Re: [PacketFence-users] Error communicatin with Nessus

2017-08-09 Thread Cristian Mammoli via PacketFence-users

I'm getting the same error. Nessus is running and I can connect with
wget https://127.0.0.1:8834 --no-check-certificate
Even a simple test program such as this fails with the same error even 
if the data is correct:


use Net::Nessus::REST;

my $nessus = Net::Nessus::REST->new(
    url => 'https://localhost:8834'
);

$nessus->create_session(
    username => 'admin',
    password => '123',
);

[root@srvpf ~]# perl test.pl
communication error: Can't connect to localhost:8834 at test.pl line 7.

There is no trace of the connection in the nessus logs

On 01/08/2017 16:52, Juan Camilo Valencia via PacketFence-users wrote:

Hi Akala,

Nessus has a log that you can check from the server perspective to
try to figure out what is going on. If I'm not wrong, it is in
/opt/nessus/var/nessus/log/ and has something related to server in
its name. Try to tail that log while you try to do the connection from
packetfence and you can have more information about it. Also, can you
locate /usr/share/perl5/vendor_perl/Net/Nessus/REST.pm and paste it?
Probably you are using a package outside the inverse repo, and that
package has a little modification to bypass some SSL verification for
self-certificate servers, which the generic package does not have.


I hope this can help you a little bit.

Best Regards,


2017-07-31 13:30 GMT-05:00 Akala Kehinde via PacketFence-users:


Hello Fabrice,

Still can't get my head around this. Seems to me like an API
communication problem, or any more ideas as to what the problem might be?

Regards,
Kehinde

On Sat, Jul 29, 2017 at 8:53 AM, Akala Kehinde
<kehindeak...@gmail.com> wrote:

Hello Fabrice,

I still get the same error, kindly see logs below:

[root@pfence logs]# netstat -nlp | grep 8834
tcp        0      0 0.0.0.0:8834    0.0.0.0:*    LISTEN    1761/nessusd
tcp6       0      0 :::8834         :::*         LISTEN    1761/nessusd
[root@pfence logs]#

Jul 29 08:51:53 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] Instantiate profile SNS (pf::Connection::ProfileFactory::_from_profile)
Jul 29 08:51:53 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] violation 125 already exists for 00:50:ff:25:ce:00, not adding again (pf::violation::violation_add)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] Instantiate profile SNS (pf::Connection::ProfileFactory::_from_profile)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) INFO: [mac:00:50:ff:25:ce:00] New ID generated: 15013423ce00 (pf::util::generate_id)
Jul 29 08:51:54 pfence pfqueue: pfqueue(13223) ERROR: [mac:00:50:ff:25:ce:00] communication error: Can't connect to 127.0.0.1:8834 at /usr/local/pf/lib/pf/scan/nessus6.pm line 96. (pf::api::can_fork::notify)



Regards,
Kehinde

On Fri, Jul 28, 2017 at 8:22 PM, Fabrice Durand via
PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Akala,

If Nessus runs on the same server, then try 127.0.0.1 for
the server IP.

Also, what does this return: netstat -nlp | grep 8834

Regards

Fabrice



On 2017-07-28 at 12:09, Akala Kehinde via PacketFence-users
wrote:

Just FYI, the Nessus server runs on the PF server.

Regards,
Kehinde

On Fri, Jul 28, 2017 at 5:53 PM, Akala Kehinde
<kehindeak...@gmail.com> wrote:

Hello guys,

Quick one..
I get this error when PF tries triggering a violation:

Checked line 96 and it seems it's an error with the
creds, but the creds are right. Or are the creds not
supposed to be those on the Nessus server?

Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) INFO: [mac:00:50:ff:25:ce:00] New ID generated: 149951507810ce00 (pf::util::generate_id)
Jul  8 13:57:58 pfence pfqueue: pfqueue(10450) ERROR: [mac:00:50:ff:25:ce:00] communication error: Can't connect to 172.16.100.10:8834 at /usr/local/pf/lib/pf/scan/nessus6.pm line 96. (pf::api::can_fork::notify)


Regards,
Kehinde

Regards,
Kehinde
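
The check that Juan's reply points toward (SSL verification of a self-signed Nessus certificate), as an added example that is not part of the thread or of PacketFence: it separates a failed TCP connect from a rejected certificate using IO::Socket::SSL, then pins the certificate fingerprint instead of turning verification off. Host and port are taken from the logs above; that the certificate is the cause is an assumption.

```perl
#!/usr/bin/perl
# Added example: tell "port unreachable" apart from "certificate rejected"
# for a Nessus listener, then connect with a pinned fingerprint.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Socket::SSL;    # exports $SSL_ERROR and the SSL_VERIFY_* constants

# Assumed target: the address and port shown in the thread's logs.
my ($host, $port) = ('127.0.0.1', 8834);

# Step 1: plain TCP. A failure here is routing, firewall or listener.
my $tcp = IO::Socket::INET->new(
    PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 5,
) or die "TCP connect failed: $!\n";
close $tcp;
print "TCP connect to $host:$port ok\n";

# Step 2: TLS with peer verification on, as an HTTPS client normally runs.
my $strict = IO::Socket::SSL->new(
    PeerHost => $host, PeerPort => $port, Timeout => 5,
    SSL_verify_mode => SSL_VERIFY_PEER,
);
if ($strict) {
    print "TLS certificate verified, the problem is elsewhere\n";
    exit 0;
}
print "TLS verification failed: $SSL_ERROR\n";

# Step 3: handshake without verification only to read the fingerprint.
my $probe = IO::Socket::SSL->new(
    PeerHost => $host, PeerPort => $port, Timeout => 5,
    SSL_verify_mode => SSL_VERIFY_NONE,
) or die "TLS handshake failed even without verification: $SSL_ERROR\n";
my $fp = $probe->get_fingerprint('sha256');    # e.g. "sha256$ab12..."
close $probe;
print "Server certificate fingerprint: $fp\n";

# Step 4: pin the fingerprint. The value just read is reused here only to
# show the call; in practice paste the one verified on the Nessus host.
my $pinned = IO::Socket::SSL->new(
    PeerHost => $host, PeerPort => $port, Timeout => 5,
    SSL_fingerprint => $fp,
) or die "Pinned connection failed: $SSL_ERROR\n";
print "Pinned TLS connection ok\n";
```

A pinned fingerprint keeps the connection authenticated for a self-signed certificate, which a blanket verification bypass does not.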






[PacketFence-users] OpenVAS v9 integration

2017-08-09 Thread Cristian Mammoli via PacketFence-users

Does Packetfence work with OpenVAS-9 (Greenbone OS 4)?

--
Mammoli Cristian
System administrator
T. +39 0731 22911
Via Brodolini 6 | 60035 Jesi (an)


--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] Compatibility double check for our environment

2017-08-09 Thread Yan Kimiko via PacketFence-users
Hello Durand, Thank you very much for your reply.

I have a question about your reply and hope I can get your further help.

For the identification part, you said we can use 802.1x+mab. I don’t understand why 
we need mab. Our current environment is already using 802.1x via cisco acs, and 
mab is not enabled in our current environment and it also works well.
Or did I misunderstand something? Do you mean use 802.1x for the normal office 
users and use mab for those VoIP and printers?


Our requirement:
1. Identification
—802.1x based on user info from AD source or based on device’s MAC address.


Your reply: 802.1x and mac auth bypass seems to be ok for both.


For the compliance check part, our AD servers are controlled by another team and we 
are not so familiar with this part’s setup, and neither is the other team. Do 
you have any setup suggestion or setup guidance or sample or something on how 
to use WMI to check if specific software is installed on a device?
Another solution we thought of is: keep monitoring the PF syslog; once we find a 
device that passed 802.1x, immediately send a controlled-device check request to our 
antivirus server (there is a condition here: if a device has installed our 
antivirus agent, it must be found in our antivirus server). If the check 
response is yes, we’ll know this device has installed the agent, and then we 
can move it to the normal VLAN; otherwise redirect the user to a portal with the 
remediation solution for him.


2. Compliance and health check when registering to office network.
—When a device logs in, check if the device has installed our official
antivirus software before giving the device normal network access. Isolate
the device from the normal inner network but give it restricted network access so
that they can have a way to install the required software.


Your reply: wmi scan


For this part our solution is the same as you mentioned: once our 
antivirus server finds a dangerous device, it sends an alert syslog to PF, and PF uses 
the received alert syslog to trigger a violation and to do the next control. 
Hope it works.

3. Isolation of dangerous devices from the normal network
—When our antivirus agent finds that some threat exists in the device, update the
device’s VLAN to an isolation VLAN so that the threat won’t spread to the other
inner network.


Your reply: you need to find a way to trigger a webservice api call from the 
antivirus management console or send the syslog to packetfence.


Finally, when PF does the 802.1x authentication, can we trigger a wmi scan in the 
meantime? We want to use pf as our weapon to force people to install our 
security agent before they can get normal network access.
Or, if it does not happen at the same time, after every device passes 802.1x auth, we 
just put it in an evaluation VLAN (with limited network access), and trigger a 
violation to do the WMI scan when a device is found in the evaluation VLAN; if the 
device has installed the agent, move the device to the normal VLAN, otherwise redirect 
to a url to tell the user he should install our agent first, and give a link in the url 
for him to download the agent.

