I typed it incorrectly in the email. As per the configuration on PacketFence, it is ccSvcHst.exe. This is not working.

On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL <[email protected]> wrote:

> Yes...it was a typo
>
> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
>
>> Hello,
>>
>> Is Value = ccSvcHst.exd a typo and should it be Value = ccSvcHst.exe?
>>
>> Thanks,
>>
>> Ludovic Zammit
>> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>>
>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>>
>> But I am using the option "Scan on registration".
>>
>> In the PacketFence log, there is no log for scanning or of any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me there?
>>
>> I am using the rule as:
>>
>> [ccSvcHst]
>> Attribute = Name
>> Operator = match
>> Value = ccSvcHst.exd
>> [1:ccSvcHst]
>> Action = trigger_security_event
>> Action_param =mac = $mac, tid= 1300987, type = custom
>> on_tab = 1
>>
>> The tid I mentioned here is also configured in one security event, which detects this tid under its condition and executes the events as described in it.
>>
>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>>
>>> Hello,
>>>
>>> There is a grace time period for the security event that triggers the scan, in your case it's the "Post Reg System Scan" and it has 1 hour grace time, meaning that it would only do a scan per hour.
>>>
>>> Lower it maybe to 2 mins.
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>
>>> Hello all,
>>>
>>> I have set up a WMI scan in my PacketFence but I can't see any results, no tab generated for the WMI scan under nodes, neither can I see any logs for the scan.
>>>
>>> When using the wmic command from the PacketFence server, I can see the results but nothing in my Web API. What could be the problem?
>>>
>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>>
>>>> Sorry to disturb you again, Ludovic.
>>>>
>>>> I have set up a WMI scan in PacketFence. In the WMI rule I am using an antivirus check rule and added the WMI scan engine in the connection profile as well.
>>>>
>>>> After this, I can't see any event generated by the WMI scan on my node, neither can I see a security event generated nor a new tab created for the WMI scan.
>>>>
>>>> When I check WMI connectivity to the endpoint using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me with what went wrong with this?
>>>>
>>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>>
>>>>> Hello,
>>>>>
>>>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>>>
>>>>> You can try it out to see if it works, for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>>>
>>>>> Most of the scans require the IP address of the device in order to start to scan the host, for example the WMI, that's why the DHCP ACK is very important.
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Ludovic Zammit
>>>>>
>>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>
>>>>> Thank you Ludovic for your help so far.
>>>>>
>>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events as Provisioning Enforcement against the node?
>>>>>
>>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>>>
>>>>>> You need an account that has administrative rights on the device that you check.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> But I can see a security event triggered for SEPM provisioning on the node. But the problem is it is actually not restricting access.
>>>>>>
>>>>>> Can I use a WMI scan in my environment?
>>>>>>
>>>>>> Thanks.
>>>>>>
>>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> No DHCP, no provisioner.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static IP.
>>>>>>>
>>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>>
>>>>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>>>>
>>>>>>>> Did you install the DHCP sensor?
>>>>>>>>
>>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Ludovic Zammit
>>>>>>>>
>>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>
>>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>>
>>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>>>
>>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Ludovic Zammit
>>>>>>>>>
>>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Yes....as I connect the device it goes into the registration VLAN and then if it is in the domain it gets authenticated and the VLAN changes as per the switch.
>>>>>>>>>
>>>>>>>>> Dot1x is working fine...but the problem is with Symantec. How to check if the end device has the Symantec client installed and working?
>>>>>>>>>
>>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>
>>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>>>
>>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication, I can see a security event generated for provisioning on my node in PacketFence, but my end device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>>>
>>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>>>
>>>>>>>>>> I need devices to be registered if they are both domain connected and have SEPM installed.
>>>>>>>>>>
>>>>>>>>>> Any help will be appreciated. Thanks in advance...
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>> [email protected]
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
