Hi Fabrice,

Getting this error

 sudo curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1

File lib/pf/Switch/Huawei.pm is read-only; trying to patch anyway
patch: **** Can't create temporary file lib/pf/Switch/Huawei.pm.o00FB2T : Permission denied

> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
> 
> I am just not sure what to set for username and password; if you do SMS auth 
> then there is no password.
> 
> Also, in the URL it looks like it is missing the MAC address of the device. Can you 
> try to add device-mac and see if the device MAC is in the URL?
> 
> Here is the first draft:
> 
> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
> 
> cd /usr/local/pf/
> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
> 
> then restart packetfence.
> 
> On the controller:
> 
> url-template name PacketFence
>  url https://wifi.fispy.mx/Hawei
>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
> 
> So when the device is forwarded to the portal, it should be able to 
> recognise the MAC address and the IP of the device (at the bottom).
> 
> Register on the portal and you should be forwarded to 
> http://$controller_ip:8443/login?username=bob&password=bob
> 
> Let me know how it behaves.
> 
> Regards
> Fabrice
> 
> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
> Hi Fabrice
> 
> This is the GET the AC is expecting:
> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
> 
> If successful it will return as per image below. If it fails the AC will 
> redirect back to the Portal
> 
> <WebAuthentication.png>
> 
> 
> Here is the configuration:
> 
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal
>  url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
> 
> 
> HA Proxy output
> 
> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
> 
> Only problem is that PacketFence is not updating the dynamic values with 
> username and password for it to work
> 
> AC = Access Controller. This manages the APs as they are operating in 
> Fit/Lightweight mode.
> AP = Access Points. These are the actual radios.
> 
> Best Regards,
> Jorge
> 
> 
>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>> 
>> Hello Jorge,
>> 
>> I have what I need, at least to be able to support the web-auth.
>> The only thing I am not sure about is what we are supposed to do at the 
>> end of the registration process.
>> 
>> I will create a branch on GitHub in order for you to test. (It will be an 
>> update of the Huawei switch module.)
>> 
>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>> 
>> Regards
>> Fabrice
>> 
>> 
>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>> If I try to manually send the redirect in the browser here is what HA proxy 
>> records. This is a simple copy and paste in the browser and the output:
>> 
>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>> 
>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>> 
>> 
>> It doesn’t let it go through, as it seems that it is trying to validate network 
>> connectivity.
>> 
>> 
>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>> 
>>> Seems weird how the format of the URL is recorded/sent 
>>> 
>>> 
>>> Here is a normal redirect, the url is formatted correctly,
>>> 
>>> 
>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>> 
>>> I’m not sure why the value sent by the AP has all the % and weird symbols:
>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>> 
>>> 
>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>> 
>>>> Hi Fabrice,
>>>> 
>>>> Here are the options that can be added:
>>>> 
>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>   ap-group-name   AP group name
>>>>   ap-ip           AP IP address
>>>>   ap-location     AP location
>>>>   ap-mac          AP MAC address
>>>>   ap-name         AP name
>>>>   device-ip       Device IP address
>>>>   device-mac      Device MAC address
>>>>   login-url       Device's login URL provided to the external portal server
>>>>   mac-address     Mac address
>>>>   redirect-url    The url in user original http packet
>>>>   set             Set
>>>>   ssid            SSID
>>>>   sysname         Device name
>>>>   user-ipaddress  User IP address
>>>>   user-mac        User MAC address
>>>> 
>>>> 
>>>> url-template name PacketFence
>>>>  url https://wifi.fispy.mx/captive-portal
>>>>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>> 
>>>> 
>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>> 
>>>> 
>>>> If we do not specify the URL on this configuration, where would 
>>>> PacketFence get the value for the AC Web Authentication call?
>>>> 
>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>> 
>>>> Best Regards,
>>>> Jorge
>>>> 
>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>> 
>>>>> Hello Jorge,
>>>>> 
>>>>> What we need is the user MAC and the AP information.
>>>>> I found that 
>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>> 
>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>>>>> 
>>>>> And if yes, can you provide me the URL generated by the controller when it 
>>>>> redirects? (haproxy-portal log)
>>>>> 
>>>>> Regards
>>>>> Fabrice
>>>>> 
>>>>> 
>>>>> 
>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>> Hi Team,
>>>>> 
>>>>> Any input on this? We really would like to get this to work.
>>>>> 
>>>>> Thank you!
>>>>> Jorge
>>>>> 
>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>> 
>>>>>> Hi Fabrice,
>>>>>> 
>>>>>> This is the sequence:
>>>>>> 
>>>>>> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>> Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>> 
>>>>>>> Hello Jorge,
>>>>>>> 
>>>>>>> I will have a closer look.
>>>>>>> But I have a question: when the device is forwarded to the captive 
>>>>>>> portal (just before 
>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin), 
>>>>>>> what is the URL?
>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>> 
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>> 
>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>> Hi Fabrice,
>>>>>>> 
>>>>>>> 
>>>>>>> We almost have the configuration working, but are not sure how to get 
>>>>>>> the redirect to the client to work correctly. Attached is the 
>>>>>>> documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>> 
>>>>>>> Portal.fispy.mx is the Huawei AC.
>>>>>>> 
>>>>>>> This is the format the client should get from PacketFence. This is the 
>>>>>>> only piece we are missing for this to work.
>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>> 
>>>>>>> 
>>>>>>> If we manually click on the link above, then the flow of traffic works 
>>>>>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. 
>>>>>>> The problem is that when the user logs in to the portal the redirect is 
>>>>>>> broken. The parameter for the redirect that PacketFence is serving, 
>>>>>>> comes from a configuration parameter within the AC. This configuration 
>>>>>>> works fine for Cisco ISE, but the URL format is not working for 
>>>>>>> PacketFence.
>>>>>>> 
>>>>>>> 
>>>>>>> When we configure the redirect this is what the client is getting from 
>>>>>>> PacketFence
>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>> 
>>>>>>> 
>>>>>>> url-template name PacketFence
>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> AC CONFIG
>>>>>>> 
>>>>>>> authentication-profile name PacketFence
>>>>>>>  portal-access-profile PacketFence
>>>>>>>  free-rule-template default_free_rule
>>>>>>>  authentication-scheme PacketFence
>>>>>>>  accounting-scheme PacketFence
>>>>>>>  radius-server PacketFence
>>>>>>>  force-push url https://www.fispy.mx
>>>>>>> 
>>>>>>> radius-server template PacketFence
>>>>>>>  radius-server shared-key cipher 
>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>  radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>  undo radius-server user-name domain-included
>>>>>>>  calling-station-id mac-format unformatted
>>>>>>>  called-station-id wlan-user-format ac-mac
>>>>>>>  radius-server attribute translate
>>>>>>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>  radius-attribute disable HW-IP-Host-Address send
>>>>>>>  radius-attribute disable HW-Connect-ID send
>>>>>>>  radius-attribute disable HW-Version send
>>>>>>>  radius-attribute disable HW-Product-ID send
>>>>>>>  radius-attribute disable HW-Domain-Name send
>>>>>>>  radius-attribute disable HW-User-Extend-Info send
>>>>>>> 
>>>>>>> url-template name PacketFence
>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>> 
>>>>>>> web-auth-server PacketFence
>>>>>>>  server-ip 10.0.255.99
>>>>>>>  port 443
>>>>>>>  url-template PacketFence
>>>>>>>  protocol http
>>>>>>>  http get-method enable
>>>>>>> 
>>>>>>> portal-access-profile name PacketFence
>>>>>>>  web-auth-server PacketFence direct
>>>>>>> 
>>>>>>> 
>>>>>>> authentication-scheme PacketFence
>>>>>>>   authentication-mode radius
>>>>>>> 
>>>>>>> wlan
>>>>>>>  security-profile name FISPY-WiFi
>>>>>>> 
>>>>>>>  vap-profile name FISPY-WiFi
>>>>>>>   service-vlan vlan-id 900
>>>>>>>   permit-vlan vlan-id 900
>>>>>>>   ssid-profile FISPY-WiFi
>>>>>>>   security-profile FISPY-WiFi
>>>>>>>   authentication-profile PacketFence
>>>>>>>   sta-network-detect disable
>>>>>>>   service-experience-analysis enable
>>>>>>>   mdns-snooping enable
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>> 
>>>>>>> url-template name CISCO-ISE
>>>>>>>  url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>  parameter start-mark #
>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>> 
>>>>>>> ####################################
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Hello Jorge,
>>>>>>>> 
>>>>>>>> Do you have any Huawei documentation to implement that?
>>>>>>>> 
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>> 
>>>>>>>> 
>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users 
>>>>>>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>> Hi Team,
>>>>>>>> 
>>>>>>>> We were wondering if anyone has had any success in configuring Web 
>>>>>>>> Auth for the Huawei AC? It’s somewhat critical for us to get this 
>>>>>>>> going.
>>>>>>>> 
>>>>>>>> Thank you!
>>>>>>>> Jorge
>>>>>>>> 
>>>>>>>> _______________________________________________
>>>>>>>> PacketFence-users mailing list
>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
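
The haproxy lines quoted in this thread show the AC percent-encoding even `-`, `.` and `_` (`%2D`, `%2E`, `%5F`) in the query it appends to the portal URL. As an added example, not code from this thread or from PacketFence, the Python below decodes such a query and validates each field before it is used, including an allowlist check on the login URL that will later carry the username and password; the function names and `ALLOWED_LOGIN_ORIGINS` are assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the only origin (scheme, host, port) clients may be sent to.
ALLOWED_LOGIN_ORIGINS = {("https", "portal.fispy.mx", 8443)}


def normalize_mac(value):
    """Accept f02f4b1467d9, f0:2f:... or f0-2f-... and return f0:2f:4b:14:67:d9."""
    digits = re.sub(r"[:.\-]", "", value.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_login_url(url):
    """Return the URL only if its scheme, host and port are on the allowlist."""
    parts = urlsplit(url)
    if parts.username or parts.password:
        raise ValueError(f"userinfo not allowed in login URL: {url!r}")
    if (parts.scheme, parts.hostname, parts.port) not in ALLOWED_LOGIN_ORIGINS:
        raise ValueError(f"login URL not allowed: {url!r}")
    return url


def parse_ac_redirect(query):
    """Decode and validate the query string the AC appends to the portal URL."""
    # parse_qs undoes the percent-encoding, including %2D (-), %2E (.), %5F (_).
    raw = parse_qs(query, keep_blank_values=True)
    repeated = sorted(k for k, v in raw.items() if len(v) > 1)
    if repeated:
        raise ValueError(f"repeated parameters: {repeated}")
    params = {k: v[0] for k, v in raw.items()}
    out = {}  # only recognised keys are copied; anything else is dropped
    for key in ("ac-ip", "userip"):
        if key in params:
            out[key] = str(ipaddress.ip_address(params[key]))
    for key in ("ap-mac", "user-mac", "device-mac"):
        if key in params:
            out[key] = normalize_mac(params[key])
    if "ssid" in params:
        out["ssid"] = params["ssid"]
    if "switch_url" in params:
        out["switch_url"] = check_login_url(params["switch_url"])
    return out


# Query strings copied from the haproxy log lines quoted in the thread.
SAMPLE_PARAMS = ("ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173"
                 "&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9")
SAMPLE_LOGIN = "switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin"

if __name__ == "__main__":
    print(parse_ac_redirect(SAMPLE_PARAMS), parse_ac_redirect(SAMPLE_LOGIN))
```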
