Below are the statements I added to the function getViolationVlan in
/usr/local/pf/lib/pf/vlan/custom.pm. I also commented out the statement
return $vlan_number;
# return $vlan_number;
if ($node_info->{'category'} eq 'employee_role') {
$logger->info("return vlan 4, employee_role");
return 4;
}
elsif ($node_info->{'category'} eq 'guest') {
$logger->info("return vlan 7, guest");
return 7;
}
Maybe this is not the right file to edit and put those statements in?
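As an added example (not code from PacketFence or from anyone in this thread), here is the shape of category check I would put in the custom.pm override: a hypothetical helper that keeps the VLAN PacketFence already computed as the fallback instead of commenting out return $vlan_number;, so nodes in any other category are still isolated. It assumes that a computed VLAN of 0 or undef means no violation VLAN applies; the category names and VLAN ids are constructed sample values.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical mapping (constructed sample values): node category -> isolation
# VLAN id. Categories that are not listed keep the VLAN PacketFence computed.
my %ISOLATION_VLAN_BY_CATEGORY = (
    employee_role => 4,   # isolation_employee
    guest         => 7,   # isolation_client
);

# Hypothetical helper, not part of the PacketFence API.
# $node_info  - hashref with at least a 'category' key (as in custom.pm)
# $vlan_number - the VLAN id the stock getViolationVlan code already worked out
sub choose_violation_vlan {
    my ($node_info, $vlan_number) = @_;

    # Assumption: 0/undef means "no open violation", so nothing to override.
    # Returning it unchanged lets the normal (non-isolation) path continue.
    return $vlan_number unless defined $vlan_number && $vlan_number > 0;

    my $category = $node_info->{category} // '';
    my $override = $ISOLATION_VLAN_BY_CATEGORY{$category};

    # Known category: use its isolation VLAN; otherwise keep the computed one
    # rather than returning nothing (which is what dropping the final
    # "return $vlan_number;" would do for every unlisted category).
    return defined $override ? $override : $vlan_number;
}

# Constructed sample nodes: the last two exercise the fallback paths.
my @cases = (
    [ { category => 'employee_role' }, 3 ],
    [ { category => 'guest' },         3 ],
    [ { category => 'default' },       3 ],
    [ { category => 'guest' },         0 ],
);
for my $case (@cases) {
    my ($node, $computed) = @$case;
    printf "%-14s computed=%d -> target %d\n",
        $node->{category}, $computed, choose_violation_vlan($node, $computed);
}
```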
On Wed, Apr 2, 2014 at 4:30 PM, forbmsyn <[email protected]> wrote:
> Hi Fabrice,
>
> The new changes worked. The error no longer exists and the switch port can
> be switched to the vlan I want.
>
> But another issue has come up.
>
> Nessus scan was not started. After the user login, the switch port was
> changed right away to the vlan as I configured in custom.pm.
>
> My intention is:
>
> 1) User login.
> 2) Device scanned by Nessus.
> 3) If a violation was triggered, the switch port will be switched to either
> isolation_client vlan or isolation_employee vlan, depending on the type of
> the user account.
> 4) If no violation was triggered, the switch port will be switched to
> either client vlan or employee vlan, depending on the type of the user
> account.
>
> Now it seems step 2 was skipped, and it went to step 3 directly.
>
> Can you please help? Thank you!
>
> On Wed, Apr 2, 2014 at 3:28 PM, Fabrice DURAND <[email protected]> wrote:
>
>> Hi,
>>
>> In vlan.pm, in the sub fetchVlanForNode, change the line:
>>
>> my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>> $connection_type, $user_name, $ssid);
>> to
>> my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>> $node_info, $connection_type, $user_name, $ssid);
>>
>> And change the function getViolationVlan like that:
>>
>> sub getViolationVlan {
>> # $switch is the switch object (pf::Switch)
>> # $ifIndex is the ifIndex of the computer connected to
>> # $mac is the mac connected
>> # $conn_type is set to the connection type expressed as the constant
>> in pf::config
>> # $user_name is set to the RADIUS User-Name attribute (802.1X
>> Username or MAC address under MAC Authentication)
>> # $ssid is the name of the SSID (Be careful: will be empty string if
>> radius non-wireless and undef if not radius)
>> my ($this, $switch, $ifIndex, $mac, $connection_type, $user_name,
>> $ssid) = @_;
>>
>>
>> Regards
>> Fabrice
>>
>> On 2014-04-02 15:09, forbmsyn wrote:
>>
>> Also I am having the following message after adding the script in
>> /usr/local/pf/lib/pf/vlan/custom.pm.
>>
>> [root@vmpf vlan]# service packetfence status
>> Global symbol "$node_info" requires explicit package name at
>> /usr/local/pf/lib/pf/vlan/custom.pm line 196.
>> Global symbol "$node_info" requires explicit package name at
>> /usr/local/pf/lib/pf/vlan/custom.pm line 200.
>>
>>
>> Sorry for sending out so many questions. Please shed some light on
>> this. Thanks.
>>
>>
>> On Wed, Apr 2, 2014 at 1:58 PM, forbmsyn <[email protected]> wrote:
>>
>>> Hi Fabrice,
>>>
>>> In the last line of the function getViolationVlan I replaced the
>>> following statement:
>>> return $vlan_number;
>>>
>>> with this one : return 7;
>>>
>>> 7 is the vlan number I am testing. I have had this vlan configured on
>>> the switch and PF as well. I expected the vlan should be changed to 7 after
>>> the violation happens.
>>>
>>> I did see packetfence.log mention that the vlan should be changed from
>>> 3 to 7 but it did not happen. Below is part of the log:
>>>
>>>
>>> Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac
>>> dc:0e:a1:8a:d4:8f vid 1200001 modified (pf::violation::violation_modify)
>>> Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd
>>> manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for
>>> dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node
>>> dc:0e:a1:8a:d4:8f (manage_vclose called)
>>> (pf::enforcement::reevaluate_access)
>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog
>>> connected at 172.16.123.22 ifIndex 10101 in VLAN 3
>>> (pf::enforcement::_should_we_reasign_vlan)
>>> Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for
>>> dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3)
>>> pf::vlan::custom::getViolationVlan)
>>> Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for
>>> dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7)
>>> (pf::enforcement::_shoud_we_reassign_vlan)
>>>
>>>
>>> Anything else I should look at?
>>>
>>>
>>>
>>>
>>> On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
>>>
>>>> Hi Fabrice,
>>>>
>>>> Thank you for the tips, but could you please give me more details on
>>>> how to get this done as I am not good at programming.
>>>>
>>>> I have copied the function "sub getViolationVlan {....}" from
>>>> /usr/local/pf/lib/pf/vlan.pm and pasted it to
>>>> /usr/local/pf/lib/pf/vlan/custom.pm.
>>>>
>>>> Then how do I do the test? Where should I put the script you
>>>> mentioned below? Are 666 and 777 in your script the vlan id of isolation
>>>> vlan? Thanks again for your help.
>>>>
>>>>
>>>>
>>>> On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I suppose that you set roles based on the registration source, like AD
>>>>> -> Employee and Sponsor -> Guest.
>>>>>
>>>>> In fact you have to overwrite the vlan id of the isolation vlan: look
>>>>> at vlan/custom.pm and add the function getViolationVlan (copy and
>>>>> paste from vlan.pm).
>>>>>
>>>>> Now you will be able to write your own test like:
>>>>>
>>>>> if ($node_info->{'category'} eq 'Employee') {
>>>>> return 666;
>>>>> }
>>>>> elsif ($node_info->{'category'} eq 'Guest') {
>>>>> return 777;
>>>>> }
>>>>>
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>> On 2014-03-27 12:17, forbmsyn wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I have two types of user: one registered via sponsor, I call it
>>>>> client; the other one is Active Directory user, I call it employee.
>>>>>
>>>>> After the device is scanned by Nessus and a violation is
>>>>> triggered, I would like to redirect the device to different vlans depending
>>>>> on the type of the login user. For example the client will be switched to
>>>>> isolation_client vlan, while the employee will be switched to
>>>>> isolation_employee vlan. Is there a way to accomplish this?
>>>>>
>>>>> Thanks a lot in advance.
>>>>>
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Fabrice [email protected] :: +1.514.447.4918 (x135) ::
>>>>> www.inverse.ca
>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
>>>>> (http://packetfence.org)