Also don't want firewalls inadvertently updated with the
registration/isolation network IPs.

I'm trying to dig through the code to find the module that will supply the
variable to match the configured registration/isolation network IPs, but
this works for me for now.

All my registration/isolation networks are in 10.11 or 10.12.

# [0-255] is a character class matching only the digits 0, 1, 2 and 5, so
# e.g. 10.11.3.4 would slip through; \d{1,3} matches each octet as intended.
return 0 if ($ip =~ /^10\.1[12]\.\d{1,3}\.\d{1,3}$/);

On Thu, Aug 14, 2014 at 1:15 PM, Tim DeNike <[email protected]> wrote:

> Couple problems with the Palo SSO module.
>
>
> One I haven't looked into fixing yet:  If there are 2 SSO devices listed,
> it appears to round-robin between the 2 of them.  It should post to all
> devices for every record.  Might want to set a low timeout in case one of
> them is down for some reason?
>
> The rest:
>
> (Same changes for stop section)
>
> # Module preamble assumed for this excerpt (not in the original post):
> use strict;
> use warnings;
> use LWP::UserAgent;
> use Log::Log4perl;
> use pf::node;        # node_view
> use pf::config;      # %ConfigFirewallSSO
>
> sub action {
>     my ($self, $firewall_conf, $method, $mac, $ip, $timeout) = @_;
>     my $logger = Log::Log4perl::get_logger(ref($self));
>
>     if ($method eq 'Start') {
>         my $node_info = node_view($mac);
>         # Check the lookup result before touching any node fields.
>         return 0 unless (defined($node_info) && ref($node_info) eq 'HASH');
>
>         ### Makes sense below.  Want the Palo to act on users that are
>         ### domain members for group based policies.
>         my $domain = "mccad\\";
>         ### Just my preference, lowercase username to normalize.
>         my $username = lc($node_info->{'pid'} // '');
>         ### Don't act if it's a particular user.  Might be good to add a list
>         ### of pids to exclude.  Admin has all of our phones, desktop PCs and so-on.
>         return 0 if ($username eq 'admin');
>         ### Don't really know what this is for, but we get our 802.1x IPs for
>         ### wireless users from the AP itself, so we don't really need it.
>         if ($ConfigFirewallSSO{$firewall_conf}->{'uid'} eq '802.1x') {
>             return 0 if (($node_info->{'last_dot1x_username'} // '') eq '');
>             $username = $node_info->{'last_dot1x_username'};
>         }
>         ### If username isn't an email address, prepend the AD domain before
>         ### sending to the palo.  We already strip off [email protected] in the
>         ### radius virtual servers before they hit PF.
>         $username = $domain . $username if ($username !~ /@/);
>
>         ### Works with more than one category is included
>         # 'categories' may be a comma-separated string (as in the config file)
>         # or already a list; compare the node's category against each entry
>         # case-insensitively instead of testing only that it is non-empty.
>         my $cats = $ConfigFirewallSSO{$firewall_conf}->{'categories'} // '';
>         my @categories = ref($cats) eq 'ARRAY' ? @$cats : split(/\s*,\s*/, $cats);
>         my $category = lc($node_info->{'category'} // '');
>
>         if (($node_info->{'status'} // '') eq $pf::node::STATUS_REGISTERED
>             && grep { lc($_) eq $category } @categories) {
>         #if (defined($node_info) && (ref($node_info) eq 'HASH') &&
>         #    $node_info->{'status'} eq $pf::node::STATUS_REGISTERED &&
>         #    grep { lc $node_info->{'category'} eq $_ }
>         #        ($ConfigFirewallSSO{$firewall_conf}->{'categories'})) {
>         ### Fails if more than one category is included
>
>             # Note: $username and $ip are interpolated into the XML as-is;
>             # a pid containing quotes or angle brackets would break the document.
>             my $message = <<"XML";
>                 <uid-message>
>                     <version>1.0</version>
>                     <type>update</type>
>                     <payload>
>                         <login>
>                             <entry name="$username" ip="$ip" timeout="$timeout"/>
>                         </login>
>                     </payload>
>                 </uid-message>
> XML
>             ### We don't post directly to the palo, we post to the userid agent
>             ### running on our AD servers.  You should also be aware of different
>             ### parameters if using a system on the palo.
>             #my $webpage = "https://".$firewall_conf."/api/?type=user-id&action=set&key=".$ConfigFirewallSSO{$firewall_conf}->{'password'};
>             my $webpage = "https://".$firewall_conf."/api/?type=user-id&action=set";
>             my $ua = LWP::UserAgent->new;
>             my $response = $ua->post($webpage, Content => $message);   ### Works
>             #my $response = $ua->post($webpage, Content => [ cmd => $message ]);  ### Doesn't work
>             if ($response->is_success) {
>                 $logger->info("Node $mac registered and allowed to pass the Firewall");
>                 return 1;
>             } else {
>                 $logger->info("XML send error :".$response->status_line);
>                 return 0;
>             }
>         }
>     }
>     return 0;
> }
>
>
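An added example, not part of this thread or of PacketFence's own module, showing the two pieces discussed above done with proper checks: a CIDR test for the registration/isolation networks instead of the octet regex, and the User-ID payload built with XML escaping so a pid containing quotes or angle brackets cannot break the document. The network ranges, usernames and addresses are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Socket qw(inet_aton);

# Constructed to match the 10.11.x.x / 10.12.x.x registration/isolation
# ranges from the thread; adjust to the networks PF actually uses.
my @EXCLUDED = ('10.11.0.0/16', '10.12.0.0/16');

# True when $ip lies inside any CIDR block in @cidrs.  Real prefix arithmetic:
# 10.11.3.4 and 10.12.255.254 are caught, 10.110.1.1 is not.
sub ip_in_networks {
    my ($ip, @cidrs) = @_;
    return 0 unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;   # dotted quad only, no DNS lookups
    my $packed = inet_aton($ip) or return 0;               # rejects octets > 255
    my $addr = unpack('N', $packed);
    for my $cidr (@cidrs) {
        my ($net, $bits) = split m{/}, $cidr;
        $bits = 32 unless defined $bits;
        my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
        my $netaddr = unpack('N', inet_aton($net));
        return 1 if (($addr & $mask) == ($netaddr & $mask));
    }
    return 0;
}

# Escape the five XML special characters so a value can sit inside an
# attribute without breaking, or silently altering, the uid-message.
sub xml_escape {
    my $s = shift;
    $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g; $s =~ s/'/&apos;/g;
    return $s;
}

# Build the User-ID XML payload; $event is 'login' (Start) or 'logout' (Stop).
# The timeout attribute only applies to login entries.
sub build_uid_message {
    my ($event, $username, $ip, $timeout) = @_;
    my ($u, $a, $t) = map { xml_escape($_) } ($username, $ip, $timeout);
    my $attrs = "name=\"$u\" ip=\"$a\"";
    $attrs .= " timeout=\"$t\"" if $event eq 'login';
    return "<uid-message><version>1.0</version><type>update</type><payload>"
         . "<$event><entry $attrs/></$event></payload></uid-message>\n";
}

# Self-checks on constructed inputs.
die "exclusion failed" unless ip_in_networks('10.11.3.4', @EXCLUDED);
die "false positive"   if     ip_in_networks('10.110.1.1', @EXCLUDED);
my $xml = build_uid_message('login', 'mccad\\o"hara', '10.20.1.5', 30);
die "username not escaped" unless $xml =~ /name="mccad\\o&quot;hara"/;
print $xml;
```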
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users