Worked as root after I stopped pf. Testing now.

[root@wifi pf]# curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2900  100  2900    0     0  10701      0 --:--:-- --:--:-- --:--:-- 10701
patching file lib/pf/Switch/Huawei.pm
patching file lib/pf/web/constants.pm

> On Feb 6, 2022, at 6:09 PM, Jorge Nolla <jno...@gmail.com> wrote:
>
> Hi Fabrice,
>
> Getting this error
>
> sudo curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>
> File lib/pf/Switch/Huawei.pm is read-only; trying to patch anyway
> patch: **** Can't create temporary file lib/pf/Switch/Huawei.pm.o00FB2T : Permission denied
>
>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> I am just not sure what to set for username and password; if you do SMS auth then there is no password.
>>
>> Also, in the URL it looks like the MAC address of the device is missing. Can you try to add device-mac and see if the device MAC is in the URL?
>>
>> Here is the first draft:
>>
>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>
>> cd /usr/local/pf/
>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>
>> then restart packetfence.
>>
>> On the controller:
>>
>> url-template name PacketFence
>> url https://wifi.fispy.mx/Hawei
>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>
>> So when the device is forwarded to the portal it should be able to recognise the MAC address and the IP of the device (at the bottom).
>>
>> Register on the portal and you should be forwarded to http://$controller_ip:8443/login?username=bob&password=bob
>>
>> Let me know how it behaves.
>>
>> Regards
>> Fabrice
>>
>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>> Hi Fabrice
>>
>> This is the GET the AC is expecting:
>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>
>> If successful it will return as per image below. If it fails the AC will redirect back to the Portal
>>
>> <WebAuthentication.png>
>>
>> Here is the configuration:
>>
>> url-template name PacketFence
>> url https://wifi.fispy.mx/captive-portal
>> url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>
>> HA Proxy output
>>
>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>
>> Only problem is that PacketFence is not updating the dynamic values with username and password for it to work
>>
>> AC = Access Controller. This manages the APs as they are operating in Fit/Lightweight mode.
>> AP = Access Points. These are the actual radios.
>>
>> Best Regards,
>> Jorge
>>
>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>>
>>> I have what I need, at least to be able to support the web-auth.
>>> The only thing I am not sure of is what we are supposed to do at the end of the registration process.
>>>
>>> I will create a branch on GitHub in order for you to test. (It will be an update of the Huawei switch module.)
>>>
>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>> If I try to manually send the redirect in the browser here is what HA proxy records. This is a simple copy and paste in the browser and the output:
>>>
>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>
>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>
>>> It doesn't let it go through as it seems that it is trying to validate network connectivity
>>>
>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Seems weird how the format of the URL is recorded/sent
>>>>
>>>> Here is a normal redirect, the URL is formatted correctly,
>>>>
>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>
>>>> I'm not sure why the value sent by the AP has all the % and weird symbols
>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>
>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> Here are the options that can be added:
>>>>>
>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>   ap-group-name   AP group name
>>>>>   ap-ip           AP IP address
>>>>>   ap-location     AP location
>>>>>   ap-mac          AP MAC address
>>>>>   ap-name         AP name
>>>>>   device-ip       Device IP address
>>>>>   device-mac      Device MAC address
>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>   mac-address     Mac address
>>>>>   redirect-url    The url in user original http packet
>>>>>   set             Set
>>>>>   ssid            SSID
>>>>>   sysname         Device name
>>>>>   user-ipaddress  User IP address
>>>>>   user-mac        User MAC address
>>>>>
>>>>> url-template name PacketFence
>>>>> url https://wifi.fispy.mx/captive-portal
>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>
>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>
>>>>> If we do not specify the URL on this configuration, where would PacketFence get the value for the AC Web Authentication call?
>>>>>
>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>
>>>>> Best Regards,
>>>>> Jorge
>>>>>
>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>
>>>>>> Hello Jorge,
>>>>>>
>>>>>> What we need is the user MAC and the AP information.
>>>>>> I found this:
>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>
>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>>>>>>
>>>>>> And if yes, can you provide me the URL generated by the controller when it redirects? (haproxy-portal log)
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>> Hi Team,
>>>>>>
>>>>>> Any input on this? We really would like to get this to work.
>>>>>>
>>>>>> Thank you!
>>>>>> Jorge
>>>>>>
>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Fabrice,
>>>>>>>
>>>>>>> This is the sequence:
>>>>>>>
>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>
>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hello Jorge,
>>>>>>>>
>>>>>>>> I will have a closer look.
>>>>>>>> But I have a question: when the device is forwarded to the captive portal (just before https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin), what is the URL?
>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>> Hi Fabrice,
>>>>>>>>
>>>>>>>> We almost have the configuration working, but are not sure how to get the redirect to the client to work correctly. Attached is the documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>>>
>>>>>>>> Portal.fispy.mx is the Huawei AC.
>>>>>>>>
>>>>>>>> This is the format the client should get from PacketFence. This is the only piece we are missing for this to work.
>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>
>>>>>>>> If we manually click on the link above, then the flow of traffic works correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The problem is that when the user logs in to the portal the redirect is broken. The parameter for the redirect that PacketFence is serving comes from a configuration parameter within the AC. This configuration works fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>>>>>
>>>>>>>> When we configure the redirect this is what the client is getting from PacketFence
>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>
>>>>>>>> url-template name PacketFence
>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>
>>>>>>>> AC CONFIG
>>>>>>>>
>>>>>>>> authentication-profile name PacketFence
>>>>>>>> portal-access-profile PacketFence
>>>>>>>> free-rule-template default_free_rule
>>>>>>>> authentication-scheme PacketFence
>>>>>>>> accounting-scheme PacketFence
>>>>>>>> radius-server PacketFence
>>>>>>>> force-push url https://www.fispy.mx
>>>>>>>>
>>>>>>>> radius-server template PacketFence
>>>>>>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>> undo radius-server user-name domain-included
>>>>>>>> calling-station-id mac-format unformatted
>>>>>>>> called-station-id wlan-user-format ac-mac
>>>>>>>> radius-server attribute translate
>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>> radius-attribute disable HW-IP-Host-Address send
>>>>>>>> radius-attribute disable HW-Connect-ID send
>>>>>>>> radius-attribute disable HW-Version send
>>>>>>>> radius-attribute disable HW-Product-ID send
>>>>>>>> radius-attribute disable HW-Domain-Name send
>>>>>>>> radius-attribute disable HW-User-Extend-Info send
>>>>>>>>
>>>>>>>> url-template name PacketFence
>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>
>>>>>>>> web-auth-server PacketFence
>>>>>>>> server-ip 10.0.255.99
>>>>>>>> port 443
>>>>>>>> url-template PacketFence
>>>>>>>> protocol http
>>>>>>>> http get-method enable
>>>>>>>>
>>>>>>>> portal-access-profile name PacketFence
>>>>>>>> web-auth-server PacketFence direct
>>>>>>>>
>>>>>>>> authentication-scheme PacketFence
>>>>>>>> authentication-mode radius
>>>>>>>>
>>>>>>>> wlan
>>>>>>>> security-profile name FISPY-WiFi
>>>>>>>>
>>>>>>>> vap-profile name FISPY-WiFi
>>>>>>>> service-vlan vlan-id 900
>>>>>>>> permit-vlan vlan-id 900
>>>>>>>> ssid-profile FISPY-WiFi
>>>>>>>> security-profile FISPY-WiFi
>>>>>>>> authentication-profile PacketFence
>>>>>>>> sta-network-detect disable
>>>>>>>> service-experience-analysis enable
>>>>>>>> mdns-snooping enable
>>>>>>>>
>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>
>>>>>>>> url-template name CISCO-ISE
>>>>>>>> url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>> parameter start-mark #
>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>
>>>>>>>> ####################################
>>>>>>>>
>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hello Jorge,
>>>>>>>>>
>>>>>>>>> Do you have any Huawei documentation to implement that?
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>> Hi Team,
>>>>>>>>>
>>>>>>>>> We were wondering if anyone has had any success in configuring Web Auth for the Huawei AC? It's somewhat critical for us to get this going.
>>>>>>>>>
>>>>>>>>> Thank you!
>>>>>>>>> Jorge
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> PacketFence-users mailing list
>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
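
Added example, not part of the original thread and not PacketFence or Huawei code: decoding the request targets from the haproxy lines quoted above shows why the AC percent-encodes the login URL (the hand-pasted, unencoded destination_url loses its &password= part to the outer query string) and how to mask the username/password values that this GET-based login leaves in proxy logs. The helper names and the parameter names in SENSITIVE are assumptions made for the illustration.

```python
import re
from urllib.parse import parse_qsl, quote

# Request fields copied from the haproxy excerpts quoted in the thread.
AC_ENCODED = ('"GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy'
              '%2Emx%3A8443%2Flogin HTTP/1.1"')
HAND_PASTED = ('"GET /captive-portal?destination_url=https://portal.fispy.mx:8443'
               '/login?username=539z&password=0uf3 HTTP/1.1"')
AC_PARAMS = ('"GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70'
             '%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"')

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: credential parameter names, taken from the AC login URL.
SENSITIVE = ("username", "password")
# Matches name=value and the escaped form name%3Dvalue, stopping at & or %26.
REDACT_RE = re.compile(
    r'(' + "|".join(SENSITIVE) + r')(=|%3D)(?:(?!%26)[^&\s"])*', re.IGNORECASE)


def query_params(target):
    """Decode the query string of a URL or request target, as the portal sees it."""
    return dict(parse_qsl(target.partition("?")[2], keep_blank_values=True))


def portal_params(request_line):
    """Extract the request target from a haproxy request field and decode it."""
    match = REQUEST_RE.search(request_line)
    if match is None:
        raise ValueError("no HTTP request field in log line")
    return query_params(match.group("target"))


def embed_login_url(portal_url, name, login_url):
    """Percent-encode a nested URL so it stays a single query parameter."""
    return f"{portal_url}?{quote(name, safe='')}={quote(login_url, safe='')}"


def redact(text):
    """Mask credential values, plain or percent-encoded, before logs are kept."""
    return REDACT_RE.sub(r"\1\2<redacted>", text)


if __name__ == "__main__":
    for line in (AC_ENCODED, AC_PARAMS, HAND_PASTED):
        print(portal_params(line))
        print(redact(line))
    nested = "https://portal.fispy.mx:8443/login?username=539z&password=0uf3"
    fixed = embed_login_url("https://wifi.fispy.mx/captive-portal",
                            "destination_url", nested)
    print(query_params(fixed) == {"destination_url": nested}, redact(fixed))
```

The encoded form from the AC decodes to the single parameter switch_url, while the hand-pasted request reaches the portal as two parameters, destination_url (cut off after username) and password.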