Seems weird how the format of the URL is recorded/sent
Here is a normal redirect, the url is formatted correctly,
Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232]
portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910
- - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
/captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
I’m not sure why the value sent by the AP has all the % and weird symbols
destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
<https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> Here are the options that can be added:
>
> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
> ap-group-name AP group name
> ap-ip AP IP address
> ap-location AP location
> ap-mac AP MAC address
> ap-name AP name
> device-ip Device IP address
> device-mac Device MAC address
> login-url Device's login URL provided to the external portal server
> mac-address Mac address
> redirect-url The url in user original http packet
> set Set
> ssid SSID
> sysname Device name
> user-ipaddress User IP address
> user-mac User MAC address
>
>
> url-template name PacketFence
> url https://wifi.fispy.mx/captive-portal
> <https://wifi.fispy.mx/captive-portal>
> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>
>
> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET
> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9
> HTTP/1.1"
>
>
> If we do not specify the URL on this configuration, where would PacketFence
> get the value for the AC Web Authentication call?
>
> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>
> Best Regards,
> Jorge
>
>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com
>> <mailto:oeufd...@gmail.com>> wrote:
>>
>> Hello Jorge,
>>
>> what we need is the user mac and the ap information.
>> I found that
>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>
>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template>
>>
>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ?
>>
>> And if yes can you provide me the url generated by the controller when it
>> redirect ? (haproxy-portal log)
>>
>> Regards
>> Fabrice
>>
>>
>>
>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com
>> <mailto:jno...@gmail.com>> a écrit :
>> Hi Team,
>>
>> Any input on this? We really would like to get this to work.
>>
>> Thank you!
>> Jorge
>>
>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com
>>> <mailto:jno...@gmail.com>> wrote:
>>>
>>> Hi Fabrice,
>>>
>>> This is the sequence:
>>>
>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132
>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663]
>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/>
>>> 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx
>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1"
>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133
>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905]
>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/2/2 200
>>> 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET
>>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130
>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927]
>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/>
>>> 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx
>>> <http://wifi.fispy.mx/>} "GET
>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>> HTTP/1.1"
>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132
>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060]
>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/>
>>> 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx
>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1"
>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133
>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219]
>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/1/1 200
>>> 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET
>>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130
>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287]
>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/>
>>> 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx
>>> <http://wifi.fispy.mx/>} "GET
>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>> HTTP/1.1”
>>>
>>>
>>>
>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com
>>>> <mailto:oeufd...@gmail.com>> wrote:
>>>>
>>>> Hello Jorge,
>>>>
>>>> i will have a look closer.
>>>> But i have a question, when the device is forwarded to the captive portal,
>>>> (just before
>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>
>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>)
>>>> , what is the url ?
>>>> You should be able to see it in the haproxy-portal.log file.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com
>>>> <mailto:jno...@gmail.com>> a écrit :
>>>> Hi Fabrice,
>>>>
>>>>
>>>> We almost have the configuration working, but are not sure how to get the
>>>> redirect to the client to work correctly. Attached is the documentation
>>>> for Cisco ISE which we used for PacketFence as well.
>>>>
>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>>
>>>> This is the format the client should get from PacketFence. This is the
>>>> only piece we are missing for this to work.
>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>
>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>
>>>>
>>>> If we manually click on the link above, then the flow of traffic works
>>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works.
>>>> The problem is that when the user logs in to the portal the redirect is
>>>> broken. The parameter for the redirect that PacketFence is serving, comes
>>>> from a configuration parameter within the AC. This configuration works
>>>> fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>
>>>>
>>>> When we configure the redirect this is what the client is getting from
>>>> PacketFence
>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>
>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin>
>>>>
>>>>
>>>> url-template name PacketFence
>>>> url https://wifi.fispy.mx/captive-portal
>>>> <https://wifi.fispy.mx/captive-portal>
>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE
>>>> REDIRECT TO PACKETFENCE
>>>>
>>>>
>>>>
>>>> AC CONFIG
>>>>
>>>> authentication-profile name PacketFence
>>>> portal-access-profile PacketFence
>>>> free-rule-template default_free_rule
>>>> authentication-scheme PacketFence
>>>> accounting-scheme PacketFence
>>>> radius-server PacketFence
>>>> force-push url https://www.fispy.mx <https://www.fispy.mx/>
>>>>
>>>> radius-server template PacketFence
>>>> radius-server shared-key cipher
>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>> radius-server authentication 10.0.255.99 1812 source ip-address
>>>> 10.7.255.2 weight 90
>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2
>>>> weight 80
>>>> undo radius-server user-name domain-included
>>>> calling-station-id mac-format unformatted
>>>> called-station-id wlan-user-format ac-mac
>>>> radius-server attribute translate
>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>> radius-attribute disable HW-IP-Host-Address send
>>>> radius-attribute disable HW-Connect-ID send
>>>> radius-attribute disable HW-Version send
>>>> radius-attribute disable HW-Product-ID send
>>>> radius-attribute disable HW-Domain-Name send
>>>> radius-attribute disable HW-User-Extend-Info send
>>>>
>>>> url-template name PacketFence
>>>> url https://wifi.fispy.mx/captive-portal
>>>> <https://wifi.fispy.mx/captive-portal>
>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE
>>>> REDIRECT TO PACKETFENCE
>>>>
>>>> web-auth-server PacketFence
>>>> server-ip 10.0.255.99
>>>> port 443
>>>> url-template PacketFence
>>>> protocol http
>>>> http get-method enable
>>>>
>>>> portal-access-profile name PacketFence
>>>> web-auth-server PacketFence direct
>>>>
>>>>
>>>> authentication-scheme PacketFence
>>>> authentication-mode radius
>>>>
>>>> wlan
>>>> security-profile name FISPY-WiFi
>>>>
>>>> vap-profile name FISPY-WiFi
>>>> service-vlan vlan-id 900
>>>> permit-vlan vlan-id 900
>>>> ssid-profile FISPY-WiFi
>>>> security-profile FISPY-WiFi
>>>> authentication-profile PacketFence
>>>> sta-network-detect disable
>>>> service-experience-analysis enable
>>>> mdns-snooping enable
>>>>
>>>>
>>>>
>>>>
>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>
>>>> url-template name CISCO-ISE
>>>> url
>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>
>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02>
>>>> parameter start-mark #
>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>> <https://portal.fispy.mx:8443/login>
>>>>
>>>> ####################################
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com
>>>>> <mailto:oeufd...@gmail.com>> wrote:
>>>>>
>>>>> Hello Jorge,
>>>>>
>>>>> do you have any Huawei documentation to implement that ?
>>>>>
>>>>> Regards
>>>>> Fabrice
>>>>>
>>>>>
>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users
>>>>> <packetfence-users@lists.sourceforge.net
>>>>> <mailto:packetfence-users@lists.sourceforge.net>> a écrit :
>>>>> Hi Team,
>>>>>
>>>>> We were wondering if anyone has had any success in configuring Web Auth
>>>>> for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>>
>>>>> Thank you!
>>>>> Jorge
>>>>>
>>>>> _______________________________________________
>>>>> PacketFence-users mailing list
>>>>> PacketFence-users@lists.sourceforge.net
>>>>> <mailto:PacketFence-users@lists.sourceforge.net>
>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
>>>>
>>>>
>>>>
>>>
>>
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
