Hi Derek,
Thanks for your reply. I've been out on vacation or I would have replied
sooner. I have tried "registration=disabled" in the [trapping] section of
pf.conf, but the result is no internet connectivity. PF is hijacking DNS and
redirecting any attempts to access internet sites to itself.
If I enable registration, the process works fine; however, I don't want to put
our students through the registration process. I'm hoping we can just bypass
registration and allow any device, but still use PF to block P2P traffic.
I think PF uses ipset to authorize/redirect traffic for devices based on a
flag, and I'm admittedly not certain how it works, but I suspect ipset is
marking the IP address as unregistered so the firewall is redirecting all the
traffic from the unregistered addresses to itself. So I enabled the
"auto-register device example" and ensured that the Windows 8 OS is one of the
triggers. It creates and closes a violation, but the device is still
unregistered, so no internet access.
Here's my pf.conf:
# Student subnet: enforcement=inline means PacketFence itself routes and filters this network's traffic
[interface inside.1101]
enforcement=inline
ip=192.168.101.254
type=internal
mask=255.255.255.0
[interface mgmt]
ip=10.254.254.254
type=management
mask=255.255.255.0
[database]
pass=NotReallyThePassword
[general]
dhcpservers=127.0.0.1,192.168.101.254
domain=cca.greenriver.edu
hostname=pepper
logo=/common/cca_banner6.jpg
timezone=America/Los_Angeles
[alerting]
[email protected]
[email protected]
smtpserver=smtp
[guests_self_registration]
modes=email,sms
email_activation_timeout=10m
mandatory_fields=firstname,lastname,phone,mobileprovider,email
access_duration=30D
[network]
dhcpoption82logger=enabled
[inline]
# interface through which inline clients' traffic is source-NATed out
interfaceSNAT=outside.101
[services]
dhcpd=enabled
named=enabled
[trapping]
range=192.168.101.0/24
detection=enabled
# whether devices must register before they get network access
registration=disabled
# second internal interface: monitor (sniffing) type, no enforcement
[interface inside]
ip=172.16.16.16
mask=255.255.255.0
type=monitor
enforcement=
[registration]
auth=ldap
default_auth=ldap
skip_reminder=15m
expire_mode=deadline
expire_deadline=2013-12-23 00:00:01
expire_window=12M
#guests_self_registration=enabled
#gaming_devices_registration=enabled
skip_mode=deadline
maxnodes=0
skip_deadline=2013-10-07 12:00:00
range=192.168.101.0/24
guests_self_registration=disabled
[captive_portal]
network_detection=enabled
############################################
Here's a section of violations.conf:
# violation id; actions=autoreg registers the node automatically when a trigger matches
[1100007]
desc=Auto-register Device example
priority=1
# OS::<id> triggers match operating-system ids from the DHCP fingerprint database
trigger=OS::3,OS::6,OS::7,OS::8,OS::10,OS::12,OS::13,OS::109
actions=autoreg,log
grace=5m
window=
vclose=
url=
vlan=normalVlan
enabled=Y
Thanks,
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]
Breathe easy - Green River is now tobacco-free!
<http://www.greenriver.edu/about-grcc/policies-and-procedures/new-policies/ga-02-tobacco-use.htm>
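Reading a pf.conf and a violations.conf by eye, as in the message above, makes it easy to lose track of which of trapping.registration, an autoreg violation and the registration deadlines is actually in play. The script below is an added example for this thread; it is not PacketFence code and not something Gavin or Derek posted. It parses trimmed copies of the two files above (the garbled [alerting] lines are left out) and reports the registration-related settings together with a few consistency findings. It only reads the configuration: it does not model how PacketFence turns these settings into iptables/ipset rules, so it cannot by itself explain the DNS redirect Gavin describes. The list of checks and the wording of the findings are my own choices, not PacketFence's.

```python
"""Audit the registration-related settings in a PacketFence pf.conf and
violations.conf pair.  Added example for this thread, not PacketFence code.
The sample configs are trimmed copies of the files posted above; the audit
only reports what the files say, not how PacketFence enforces them."""
import configparser
from datetime import datetime

PF_CONF = """\
[interface inside.1101]
enforcement=inline
ip=192.168.101.254
type=internal
mask=255.255.255.0
[inline]
interfaceSNAT=outside.101
[trapping]
range=192.168.101.0/24
registration=disabled
[interface inside]
ip=172.16.16.16
type=monitor
enforcement=
[registration]
skip_mode=deadline
skip_deadline=2013-10-07 12:00:00
expire_mode=deadline
expire_deadline=2013-12-23 00:00:01
range=192.168.101.0/24
"""

VIOLATIONS_CONF = """\
[1100007]
desc=Auto-register Device example
trigger=OS::3,OS::6,OS::7,OS::8,OS::10,OS::12,OS::13,OS::109
actions=autoreg,log
enabled=Y
"""

def parse_ini(text):
    """Both files are INI; keep key case so interfaceSNAT survives as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def inline_interfaces(pf):
    """Names of the [interface X] sections that have enforcement=inline."""
    return [s.split(" ", 1)[1] for s, kv in pf.items()
            if s.startswith("interface ") and kv.get("enforcement") == "inline"]

def autoreg_violations(viol):
    """Violations whose actions include autoreg, with the OS ids they fire on."""
    found = {}
    for vid, kv in viol.items():
        actions = [a.strip() for a in kv.get("actions", "").split(",")]
        if "autoreg" in actions:
            triggers = kv.get("trigger", "").split(",")
            found[vid] = {
                "enabled": kv.get("enabled", "N").upper() == "Y",
                "os_ids": [t.split("::", 1)[1] for t in triggers if t.startswith("OS::")],
            }
    return found

def audit(pf_text, viol_text, today):
    """Summarise what decides registration; `today` is YYYY-MM-DD for deadline checks."""
    pf, viol = parse_ini(pf_text), parse_ini(viol_text)
    trapping, reg = pf.get("trapping", {}), pf.get("registration", {})
    now = datetime.strptime(today, "%Y-%m-%d")
    report = {
        "registration_required": trapping.get("registration", "enabled") != "disabled",
        "inline_interfaces": inline_interfaces(pf),
        "autoreg_violations": autoreg_violations(viol),
        "findings": [],
    }
    add = report["findings"].append
    active = [v for v, d in report["autoreg_violations"].items() if d["enabled"]]
    if not report["registration_required"] and active:
        add("trapping.registration=disabled while autoreg violation(s) %s are enabled: "
            "decide which of the two is meant to govern access" % ",".join(active))
    if report["registration_required"] and not active:
        add("registration is required and no enabled violation auto-registers devices")
    if report["inline_interfaces"] and not pf.get("inline", {}).get("interfaceSNAT"):
        add("inline enforcement configured but [inline] interfaceSNAT is unset")
    if trapping.get("range") != reg.get("range"):
        add("trapping.range and registration.range differ")
    for key in ("skip_deadline", "expire_deadline"):  # a past deadline is a common surprise
        if key in reg and datetime.strptime(reg[key], "%Y-%m-%d %H:%M:%S") <= now:
            add("registration.%s (%s) is already in the past" % (key, reg[key]))
    return report

if __name__ == "__main__":
    for finding in audit(PF_CONF, VIOLATIONS_CONF, "2013-09-23")["findings"]:
        print("-", finding)
```

Run against the posted settings with a date from the week of this thread, it reports one finding (registration disabled in [trapping] while the autoreg violation is enabled) and no expired deadlines; re-run a few months later it flags both deadlines, which is the sort of drift that is hard to spot in a long pf.conf.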
From: Derek Wuelfrath [mailto:[email protected]]
Sent: Thursday, September 19, 2013 7:23 AM
To: [email protected]
Subject: Re: [PacketFence-users] Inline Auto-Register
Hello Gavin,

> Hi,
> Should the auto register violation work on an inline configuration? For me it
> is not. I just want to use PacketFence to quarantine systems that are using
> P2P software. I don't care who is connected to the network or if they've
> registered.
If I understand correctly, you don't want users to register their devices to
access the network is this right ?
If so, please see the following:
https://github.com/inverse-inc/packetfence/blob/stable/conf/documentation.conf#L245
tl;dr
Add the following to your conf/pf.conf file:
[trapping]
registration=disabled
Cheers!
dw.
--
Derek Wuelfrath
[email protected] :: +1.514.447.4918 (x110) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
On 2013-09-16, at 5:02 PM, Gavin Pyle <[email protected]> wrote:
Hi,
Should the auto register violation work on an inline configuration? For me it
is not. I just want to use PacketFence to quarantine systems that are using
P2P software. I don't care who is connected to the network or if they've
registered.
Thanks,
---------------------------------------------------------------------------------------
Gavin Pyle | Network Engineer | Green River Community College
[email protected]
Breathe easy - Green River is now tobacco-free!
<http://www.greenriver.edu/about-grcc/policies-and-procedures/new-policies/ga-02-tobacco-use.htm>
PacketFence-users mailing list
[email protected]<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users