Sorry Fabrice, the filter for the packetfence.log was wrong, so please ignore the
earlier email.

Update: I see the security event triggered, but the node is not assigned to
the isolation VLAN:

Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
=> (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
(00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
"hodtest", ssid => aolicnet (pf::radius::authorize)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
(pf::Connection::ProfileFactory::_from_profile)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
'set-group-based-role' for realm 'null'
(pf::config::util::filter_authentication_sources)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
matching (pf::authentication::match2)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
Searching for
(&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
from DC=AOLIC,DC=NET, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
for
(&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
from DC=AOLIC,DC=NET, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
set-group-based-role, returning actions.
(pf::Authentication::Source::match_rule)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
set-group-based-role, returning actions. (pf::Authentication::Source::match)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1
are already registered to pid hodtest for role HOD
(pf::node::is_max_reg_nodes_reached)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
38:ba:f8:de:a7:10. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)

Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger
internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10,
not adding again (pf::security_event::security_event_trigger)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of
38:ba:f8:de:a7:10 to hodtest failed
(pf::registration::setup_node_for_registration)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes
per pid met or exceeded (pf::radius::authorize)


root@aolicnac:/usr/local/pf/conf# more security_events.conf

[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic


root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf

[Disable_auto_reg]
status=enabled
condition=security_event.id == "3000008"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT

On Thu, Sep 16, 2021 at 7:23 PM Arun Kangle <akan...@gmail.com> wrote:

> Fabrice,
> The problem is I don't see the security event getting triggered. What I mean
> is, for example, I don't see a security event trigger message like the
> one below (this one is for random_mac) in the packetfence.log for
> event_id=3000008
>
> 2021-09-16T19:09:43+05:30aolicnacpfqueuepfqueueinfo pfqueue(234785) INFO:
> [mac:d2:41:be:48:3a:1f] calling security_event_add with
> security_event_id=3000007 mac=d2:41:be:48:3a:1f release_date=0000-00-00
> 00:00:00 (trigger internal::new_dhcp_info)
> (pf::security_event::security_event_trigger)
>
> And because of that under report or under node, I don't see any "Security
> events" entry.
>
> root@aolicnac:/usr/local/pf/conf# more security_events.conf
> [3000007]
> desc=Private MAC Address detection
> actions=log,reevaluate_access
> enabled=Y
> whitelisted_roles=default,v-guest,r-guest,registration
>
> [3000008]
> access_duration=12h
> enabled=Y
> trigger=internal::is_max_reg_nodes_reached
> desc=Max nodes reached
> actions=reevaluate_access
> window=dynamic
>
>
> root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
> [ster,RegistrationRole
>
> [Disable_auto_reg]
> status=enabled
> condition=security_event.id == "3000008"
> run_actions=enabled
> scopes=AutoRegister
> top_op=and
> description=Disable auto registration on security event
> role=REJECT
>
> Thanks in advance,
> - Arun
>
> On Wed, Sep 15, 2021 at 7:21 PM Fabrice Durand <oeufd...@gmail.com> wrote:
>
>> In fact it's a little bit more complicated since you do autoregistration.
>>
>> What you can do is to trigger the security event with action isolate.
>> Then create a vlan filter that disables the autoregistration if the
>> security event is open for this device.
>>
>> Then the first request will be rejected (security event triggered) and
>> once the device reconnects it will go into the isolation vlan.
>>
>>
>> Vlan filter:
>>
>> [Disable_Auto_reg]
>> description=Disable Auto Reg on security event
>> run_actions=enabled
>> status=enabled
>> condition=security_event.id == "3000009"
>> top_op=and
>> scopes=AutoRegister
>> role=REJECT
>>
>> Security event:
>>
>> [3000009]
>> trigger=internal::is_max_reg_nodes_reached
>> desc=Max node
>> access_duration=12h
>> actions=reevaluate_access
>> window=dynamic
>> enabled=Y
>>
>>
>>
>> Le lun. 13 sept. 2021 à 13:04, Arun Kangle <akan...@gmail.com> a écrit :
>>
>>> Hi Fabrice,
>>> I did quick testing, it's not triggering. I am using V 11.0, upgraded
>>> from 10.3.9
>>> 1) while creating the security event, GUI shows the error (attached
>>> screenshot) but event is created successfully
>>> 2) event is not getting triggered, so no further actions (like
>>> assigning the isolation role, and not getting redirected to the web page)
>>>
>>> security_events.conf:
>>> more security_events.conf
>>> [3000007]
>>> desc=Private MAC Address detection
>>> actions=log,reevaluate_access
>>> enabled=Y
>>> whitelisted_roles=default,v-guest,r-guest,registration
>>>
>>> [3000008]
>>> access_duration=12h
>>> enabled=Y
>>> template=banned_os
>>> trigger=internal::is_max_reg_nodes_reached
>>> desc=Max nodes reached
>>> actions=reevaluate_access
>>> # Copyright (C) Inverse inc.
>>>
>>>
>>> Logs:
>>>
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
>>> => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
>>> (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
>>> "hodtest", ssid => aolicnet (pf::radius::authorize)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
>>> (pf::Connection::ProfileFactory::_from_profile)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
>>> 'set-group-based-role' for realm 'null'
>>> (pf::config::util::filter_authentication_sources)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
>>> matching (pf::authentication::match2)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
>>> Searching for
>>> (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
>>> from DC=AOLIC,DC=NET, with scope sub
>>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
>>> for
>>> (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
>>> from DC=AOLIC,DC=NET, with scope sub
>>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
>>> set-group-based-role, returning actions.
>>> (pf::Authentication::Source::match_rule)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
>>> set-group-based-role, returning actions. (pf::Authentication::Source::match)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1
>>> are already registered to pid hodtest for role HOD
>>> (pf::node::is_max_reg_nodes_reached)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
>>> 38:ba:f8:de:a7:10. The history set doesn't exist yet.
>>> (pf::accounting_events_history::latest_mac_history)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger
>>> internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10,
>>> not adding again (pf::security_event::security_event_trigger)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded -
>>> registration of 38:ba:f8:de:a7:10 to hodtest failed
>>> (pf::registration::setup_node_for_registration)
>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>>> ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes
>>> per pid met or exceeded (pf::radius::authorize)
>>>
>>>
>>> On Mon, Sep 13, 2021 at 1:33 PM Arun Kangle <akan...@gmail.com> wrote:
>>>
>>>> Thanks a lot for your help Fabrice. I patched my server. Will do some
>>>> testing and let you know.
>>>>
>>>> Regards,
>>>> - Arun
>>>>
>>>> On Mon, Sep 13, 2021 at 5:56 AM Fabrice Durand <oeufd...@gmail.com>
>>>> wrote:
>>>>
>>>>> Hello Arun,
>>>>>
>>>>> try that.
>>>>> cd /usr/local/pf
>>>>> patch -p1 --dry-run < max_node.diff
>>>>> if there is no error:
>>>>> patch -p1 < max_node.diff
>>>>>
>>>>> Then restart packetfence.
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>> Le sam. 11 sept. 2021 à 10:40, Arun Kangle <akan...@gmail.com> a
>>>>> écrit :
>>>>>
>>>>>> Hi Fabrice,
>>>>>> Thanks for your reply. I will need help on this.
>>>>>>
>>>>>> Thanks again,
>>>>>> - Arun
>>>>>>
>>>>>> On Sat, Sep 11, 2021 at 7:25 AM Fabrice Durand <oeufd...@gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hello Arun,
>>>>>>>
>>>>>>> there is no security event that triggers that, but it's not something
>>>>>>> really complicated to add in packetfence.
>>>>>>>
>>>>>>> If you look at is_max_reg_nodes_reached in node.pm, you can trigger
>>>>>>> a security event from there.
>>>>>>>
>>>>>>> Let me know if you need help on that, it won't take me so much time
>>>>>>> to code it.
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>>
>>>>>>> Le mer. 25 août 2021 à 05:54, Arun Kangle via PacketFence-users <
>>>>>>> packetfence-users@lists.sourceforge.net> a écrit :
>>>>>>>
>>>>>>>> Hello All,
>>>>>>>> I went through the install guide and this list but I did not find
>>>>>>>> information on how to configure a custom security event.
>>>>>>>> Basically I wanted to trigger a custom security event when "max
>>>>>>>> nodes per pid met or exceeded" and move the node to the isolation vlan
>>>>>>>> so that the user can deregister one of the nodes to proceed.
>>>>>>>>
>>>>>>>> Thanks in advance,
>>>>>>>> - Arun
>>>>>>>> _______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>
>>>>>>>