Hi Fabrice, From the Pf portal after the patch is applied.
type: 'Huawei' is not a valid value The chosen type (Huawei) is not supported. > On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote: > > > This is the only option on the config. > > <Screen Shot 2022-02-06 at 6.48.16 PM.png> > > >> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com >> <mailto:jno...@gmail.com>> wrote: >> >> Hi Fabrice, >> >> Getting an error page from PF >> >> Not Implemented >> GET no supported for current URL. >> >> How is the switch supposed to be defined in PF? >> >> >> >>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com >>> <mailto:oeufd...@gmail.com>> wrote: >>> >>> I am just not sure what to set for username and password, if you do sms >>> auth then there is no password. >>> >>> Also in the url it looks that it miss the mac address of the device , can >>> you try to add device-mac and see if the device mac is in the url ? >>> >>> Here the first draft: >>> >>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>> >>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>> >>> cd /usr/local/pf/ >>> curl >>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>> >>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>> | patch -p1 >>> >>> then restart packetfence. >>> >>> On the controller: >>> >>> url-template name PacketFence >>> url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal>Hawei >>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid >>> user-mac ap-mac >>> >>> So when the device will be forwarded to the portal it should be able to >>> recognise the mac address and the ip of the device (in the bottom). >>> >>> Register on the portal and you should be forwarded to >>> http://$controller_ip:8443/login?username=bob&password=bob >>> <http://$controller_ip:8443/login?username=bob&password=bob> >>> >>> Let me know how it behave. >>> >>> Regards >>> Fabrice >>> >>> >>> >>> >>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla <jno...@gmail.com >>> <mailto:jno...@gmail.com>> a écrit : >>> Hi Fabrice >>> >>> This is the GET the AC is expecting: >>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>> >>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>> >>> If successful it will return as per image below. If it fails the AC will >>> redirect back to the Portal >>> >>> <WebAuthentication.png> >>> >>> >>> Here is the configuration: >>> >>> url-template name PacketFence >>> url https://wifi.fispy.mx/captive-portal >>> <https://wifi.fispy.mx/captive-portal> >>> url-parameter login-url destination_url >>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>> >>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>> >>> >>> HA Proxy output >>> >>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 >>> <http://10.9.70.173:52266/> [06/Feb/2022:16:44:26.153] >>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >>> 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx >>> <http://wifi.fispy.mx/>} "GET >>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>> >>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>> HTTP/1.1" >>> >>> Only problem is that PacketFence is not updating the dynamic values with >>> username and password for it to work >>> >>> AC = Access Controller. This manages the APs’ as they are operating in >>> Fit/Lightweight mode. >>> AP = Access Points. These are the actual radios. >>> >>> Best Regards, >>> Jorge >>> >>> >>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com >>>> <mailto:oeufd...@gmail.com>> wrote: >>>> >>>> Hello Jorge, >>>> >>>> i have what i need at least to be able to support the web-auth. >>>> The only thing i am not sure is at the end of the registration process >>>> what we are supposed to do. >>>> >>>> I will create a branch on github in order for you to test. (it will be an >>>> update of the Huawei switch module). >>>> >>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac ? >>>> >>>> Regards >>>> Fabrice >>>> >>>> >>>> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <jno...@gmail.com >>>> <mailto:jno...@gmail.com>> a écrit : >>>> If I try to manually send the redirect in the browser here is what HA >>>> proxy records. This is a simple copy and paste in the browser and the >>>> output: >>>> >>>> https://wifi.fispy.mx/captive-portal >>>> <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> >>>> >>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> HTTP/1.1" >>>> >>>> >>>> It doesn’t let it go through as it seems that is trying to validate >>>> network connectivity >>>> >>>> >>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com >>>>> <mailto:jno...@gmail.com>> wrote: >>>>> >>>>> Seems weird how the format of the URL is recorded/sent >>>>> >>>>> >>>>> Here is a normal redirect, the url is formatted correctly, >>>>> >>>>> >>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >>>>> <http://10.99.1.20:63577/> [06/Feb/2022:16:03:41.232] >>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>> <http://127.0.0.1/> 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 >>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>> /captive-portal?destination_url=https://www.fispy.mx/ >>>>> <https://www.fispy.mx/> HTTP/1.1" >>>>> >>>>> I’m not sure why the value sent by the AP has all the % and weird >>>>> symbols >>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >>>>> >>>>> >>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com >>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>> >>>>>> Hi Fabrice, >>>>>> >>>>>> Here are the options that can be added: >>>>>> >>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>>>>> ap-group-name AP group name >>>>>> ap-ip AP IP address >>>>>> ap-location AP location >>>>>> ap-mac AP MAC address >>>>>> ap-name AP name >>>>>> device-ip Device IP address >>>>>> device-mac Device MAC address >>>>>> login-url Device's login URL provided to the external portal >>>>>> server >>>>>> mac-address Mac address >>>>>> redirect-url The url in user original http packet >>>>>> set Set >>>>>> ssid SSID >>>>>> sysname Device name >>>>>> user-ipaddress User IP address >>>>>> user-mac User MAC address >>>>>> >>>>>> >>>>>> url-template name PacketFence >>>>>> url https://wifi.fispy.mx/captive-portal >>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac >>>>>> ap-mac >>>>>> >>>>>> >>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>> "GET >>>>>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>>>>> HTTP/1.1" >>>>>> >>>>>> >>>>>> If we do not specify the URL on this configuration, where would >>>>>> PacketFence get the value for the AC Web Authentication call? >>>>>> >>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>> >>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>> >>>>>> Best Regards, >>>>>> Jorge >>>>>> >>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>> >>>>>>> Hello Jorge, >>>>>>> >>>>>>> what we need is the user mac and the ap information. >>>>>>> I found that >>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>>>>> >>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template> >>>>>>> >>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ? >>>>>>> >>>>>>> And if yes can you provide me the url generated by the controller when >>>>>>> it redirect ? (haproxy-portal log) >>>>>>> >>>>>>> Regards >>>>>>> Fabrice >>>>>>> >>>>>>> >>>>>>> >>>>>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com >>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>> Hi Team, >>>>>>> >>>>>>> Any input on this? We really would like to get this to work. >>>>>>> >>>>>>> Thank you! >>>>>>> Jorge >>>>>>> >>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com >>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>> >>>>>>>> Hi Fabrice, >>>>>>>> >>>>>>>> This is the sequence: >>>>>>>> >>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663] >>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>> <http://127.0.0.1/> 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 >>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905] >>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/2/2 >>>>>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>>>>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1" >>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927] >>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>> HTTP/1.1" >>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060] >>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>> <http://127.0.0.1/> 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 >>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219] >>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/1/1 >>>>>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>>>>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1" >>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287] >>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>> HTTP/1.1” >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>> >>>>>>>>> Hello Jorge, >>>>>>>>> >>>>>>>>> i will have a look closer. >>>>>>>>> But i have a question, when the device is forwarded to the captive >>>>>>>>> portal, (just before >>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>> >>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>>>>> , what is the url ? >>>>>>>>> You should be able to see it in the haproxy-portal.log file. >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> Fabrice >>>>>>>>> >>>>>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com >>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>> Hi Fabrice, >>>>>>>>> >>>>>>>>> >>>>>>>>> We almost have the configuration working, but are not sure how to get >>>>>>>>> the redirect to the client to work correctly. Attached is the >>>>>>>>> documentation for Cisco ISE which we used for PacketFence as well. >>>>>>>>> >>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC. >>>>>>>>> >>>>>>>>> This is the format the client should get from PacketFence. This is >>>>>>>>> the only piece we are missing for this to work. >>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>> >>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>> >>>>>>>>> >>>>>>>>> If we manually click on the link above, then the flow of traffic >>>>>>>>> works correctly CLIENT > AC > RADIUS (PacketFence), and >>>>>>>>> authentication works. The problem is that when the user logs in to >>>>>>>>> the portal the redirect is broken. The parameter for the redirect >>>>>>>>> that PacketFence is serving, comes from a configuration parameter >>>>>>>>> within the AC. This configuration works fine for Cisco ISE, but the >>>>>>>>> URL format is not working for PacketFence. >>>>>>>>> >>>>>>>>> >>>>>>>>> When we configure the redirect this is what the client is getting >>>>>>>>> from PacketFence >>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>> >>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin> >>>>>>>>> >>>>>>>>> >>>>>>>>> url-template name PacketFence >>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>> url-parameter login-url switch_url >>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR >>>>>>>>> THE REDIRECT TO PACKETFENCE >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> AC CONFIG >>>>>>>>> >>>>>>>>> authentication-profile name PacketFence >>>>>>>>> portal-access-profile PacketFence >>>>>>>>> free-rule-template default_free_rule >>>>>>>>> authentication-scheme PacketFence >>>>>>>>> accounting-scheme PacketFence >>>>>>>>> radius-server PacketFence >>>>>>>>> force-push url https://www.fispy.mx <https://www.fispy.mx/> >>>>>>>>> >>>>>>>>> radius-server template PacketFence >>>>>>>>> radius-server shared-key cipher >>>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%# >>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address >>>>>>>>> 10.7.255.2 weight 90 >>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address >>>>>>>>> 10.7.255.2 weight 80 >>>>>>>>> undo radius-server user-name domain-included >>>>>>>>> calling-station-id mac-format unformatted >>>>>>>>> called-station-id wlan-user-format ac-mac >>>>>>>>> radius-server attribute translate >>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>>>>> radius-attribute disable HW-Connect-ID send >>>>>>>>> radius-attribute disable HW-Version send >>>>>>>>> radius-attribute disable HW-Product-ID send >>>>>>>>> radius-attribute disable HW-Domain-Name send >>>>>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>>>>> >>>>>>>>> url-template name PacketFence >>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>> url-parameter login-url switch_url >>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR >>>>>>>>> THE REDIRECT TO PACKETFENCE >>>>>>>>> >>>>>>>>> web-auth-server PacketFence >>>>>>>>> server-ip 10.0.255.99 >>>>>>>>> port 443 >>>>>>>>> url-template PacketFence >>>>>>>>> protocol http >>>>>>>>> http get-method enable >>>>>>>>> >>>>>>>>> portal-access-profile name PacketFence >>>>>>>>> web-auth-server PacketFence direct >>>>>>>>> >>>>>>>>> >>>>>>>>> authentication-scheme PacketFence >>>>>>>>> authentication-mode radius >>>>>>>>> >>>>>>>>> wlan >>>>>>>>> security-profile name FISPY-WiFi >>>>>>>>> >>>>>>>>> vap-profile name FISPY-WiFi >>>>>>>>> service-vlan vlan-id 900 >>>>>>>>> permit-vlan vlan-id 900 >>>>>>>>> ssid-profile FISPY-WiFi >>>>>>>>> security-profile FISPY-WiFi >>>>>>>>> authentication-profile PacketFence >>>>>>>>> sta-network-detect disable >>>>>>>>> service-experience-analysis enable >>>>>>>>> mdns-snooping enable >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>>>>> >>>>>>>>> url-template name CISCO-ISE >>>>>>>>> url >>>>>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>>>>> >>>>>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02> >>>>>>>>> parameter start-mark # >>>>>>>>> url-parameter login-url switch_url >>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>> <https://portal.fispy.mx:8443/login> >>>>>>>>> >>>>>>>>> #################################### >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>> >>>>>>>>>> Hello Jorge, >>>>>>>>>> >>>>>>>>>> do you have any Huawei documentation to implement that ? >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> Fabrice >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users >>>>>>>>>> <packetfence-users@lists.sourceforge.net >>>>>>>>>> <mailto:packetfence-users@lists.sourceforge.net>> a écrit : >>>>>>>>>> Hi Team, >>>>>>>>>> >>>>>>>>>> We were wondering if anyone has had any success in configuring Web >>>>>>>>>> Auth for the Huawei AC? It’s somewhat critical for us to get this >>>>>>>>>> going. >>>>>>>>>> >>>>>>>>>> Thank you! >>>>>>>>>> Jorge >>>>>>>>>> >>>>>>>>>> _______________________________________________ >>>>>>>>>> PacketFence-users mailing list >>>>>>>>>> PacketFence-users@lists.sourceforge.net >>>>>>>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users> >>>>>>>>> >>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
