I suppose you are referring to these

1200004    Post Reg System Scan    Log message    isolation
1200005    Pre Reg System Scan    Log message    registration

In my case the WMI is configured only to scan on the production network and it works:

Aug 4 17:40:00 srvpf pfqueue: pfqueue(4604) INFO: [mac:20:cf:30:36:7c:bb] grace expired on violation 1200004 for node 20:cf:30:36:7c:bb (pf::violation::violation_add)
Aug 4 17:40:00 srvpf pfqueue: pfqueue(4604) INFO: [mac:20:cf:30:36:7c:bb] violation 1200004 added for 20:cf:30:36:7c:bb (pf::violation::violation_add)
Aug 4 17:40:00 srvpf pfqueue: pfqueue(4604) INFO: [mac:20:cf:30:36:7c:bb] executing action 'log' on class 1200004 (pf::action::action_execute)
Aug 4 17:40:00 srvpf pfqueue: pfqueue(4604) INFO: [mac:20:cf:30:36:7c:bb] /usr/local/pf/logs/violation.log 2017-08-04 17:40:00: Post Reg System Scan (1200004) detected on node 20:cf:30:36:7c:bb (192.168.15.81) (pf::action::action_log)
Aug 4 17:40:12 srvpf packetfence_httpd.webservices: httpd.webservices(3188) INFO: [mac:20:cf:30:36:7c:bb] violation 1200004 closed for 20:cf:30:36:7c:bb (pf::violation::violation_close)

Just a doubt: are you forwarding DHCP packets to PF on the production network? Does PF know the correct IP of the node?

Can't check the logs anymore now as I'm leaving for holidays till September and I have powered off my test VMs.

On 11/08/2017 14:28, Akala Kehinde wrote:
I expect id 100024 to be triggered when in Production vlan but it doesn't.


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users