Fabrice,

The document you had provided didn’t lay out the configuration steps. I think this might be the correct document for the configuration you are referring to. If you have a chance, take a look and let me know.
https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064

> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> You can try that instead:
>
> my $html_form = qq[
> <form name="weblogin_form" data-autosubmit="1000" method="POST" action="http://$controller_ip:8443/login">
> <input type="hidden" name="username" value="$mac">
> <input type="hidden" name="password" value="$mac">
> </form>
> <script src="/content/autosubmit.js" type="text/javascript"></script>
> ];
>
> It will pass the mac address of the device in the radius request as username and password instead of the real username and password who has been authenticated previously on the portal.
> Then you just need to configure the registration role in the switch configuration to be -1 (packetfence side) and if the device is unreg then the request will be rejected.
>
> On Tue, Feb 8, 2022 at 11:04, Jorge Nolla <jno...@gmail.com> wrote:
> Hi Fabrice,
>
> Let me check what the difference is in configuration on the AC side, I’ll report within the hour. Any clues as to why the parameters are not being passed?
>
>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> Hello Jorge,
>>
>> I really think that it's not the correct way to support the web auth in Huawei.
>> The only thing you can do with the portal is to authenticate with a username and password, there is no way to do anything else (sms/email/sponsor/....).
>>
>> Also when you authenticate on the portal, the portal validates your username and password and with the workflow you have it will authenticate twice (portal and radius) and it doesn't make sense.
>>
>> So if you want to keep this way then you will need a simple html page with a username and password field that posts on https://portal.fispy.mx:8443/login then configure packetfence to authenticate the username and password from radius.
>>
>> The other way, which looks really better, is to use that:
>> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2)
>>
>> <download.png>
>>
>> As I said, it's exactly how it works with the cisco wlc and it will support all authentication mechanisms available on the portal.
>>
>> Regards
>> Fabrice
>>
>> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Radius request from the AC once it receives the correct values. This is sent back to Radius which in this case is PF
>>
>> User-Name = "5blz" <<< VALUE NEEDED IN URL as username
>> User-Password = "******" <<< VALUE NEEDED IN URL as password
>> NAS-IP-Address = 10.7.255.2
>> NAS-Port = 900
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.91.31
>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
>> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>> Huawei-User-Mac = "\000\000\000\003"
>> Stripped-User-Name = "5blz"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>> Called-Station-SSID = "FISPY-WiFi"
>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>> PacketFence-Radius-Ip = "10.0.255.99"
>> SQL-User-Name = "5blz"
>>
>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>
>>> Hi Fabrice,
>>>
>>> I did hardcode as follows:
>>>
>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login?username=bob&password=bob" style="display:none">
>>>
>>> But the redirect which the client is getting, is only this part, not sure why:
>>>
>>> https://portal.fispy.mx:8443/login?
>>>
>>> Here is the flow of the External Portal Authentication as per Huawei.
>>> Portal Server - Notify the STA of the login URL
>>> STA - Send the username and password in HTTP GET POST. When this is configured to use ISE as per the guide, the ISE server sends the redirect to the STA as per the format.
>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>
>>> <PastedGraphic-1.tiff>
>>>
>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>
>>>> Did you try to hardcode that in the code and see if it works?
>>>>
>>>> Also I don't understand the goal of passing the username and password, is there any extra check after that? What happens if the user registers by sms/email?
>>>>
>>>> And I just found that:
>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>>> Is it something that can be configured on the Huawei? If yes then it will mimic the way the Cisco WLC works.
>>>>
>>>> Regards
>>>> Fabrice
>>>>
>>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>>> Hi Fabrice,
>>>>
>>>> This line needs to be HTTPS for it to work
>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="http://$controller_ip:8443/login?username=bob&password=bob" style="display:none">
>>>>
>>>> This needs to be the username and password which is being entered by the user in the PF portal, which is the Radius username and password
>>>> username=bob&password=bob
>>>>
>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>
>>>>> I just pushed a fix.
>>>>>
>>>>> cd /usr/local/pf
>>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>>> and restart
>>>>>
>>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>>
>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>>
>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Here is the output for HAProxy
>>>>>>
>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>>>
>>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Fabrice,
>>>>>>>
>>>>>>> From the Pf portal after the patch is applied.
>>>>>>>
>>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not supported.
>>>>>>>
>>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> This is the only option on the config.
>>>>>>>>
>>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>>>
>>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> Getting an error page from PF
>>>>>>>>>
>>>>>>>>> Not Implemented
>>>>>>>>> GET no supported for current URL.
>>>>>>>>>
>>>>>>>>> How is the switch supposed to be defined in PF?
>>>>>>>>>
>>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> I am just not sure what to set for username and password, if you do sms auth then there is no password.
>>>>>>>>>>
>>>>>>>>>> Also in the url it looks like it is missing the mac address of the device, can you try to add device-mac and see if the device mac is in the url?
>>>>>>>>>>
>>>>>>>>>> Here is the first draft:
>>>>>>>>>>
>>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>>>
>>>>>>>>>> cd /usr/local/pf/
>>>>>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>>>>>
>>>>>>>>>> then restart packetfence.
>>>>>>>>>>
>>>>>>>>>> On the controller:
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>> url https://wifi.fispy.mx/Huawei
>>>>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>>
>>>>>>>>>> So when the device will be forwarded to the portal it should be able to recognise the mac address and the ip of the device (in the bottom).
>>>>>>>>>>
>>>>>>>>>> Register on the portal and you should be forwarded to http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>>>
>>>>>>>>>> Let me know how it behaves.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>> Hi Fabrice
>>>>>>>>>>
>>>>>>>>>> This is the GET the AC is expecting:
>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>> If successful it will return as per image below. If it fails the AC will redirect back to the Portal
>>>>>>>>>>
>>>>>>>>>> <WebAuthentication.png>
>>>>>>>>>>
>>>>>>>>>> Here is the configuration:
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>> url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>> HA Proxy output
>>>>>>>>>>
>>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>>>>
>>>>>>>>>> Only problem is that PacketFence is not updating the dynamic values with username and password for it to work
>>>>>>>>>>
>>>>>>>>>> AC = Access Controller. This manages the APs as they are operating in Fit/Lightweight mode.
>>>>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Jorge
>>>>>>>>>>
>>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>
>>>>>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>>>>>> The only thing I am not sure is at the end of the registration process what we are supposed to do.
>>>>>>>>>>>
>>>>>>>>>>> I will create a branch on github in order for you to test. (it will be an update of the Huawei switch module).
>>>>>>>>>>>
>>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Fabrice
>>>>>>>>>>>
>>>>>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>> If I try to manually send the redirect in the browser here is what HA proxy records.
>>>>>>>>>>> This is a simple copy and paste in the browser and the output:
>>>>>>>>>>>
>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>>>
>>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>>>>
>>>>>>>>>>> It doesn’t let it go through as it seems that is trying to validate network connectivity
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>>>>>
>>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>>>>>
>>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>>>>>
>>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and weird symbols
>>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Here are the options that can be added:
>>>>>>>>>>>>>
>>>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>>>>>>   ap-group-name   AP group name
>>>>>>>>>>>>>   ap-ip           AP IP address
>>>>>>>>>>>>>   ap-location     AP location
>>>>>>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>>>>>>   ap-name         AP name
>>>>>>>>>>>>>   device-ip       Device IP address
>>>>>>>>>>>>>   device-mac      Device MAC address
>>>>>>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>>>>>>   mac-address     Mac address
>>>>>>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>>>>>>   set             Set
>>>>>>>>>>>>>   ssid            SSID
>>>>>>>>>>>>>   sysname         Device name
>>>>>>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>>>>>>   user-mac        User MAC address
>>>>>>>>>>>>>
>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>>>>>
>>>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>>>>>>
>>>>>>>>>>>>> If we do not specify the URL on this configuration, where would PacketFence get the value for the AC Web Authentication call?
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> What we need is the user mac and the ap information.
>>>>>>>>>>>>>> I found that https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> And if yes can you provide me the url generated by the controller when it redirects? (haproxy-portal log)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is the sequence:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I will have a look closer.
>>>>>>>>>>>>>>>> But I have a question, when the device is forwarded to the captive portal, (just before https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin), what is the url?
>>>>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> We almost have the configuration working, but are not sure how to get the redirect to the client to work correctly. Attached is the documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Portal.fispy.mx is the Huawei AC.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is the format the client should get from PacketFence. This is the only piece we are missing for this to work.
>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If we manually click on the link above, then the flow of traffic works correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The problem is that when the user logs in to the portal the redirect is broken. The parameter for the redirect that PacketFence is serving, comes from a configuration parameter within the AC. This configuration works fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> When we configure the redirect this is what the client is getting from PacketFence
>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> AC CONFIG
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>>>>>>> portal-access-profile PacketFence
>>>>>>>>>>>>>>>> free-rule-template default_free_rule
>>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>>> accounting-scheme PacketFence
>>>>>>>>>>>>>>>> radius-server PacketFence
>>>>>>>>>>>>>>>> force-push url https://www.fispy.mx
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>>>>>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>>>>>>> undo radius-server user-name domain-included
>>>>>>>>>>>>>>>> calling-station-id mac-format unformatted
>>>>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac
>>>>>>>>>>>>>>>> radius-server attribute translate
>>>>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send
>>>>>>>>>>>>>>>> radius-attribute disable HW-Version send
>>>>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send
>>>>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send
>>>>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>>>>>>> server-ip 10.0.255.99
>>>>>>>>>>>>>>>> port 443
>>>>>>>>>>>>>>>> url-template PacketFence
>>>>>>>>>>>>>>>> protocol http
>>>>>>>>>>>>>>>> http get-method enable
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>>>>>>> web-auth-server PacketFence direct
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>>> authentication-mode radius
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> wlan
>>>>>>>>>>>>>>>> security-profile name FISPY-WiFi
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> vap-profile name FISPY-WiFi
>>>>>>>>>>>>>>>> service-vlan vlan-id 900
>>>>>>>>>>>>>>>> permit-vlan vlan-id 900
>>>>>>>>>>>>>>>> ssid-profile FISPY-WiFi
>>>>>>>>>>>>>>>> security-profile FISPY-WiFi
>>>>>>>>>>>>>>>> authentication-profile PacketFence
>>>>>>>>>>>>>>>> sta-network-detect disable
>>>>>>>>>>>>>>>> service-experience-analysis enable
>>>>>>>>>>>>>>>> mdns-snooping enable
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>>>>>>> url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>>>>>>> parameter start-mark #
>>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> ####################################
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Do you have any Huawei documentation to implement that?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> We were wondering if anyone has had any success in configuring Web Auth for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>>>>> Jorge
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
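
An added example, not part of the thread and not PacketFence's own code: portal-side handling of the AC redirect as it appears in the quoted haproxy-portal lines. It decodes and validates the percent-encoded `ac-ip`, `userip`, `ssid` and `ap-mac` parameters, and scrubs `username`/`password` values from a request line before the log is stored. The sample lines and credentials are constructed, and all function names are hypothetical.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SENSITIVE = {"username", "password"}  # query keys that must not reach log storage
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed log lines modelled on the haproxy-portal entries quoted in the thread;
# the credentials in the second line are made up.
SAMPLE_LOG = [
    '... {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2'
    '&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"',
    '... {wifi.fispy.mx} "GET /captive-portal?destination_url='
    'https://portal.fispy.mx:8443/login?username=alice&password=s3cret HTTP/1.1"',
]


def request_target(line):
    """Return the request target (path plus query) from one HAProxy HTTP log line."""
    match = REQUEST_RE.search(line)
    return match.group(1) if match else None


def normalize_mac(value):
    """Map 'f02f4b1467d9', 'F0-2F-4B-14-67-D9' or 'f02f-4b14-67d9' to the
    colon form RADIUS reports in Calling-Station-Id ('f0:2f:4b:14:67:d9')."""
    digits = re.sub(r"[-:.]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def portal_context(target):
    """Decode and validate the redirect parameters. The client's browser relays
    them, so they are untrusted input; parse_qsl undoes the %2D/%2E encoding.
    Raises KeyError or ValueError when a parameter is missing or malformed."""
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    return {
        "ac_ip": str(ipaddress.ip_address(params["ac-ip"])),
        "user_ip": str(ipaddress.ip_address(params["userip"])),
        "ssid": params["ssid"],
        "mac": normalize_mac(params["ap-mac"]),
    }


def redact_target(target):
    """Replace credential values in a URL's query, including a login URL nested
    inside another parameter. In the quoted request lines the nested URL is not
    percent-encoded, so 'password' parses as a top-level key; both levels are checked."""
    parts = urlsplit(target)
    cleaned = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE:
            value = "REDACTED"
        elif value.startswith(("http://", "https://")) and "?" in value:
            value = redact_target(value)
        cleaned.append((key, value))
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def scrub_log_line(line):
    """Return the log line with credentials removed; other lines pass through unchanged."""
    target = request_target(line)
    if target is None:
        return line
    cleaned = redact_target(target)
    return line.replace(target, cleaned) if "REDACTED" in cleaned else line


if __name__ == "__main__":
    print(portal_context(request_target(SAMPLE_LOG[0])))
    for entry in SAMPLE_LOG:
        print(scrub_log_line(entry))
```
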