View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update
0001160 | PacketFence | core | public | 2011-01-19 17:07 | 2011-01-26 15:44
Reporter | obilodeau
Assigned To | obilodeau
Priority | high | Severity | major | Reproducibility | have not tried
Status | closed | Resolution | fixed
Platform | OS | OS Version
Product Version | 2.0.0
Target Version | 2.0.1 | Fixed in Version | 2.0.1
Summary | 0001160: pfcmd initiated VLAN re-evaluation doesn't include new locationlog parameters
Description | This introduces subtle problems.

pfcmd's generate_switchport_vlan_assignment() will be triggered by a server-side modification of a node entry (violation opened or closed, node edited, etc.). The current code only fetches switch / port / vlan information from the locationlog table, so when the fetchVlanForNode call is made, the answer is not the same as if a vanilla fetchVlanForNode call is made.

Let me give an example: We use custom code to assign VLANs based on SSID. A RADIUS request comes in and we assign the user VLAN 100 because of his SSID. Then we modify his node entry (only the note portion, for example). Then pfcmd's generate_switchport_vlan_assignment will check what VLAN a node in switch X, port Y should have. Since it is lacking the SSID context, a different VLAN will be returned and this will result in a call to flip and re-assignment.

The opposite can happen too. A user that should be flipped would not be, because fetchVlan... would fetch the same VLAN as what is currently in locationlog. Only because the call to fetchVlanForNode lacked all the locationlog's context.

A nasty one.
Tags | No tags attached.
fixed in git revision |
fixed in mtn revision | 7c75542894a1a37bdc44af73feca6e78fd11f1b4
Attached Files |
Notes
(0001821) obilodeau (reporter) 2011-01-21 12:16
Important re-work of VLAN evaluation to allow proper VLAN re-evaluation (with the proper dot1x, MAC Auth context for correct VLAN assignment).
Also fixed some inconsistencies in setVlan (removed error handling after locationlog_sync).
Reduced code by merging pf::radius' _findNodeVlan into pf::vlan's fetchVlanForNode.
Fixed RADIUS tests.
Warning: fetchVlanForNode's method signature changed.
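
A simplified model of the failure described in this issue, added here as an illustration; it is not PacketFence code and does not use its API. The function names, the SSID table, default VLAN 20 and the sample rows are constructed assumptions; only the "SSID maps to VLAN 100" case comes from the description. It shows both outcomes (a spurious flip and a missed flip) and an audit that lists rows where dropping the context changes the decision.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_VLAN = 20                          # constructed value
SSID_VLANS = {"corp": 100, "guest": 200}   # constructed SSID policy

@dataclass
class LocationLog:
    """Constructed stand-in for one locationlog row."""
    switch: str
    port: int
    vlan: int                              # VLAN currently assigned
    connection_type: Optional[str] = None
    ssid: Optional[str] = None

def fetch_vlan(switch, port, connection_type=None, ssid=None):
    """Hypothetical site policy: on wireless, the SSID decides the VLAN."""
    if connection_type == "wireless" and ssid in SSID_VLANS:
        return SSID_VLANS[ssid]
    return DEFAULT_VLAN

def reevaluate_without_context(row):
    """Behaviour described in the issue: only switch/port/vlan are used."""
    wanted = fetch_vlan(row.switch, row.port)
    return wanted, wanted != row.vlan      # (target VLAN, flip needed?)

def reevaluate_with_context(row):
    """Re-evaluation that replays the full stored context."""
    wanted = fetch_vlan(row.switch, row.port, row.connection_type, row.ssid)
    return wanted, wanted != row.vlan

def audit(rows):
    """Return rows where dropping the context changes the flip decision."""
    findings = []
    for row in rows:
        bare = reevaluate_without_context(row)
        full = reevaluate_with_context(row)
        if bare[1] != full[1]:
            findings.append((row, bare, full))
    return findings

# Constructed sample rows.
ROWS = [
    LocationLog("sw-x", 7, 100, "wireless", "corp"),  # spurious flip to 20
    LocationLog("sw-x", 8, 20, "wireless", "corp"),   # missed flip to 100
    LocationLog("sw-y", 3, 20, "wired"),              # consistent either way
]

if __name__ == "__main__":
    for row, bare, full in audit(ROWS):
        print(f"{row.switch}/{row.port}: without context {bare}, with context {full}")
```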
Issue History | |||
Date Modified | Username | Field | Change |
2011-01-19 17:07 | obilodeau | New Issue | |
2011-01-21 11:12 | obilodeau | Status | new => assigned |
2011-01-21 11:12 | obilodeau | Assigned To | => obilodeau |
2011-01-21 12:16 | obilodeau | mtn revision | => 7c75542894a1a37bdc44af73feca6e78fd11f1b4 |
2011-01-21 12:16 | obilodeau | Note Added: 0001821 | |
2011-01-21 12:16 | obilodeau | Status | assigned => resolved |
2011-01-21 12:16 | obilodeau | Fixed in Version | => 2.0.1 |
2011-01-21 12:16 | obilodeau | Resolution | open => fixed |
2011-01-26 15:44 | obilodeau | Status | resolved => closed |