From: mj <li...@me...> - 2020-01-31 10:20:40
Hi,

We are trying to ban win7-and-pre devices, and have created a security event like this:

> [1400003]
> trigger=device::7535,device::7534,device::33,device::36
> actions=reevaluate_access,email_admin,log,email_user
> desc=Win7 and older to isolation (triggers automatically)
> access_duration=14D
> template=banned_os
> max_enable=2
> user_mail_message= <<EOT
> Please upgrade your device Operating System as soon as you can. You are running a windows version that is no longer maintained.
>
> You will be able to dismiss this message 1 times and the next time, your device will be isolated permanently. Upgrade!
>
> EOT
> redirect_url=https://www.forbes.com/sites/gordonkelly/2020/01/15/how-to-upgrade-to-windows-10-for-free-in-2020/
> enabled=Y
> whitelisted_roles=win7

The above should isolate pre-win7 windows devices, and generally it seems to work.

BUT... We are also getting faulty isolations. For example today:

> Detect : Win7 and older to isolation (triggers automatically)
>
> MAC Address : 14:ab:c5:f1:00:31
> IP Address : 10.20.162.94 (active)
> IP Info : IP active since 2020-01-31 10:55:14 and DHCP lease valid until 2020-02-01 10:55:14
> Owner : username
> Category : domain_users
> Status : registered
> Name : DESKTOP-BCATNIF
> VoIP : no
>
> DEVICE PROFILING INFORMATION
> Device: Operating System/Windows OS/Microsoft Windows kernel 5.x
> Device version:
> Device profiling confidence level: 30
>
> DHCP Info : Last DHCP request at 2020-01-31 10:55:15
> Location : port 0 (vlan 0) on switch 10.20.0.1
> Connection type: Inline
> 802.1X Username:
> Wireless SSID :
> Last activity : 0000-00-00 00:00:00

BUT, when looking up the same node in the pf GUI, we see:

> Device Class                  Windows OS
> Device Manufacturer           Intel Corporate
> Device Type                   Microsoft Windows Kernel 10.0
> Fully Qualified Device Name   Operating System/Windows OS/Microsoft Windows Kernel 10.0
> Version                       10
> Score                         90%
> Mobile                        No
> DHCP Fingerprint              1,3,6,15,31,33,43,44,46,47,119,121,249,252

So, they don't match! WHY is the security event triggered, with "Operating System/Windows OS/Microsoft Windows kernel 5.x", when in the database, the same node is identified as "Windows OS/Microsoft Windows Kernel 10.0"? Does not make sense..?

How are others here blocking pre-win7 clients? Are you also getting fake positives as well?

Thanks for any pointers,

MJ
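Added example, not part of the post and not PacketFence's own code: a small Python script that parses the security-event definition quoted above (including the `<<EOT` heredoc), then replays the two views of the node from the post, the detection report at confidence 30 and the node-table record at score 90, against a trigger check that also requires a minimum profiling confidence. Everything in it is an assumption for illustration: the `device::NNN` ids are not resolved against Fingerbank, a kernel-name regex stands in for them, the 50-point threshold is arbitrary, and PacketFence's real trigger evaluation is not reproduced here.

```python
"""Replay a PacketFence-style 'device::' security event against two
profiling views of one node, with an added minimum-confidence gate.
Hypothetical logic for illustration; not PacketFence's implementation."""
import re

# Constructed copy of the security event quoted in the post.
EVENT_INI = """[1400003]
trigger=device::7535,device::7534,device::33,device::36
actions=reevaluate_access,email_admin,log,email_user
desc=Win7 and older to isolation (triggers automatically)
access_duration=14D
template=banned_os
max_enable=2
user_mail_message= <<EOT
Please upgrade your device Operating System as soon as you can.
You will be able to dismiss this message 1 times.
EOT
redirect_url=https://www.forbes.com/sites/gordonkelly/2020/01/15/how-to-upgrade-to-windows-10-for-free-in-2020/
enabled=Y
whitelisted_roles=win7
"""

# Constructed from the two views of the same node quoted in the post.
DETECTION_PROFILE = {
    "device": "Operating System/Windows OS/Microsoft Windows kernel 5.x",
    "confidence": 30,
}
DB_PROFILE = {
    "device": "Operating System/Windows OS/Microsoft Windows Kernel 10.0",
    "confidence": 90,
}

# Assumption: stands in for the device::NNN ids in the trigger. Windows 7
# is NT kernel 6.1, so anything at 6.1 or below counts as "Win7 and older".
BANNED_KERNEL = re.compile(r"Microsoft Windows Kernel (5\.[\dx]|6\.0|6\.1)\b", re.I)


def parse_event(text):
    """Parse one [id] section of key=value lines. Supports the
    'key= <<EOT ... EOT' heredoc form used for mail bodies.
    Returns (section_id, fields) with trigger/whitelisted_roles as lists."""
    section, fields = None, {}
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value.startswith("<<"):
            terminator = value[2:].strip()
            body = []
            for body_line in lines:          # consumes the same iterator
                if body_line.strip() == terminator:
                    break
                body.append(body_line)
            value = "\n".join(body)
        fields[key] = value
    fields["trigger"] = [t for t in fields.get("trigger", "").split(",") if t]
    fields["whitelisted_roles"] = [
        r for r in fields.get("whitelisted_roles", "").split(",") if r
    ]
    return section, fields


def evaluate(profile, event, role=None, min_confidence=50):
    """Return (isolate, reason). The confidence gate is the check this
    example adds; the other three conditions mirror the posted config."""
    if event.get("enabled", "N").upper() != "Y":
        return False, "event disabled"
    if role in event["whitelisted_roles"]:
        return False, f"role {role!r} is whitelisted"
    if not BANNED_KERNEL.search(profile["device"]):
        return False, "device not in banned set"
    if profile["confidence"] < min_confidence:
        return False, f"confidence {profile['confidence']} below {min_confidence}"
    return True, "banned OS with sufficient confidence"


if __name__ == "__main__":
    section_id, event = parse_event(EVENT_INI)
    print(f"event {section_id}: triggers={event['trigger']}")
    for label, profile in (("detection report", DETECTION_PROFILE),
                           ("node table", DB_PROFILE)):
        isolate, reason = evaluate(profile, event)
        print(f"{label:16s} -> isolate={isolate} ({reason})")
```

Run as-is it shows the point of the gate: the low-confidence "kernel 5.x" profile matches the banned set but is rejected at confidence 30, and the 90% "Kernel 10.0" record never matches, so neither view isolates the node; drop `min_confidence` to 0 and the detection-report view isolates it, which is the behaviour the post describes.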