Thank you very much, Durand,

I will forward this to our guy who installed/patched packetfence.

Would be _way_ good to have this switch rather than stripping our edge 
protection; glad that both the patch and the upgrade will allow us to keep the 
exceptions within PF itself.

Thanks,
Brian

-----Original Message-----
From: Durand fabrice [mailto:[email protected]] 
Sent: Wednesday, January 25, 2017 9:35 PM
To: [email protected]
Subject: Re: [PacketFence-users] bypass vlan?

Hello Brian,


Le 2017-01-25 à 13:42, Cuttler, Brian R (HEALTH) a écrit :
> Hello PF users,
>
> We are running v5.0.2 and are seeing that some of our printers, intended for 
> the default_vlan are being flagged for "violation" when their DHCP packets 
> are fingerprinted. This results in the printer being dropped into our 
> NonComplient vlan, for obsolete OS.
>
> Our noncompliant vlan is for older operating systems that we wanted to 
> segregate and protect, but where we cannot upgrade the computer's OS for one 
> reason or another.
>
> The problem at its root is probably a DHCP fingerprinting issue, and I'm not 
> sure how to fix that correctly.
Upgrade ;-)
> What I did find was that the NODE "info" page provides a "bypass vlan" and 
> "bypass role" option.
>
> While I have had no success at all with "bypass role", I have found that if I 
> specify the "bypass vlan" as the id of our default_vlan, and clear the 
> violation and reevaluate the node, then the node will return to the 
> default_vlan.
>
> I'd hoped that would solve the issue of whitelisting the few particular 
> printers we have issues with, but I have noted that overnight, I don't know 
> quite when or why, the node's "Role" will (spontaneously) change and will 
> show a selection for "Noncompliant", and with that selected, I cannot 
> "bypass" the selection and put it back into the default_vlan. I must manually 
> change the Role, clear the violation, and then "reevaluate".
>
> I am not certain how to permanently fix it so the printer is in the default 
> vlan. I have the option of stripping the settings from the switch port the 
> printer is connected to, but would rather not; it seems poor form and likely 
> to trip us up later on.
Violations take precedence over the bypass vlan, so you will need to patch your
setup. Add this there:
https://github.com/inverse-inc/packetfence/blob/packetfence-5.0.2/lib/pf/vlan.pm#L108

     # Look up the node's bypass VLAN before the violation check, so a bypass
     # set on the node wins over an open violation.
     $vlan = _check_bypass($mac, $node_info, $switch);
     if( $vlan ) {
         $pf::StatsD::statsd->end(called() . ".timing" , $start, 0.05 );
         return $vlan;
     }


> Help and guidance appreciated,
> Brian
>
> Computer/Network Admin
> Wadsworth Center/NYS Dept of Health
> Albany, NY
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
Regards
Fabrice

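To make the precedence point concrete, here is an added example (not PacketFence code, and not something either poster wrote) that models the decision order Fabrice describes: in the stock order an open violation is checked before the node's bypass VLAN, so the bypass only helps a clean node; moving the bypass check first makes the bypass win. The VLAN IDs, MAC addresses, role names and the "obsolete-os" violation label are all constructed for the example. It also lists the nodes on which a bypass would mask an open violation, which is the set an operator should review after applying this change.

```python
"""Model of the VLAN-assignment precedence discussed in the thread.

Constructed example, not PacketFence code: it imitates the order in which
a NAC decides a node's VLAN (open violation, then bypass, then role) and
the reordering suggested in the thread (bypass first), so the effect of
the patch can be seen on a made-up printer record.  VLAN IDs, MACs and
violation names are invented for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed VLAN IDs per role; ISOLATION_VLAN stands in for the violation VLAN.
ROLE_VLANS = {"default": "10", "Noncompliant": "666"}
ISOLATION_VLAN = "999"


@dataclass
class Node:
    mac: str
    role: str                          # the node's "Role" (category)
    bypass_vlan: Optional[str] = None  # the NODE "bypass vlan" field
    open_violations: List[str] = field(default_factory=list)


def fetch_vlan_stock(node: Node) -> Tuple[str, str]:
    """Stock order: an open violation wins; bypass only applies to a clean node."""
    if node.open_violations:
        return ISOLATION_VLAN, "violation"
    if node.bypass_vlan:
        return node.bypass_vlan, "bypass"
    return ROLE_VLANS[node.role], "role"


def fetch_vlan_patched(node: Node) -> Tuple[str, str]:
    """Order after moving the bypass check ahead of the violation lookup."""
    if node.bypass_vlan:
        return node.bypass_vlan, "bypass"
    if node.open_violations:
        return ISOLATION_VLAN, "violation"
    return ROLE_VLANS[node.role], "role"


def nodes_whose_violations_are_masked(nodes: List[Node]) -> List[str]:
    """MACs where the patched order silently overrides an open violation.

    These are the entries to review periodically: once a bypass VLAN is set,
    nothing about that node (a later, unrelated violation, or a host spoofing
    the printer's MAC) will move it off that VLAN.
    """
    return [n.mac for n in nodes if n.bypass_vlan and n.open_violations]


def compare(nodes: List[Node]) -> Dict[str, Tuple[str, str]]:
    """Return {mac: (vlan under stock order, vlan under patched order)}."""
    return {n.mac: (fetch_vlan_stock(n)[0], fetch_vlan_patched(n)[0]) for n in nodes}


# Constructed sample inventory: the printer from the thread after its role
# flipped to Noncompliant overnight, plus two unrelated hosts.
SAMPLE_NODES = [
    Node("00:11:22:33:44:55", "Noncompliant", bypass_vlan="10",
         open_violations=["obsolete-os"]),
    Node("00:11:22:33:44:66", "default", open_violations=["obsolete-os"]),
    Node("00:11:22:33:44:77", "default"),
]


if __name__ == "__main__":
    for mac, (stock, patched) in compare(SAMPLE_NODES).items():
        print(f"{mac}: stock -> VLAN {stock}, patched -> VLAN {patched}")
    print("bypass masks a violation on:",
          nodes_whose_violations_are_masked(SAMPLE_NODES))
```

With the stock order the printer lands in the isolation VLAN as long as the obsolete-OS violation is open, which is exactly the behaviour in the thread; with the bypass checked first it goes to VLAN 10 regardless. The trade-off is that a bypass VLAN then becomes a blanket exemption for that MAC, so the list of nodes with a bypass set is worth auditing rather than forgetting.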