I am using PacketFence 10.2.0. My entire setup is in an intranet where neither my end devices nor the PacketFence server has access to the internet, though I can download packages and install them.

Unable to execute grep -i -A7 scan conf/violation.conf: No such file or directory. Please suggest what to do next.

On Wed, Mar 10, 2021, 18:40 Ludovic Zammit <[email protected]> wrote:

> grep -i -A7 scan conf/violation.conf
>
> You are not using the latest version of PF. Make sure to apply all bug fixes with:
>
> /usr/local/pf/addons/pf-maint.pl
>
> /usr/local/pf/bin/pfcmd service pf restart
>
> Thanks,
>
> Ludovic Zammit
> [email protected] :: +1.514.447.4918 (x145) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
>
> On Mar 10, 2021, at 7:55 AM, NITISH AGGARWAL <[email protected]> wrote:
>
>> grep: conf/security_events.conf : No such file or directory
>> grep: conf/security_events.conf.defaults : No such file or directory
>>
>> On Wed, Mar 10, 2021, 18:18 Ludovic Zammit <[email protected]> wrote:
>>
>> Hello,
>>
>> Show me the output of those commands:
>>
>> grep -i -A7 scan conf/security_events.conf
>>
>> And
>>
>> grep -i -A7 scan conf/security_events.conf.defaults
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>> On Mar 9, 2021, at 2:50 AM, NITISH AGGARWAL <[email protected]> wrote:
>>
>> The error is removed but still the WMI scan is not triggered on my end points.
>>
>> On Tue, Mar 9, 2021, 12:34 NITISH AGGARWAL <[email protected]> wrote:
>>
>>> I can see one error log in my PacketFence.log file.
>>>
>>> It is: pfperl-api(10859) ERROR: 1: parameter found outside a section (pfconfig::namespaces::config::Wmi::cleanup_after_read)
>>>
>>> Multiple events generated having the same information.
>>>
>>> The WMI rule is as follows:
>>>
>>> Namespace : ROOT\cimv2
>>> Request : select NAME from WIN32_Process
>>> Action : [ccSvcHst]
>>> Attribute = Name
>>> Operator = match
>>> Value = ccSvcHst.exe
>>> [1:ccSvcHst]
>>> Action = trigger_security_event
>>> Action_param = mac = $mac, tid = 1200345, type = Internal
>>> On_tab = 1
>>>
>>> I was using EOT previously, but in the logs it was showing an error against that, so I removed it, but still the WMI rule has not triggered. Any suggestions please....
>>>
>>> On Mon, Mar 8, 2021, 20:33 NITISH AGGARWAL <[email protected]> wrote:
>>>
>>>> I typed it incorrectly in the email. As per the configuration on PacketFence it is ccSvcHst.exe.
>>>> This is not working.
>>>>
>>>> On Mon, Mar 8, 2021, 20:15 NITISH AGGARWAL <[email protected]> wrote:
>>>>
>>>>> Yes...it was a typo.
>>>>>
>>>>> On Mon, Mar 8, 2021, 20:00 Ludovic Zammit <[email protected]> wrote:
>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Is Value = ccSvcHst.exd a typo that should be Value = ccSvcHst.exe?
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ludovic Zammit
>>>>>>
>>>>>> On Mar 4, 2021, at 11:55 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>
>>>>>> But I am using the option "Scan on registration".
>>>>>>
>>>>>> In the PacketFence log there is no log for scanning or of any security event generation. I guess I am doing something wrong with the WMI rule setup. Can you help me with this?
>>>>>>
>>>>>> I am using the rule as:
>>>>>>
>>>>>> [ccSvcHst]
>>>>>> Attribute = Name
>>>>>> Operator = match
>>>>>> Value = ccSvcHst.exd
>>>>>> [1:ccSvcHst]
>>>>>> Action = trigger_security_event
>>>>>> Action_param =mac = $mac, tid= 1300987, type = custom
>>>>>> on_tab = 1
>>>>>>
>>>>>> The tid I mentioned here is also configured in one of the security events, which detects this tid under its conditions and executes the events as described in it.
>>>>>>
>>>>>> On Thu, Mar 4, 2021, 19:14 Ludovic Zammit <[email protected]> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> There is a grace time period for the security event that triggers the scan; in your case it's the "Post Reg System Scan" and it has a 1 hour grace time, meaning that it would only do one scan per hour.
>>>>>>>
>>>>>>> Lower it maybe to 2 mins.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ludovic Zammit
>>>>>>>
>>>>>>> On Mar 2, 2021, at 8:34 PM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>
>>>>>>> Hello all,
>>>>>>>
>>>>>>> I have set up a WMI scan in my PacketFence but I can't see any results: no tab is generated for the WMI scan under nodes, nor can I see any logs for the scan.
>>>>>>>
>>>>>>> When using the wmic command from the PacketFence server, I can see the results, but nothing in my Web API. What could be the problem?
>>>>>>>
>>>>>>> On Tue, Mar 2, 2021, 18:12 NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>
>>>>>>>> Sorry to disturb you again, Ludovic.
>>>>>>>>
>>>>>>>> I have set up a WMI scan in PacketFence. In the WMI rule I am using the antivirus check rule and added the WMI scan engine in the connection profile as well.
>>>>>>>>
>>>>>>>> After this, I can't see any event generated by the WMI scan on my node; neither can I see a security event generated nor a new tab created for the WMI scan.
>>>>>>>>
>>>>>>>> When I check WMI connectivity to the end point using the "wmic" command from the PacketFence server, I can see a successful response. Can you help me find what went wrong with this?
>>>>>>>>
>>>>>>>> On Mon, Mar 1, 2021, 18:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> I believe it's because it's an internal check to see if that node needs something to be done.
>>>>>>>>>
>>>>>>>>> You can try it out to see if it works; for a Symantec check that could work because it does not require the IP address of the device to do that check on the Symantec service.
>>>>>>>>>
>>>>>>>>> Most of the scans require the IP address of the device in order to start to scan the host, for example the WMI; that's why the DHCP ACK is very important.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>>
>>>>>>>>> Ludovic Zammit
>>>>>>>>>
>>>>>>>>> On Feb 27, 2021, at 12:15 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>> Thank you Ludovic for your help so far.
>>>>>>>>>
>>>>>>>>> I have one more question: if PacketFence is not checking for provisioning without DHCP, then why is it generating security events as Provisioning Enforcement against the node?
>>>>>>>>>
>>>>>>>>> On Fri, Feb 26, 2021, 23:00 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Yes, you could do a WMI scan on post registration that checks if a process is there or not.
>>>>>>>>>>
>>>>>>>>>> You need an account that has administrative rights on the device that you check.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>>
>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>
>>>>>>>>>> On Feb 26, 2021, at 12:03 PM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>> But I can see the security event triggered for SEPM provisioning on the node. But the problem is it is actually not restricting access.
>>>>>>>>>>
>>>>>>>>>> Can I use a WMI scan in my environment??
>>>>>>>>>>
>>>>>>>>>> Thanks.
>>>>>>>>>>
>>>>>>>>>> On Fri, Feb 26, 2021, 22:31 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> No DHCP, no provisioner.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>>
>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>
>>>>>>>>>>> On Feb 26, 2021, at 11:52 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>> I do not have a DHCP server installed, no provisioning for DHCP. It's all static IP.
>>>>>>>>>>>
>>>>>>>>>>> On Fri, Feb 26, 2021, 22:21 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Does PF receive DHCP ACK from the production DHCP server?
>>>>>>>>>>>>
>>>>>>>>>>>> Did you install the DHCP sensor?
>>>>>>>>>>>>
>>>>>>>>>>>> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_microsoft_dhcp_sensor
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 26, 2021, at 11:44 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> As such there is no restriction on when to check for provisioning, although I have selected the option of checking after registration of the device.
>>>>>>>>>>>>
>>>>>>>>>>>> On Fri, Feb 26, 2021, 22:11 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Provisioner workflows are triggered by DHCP traffic seen from the Production or Registration networks.
>>>>>>>>>>>>>
>>>>>>>>>>>>> When do you want to check if Symantec is installed?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 26, 2021, at 11:40 AM, NITISH AGGARWAL <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Yes.... When I connect the device it goes into the registration VLAN and then, if it is in the domain, it gets authenticated and the VLAN changes as per the switch.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Dot1x is working fine... but the problem is with Symantec. How do I check if the end device has the Symantec client installed and working?
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Fri, Feb 26, 2021, 22:07 Ludovic Zammit <[email protected]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Your devices that connect on PF are statically IP addressed?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Ludovic Zammit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 25, 2021, at 9:55 AM, NITISH AGGARWAL via PacketFence-users <[email protected]> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have set up PacketFence ZEN as per the guide. I can see dot1x authentication working with MSCHAPv2 auth, so non-domain users are not getting access, which is required. I am using auto-registration in the connection profile.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Second, I have to check for Symantec on my endpoints. I have set up SEPM provisioning as per the document. During authentication I can see a security event generated for provisioning on my node in PacketFence, but my end device got access to the intranet no matter whether Symantec is installed on it or not.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I have tried everything I could. I need some help in this case. I am using static IPs and a Cisco 2960.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I need devices to be registered if they are both connected to the domain and have SEPM installed.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any help will be appreciated. Thanks in advance...
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
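The WMI rule quoted in the thread, the "parameter found outside a section" error, and the question of whether the rule fires against a host's process list, as an added example that is not PacketFence's own code: a small Python checker that parses the rule text the way the thread shows it (a [name] section carrying Attribute/Operator/Value and a [N:name] section carrying the Action), reports a key placed before any section header, and evaluates the rule against constructed "select NAME from WIN32_Process" results. The section layout and the reading of Operator "match" as a case-insensitive regex search are assumptions made here, not PacketFence's documented semantics.

```python
import re
# Rule text as posted in the thread (the contents of the WMI rule's Action field).
RULE_TEXT = """\
[ccSvcHst]
Attribute = Name
Operator = match
Value = ccSvcHst.exe
[1:ccSvcHst]
Action = trigger_security_event
Action_param = mac = $mac, tid = 1200345, type = Internal
On_tab = 1
"""
# Assumed layout: [name] holds a condition, [N:name] the action fired when it matches.
SECTION_RE = re.compile(r"^\[(?:(\d+):)?([^\]]+)\]$")

def parse_rule(text):
    """Return (sections, errors); sections maps header -> {key: value}."""
    sections, errors, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            current = line[1:-1]
            sections[current] = {}
        elif current is None:   # the error quoted in the thread
            errors.append(f"{lineno}: parameter found outside a section")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections, errors

def evaluate(text, rows):
    """rows: dicts returned by the WMI request. Returns the Action_params fired."""
    sections, errors = parse_rule(text)
    if errors:
        raise ValueError("; ".join(errors))
    fired = []
    for header, params in sections.items():
        idx, name = SECTION_RE.match(f"[{header}]").groups()
        if not idx or name not in sections:
            continue            # condition section (or dangling action): nothing fires
        cond = sections[name]
        # assumption: Operator "match" is a case-insensitive regex search on the attribute
        if any(re.search(cond["value"], str(r.get(cond["attribute"], "")), re.I) for r in rows):
            fired.append(params["action_param"])
    return fired
# Constructed output of "select NAME from WIN32_Process" on two hosts.
HOST_WITH_SEP = [{"Name": "explorer.exe"}, {"Name": "ccSvcHst.exe"}]
HOST_WITHOUT_SEP = [{"Name": "explorer.exe"}, {"Name": "svchost.exe"}]
```

Prefixing the rule with a stray line such as "Attribute = Name" before the first section header reproduces the "parameter found outside a section" report on line 1.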
