Hi Fabrice,

Can you please shed some light on this?

After the device is scanned by Nessus, if a violation is opened, I want
the device to be put in different vlans depending on the user type. How
do I do that?

The way you told me before, the vlan is changed before the Nessus scan.
What I want is for it to be changed after the Nessus scan.

Thank you!

Regards,



On Wed, Apr 2, 2014 at 4:42 PM, forbmsyn <[email protected]> wrote:

> Below are the statements I added to the function getViolationVlan in
> /usr/local/pf/lib/pf/vlan/custom.pm.  I also commented the statement
> return $vlan_number;
>
> #    return $vlan_number;
>
>     if ($node_info->{'category'} eq 'employee_role') {
>        $logger->info("return vlan 4, employee_role");
>         return 4;
>     }
>     elsif ($node_info->{'category'} eq 'guest') {
>        $logger->info("return vlan 7, guest");
>         return 7;
>     }
>
>
> Maybe this is not the right file I should edit and put those statements?
>
>
>
> On Wed, Apr 2, 2014 at 4:30 PM, forbmsyn <[email protected]> wrote:
>
>> Hi Fabrice,
>>
>> The new changes worked. The error no longer exists and the switch port can
>> be switched to the vlan I want.
>>
>> But another issue has come up.
>>
>> Nessus scan was not started. After the user login, the switch port was
>> changed right away to the vlan as I configured in custom.pm.
>>
>> My intention is:
>>
>> 1) User login.
>> 2) Device scanned by Nessus.
>> 3) If a violation was triggered, the switch port will be switched to either
>> the isolation_client vlan or the isolation_employee vlan, depending on the
>> type of the user account.
>> 4) If no violation was triggered, the switch port will be switched to
>> either the client vlan or the employee vlan, depending on the type of the
>> user account.
>>
>> Now it seems step 2 was skipped, and it went to step 3 directly.
>>
>> Can you please help? Thank you!
>>
>>
>>
>>
>>
>> On Wed, Apr 2, 2014 at 3:28 PM, Fabrice DURAND <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> In vlan.pm, in the sub fetchVlanForNode, change the line:
>>>
>>> my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>>> $connection_type, $user_name, $ssid);
>>> to
>>> my $violation = $this->getViolationVlan($switch, $ifIndex, $mac,
>>> $node_info, $connection_type, $user_name, $ssid);
>>>
>>> And change the function getViolationVlan like that:
>>>
>>> sub getViolationVlan {
>>>     # $switch is the switch object (pf::Switch)
>>>     # $ifIndex is the ifIndex of the computer connected to
>>>     # $mac is the mac connected
>>>     # $conn_type is set to the connection type expressed as the
>>> constant in pf::config
>>>     # $user_name is set to the RADIUS User-Name attribute (802.1X
>>> Username or MAC address under MAC Authentication)
>>>     # $ssid is the name of the SSID (Be careful: will be empty string if
>>> radius non-wireless and undef if not radius)
>>>     my ($this, $switch, $ifIndex, $mac, $connection_type, $user_name,
>>> $ssid) = @_;
>>>
>>>
>>> Regards
>>> Fabrice
>>>
>>> Le 2014-04-02 15:09, forbmsyn a écrit :
>>>
>>> Also I am getting the following message after adding the script in
>>> /usr/local/pf/lib/pf/vlan/custom.pm.
>>>
>>> [root@vmpf vlan]# service packetfence status
>>> Global symbol "$node_info" requires explicit package name at
>>> /usr/local/pf/lib/pf/vlan/custom.pm line 196.
>>> Global symbol "$node_info" requires explicit package name at
>>> /usr/local/pf/lib/pf/vlan/custom.pm line 200.
>>>
>>>
>>> Sorry for sending out so many questions. Please shed some light on
>>> this. Thanks.
>>>
>>>
>>> On Wed, Apr 2, 2014 at 1:58 PM, forbmsyn <[email protected]> wrote:
>>>
>>>> Hi Fabrice,
>>>>
>>>> In the last line of the function getViolationVlan I replaced the
>>>> following statement:
>>>>     return $vlan_number;
>>>>
>>>> with this one:
>>>>     return 7;
>>>>
>>>> 7 is the vlan number I am testing. I have this vlan configured on
>>>> the switch and in PF as well. I expected the vlan to be changed to 7 after
>>>> the violation happens.
>>>>
>>>> I did see packetfence.log mention that the vlan should be changed
>>>> from 3 to 7, but it did not happen. Below is part of the log:
>>>>
>>>>
>>>>  Apr 02 13:31:14 pfcmd.pl(27984) INFO: violation for mac
>>>> dc:0e:a1:8a:d4:8f vid 1200001 modified (pf::violation::violation_modify)
>>>>  Apr 02 13:31:14 pfcmd.pl(27984) INFO: Calling /usr/local/pf/bin/pfcmd
>>>> manage vclose dc:0e:a1:8a:d4:8f 1200001 (pf::scan::run_scan)
>>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: violation 1200001 closed for
>>>> dc:0e:a1:8a:d4:8f (pf::violation::violation_close)
>>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: re-evaluating access for node
>>>> dc:0e:a1:8a:d4:8f (manage_vclose called)
>>>> (pf::enforcement::reevaluate_access)
>>>> Apr 02 13:31:14 pfcmd.pl(29354) INFO: dc:0e:a1:8a:d4:8f is currentlog
>>>> connected at 172.16.123.22 ifIndex 10101 in VLAN 3
>>>> (pf::enforcement::_should_we_reasign_vlan)
>>>> Apr 02 13:31:15 pfcmd.pl(29354) INFO: highest priority violation for
>>>> dc:0e:a1:8a:d4:8f is 1100001. Target VLAN for violation: isolation (3)
>>>> pf::vlan::custom::getViolationVlan)
>>>> Apr 02 13:31:15 pfcmd.pl(29354) INFO: VLAN reassignment required for
>>>> dc:0e:a1:8a:d4:8f (current VLAN = 3 but should be in VLAN 7)
>>>> (pf::enforcement::_shoud_we_reassign_vlan)
>>>>
>>>>
>>>> Anything else I should look at?
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Apr 2, 2014 at 12:05 PM, forbmsyn <[email protected]> wrote:
>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> Thank you for the tips, but could you please give me more details on
>>>>> how to get this done, as I am not good at programming?
>>>>>
>>>>> I have copied the function "sub getViolationVlan {....}" from
>>>>> /usr/local/pf/lib/pf/vlan.pm and pasted it into
>>>>> /usr/local/pf/lib/pf/vlan/custom.pm.
>>>>>
>>>>> Then how do I do the test? Where should I put the script you
>>>>> mentioned below? Are 666 and 777 in your script the vlan ids of the
>>>>> isolation vlans? Thanks again for your help.
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 28, 2014 at 8:18 AM, Fabrice DURAND <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> I suppose that you set roles based on the registration source, like
>>>>>> AD -> Employee and Sponsor -> Guest.
>>>>>>
>>>>>> In fact you have to override the vlan id of the isolation vlan: look
>>>>>> at vlan/custom.pm and add the function getViolationVlan (copy and
>>>>>> paste it from vlan.pm).
>>>>>>
>>>>>> Now you will be able to write your own test like:
>>>>>>
>>>>>> if ($node_info->{'category'} eq 'Employee') {
>>>>>>     return 666;
>>>>>> }
>>>>>> elsif ($node_info->{'category'} eq 'Guest') {
>>>>>>     return 777;
>>>>>> }
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> Le 2014-03-27 12:17, forbmsyn a écrit :
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I have two types of user: one is registered via sponsor, which I call
>>>>>> client; the other is an Active Directory user, which I call employee.
>>>>>>
>>>>>> After the device is scanned by Nessus and a violation is triggered,
>>>>>> I would like to redirect the device to different vlans depending on
>>>>>> the type of the logged-in user. For example the client will be switched
>>>>>> to the isolation_client vlan, while the employee will be switched to the
>>>>>> isolation_employee vlan. Is there a way to accomplish this?
>>>>>>
>>>>>> Thanks a lot in advance.
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  
>>>>>> www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>>>>> (http://packetfence.org)
>>>>>
>>>>
>>> --
>>> Fabrice [email protected] ::  +1.514.447.4918 (x135) ::  
>>> www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
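An added example, not code from the thread or from PacketFence itself, of the per-role getViolationVlan override discussed above for /usr/local/pf/lib/pf/vlan/custom.pm: it maps the node category to an isolation VLAN and falls back to the stock implementation for any other category, so a node with an unexpected role still lands in the default isolation VLAN instead of getting no VLAN at all. It assumes vlan.pm has been edited as Fabrice described (so $node_info is the fourth argument), that pf::vlan::custom inherits from pf::vlan, and that the VLAN ids and role names are placeholders to adapt.

```perl
package pf::vlan::custom;
# Added example for custom.pm; not PacketFence's own code.
# Assumes vlan.pm passes $node_info as the 4th argument to
# getViolationVlan (per the thread) and that this package
# inherits from pf::vlan (assumption).
use strict;
use warnings;
use Log::Log4perl;
use base ('pf::vlan');

# Node category -> isolation VLAN id. Keys must match the category
# name exactly (eq is case-sensitive). Values are placeholders.
my %ISOLATION_VLAN_BY_ROLE = (
    employee_role => 4,    # isolation_employee
    guest         => 7,    # isolation_client
);

sub getViolationVlan {
    my ($this, $switch, $ifIndex, $mac, $node_info,
        $connection_type, $user_name, $ssid) = @_;
    my $logger = Log::Log4perl->get_logger(__PACKAGE__);

    my $role = $node_info->{'category'};
    if (defined $role && exists $ISOLATION_VLAN_BY_ROLE{$role}) {
        my $vlan = $ISOLATION_VLAN_BY_ROLE{$role};
        $logger->info("$mac has role '$role': isolation VLAN $vlan");
        return $vlan;
    }

    # Unknown or missing category: keep the stock behaviour so the
    # node is still isolated in the default isolation VLAN.
    my $shown = defined $role ? $role : 'undef';
    $logger->warn("$mac: no per-role isolation VLAN for '$shown', "
                . "using default isolation VLAN");
    return $this->SUPER::getViolationVlan($switch, $ifIndex, $mac,
        $node_info, $connection_type, $user_name, $ssid);
}

1;
```

After editing, `service packetfence status` (as used in the thread) is a quick way to catch a syntax error such as an undeclared variable before restarting.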