Hi Fabrice,

Update no 2: I could be wrong but I think for some reason "condition=security_event.id == "3000008"" is not honoured (on the GUI I can see the security event is in "open" state). Because just to verify I changed it to "condition=username == "hodtest"" and from the logs I see that condition is honoured and the node is assigned to the "isolation" vlan.
Logs:

Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
*Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Match rule Disable_auto_reg (pf::access_filter::test)*
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] highest priority security_event is 3000008. Target Role for security_event: isolation (pf::role::getIsolationRole)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] (192.168.2.27) Added VLAN 19 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] No parameter isolationRole found in conf/switches.conf for the switch 192.168.2.27 (pf::Switch::getRoleByName)
Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify (pf::api::firewallsso_accounting)
Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
Sep 19 17:31:06 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Request to /api/v1/firewall_sso/update is unauthorized, will perform a login (pf::api::unifiedapiclient::call)
Sep 19 17:31:07 aolicnac pfqueue[476302]: pfqueue(476302) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
Sep 19 17:31:07 aolicnac pfqueue[476302]: pfqueue(476302) WARN: [mac:38:ba:f8:de:a7:10] Unable to match MAC address to IP '192.168.10.58' (pf::ip4log::ip2mac)
Sep 19 17:31:07 aolicnac pfqueue[478327]: pfqueue(478327) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify (pf::api::firewallsso_accounting)
Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Stop' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Updating locationlog from accounting request (pf::api::handle_accounting_metadata)
Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Firewall SSO Notify (pf::api::firewallsso_accounting)
Sep 19 17:31:14 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
Sep 19 17:31:15 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Sep 19 17:31:15 aolicnac pfqueue[476998]: pfqueue(476998) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)
Sep 19 17:31:15 aolicnac packetfence_httpd.aaa[463999]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
Sep 19 17:31:15 aolicnac pfqueue[478332]: pfqueue(478332) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 19 17:31:16 aolicnac packetfence_httpd.portal[476285]: httpd.portal(476285) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 19 17:31:16 aolicnac packetfence_httpd.portal[476292]: httpd.portal(476292) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
Sep 19 17:31:16 aolicnac packetfence_httpd.portal[476292]: httpd.portal(476292) INFO: [mac:38:ba:f8:de:a7:10] Showing the security_events/banned_os.html remediation page. (captiveportal::PacketFence::Controller::SecurityEvent::index)
Sep 19 17:31:30 aolicnac pfqueue[476506]: pfqueue(476506) INFO: [mac:38:ba:f8:de:a7:10] Sending a firewall SSO 'Update' request for MAC '38:ba:f8:de:a7:10' and IP '192.168.10.58' (pf::firewallsso::do_sso)

more /usr/local/pf/conf/security_events.conf
[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access

more /usr/local/pf/conf/vlan_filters.conf
[Disable_auto_reg]
status=enabled
condition=username == "hodtest"
run_actions=enabled
scopes=AutoRegister
top_op=and

Thanks,
- Arun

On Fri, Sep 17, 2021 at 1:03 AM Arun Kangle <akan...@gmail.com> wrote:
> Sorry Fabrice, the filter for the packetfence.log was wrong so please ignore the earlier email.
>
> Update is, I see the security event triggered but the node is not assigned to the Isolation VLAN:
>
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for matching (pf::authentication::match2)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match_rule)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>
> *Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)*
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of 38:ba:f8:de:a7:10 to hodtest failed (pf::registration::setup_node_for_registration)
> Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
>
> root@aolicnac:/usr/local/pf/conf# more security_events.conf
>
> [3000008]
> access_duration=12h
> enabled=Y
> trigger=internal::is_max_reg_nodes_reached
> desc=Max nodes reached
> actions=reevaluate_access
> window=dynamic
>
> root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
>
> [Disable_auto_reg]
> status=enabled
> condition=security_event.id == "3000008"
> run_actions=enabled
> scopes=AutoRegister
> top_op=and
> description=Disable auto registration on security event
> role=REJECT
>
> On Thu, Sep 16, 2021 at 7:23 PM Arun Kangle <akan...@gmail.com> wrote:
>
>> Fabrice,
>> The problem is I don't see the security event getting triggered.
>> What I mean is, *for example*, I don't see a security event trigger message like the one below (this one is for random_mac) in the packetfence.log for event_id=3000008
>>
>> 2021-09-16T19:09:43+05:30 aolicnac pfqueue pfqueue info pfqueue(234785) INFO: [mac:d2:41:be:48:3a:1f] calling security_event_add with security_event_id=3000007 mac=d2:41:be:48:3a:1f release_date=0000-00-00 00:00:00 (trigger internal::new_dhcp_info) (pf::security_event::security_event_trigger)
>>
>> And because of that, under report or under node, I don't see any "Security events" entry.
>>
>> root@aolicnac:/usr/local/pf/conf# more security_events.conf
>> [3000007]
>> desc=Private MAC Address detection
>> actions=log,reevaluate_access
>> enabled=Y
>> whitelisted_roles=default,v-guest,r-guest,registration
>>
>> [3000008]
>> access_duration=12h
>> enabled=Y
>> trigger=internal::is_max_reg_nodes_reached
>> desc=Max nodes reached
>> actions=reevaluate_access
>> window=dynamic
>>
>> root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
>> [ster,RegistrationRole
>>
>> [Disable_auto_reg]
>> status=enabled
>> condition=security_event.id == "3000008"
>> run_actions=enabled
>> scopes=AutoRegister
>> top_op=and
>> description=Disable auto registration on security event
>> role=REJECT
>>
>> Thanks in advance,
>> - Arun
>>
>> On Wed, Sep 15, 2021 at 7:21 PM Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>>> In fact it's a little bit more complicated since you do autoregistration.
>>>
>>> What you can do is to trigger the security event with action isolate. Then create a vlan filter that disables the autoregistration if the security event is open for this device.
>>>
>>> Then the first request will be rejected (security event triggered) and once the device reconnects it will go in the isolation vlan.
>>>
>>> Vlan filter:
>>>
>>> [Disable_Auto_reg]
>>> description=Disable Auto Reg on security event
>>> run_actions=enabled
>>> status=enabled
>>> condition=security_event.id == "3000009"
>>> top_op=and
>>> scopes=AutoRegister
>>> role=REJECT
>>>
>>> Security event:
>>>
>>> [3000009]
>>> trigger=internal::is_max_reg_nodes_reached
>>> desc=Max node
>>> access_duration=12h
>>> actions=reevaluate_access
>>> window=dynamic
>>> enabled=Y
>>>
>>> On Mon, Sep 13, 2021 at 13:04, Arun Kangle <akan...@gmail.com> wrote:
>>>
>>>> Hi Fabrice,
>>>> I did quick testing, it's not triggering. I am using V 11.0, upgraded from 10.3.9
>>>> 1) while creating the security event, the GUI shows the error (attached screenshot) but the event is created successfully
>>>> 2) the event is not getting triggered, so no further actions (like assigning the isolation role, and not getting redirected to the web page)
>>>>
>>>> security_event.conf
>>>> more security_events.conf
>>>> [3000007]
>>>> desc=Private MAC Address detection
>>>> actions=log,reevaluate_access
>>>> enabled=Y
>>>> whitelisted_roles=default,v-guest,r-guest,registration
>>>>
>>>> [3000008]
>>>> access_duration=12h
>>>> enabled=Y
>>>> template=banned_os
>>>> trigger=internal::is_max_reg_nodes_reached
>>>> desc=Max nodes reached
>>>> actions=reevaluate_access
>>>> # Copyright (C) Inverse inc.
>>>>
>>>> Logs:
>>>>
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac => (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username => "hodtest", ssid => aolicnet (pf::radius::authorize)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap (pf::Connection::ProfileFactory::_from_profile)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) : 'set-group-based-role' for realm 'null' (pf::config::util::filter_authentication_sources)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for matching (pf::authentication::match2)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching for (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)), from DC=AOLIC,DC=NET, with scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match_rule)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device 38:ba:f8:de:a7:10. The history set doesn't exist yet. (pf::accounting_events_history::latest_mac_history)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) INFO: [mac:38:ba:f8:de:a7:10] security_event 3000008 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of 38:ba:f8:de:a7:10 to hodtest failed (pf::registration::setup_node_for_registration)
>>>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
>>>>
>>>> On Mon, Sep 13, 2021 at 1:33 PM Arun Kangle <akan...@gmail.com> wrote:
>>>>
>>>>> Thanks a lot for your help Fabrice. I patched my server. Will do some testing and let you know.
>>>>>
>>>>> Regards,
>>>>> - Arun
>>>>>
>>>>> On Mon, Sep 13, 2021 at 5:56 AM Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>
>>>>>> Hello Arun,
>>>>>>
>>>>>> try that.
>>>>>> cd /usr/local/pf
>>>>>> patch -p1 --dry-run < max_node.diff
>>>>>> if there is no error:
>>>>>> patch -p1 < max_node.diff
>>>>>>
>>>>>> Then restart packetfence.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> On Sat, Sep 11, 2021 at 10:40, Arun Kangle <akan...@gmail.com> wrote:
>>>>>>
>>>>>>> Hi Fabrice,
>>>>>>> Thanks for your reply. I will need help on this.
>>>>>>>
>>>>>>> Thanks again,
>>>>>>> - Arun
>>>>>>>
>>>>>>> On Sat, Sep 11, 2021 at 7:25 AM Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hello Arun,
>>>>>>>>
>>>>>>>> there is no security event that triggers that, but it's not something really complicated to add in packetfence.
>>>>>>>>
>>>>>>>> If you look at is_max_reg_nodes_reached in node.pm, you can trigger a security event from there.
>>>>>>>>
>>>>>>>> Let me know if you need help on that, it won't take me so much time to code it.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>> On Wed, Aug 25, 2021 at 05:54, Arun Kangle via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>
>>>>>>>>> Hello All,
>>>>>>>>> I went through the install guide and this list but I did not find information on how to configure a custom security event.
>>>>>>>>> Basically I wanted to trigger a custom security event when "max nodes per pid met or exceeded" and move the node to the isolation vlan so that the user can deregister one of the nodes to proceed.
>>>>>>>>>
>>>>>>>>> Thanks in advance,
>>>>>>>>> - Arun
>>>>>>>>> _______________________________________________
>>>>>>>>> PacketFence-users mailing list
>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
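The thread above walks through three places the "max nodes reached" flow can stall: the security event not being triggered, the VLAN filter condition not matching, and the isolation role not being translated to a VLAN for the switch. The script below is an added example, not code from the thread's participants or from the PacketFence project. It parses the two .conf fragments posted in the thread with Python's configparser, checks that the filter actually points at an enabled security event in the AutoRegister scope, and then scans packetfence.log lines for the evidence each step leaves behind. The embedded config and log lines are constructed from the fragments quoted above; the regexes assume the exact message formats shown there (the `[mac:...]` tag, `Match rule ... (pf::access_filter::test)`, `highest priority security_event is ...`, `No parameter ... found in conf/switches.conf ...`), which is an assumption about log wording, not a documented interface.

```python
"""Cross-check PacketFence security event / VLAN filter config against
packetfence.log (added example; assumes the log wording quoted in the thread)."""
import configparser
import re

# Constructed sample input: the config fragments posted in the thread.
SECURITY_EVENTS_CONF = """
[3000008]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic
"""

VLAN_FILTERS_CONF = """
[Disable_auto_reg]
status=enabled
condition=security_event.id == "3000008"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT
"""

# Constructed sample input: three packetfence.log lines from the thread.
LOG = """\
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Match rule Disable_auto_reg (pf::access_filter::test)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] highest priority security_event is 3000008. Target Role for security_event: isolation (pf::role::getIsolationRole)
Sep 19 17:30:58 aolicnac packetfence_httpd.aaa[284027]: httpd.aaa(249065) WARN: [mac:38:ba:f8:de:a7:10] No parameter isolationRole found in conf/switches.conf for the switch 192.168.2.27 (pf::Switch::getRoleByName)
"""

# Message patterns taken from the log lines in the thread (assumed stable wording).
SE_ID_RE = re.compile(r'security_event\.id\s*==\s*"(\d+)"')
FILTER_RE = re.compile(r"Match rule (\S+) \(pf::access_filter::test\)")
TARGET_RE = re.compile(r"highest priority security_event is (\d+)\. Target Role for security_event: (\S+)")
UNMAPPED_RE = re.compile(r"No parameter (\S+) found in conf/switches\.conf for the switch (\S+)")
TRIGGER_RE = re.compile(r"calling security_event_add with security_event_id=(\d+)"
                        r"|security_event (\d+) \(trigger [^)]*\) already exists for")


def load_conf(text):
    """Parse a PacketFence .conf fragment (INI syntax); interpolation off so '%' in values is safe."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_filter_config(sec, vlan):
    """Return the problems that would stop a VLAN filter from acting on a security event."""
    problems = []
    for name in vlan.sections():
        f = vlan[name]
        if f.get("status") != "enabled":
            problems.append(f"{name}: status is not 'enabled'")
        m = SE_ID_RE.search(f.get("condition", ""))
        if not m:
            continue  # this filter's condition does not look at a security event id
        se_id = m.group(1)
        if se_id not in sec:
            problems.append(f"{name}: condition references security event {se_id}, which is not defined")
        elif sec[se_id].get("enabled") != "Y":
            problems.append(f"{name}: security event {se_id} is defined but not enabled")
        if "AutoRegister" not in f.get("scopes", "").split(","):
            problems.append(f"{name}: scopes do not include AutoRegister, so auto-registration is unaffected")
    return problems


def check_log(log_text, mac):
    """Collect, for one MAC, the trace each step of the flow leaves in packetfence.log."""
    tag = f"[mac:{mac}]"
    found = {"filter_matched": None, "security_event": None, "target_role": None,
             "unmapped_role": None, "event_triggered": False}
    for line in log_text.splitlines():
        if tag not in line:
            continue  # only this device's lines
        m = FILTER_RE.search(line)
        if m:
            found["filter_matched"] = m.group(1)
        m = TARGET_RE.search(line)
        if m:
            found["security_event"], found["target_role"] = m.group(1), m.group(2)
        m = UNMAPPED_RE.search(line)
        if m:
            found["unmapped_role"] = (m.group(1), m.group(2))  # (role parameter, switch IP)
        if TRIGGER_RE.search(line):
            found["event_triggered"] = True
    return found


def diagnose(sec_text, vlan_text, log_text, mac):
    """Combine the config check and the log evidence into one report with plain-language hints."""
    report = {"config_problems": check_filter_config(load_conf(sec_text), load_conf(vlan_text)),
              "log": check_log(log_text, mac), "hints": []}
    lg = report["log"]
    if lg["target_role"] and lg["filter_matched"] is None:
        report["hints"].append("a security event is open but no VLAN filter matched; check the filter condition")
    if lg["unmapped_role"]:
        role, switch = lg["unmapped_role"]
        report["hints"].append(f"switch {switch} has no '{role}' entry in switches.conf, so that role cannot be mapped for it")
    return report


if __name__ == "__main__":
    for key, value in diagnose(SECURITY_EVENTS_CONF, VLAN_FILTERS_CONF, LOG, "38:ba:f8:de:a7:10").items():
        print(key, value)
```

Run against the Sep 19 lines quoted above, the report shows the filter matching, the isolation role being chosen for event 3000008, and the `isolationRole` warning for switch 192.168.2.27, which is the kind of per-step evidence that separates "the event never fired" from "the event fired but the switch has no mapping for the role". Point it at a real `/usr/local/pf/logs/packetfence.log` and the two real files under `/usr/local/pf/conf/` by reading them into the three text arguments.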