A couple of problems with the Palo SSO module.

One I haven't looked into fixing yet:  If there are 2 SSO devices listed,
it appears to round-robin between the 2 of them.  It should post to all
devices for every record.  Might want to set a low timeout in case one of
them is down for some reason?

The rest:

(Same changes for stop section)

# Module header assumed from the PacketFence firewallsso modules (not part of
# the original post); it supplies node_view(), $pf::node::STATUS_REGISTERED
# and %ConfigFirewallSSO used below.
use strict;
use warnings;
use Log::Log4perl;
use LWP::UserAgent;
use pf::node;
use pf::config;

sub action {
    my ($self, $firewall_conf, $method, $mac, $ip, $timeout) = @_;
    my $logger = Log::Log4perl::get_logger(ref($self));

    if ($method eq 'Start') {
        my $node_info = node_view($mac);
        # Makes sense below.  Want the Palo to act on users that are domain
        # members for group based policies.
        my $domain = "mccad\\";
        # Just my preference, lowercase username to normalize.
        my $username = lc $node_info->{'pid'};
        # Don't act if it's a particular user.  Might be good to add a list of
        # pids to exclude.  Admin has all of our phones, desktop PCs and so-on.
        return 0 if ($username eq 'admin');
        # Don't really know what this is for, but we get our 802.1x IPs for
        # wireless users from the AP itself, so we don't really need it.
        $username = $node_info->{'last_dot1x_username'}
            if ($ConfigFirewallSSO{$firewall_conf}->{'uid'} eq '802.1x');
        return 0 if ($ConfigFirewallSSO{$firewall_conf}->{'uid'} eq '802.1x'
            && $node_info->{'last_dot1x_username'} eq '');
        # If username isn't an email address, prepend the AD domain before
        # sending to the palo.  We already strip off [email protected] in the
        # radius virtual servers before they hit PF.
        $username = $domain . $username if ($username !~ /^.*@.*$/);

        # Works when more than one category is included.  (Note: this grep
        # block only tests that lc $node_info->{'category'} is true for each
        # configured entry; it does not compare the category against $_.)
        if (defined($node_info) && (ref($node_info) eq 'HASH')
            && ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED)
            && (grep { lc $node_info->{'category'} }
                    ($ConfigFirewallSSO{$firewall_conf}->{'categories'}))) {
        # Fails if more than one category is included:
        #if (defined($node_info) && (ref($node_info) eq 'HASH')
        #    && $node_info->{'status'} eq $pf::node::STATUS_REGISTERED
        #    && grep { lc $node_info->{'category'} eq $_ }
        #           ($ConfigFirewallSSO{$firewall_conf}->{'categories'})) {

            # User-ID login message; $username, $ip and $timeout are
            # interpolated directly into the attributes.
            my $message = <<"XML";
                <uid-message>
                    <version>1.0</version>
                    <type>update</type>
                    <payload>
                        <login>
                            <entry name="$username" ip="$ip" timeout="$timeout"/>
                        </login>
                    </payload>
                </uid-message>
XML
            # We don't post directly to the palo, we post to the userid agent
            # running on our AD servers.  You should also be aware of different
            # parameters if using a system on the palo.
            #my $webpage = "https://".$firewall_conf."/api/?type=user-id&action=set&key=".$ConfigFirewallSSO{$firewall_conf}->{'password'};
            my $webpage = "https://".$firewall_conf."/api/?type=user-id&action=set";

            my $ua = LWP::UserAgent->new;
            my $response = $ua->post($webpage, Content => $message);   # Works
            #my $response = $ua->post($webpage, Content => [ cmd => $message ]);  # Doesn't work
            if ($response->is_success) {
                $logger->info("Node $mac registered and allowed to pass the Firewall");
                return 1;
            } else {
                $logger->info("XML send error :".$response->status_line);
                return 0;
            }
        }
    }
    return 0;
}
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
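The first paragraph of the post asks for the message to be posted to every listed SSO device instead of round-robin, with a low timeout. The following is an added example of my own, not code from the post or from PacketFence: it builds the same User-ID login message with the attribute values XML-escaped (the post's heredoc interpolates them raw), posts it to each host with a short timeout, and returns a per-host result so a dead device is visible rather than silently skipped. The host names, the user and the helper names `xml_attr`, `uid_message` and `post_to_all_sso` are assumptions.

```perl
use strict;
use warnings;
use LWP::UserAgent;

# Escape XML special characters so a username or IP can never break
# out of the attribute it is placed in.
sub xml_attr {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Build the User-ID login message from the post, with escaped attributes.
sub uid_message {
    my ($username, $ip, $timeout) = @_;
    my ($u, $i, $t) = map { xml_attr($_) } ($username, $ip, $timeout);
    return <<"XML";
<uid-message>
  <version>1.0</version>
  <type>update</type>
  <payload>
    <login>
      <entry name="$u" ip="$i" timeout="$t"/>
    </login>
  </payload>
</uid-message>
XML
}

# Post the same message to every device rather than to one of them, with a
# short timeout so an unreachable device cannot stall the rest.
# Returns a hashref of host => 'ok' or the HTTP status line.
sub post_to_all_sso {
    my ($hosts, $message, $timeout_secs) = @_;
    my $ua = LWP::UserAgent->new(timeout => $timeout_secs);
    my %result;
    for my $host (@$hosts) {
        my $response = $ua->post("https://$host/api/?type=user-id&action=set", Content => $message);
        $result{$host} = $response->is_success ? 'ok' : $response->status_line;
    }
    return \%result;
}

# Constructed hosts and user (assumptions; substitute the configured SSO devices).
my $results = post_to_all_sso(['sso-agent1.example.net', 'sso-agent2.example.net'],
    uid_message('mccad\\jdoe', '10.0.0.5', 30), 3);
printf "%s: %s\n", $_, $results->{$_} for sort keys %$results;
```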