Hi,
in vlan.pm, in the sub fetchVlanForNode, change the line:

    my $violation = $this->getViolationVlan($switch, $ifIndex, $mac, $connection_type, $user_name, $ssid);

to

    my $violation = $this->getViolationVlan($switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid);

And change the function getViolationVlan like this:

    sub getViolationVlan {
        # $switch is the switch object (pf::Switch)
        # $ifIndex is the ifIndex of the computer connected to
        # $mac is the mac connected
        # $conn_type is set to the connection type expressed as the constant in pf::config
        # $user_name is set to the RADIUS User-Name attribute (802.1X Username or MAC address under MAC Authentication)
        # $ssid is the name of the SSID (Be careful: will be empty string if radius non-wireless and undef if not radius)
        my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;
Regards
Fabrice
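Putting the two pieces of advice in this thread together (the extended getViolationVlan signature above, and the per-category test from Fabrice's March 28 reply further down), here is an added example of what a complete override in /usr/local/pf/lib/pf/vlan/custom.pm could look like. It is not code from the thread or from PacketFence itself. Assumptions: pf::vlan is the parent class of pf::vlan::custom and its own getViolationVlan keeps the original signature without $node_info (so the fallback call passes the original argument list); the category names and the VLAN ids 666/777 are constructed sample values; the helper isolation_vlan_for_category and the mapping table are this example's own names.

```perl
#!/usr/bin/perl
# Added example (not from the thread or from PacketFence): a pf::vlan::custom
# override of getViolationVlan that picks the isolation VLAN from the node's
# category and otherwise keeps the stock behaviour.
package pf::vlan::custom;

use strict;
use warnings;

# Assumption: pf::vlan is the parent class, as in PacketFence's own custom.pm.
# The eval/-norequire pair lets this file compile on a machine without
# PacketFence, so the mapping logic can be exercised on its own.
BEGIN { eval { require pf::vlan; 1 } }
use parent -norequire, 'pf::vlan';

# Node category (role) -> isolation VLAN id. Constructed sample values;
# replace them with the VLAN ids configured on your switches and in PF.
my %ISOLATION_VLAN_BY_CATEGORY = (
    Employee => 666,
    Guest    => 777,
);

# Pure lookup so the policy can be tested without a switch or a node.
# Returns undef for unknown or missing categories.
sub isolation_vlan_for_category {
    my ($category) = @_;
    return unless defined $category;
    return $ISOLATION_VLAN_BY_CATEGORY{$category};
}

# Same signature as in the thread: $node_info sits between $mac and
# $connection_type, so fetchVlanForNode in vlan.pm must pass it.
sub getViolationVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info,
        $connection_type, $user_name, $ssid) = @_;

    my $category = ref $node_info eq 'HASH' ? $node_info->{'category'} : undef;
    my $vlan = isolation_vlan_for_category($category);
    return $vlan if defined $vlan;

    # Unregistered nodes or categories not in the table keep the stock
    # behaviour (the violation's configured isolation VLAN). Assumption:
    # the parent's getViolationVlan still has the original signature
    # without $node_info, as shown at the top of the thread.
    return $this->SUPER::getViolationVlan($switch, $ifIndex, $mac,
        $connection_type, $user_name, $ssid);
}

# Self-check when run directly (perl custom.pm); skipped when PacketFence
# loads the module. All values here are constructed.
unless (caller) {
    my $vlan_obj = bless {}, __PACKAGE__;
    my @cases = (
        [ { category => 'Employee' }, 666 ],
        [ { category => 'Guest'    }, 777 ],
    );
    for my $case (@cases) {
        my ($node_info, $expected) = @$case;
        my $got = $vlan_obj->getViolationVlan(undef, 10101, '00:11:22:33:44:55',
            $node_info, undef, undef, undef);
        printf "%-8s -> VLAN %s (%s)\n", $node_info->{category}, $got,
            $got == $expected ? 'ok' : 'MISMATCH';
    }
    printf "unknown category -> %s\n",
        defined isolation_vlan_for_category('Contractor')
            ? 'mapped' : 'falls back to pf::vlan';
}

1;
```

Running `perl custom.pm` on a workstation exercises only the mapping; on the PacketFence host, restart the service after editing and watch packetfence.log for the "Target VLAN for violation" and "VLAN reassignment required" lines quoted below to confirm which VLAN the override returned. Keeping unknown categories on the parent implementation means a misspelled role name degrades to the normal isolation VLAN rather than to no isolation at all.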
On 2014-04-02 15:09, forbmsyn wrote:
Also I am having the following message after adding the script in /usr/local/pf/lib/pf/vlan/custom.pm.

    [root@vmpf vlan]# service packetfence status
    Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 196.
    Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 200.

Sorry for sending out so many questions. Please shed some light on this. Thanks.
On Wed, Apr 2, 2014 at 1:58 PM, forbmsyn <[email protected]> wrote:
Hi Fabrice,
In the last line of the function getViolationVlan I replaced the following statement:

    return $vlan_number;

with this one:

    return 7;

7 is the vlan number I am testing. I have had this vlan configured on the switch and PF as well. I expected the vlan to be changed to 7 after the violation happens.
I did see packetfence.log mention that the vlan should be changed from 3 to 7, but it did not happen. Below is part of the log:
    Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac dc:0e:a1:8a:d4:8f vid 1200001 modified (pf::violation::violation_modify)
    Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
    Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
    Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node dc:0e:a1:8a:d4:8f (manage_vclose called) (pf::enforcement::reevaluate_access)
    Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog connected at 172.16.123.22 ifIndex 10101 in VLAN 3 (pf::enforcement::_should_we_reasign_vlan)
    Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3) pf::vlan::custom::getViolationVlan)
    Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7) (pf::enforcement::_shoud_we_reassign_vlan)
Anything else I should look at?
On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
Hi Fabrice,
Thank you for the tips, but could you please give me more details on how to get this done, as I am not good at programming.
I have copied the function "sub getViolationVlan {....}" from /usr/local/pf/lib/pf/vlan.pm and pasted it into /usr/local/pf/lib/pf/vlan/custom.pm.
Then how do I do the test? Where should I put the script you mentioned below? Are 666 and 777 in your script the vlan ids of the isolation vlan? Thanks again for your help.
On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
Hello,
I suppose that you set roles based on the registration source, like AD -> Employee and Sponsor -> Guest.
In fact you have to overwrite the vlan id of the isolation vlan: look at vlan/custom.pm and add the function getViolationVlan (copy and paste from vlan.pm).
Now you will be able to write your own test like:

    # $node_info->{'category'} holds the node's role (Employee, Guest, ...)
    if ($node_info->{'category'} eq 'Employee') {
        return 666;
    }
    elsif ($node_info->{'category'} eq 'Guest') {
        return 777;
    }
Regards
Fabrice
On 2014-03-27 12:17, forbmsyn wrote:
Hi,
I have two types of user: one registered via sponsor, which I call client; the other one is an Active Directory user, which I call employee.
After the device is scanned by Nessus and a violation is triggered, I would like to redirect the device to different vlans depending on the type of the logged-in user.
For example the client will be switched to the isolation_client vlan, while the employee will be switched to the isolation_employee vlan. Is there a way to accomplish this?
Thanks a lot in advance.
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)