Fabrice, I’m not sure if the issue is with the format for the accounting request. Authentication proxy does work, but accounting does not. On the logs of the billing server this is what we see:
Authentication Packet: 09/02 08:24:56:3920 - [5blz ] - [ ] - [card] Accept Accounting Packet 10/02 09:58:55:0823 - [f0:2f:4b:14:67:d9 ] - [10.250.71.249 ] - Reject (IP accept) - [F02F4B1467D9] -> [C0-F6-C2-A5-C4-D0:FISPY-WiFi] Customer not found > On Feb 9, 2022, at 5:57 PM, Jorge Nolla <jno...@gmail.com> wrote: > > I noticed pfacct running and made the change, still no luck. > > <Screen Shot 2022-02-09 at 5.56.32 PM.png> > >> On Feb 9, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com >> <mailto:oeufd...@gmail.com>> wrote: >> >> Hello Jorge, >> you have to enable radius-acct service. >> >> It´s radius-acct who is able to proxy the request to another server, not >> pfacct (btw you can keep it enabled). >> >> Regards >> Fabrice >> >> >> Le mer. 9 févr. 2022 à 19:21, Jorge Nolla <jno...@gmail.com >> <mailto:jno...@gmail.com>> a écrit : >> >> Another configuration file with references to the billing server Splynx: >> >> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm >> <http://multi_domain_constants.pm/> >> package multi_domain_constants; >> >> our $VAR1 = { >> '1' => { >> 'ConfigRealm' => { >> 'local' => { >> 'radius_strip_username' >> => 'disabled', >> 'eap' => 'default', >> 'admin_strip_username' => >> 'disabled', >> 'portal_strip_username' >> => 'disabled' >> }, >> 'default' => { >> >> 'radius_acct_proxy_type' => 'load-balance', >> >> 'radius_auth_compute_in_pf' => 'disabled', >> >> 'eduroam_radius_auth_proxy_type' => 'keyed-balance', >> >> 'radius_auth_proxy_type' => 'keyed-balance', >> 'portal_strip_username' >> => 'disabled', >> 'admin_strip_username' >> => 'disabled', >> 'radius_auth' => '', >> 'radius_strip_username' >> => 'disabled', >> 'eap' => 'default', >> 'eduroam_radius_acct' >> => '', >> >> 'eduroam_radius_acct_proxy_type' => 'load-balance', >> >> 'permit_custom_attributes' => 'disabled', >> >> 'eduroam_radius_auth_compute_in_pf' => 'enabled', >> 'eduroam_radius_auth' >> => '', >> 'radius_acct' => '' >> }, >> 'null' => { >> 'eap' => 'default', >> 'radius_strip_username' => >> 'disabled', >> 'admin_strip_username' => >> 'disabled', >> 'portal_strip_username' => >> 'disabled' >> }, >> 'fispy.mx <http://fispy.mx/>' => { >> 'eduroam_radius_acct' >> => '', >> 'eap' => 'default', >> >> 'radius_strip_username' => 'enabled', >> 'admin_strip_username' >> => 'enabled', >> 'radius_auth' => >> 'Splynx', >> >> 'portal_strip_username' => 'enabled', >> >> 'eduroam_radius_auth_proxy_type' => 'keyed-balance', >> >> 'radius_auth_proxy_type' => 'keyed-balance', >> >> 'radius_acct_proxy_type' => 'load-balance', >> >> 'radius_auth_compute_in_pf' => 'enabled', >> 'eduroam_radius_auth' >> => '', >> 'radius_acct' => >> 'Splynx', >> >> 'eduroam_radius_auth_compute_in_pf' => 'enabled', >> >> 'eduroam_radius_acct_proxy_type' => 'load-balance', >> >> 'permit_custom_attributes' => 'disabled' >> } >> }, >> 'ConfigDomain' => {}, >> 'ConfigOrderedRealm' => [ >> 'default', >> 'local', >> 'null', >> 'fispy.mx <http://fispy.mx/>' >> ] >> }, >> '0' => { >> 'ConfigDomain' => {}, >> 'ConfigRealm' => {}, >> 'ConfigOrderedRealm' => [] >> } >> }; >> our $DATA = $VAR1; >> 1; >> [root@wifi raddb]# >> >> >> >>> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <jno...@gmail.com >>> <mailto:jno...@gmail.com>> wrote: >>> >>> Hi Team, >>> >>> Still can’t get accounting to proxy to the billing server. I don’t see the >>> configuration on the proxy.conf so I imagine is pulling from this file. >>> >>> >>> [root@wifi raddb]# cat proxy.conf.inc >>> # This file is generated from a template at >>> /usr/local/pf/conf/radiusd/proxy.conf.inc >>> # Any changes made to this file will be lost on restart >>> >>> # Eduroam integration is not configured >>> >>> realm default { >>> >>> } >>> realm local { >>> >>> } >>> realm null { >>> >>> } >>> realm fispy.mx <http://fispy.mx/> { >>> >>> auth_pool = auth_pool_fispy.mx <http://auth_pool_fispy.mx/> >>> acct_pool = acct_pool_fispy.mx <http://acct_pool_fispy.mx/> >>> } >>> home_server_pool auth_pool_fispy.mx <http://auth_pool_fispy.mx/> { >>> type = keyed-balance >>> home_server = Splynx >>> } >>> >>> home_server_pool acct_pool_fispy.mx <http://acct_pool_fispy.mx/> { >>> type = load-balance >>> home_server = Splynx >>> } >>> >>> >>> realm eduroam.default { >>> >>> } >>> >>> realm eduroam.local { >>> >>> } >>> >>> realm eduroam.null { >>> >>> } >>> >>> realm eduroam.fispy.mx <http://eduroam.fispy.mx/> { >>> >>> } >>> >>> >>> >>> >>> home_server Splynx { >>> ipaddr = 10.0.254.100 >>> port = 1812 >>> secret = @Put@Madr3 >>> type = auth+acct >>> status_check = status-server >>> } >>> >>> >>> >>> # pfacct configuration >>> >>> realm pfacct { >>> acct_pool = pfacct_pool >>> nostrip >>> } >>> >>> home_server_pool pfacct_pool { >>> home_server = pfacct_local >>> } >>> >>> home_server pfacct_local { >>> type = acct >>> ipaddr = 127.0.0.1 >>> port = 1813 >>> secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0' >>> src_ipaddr = 10.0.255.99 >>> } >>> >>>> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <jno...@gmail.com >>>> <mailto:jno...@gmail.com>> wrote: >>>> >>>> Fabrice, >>>> >>>> For some reason I cannot get accounting forwarding to the Billing/Radius >>>> Server. This server has the plans for the customers. >>>> >>>> <Screen Shot 2022-02-08 at 11.48.23 AM.png> >>>> >>>> >>>> <Screen Shot 2022-02-08 at 11.50.20 AM.png> >>>> >>>> >>>> <Screen Shot 2022-02-08 at 11.48.01 AM.png> >>>> >>>> >>>> <Screen Shot 2022-02-08 at 11.51.33 AM.png> >>>> >>>>> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <jno...@gmail.com >>>>> <mailto:jno...@gmail.com>> wrote: >>>>> >>>>> Hi Fabrice, >>>>> >>>>> It worked. I had to change to HTTPS and DNS for the cert on the server to >>>>> work. We also changed the method to GET. Will try POST, not sure if this >>>>> will make a difference. >>>>> >>>>> my $html_form = qq[ >>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>>>> action="https://portal.fispy.mx:8443/login >>>>> <https://portal.fispy.mx:8443/login>"> >>>>> <input type="hidden" name="username" value="$mac"> >>>>> <input type="hidden" name="password" value="$mac"> >>>>> </form> >>>>> <script src="/content/autosubmit.js" >>>>> type="text/javascript"></script> >>>>> >>>>> Here is the a sample of the radius info on PF. Top entry is with new >>>>> configuration MAC address as username. Bottom one is the old >>>>> configuration, where we were submitting the url request manually. >>>>> >>>>> <Screen Shot 2022-02-08 at 11.34.52 AM.png> >>>>> >>>>> >>>>>> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <oeufd...@gmail.com >>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>> >>>>>> Yes, that's it. >>>>>> >>>>>> Le mar. 8 févr. 2022 à 11:23, Jorge Nolla <jno...@gmail.com >>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>> Fabrice, >>>>>> >>>>>> The document you had provided didn’t layout the configuration steps. I >>>>>> think this might be the correct document for the configuration you are >>>>>> referring. If you have a chance take a look and let me know. >>>>>> >>>>>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064 >>>>>> <https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064> >>>>>> >>>>>> >>>>>> >>>>>>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com >>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>> >>>>>>> You can try that instead: >>>>>>> >>>>>>> my $html_form = qq[ >>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="POST" >>>>>>> action="http://$controller_ip:8443/login >>>>>>> <http://$controller_ip:8443/login>"> >>>>>>> <input type="hidden" name="username" value="$mac"> >>>>>>> <input type="hidden" name="password" value="$mac"> >>>>>>> </form> >>>>>>> <script src="/content/autosubmit.js" >>>>>>> type="text/javascript"></script> >>>>>>> ]; >>>>>>> >>>>>>> It will pass the mac address of the device in the radius request as >>>>>>> username and password instead of the real username and password who has >>>>>>> been authenticated previously on the portal. >>>>>>> Then you just need to configure the registration role in the switch >>>>>>> configuration to be -1 (packetfence side) and if the device is unreg >>>>>>> then the request will be rejected. >>>>>>> >>>>>>> >>>>>>> Le mar. 8 févr. 2022 à 11:04, Jorge Nolla <jno...@gmail.com >>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>> Hi Fabrice, >>>>>>> >>>>>>> Let me check what the difference is in configuration on the AC side, >>>>>>> I’ll report within the hour. Any clues as to why the parameters are not >>>>>>> being passed? >>>>>>> >>>>>>> >>>>>>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com >>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>> >>>>>>>> Hello Jorge, >>>>>>>> >>>>>>>> i really think that it´s not the correct way to support the web auth >>>>>>>> in Huawei. >>>>>>>> The only thing you can do with the portal is to authenticate with a >>>>>>>> username and password, there is no way to do anything else >>>>>>>> (sms/email/sponsor/....). >>>>>>>> >>>>>>>> Also when you authenticate on the portal , the portal validate your >>>>>>>> username and password and with the workflow you have it will >>>>>>>> authenticate twice (portal and radius) and it doesn´t make sense. >>>>>>>> >>>>>>>> So if you want to keep this way then you will need a simple html page >>>>>>>> with a username and password field that post on >>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>> <https://portal.fispy.mx:8443/login> then configure packetfence to >>>>>>>> authenticate the username and password from radius. >>>>>>>> >>>>>>>> The other way who looks really better is to use that: >>>>>>>> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2 >>>>>>>> >>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2>) >>>>>>>> >>>>>>>> <download.png> >>>>>>>> >>>>>>>> As i said , it´s exactly how it works with the cisco wlc and it will >>>>>>>> support all authentication mechanisms available on the portal. >>>>>>>> >>>>>>>> Regards >>>>>>>> Fabrice >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Le lun. 7 févr. 2022 à 20:25, Jorge Nolla <jno...@gmail.com >>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>> >>>>>>>> Radius request from the AC once it receives the correct values. This >>>>>>>> is sent back to Radius which in this case is PF >>>>>>>> >>>>>>>> User-Name = “5blz” <<< VALUE NEEDED IN URL as username >>>>>>>> User-Password = "******” <<< VALUE NEEDED IN URL as password >>>>>>>> NAS-IP-Address = 10.7.255.2 >>>>>>>> NAS-Port = 900 >>>>>>>> Service-Type = Framed-User >>>>>>>> Framed-Protocol = PPP >>>>>>>> Framed-IP-Address = 10.9.91.31 >>>>>>>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" >>>>>>>> Calling-Station-Id = "f0:2f:4b:14:67:d9" >>>>>>>> NAS-Identifier = "AirEngine9700-M1" >>>>>>>> NAS-Port-Type = Wireless-802.11 >>>>>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187" >>>>>>>> Event-Timestamp = "Feb 7 2022 18:05:13 MST" >>>>>>>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" >>>>>>>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0" >>>>>>>> Huawei-User-Mac = "\000\000\000\003" >>>>>>>> Stripped-User-Name = "5blz" >>>>>>>> Realm = "null" >>>>>>>> FreeRADIUS-Client-IP-Address = 10.7.255.2 >>>>>>>> Called-Station-SSID = "FISPY-WiFi" >>>>>>>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9" >>>>>>>> PacketFence-Radius-Ip = "10.0.255.99" >>>>>>>> SQL-User-Name = "5blz" >>>>>>>> >>>>>>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>> >>>>>>>>> Hi Fabrice, >>>>>>>>> >>>>>>>>> I did hardcode as follow: >>>>>>>>> >>>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>>>>>>>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob >>>>>>>>> <https://portal.fispy.mx:8443/login?username=bob&password=bob>" >>>>>>>>> style="display:none"> >>>>>>>>> >>>>>>>>> But the redirect which the client is getting, is only this part, not >>>>>>>>> sure why: >>>>>>>>> >>>>>>>>> https://portal.fispy.mx:8443/login? >>>>>>>>> <https://portal.fispy.mx:8443/login?> >>>>>>>>> >>>>>>>>> >>>>>>>>> Here is the flow of the External Portal Authentication as per Huawei. >>>>>>>>> Portal Server - Notify the STA of the login URL >>>>>>>>> STA - Send the username and password in HTTP GET POST. When this is >>>>>>>>> configured to use ISE as per the guide, the ISE server sends the >>>>>>>>> redirect to the STA as per the format. >>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>> >>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>> >>>>>>>>> >>>>>>>>> <PastedGraphic-1.tiff> >>>>>>>>> >>>>>>>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>> >>>>>>>>>> Did you try to hardcode that in the code and see if it works ? >>>>>>>>>> >>>>>>>>>> Also i don´t understand the goal of passing the username and >>>>>>>>>> password , is there any extra check after that ? What happen if the >>>>>>>>>> user register by sms/email ? >>>>>>>>>> >>>>>>>>>> And i just found that: >>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1 >>>>>>>>>> >>>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1> >>>>>>>>>> Is it something that can be configured on the Hawei ? If yes then it >>>>>>>>>> will mimic the way the Cisco WLC works. >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> Fabrice >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla <jno...@gmail.com >>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>> Hi Fabrice, >>>>>>>>>> >>>>>>>>>> This line needs to be HTTPS for it to work >>>>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>>>>>>>>> action="http://$controller_ip:8443/login?username=bob&password=bob >>>>>>>>>> <http://$controller_ip:8443/login?username=bob&password=bob>" >>>>>>>>>> style="display:none”> >>>>>>>>>> >>>>>>>>>> This needs to be the username and password which is being entered by >>>>>>>>>> the user in the PF portal, which is the Radius username and password >>>>>>>>>> username=bob&password=bob >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>> >>>>>>>>>>> I just pushed a fix. >>>>>>>>>>> >>>>>>>>>>> cd /usr/local/pf >>>>>>>>>>> curl >>>>>>>>>>> https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff >>>>>>>>>>> >>>>>>>>>>> <https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff> >>>>>>>>>>> | patch -p1 >>>>>>>>>>> and restart >>>>>>>>>>> >>>>>>>>>>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla <jno...@gmail.com >>>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: >>>>>>>>>>> httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected >>>>>>>>>>> as an external captive portal URI (pf::web::externalportal::handle) >>>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: >>>>>>>>>>> httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module >>>>>>>>>>> for switch type 'pf::Switch::Huawei'. Either switch type is unknown >>>>>>>>>>> or switch type perl module have compilation errors. See the >>>>>>>>>>> following message for details: (pf::web::externalportal::handle) >>>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: >>>>>>>>>>> httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected >>>>>>>>>>> as an external captive portal URI (pf::web::externalportal::handle) >>>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: >>>>>>>>>>> httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module >>>>>>>>>>> for switch type 'pf::Switch::Huawei'. Either switch type is unknown >>>>>>>>>>> or switch type perl module have compilation errors. See the >>>>>>>>>>> following message for details: (pf::web::externalportal::handle) >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Here is the output for HAProxy >>>>>>>>>>>> >>>>>>>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 >>>>>>>>>>>> <http://10.9.215.39:63814/> [07/Feb/2022:10:48:54.074] >>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 >>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>> /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 >>>>>>>>>>>> HTTP/1.1” >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>> >>>>>>>>>>>>> From the Pf portal after the patch is applied. >>>>>>>>>>>>> >>>>>>>>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is >>>>>>>>>>>>> not supported. >>>>>>>>>>>>> >>>>>>>>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> This is the only option on the config. >>>>>>>>>>>>>> >>>>>>>>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Getting an error page from PF >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Not Implemented >>>>>>>>>>>>>>> GET no supported for current URL. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> How is the switch supposed to be defined in PF? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> I am just not sure what to set for username and password, if >>>>>>>>>>>>>>>> you do sms auth then there is no password. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Also in the url it looks that it miss the mac address of the >>>>>>>>>>>>>>>> device , can you try to add device-mac and see if the device >>>>>>>>>>>>>>>> mac is in the url ? >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Here the first draft: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> cd /usr/local/pf/ >>>>>>>>>>>>>>>> curl >>>>>>>>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>>>>>>>>>>>>>>> | patch -p1 >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> then restart packetfence. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> On the controller: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>>>> url https://wifi.fispy.mx/ >>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>Hawei >>>>>>>>>>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress >>>>>>>>>>>>>>>> userip ssid ssid user-mac ap-mac >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> So when the device will be forwarded to the portal it should >>>>>>>>>>>>>>>> be able to recognise the mac address and the ip of the device >>>>>>>>>>>>>>>> (in the bottom). >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Register on the portal and you should be forwarded to >>>>>>>>>>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob >>>>>>>>>>>>>>>> <http://$controller_ip:8443/login?username=bob&password=bob> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Let me know how it behave. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>>>>>> Hi Fabrice >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> This is the GET the AC is expecting: >>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> If successful it will return as per image below. If it fails >>>>>>>>>>>>>>>> the AC will redirect back to the Portal >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <WebAuthentication.png> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Here is the configuration: >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>>>> url-parameter login-url destination_url >>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> HA Proxy output >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 >>>>>>>>>>>>>>>> <http://10.9.70.173:52266/> [06/Feb/2022:16:44:26.153] >>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 >>>>>>>>>>>>>>>> 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Only problem is that PacketFence is not updating the dynamic >>>>>>>>>>>>>>>> values with username and password for it to work >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> AC = Access Controller. This manages the APs’ as they are >>>>>>>>>>>>>>>> operating in Fit/Lightweight mode. >>>>>>>>>>>>>>>> AP = Access Points. These are the actual radios. >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> Best Regards, >>>>>>>>>>>>>>>> Jorge >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand >>>>>>>>>>>>>>>>> <oeufd...@gmail.com <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> i have what i need at least to be able to support the >>>>>>>>>>>>>>>>> web-auth. >>>>>>>>>>>>>>>>> The only thing i am not sure is at the end of the >>>>>>>>>>>>>>>>> registration process what we are supposed to do. >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> I will create a branch on github in order for you to test. >>>>>>>>>>>>>>>>> (it will be an update of the Huawei switch module). >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac >>>>>>>>>>>>>>>>> ? >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>>>>>>> If I try to manually send the redirect in the browser here is >>>>>>>>>>>>>>>>> what HA proxy records. This is a simple copy and paste in the >>>>>>>>>>>>>>>>> browser and the output: >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx >>>>>>>>>>>>>>>>> <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> >>>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> It doesn’t let it go through as it seems that is trying to >>>>>>>>>>>>>>>>> validate network connectivity >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly, >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >>>>>>>>>>>>>>>>>> <http://10.99.1.20:63577/> [06/Feb/2022:16:03:41.232] >>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/1/233/234 200 4910 - - ---- >>>>>>>>>>>>>>>>>> 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>>>>>>> /captive-portal?destination_url=https://www.fispy.mx/ >>>>>>>>>>>>>>>>>> <https://www.fispy.mx/> HTTP/1.1" >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and >>>>>>>>>>>>>>>>>> weird symbols >>>>>>>>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Here are the options that can be added: >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>>>>>>>>>>>>>>>>>> ap-group-name AP group name >>>>>>>>>>>>>>>>>>> ap-ip AP IP address >>>>>>>>>>>>>>>>>>> ap-location AP location >>>>>>>>>>>>>>>>>>> ap-mac AP MAC address >>>>>>>>>>>>>>>>>>> ap-name AP name >>>>>>>>>>>>>>>>>>> device-ip Device IP address >>>>>>>>>>>>>>>>>>> device-mac Device MAC address >>>>>>>>>>>>>>>>>>> login-url Device's login URL provided to the >>>>>>>>>>>>>>>>>>> external portal server >>>>>>>>>>>>>>>>>>> mac-address Mac address >>>>>>>>>>>>>>>>>>> redirect-url The url in user original http packet >>>>>>>>>>>>>>>>>>> set Set >>>>>>>>>>>>>>>>>>> ssid SSID >>>>>>>>>>>>>>>>>>> sysname Device name >>>>>>>>>>>>>>>>>>> user-ipaddress User IP address >>>>>>>>>>>>>>>>>>> user-mac User MAC address >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid >>>>>>>>>>>>>>>>>>> ssid user-mac ap-mac >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx >>>>>>>>>>>>>>>>>>> <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>>>>>>>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>>>>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> If we do not specify the URL on this configuration, where >>>>>>>>>>>>>>>>>>> would PacketFence get the value for the AC Web >>>>>>>>>>>>>>>>>>> Authentication call? >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> Best Regards, >>>>>>>>>>>>>>>>>>> Jorge >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand >>>>>>>>>>>>>>>>>>>> <oeufd...@gmail.com <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> what we need is the user mac and the ap information. >>>>>>>>>>>>>>>>>>>> I found that >>>>>>>>>>>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid >>>>>>>>>>>>>>>>>>>> ap-ip ap-mac ? >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> And if yes can you provide me the url generated by the >>>>>>>>>>>>>>>>>>>> controller when it redirect ? (haproxy-portal log) >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla >>>>>>>>>>>>>>>>>>>> <jno...@gmail.com <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>>>>>>>>>> Hi Team, >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Any input on this? We really would like to get this to >>>>>>>>>>>>>>>>>>>> work. >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> Thank you! >>>>>>>>>>>>>>>>>>>> Jorge >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> This is the sequence: >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663] >>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/201/201 200 7146 - - ---- >>>>>>>>>>>>>>>>>>>>> 3/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>>>>>>>>>>>>>>>>> "GET /access?lang= HTTP/1.1" >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905] >>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 >>>>>>>>>>>>>>>>>>>>> 0/0 {10.0.255.99} "GET >>>>>>>>>>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838705224 >>>>>>>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927] >>>>>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ---- >>>>>>>>>>>>>>>>>>>>> 4/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>>>>>>>>>>>>>>>>> "GET >>>>>>>>>>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060] >>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/129/129 200 7146 - - ---- >>>>>>>>>>>>>>>>>>>>> 4/2/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>>>>>>>>>>>>>>>>> "GET /access?lang= HTTP/1.1" >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219] >>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 >>>>>>>>>>>>>>>>>>>>> 0/0 {10.0.255.99} "GET >>>>>>>>>>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838716546 >>>>>>>>>>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287] >>>>>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ---- >>>>>>>>>>>>>>>>>>>>> 4/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>>>>>>>>>>>>>>>>> "GET >>>>>>>>>>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>>>>>>>>> HTTP/1.1” >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand >>>>>>>>>>>>>>>>>>>>>> <oeufd...@gmail.com <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> i will have a look closer. >>>>>>>>>>>>>>>>>>>>>> But i have a question, when the device is forwarded to >>>>>>>>>>>>>>>>>>>>>> the captive portal, (just before >>>>>>>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>>>>>>>>>>>>>>>>>> , what is the url ? >>>>>>>>>>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log >>>>>>>>>>>>>>>>>>>>>> file. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla >>>>>>>>>>>>>>>>>>>>>> <jno...@gmail.com <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> We almost have the configuration working, but are not >>>>>>>>>>>>>>>>>>>>>> sure how to get the redirect to the client to work >>>>>>>>>>>>>>>>>>>>>> correctly. Attached is the documentation for Cisco ISE >>>>>>>>>>>>>>>>>>>>>> which we used for PacketFence as well. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei >>>>>>>>>>>>>>>>>>>>>> AC. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> This is the format the client should get from >>>>>>>>>>>>>>>>>>>>>> PacketFence. This is the only piece we are missing for >>>>>>>>>>>>>>>>>>>>>> this to work. >>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> If we manually click on the link above, then the flow of >>>>>>>>>>>>>>>>>>>>>> traffic works correctly CLIENT > AC > RADIUS >>>>>>>>>>>>>>>>>>>>>> (PacketFence), and authentication works. The problem is >>>>>>>>>>>>>>>>>>>>>> that when the user logs in to the portal the redirect is >>>>>>>>>>>>>>>>>>>>>> broken. The parameter for the redirect that PacketFence >>>>>>>>>>>>>>>>>>>>>> is serving, comes from a configuration parameter within >>>>>>>>>>>>>>>>>>>>>> the AC. This configuration works fine for Cisco ISE, but >>>>>>>>>>>>>>>>>>>>>> the URL format is not working for PacketFence. >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> When we configure the redirect this is what the client >>>>>>>>>>>>>>>>>>>>>> is getting from PacketFence >>>>>>>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE >>>>>>>>>>>>>>>>>>>>>> PARAMETER FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> AC CONFIG >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> authentication-profile name PacketFence >>>>>>>>>>>>>>>>>>>>>> portal-access-profile PacketFence >>>>>>>>>>>>>>>>>>>>>> free-rule-template default_free_rule >>>>>>>>>>>>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>>>>>>>>>>>> accounting-scheme PacketFence >>>>>>>>>>>>>>>>>>>>>> radius-server PacketFence >>>>>>>>>>>>>>>>>>>>>> force-push url https://www.fispy.mx >>>>>>>>>>>>>>>>>>>>>> <https://www.fispy.mx/> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> radius-server template PacketFence >>>>>>>>>>>>>>>>>>>>>> radius-server shared-key cipher >>>>>>>>>>>>>>>>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%# >>>>>>>>>>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source >>>>>>>>>>>>>>>>>>>>>> ip-address 10.7.255.2 weight 90 >>>>>>>>>>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source >>>>>>>>>>>>>>>>>>>>>> ip-address 10.7.255.2 weight 80 >>>>>>>>>>>>>>>>>>>>>> undo radius-server user-name domain-included >>>>>>>>>>>>>>>>>>>>>> calling-station-id mac-format unformatted >>>>>>>>>>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac >>>>>>>>>>>>>>>>>>>>>> radius-server attribute translate >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Version send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send >>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE >>>>>>>>>>>>>>>>>>>>>> PARAMETER FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> web-auth-server PacketFence >>>>>>>>>>>>>>>>>>>>>> server-ip 10.0.255.99 >>>>>>>>>>>>>>>>>>>>>> port 443 >>>>>>>>>>>>>>>>>>>>>> url-template PacketFence >>>>>>>>>>>>>>>>>>>>>> protocol http >>>>>>>>>>>>>>>>>>>>>> http get-method enable >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> portal-access-profile name PacketFence >>>>>>>>>>>>>>>>>>>>>> web-auth-server PacketFence direct >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>>>>>>>>>>>> authentication-mode radius >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> wlan >>>>>>>>>>>>>>>>>>>>>> security-profile name FISPY-WiFi >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> vap-profile name FISPY-WiFi >>>>>>>>>>>>>>>>>>>>>> service-vlan vlan-id 900 >>>>>>>>>>>>>>>>>>>>>> permit-vlan vlan-id 900 >>>>>>>>>>>>>>>>>>>>>> ssid-profile FISPY-WiFi >>>>>>>>>>>>>>>>>>>>>> security-profile FISPY-WiFi >>>>>>>>>>>>>>>>>>>>>> authentication-profile PacketFence >>>>>>>>>>>>>>>>>>>>>> sta-network-detect disable >>>>>>>>>>>>>>>>>>>>>> service-experience-analysis enable >>>>>>>>>>>>>>>>>>>>>> mdns-snooping enable >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> url-template name CISCO-ISE >>>>>>>>>>>>>>>>>>>>>> url >>>>>>>>>>>>>>>>>>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02> >>>>>>>>>>>>>>>>>>>>>> parameter start-mark # >>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> #################################### >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand >>>>>>>>>>>>>>>>>>>>>>> <oeufd...@gmail.com <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> do you have any Huawei documentation to implement that ? >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via >>>>>>>>>>>>>>>>>>>>>>> PacketFence-users >>>>>>>>>>>>>>>>>>>>>>> <packetfence-users@lists.sourceforge.net >>>>>>>>>>>>>>>>>>>>>>> <mailto:packetfence-users@lists.sourceforge.net>> a >>>>>>>>>>>>>>>>>>>>>>> écrit : >>>>>>>>>>>>>>>>>>>>>>> Hi Team, >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> We were wondering if anyone has had any success in >>>>>>>>>>>>>>>>>>>>>>> configuring Web Auth for the Huawei AC? It’s somewhat >>>>>>>>>>>>>>>>>>>>>>> critical for us to get this going. >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> Thank you! >>>>>>>>>>>>>>>>>>>>>>> Jorge >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>>>>>>>>>> PacketFence-users mailing list >>>>>>>>>>>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net >>>>>>>>>>>>>>>>>>>>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>>>>>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
