Re: [Netpass-users] Quarantine Issue?
From: Jeff M. <jcm...@os...> - 2005-08-31 20:08:04
On Wed, 2005-08-31 at 15:56 -0400, Don Rugh wrote:
> ...is this something that would be of interest to the larger group??
> how do others handle this type of situation???
>
> (I'm guessing best way would be to insert code into macscan that if
> macIsRegistered returns true would call macStatus and reset port to
> proper vlan if it's not there already...??)

yes. if it's registered, grab the status and if it's not P/UNQUAR, move
the port back to quarantine by calling "requestPortmove()"

requestMovePort(-switch => switch, -port => port, -vlan => <quarantine | unquarantine>)

you wouldn't need to figure out what the correct vlan number is. that'll
happen automatically for you (portmover does the actual work).

jeff

> don
>
> On Aug 31, 2005, at 3:07 PM, Jeff Murphy wrote:
>
> > On Wed, 2005-08-31 at 10:42 -0400, Don Rugh wrote:
> >
> >> Consider the following scenario:
> >>
> >> - User transgresses policy and needs to be quarantined
> >> - Admin q's user
> >> - DB is updated, but port reset fails b/c user's MAC is not found on
> >>   the switch. We also believe that computer is plugged into a
> >>   switch/router, such that computer wake/sleep does not generate
> >>   linkup/down events to the switch -- link always up, MAC may or may
> >>   not be present
> >> - QUESTION: when user's computer wakes up, no event generated, they
> >>   are on the network since there appears to be no mechanism to verify
> >>   that all ports are in their correct states
> >>
> >> This could also occur if the SNMP UDP packet doesn't make it to the
> >> switch....are we missing something here?? or have you extended the
> >> MAC aging time on your switches??
> >
> > it's possible that macscan can be modified to not simply check that
> > the port only has registered clients - but also that each client's
> > status is P/UNQUAR. if the port contains unregistered or quarantined
> > clients then it would be switched to the quarantine.
> >
> > another, less likely, possibility would be to determine if the switch
> > can trap when it detects a new mac. even if that worked, it would
> > require more effort than modifying macscan.
> >
> > jeff
> >
> > -------------------------------------------------------
> > SF.Net email is Sponsored by the Better Software Conference & EXPO
> > September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> > Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> > Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> > _______________________________________________
> > Netpass-users mailing list
> > Net...@li...
> > https://lists.sourceforge.net/lists/listinfo/netpass-users
>

-- 
Jeff Murphy <jcm...@os...>
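The reconciliation Jeff sketches above (on every scan, check each MAC on a port for registration and P/UNQUAR status, and hand the port to the port mover for the quarantine VLAN if any MAC fails that test) as an added example in Python. This is not NetPass code and none of the names below are NetPass's: it only computes which moves a scan pass would request. The Client model, the quarantine/unquarantine labels, the status strings, the port names and the sample data are assumptions for the illustration; in the real system the per-MAC answers would come from the project's own registration and status lookups and the move would go through requestMovePort, which resolves the actual VLAN number.

```python
# Added example (not NetPass code): decide which port moves a periodic
# macscan-style pass should request, given what the switch currently sees
# on each port and what the registration DB says about each MAC.
# Data model, labels and status strings are assumptions for this example.
from dataclasses import dataclass

QUARANTINE = "quarantine"
UNQUARANTINE = "unquarantine"
OK_STATUS = "P/UNQUAR"  # the only status the thread treats as "allowed on the production VLAN"


@dataclass(frozen=True)
class Client:
    registered: bool
    status: str  # e.g. "P/UNQUAR" or "P/QUAR" (strings assumed for the example)


def desired_vlan(macs_on_port, db):
    """Return the VLAN label a port should be on, or None if the port is empty.

    Rule from the thread: a port may stay on the production ("unquarantine")
    VLAN only if every MAC seen on it is registered AND has status P/UNQUAR.
    Any unknown, unregistered or quarantined MAC drags the whole port into
    quarantine, because a switch port can only be on one VLAN at a time.
    """
    if not macs_on_port:
        return None
    for mac in macs_on_port:
        client = db.get(mac)
        if client is None or not client.registered or client.status != OK_STATUS:
            return QUARANTINE
    return UNQUARANTINE


def reconcile(switch, mac_table, port_vlans, db):
    """Compute the port moves needed to bring one switch into its correct state.

    mac_table:  {port: set of MACs currently in the switch's forwarding table}
    port_vlans: {port: current VLAN label, QUARANTINE or UNQUARANTINE}
    Returns (moves, pending): moves is a list of (switch, port, vlan) tuples
    to hand to the port mover; pending lists quarantined MACs the switch does
    not see right now (the failure case from the thread: nothing can be moved
    until the MAC shows up in the table on a later scan).
    """
    moves = []
    for port, macs in sorted(mac_table.items()):
        want = desired_vlan(macs, db)
        if want is not None and port_vlans.get(port) != want:
            moves.append((switch, port, want))
    seen = set().union(*mac_table.values()) if mac_table else set()
    pending = sorted(
        mac for mac, c in db.items()
        if c.registered and c.status != OK_STATUS and mac not in seen
    )
    return moves, pending


# Constructed sample data for a single run (not captured from a real switch).
SAMPLE_DB = {
    "00:11:22:33:44:55": Client(True, "P/UNQUAR"),  # good client
    "00:11:22:33:44:66": Client(True, "P/QUAR"),    # quarantined in DB, port never moved
    "00:11:22:33:44:77": Client(False, ""),         # unregistered
    "00:11:22:33:44:88": Client(True, "P/QUAR"),    # quarantined, but asleep / not in MAC table
    "00:11:22:33:44:99": Client(True, "P/UNQUAR"),  # good client sharing a port with 77
}
SAMPLE_MAC_TABLE = {
    "Gi1/0/1": {"00:11:22:33:44:55"},
    "Gi1/0/2": {"00:11:22:33:44:66"},
    "Gi1/0/3": {"00:11:22:33:44:99", "00:11:22:33:44:77"},
    "Gi1/0/4": set(),
}
SAMPLE_PORT_VLANS = {
    "Gi1/0/1": UNQUARANTINE,
    "Gi1/0/2": UNQUARANTINE,  # wrong: its client is P/QUAR (Don's scenario)
    "Gi1/0/3": QUARANTINE,    # already right: an unregistered MAC is present
    "Gi1/0/4": UNQUARANTINE,
}


def sample_run():
    """One scan pass over the constructed sample switch."""
    return reconcile("sw1", SAMPLE_MAC_TABLE, SAMPLE_PORT_VLANS, SAMPLE_DB)


if __name__ == "__main__":
    moves, pending = sample_run()
    for sw, port, vlan in moves:
        print(f"requestMovePort(-switch => {sw}, -port => {port}, -vlan => {vlan})")
    print("quarantined but not currently visible:", pending)
```

The point of running this on a timer rather than only on link events is the one Don raises: when the quarantine was recorded in the DB but the MAC was not in the switch table at that moment (or the SNMP set was lost), no event will ever fire, so the port stays wrong until something re-checks it. The `pending` list is exactly that population; each later scan re-evaluates it, and the port gets moved on the first pass where the MAC is visible again.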