Great! It will be easier.
On Sun, Feb 6, 2022 at 18:38, Jorge Nolla <jno...@gmail.com> wrote:
> Fabrice,
>
> I figured out why the AC is formatting in that way,
>
> 6.3.7.3.6 The URL of the Redirected Portal Page Contains %XX, Which Cannot
> Be Identified by Some Portal Servers
>
> When a third-party Portal server is connected, the browser can be
> redirected to the URL of the Portal page, but the Portal page cannot be
> opened. The URL of the Portal page contains %XX, for example,
> http://12.12.12.1:8080/portal?ac%2Dip=100%2E1%2E1%2E1&userip=200%2E1%2E1%2E172&ssid=portal%5Ftest.
>
> By default, the Portal URL encoding and decoding function is enabled on
> the device.
>
> URL encoding encodes special characters (that is, characters that are not
> simple 7-bit ASCII characters, such as Chinese characters) in hexadecimal
> format using the percent sign (%), including special characters such as the
> equal sign (=), ampersand (&), and percent sign (%). The URL encoding is
> actually a hexadecimal character ASCII code. However, there is a slight
> change, and "%" needs to be added to the beginning. For example, the ASCII
> code of a backslash (\) is 92, and the hexadecimal number of 92 is 5c.
> Therefore, the URL encoding result of a backslash (\) is %5c. The URL
> coding table can be found on the Internet. Some Portal servers do not
> support this encoding format. When the URL encoding function is enabled on
> the device, redirection fails.
>
> Disable the Portal URL encoding function on the device.
>
> *[Huawei] undo portal url-encode enable*
>
> This worked, now we get the correct output:
>
> Feb 6 16:34:19 wifi haproxy[2427]: 10.9.70.173:51832 [06/Feb/2022:16:34:18.789] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/387/388 302 1018 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac-ip=10.7.255.2&userip=10.9.70.173&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>
> On Feb 6, 2022, at 4:29 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> If I try to manually send the redirect in the browser here is what HA
> proxy records. This is a simple copy and paste in the browser and the
> output:
>
> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>
> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>
> It doesn’t let it go through as it seems that is trying to validate
> network connectivity
>
> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Seems weird how the format of the URL is recorded/sent
>
> Here is a normal redirect, the url is formatted correctly,
>
> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>
> I’m not sure why the value sent by the AP has all the % and weird symbols
> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>
> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> Here are the options that can be added:
>
> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>   ap-group-name   AP group name
>   ap-ip           AP IP address
>   ap-location     AP location
>   ap-mac          AP MAC address
>   ap-name         AP name
>   device-ip       Device IP address
>   device-mac      Device MAC address
>   login-url       Device's login URL provided to the external portal server
>   mac-address     Mac address
>   redirect-url    The url in user original http packet
>   set             Set
>   ssid            SSID
>   sysname         Device name
>   user-ipaddress  User IP address
>   user-mac        User MAC address
>
> url-template name PacketFence
> url https://wifi.fispy.mx/captive-portal
> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>
> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>
> If we do not specify the URL on this configuration, where would
> PacketFence get the value for the AC Web Authentication call?
>
> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>
> Best Regards,
> Jorge
>
> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Hello Jorge,
>
> What we need is the user mac and the ap information.
> I found that
> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>
> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>
> And if yes can you provide me the url generated by the controller when it
> redirects? (haproxy-portal log)
>
> Regards
> Fabrice
>
> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>
>> Hi Team,
>>
>> Any input on this? We really would like to get this to work.
>>
>> Thank you!
>> Jorge
>>
>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Hi Fabrice,
>>
>> This is the sequence:
>>
>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>
>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> Hello Jorge,
>>
>> I will have a look closer.
>> But I have a question, when the device is forwarded to the captive
>> portal, (just before
>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>),
>> what is the url?
>> You should be able to see it in the haproxy-portal.log file.
>>
>> Regards
>> Fabrice
>>
>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>
>>> Hi Fabrice,
>>>
>>> We almost have the configuration working, but are not sure how to get
>>> the redirect to the client to work correctly. Attached is the documentation
>>> for Cisco ISE which we used for PacketFence as well.
>>>
>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>
>>> This is the format the client should get from PacketFence. This is the
>>> only piece we are missing for this to work.
>>>
>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>
>>> If we manually click on the link above, then the flow of traffic works
>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The
>>> problem is that when the user logs in to the portal the redirect is broken.
>>> The parameter for the redirect that PacketFence is serving, comes from a
>>> configuration parameter within the AC. This configuration works fine for
>>> Cisco ISE, but the URL format is not working for PacketFence.
>>>
>>> When we configure the redirect this is what the client is getting from
>>> PacketFence
>>>
>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>
>>> url-template name PacketFence
>>> url https://wifi.fispy.mx/captive-portal
>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>
>>> AC CONFIG
>>>
>>> authentication-profile name PacketFence
>>> portal-access-profile PacketFence
>>> free-rule-template default_free_rule
>>> authentication-scheme PacketFence
>>> accounting-scheme PacketFence
>>> radius-server PacketFence
>>> force-push url https://www.fispy.mx
>>>
>>> radius-server template PacketFence
>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@ ]<}NMejv3)E^\6;7:NUY%^%#
>>> radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>> undo radius-server user-name domain-included
>>> calling-station-id mac-format unformatted
>>> called-station-id wlan-user-format ac-mac
>>> radius-server attribute translate
>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>> radius-attribute disable HW-IP-Host-Address send
>>> radius-attribute disable HW-Connect-ID send
>>> radius-attribute disable HW-Version send
>>> radius-attribute disable HW-Product-ID send
>>> radius-attribute disable HW-Domain-Name send
>>> radius-attribute disable HW-User-Extend-Info send
>>>
>>> url-template name PacketFence
>>> url https://wifi.fispy.mx/captive-portal
>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>
>>> web-auth-server PacketFence
>>> server-ip 10.0.255.99
>>> port 443
>>> url-template PacketFence
>>> protocol http
>>> http get-method enable
>>>
>>> portal-access-profile name PacketFence
>>> web-auth-server PacketFence direct
>>>
>>> authentication-scheme PacketFence
>>> authentication-mode radius
>>>
>>> wlan
>>> security-profile name FISPY-WiFi
>>>
>>> vap-profile name FISPY-WiFi
>>> service-vlan vlan-id 900
>>> permit-vlan vlan-id 900
>>> ssid-profile FISPY-WiFi
>>> security-profile FISPY-WiFi
>>> authentication-profile PacketFence
>>> sta-network-detect disable
>>> service-experience-analysis enable
>>> mdns-snooping enable
>>>
>>> ###CISCO ISE CONFIG TO COMPARE###
>>>
>>> url-template name CISCO-ISE
>>> url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>> parameter start-mark #
>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>
>>> ####################################
>>>
>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>>
>>> Do you have any Huawei documentation to implement that?
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>
>>>> Hi Team,
>>>>
>>>> We were wondering if anyone has had any success in configuring Web Auth
>>>> for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>
>>>> Thank you!
>>>> Jorge
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> PacketFence-users@lists.sourceforge.net
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
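The encoding difference discussed in this thread, as an added Python example that is not part of the original messages or of PacketFence's code: it takes three request fields copied from the quoted haproxy-portal log lines, compares what a portal sees with and without percent-decoding, and lists the escapes that encode RFC 3986 unreserved characters. The function names are illustrative assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request fields copied from the haproxy-portal log lines quoted in the thread.
ENCODED = ('"GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173'
           '&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"')
PLAIN = ('"GET /captive-portal?ac-ip=10.7.255.2&userip=10.9.70.173'
         '&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"')
SWITCH = ('"GET /captive-portal?switch%5Furl='
          'https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"')

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
ESCAPE_RE = re.compile(r"%[0-9A-Fa-f]{2}")
# RFC 3986 "unreserved" set: escaping these is legal but never required.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")


def query_of(log_line):
    """Return the raw query string of the request logged by haproxy."""
    match = REQUEST_RE.search(log_line)
    if match is None:
        raise ValueError("no HTTP request field in log line")
    return urlsplit(match.group("target")).query


def raw_params(log_line):
    """Split on & and = without decoding: the view of a non-decoding portal."""
    pairs = (p.partition("=") for p in query_of(log_line).split("&") if p)
    return {name: value for name, _, value in pairs}


def decoded_params(log_line):
    """Percent-decode parameter names and values before any lookup."""
    return dict(parse_qsl(query_of(log_line), keep_blank_values=True))


def needless_escapes(log_line):
    """Escapes that encode unreserved characters (AC url-encode enabled)."""
    found = {e.upper() for e in ESCAPE_RE.findall(query_of(log_line))}
    return sorted(e for e in found if unquote(e) in UNRESERVED)


if __name__ == "__main__":
    for line in (ENCODED, PLAIN, SWITCH):
        print(needless_escapes(line), decoded_params(line))
```

In the `SWITCH` request the `%3A` and `%2F` escapes encode reserved characters of the nested login URL, so only `%5F` and `%2E` are reported.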