Hello list! I need help with the following scenario. When consultants/guests come, I would like to let them access the network only if their AV is up to date. I've made a script that creates a known user and allows it to run WMI queries; the outdated AV triggers the violation as expected. What I wanted to do is to present a portal page if the WMI scan fails, where the user can download and execute the script, but I'm not succeeding there. I thought violation 1200005 (Pre Reg Scan) would trigger, but it seems to trigger during the scan and close after that. Is there a way to trigger a violation on the NT_STATUS_ACCESS_DENIED or "WMI scan didnt start"? That way I can hold on that violation to show the user the message to download and execute the script, then hit enable network.
Here's an example of the log:

INFO: [mac:] violation 1200005 added for (pf::violation::violation_add)
INFO: [mac:] executing action 'log' on class 1200005 (pf::action::action_execute)
INFO: [mac:] /usr/local/pf/logs/violation.log 2018-03-15 21:34:19: Pre Reg System Scan (1200005) detected on node () (pf::action::action_log)
INFO: [mac:] Instantiate profile NON_802.1X_MACHINES (pf::Connection::ProfileFactory::_from_profile)
INFO: [mac:] New ID generated: 1521149660669f4c (pf::util::generate_id)
ERROR: [mac:] Error rule wmi rule 'Antivirus_Up_Updated': NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied (pf::scan::wmi::rules::test)
WARN: [mac:] WMI scan didnt start (pf::scan::wmi::startScan)
INFO: [mac:] violation 1200005 closed for (pf::violation::violation_close)

Any help would be appreciated. Thank you!

Regards,
Maximo Naccarato
[email protected]
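
Added example, not part of the original post and not PacketFence code: a log check for the condition described above, listing nodes whose Pre Reg System Scan (1200005) closed after the WMI scan hit NT_STATUS_ACCESS_DENIED or did not start. The filled-in MAC addresses and the function name unscanned_nodes are assumptions; the log excerpt in the post has the MAC blank.

```python
import re

# Line shape follows the excerpt in the post. The MAC inside "[mac:...]" is
# blank there, so the sample below uses constructed addresses.
LINE = re.compile(r"^(?P<level>[A-Z]+): \[mac:(?P<mac>[0-9a-fA-F:]*)\] (?P<msg>.*)$")
PRE_REG = "1200005"  # Pre Reg System Scan violation id, as named in the post

# Constructed sample: one node whose WMI scan was denied, one clean node.
SAMPLE_LOG = """\
INFO: [mac:00:11:22:33:44:55] violation 1200005 added for 00:11:22:33:44:55 (pf::violation::violation_add)
ERROR: [mac:00:11:22:33:44:55] Error rule wmi rule 'Antivirus_Up_Updated': NTSTATUS: NT_STATUS_ACCESS_DENIED - Access denied (pf::scan::wmi::rules::test)
WARN: [mac:00:11:22:33:44:55] WMI scan didnt start (pf::scan::wmi::startScan)
INFO: [mac:00:11:22:33:44:55] violation 1200005 closed for 00:11:22:33:44:55 (pf::violation::violation_close)
INFO: [mac:66:77:88:99:aa:bb] violation 1200005 added for 66:77:88:99:aa:bb (pf::violation::violation_add)
INFO: [mac:66:77:88:99:aa:bb] violation 1200005 closed for 66:77:88:99:aa:bb (pf::violation::violation_close)
"""

def unscanned_nodes(log_text):
    """Return {mac: [reasons]} for nodes whose pre-reg scan window closed
    after the WMI scan failed to run, i.e. the node was never checked."""
    open_scan = {}  # mac -> failure reasons seen while 1200005 is open
    flagged = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["mac"]:
            continue  # not a per-node line, or the MAC is missing
        mac, msg = m["mac"].lower(), m["msg"]
        if f"violation {PRE_REG} added" in msg:
            open_scan[mac] = []
        elif mac in open_scan and "NT_STATUS_ACCESS_DENIED" in msg:
            open_scan[mac].append("access_denied")
        elif mac in open_scan and "WMI scan didnt start" in msg:
            open_scan[mac].append("scan_not_started")
        elif f"violation {PRE_REG} closed" in msg:
            reasons = open_scan.pop(mac, [])
            if reasons:
                flagged.setdefault(mac, []).extend(reasons)
    return flagged

if __name__ == "__main__":
    for mac, reasons in unscanned_nodes(SAMPLE_LOG).items():
        print(mac, ",".join(reasons))
```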
