Also, I am getting the following message after adding the script in /usr/local/pf/lib/pf/vlan/custom.pm.
[root@vmpf vlan]# service packetfence status
Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 196.
Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 200.

Sorry for sending out so many questions. Please shed some light on this. Thanks.

On Wed, Apr 2, 2014 at 1:58 PM, forbmsyn <[email protected]> wrote:

> Hi Fabrice,
>
> In the last line of the function getViolationVlan I replaced the following
> statement:
>
> return $vlan_number;
>
> with this one:
>
> return 7;
>
> 7 is the vlan number I am testing. I have had this vlan configured on the
> switch and PF as well. I expected the vlan to be changed to 7 after the
> violation happens.
>
> I did see packetfence.log mention that the vlan should be changed from 3
> to 7, but it did not happen. Below is part of the log:
>
> Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac dc:0e:a1:8a:d4:8f vid 1200001 modified (pf::violation::violation_modify)
> Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
> Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
> Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node dc:0e:a1:8a:d4:8f (manage_vclose called) (pf::enforcement::reevaluate_access)
> Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog connected at 172.16.123.22 ifIndex 10101 in VLAN 3 (pf::enforcement::_should_we_reasign_vlan)
> Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3) pf::vlan::custom::getViolationVlan)
> Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7) (pf::enforcement::_shoud_we_reassign_vlan)
>
> Anything else I should look at?
>
> On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
>
>> Hi Fabrice,
>>
>> Thank you for the tips, but could you please give me more details on how
>> to get this done, as I am not good at programming.
>>
>> I have copied the function "sub getViolationVlan {....}" from
>> /usr/local/pf/lib/pf/vlan.pm and pasted it into
>> /usr/local/pf/lib/pf/vlan/custom.pm.
>>
>> Then how do I do the test? Where should I put the script you mentioned
>> below? Are 666 and 777 in your script the vlan ids of the isolation vlan?
>> Thanks again for your help.
>>
>> On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> I suppose that you set roles based on the registration source, like AD
>>> -> Employee and Sponsor -> Guest.
>>>
>>> In fact you have to overwrite the vlan id of the isolation vlan. Look at
>>> vlan/custom.pm and add the function getViolationVlan (copy and paste
>>> from vlan.pm).
>>>
>>> Now you will be able to write your own test like:
>>>
>>> if ($node_info->{'category'} eq 'Employee') {
>>>     return 666;
>>> } elsif ($node_info->{'category'} eq 'Guest') {
>>>     return 777;
>>> }
>>>
>>> Regards
>>> Fabrice
>>>
>>> On 2014-03-27 12:17, forbmsyn wrote:
>>>
>>> Hi,
>>>
>>> I have two types of user: one registered via sponsor, I call it
>>> client; the other one is an Active Directory user, I call it employee.
>>>
>>> After the device has been scanned by Nessus and a violation has been
>>> triggered, I would like to redirect the device to different vlans depending
>>> on the type of the login user. For example, the client will be switched to
>>> the isolation_client vlan, while the employee will be switched to the
>>> isolation_employee vlan. Is there a way to accomplish this?
>>>
>>> Thanks a lot in advance.
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>> --
>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>>
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
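
An added example, not part of the thread and not PacketFence code: a stand-alone Perl sketch of the per-role isolation VLAN choice discussed above. Under "use strict" a variable such as $node_info has to be declared with "my" before use, otherwise Perl reports "Global symbol ... requires explicit package name". Assumptions: lookup_node(), isolation_vlan_for() and the %NODES records are hypothetical stand-ins for the node lookup and the copied function body; 666 and 777 are the example ids from the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample node records keyed by MAC (stand-in for the node database).
my %NODES = (
    'dc:0e:a1:8a:d4:8f' => { category => 'Employee' },
    '00:11:22:33:44:55' => { category => 'Guest' },
    '66:77:88:99:aa:bb' => { category => 'Contractor' },
);

# Hypothetical helper: returns a hashref for a known MAC, undef otherwise.
sub lookup_node {
    my ($mac) = @_;
    return $NODES{ lc $mac };
}

# Role-to-isolation-VLAN map, using the example ids from the thread.
my %ISOLATION_VLAN_BY_CATEGORY = (
    Employee => 666,
    Guest    => 777,
);

# $default_vlan plays the part of $vlan_number at the end of the copied
# function: the isolation VLAN that would be returned without any override.
sub isolation_vlan_for {
    my ($mac, $default_vlan) = @_;

    # "my" declares the variable, which is what "use strict" insists on.
    my $node_info = lookup_node($mac);

    # Unknown node or missing role: stay in the default isolation VLAN
    # rather than returning undef or a production VLAN.
    return $default_vlan unless defined $node_info;
    my $category = $node_info->{'category'};
    return $default_vlan unless defined $category;

    # Roles without a dedicated isolation VLAN also fall back to the default.
    my $vlan = $ISOLATION_VLAN_BY_CATEGORY{$category};
    return defined $vlan ? $vlan : $default_vlan;
}

# Known Employee, known Guest, unmapped role, unknown MAC (all constructed).
for my $mac ('dc:0e:a1:8a:d4:8f', '00:11:22:33:44:55',
             '66:77:88:99:aa:bb', 'de:ad:be:ef:00:01') {
    printf "%s -> VLAN %d\n", $mac, isolation_vlan_for($mac, 3);
}
```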
