Hello All,
Sending this for archive purposes.

Thanks to Fabrice for helping me with this.

Problem statement:
In my setup, users are allowed to have only 1 device, so I wanted to
trigger a custom security event when "max nodes per pid met or exceeded"
and move the new node to the isolation VLAN, so that the user can
deregister the old node to proceed.

Solution:
1) Patch trigger.pm with the attached file (max_node.diff):
cd /usr/local/pf
patch -p1 --dry-run < max_node.diff
if there is no error:
patch -p1 < max_node.diff

2) Patch the role.pm with below code:

 https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/role.pm#L708

    # Do not hand out the registration role while the node has an open
    # security event whose action is reevaluate_access; the open event
    # then decides where the node goes (the isolation VLAN here).
    my $open_security_event_count =
        pf::security_event::security_event_count_reevaluate_access($args->{'mac'});
    if ($open_security_event_count != 0) {
        return $FALSE;
    }


3) Restart PacketFence.

4) Configure the security event:

If you are doing auto-registration, you need to trigger the security event
with the action isolate.
Then create a VLAN filter that disables auto-registration if the
security event is open for this device.

Then the first request will be rejected (security event triggered) and once
the device reconnects it will go into the isolation VLAN.

Vlan filter:

[Disable_Auto_reg]
description=Disable Auto Reg on security event
run_actions=enabled
status=enabled
condition=security_event.id == "3000009"
top_op=and
scopes=AutoRegister
role=REJECT

Security event:

[3000009]
trigger=internal::is_max_reg_nodes_reached
desc=Max node
access_duration=12h
actions=reevaluate_access
window=5m
enabled=Y

Set the window to 5 minutes, so when the user connects and triggers the
security event, he has 5 minutes to unregister the old node, and once the 5
minutes have passed he will be able to log in.

Thanks,
- Arun

Attachment: max_node.diff
Description: Binary data

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
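The connect / reject / isolate / expire sequence described in the post above, modelled as an added example. This is not PacketFence code and not Arun's patch: the names Pf, SecurityEvent, connect() and deregister() are stand-ins chosen here, the MAC addresses and timestamps are constructed, and the model reduces PacketFence's role evaluation to the four checks the post relies on (open event wins, registered node gets its normal role, the is_max_reg_nodes_reached trigger opens event 3000009, the Disable_Auto_reg filter rejects the auto-registration while it is open). It also walks the case the post does not spell out: the user who never deregisters the old node is rejected again as soon as the 5-minute window expires.

```python
"""Model of the one-device-per-user workflow from the post above.

Added example, not PacketFence code: Pf, SecurityEvent, connect() and
deregister() are stand-ins chosen here. Real PacketFence evaluates roles
in pf::role and security events in pf::security_event.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_REG_NODES_PER_PID = 1        # the post's setup: one device per user (pid)
SECURITY_EVENT_ID = "3000009"    # id of the security event configured above
WINDOW = timedelta(minutes=5)    # window=5m from the security event config
ISOLATION_VLAN = "isolation"
NORMAL_VLAN = "normal"
REJECT = "REJECT"                # role=REJECT from the Disable_Auto_reg filter


@dataclass
class SecurityEvent:
    event_id: str
    mac: str
    opened_at: datetime
    window: timedelta

    def is_open(self, now: datetime) -> bool:
        # An event with a window closes on its own once the window elapses.
        return now < self.opened_at + self.window


@dataclass
class Pf:
    """Minimal stand-in for the PacketFence state the workflow touches."""
    max_nodes: int = MAX_REG_NODES_PER_PID
    registered: dict = field(default_factory=dict)  # mac -> pid
    events: list = field(default_factory=list)

    def open_event_count(self, mac: str, now: datetime) -> int:
        # Plays the role of security_event_count_reevaluate_access($mac).
        return sum(1 for e in self.events if e.mac == mac and e.is_open(now))

    def is_max_reg_nodes_reached(self, pid: str) -> bool:
        # Plays the role of the internal::is_max_reg_nodes_reached trigger.
        owned = sum(1 for p in self.registered.values() if p == pid)
        return owned >= self.max_nodes

    def deregister(self, mac: str) -> None:
        self.registered.pop(mac, None)

    def connect(self, mac: str, pid: str, now: datetime) -> str:
        """Return the VLAN or role the device gets on this connection."""
        # 1. An open event on the node wins: the node lands in isolation.
        if self.open_event_count(mac, now):
            return ISOLATION_VLAN
        # 2. A registered node with no open event gets its normal role.
        if mac in self.registered:
            return NORMAL_VLAN
        # 3. Auto-registration: the trigger fires when the user already owns
        #    max_nodes registered devices, and opens the security event.
        if self.is_max_reg_nodes_reached(pid):
            self.events.append(SecurityEvent(SECURITY_EVENT_ID, mac, now, WINDOW))
        # 4. The Disable_Auto_reg filter (scope AutoRegister) rejects the
        #    request while the event is open, so the node is not registered.
        if self.open_event_count(mac, now):
            return REJECT
        self.registered[mac] = pid
        return NORMAL_VLAN


def scenario(user_deregisters_old_node: bool) -> list:
    """Walk a user with one registered device through connecting a second one.

    Returns the outcome of each connection attempt, in order.
    """
    pf = Pf()
    old, new, pid = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "alice"  # constructed
    pf.registered[old] = pid
    t0 = datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    outcomes = [
        pf.connect(new, pid, t0),                          # trigger fires: rejected
        pf.connect(new, pid, t0 + timedelta(seconds=30)),  # reconnect: isolation
    ]
    if user_deregisters_old_node:
        pf.deregister(old)               # within the 5-minute window
    outcomes.append(pf.connect(new, pid, t0 + timedelta(minutes=2)))  # still isolated
    outcomes.append(pf.connect(new, pid, t0 + timedelta(minutes=6)))  # window expired
    return outcomes


if __name__ == "__main__":
    print("deregistered within window:", scenario(True))
    print("did not deregister:        ", scenario(False))
```

Two points the model makes visible: deregistering the old node does not end the isolation early, because the event only closes when its window expires; and a user who keeps the old node simply trips the trigger again on the next connection after expiry, so the filter keeps rejecting the second device rather than letting it through.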