Hi David,

Your ip4log assumption is correct.

The ip4log table contains a 1-to-1 relationship with the node table with the 
latest IPv4 address. Previous IPv4 addresses are moved to the ip4log_archive 
and ip4log_history tables.

The PacketFence admin UI can be used with a browser debugger to inspect the 
network traffic when a Node is viewed. This page gives a good example of how to 
consume many API endpoints for a specific MAC.



Cheers,


Darren Satkunas
Sr. Software Engineer


Office: +1.617.444.1234
Cell: +1.617.444.1234

Akamai Technologies
145 Broadway
Cambridge, MA 02142





From: David Herselman via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Reply-To: "packetfence-users@lists.sourceforge.net" 
<packetfence-users@lists.sourceforge.net>
Date: Friday, December 23, 2022 at 2:08 PM
To: "packetfence-users@lists.sourceforge.net" 
<packetfence-users@lists.sourceforge.net>
Cc: David Herselman <d...@syrex.co>
Subject: Re: [PacketFence-users] Unregistering user's devices via API call?

Hi Darren,

I appear to have a working solution but would love some comments on any 
dangerous assumptions I’m making. Namely, that searching by IP will show the 
most recent entry in the ip4log for a given IP’s node MAC address.

The following attempts to:

  *   Sanitize the input from CheckPoint SmartEvents
  *   Extract the source IP
  *   Obtain an authentication token
  *   Search the ip4logs for the relevant IP to learn the node’s MAC
  *   Look up the category (role) ID for ‘REJECT’
  *   Update the node

PS: Do I need to somehow signal to PacketFence that it should re-evaluate the 
node and kick it off or is that automatically handled when the role changes?

#!/bin/bash
# CheckPoint SmartEvent custom correlation rule calls script - $RTDIR/bin/ext_commands/block_on_packetfence
set -o pipefail  # a failing curl_cli must fail the whole "curl_cli | jq" pipeline
INPUT=$(cat)
# Keep only an allow-list of characters from the event text
STRIPPED="${INPUT//[^a-zA-Z0-9 ().,:;+_-]}"
API='https://packetfence.redacted.com:1443/api/v1'
APIUSER='****************'
APIPSWD='****************'
NEWROLE='REJECT'
MAC=''
NEWROLEID=''
CURL_OUTPUT=''
CURL_RC=0
# Array, so -H and its value reach curl_cli as two separate arguments
CURL_HEADER=(-H 'accept: application/json')
# -n with the p flag prints only when "; IP: " actually matched
USERIP=$(echo "$STRIPPED" | sed -rn 's/.*; IP: ([0-9.]+).*/\1/p')
#USERID=$(echo "$STRIPPED" | sed -rn 's/.*user_name: ([[:alnum:]_-]+).*/\1/p')

if [ ${#USERIP} -ge 7 ] && [ ${#USERIP} -le 15 ]; then
  # Obtain an authentication token
  TOKEN=$(curl_cli -fsX POST "$API/login" "${CURL_HEADER[@]}" \
    -d '{"username":"'"$APIUSER"'","password":"'"$APIPSWD"'"}' 2> /dev/null | jq -r .token) || exit 1
  # Search ip4log for the IP to learn the node's MAC
  DATA='{"fields":["mac"],"query":{"op":"and","values":[{"op":"or","values":[{"field":"ip","op":"equals","value":"'"$USERIP"'"}]}]},"limit":1}'
  MAC=$(curl_cli -fsX POST "$API/ip4logs/search" "${CURL_HEADER[@]}" -H "Authorization: $TOKEN" \
    -d "$DATA" 2> /dev/null | jq -r '.items[].mac') || exit 1
  # Look up the category (role) ID; exact name match instead of a regex test
  NEWROLEID=$(curl_cli -fsX GET "$API/node_categories" "${CURL_HEADER[@]}" -H "Authorization: $TOKEN" \
    2> /dev/null | jq -r --arg role "$NEWROLE" '.items[] | select(.name == $role) | .category_id')
  # Update the node only when both lookups returned a value
  if [ -n "$MAC" ] && [ -n "$NEWROLEID" ]; then
    CURL_OUTPUT=$(curl_cli -fsSX PATCH "$API/node/$MAC" "${CURL_HEADER[@]}" -H "Authorization: $TOKEN" \
      -d '{"category_id":"'"$NEWROLEID"'"}' 2>&1)
    CURL_RC=$?  # keep curl's status; $? would be overwritten by the test below
  fi
fi


if [ ${#CURL_OUTPUT} -gt 0 ]; then
  echo -e "Source: $USERIP - MAC: $MAC - Role ID: $NEWROLEID - Curl debug data:\n$CURL_OUTPUT"
else
  echo -e "Source: $USERIP - Curl return code: $CURL_RC - Sanitised event data:\n$STRIPPED"
fi



PS: Hope the above helps someone else…


Regards
David Herselman
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
