Hi Fabrice,

The new changes worked. The error no longer exists and the switch port can be switched to the vlan I want.

But there is another issue coming up. Nessus scan was not started. After the user login, the switch port was changed right away to the vlan as I configured in custom.pm. My intention is:

1) User login.
2) Device scanned by Nessus.
3) If a violation was triggered, the switch port will be switched to either isolation_client vlan or isolation_employee vlan, depending on the type of the user account.
4) If no violation was triggered, the switch port will be switched to either client vlan or employee vlan, depending on the type of the user account.

Now it seems step 2 was skipped, and it goes to step 3 directly. Can you please help? Thank you!

On Wed, Apr 2, 2014 at 3:28 PM, Fabrice DURAND <[email protected]> wrote:

> Hi,
>
> in vlan.pm in the sub fetchVlanForNode change the line:
>
>     my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>         $connection_type, $user_name, $ssid);
>
> to
>
>     my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>         $node_info, $connection_type, $user_name, $ssid);
>
> And change the function getViolationVlan like that:
>
>     sub getViolationVlan {
>         # $switch is the switch object (pf::Switch)
>         # $ifIndex is the ifIndex of the computer connected to
>         # $mac is the mac connected
>         # $conn_type is set to the connection type expressed as the constant in pf::config
>         # $user_name is set to the RADIUS User-Name attribute (802.1X Username or MAC address under MAC Authentication)
>         # $ssid is the name of the SSID (Be careful: will be empty string if radius non-wireless and undef if not radius)
>         my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;
>
> Regards
> Fabrice
>
> On 2014-04-02 15:09, forbmsyn wrote:
>
> Also I am having the following message after adding the script in /usr/local/pf/lib/pf/vlan/custom.pm.
>
>     [root@vmpf vlan]# service packetfence status
>     Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 196.
>     Global symbol "$node_info" requires explicit package name at /usr/local/pf/lib/pf/vlan/custom.pm line 200.
>
> Sorry for sending out so many questions. Please shed some light on this. Thanks.
>
> On Wed, Apr 2, 2014 at 1:58 PM, forbmsyn <[email protected]> wrote:
>
>> Hi Fabrice,
>>
>> In the last line of the function getViolationVlan I replaced the following statement:
>>
>>     return $vlan_number;
>>
>> with this one:
>>
>>     return 7;
>>
>> 7 is the vlan number I am testing. I have had this vlan configured on the switch and PF as well. I expected the vlan should be changed to 7 after the violation happens.
>>
>> I did see packetfence.log mention that the vlan should be changed from 3 to 7 but it did not happen. Below is part of the log:
>>
>>     Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac dc:0e:a1:8a:d4:8f vid 1200001 modified (pf::violation::violation_modify)
>>     Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
>>     Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
>>     Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node dc:0e:a1:8a:d4:8f (manage_vclose called) (pf::enforcement::reevaluate_access)
>>     Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog connected at 172.16.123.22 ifIndex 10101 in VLAN 3 (pf::enforcement::_should_we_reasign_vlan)
>>     Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3) pf::vlan::custom::getViolationVlan)
>>     Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7) (pf::enforcement::_shoud_we_reassign_vlan)
>>
>> Anything else I should look at?
>>
>> On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
>>
>>> Hi Fabrice,
>>>
>>> Thank you for the tips, but could you please give me more details on how to get this done as I am not good at programming.
>>>
>>> I have copied the function "sub getViolationVlan {....}" from /usr/local/pf/lib/pf/vlan.pm and pasted it to /usr/local/pf/lib/pf/vlan/custom.pm.
>>>
>>> Then how do I do the test? Where should I put the script you mentioned below? Are 666 and 777 in your script the vlan ids of the isolation vlan? Thanks again for your help.
>>>
>>> On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
>>>
>>>> Hello,
>>>>
>>>> I suppose that you set roles based on the registration source, like AD -> Employee and Sponsor -> Guest.
>>>>
>>>> In fact you have to overwrite the vlan id of the isolation vlan, look at the vlan/custom.pm and add function getViolationVlan (copy and paste from vlan.pm).
>>>>
>>>> Now you will be able to write your own test like:
>>>>
>>>>     if ($node_info->{'category'} eq 'Employee') {
>>>>         return 666;
>>>>     } elsif ($node_info->{'category'} eq 'Guest') {
>>>>         return 777;
>>>>     }
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> On 2014-03-27 12:17, forbmsyn wrote:
>>>>
>>>> Hi,
>>>>
>>>> I have two types of user: one registered via sponsor, I call it client; the other one is an Active Directory user, I call it employee.
>>>>
>>>> After the device is scanned by Nessus and a violation is triggered, I would like to redirect the device to different vlans depending on the type of the login user. For example the client will be switched to isolation_client vlan, while the employee will be switched to isolation_employee vlan. Is there a way to accomplish this?
>>>>
>>>> Thanks a lot in advance.
>>>>
>>>> ------------------------------------------------------------------------------
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>> --
>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
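As an added example (not code from the thread, from Fabrice, or from PacketFence itself), here is how the category-based isolation vlan from Fabrice's Mar 28 message could be written as a complete custom.pm so that it keeps the stock violation check instead of replacing the return value outright, which is what makes a bare `return 7;` move the port before the scan has run. It assumes that pf::vlan::custom inherits from pf::vlan (so SUPER:: reaches the stock getViolationVlan, with the $node_info parameter added as in Fabrice's Apr 2 message), that the stock sub returns a positive vlan id only when the node has an open violation, and that Log::Log4perl is available; the 666/777 ids are the placeholders from Fabrice's message, not real vlan ids.

```perl
package pf::vlan::custom;

# Added example, not from the thread or from PacketFence: an override of
# getViolationVlan for /usr/local/pf/lib/pf/vlan/custom.pm that lets the stock
# code decide whether a violation is open and only swaps the isolation vlan
# according to the node category.
#
# Assumptions (not confirmed by the thread):
#   - pf::vlan::custom inherits from pf::vlan, so SUPER::getViolationVlan is the
#     stock implementation with $node_info added to its parameter list;
#   - the stock implementation returns a positive vlan id only when the node has
#     an open violation, and something else (0, -1 or undef) otherwise;
#   - Log::Log4perl is available, as it is elsewhere in PacketFence.
use strict;
use warnings;
use Log::Log4perl;

use base ('pf::vlan');

# Node category -> isolation vlan. 666/777 are the placeholder ids from
# Fabrice's message; replace them with the real isolation_employee and
# isolation_client vlan ids configured on the switch and in PF.
my %ISOLATION_VLAN_BY_CATEGORY = (
    'Employee' => 666,   # isolation_employee (Active Directory users)
    'Guest'    => 777,   # isolation_client (sponsor-registered users)
);

sub getViolationVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info, $connection_type, $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger(ref($this));

    # Step 1: ask the stock code whether there is an open violation at all.
    # This sub is reached from fetchVlanForNode on every vlan decision, so an
    # unconditional "return 7;" would isolate the port before Nessus has run,
    # which matches the symptom reported in the thread.
    my $vlan = $this->SUPER::getViolationVlan($switch, $ifIndex, $mac, $node_info,
                                               $connection_type, $user_name, $ssid);
    unless (defined $vlan && $vlan =~ /^\d+$/ && $vlan > 0) {
        # No violation (or an error code): hand the stock result back unchanged so
        # the normal employee/client vlan selection proceeds.
        $logger->debug("no violation vlan for $mac; normal vlan selection applies");
        return $vlan;
    }

    # Step 2: a violation is open, so choose the isolation vlan for this category.
    my $category = defined $node_info ? ($node_info->{'category'} // '') : '';
    if (exists $ISOLATION_VLAN_BY_CATEGORY{$category}) {
        my $target = $ISOLATION_VLAN_BY_CATEGORY{$category};
        $logger->info("$mac has an open violation; category '$category' -> isolation vlan $target (stock choice was $vlan)");
        return $target;
    }

    # Unknown or missing category: keep whatever the stock code chose rather than
    # leaving a node with an open violation outside any isolation vlan.
    $logger->warn("$mac has an open violation but category '$category' has no isolation vlan mapping; using $vlan");
    return $vlan;
}

1;
```

The order of the two steps is the point: the category only decides which isolation vlan is used once the stock logic has confirmed a violation, so a clean scan still falls through to the regular vlan selection, and a node whose category is not in the map is still isolated in the default vlan.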
