Fabrice,
The problem is I don't see the security event even getting triggered. What I mean is,
*for example*, I don't see a security event trigger message like the one
below (this one is for random_mac) in the packetfence.log for
event_id=3000008

2021-09-16T19:09:43+05:30 aolicnac pfqueue pfqueue info pfqueue(234785) INFO:
[mac:d2:41:be:48:3a:1f] calling security_event_add with
security_event_id=3000007 mac=d2:41:be:48:3a:1f release_date=0000-00-00
00:00:00 (trigger internal::new_dhcp_info)
(pf::security_event::security_event_trigger)

And because of that under report or under node, I don't see any "Security
events" entry.

root@aolicnac:/usr/local/pf/conf# more security_events.conf
[3000007]
desc=Private MAC Address detection
actions=log,reevaluate_access
enabled=Y
whitelisted_roles=default,v-guest,r-guest,registration

[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic


root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
[ster,RegistrationRole

[Disable_auto_reg]
status=enabled
condition=security_event.id == "3000008"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT

Thanks in advance,
- Arun
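A quick way to tell whether the problem is the config or the trigger: cross-check security_events.conf against vlan_filters.conf (every filter condition on security_event.id must point at a defined, enabled event that has a trigger) and then look in packetfence.log for the security_event_trigger lines for that id. The script below is an added example, not PacketFence code and not from anyone in this thread. Its sample inputs are constructed from the configs and log lines quoted in the thread (re-joined where the mail client wrapped them); the second vlan filter, which references 3000009 from Fabrice's reply against a config that only defines 3000008, is included only to show how an id mismatch between the two files is caught. Treating a filter with no status= line as enabled is an assumption.

```python
"""Cross-check security_events.conf against vlan_filters.conf and confirm from
packetfence.log whether the referenced event ever fired. Added example, not
PacketFence code; the samples are constructed from the thread's quoted lines."""
import configparser
import re

# Constructed sample: the 3000008 section of the security_events.conf quoted above.
SECURITY_EVENTS_CONF = """
[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic
"""

# Constructed sample: the vlan filter quoted above, plus one copied from the reply
# further down (it tests 3000009, which the config above does not define).
VLAN_FILTERS_CONF = """
[Disable_auto_reg]
status=enabled
condition=security_event.id == "3000008"
run_actions=enabled
scopes=AutoRegister
role=REJECT

[Disable_Auto_reg]
status=enabled
condition=security_event.id == "3000009"
run_actions=enabled
scopes=AutoRegister
role=REJECT
"""

# Constructed sample: the two security_event_trigger log lines quoted in the thread.
PACKETFENCE_LOG = (
    "2021-09-16T19:09:43+05:30 aolicnac pfqueue(234785) INFO: [mac:d2:41:be:48:3a:1f] "
    "calling security_event_add with security_event_id=3000007 mac=d2:41:be:48:3a:1f "
    "release_date=0000-00-00 00:00:00 (trigger internal::new_dhcp_info) "
    "(pf::security_event::security_event_trigger)\n"
    "Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: "
    "[mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger "
    "internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, "
    "not adding again (pf::security_event::security_event_trigger)\n"
)

COND_RE = re.compile(r'security_event\.id\s*==\s*"?(\d+)"?')
# Logged when PF opens a new event, and when one is already open for that MAC.
ADD_RE = re.compile(r"security_event_add with security_event_id=(\d+) mac=([0-9a-f:]{17})")
EXISTS_RE = re.compile(r"security_event (\d+) \(trigger [^)]*\) already exists for ([0-9a-f:]{17})")


def parse_ini(text):
    """Parse a PacketFence .conf (INI) into {section: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def check_filters(events, filters):
    """(filter, event id, problem or None) for each enabled filter that tests
    security_event.id. Assumption: a filter without status= counts as enabled."""
    out = []
    for name, f in filters.items():
        m = COND_RE.search(f.get("condition", ""))
        if f.get("status", "enabled") != "enabled" or not m:
            continue
        eid, ev = m.group(1), events.get(m.group(1))
        if ev is None:
            problem = "references undefined security event"
        elif ev.get("enabled") != "Y":
            problem = "security event is disabled"
        elif not ev.get("trigger"):
            problem = "security event has no trigger, nothing will open it"
        else:
            problem = None
        out.append((name, eid, problem))
    return out


def events_seen_in_log(log_text):
    """Map event id -> set of MACs the event was opened (or found open) for."""
    seen = {}
    for line in log_text.splitlines():
        m = ADD_RE.search(line) or EXISTS_RE.search(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
    return seen


def report(events_text, filters_text, log_text):
    """Join the config cross-check with the log evidence, one row per filter."""
    seen = events_seen_in_log(log_text)
    return [{"filter": n, "event": e, "problem": p, "seen_for": sorted(seen.get(e, ()))}
            for n, e, p in check_filters(parse_ini(events_text), parse_ini(filters_text))]


if __name__ == "__main__":
    print(*report(SECURITY_EVENTS_CONF, VLAN_FILTERS_CONF, PACKETFENCE_LOG), sep="\n")
```

Run as-is it prints one row per filter: the 3000008 filter is consistent and the log shows the event already open for 38:ba:f8:de:a7:10, while the 3000009 filter is flagged as referencing an undefined event. On a real server, feed the contents of the two .conf files and the packetfence.log into report() instead of the constructed strings; an empty seen_for list for a consistent filter means the trigger never reached security_event_trigger, which is a different problem from a config mismatch.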

On Wed, Sep 15, 2021 at 7:21 PM Fabrice Durand <oeufd...@gmail.com> wrote:

> In fact it's a little bit more complicated since you do autoregistration.
>
> What you can do is to trigger the security event with action isolate.
> Then create a vlan filter that disables the autoregistration if the
> security event is open for this device.
>
> Then the first request will be rejected (security event triggered) and
> once the device reconnects it will go in the isolation vlan.
>
>
> Vlan filter:
>
> [Disable_Auto_reg]
> description=Disable Auto Reg on security event
> run_actions=enabled
> status=enabled
> condition=security_event.id == "3000009"
> top_op=and
> scopes=AutoRegister
> role=REJECT
>
> Security event:
>
> [3000009]
> trigger=internal::is_max_reg_nodes_reached
> desc=Max node
> access_duration=12h
> actions=reevaluate_access
> window=dynamic
> enabled=Y
>
>
>
> Le lun. 13 sept. 2021 à 13:04, Arun Kangle <akan...@gmail.com> a écrit :
>
>> Hi Fabrice,
>> I did quick testing, it's not triggering. I am using V 11.0, upgraded
>> from 10.3.9
>> 1) while creating the security event, GUI shows the error (attached
>> screenshot) but the event is created successfully
>> 2) event is not getting triggered, so no further actions (like
>> assigning the isolation role and getting redirected to the web page)
>>
>> security_event.conf
>>  more security_events.conf
>> [3000007]
>> desc=Private MAC Address detection
>> actions=log,reevaluate_access
>> enabled=Y
>> whitelisted_roles=default,v-guest,r-guest,registration
>>
>> [3000008]
>> access_duration=12h
>> enabled=Y
>> template=banned_os
>> trigger=internal::is_max_reg_nodes_reached
>> desc=Max nodes reached
>> actions=reevaluate_access
>> # Copyright (C) Inverse inc.
>>
>>
>> Logs:
>>
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
>> => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
>> (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
>> "hodtest", ssid => aolicnet (pf::radius::authorize)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
>> (pf::Connection::ProfileFactory::_from_profile)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
>> 'set-group-based-role' for realm 'null'
>> (pf::config::util::filter_authentication_sources)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
>> matching (pf::authentication::match2)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
>> Searching for
>> (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
>> from DC=AOLIC,DC=NET, with scope sub
>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
>> for
>> (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
>> from DC=AOLIC,DC=NET, with scope sub
>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
>> set-group-based-role, returning actions.
>> (pf::Authentication::Source::match_rule)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
>> set-group-based-role, returning actions. (pf::Authentication::Source::match)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1
>> are already registered to pid hodtest for role HOD
>> (pf::node::is_max_reg_nodes_reached)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
>> 38:ba:f8:de:a7:10. The history set doesn't exist yet.
>> (pf::accounting_events_history::latest_mac_history)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger
>> internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10,
>> not adding again (pf::security_event::security_event_trigger)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded -
>> registration of 38:ba:f8:de:a7:10 to hodtest failed
>> (pf::registration::setup_node_for_registration)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes
>> per pid met or exceeded (pf::radius::authorize)
>>
>>
>> On Mon, Sep 13, 2021 at 1:33 PM Arun Kangle <akan...@gmail.com> wrote:
>>
>>> Thanks a lot for your help Fabrice. I patched my server. Will do some
>>> testing and let you know.
>>>
>>> Regards,
>>> - Arun
>>>
>>> On Mon, Sep 13, 2021 at 5:56 AM Fabrice Durand <oeufd...@gmail.com>
>>> wrote:
>>>
>>>> Hello Arun,
>>>>
>>>> try that.
>>>> cd /usr/local/pf
>>>> patch -p1 --dry-run < max_node.diff
>>>> if there is no error:
>>>> patch -p1 < max_node.diff
>>>>
>>>> Then restart packetfence.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> Le sam. 11 sept. 2021 à 10:40, Arun Kangle <akan...@gmail.com> a
>>>> écrit :
>>>>
>>>>> Hi Fabrice,
>>>>> Thanks for your reply. I will need help on this.
>>>>>
>>>>> Thanks again,
>>>>> - Arun
>>>>>
>>>>> On Sat, Sep 11, 2021 at 7:25 AM Fabrice Durand <oeufd...@gmail.com>
>>>>> wrote:
>>>>>
>>>>>> Hello Arun,
>>>>>>
>>>>>> there is no security event that triggers that, but it's not something
>>>>>> really complicated to add in packetfence.
>>>>>>
>>>>>> If you look at is_max_reg_nodes_reached in node.pm, you can trigger
>>>>>> a security event from there.
>>>>>>
>>>>>> Let me know if you need help on that, it won't take me much time
>>>>>> to code it.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>>
>>>>>> Le mer. 25 août 2021 à 05:54, Arun Kangle via PacketFence-users <
>>>>>> packetfence-users@lists.sourceforge.net> a écrit :
>>>>>>
>>>>>>> Hello All,
>>>>>>> I went through the install guide and this list but I did not find
>>>>>>> information on how to configure a custom security event.
>>>>>>> Basically I wanted to trigger a custom security event when "max
>>>>>>> nodes per pid met or exceeded" and move the node to the isolation vlan
>>>>>>> so that the user can deregister one of the nodes to proceed.
>>>>>>>
>>>>>>> Thanks in advance,
>>>>>>> - Arun
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>
>>>>>>