Hello Jorge,

i have what i need at least to be able to support the web-auth.
The only thing i am not sure is at the end of the registration process what
we are supposed to do.

I will create a branch on github in order for you to test. (it will be an
update of the Huawei switch module).

For information, what is the ac-ip ac-mac versus ap-ip ap-mac ?

Regards
Fabrice


Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <jno...@gmail.com> a écrit :

> If I try to manually send the redirect in the browser here is what HA
> proxy records. This is a simple copy and paste in the browser and the
> output:
>
> https://wifi.fispy.mx/captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>
> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?destination_url=
> https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>
>
> It doesn’t let it go through as it seems that is trying to validate
> network connectivity
>
>
> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Seems weird how the format of the URL is recorded/sent
>
>
> Here is a normal redirect, the url is formatted correctly,
>
>
> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577
> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/
> 127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx}
> "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>
>  I’m not sure why the value sent by the AP has all the % and weird symbols
> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>
>
> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> Here are the options that can be added:
>
> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>   ap-group-name   AP group name
>   ap-ip           AP IP address
>   ap-location     AP location
>   ap-mac          AP MAC address
>   ap-name         AP name
>   device-ip       Device IP address
>   device-mac      Device MAC address
>   login-url       Device's login URL provided to the external portal server
>   mac-address     Mac address
>   redirect-url    The url in user original http packet
>   set             Set
>   ssid            SSID
>   sysname         Device name
>   user-ipaddress  User IP address
>   user-mac        User MAC address
>
>
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac
> ap-mac
>
>
> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET
> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9
> HTTP/1.1"
>
>
> If we do not specify the URL on this configuration, where would
> PacketFence get the value for the AC Web Authentication call?
>
>
> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>
> Best Regards,
> Jorge
>
> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Hello Jorge,
>
> what we need is the user mac and the ap information.
> I found that
> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>
> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ?
>
> And if yes can you provide me the url generated by the controller when it
> redirect ?  (haproxy-portal log)
>
> Regards
> Fabrice
>
>
>
> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com> a écrit :
>
>> Hi Team,
>>
>> Any input on this? We really would like to get this to work.
>>
>> Thank you!
>> Jorge
>>
>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Hi Fabrice,
>>
>> This is the sequence:
>>
>> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132
>> [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /access?lang= HTTP/1.1"
>> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133
>> [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1
>> 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET
>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130
>> [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET
>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> HTTP/1.1"
>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132
>> [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx}
>> "GET /access?lang= HTTP/1.1"
>> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133
>> [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1
>> 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET
>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>> Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130
>> [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/
>> 127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx}
>> "GET
>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> HTTP/1.1”
>>
>>
>>
>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> Hello Jorge,
>>
>> i will have a look closer.
>> But i have a question, when the device is forwarded to the captive
>> portal, (just before
>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>)
>> , what is the url ?
>> You should be able to see it in the haproxy-portal.log file.
>>
>> Regards
>> Fabrice
>>
>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com> a écrit :
>>
>>> Hi Fabrice,
>>>
>>>
>>> We almost have the configuration working, but are not sure how to get
>>> the redirect to the client to work correctly. Attached is the documentation
>>> for Cisco ISE which we used for PacketFence as well.
>>>
>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>
>>> This is the format the client should get from PacketFence. This is the
>>> only piece we are missing for this to work.
>>>
>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>
>>>
>>> If we manually click on the link above, then the flow of traffic works
>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The
>>> problem is that when the user logs in to the portal the redirect is broken.
>>> The parameter for the redirect that PacketFence is serving, comes from a
>>> configuration parameter within the AC. This configuration works fine for
>>> Cisco ISE, but the URL format is not working for PacketFence.
>>>
>>>
>>> When we configure the redirect this is what the client is getting from
>>> PacketFence
>>>
>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>
>>>
>>> url-template name PacketFence
>>>  url https://wifi.fispy.mx/captive-portal
>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>
>>>
>>>
>>> AC CONFIG
>>>
>>> authentication-profile name PacketFence
>>>  portal-access-profile PacketFence
>>>  free-rule-template default_free_rule
>>>  authentication-scheme PacketFence
>>>  accounting-scheme PacketFence
>>>  radius-server PacketFence
>>>  force-push url https://www.fispy.mx
>>>
>>> radius-server template PacketFence
>>>  radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@
>>> ]<}NMejv3)E^\6;7:NUY%^%#
>>>  radius-server authentication 10.0.255.99 1812 source ip-address
>>> 10.7.255.2 weight 90
>>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2
>>> weight 80
>>>  undo radius-server user-name domain-included
>>>  calling-station-id mac-format unformatted
>>>  called-station-id wlan-user-format ac-mac
>>>  radius-server attribute translate
>>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>  radius-attribute disable HW-IP-Host-Address send
>>>  radius-attribute disable HW-Connect-ID send
>>>  radius-attribute disable HW-Version send
>>>  radius-attribute disable HW-Product-ID send
>>>  radius-attribute disable HW-Domain-Name send
>>>  radius-attribute disable HW-User-Extend-Info send
>>>
>>> url-template name PacketFence
>>>  url https://wifi.fispy.mx/captive-portal
>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>
>>> web-auth-server PacketFence
>>>  server-ip 10.0.255.99
>>>  port 443
>>>  url-template PacketFence
>>>  protocol http
>>>  http get-method enable
>>>
>>> portal-access-profile name PacketFence
>>>  web-auth-server PacketFence direct
>>>
>>>
>>> authentication-scheme PacketFence
>>>   authentication-mode radius
>>>
>>> wlan
>>>  security-profile name FISPY-WiFi
>>>
>>>  vap-profile name FISPY-WiFi
>>>   service-vlan vlan-id 900
>>>   permit-vlan vlan-id 900
>>>   ssid-profile FISPY-WiFi
>>>   security-profile FISPY-WiFi
>>>   authentication-profile PacketFence
>>>   sta-network-detect disable
>>>   service-experience-analysis enable
>>>   mdns-snooping enable
>>>
>>>
>>>
>>>
>>> ###CISCO ISE CONFIG TO COMPARE###
>>>
>>> url-template name CISCO-ISE
>>>  url
>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>  parameter start-mark #
>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>
>>> ####################################
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>>
>>> do you have any Huawei documentation to implement that ?
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users <
>>> packetfence-users@lists.sourceforge.net> a écrit :
>>>
>>>> Hi Team,
>>>>
>>>> We were wondering if anyone has had any success in configuring Web Auth
>>>> for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>
>>>> Thank you!
>>>> Jorge
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>
>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Reply via email to