Use 172.17.254.254 as your captive portal IP and in your web redirect URL
(of course, allow traffic in the ACLs to this IP, not to 10.1.254.126) for
registration.

Another thing: I suggest not using Authorize_any for the default role (set it
the same as the registration role).

If you want to assign VLANs to specific roles you have to create those
VLANs (on your network, and add interfaces to your WLC)

and set them up in pf (i.e. VLAN 10 for registration, VLAN 20 for isolation, 30
as the normal VLAN for regular users, etc.).

PacketFence will assign those specific VLANs depending on the role and force
them to the WLC.

Right now you're not assigning any VLANs. You're using a static one bound to
your WLAN (you're only forcing which ACL to use).
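
As an added example (not code from the thread or from the PacketFence project), a small Python check that applies the three points above to the switches.conf stanza quoted further down; the stanza contents are copied from the thread with secrets left out, and the function names are my own.

```python
import configparser
import ipaddress
from urllib.parse import urlparse

# Constructed sample: the switches.conf stanza and the registration network
# stanza quoted in the thread (SNMP communities and RADIUS secret omitted).
SWITCHES_CONF = """\
[10.1.5.50]
type=Cisco::WLC_2500
registrationVlan=51
defaultVlan=51
RoleMap=Y
registrationUrl=http://10.1.254.126/Cisco::WLC
UrlMap=Y
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
VlanMap=N
ExternalPortalEnforcement=Y
"""
NETWORKS_CONF = """\
[172.17.0.0]
type=vlan-registration
netmask=255.255.0.0
gateway=172.17.254.254
"""

def parse_ini(text):
    # PacketFence config files are plain INI; keep key case and only split on "="
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def registration_networks(networks_text):
    """ip_network objects of every vlan-registration stanza."""
    cp = parse_ini(networks_text)
    return [ipaddress.ip_network(f"{name}/{sec['netmask']}", strict=False)
            for name, sec in cp.items()
            if name != "DEFAULT" and sec.get("type") == "vlan-registration"]

def lint_switch(switches_text, networks_text, switch_id):
    """Run the three checks from the reply above; returns finding strings."""
    sw = parse_ini(switches_text)[switch_id]
    reg_nets = registration_networks(networks_text)
    findings = []
    # 1. The redirect URL must point into the registration network; the
    #    pre-auth ACL should not need to permit the management address.
    host = urlparse(sw.get("registrationUrl", "")).hostname
    try:
        in_reg = any(ipaddress.ip_address(host) in n for n in reg_nets)
    except ValueError:  # missing host or an FQDN: cannot be checked offline
        in_reg = False
    if not in_reg:
        findings.append(f"registrationUrl host {host} is outside every registration network")
    # 2. defaultRole is what a client gets when no role matches; with the
    #    permit-all ACL that is full access, so it should equal registrationRole.
    if sw.get("defaultRole") != sw.get("registrationRole"):
        findings.append(f"defaultRole {sw.get('defaultRole')} differs from registrationRole")
    # 3. VlanMap=N means PacketFence never pushes a VLAN; registration and
    #    regular clients then share the VLAN bound to the WLAN.
    if sw.get("VlanMap") == "N" and sw.get("registrationVlan") == sw.get("defaultVlan"):
        findings.append(f"VlanMap=N: VLAN {sw.get('defaultVlan')} shared by registration and default")
    return findings
```

Run against the stanza as posted it reports all three points; with the URL moved to 172.17.254.254 and defaultRole set to the registration role, only the shared-VLAN note remains.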

 

From: Helen Chen [mailto:helen_c...@resourcepro.com.cn] 
Sent: Friday, April 7, 2017 10:19 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal Redirection not working

 

Hi Tomasz,

Thank you so much for getting back to me.

Our registration interface IP address is 172.17.254.254. Management\portal
address is 10.1.254.126. As we want to do out-of-band mode, I set the
captive portal IP address to the same one as the management\portal address,
which is 10.1.254.126. 172.17.0.0/16 is able to communicate with
10.1.254.126. Just in case you missed the other email, please see more
details below and attached.

Hi Tomasz,

I tweaked the iptables (iptables -I INPUT -i <registration interface#> -j
input-portal-if) and solved the production mode captive portal redirecting
issue. However, the problem "Your network should be enabled within a minute
or two. If it is not reboot your computer" still exists after I passed
the authentication phase. I tried to disconnect from the WLAN and join again;
the error still stays there, it looks like it got stuck in registration
mode. Can you please shed some light on this one?

In addition, to answer your questions:

Did you setup acls authorize_any on the controller? - Yes, we did. And per
the show client detail on the WLC, we can see the ACL Authorize_any is applied.

Policy Manager State............................. RUN
AAA Override ACL Name............................ none
AAA Override ACL Applied Status.................. Unavailable
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. none
Audit Session ID................................. 0a0105320000cc6858e738ae
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... Authorize_any
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Yes
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 51
Quarantine VLAN.................................. 0
Access VLAN...................................... 51
Local Bridging VLAN.............................. 51
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 20
      Fast BSS Transition........................ Not implemented
      11v BSS Transition......................... Not implemented
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 0
      Number of Bytes Sent....................... 0
      Total Number of Bytes Sent................. 0
      Total Number of Bytes Recv................. 0
      Number of Bytes Sent (last 90s)............ 0
      Number of Bytes Recv (last 90s)............ 0
      Number of Packets Received................. 0
      Number of Packets Sent..................... 0
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 0
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 0
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ Unavailable
      Signal to Noise Ratio...................... Unavailable
Client Rate Limiting Statistics:
      Number of Data Packets Received............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Received.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Received........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Received.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      Tech_TestAP(slot 0)
        antenna0: 7 secs ago..................... -66 dBm
        antenna1: 7 secs ago..................... -74 dBm
      Tech_TestAP(slot 1)
        antenna0: 6 secs ago..................... -71 dBm
        antenna1: 6 secs ago..................... -77 dBm
      QD-G5-2702-4F-B3(slot 0)
        antenna0: 7 secs ago..................... -75 dBm
        antenna1: 7 secs ago..................... -75 dBm
DNS Server details:
      DNS server IP ............................. 0.0.0.0
      DNS server IP ............................. 0.0.0.0
Assisted Roaming Prediction List details:

Did you check NAC State Radius NAC? - Yes, we set the NAC state to ISE NAC.
On the WLC2500, it only has ISE NAC, SNMP NAC and none.

Did you set acl authorize_any to this role? - Yes, we did. Please see the
switch.conf below. The problem is I set the registration VLAN and default
VLAN both to 51. Is this OK? As I remember, in the administration guide, for
web auth mode the device VLAN ID never changes but only the associated ACL is
going to change. How can we accomplish this? The reason is we only want to
enable one SSID. Please see related screenshots attached.

[10.1.5.50]
deauthMethod=RADIUS
description=QD-G5-2504-3F-1
type=Cisco::WLC_2500
mode=production
SNMPCommunityRead=xxxxx
registrationVlan=51
SNMPCommunityWrite=xxxxx
isolationVlan=52
radiusSecret=xxxxx
SNMPVersion=2c
defaultVlan=51
coaPort=1700
RoleMap=Y
AdminITRole=Authorize_any
registrationUrl=http://10.1.254.126/Cisco::WLC
RSPEmployeeRole=Authorize_any
UrlMap=Y
guestVlan=51
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
guestRole=Authorize_any
controllerIp=10.1.5.50
ExternalPortalEnforcement=Y
VlanMap=N

Thank you so much for your help,

---

Helen

From: Tomasz Karczewski [mailto:tkarczew...@man.olsztyn.pl] 
Sent: Friday, April 7, 2017 3:41 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal Redirection not working

 

        
Did you allow traffic to your captive portal IP? Configuration > captive
portal > IP (here is your IP), and of course enable network detection.

Set your IP or FQDN to the one from the registration interface.

From: Helen Chen [mailto:helen_c...@resourcepro.com.cn] 
Sent: Friday, April 7, 2017 8:44 AM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal Redirection not working

 

Hi All,

I tweaked the iptables and solved the production mode not redirecting issue.
However, the problem "Your network should be enabled within a minute or two.
If it is not reboot your computer" still exists after I passed the
authentication phase. We're doing out-of-band mode. Can anyone help me out
here?

Thank you very much.

---

Helen

From: Helen Chen [mailto:helen_c...@resourcepro.com.cn] 
Sent: Thursday, April 6, 2017 4:14 PM
To: packetfence-users@lists.sourceforge.net
Subject: [PacketFence-users] Captive Portal Redirection not working

 

        
Hi All,

Lately I've been struggling with one problem for weeks now. Any help
would really be appreciated.

We have one Cisco WLC 2504 here. I put the switch mode to registration, then
the captive portal is redirected fine. However, after I passed the
credential authentication, the ACL failed to redirect. The error says "Your
network should be enabled within a minute or two. If it is not reboot your
computer". I checked the log and noticed the reason I cannot achieve
reassignment is because I was not in production mode, so pf cannot perform
deauthentication. So I changed the switch mode to production. The problem
then is that the captive portal will jump to "captive.apple.com" instead of
PacketFence. If I cancel it and open a browser it will say it could not open
the page because the server stopped responding. I disabled pfsetvlan and
snmptrapd as it's wireless traffic, it's not necessary to enable them, right?
Please see related logs below. Any suggestions?

(Cisco Controller) >show client detail 7c:01:91:25:f9:eb
Client MAC Address............................... 7c:01:91:25:f9:eb
Client Username ................................. N/A
AP MAC Address................................... 5c:83:8f:9f:1b:90
AP Name.......................................... Tech_TestAP
AP radio slot Id................................. 0
Client State..................................... Associated
Client User Group................................
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. Guest
Wireless LAN Profile Name........................ Guest_Test
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 5c:83:8f:9f:1b:93
Connected For ................................... 97 secs
Channel.......................................... 1
IP Address....................................... 172.17.0.10
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
Association Id................................... 169
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
Qos Map Capability............................... No
WMM Support...................................... Enabled
  APSD ACs.......................................  BK  BE  VI  VO
Current Rate..................................... m12
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
    ............................................. 12.0,18.0,24.0,36.0,48.0,
    ............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
AAA Override ACL Name............................ Pre-Auth-For-WebRedirect
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. http://10.1.254.126/Cisco::WLC/sid189bef
Audit Session ID................................. 0a0105320000bdd258e5e518
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 51
Quarantine VLAN.................................. 0
Access VLAN...................................... 51
Local Bridging VLAN.............................. 51
Client Capabilities:
      CF Pollable................................ Not implemented
      CF Poll Request............................ Not implemented
      Short Preamble............................. Implemented
      PBCC....................................... Not implemented
      Channel Agility............................ Not implemented
      Listen Interval............................ 20
      Fast BSS Transition........................ Not implemented
      11v BSS Transition......................... Not implemented
Client Wifi Direct Capabilities:
      WFD capable................................ No
      Manged WFD capable......................... No
      Cross Connection Capable................... No
      Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
      Number of Bytes Received................... 14034
      Number of Bytes Sent....................... 9976
      Total Number of Bytes Sent................. 9976
      Total Number of Bytes Recv................. 14034
      Number of Bytes Sent (last 90s)............ 2256
      Number of Bytes Recv (last 90s)............ 4646
      Number of Packets Received................. 145
      Number of Packets Sent..................... 71
      Number of Interim-Update Sent.............. 0
      Number of EAP Id Request Msg Timeouts...... 0
      Number of EAP Id Request Msg Failures...... 0
      Number of EAP Request Msg Timeouts......... 0
      Number of EAP Request Msg Failures......... 0
      Number of EAP Key Msg Timeouts............. 0
      Number of EAP Key Msg Failures............. 0
      Number of Data Retries..................... 119
      Number of RTS Retries...................... 0
      Number of Duplicate Received Packets....... 44
      Number of Decrypt Failed Packets........... 0
      Number of Mic Failured Packets............. 0
      Number of Mic Missing Packets.............. 0
      Number of RA Packets Dropped............... 0
      Number of Policy Errors.................... 0
      Radio Signal Strength Indicator............ -66 dBm
      Signal to Noise Ratio...................... 22 dB
Client Rate Limiting Statistics:
      Number of Data Packets Received............ 0
      Number of Data Rx Packets Dropped.......... 0
      Number of Data Bytes Received.............. 0
      Number of Data Rx Bytes Dropped............ 0
      Number of Realtime Packets Received........ 0
      Number of Realtime Rx Packets Dropped...... 0
      Number of Realtime Bytes Received.......... 0
      Number of Realtime Rx Bytes Dropped........ 0
      Number of Data Packets Sent................ 0
      Number of Data Tx Packets Dropped.......... 0
      Number of Data Bytes Sent.................. 0
      Number of Data Tx Bytes Dropped............ 0
      Number of Realtime Packets Sent............ 0
      Number of Realtime Tx Packets Dropped...... 0
      Number of Realtime Bytes Sent.............. 0
      Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
      Tech_TestAP(slot 0)
        antenna0: 7 secs ago..................... -63 dBm
        antenna1: 7 secs ago..................... -70 dBm
      Tech_TestAP(slot 1)
        antenna0: 7 secs ago..................... -76 dBm
        antenna1: 7 secs ago..................... -74 dBm
      QD-G5-2702-4F-B3(slot 0)
        antenna0: 7 secs ago..................... -83 dBm
        antenna1: 7 secs ago..................... -82 dBm
      QD-G5-2702-4F-B3(slot 1)
        antenna0: 7 secs ago..................... -95 dBm
        antenna1: 7 secs ago..................... -91 dBm
DNS Server details:
      DNS server IP ............................. 0.0.0.0
      DNS server IP ............................. 0.0.0.

 

[10.1.5.50]
deauthMethod=RADIUS
description=QD-G5-2504-1
type=Cisco::WLC_2500
SNMPCommunityRead=xxxx
registrationVlan=51
SNMPCommunityWrite=xxxx
isolationVlan=52
radiusSecret=xxxxx
SNMPVersion=2c
defaultVlan=51
coaPort=1700
RoleMap=Y
registrationUrl=http://10.1.254.126/Cisco::WLC
UrlMap=Y
guestVlan=51
RSPEmployeeVlan=51
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
controllerIp=10.1.5.50
ExternalPortalEnforcement=Y
VlanMap=N
mode=production

[172.17.0.0]
dns=172.17.254.254
dhcp_start=172.17.0.10
gateway=172.17.254.254
domain-name=vlan-registration.resourcepro0.resourcepro.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.17.255.246
type=vlan-registration
netmask=255.255.0.0
dhcp_default_lease_time=30

[172.18.0.0]
dns=172.18.254.254
dhcp_start=172.18.0.10
gateway=172.18.254.254
domain-name=vlan-isolation.resourcepro0.resourcepro.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=172.18.255.246
type=vlan-isolation
netmask=255.255.0.0
dhcp_default_lease_time=30

---

Helen

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
