Re: [PacketFence-users] Custom Security Event

2021-09-16 Thread Arun Kangle via PacketFence-users
Fabrice,
The problem is I don't see the security event getting triggered. What I mean is,
*for example*, I don't see a security event trigger message like the one
below (this one is for random_mac) in the packetfence.log for
event_id=308

2021-09-16T19:09:43+05:30aolicnacpfqueuepfqueueinfo pfqueue(234785) INFO:
[mac:d2:41:be:48:3a:1f] calling security_event_add with
security_event_id=307 mac=d2:41:be:48:3a:1f release_date=-00-00
00:00:00 (trigger internal::new_dhcp_info)
(pf::security_event::security_event_trigger)

And because of that, under report or under node, I don't see any "Security
events" entry.

root@aolicnac:/usr/local/pf/conf# more security_events.conf
[307]
desc=Private MAC Address detection
actions=log,reevaluate_access
enabled=Y
whitelisted_roles=default,v-guest,r-guest,registration

[308]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic


root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf
[ster,RegistrationRole

[Disable_auto_reg]
status=enabled
condition=security_event.id == "308"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT

Thanks in advance,
- Arun

On Wed, Sep 15, 2021 at 7:21 PM Fabrice Durand  wrote:

> In fact it's a little bit more complicated since you do autoregistration.
>
> What you can do is trigger the security event with action isolate.
> Then create a vlan filter that disables the autoregistration if the
> security event is open for this device.
>
> Then the first request will be rejected (security event triggered) and
> once the device reconnects it will go in the isolation vlan.
>
>
> Vlan filter:
>
> [Disable_Auto_reg]
> description=Disable Auto Reg on security event
> run_actions=enabled
> status=enabled
> condition=security_event.id == "309"
> top_op=and
> scopes=AutoRegister
> role=REJECT
>
> Security event:
>
> [309]
> trigger=internal::is_max_reg_nodes_reached
> desc=Max node
> access_duration=12h
> actions=reevaluate_access
> window=dynamic
> enabled=Y
>
>
>
> On Mon, Sep 13, 2021 at 13:04, Arun Kangle wrote:
>
>> Hi Fabrice,
>> I did quick testing, it's not triggering. I am using V 11.0, upgraded
>> from 10.3.9
>> 1) while creating the security event, the GUI shows the error (attached
>> screenshot) but the event is created successfully
>> 2) the event is not getting triggered, so no further actions (like
>> assigning the isolation role and not getting redirected to the web page)
>>
>> security_event.conf
>>  more security_events.conf
>> [307]
>> desc=Private MAC Address detection
>> actions=log,reevaluate_access
>> enabled=Y
>> whitelisted_roles=default,v-guest,r-guest,registration
>>
>> [308]
>> access_duration=12h
>> enabled=Y
>> template=banned_os
>> trigger=internal::is_max_reg_nodes_reached
>> desc=Max nodes reached
>> actions=reevaluate_access
>> # Copyright (C) Inverse inc.
>>
>>
>> Logs:
>>
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
>> => (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
>> (00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
>> "hodtest", ssid => aolicnet (pf::radius::authorize)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
>> (pf::Connection::ProfileFactory::_from_profile)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
>> 'set-group-based-role' for realm 'null'
>> (pf::config::util::filter_authentication_sources)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
>> matching (pf::authentication::match2)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
>> Searching for
>> (&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
>> from DC=AOLIC,DC=NET, with scope sub
>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
>> for
>> (&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
>> from DC=AOLIC,DC=NET, with scope sub
>> (pf::Authentication::Source::LDAPSource::match_in_subclass)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
>> set-group-based-role, returning actions.
>> (pf::Authentication::Source::match_rule)
>> Sep 13 22:27:49 aolicnac packetfence_httpd.aaa[3379]: httpd.aaa(2029)
>> INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in 

Re: [PacketFence-users] Custom Security Event

2021-09-16 Thread Arun Kangle via PacketFence-users
Sorry Fabrice, the filter for the packetfence.log was wrong, so please ignore the
earlier email.

The update is, I see the security event triggered but the node is not assigned to
the Isolation VLAN:

Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] handling radius autz request: from switch_ip
=> (192.168.2.27), connection_type => Wireless-802.11-EAP,switch_mac =>
(00:4e:35:cc:8d:ee), mac => [38:ba:f8:de:a7:10], port => 0, username =>
"hodtest", ssid => aolicnet (pf::radius::authorize)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Instantiate profile dot1x-eap
(pf::Connection::ProfileFactory::_from_profile)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Found authentication source(s) :
'set-group-based-role' for realm 'null'
(pf::config::util::filter_authentication_sources)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Using sources set-group-based-role for
matching (pf::authentication::match2)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-Bypassed]
Searching for
(&(sAMAccountName=hodtest)(memberOf=CN=Bypassed,OU=AOL-Group,DC=AOLIC,DC=NET)),
from DC=AOLIC,DC=NET, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] [set-group-based-role set-role-HOD] Searching
for
(&(sAMAccountName=hodtest)(memberOf=CN=HOD,OU=AOL-Group,DC=AOLIC,DC=NET)),
from DC=AOLIC,DC=NET, with scope sub
(pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
set-group-based-role, returning actions.
(pf::Authentication::Source::match_rule)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source
set-group-based-role, returning actions. (pf::Authentication::Source::match)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1
are already registered to pid hodtest for role HOD
(pf::node::is_max_reg_nodes_reached)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
WARN: [mac:38:ba:f8:de:a7:10] Unable to pull accounting history for device
38:ba:f8:de:a7:10. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)

Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
INFO: [mac:38:ba:f8:de:a7:10] security_event 308 (trigger
internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10,
not adding again (pf::security_event::security_event_trigger)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR:
[mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of
38:ba:f8:de:a7:10 to hodtest failed
(pf::registration::setup_node_for_registration)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065)
ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes
per pid met or exceeded (pf::radius::authorize)


root@aolicnac:/usr/local/pf/conf# more security_events.conf

[308]
access_duration=12h
enabled=Y
trigger=internal::is_max_reg_nodes_reached
desc=Max nodes reached
actions=reevaluate_access
window=dynamic


root@aolicnac:/usr/local/pf/conf# more vlan_filters.conf

[Disable_auto_reg]
status=enabled
condition=security_event.id == "308"
run_actions=enabled
scopes=AutoRegister
top_op=and
description=Disable auto registration on security event
role=REJECT

On Thu, Sep 16, 2021 at 7:23 PM Arun Kangle  wrote:

> Fabrice,
> The problem is I don't see the security event getting triggered. What I mean
> is, *for example*, I don't see a security event trigger message like the
> one below (this one is for random_mac) in the packetfence.log for
> event_id=308
>
> 2021-09-16T19:09:43+05:30aolicnacpfqueuepfqueueinfo pfqueue(234785) INFO:
> [mac:d2:41:be:48:3a:1f] calling security_event_add with
> security_event_id=307 mac=d2:41:be:48:3a:1f release_date=-00-00
> 00:00:00 (trigger internal::new_dhcp_info)
> (pf::security_event::security_event_trigger)
>
> And because of that under report or under node, I don't see any "Security
> events" entry.
>
> root@aolicnac:/usr/local/pf/conf# more security_events.conf
> [307]
> desc=Private MAC Address detection
> actions=log,reevaluate_access
> enabled=Y
> whitelisted_roles=default,v-guest,r-guest,registration
>
> [308]
> access_duration=12h
> enabled=Y
> trigger=internal::is_max_reg_nodes_reached
> desc=Max nodes reached
> actions=reevaluate_access
> window=dynamic
>
>
> 
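A small triage script for the packetfence.log lines quoted in this thread, added here as an illustration; it is not part of PacketFence and not code from any post above. It parses the `[mac:...]` tag and the trailing `(pf::module::function)` origin of each line, then reports per MAC whether a security event was already open and autoregistration was refused, which is the reject-now, isolate-on-reconnect sequence Fabrice described. The line format, regexes and function names are my own assumptions; the sample is the five relevant lines of the log above, re-joined after e-mail wrapping.

```python
import re
from collections import defaultdict
# Assumed shape of a packetfence.log line, as quoted in this thread once e-mail wrapping is undone:
#   <syslog ts> <host> <daemon>[<pid>]: <worker> <LEVEL>: [mac:<mac>] <message> (<pf::origin>)
LINE_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ [\w.]+(?:\[\d+\])?: \S+ "
    r"(?P<level>DEBUG|INFO|WARN|ERROR): \[mac:(?P<mac>[0-9a-f:]{17})\] "
    r"(?P<msg>.*) \((?P<origin>pf::[\w:]+)\)$"
)
RULE_RE = re.compile(r"Matched rule \((\S+)\) in source (\S+),")
EVENT_RE = re.compile(r"security_event (\d+) \(trigger (\S+)\) already exists")

def parse_line(line):
    """Fields of one packetfence.log line, or None when the line is not in that format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Per MAC: matched rules, open security events, and whether autoregistration was refused."""
    per_mac = defaultdict(lambda: {"rules": [], "events": [], "max_nodes": False, "reg_failed": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # wrapped fragments and lines from other daemons are skipped
        d, msg = per_mac[rec["mac"]], rec["msg"]
        if (m := RULE_RE.search(msg)) and m.groups() not in d["rules"]:
            d["rules"].append(m.groups())
        if rec["origin"] == "pf::node::is_max_reg_nodes_reached":
            d["max_nodes"] = True
        if (m := EVENT_RE.search(msg)):
            d["events"].append((int(m.group(1)), m.group(2)))
        if rec["level"] == "ERROR" and rec["origin"] == "pf::registration::setup_node_for_registration":
            d["reg_failed"] = True
    return dict(per_mac)

def verdict(d):
    """Explain one MAC's summary in the terms used in the thread: rejected now, isolated on reconnect."""
    if d["events"] and d["reg_failed"]:
        ids = ",".join(str(i) for i, _ in d["events"])
        return f"security event {ids} open and autoregistration refused: rejected now, isolation VLAN on reconnect"
    if d["max_nodes"] and not d["events"]:
        return "max nodes reached but no security event: check trigger and enabled in security_events.conf"
    return "no security event activity for this MAC"

# Constructed sample: the five relevant lines of the log above, re-joined onto single lines
SAMPLE_LOG = """\
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] Matched rule (set-role-HOD) in source set-group-based-role, returning actions. (pf::Authentication::Source::match)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] per-role max nodes per-user limit reached: 1 are already registered to pid hodtest for role HOD (pf::node::is_max_reg_nodes_reached)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) INFO: [mac:38:ba:f8:de:a7:10] security_event 308 (trigger internal::is_max_reg_nodes_reached) already exists for 38:ba:f8:de:a7:10, not adding again (pf::security_event::security_event_trigger)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] max nodes per pid met or exceeded - registration of 38:ba:f8:de:a7:10 to hodtest failed (pf::registration::setup_node_for_registration)
Sep 17 00:59:13 aolicnac packetfence_httpd.aaa[250198]: httpd.aaa(249065) ERROR: [mac:38:ba:f8:de:a7:10] auto-registration of node failed max nodes per pid met or exceeded (pf::radius::authorize)
"""
if __name__ == "__main__":
    for mac, d in triage(SAMPLE_LOG.splitlines()).items():
        print(mac, d["rules"], d["events"], verdict(d))
```

Feed it a real packetfence.log only after joining the e-mail-wrapped lines back together; anything not in the assumed format is skipped rather than misattributed.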

Re: [PacketFence-users] CaptivePortal Problem with Apple ios14

2021-09-16 Thread Fabrice Durand via PacketFence-users
Hello,

What a surprise ..., it's not like always.

On my side, to troubleshoot that, I use a Mac to connect to the phone and
check the console log.
Also I am doing a network capture on the PacketFence side (filter the IP
address of the device) and see if there is any traffic coming from the
device.

It can be that the CA who signs the certificate is not in the certificate store
of the device, certificate validity issues, a network configuration issue...

Regards
Fabrice


On Thu, Sep 16, 2021 at 08:08, Zestermann, Ronald via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> we use the captive portal for access to an open WLAN. We have an official
> certificate from Swisssign and the chain of certificates as well as the
> certificate are valid.
>
> Windows 10 clients have no problems. Apple devices with iOS 12.5.4 also
> work without problems. Unfortunately, Apple devices with iOS 14 do not
> work. These devices are not forwarded to the portal page.
>
> What can that be? How can I further isolate the error?
>
> With best regards
>
> Ronald Zestermann
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


[PacketFence-users] CaptivePortal Problem with Apple ios14

2021-09-16 Thread Zestermann, Ronald via PacketFence-users
Hello,

we use the captive portal for access to an open WLAN. We have an official 
certificate from Swisssign and the chain of certificates as well as the 
certificate are valid.

Windows 10 clients have no problems. Apple devices with iOS 12.5.4 also work 
without problems. Unfortunately, Apple devices with iOS 14 do not work. These 
devices are not forwarded to the portal page.

What can that be? How can I further isolate the error?



With best regards

Ronald Zestermann



Re: [PacketFence-users] [E] Re: host prefix missing

2021-09-16 Thread Kaufhold, Stephan via PacketFence-users
Hello Fabrice,

Rolling back to an older version did not solve the problem.
But I found the following error. Does this help?

(430) Thu Sep 16 12:13:56 2021: Debug: sql_reject: EXPAND %{User-Name}
(430) Thu Sep 16 12:13:56 2021: Debug: sql_reject:--> 
host/WEFA-SEG.custulm.local
(430) Thu Sep 16 12:13:56 2021: Debug: sql_reject: SQL-User-Name set to 
'host/WEFA-SEG.custulm.local'
(430) Thu Sep 16 12:13:56 2021: ERROR: sql_reject: Insufficient space to store 
pair string, needed 2088 bytes have 2048 bytes

Regards

Stephan

-
Hello Stephan,

It looks like you strip the username somewhere. Do you have a realm or a radius
filter that does that?

Regards
Fabrice


On Mon, Sep 13, 2021 at 16:41, Kaufhold, Stephan via PacketFence-users
<packetfence-users@lists.sourceforge.net> wrote:
Hello,

the client host/cust-SEG.custulm.local can't authenticate.
In packetfence.log I see cust-SEG.custulm.local without the "host/" prefix.

/usr/local/pf/bin/pftest authentication host/cust-SEG.custulm.local "" is 
working well.
/usr/local/pf/bin/pftest authentication cust-SEG.custulm.local "" is not 
working.

What can be the reason for removing the host prefix?

Thanks in advance

radius.log...
Sep 13 13:44:06 cust-NAC01 auth[1674]: Adding client 
10.1.40.1/32
Sep 13 13:44:06 cust-NAC01 auth[1674]: [mac:10:7b:44:18:ed:3a] Rejected user: 
host/cust-SEG.custulm.local
Sep 13 13:44:06 cust-NAC01 auth[1674]: (150) Rejected in post-auth: 
[host/cust-SEG.custulm.local] (from client 10.1.40.1/32 
port 260 cli 10:7b:44:18:ed:3a)
Sep 13 13:44:06 cust-NAC01 auth[1674]: (150) Login incorrect (sql_reject: 
Insufficient space to store pair string, needed 2088 bytes have 2048 bytes): 
[host/cust-SEG.custulm.local] (from client 10.1.40.1/32 
port 260 cli 10:7b:44:18:ed:3a)

packetfence.log...

Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN: 
[mac:10:7b:44:18:ed:3a] [AS-custulm INSEL] Searching for 
(servicePrincipalName=cust-SEG.custulm.local), from DC=custulm,DC=local, with 
scope sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) INFO: 
[mac:10:7b:44:18:ed:3a] No rules matches or no category defined for the node, 
set it as unreg. (pf::role::getNodeInfoForAutoReg)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN: 
[mac:10:7b:44:18:ed:3a] No category computed for autoreg 
(pf::role::getNodeInfoForAutoReg)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) WARN: 
[mac:10:7b:44:18:ed:3a] No role specified or found for pid 
cust-SEG.custulm.local (MAC 10:7b:44:18:ed:3a); assume maximum number of 
registered nodes is reached (pf::node::is_max_reg_nodes_reached)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR: 
[mac:10:7b:44:18:ed:3a] max nodes per pid met or exceeded - registration of 
10:7b:44:18:ed:3a to cust-SEG.custulm.local failed 
(pf::registration::setup_node_for_registration)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR: 
[mac:10:7b:44:18:ed:3a] auto-registration of node failed max nodes per pid met 
or exceeded (pf::radius::authorize)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR: 
[mac:10:7b:44:18:ed:3a] Database query failed with non retryable error: Cannot 
add or update a child row: a foreign key constraint fails (`pf`.`node`, 
CONSTRAINT `0_57` FOREIGN KEY (`tenant_id`, `pid`) REFERENCES `person` 
(`tenant_id`, `pid`) ON DELETE CASCADE ON UPDATE CASCADE) (errno: 1452) [INSERT 
INTO `node` ( `autoreg`, `bandwidth_balance`, `bypass_role_id`, `bypass_vlan`, 
`category_id`, `computername`, `detect_date`, `device_class`, 
`device_manufacturer`, `device_score`, `device_type`, `device_version`, 
`dhcp6_enterprise`, `dhcp6_fingerprint`, `dhcp_fingerprint`, `dhcp_vendor`, 
`last_arp`, `last_dhcp`, `last_seen`, `lastskip`, `mac`, `machine_account`, 
`notes`, `pid`, `regdate`, `sessionid`, `status`, `tenant_id`, `time_balance`, 
`unregdate`, `user_agent`, `voip`) VALUES ( ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, 
?, ?, ?, ?, ?, ?, NOW(), ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? ) ON DUPLICATE 
KEY UPDATE `autoreg` = ?, `last_seen` = NOW(), `pid` = ?, `tenant_id` = ?]{yes, 
NULL, NULL, NULL, NULL, NULL, 2021-09-13 11:21:11, NULL, NULL, NULL, NULL, 
NULL, NULL, NULL, NULL, NULL, -00-00 00:00:00, -00-00 00:00:00, 
-00-00 00:00:00, 10:7b:44:18:ed:3a, NULL, NULL, cust-SEG.custulm.local, 
-00-00 00:00:00, NULL, unreg, 1, NULL, -00-00 00:00:00, NULL, no, yes, 
cust-SEG.custulm.local, 1} (pf::dal::db_execute)
Sep 13 13:44:06 cust-NAC01 packetfence_httpd.aaa: httpd.aaa(1047) ERROR: 
[mac:10:7b:44:18:ed:3a] Cannot save 10:7b:44:18:ed:3a error (500) 
(pf::radius::authorize)

Kind regards




Celos Computer GmbH | Liststraße 1 | 89079 Ulm
www.celos.de 

[PacketFence-users] Packetfence fingerbank

2021-09-16 Thread hrbac.mar--- via PacketFence-users
Hello,
I tried to implement Fingerbank in my lab PacketFence. But when I connect a PC to 
the network I cannot see any Fingerbank information. If I click on "Refresh 
Fingerbank" I'll get the Fingerbank information. Can anyone explain to me how it 
works, because I thought it would work automatically? Or is it possible to get 
Fingerbank information automatically?

After manually refreshing Fingerbank:

Thank you
Marek Hrbac
