Sorry Fabrice, the filter for the packetfence.log was wrong so please ignore the earlier email.
Update is, I see the security event triggered but the node is not assigned to the Isolation VLAN:

Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for matching (pf::authentication::match2)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match_rule)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
*Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)*
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of 38:ba:f8:de:a7:10 to hodtest failed (pf::registration::setup_node_for_registration)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)

root@aolicnac:/usr/local/pf/conf# more security_events.conf
[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic

root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
[Disable_auto_reg]
status=enabled
condition=security_event.id == "3000008"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT

On Thu, Sep 16, 2021 at 7:23 PM Arun Kangle <akan...@gmail.com> wrote:
>
> Fabrice,
> The Problem is I don't see the security event getting triggered. What I mean
> is, *for example*, I don't see a security event trigger message like the
> one below (this one is for random_mac) in the packetfence.log for
> event_id=3000008
>
> 2021-09-16T19:09:43+05:30aolicnacpfqueuepfqueueinfo pfqueue(234785) INFO:
> [mac:d2:41:be:48:3a:1f] calling security_event_add with
> security_event_id=3000007 mac=d2:41:be:48:3a:1f release_date=0000-00-00
> 00:00:00 (trigger internal::new_dhcp_info)
> (pf::security_event::security_event_trigger)
>
> And because of that, under report or under node, I don't see any "Security
> events" entry.
>
> root@aolicnac:/usr/local/pf/conf# more security_events.conf
> [3000007]
> desc=Private MAC Address detection
> actions=log,reevaluate_access
> enabled=Y
> whitelisted_roles=default,v-guest,r-guest,registration
>
> [3000008]
> access_duration=12h
> enabled=Y
> trigger=internal::is_max_reg_nodes_reached
> desc=Max nodes reached
> actions=reevaluate_access
> window=dynamic
>
>
> root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
> [ster,RegistrationRole
>
> [Disable_auto_reg]
> status=enabled
> condition=security_event.id == "3000008"
> run_actions=enabled
> scopes=AutoRegister
> top_op=and
> description=Disable auto registration on security event
> role=REJECT
>
> Thanks in advance,
> - Arun
>
> On Wed, Sep 15, 2021 at 7:21 PM Fabrice Durand <oeufd...@gmail.com> wrote:
>
>> In fact it's a little bit more complicated since you do autoregistration.
>>
>> What you can do is to trigger the security event with action isolate.
>> Then create a vlan filter that disables the autoregistration if the
>> security event is open for this device.
>>
>> Then the first request will be rejected (security event triggered) and
>> once the device reconnects it will go in the isolation vlan.
>>
>>
>> Vlan filter:
>>
>> [Disable_Auto_reg]
>> description=Disable Auto Reg on security event
>> run_actions=enabled
>> status=enabled
>> condition=security_event.id == "3000009"
>> top_op=and
>> scopes=AutoRegister
>> role=REJECT
>>
>> Security event:
>>
>> [3000009]
>> trigger=internal::is_max_reg_nodes_reached
>> desc=Max node
>> access_duration=12h
>> actions=reevaluate_access
>> window=dynamic
>> enabled=Y
>>
>>
>>
>> On Mon, Sep 13, 2021 at 13:04, Arun Kangle <akan...@gmail.com> wrote:
>>
>>> Hi Fabrice,
>>> I did quick testing, it's not triggering. I am using V 11.0, upgraded
>>> from 10.3.9
>>> 1) while creating the security event, the GUI shows the error (attached
>>> screenshot) but the event is created successfully
>>> 2) the event is not getting triggered, so no further actions (like
>>> assigning the isolation role, and not getting redirected to the web page)
>>>
>>> security_event.conf
>>> more security_events.conf
>>> [3000007]
>>> desc=Private MAC Address detection
>>> actions=log,reevaluate_access
>>> enabled=Y
>>> whitelisted_roles=default,v-guest,r-guest,registration
>>>
>>> [3000008]
>>> access_duration=12h
>>> enabled=Y
>>> template=banned_os
>>> trigger=internal::is_max_reg_nodes_reached
>>> desc=Max nodes reached
>>> actions=reevaluate_access
>>> # Copyright (C) Inverse inc.
>>>
>>>
>>> Logs:
>>>
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for matching (pf::authentication::match2)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match_rule)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of 38:ba:f8:de:a7:10 to hodtest failed (pf::registration::setup_node_for_registration)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
>>>
>>>
>>> On Mon, Sep 13, 2021 at 1:33 PM Arun Kangle <akan...@gmail.com> wrote:
>>>
>>>> Thanks a lot for your help Fabrice. I patched my server. Will do some
>>>> testing and let you know.
>>>>
>>>> Regards,
>>>> - Arun
>>>>
>>>> On Mon, Sep 13, 2021 at 5:56 AM Fabrice Durand <oeufd...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Arun,
>>>>>
>>>>> try that.
>>>>> cd /usr/local/pf
>>>>> patch -p1 --dry-run < max_node.diff
>>>>> if there is no error:
>>>>> patch -p1 < max_node.diff
>>>>>
>>>>> Then restart packetfence.
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>> On Sat, Sep 11, 2021 at 10:40, Arun Kangle <akan...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Fabrice,
>>>>>> Thanks for your reply. I will need help on this.
>>>>>>
>>>>>> Thanks again,
>>>>>> - Arun
>>>>>>
>>>>>> On Sat, Sep 11, 2021 at 7:25 AM Fabrice Durand <oeufd...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Arun,
>>>>>>>
>>>>>>> there is no security event that triggers that, but it's not something
>>>>>>> really complicated to add in packetfence.
>>>>>>>
>>>>>>> If you look at is_max_reg_nodes_reached in node.pm, you can trigger
>>>>>>> a security event from there.
>>>>>>>
>>>>>>> Let me know if you need help on that, it won't take me so much time
>>>>>>> to code it.
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>>
>>>>>>> On Wed, Aug 25, 2021 at 05:54, Arun Kangle via PacketFence-users <
>>>>>>> packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>> I went through the install guide and this list but I did not find
>>>>>>>> information on how to configure a custom security event.
>>>>>>>> Basically I wanted to trigger a custom security event when "max
>>>>>>>> nodes per pid met or exceeded" and move the node to the isolation vlan
>>>>>>>> so that the user can deregister one of the nodes to proceed.
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> - Arun
>>>>>>>> _______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>>>>>>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
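An added diagnostic, not part of the thread or of PacketFence itself: it parses packetfence.log records of the shape shown above, groups them by client MAC, and reports for each authorize pass whether the per-pid limit was hit, which security event fired (new or already open) and whether auto-registration was rejected again. The sample log lines are constructed, shortened from the thread's excerpt.

```python
import re
from collections import defaultdict

# Constructed sample, shortened from the packetfence.log excerpt in the thread.
SAMPLE_LOG = """\
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), mac => [38:ba:f8:de:a7:10], username => "hodtest" (pf::radius::authorize)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
"""

# One record: timestamp host process[pid]: worker LEVEL: [mac:..] message (pf::caller)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ \S+\[\d+\]: \S+ (?P<level>INFO|WARN|ERROR): "
    r"\[mac:(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\] (?P<msg>.*) \((?P<func>pf::[\w:]+)\)$"
)

def parse_log(text):
    """Group parsed records by client MAC, preserving their order."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_mac[m["mac"]].append(m.groupdict())
    return by_mac

def diagnose(records):
    """Summarise one MAC's authorize pass from the pf:: caller of each record."""
    v = {"limit_hit": False, "pid": None, "role": None, "security_event": None,
         "already_open": False, "autoreg_failed": False}
    for r in records:
        if r["func"] == "pf::node::is_max_reg_nodes_reached":
            v["limit_hit"] = True
            m = re.search(r"registered to pid (\S+) for role (\S+)$", r["msg"])
            if m:
                v["pid"], v["role"] = m.groups()
        elif r["func"] == "pf::security_event::security_event_trigger":
            m = re.search(r"security_event (\d+)", r["msg"])
            v["security_event"] = m.group(1) if m else None
            v["already_open"] = "already exists" in r["msg"]
        elif r["func"] == "pf::radius::authorize" and r["level"] == "ERROR":
            v["autoreg_failed"] = True
    return v

def explain(v):
    """Plain-language verdict matching the symptom discussed in the thread."""
    if v["autoreg_failed"] and v["already_open"]:
        return (f"event {v['security_event']} already open for pid {v['pid']} and the request "
                "was rejected again: the node never registers, so no isolation VLAN is applied")
    if v["autoreg_failed"]:
        return f"event {v['security_event']} opened and this first request rejected"
    return "no max-nodes rejection in this pass"

if __name__ == "__main__":
    for mac, recs in parse_log(SAMPLE_LOG).items():
        print(mac, explain(diagnose(recs)))
```

Point it at a real packetfence.log by reading the file into `parse_log` instead of `SAMPLE_LOG`; a MAC that keeps landing in the first `explain` branch is being rejected on every reconnect rather than moved to isolation.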