Hi,

We are trying to ban win7-and-pre devices, and have created a security event like this:

[1400003]
trigger=device::7535,device::7534,device::33,device::36
actions=reevaluate_access,email_admin,log,email_user
desc=Win7 and older to isolation (triggers automatically)
access_duration=14D
template=banned_os
max_enable=2
user_mail_message= <<EOT
Please upgrade your device Operating System as soon as you can. You are running 
a windows version that is no longer maintained.

You will be able to dismiss this message 1 times and the next time, your device 
will be isolated permanently. Upgrade!

EOT
redirect_url=https://www.forbes.com/sites/gordonkelly/2020/01/15/how-to-upgrade-to-windows-10-for-free-in-2020/
enabled=Y
whitelisted_roles=win7

The above should isolate pre-win7 windows devices, and generally it seems to work. BUT...

We are also getting faulty isolations. For example today:

Detect  : Win7 and older to isolation (triggers automatically)

MAC Address    : 14:ab:c5:f1:00:31
IP Address     : 10.20.162.94 (active)
IP Info        : IP active since 2020-01-31 10:55:14 and DHCP lease valid until 2020-02-01 10:55:14
Owner          : username
Category       : domain_users
Status         : registered
Name           : DESKTOP-BCATNIF
VoIP           : no

DEVICE PROFILING INFORMATION
Device: Operating System/Windows OS/Microsoft Windows kernel 5.x
Device version: Device profiling confidence level: 30

DHCP Info      : Last DHCP request at 2020-01-31 10:55:15
Location       : port 0 (vlan 0) on switch 10.20.0.1
Connection type: Inline
802.1X Username:
Wireless SSID  :
Last activity  : 0000-00-00 00:00:00

BUT, when looking up the same node in the pf GUI, we see:

Device Class Windows OS
Device Manufacturer Intel Corporate
Device Type Microsoft Windows Kernel 10.0
Fully Qualified Device Name Operating System/Windows OS/Microsoft Windows Kernel 10.0
Version 10
Score 90%
Mobile No
DHCP Fingerprint 1,3,6,15,31,33,43,44,46,47,119,121,249,252

So, they don't match!

WHY is the security event triggered with "Operating System/Windows OS/Microsoft Windows kernel 5.x", when in the database the same node is identified as "Windows OS/Microsoft Windows Kernel 10.0"?

Does not make sense..?

How are others here blocking pre-win7 clients? Are you also getting false positives?

Thanks for any pointers,
MJ


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
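
Added example (not PacketFence code, and not part of the post above): a small triage helper that parses an isolation notification in the format quoted in this thread, pulls out the profiled device path and the "Device profiling confidence level", and compares them against the node record shown in the GUI. It assumes the notification layout quoted above and a site-chosen minimum confidence (50 here) below which an automatic isolation should be reviewed rather than trusted.

```python
import re

# Constructed sample alert, modelled on the notification quoted in the thread.
ALERT = """\
Detect  : Win7 and older to isolation (triggers automatically)
MAC Address    : 14:ab:c5:f1:00:31
Name           : DESKTOP-BCATNIF
DEVICE PROFILING INFORMATION
Device: Operating System/Windows OS/Microsoft Windows kernel 5.x
Device version: Device profiling confidence level: 30
"""

# Constructed sample of the same node as shown in the PacketFence GUI.
GUI_RECORD = {
    "Fully Qualified Device Name": "Operating System/Windows OS/Microsoft Windows Kernel 10.0",
    "Version": "10",
    "Score": "90%",
}

def parse_alert(text):
    """Extract MAC, profiled device path and profiling confidence from an alert."""
    fields = {}
    for line in text.splitlines():
        # Non-greedy key stops at the first colon, so MAC addresses keep their colons.
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    conf = re.search(r"confidence level:\s*(\d+)", text)
    return {
        "mac": fields.get("MAC Address"),
        "device": fields.get("Device"),
        "confidence": int(conf.group(1)) if conf else None,
    }

def triage(alert, record, min_confidence=50):
    """Return reasons the isolation looks like a false positive (empty list = trust it)."""
    reasons = []
    conf = alert["confidence"]
    if conf is not None and conf < min_confidence:
        reasons.append(f"profiling confidence {conf} is below {min_confidence}")
    db_device = record.get("Fully Qualified Device Name", "")
    if alert["device"] and alert["device"].lower() != db_device.lower():
        reasons.append(f"alert profile {alert['device']!r} differs from DB {db_device!r}")
    return reasons

if __name__ == "__main__":
    for reason in triage(parse_alert(ALERT), GUI_RECORD):
        print("review before isolating:", reason)
```

Run over a mailbox of exported notifications, it lists the isolations whose profiling disagreed with the node record at the time, which is exactly the kind of event this thread describes.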
