Hello Brian,

On 2017-01-25 at 13:42, Cuttler, Brian R (HEALTH) wrote:
> Hello PF users,
>
> We are running v5.0.2 and are seeing that some of our printers, intended for
> the default_vlan are being flagged for "violation" when their DHCP packets
> are fingerprinted. This results in the printer being dropped into our
> NonComplient vlan, for obsolete OS.
>
> Our noncompliant vlan is older operating systems that we wanted to segregate
> and protect but where the computer's OS cannot be upgraded for one reason
> or another.
>
> The problem at its root is probably a DHCP fingerprinting issue, and I'm not
> sure how to fix that correctly.

Upgrade ;-)

> What I did find was that the NODE "info" page provides a "bypass vlan" and
> "bypass role" option.
>
> While I have had no success at all with "bypass role", I have found that if I
> specify the "bypass vlan" as the id of our default_vlan, and clear the
> violation and reevaluate the node, then the node will return to the
> default_vlan.
>
> I'd hoped that would solve the issue of white listing the few particular
> printers we have issues with, but I have noted that overnight, I don't know
> quite when or why, the node's "Role" will (spontaneously) change and will
> show a selection for "Noncompliant", and with that selected, I cannot
> "bypass" the selection and put it back into the default_vlan. I must manually
> change the Role, clear the violation, and then "reevaluate".
>
> I am not certain how to permanently fix it so the printer is in the default
> vlan. I have the option of stripping the settings from the switch port the
> printer is connected to, but would rather not, it seems poor form and likely
> to trip us up later on.

Violations take precedence over the bypass vlan, so you will need to patch
your setup. Add this there
https://github.com/inverse-inc/packetfence/blob/packetfence-5.0.2/lib/pf/vlan.pm#L108 :

    # Return the result of the bypass check right away when it yields a VLAN
    $vlan = _check_bypass($mac, $node_info, $switch);
    if( $vlan ) {
        $pf::StatsD::statsd->end(called() . ".timing" , $start, 0.05 );
        return $vlan;
    }

> Help and guidance appreciated,
> Brian
>
> Computer/Network Admin
> Wadsworth Center/NYS Dept of Health
> Albany, NY
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

Regards
Fabrice
