any e-mail alerts, nor seeing any violations in the violations.log yet. I have the trapping parameters defined as follows:

[trapping]
detection=enabled
range=192.168.0.0/16,172.20.0.0/16,10.0.0.0/8,172.168.0.0/16
registration=disabled

We've got some Comcast modems that were incorrectly configured (by Comcast) to hand out 172.168.x.x/24 addresses, so that is why I have the 172.168.0.0/16 range defined. I plan on reconfiguring all the modems soon and then they'll all fall into the 172.20.x.x/16 range.

Thanks again,
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]

-----Original Message-----
From: Francois Gaudreault [mailto:[email protected]]
Sent: Tuesday, October 02, 2012 08:30 AM
To: [email protected]
Subject: Re: [PacketFence-users] Two oddities

Hi Gavin,

> I'm in the middle of implementing PacketFence and I'm running into a couple
> strange things.
> The first oddity is that PacketFence is mapping the MAC address of some
> clients to the wrong switch port on some interfaces on my Cisco switches.
>
> #### Figure 1 ####
> #sh port-security address
>           Secure Mac Address Table
> ------------------------------------------------------------------------
> Vlan    Mac Address       Type                 Ports   Remaining Age
>                                                           (mins)
> ----    -----------       ----                 -----   -------------
>  112    0200.0001.0001    SecureConfigured     Fa0/1        -
>  112    0200.0001.0002    SecureConfigured     Fa0/2        -
>  112    c42c.030d.6cdf    SecureConfigured     Fa0/7        -
> ... (truncated)
>  112    20aa.4be3.eeb0    SecureConfigured     Fa0/18       -
> ------------------------------------------------------------------------
> Total Addresses in System (excluding one mac per port)     : 0
> Max Addresses limit in System (excluding one mac per port) : 5120
>
> #### Figure 2 ####
> [root@mint conf]# ../bin/pfcmd locationhistorymac c4:2c:03:0d:6c:df
> mac|switch|port|vlan|connection_type|dot1x_username|ssid|start_time|end_time
> c4:2c:03:0d:6c:df|10.101.12.231|7|112|Wired SNMP|||2012-09-28 12:11:16|
> [root@mint conf]#
>
> #### Figure 3 ####
> [root@mint conf]# ../bin/pfcmd locationhistorymac 20:aa:4b:e3:ee:b0
> mac|switch|port|vlan|connection_type|dot1x_username|ssid|start_time|end_time
> 20:aa:4b:e3:ee:b0|10.101.12.231|14|112|Wired SNMP|||2012-09-28 10:14:02|
> [root@mint conf]#
>
> As you can see in Figure 1 & 2, the switch shows that c42c.030d.6cdf is on
> fa0/7, and in this case PF agrees. However when comparing Figure 1 & 3, the
> switch secure MAC address table thinks that 20aa.4be3.eeb0 is on fa0/18, but
> PF thinks it is on fa0/14. What could cause this?

Hmm... can you "manually" check into the locationlog table to see the data? It sounds weird to me. Is it possible that the switch didn't send any traps to PF, and just authorized the node to the new port because it was already authorized somewhere else on the switch?
Is your port configuration aligned with what we have in the guide? Please let me know the IOS version, and switch model.

> The second oddity is that I'm trying to detect P2P programs and for now only
> send e-mail alerts, but eventually, we'll want to isolate these offenders.
> Anyway I'm not getting any violations to appear in the GUI, but I see them
> in the packetfence.log.
>
> ### Figure 4 ###
> Sep 28 12:29:04 pfdetect(27330) INFO: alert received: 09/28-12:29:04.551222 [**] [1:2003313:3] ET P2P Edonkey Connect Reply and Server List [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 124.81.143.187:6783 -> 10.1.10.21:16634 (main::)
> Sep 28 12:29:04 pfdetect(27330) INFO: could not resolve 124.81.143.187 to mac in ARP table (pf::iplog::ip2macinarp)
> Sep 28 12:29:04 pfdetect(27330) WARN: could not resolve 124.81.143.187 to mac (pf::iplog::ip2mac)
> Sep 28 12:29:04 pfdetect(27330) WARN: pfdetect: 124.81.143.187 MAC NOT FOUND for violation 2003313 [ET] (main::)
>
> It appears that snort is seeing these violations, but it is comparing the
> remote IP address to the PF database and not finding a match. I'm thinking
> the correct behavior would be to search the DB for the local address
> (10.1.10.21) and resolve that to a MAC and send the alert. Is there
> something I can look for in my configs to fix this issue?

Ok so the rule has been triggered for an OUTSIDER IP (Tracker response to a local client). We just validate outgoing traffic, not incoming.
> violations.conf
> -----------------
> [1100006]
> desc=P2P Isolation (snort example)
> url=/remediation.php?template=p2p
> trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,Detect::2002761,Detect::2001796,Detect::2001812
> enabled=Y
> window=
> vclose=
> actions=email,log

To trap the user, you need the "trap" actions, and you also need the proper trapping.range configured in pf.conf. trapping.range represents the internal subnets in your network (i.e. 10.0.0.0/8 will catch all 10.x.x.x IPs).

Hope it helps.

--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
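Editor's note on the first oddity. Gavin says he reworked the port-security "dummy" secure MACs so that each one carries the ifIndex of its port, and Francois asks whether the port configuration matches the guide. The script below is an added example written for this thread (it is not PacketFence code and not from either poster) that makes that check mechanical: it generates the per-interface dummy-MAC lines from an ifIndex-to-ifName table and, going the other way, parses "show port-security address" output and flags every dummy MAC whose encoded ifIndex does not belong to the port it sits on. The only assumption is the encoding visible in Figure 1: 0200.0001.0001 sits on Fa0/1, which reads as 02:00:00: followed by the ifIndex written as six zero-padded decimal digits (10001); verify that against the PacketFence Network Devices guide for your release before relying on it. The ifName table and the show output are constructed, with one ifIndex gap inserted so that an off-by-one mapping becomes visible.

```python
"""Check that Cisco port-security "dummy" secure MACs encode the right ifIndex.

Added example for this thread; not PacketFence code. Assumption (from Figure 1:
0200.0001.0001 on Fa0/1, i.e. ifIndex 10001): the dummy MAC is 02:00:00:
followed by the ifIndex as six zero-padded decimal digits. The ifName table
and the show output below are constructed.
"""
import re

FAKE_PREFIX = "0200.00"   # 02:00:00:xx:xx:xx in Cisco dotted notation (data VLAN)

# Constructed stand-in for `snmpwalk ... IF-MIB::ifName` on an access switch.
# ifIndex 10003 is deliberately absent so that an off-by-one shows up below.
IFNAME_TABLE = {
    10001: "Fa0/1",
    10002: "Fa0/2",
    10004: "Fa0/3",
    10005: "Fa0/4",
}

# Constructed `show port-security address` output shaped like Figure 1, as it
# would look after numbering the dummy MACs 1..4 by port name, not by ifIndex.
SHOW_PORT_SECURITY = """\
          Secure Mac Address Table
------------------------------------------------------------------------
Vlan    Mac Address       Type                 Ports   Remaining Age (mins)
----    -----------       ----                 -----   -------------
 112    0200.0001.0001    SecureConfigured     Fa0/1        -
 112    0200.0001.0002    SecureConfigured     Fa0/2        -
 112    0200.0001.0003    SecureConfigured     Fa0/3        -
 112    0200.0001.0004    SecureConfigured     Fa0/4        -
 112    c42c.030d.6cdf    SecureConfigured     Fa0/7        -
------------------------------------------------------------------------
"""

SECURE_MAC_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+(?P<type>\S+)\s+(?P<port>\S+)")


def fake_mac_for(ifindex):
    """Dummy MAC for an ifIndex in Cisco dotted form: 10001 -> '0200.0001.0001'."""
    digits = "%06d" % ifindex            # six decimal digits, zero padded
    return FAKE_PREFIX + digits[:2] + "." + digits[2:]


def ifindex_from_fake_mac(mac):
    """Inverse of fake_mac_for(); raises ValueError for anything else."""
    m = re.fullmatch(r"0200\.00(\d\d)\.(\d{4})", mac.lower())
    if m is None:
        raise ValueError("not a data-VLAN dummy MAC: %s" % mac)
    return int(m.group(1) + m.group(2))


def port_security_config(ifname_table):
    """Emit the per-interface dummy-MAC line for every port in the table."""
    lines = []
    for ifindex, ifname in sorted(ifname_table.items()):
        lines.append("interface %s" % ifname)
        lines.append(" switchport port-security mac-address %s" % fake_mac_for(ifindex))
    return "\n".join(lines)


def check_secure_mac_table(show_output, ifname_table):
    """Parse `show port-security address` and report dummy MACs whose encoded
    ifIndex is not the ifIndex of the port they are configured on.

    Returns (port, mac, encoded_ifindex, expected_ifindex) tuples. Real client
    MACs are skipped; a port missing from the table reports expected=None.
    """
    name_to_index = {name: idx for idx, name in ifname_table.items()}
    problems = []
    for line in show_output.splitlines():
        m = SECURE_MAC_RE.match(line)
        if m is None or not m.group("mac").startswith(FAKE_PREFIX):
            continue
        encoded = ifindex_from_fake_mac(m.group("mac"))
        expected = name_to_index.get(m.group("port"))
        if encoded != expected:
            problems.append((m.group("port"), m.group("mac"), encoded, expected))
    return problems


if __name__ == "__main__":
    print(port_security_config(IFNAME_TABLE))
    for port, mac, got, want in check_secure_mac_table(SHOW_PORT_SECURITY, IFNAME_TABLE):
        print("MISMATCH %s: %s encodes ifIndex %d, switch says %s" % (port, mac, got, want))
```

To run it against a real switch, replace IFNAME_TABLE with the result of "snmpwalk -v2c -c <community> <switch> IF-MIB::ifName" (the OID suffix is the ifIndex) and paste the actual "show port-security address" output; the locationlog "port" column in the excerpt above is also an ifIndex, so it can be compared against the same table. A mismatch here explains a wrong port for the first MAC on a port; it does not by itself explain why later MACs on a multi-host port still map wrongly, which remains the open question in the thread.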
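Editor's note on the second oddity. Francois's answer is that pfdetect raises the violation for the alert's source IP and only validates outgoing traffic, so a tracker reply (remote source, local destination) is dropped with "MAC NOT FOUND". The script below is an added example for this thread (not PacketFence code, not from either poster) that reproduces just that direction logic: it parses a Snort "fast" alert line, checks whether the source falls inside trapping.range as posted, and then looks the SID up in the Detect:: triggers of the posted violations.conf. Running it shows two separate reasons the posted alert could never become a violation: its source is 124.81.143.187, and, as the trigger list stands, SID 2003313 is not among the nineteen Detect:: entries of [1100006] anyway. The Figure 4 alert and the two config fragments are taken from the thread; the two outgoing alert lines are constructed. One caveat on the posted range: 172.168.0.0/16 is public address space (RFC 1918 covers 172.16.0.0/12 only), so until the Comcast modems are fixed that entry also marks some Internet hosts as internal.

```python
"""Which side of a Snort alert pfdetect resolves, and whether the SID is a trigger.

Added example for this thread; not PacketFence code. It models only what
Francois states: the violation is raised for the alert's *source* IP, and only
an inside source (within trapping.range) counts. The two outgoing alert lines
are constructed; the first alert and the config texts are from the thread.
"""
import configparser
import ipaddress
import re

# pf.conf [trapping] range as posted (172.168.0.0/16 is not RFC 1918 space).
TRAPPING_RANGE = "192.168.0.0/16,172.20.0.0/16,10.0.0.0/8,172.168.0.0/16"

# The [1100006] section of violations.conf as posted, trigger list rejoined.
VIOLATIONS_CONF = """\
[1100006]
desc=P2P Isolation (snort example)
url=/remediation.php?template=p2p
trigger=Detect::2001808,Detect::2000334,Detect::2000357,Detect::2000369,\
Detect::2000330,Detect::2000331,Detect::2000332,Detect::2000333,\
Detect::2001296,Detect::2001297,Detect::2001298,Detect::2001299,\
Detect::2001305,Detect::2001300,Detect::2001664,Detect::2002760,\
Detect::2002761,Detect::2001796,Detect::2001812
enabled=Y
window=
vclose=
actions=email,log
"""

# Figure 4's alert (tracker reply, remote -> local) ...
PAGE_ALERT = (
    "09/28-12:29:04.551222 [**] [1:2003313:3] ET P2P Edonkey Connect Reply and Server List [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} "
    "124.81.143.187:6783 -> 10.1.10.21:16634")
# ... and two CONSTRUCTED outgoing alerts from the same local host.
OUTGOING_NO_TRIGGER = (
    "09/28-12:30:00.000000 [**] [1:2003313:3] ET P2P Edonkey Connect Reply and Server List [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} "
    "10.1.10.21:16634 -> 124.81.143.187:6783")
OUTGOING_TRIGGERED = (
    "09/28-12:31:00.000000 [**] [1:2001808:3] CONSTRUCTED P2P test rule [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} "
    "10.1.10.21:16634 -> 124.81.143.187:6783")

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_alert(line):
    """Pull SID, message, protocol and both endpoints out of a Snort 'fast' alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    return d


def parse_range(spec):
    """trapping.range (comma-separated CIDRs) -> list of ip_network objects."""
    return [ipaddress.ip_network(n.strip()) for n in spec.split(",") if n.strip()]


def is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def load_triggers(conf_text):
    """Map Snort SID -> violation id from every 'Detect::<sid>' trigger entry."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sid_to_vid = {}
    for vid in cp.sections():
        for trig in cp.get(vid, "trigger", fallback="").split(","):
            kind, _, value = trig.strip().partition("::")
            if kind == "Detect" and value.isdigit():
                sid_to_vid[int(value)] = vid
    return sid_to_vid


def evaluate(line, range_spec=TRAPPING_RANGE, conf_text=VIOLATIONS_CONF):
    """Return (sid, ip_to_resolve, violation_id, reason) for one alert line."""
    alert = parse_alert(line)
    if alert is None:
        return (None, None, None, "unparseable alert line")
    if not is_internal(alert["src"], parse_range(range_spec)):
        return (alert["sid"], None, None,
                "source %s outside trapping.range: incoming traffic, ignored" % alert["src"])
    vid = load_triggers(conf_text).get(alert["sid"])
    if vid is None:
        return (alert["sid"], alert["src"], None,
                "inside source, but no Detect::%d trigger in violations.conf" % alert["sid"])
    return (alert["sid"], alert["src"], vid,
            "violation %s: resolve %s to a MAC via iplog, then apply its actions" % (vid, alert["src"]))


if __name__ == "__main__":
    for line in (PAGE_ALERT, OUTGOING_NO_TRIGGER, OUTGOING_TRIGGERED):
        print(evaluate(line))
```

Feed it lines from the packetfence.log "alert received" entries (the part after "alert received:") to see which of the three outcomes each one hits; only the third, an inside source whose SID is in a trigger list, reaches the MAC lookup that pfdetect logs in Figure 4.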
