Due to a dumb bug in Palo Alto Networks firewall OS (starting at version 5.0.3,
DHCP replies broken for VLAN interfaces), I recently lost DHCP visibility for
half of my PF clients.
I see four potential sources of DHCP lease information for the iplog. I'm
leaning towards #2, unless #1 already exists:
1. Radius accounting logs. Does PacketFence already take these into
account? Could it?
2. Syslog. The firewall could send syslog packets including " dhcp lease
started ip 137.22.254.189 --> mac 1c:2d:3e:4f:5a:6b, interface
ethernet1/10.185" to PF and then I would write something a lot like
pfdhcplistener to process them. Complication: Do the functions like
iplog_open() and iplog_close_now() continue to exist in PF 4.0?
3. Forged DHCP packets. In theory, I could create a syslog listener that
reinjected raw, forged DHCP packets into pfdhcplistener.
4. (R)SPAN port or ACL capture. This is substantially complicated by the
firewall, Aruba hardware, and Cisco Nexus hardware that changes how ACL capture
works.
Should I spend some time on #2?
I'm running a patched PacketFence 3.5, to be 4.0 in June, probably.
--
Rich Graves http://claimid.com/rcgraves
Carleton.edu Sr UNIX and Security Admin
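As an added illustration of option #2 (this is example code written for this page, not PacketFence's pfdhcplistener or any Palo Alto Networks code), the sketch below parses the syslog message format quoted in the post into iplog-style "open" events. The message body regex follows the quoted line exactly; the syslog header in front of it (PRI, timestamp, hostname), the dotted Cisco-style MAC variant, and all sample lines are constructed assumptions, not captured firewall output. Lines that do not carry a well-formed IPv4 address and a 48-bit MAC are dropped rather than inserted, which is the check a listener feeding iplog would want before calling anything like iplog_open().

```python
"""Parse Palo Alto Networks DHCP lease syslog lines into iplog-style events.

Added example for the PacketFence-users thread above; not PacketFence or
PAN-OS code. Only the message body format quoted in the post is known;
the syslog header and the sample lines below are constructed.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Message body as quoted in the post. Anything before "dhcp lease started"
# (syslog PRI, timestamp, host) is ignored, so a header is optional.
LEASE_RE = re.compile(
    r"dhcp lease started ip (?P<ip>\S+) --> mac (?P<mac>[0-9A-Fa-f:.-]+),"
    r"\s*interface (?P<iface>\S+)",
    re.IGNORECASE,
)


def normalize_mac(raw: str) -> Optional[str]:
    """Return a lowercase colon-separated MAC (the form PF stores), or None
    if the field does not contain exactly 48 bits of hex."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        return None
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def parse_lease_line(line: str) -> Optional[Dict[str, str]]:
    """Turn one syslog line into an iplog 'open' event, or None if the line
    is not a lease-start message or carries a malformed IP or MAC."""
    m = LEASE_RE.search(line)
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet out of range; never insert garbage
    mac = normalize_mac(m.group("mac"))
    if mac is None:
        return None
    return {"action": "open", "ip": ip, "mac": mac, "interface": m.group("iface")}


def parse_feed(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse a batch of syslog lines, keeping only valid lease events."""
    return [ev for ev in (parse_lease_line(l) for l in lines) if ev is not None]


# Constructed sample input: one well-formed line using the values from the
# post, one with a dotted MAC to exercise normalization, and three lines
# that must be rejected (truncated MAC, out-of-range IP, unrelated message).
SAMPLE_LINES = [
    "<14>May 20 14:02:11 fw1 dhcp lease started ip 137.22.254.189 "
    "--> mac 1c:2d:3e:4f:5a:6b, interface ethernet1/10.185",
    "<14>May 20 14:02:12 fw1 dhcp lease started ip 137.22.254.190 "
    "--> mac 1c2d.3e4f.5a6c, interface ethernet1/10.185",
    "<14>May 20 14:02:13 fw1 dhcp lease started ip 137.22.254.191 "
    "--> mac 1c:2d:3e:4f:5a, interface ethernet1/10.185",
    "<14>May 20 14:02:14 fw1 dhcp lease started ip 137.22.254.300 "
    "--> mac 1c:2d:3e:4f:5a:6d, interface ethernet1/10.185",
    "<14>May 20 14:02:15 fw1 System log: interface ethernet1/10 link up",
]

if __name__ == "__main__":
    for event in parse_feed(SAMPLE_LINES):
        print(event)
```

In a real listener the loop body would hand each event to the iplog layer; the parser is kept separate so the same validation can be unit-tested against captured firewall lines before anything touches the database.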
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users