PacketFence
Bug Tracking System

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0001160PacketFencecorepublic2011-01-19 17:072011-01-26 15:44
Reporterobilodeau 
Assigned Toobilodeau 
PriorityhighSeveritymajorReproducibilityhave not tried
StatusclosedResolutionfixed 
PlatformOSOS Version
Product Version2.0.0 
Target Version2.0.1Fixed in Version2.0.1 
Summary0001160: pfcmd initiated VLAN re-evaluation doesn't include new locationlog parameters
DescriptionThis introduces subtle problems.

pfcmd's generate_switchport_vlan_assignment() will be triggered by a server-side modification of a node entry (violation opened or closed, node edited, etc.). The current code only fetches switch / port / vlan information from the locationlog table so when the fetchVlanForNode call is made, the answer is not the same as if a vanilla fetchVlanForNode call is made.

Let me give an example:
We use custom code to assign VLANs based on SSID. RADIUS request comes and we assign the user VLAN 100 because of his SSID.

Then we modify his node entry (only the note portion for example). Then pfcmd's generate_switchport_vlan_assignment will check what VLAN a node in switch X, port Y should have. Since it is lacking the SSID context, a different VLAN will be return and this will result in a call to flip and re-assignment.

The opposite can happen too. A user that should be flipped would not because fetchVlan... would fetch the same VLAN as what is currently in locationlog. Only because the call to fetchVlanForNode lacked all the locationlog's context.

A nasty one.
TagsNo tags attached.
fixed in git revision
fixed in mtn revision7c75542894a1a37bdc44af73feca6e78fd11f1b4
Attached Files

- Relationships

-  Notes
(0001821)
obilodeau (reporter)
2011-01-21 12:16

Important re-work of VLAN evaluation to allow proper VLAN re-evaluation (with the proper dot1x, MAC Auth context for correct VLAN assigment)
Also fixed some inconsistencies in setVlan (removed error handling after locationlog_sync)
Reduced code by merging pf::radius' _findNodeVlan into pf::vlan's fetchVlanForNode.
Fixed RADIUS tests
Warning: fetchVlanForNode's method signature changed.

- Issue History
Date Modified Username Field Change
2011-01-19 17:07 obilodeau New Issue
2011-01-21 11:12 obilodeau Status new => assigned
2011-01-21 11:12 obilodeau Assigned To => obilodeau
2011-01-21 12:16 obilodeau mtn revision => 7c75542894a1a37bdc44af73feca6e78fd11f1b4
2011-01-21 12:16 obilodeau Note Added: 0001821
2011-01-21 12:16 obilodeau Status assigned => resolved
2011-01-21 12:16 obilodeau Fixed in Version => 2.0.1
2011-01-21 12:16 obilodeau Resolution open => fixed
2011-01-26 15:44 obilodeau Status resolved => closed


Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker