Hi Fabrice,
In the last line of the function getViolationVlan I replaced the following
statement:
return $vlan_number;
with this one: return 7;
7 is the vlan number I am testing. I have had this vlan configured on the
switch and PF as well. I expected the vlan to be changed to 7 after the
violation happens.
I did see packetfence.log mention that the vlan should be changed from 3 to
7 but it did not happen. Below is part of the log:
Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac dc:0e:a1:8a:d4:8f
vid 1200001 modified (pf::violation::violation_modify)
Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd
manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for
dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node
dc:0e:a1:8a:d4:8f (manage_vclose called)
(pf::enforcement::reevaluate_access)
Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog
connected at 172.16.123.22 ifIndex 10101 in VLAN 3
(pf::enforcement::_should_we_reasign_vlan)
Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for
dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3)
pf::vlan::custom::getViolationVlan)
Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for
dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7)
(pf::enforcement::_shoud_we_reassign_vlan)
Anything else I should look at?
On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
> Hi Fabrice,
>
> Thank you for the tips, but could you please give me more details on how
> to get this done as I am not good at programming.
>
> I have copied the function "sub getViolationVlan {....}" from
> /usr/local/pf/lib/pf/vlan.pm and pasted it into
> /usr/local/pf/lib/pf/vlan/custom.pm.
>
> Then how do I do the test? Where should I put the script you mentioned
> below? Are 666 and 777 in your script the vlan id of isolation vlan?
> Thanks again for your help.
>
>
>
> On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
>
>> Hello,
>>
>> I suppose that you set roles based on the registration source, like AD ->
>> Employee and Sponsor -> Guest.
>>
>> In fact you have to overwrite the vlan id of the isolation vlan, look at
>> the vlan/custom.pm and add function getViolationVlan (copy and paste
>> from vlan.pm).
>>
>> Now you will be able to write your own test like:
>>
>> if ($node_info->{'category'} eq 'Employee') {
>>     return 666;
>> } elsif ($node_info->{'category'} eq 'Guest') {
>>     return 777;
>> }
>>
>>
>> Regards
>> Fabrice
>>
>> On 2014-03-27 12:17, forbmsyn wrote:
>>
>> Hi,
>>
>> I have two types of user: one registered via sponsor, I call it client;
>> the other one is Active Directory user, I call it employee.
>>
>> After the device has been scanned by Nessus and a violation is triggered,
>> I would like to redirect the device to different vlans depending on the type
>> of the login user. For example the client will be switched to the
>> isolation_client vlan, while the employee will be switched to the
>> isolation_employee vlan. Is there a way to accomplish this?
>>
>> Thanks a lot in advance.
>>
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
>> --
>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>> (http://packetfence.org)
>>
>>
>>
>
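As an added illustration of the override Fabrice describes (example code written for this thread, not code from the thread or from the PacketFence project), this is what a category-aware getViolationVlan in /usr/local/pf/lib/pf/vlan/custom.pm could look like. It assumes the PacketFence 4.x argument order of getViolationVlan, that node_view from pf::node returns a hashref with a category key, that the switch object provides getVlanByName, and that VLAN names isolation_employee and isolation_client are defined for the switch in switches.conf; these are assumptions, so compare with the copy of the function in your installed vlan.pm.

```perl
package pf::vlan::custom;
use strict;
use warnings;
use Log::Log4perl;
use pf::node;       # node_view()
use pf::violation;  # violation_count_trap(), violation_view_top()
use base ('pf::vlan');

# Assumed mapping: node category -> isolation VLAN *name* as defined in switches.conf.
my %ISOLATION_VLAN_BY_CATEGORY = (
    Employee => 'isolation_employee',
    Guest    => 'isolation_client',
);

sub getViolationVlan {
    # Assumed argument order (PacketFence 4.x); check against vlan.pm on your install.
    my ($this, $switch, $ifIndex, $mac, $connection_type, $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger(ref($this));

    # No open violation with action=trap: nothing to override, keep normal VLAN logic.
    return 0 if violation_count_trap($mac) == 0;

    # Fetch the node's category ourselves; the original function does not pass it in.
    my $node_info = node_view($mac);
    my $category  = defined $node_info ? ($node_info->{category} // '') : '';

    # Choose the isolation VLAN name from the category, default to plain 'isolation'.
    my $vlan_name = $ISOLATION_VLAN_BY_CATEGORY{$category} // 'isolation';

    # Resolve the name through the switch configuration instead of hard-coding a
    # number, so the same custom.pm works for every switch and ids stay in switches.conf.
    my $vlan_number = $switch->getVlanByName($vlan_name);
    if (!defined $vlan_number) {
        $logger->warn("VLAN '$vlan_name' is not defined for this switch; "
                    . "falling back to 'isolation'");
        $vlan_number = $switch->getVlanByName('isolation');
    }

    # Log which violation drove the decision, like the stock function does.
    my $top = violation_view_top($mac);
    my $vid = (defined $top && defined $top->{vid}) ? $top->{vid} : 'unknown';
    $logger->info("highest priority violation for $mac is $vid. Category '$category' "
                . "-> target VLAN $vlan_name ($vlan_number)");
    return $vlan_number;
}

1;
```

A "VLAN reassignment required ... should be in VLAN N" line in packetfence.log only confirms the value this function returned; the actual port change happens afterwards in the enforcement code, so the switch's own logs are the place to confirm it.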