Hello Jorge, you can try that: https://github.com/inverse-inc/packetfence/commit/e99698c955d596b6d04ef52c64a7aadc21f34e47 Regards Fabrice
Le ven. 11 févr. 2022 à 12:04, Jorge Nolla <jno...@gmail.com> a écrit : > Hi Fabrice, > > This is the last step for us to get this working, any thoughts? > > Thank you! > Jorge > > On Feb 10, 2022, at 6:05 PM, Jorge Nolla <jno...@gmail.com> wrote: > > Fabrice, > > With this configuration it seems PF is not doing any accounting, probably > because it is expecting the username to be the Mac. > > > On Feb 10, 2022, at 4:57 PM, Jorge Nolla <jno...@gmail.com> wrote: > > Fabrice, > > Looking at the reply of the Billing server to packet fence, it did not > accept the username and password. If we hardcode the username and password > instead of the $Mac then it works: > > > my $html_form = qq[ > <form name="weblogin_form" data-autosubmit="1000" method="GET" > action="https://portal.fispy.mx:8443/login";> > <input type="hidden" name="username" value="5blz”> username entered > in the web portal we need to dynamically pass this value <<< > <input type="hidden" name="password" value="21pu”> password entered > in the web portal we need to dynamically pass this value <<< > </form> > <script src="/content/autosubmit.js" type="text/javascript"></script> > > > RADIUS Request > User-Name = "5blz" > User-Password = "******" > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.129.39 > Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" > Calling-Station-Id = "f0:2f:4b:14:67:d9" > NAS-Identifier = "AirEngine9700-M1" > NAS-Port-Type = Wireless-802.11 > Acct-Session-Id = "AirEngi0000000000090012ad34060020d" > Event-Timestamp = "Feb 10 2022 16:49:02 MST" > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Connect-ID = 393741 > Huawei-Startup-Stamp = 1643301831 > Huawei-IPHost-Addr = "10.9.129.39 f0:2f:4b:14:67:d9" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Huawei-Version = "Huawei AirEngine9700-M1" > Huawei-Product-ID = "AC" > Stripped-User-Name = "5blz" > Realm = "null" > Realm = "null" > FreeRADIUS-Client-IP-Address = 10.7.255.2 > Called-Station-SSID = "FISPY-WiFi" > PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9" > PacketFence-Radius-Ip = "10.0.255.99" > SQL-User-Name = "5blz" > > > RADIUS Reply > Acct-Interim-Interval = 60 > REST-HTTP-Status-Code = 200 > > > > > On Feb 10, 2022, at 3:51 PM, Jorge Nolla <jno...@gmail.com> wrote: > > I’m no radius expert so I do apologize. I do see the request being > accepted by the billing server with the MAC as username. Not sure how what > gets translated, as there are no records of that Mac address configured on > the billing server. > > > 2022-02-10 15:44:22.487982 (109) Access-Request Id 170 any: > 10.0.255.99:47364 -> 10.0.254.100:1812 +122.837 > User-Name = "f0:2f:4b:14:67:d9" > User-Password = > "O\031\222\341p͑\256O\376N\260*CY\035\360\337\370\373x\313\036\004\267}&>\006g\3220" > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.215.255 > Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" > Calling-Station-Id = "f0:2f:4b:14:67:d9" > NAS-Identifier = "AirEngine9700-M1" > Proxy-State = 0x3937 > NAS-Port-Type = Wireless-802.11 > Acct-Session-Id = "AirEngi000000000009008e8f160600201" > Event-Timestamp = "Feb 10 2022 15:44:22 MST" > Message-Authenticator = 0x3f20f75cc25e65a3f6d4a928de8644fe > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Connect-ID = 393729 > Huawei-Startup-Stamp = 1643301831 > Huawei-IPHost-Addr = "10.9.215.255 f0:2f:4b:14:67:d9" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Huawei-Version = "Huawei AirEngine9700-M1" > Huawei-Product-ID = "AC" > Attr-26.29464.33 = 0x31302e302e3235352e3939 > Attr-26.29464.32 = > 0x3165623139616265663234666132396334383731346130343334323334323936 > Authenticator-Field = 0x337490bc1555238aad909eb52234a42e > 2022-02-10 15:44:22.504685 (110) Access-Accept Id 170 any: > 10.0.255.99:47364 <- 10.0.254.100:1812 +122.854 +0.016 > Framed-IP-Address = 10.250.68.42 > Session-Timeout = 299 > Proxy-State = 0x3937 > Authenticator-Field = 0xd5a830666d0bc44b13654de6c615f3a0 > > > > > On Feb 10, 2022, at 2:45 PM, Jorge Nolla <jno...@gmail.com> wrote: > > Here is the start of the accounting. Still the billing server is looking > for the username which was used to login, not the MAC. > > 2022-02-10 14:40:59.155697 (5169) Accounting-Request Id 59 any: > 10.0.255.99:48071 -> 10.0.254.100:1813 +68.397 > User-Name = "f0:2f:4b:14:67:d9" > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.149.208 > Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" > Calling-Station-Id = "f0:2f:4b:14:67:d9" > NAS-Identifier = "AirEngine9700-M1" > Proxy-State = 0x313939 > NAS-Port-Type = Wireless-802.11 > Acct-Status-Type = Start > Acct-Delay-Time = 0 > Acct-Session-Id = "AirEngi000000000009008391da06001f8" > Acct-Authentic = RADIUS > Event-Timestamp = "Feb 10 2022 14:40:58 MST" > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Connect-ID = 393720 > Huawei-IPHost-Addr = "10.9.149.208 f0:2f:4b:14:67:d9" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Attr-26.29464.32 = > 0x3165623139616265663234666132396334383731346130343334323334323936 > Authenticator-Field = 0x72352a9f7ff652f7e6a7c20a62ee551b > > On Feb 10, 2022, at 11:44 AM, Jorge Nolla <jno...@gmail.com> wrote: > > Fabrice, > > PF is sending the accounting data to the billing server. The problem is > the info does not match: > > PF: 10.0.255.99 > Billing server (Splynx): 10.0.254.100 > > > > 2022-02-10 11:39:32.968605 (12417) Accounting-Request Id 80 any: > 10.0.255.99:54246 -> 10.0.254.100:1813 +165.413 > > User-Name = "f0:2f:4b:14:67:d9” << this needs to be the username entered > in the portal and not the MAC of the device of this to work. How can we > modify this? > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.120.192 > Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" > Calling-Station-Id = "f0:2f:4b:14:67:d9" > NAS-Identifier = "AirEngine9700-M1" > Proxy-State = 0x313734 > NAS-Port-Type = Wireless-802.11 > Acct-Status-Type = Stop > Acct-Delay-Time = 0 > Acct-Input-Octets = 432779 > Acct-Output-Octets = 22133343 > Acct-Session-Id = "AirEngi000000000009001d099206001ed" > Acct-Authentic = RADIUS > Acct-Session-Time = 299 > Acct-Input-Packets = 2643 > Acct-Output-Packets = 16634 > Acct-Terminate-Cause = Session-Timeout > Acct-Input-Gigawords = 0 > Acct-Output-Gigawords = 0 > Event-Timestamp = "Feb 10 2022 11:39:32 MST" > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Connect-ID = 393709 > Huawei-IPHost-Addr = "10.9.120.192 f0:2f:4b:14:67:d9" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Attr-26.29464.32 = > 0x3165623139616265663234666132396334383731346130343334323334323936 > Authenticator-Field = 0xb28b0b1cdf553d1c27a431568347fc4b > > > > > On Feb 9, 2022, at 6:12 PM, Jorge Nolla <jno...@gmail.com> wrote: > > Hi Fabrice, > > This is the output when It receives an accounting message from the > controller: > > > ^C[root@wifi jnolla]# radsniff -i any -f "port 1813" -x > Logging all events > Sniffing on (any) > 2022-02-09 18:10:33.642001 (1) Accounting-Request Id 147 any: > 10.7.255.2:62395 -> 10.0.255.99:1813 +0.000 > User-Name = "62:ca:49:92:a0:3d" > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.239.159 > Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi" > Calling-Station-Id = "62ca-4992-a03d" > NAS-Identifier = "AirEngine9700-M1" > NAS-Port-Type = Wireless-802.11 > Acct-Status-Type = Interim-Update > Acct-Delay-Time = 0 > Acct-Input-Octets = 131762920 > Acct-Output-Octets = 194531281 > Acct-Session-Id = "AirEngi0000000000090083f40606001b4" > Acct-Authentic = RADIUS > Acct-Session-Time = 33887 > Acct-Input-Packets = 211695 > Acct-Output-Packets = 221103 > Acct-Input-Gigawords = 0 > Acct-Output-Gigawords = 0 > Event-Timestamp = "Feb 9 2022 18:10:32 MST" > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Authenticator-Field = 0x86cc68cf43a59904f7d3c0e36e910008 > 2022-02-09 18:10:33.661871 (2) Accounting-Response Id 147 any: > 10.7.255.2:62395 <- 10.0.255.99:1813 +0.019 +0.019 > Reply-Message = "Accounting ok" > Authenticator-Field = 0xdfccea5174f4312f6e0784825583dbdf > 2022-02-09 18:10:38.861871 (1) Cleaning up request packet ID 147 > 2022-02-09 18:10:49.323597 (3) Accounting-Request Id 148 any: > 10.7.255.2:62395 -> 10.0.255.99:1813 +15.681 > User-Name = "62:ca:49:92:a0:3d" > NAS-IP-Address = 10.7.255.2 > NAS-Port = 900 > Service-Type = Framed-User > Framed-Protocol = PPP > Framed-IP-Address = 10.9.239.159 > Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi" > Calling-Station-Id = "62ca-4992-a03d" > NAS-Identifier = "AirEngine9700-M1" > NAS-Port-Type = Wireless-802.11 > Acct-Status-Type = Interim-Update > Acct-Delay-Time = 0 > Acct-Input-Octets = 131775665 > Acct-Output-Octets = 194533397 > Acct-Session-Id = "AirEngi0000000000090083f40606001b4" > Acct-Authentic = RADIUS > Acct-Session-Time = 33902 > Acct-Input-Packets = 211773 > Acct-Output-Packets = 221123 > Acct-Input-Gigawords = 0 > Acct-Output-Gigawords = 0 > Event-Timestamp = "Feb 9 2022 18:10:48 MST" > NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" > Huawei-Loopback-Address = "C0F6-C2A5-C4D0" > Huawei-User-Mac = "\000\000\000\003" > Authenticator-Field = 0x3fbec8864dcb325273ce4ba1da28e690 > 2022-02-09 18:10:49.342798 (4) Accounting-Response Id 148 any: > 10.7.255.2:62395 <- 10.0.255.99:1813 +15.700 +0.019 > Reply-Message = "Accounting ok" > Authenticator-Field = 0x15b54405e404decb5b3db3f58cc8d2cb > 2022-02-09 18:10:54.542798 (3) Cleaning up request packet ID 148 > > > > > On Feb 9, 2022, at 6:04 PM, Fabrice Durand <oeufd...@gmail.com> wrote: > > You have to restart pfacct and radiusd-acct. > > And check the accounting packet, not sure you have the realm in the > username attribute. > > raddebug -f /usr/local/pf/var/run/radiusd-acct.sock -t 300 > or > radsniff -i any -f "port 1813" -x > > Regards > Fabrice > > Le mer. 9 févr. 2022 à 19:57, Jorge Nolla <jno...@gmail.com> a écrit : > >> I noticed pfacct running and made the change, still no luck. >> >> <Screen Shot 2022-02-09 at 5.56.32 PM.png> >> >> On Feb 9, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote: >> >> Hello Jorge, >> you have to enable radius-acct service. >> >> It´s radius-acct who is able to proxy the request to another server, not >> pfacct (btw you can keep it enabled). >> >> Regards >> Fabrice >> >> >> Le mer. 9 févr. 2022 à 19:21, Jorge Nolla <jno...@gmail.com> a écrit : >> >>> >>> Another configuration file with references to the billing server Splynx: >>> >>> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm >>> package multi_domain_constants; >>> >>> our $VAR1 = { >>> '1' => { >>> 'ConfigRealm' => { >>> 'local' => { >>> >>> 'radius_strip_username' => 'disabled', >>> 'eap' => 'default', >>> >>> 'admin_strip_username' => 'disabled', >>> >>> 'portal_strip_username' => 'disabled' >>> }, >>> 'default' => { >>> >>> 'radius_acct_proxy_type' => 'load-balance', >>> >>> 'radius_auth_compute_in_pf' => 'disabled', >>> >>> 'eduroam_radius_auth_proxy_type' => 'keyed-balance', >>> >>> 'radius_auth_proxy_type' => 'keyed-balance', >>> >>> 'portal_strip_username' => 'disabled', >>> >>> 'admin_strip_username' => 'disabled', >>> 'radius_auth' => '', >>> >>> 'radius_strip_username' => 'disabled', >>> 'eap' => 'default', >>> >>> 'eduroam_radius_acct' => '', >>> >>> 'eduroam_radius_acct_proxy_type' => 'load-balance', >>> >>> 'permit_custom_attributes' => 'disabled', >>> >>> 'eduroam_radius_auth_compute_in_pf' => 'enabled', >>> >>> 'eduroam_radius_auth' => '', >>> 'radius_acct' => '' >>> }, >>> 'null' => { >>> 'eap' => 'default', >>> >>> 'radius_strip_username' => 'disabled', >>> 'admin_strip_username' >>> => 'disabled', >>> >>> 'portal_strip_username' => 'disabled' >>> }, >>> 'fispy.mx' => { >>> >>> 'eduroam_radius_acct' => '', >>> 'eap' => 'default', >>> >>> 'radius_strip_username' => 'enabled', >>> >>> 'admin_strip_username' => 'enabled', >>> 'radius_auth' => >>> 'Splynx', >>> >>> 'portal_strip_username' => 'enabled', >>> >>> 'eduroam_radius_auth_proxy_type' => 'keyed-balance', >>> >>> 'radius_auth_proxy_type' => 'keyed-balance', >>> >>> 'radius_acct_proxy_type' => 'load-balance', >>> >>> 'radius_auth_compute_in_pf' => 'enabled', >>> >>> 'eduroam_radius_auth' => '', >>> 'radius_acct' => >>> 'Splynx', >>> >>> 'eduroam_radius_auth_compute_in_pf' => 'enabled', >>> >>> 'eduroam_radius_acct_proxy_type' => 'load-balance', >>> >>> 'permit_custom_attributes' => 'disabled' >>> } >>> }, >>> 'ConfigDomain' => {}, >>> 'ConfigOrderedRealm' => [ >>> 'default', >>> 'local', >>> 'null', >>> 'fispy.mx' >>> ] >>> }, >>> '0' => { >>> 'ConfigDomain' => {}, >>> 'ConfigRealm' => {}, >>> 'ConfigOrderedRealm' => [] >>> } >>> }; >>> our $DATA = $VAR1; >>> 1; >>> [root@wifi raddb]# >>> >>> >>> >>> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <jno...@gmail.com> wrote: >>> >>> Hi Team, >>> >>> Still can’t get accounting to proxy to the billing server. I don’t see >>> the configuration on the proxy.conf so I imagine is pulling from this file. >>> >>> >>> [root@wifi raddb]# cat proxy.conf.inc >>> # This file is generated from a template at >>> /usr/local/pf/conf/radiusd/proxy.conf.inc >>> # Any changes made to this file will be lost on restart >>> >>> # Eduroam integration is not configured >>> >>> realm default { >>> >>> } >>> realm local { >>> >>> } >>> realm null { >>> >>> } >>> realm fispy.mx { >>> >>> auth_pool = auth_pool_fispy.mx >>> acct_pool = acct_pool_fispy.mx >>> } >>> home_server_pool auth_pool_fispy.mx { >>> type = keyed-balance >>> home_server = Splynx >>> } >>> >>> home_server_pool acct_pool_fispy.mx { >>> type = load-balance >>> home_server = Splynx >>> } >>> >>> >>> realm eduroam.default { >>> >>> } >>> >>> realm eduroam.local { >>> >>> } >>> >>> realm eduroam.null { >>> >>> } >>> >>> realm eduroam.fispy.mx { >>> >>> } >>> >>> >>> >>> >>> home_server Splynx { >>> ipaddr = 10.0.254.100 >>> port = 1812 >>> secret = @Put@Madr3 >>> type = auth+acct >>> status_check = status-server >>> } >>> >>> >>> >>> # pfacct configuration >>> >>> realm pfacct { >>> acct_pool = pfacct_pool >>> nostrip >>> } >>> >>> home_server_pool pfacct_pool { >>> home_server = pfacct_local >>> } >>> >>> home_server pfacct_local { >>> type = acct >>> ipaddr = 127.0.0.1 >>> port = 1813 >>> secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0' >>> src_ipaddr = 10.0.255.99 >>> } >>> >>> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <jno...@gmail.com> wrote: >>> >>> Fabrice, >>> >>> For some reason I cannot get accounting forwarding to the Billing/Radius >>> Server. This server has the plans for the customers. >>> >>> <Screen Shot 2022-02-08 at 11.48.23 AM.png> >>> >>> >>> <Screen Shot 2022-02-08 at 11.50.20 AM.png> >>> >>> >>> <Screen Shot 2022-02-08 at 11.48.01 AM.png> >>> >>> >>> <Screen Shot 2022-02-08 at 11.51.33 AM.png> >>> >>> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <jno...@gmail.com> wrote: >>> >>> Hi Fabrice, >>> >>> It worked. I had to change to HTTPS and DNS for the cert on the server >>> to work. We also changed the method to GET. Will try POST, not sure if this >>> will make a difference. >>> >>> my $html_form = qq[ >>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>> action="https://portal.fispy.mx:8443/login";> >>> <input type="hidden" name="username" value="$mac"> >>> <input type="hidden" name="password" value="$mac"> >>> </form> >>> <script src="/content/autosubmit.js" >>> type="text/javascript"></script> >>> >>> Here is the a sample of the radius info on PF. Top entry is with new >>> configuration MAC address as username. Bottom one is the old configuration, >>> where we were submitting the url request manually. >>> >>> <Screen Shot 2022-02-08 at 11.34.52 AM.png> >>> >>> >>> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <oeufd...@gmail.com> wrote: >>> >>> Yes, that's it. >>> >>> Le mar. 8 févr. 2022 à 11:23, Jorge Nolla <jno...@gmail.com> a écrit : >>> >>>> Fabrice, >>>> >>>> The document you had provided didn’t layout the configuration steps. I >>>> think this might be the correct document for the configuration you are >>>> referring. If you have a chance take a look and let me know. >>>> >>>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064 >>>> >>>> >>>> >>>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com> wrote: >>>> >>>> You can try that instead: >>>> >>>> my $html_form = qq[ >>>> <form name="weblogin_form" data-autosubmit="1000" method="POST" >>>> action="http://$controller_ip:8443/login";> >>>> <input type="hidden" name="username" value="$mac"> >>>> <input type="hidden" name="password" value="$mac"> >>>> </form> >>>> <script src="/content/autosubmit.js" >>>> type="text/javascript"></script> >>>> ]; >>>> >>>> It will pass the mac address of the device in the radius request as >>>> username and password instead of the real username and password who has >>>> been authenticated previously on the portal. >>>> Then you just need to configure the registration role in the switch >>>> configuration to be -1 (packetfence side) and if the device is unreg then >>>> the request will be rejected. >>>> >>>> >>>> Le mar. 8 févr. 2022 à 11:04, Jorge Nolla <jno...@gmail.com> a écrit : >>>> >>>>> Hi Fabrice, >>>>> >>>>> Let me check what the difference is in configuration on the AC side, >>>>> I’ll report within the hour. Any clues as to why the parameters are not >>>>> being passed? >>>>> >>>>> >>>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote: >>>>> >>>>> Hello Jorge, >>>>> >>>>> i really think that it´s not the correct way to support the web auth >>>>> in Huawei. >>>>> The only thing you can do with the portal is to authenticate with a >>>>> username and password, there is no way to do anything else >>>>> (sms/email/sponsor/....). >>>>> >>>>> Also when you authenticate on the portal , the portal validate your >>>>> username and password and with the workflow you have it will authenticate >>>>> twice (portal and radius) and it doesn´t make sense. >>>>> >>>>> So if you want to keep this way then you will need a simple html page >>>>> with a username and password field that post on >>>>> https://portal.fispy.mx:8443/login then configure packetfence to >>>>> authenticate the username and password from radius. >>>>> >>>>> The other way who looks really better is to use that: ( >>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2 >>>>> ) >>>>> >>>>> <download.png> >>>>> >>>>> As i said , it´s exactly how it works with the cisco wlc and it will >>>>> support all authentication mechanisms available on the portal. >>>>> >>>>> Regards >>>>> Fabrice >>>>> >>>>> >>>>> >>>>> >>>>> Le lun. 7 févr. 2022 à 20:25, Jorge Nolla <jno...@gmail.com> a écrit : >>>>> >>>>>> >>>>>> Radius request from the AC once it receives the correct values. This >>>>>> is sent back to Radius which in this case is PF >>>>>> >>>>>> User-Name = “5blz” *<<< VALUE NEEDED IN URL as username* >>>>>> User-Password = "******” *<<< VALUE NEEDED IN URL as password* >>>>>> NAS-IP-Address = 10.7.255.2 NAS-Port = 900 Service-Type = Framed-User >>>>>> Framed-Protocol = PPP Framed-IP-Address = 10.9.91.31 Called-Station-Id = >>>>>> "c0:f6:c2:a5:c4:d0:FISPY-WiFi" Calling-Station-Id = "f0:2f:4b:14:67:d9" >>>>>> NAS-Identifier = "AirEngine9700-M1" NAS-Port-Type = Wireless-802.11 >>>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187" Event-Timestamp = >>>>>> "Feb 7 2022 18:05:13 MST" NAS-Port-Id = >>>>>> "slot=0;subslot=0;port=0;vlanid=900" Huawei-Loopback-Address = >>>>>> "C0F6-C2A5-C4D0" Huawei-User-Mac = "\000\000\000\003" Stripped-User-Name >>>>>> = >>>>>> "5blz" Realm = "null" FreeRADIUS-Client-IP-Address = 10.7.255.2 >>>>>> Called-Station-SSID = "FISPY-WiFi" PacketFence-KeyBalanced = >>>>>> "aa86741e358fa86079a91aaf4dc581f9" PacketFence-Radius-Ip = "10.0.255.99" >>>>>> SQL-User-Name = "5blz" >>>>>> >>>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>> >>>>>> Hi Fabrice, >>>>>> >>>>>> I did hardcode as follow: >>>>>> >>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>>>>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob"; >>>>>> style="display:none"> >>>>>> >>>>>> But the redirect which the client is getting, is only this part, not >>>>>> sure why: >>>>>> >>>>>> https://portal.fispy.mx:8443/login? >>>>>> >>>>>> >>>>>> Here is the flow of the External Portal Authentication as per Huawei. >>>>>> Portal Server - Notify the STA of the login URL >>>>>> STA - Send the username and password in HTTP GET POST. When this is >>>>>> configured to use ISE as per the guide, the ISE server sends the redirect >>>>>> to the STA as per the format. >>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>> >>>>>> >>>>>> <PastedGraphic-1.tiff> >>>>>> >>>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>> wrote: >>>>>> >>>>>> Did you try to hardcode that in the code and see if it works ? >>>>>> >>>>>> Also i don´t understand the goal of passing the username and password >>>>>> , is there any extra check after that ? What happen if the user register >>>>>> by >>>>>> sms/email ? >>>>>> >>>>>> And i just found that: >>>>>> >>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1 >>>>>> Is it something that can be configured on the Hawei ? If yes then it >>>>>> will mimic the way the Cisco WLC works. >>>>>> >>>>>> Regards >>>>>> Fabrice >>>>>> >>>>>> >>>>>> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla <jno...@gmail.com> a >>>>>> écrit : >>>>>> >>>>>>> Hi Fabrice, >>>>>>> >>>>>>> This line needs to be HTTPS for it to work >>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" >>>>>>> action="http://$controller_ip:8443/login?username=bob&password=bob"; >>>>>>> style="display:none”> >>>>>>> >>>>>>> This needs to be the username and password which is being entered by >>>>>>> the user in the PF portal, which is the Radius username and password >>>>>>> username=bob&password=bob >>>>>>> >>>>>>> >>>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>>> wrote: >>>>>>> >>>>>>> I just pushed a fix. >>>>>>> >>>>>>> cd /usr/local/pf >>>>>>> curl >>>>>>> https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff >>>>>>> | patch -p1 >>>>>>> and restart >>>>>>> >>>>>>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla <jno...@gmail.com> a >>>>>>> écrit : >>>>>>> >>>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log >>>>>>>> >>>>>>>> >>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: >>>>>>>> httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an >>>>>>>> external captive portal URI (pf::web::externalportal::handle) >>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: >>>>>>>> httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for >>>>>>>> switch >>>>>>>> type 'pf::Switch::Huawei'. Either switch type is unknown or switch type >>>>>>>> perl module have compilation errors. See the following message for >>>>>>>> details: >>>>>>>> (pf::web::externalportal::handle) >>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: >>>>>>>> httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an >>>>>>>> external captive portal URI (pf::web::externalportal::handle) >>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: >>>>>>>> httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for >>>>>>>> switch >>>>>>>> type 'pf::Switch::Huawei'. Either switch type is unknown or switch type >>>>>>>> perl module have compilation errors. See the following message for >>>>>>>> details: >>>>>>>> (pf::web::externalportal::handle) >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>> >>>>>>>> Here is the output for HAProxy >>>>>>>> >>>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 >>>>>>>> [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ >>>>>>>> 10.0.255.99-backend/ >>>>>>>> 127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} >>>>>>>> "GET >>>>>>>> /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 >>>>>>>> HTTP/1.1” >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>> >>>>>>>> Hi Fabrice, >>>>>>>> >>>>>>>> From the Pf portal after the patch is applied. >>>>>>>> >>>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not >>>>>>>> supported. >>>>>>>> >>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>> >>>>>>>> >>>>>>>> This is the only option on the config. >>>>>>>> >>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png> >>>>>>>> >>>>>>>> >>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>> >>>>>>>> Hi Fabrice, >>>>>>>> >>>>>>>> Getting an error page from PF >>>>>>>> >>>>>>>> Not Implemented >>>>>>>> GET no supported for current URL. >>>>>>>> >>>>>>>> How is the switch supposed to be defined in PF? >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>>>> wrote: >>>>>>>> >>>>>>>> I am just not sure what to set for username and password, if you do >>>>>>>> sms auth then there is no password. >>>>>>>> >>>>>>>> Also in the url it looks that it miss the mac address of the device >>>>>>>> , can you try to add device-mac and see if the device mac is in the >>>>>>>> url ? >>>>>>>> >>>>>>>> Here the first draft: >>>>>>>> >>>>>>>> >>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>> >>>>>>>> cd /usr/local/pf/ >>>>>>>> curl >>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>> | patch -p1 >>>>>>>> >>>>>>>> then restart packetfence. >>>>>>>> >>>>>>>> On the controller: >>>>>>>> >>>>>>>> url-template name PacketFence >>>>>>>> url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal> >>>>>>>> Hawei >>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress userip >>>>>>>> ssid ssid user-mac ap-mac >>>>>>>> >>>>>>>> So when the device will be forwarded to the portal it should be >>>>>>>> able to recognise the mac address and the ip of the device (in the >>>>>>>> bottom). >>>>>>>> >>>>>>>> Register on the portal and you should be forwarded to >>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob >>>>>>>> >>>>>>>> Let me know how it behave. >>>>>>>> >>>>>>>> Regards >>>>>>>> Fabrice >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla <jno...@gmail.com> a >>>>>>>> écrit : >>>>>>>> >>>>>>>>> Hi Fabrice >>>>>>>>> >>>>>>>>> This is the GET the AC is expecting: >>>>>>>>> >>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>> >>>>>>>>> If successful it will return as per image below. If it fails the >>>>>>>>> AC will redirect back to the Portal >>>>>>>>> >>>>>>>>> <WebAuthentication.png> >>>>>>>>> >>>>>>>>> >>>>>>>>> Here is the configuration: >>>>>>>>> >>>>>>>>> url-template name PacketFence >>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>> url-parameter login-url destination_url >>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>> >>>>>>>>> >>>>>>>>> HA Proxy output >>>>>>>>> >>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 >>>>>>>>> [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ >>>>>>>>> 10.0.255.99-backend/ >>>>>>>>> 127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 { >>>>>>>>> wifi.fispy.mx} "GET /captive-portal?destination_url= >>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>> HTTP/1.1" >>>>>>>>> >>>>>>>>> Only problem is that PacketFence is not updating the dynamic >>>>>>>>> values with username and password for it to work >>>>>>>>> >>>>>>>>> AC = Access Controller. This manages the APs’ as they are >>>>>>>>> operating in Fit/Lightweight mode. >>>>>>>>> AP = Access Points. These are the actual radios. >>>>>>>>> >>>>>>>>> Best Regards, >>>>>>>>> Jorge >>>>>>>>> >>>>>>>>> >>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>>>>> wrote: >>>>>>>>> >>>>>>>>> Hello Jorge, >>>>>>>>> >>>>>>>>> i have what i need at least to be able to support the web-auth. >>>>>>>>> The only thing i am not sure is at the end of the registration >>>>>>>>> process what we are supposed to do. >>>>>>>>> >>>>>>>>> I will create a branch on github in order for you to test. (it >>>>>>>>> will be an update of the Huawei switch module). >>>>>>>>> >>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac ? >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> Fabrice >>>>>>>>> >>>>>>>>> >>>>>>>>> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <jno...@gmail.com> a >>>>>>>>> écrit : >>>>>>>>> >>>>>>>>>> If I try to manually send the redirect in the browser here is >>>>>>>>>> what HA proxy records. This is a simple copy and paste in the >>>>>>>>>> browser and >>>>>>>>>> the output: >>>>>>>>>> >>>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url= >>>>>>>>>> https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>>> >>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET >>>>>>>>>> /captive-portal?destination_url= >>>>>>>>>> https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>>> HTTP/1.1" >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> It doesn’t let it go through as it seems that is trying to >>>>>>>>>> validate network connectivity >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>> Seems weird how the format of the URL is recorded/sent >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Here is a normal redirect, the url is formatted correctly, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >>>>>>>>>> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ >>>>>>>>>> 10.0.255.99-backend/ >>>>>>>>>> 127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 { >>>>>>>>>> wifi.fispy.mx} "GET /captive-portal?destination_url= >>>>>>>>>> https://www.fispy.mx/ HTTP/1.1" >>>>>>>>>> >>>>>>>>>> I’m not sure why the value sent by the AP has all the % and >>>>>>>>>> weird symbols >>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote: >>>>>>>>>> >>>>>>>>>> Hi Fabrice, >>>>>>>>>> >>>>>>>>>> Here are the options that can be added: >>>>>>>>>> >>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>>>>>>>>> ap-group-name AP group name >>>>>>>>>> ap-ip AP IP address >>>>>>>>>> ap-location AP location >>>>>>>>>> ap-mac AP MAC address >>>>>>>>>> ap-name AP name >>>>>>>>>> device-ip Device IP address >>>>>>>>>> device-mac Device MAC address >>>>>>>>>> login-url Device's login URL provided to the external >>>>>>>>>> portal server >>>>>>>>>> mac-address Mac address >>>>>>>>>> redirect-url The url in user original http packet >>>>>>>>>> set Set >>>>>>>>>> ssid SSID >>>>>>>>>> sysname Device name >>>>>>>>>> user-ipaddress User IP address >>>>>>>>>> user-mac User MAC address >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> url-template name PacketFence >>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid >>>>>>>>>> user-mac ap-mac >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET >>>>>>>>>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>>>>>>>>> HTTP/1.1" >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> If we do not specify the URL on this configuration, where would >>>>>>>>>> PacketFence get the value for the AC Web Authentication call? >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>> >>>>>>>>>> Best Regards, >>>>>>>>>> Jorge >>>>>>>>>> >>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>>>>>> wrote: >>>>>>>>>> >>>>>>>>>> Hello Jorge, >>>>>>>>>> >>>>>>>>>> what we need is the user mac and the ap information. >>>>>>>>>> I found that >>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>>>>>>>> >>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip >>>>>>>>>> ap-mac ? >>>>>>>>>> >>>>>>>>>> And if yes can you provide me the url generated by the controller >>>>>>>>>> when it redirect ? (haproxy-portal log) >>>>>>>>>> >>>>>>>>>> Regards >>>>>>>>>> Fabrice >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com> a >>>>>>>>>> écrit : >>>>>>>>>> >>>>>>>>>>> Hi Team, >>>>>>>>>>> >>>>>>>>>>> Any input on this? We really would like to get this to work. >>>>>>>>>>> >>>>>>>>>>> Thank you! >>>>>>>>>>> Jorge >>>>>>>>>>> >>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> Hi Fabrice, >>>>>>>>>>> >>>>>>>>>>> This is the sequence: >>>>>>>>>>> >>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>> [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 >>>>>>>>>>> 10.0.255.99-backend/ >>>>>>>>>>> 127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 { >>>>>>>>>>> wifi.fispy.mx} "GET /access?lang= HTTP/1.1" >>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>> [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/ >>>>>>>>>>> 127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 >>>>>>>>>>> {10.0.255.99} "GET >>>>>>>>>>> /common/network-access-detection.gif?r=1643838705224 >>>>>>>>>>> HTTP/1.1" >>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>> [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ >>>>>>>>>>> 10.0.255.99-backend/ >>>>>>>>>>> 127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 { >>>>>>>>>>> wifi.fispy.mx} "GET >>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>> HTTP/1.1" >>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>> [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 >>>>>>>>>>> 10.0.255.99-backend/ >>>>>>>>>>> 127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 { >>>>>>>>>>> wifi.fispy.mx} "GET /access?lang= HTTP/1.1" >>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>> [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/ >>>>>>>>>>> 127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 >>>>>>>>>>> {10.0.255.99} "GET >>>>>>>>>>> /common/network-access-detection.gif?r=1643838716546 >>>>>>>>>>> HTTP/1.1" >>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>> [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ >>>>>>>>>>> 10.0.255.99-backend/ >>>>>>>>>>> 127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 { >>>>>>>>>>> wifi.fispy.mx} "GET >>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>> HTTP/1.1” >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> >>>>>>>>>>> wrote: >>>>>>>>>>> >>>>>>>>>>> Hello Jorge, >>>>>>>>>>> >>>>>>>>>>> i will have a look closer. >>>>>>>>>>> But i have a question, when the device is forwarded to the >>>>>>>>>>> captive portal, (just before >>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>>>>>>> , what is the url ? >>>>>>>>>>> You should be able to see it in the haproxy-portal.log file. >>>>>>>>>>> >>>>>>>>>>> Regards >>>>>>>>>>> Fabrice >>>>>>>>>>> >>>>>>>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com> a >>>>>>>>>>> écrit : >>>>>>>>>>> >>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> We almost have the configuration working, but are not sure how >>>>>>>>>>>> to get the redirect to the client to work correctly. Attached is >>>>>>>>>>>> the >>>>>>>>>>>> documentation for Cisco ISE which we used for PacketFence as well. >>>>>>>>>>>> >>>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC. >>>>>>>>>>>> >>>>>>>>>>>> This is the format the client should get from PacketFence. This >>>>>>>>>>>> is the only piece we are missing for this to work. >>>>>>>>>>>> >>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> If we manually click on the link above, then the flow of >>>>>>>>>>>> traffic works correctly CLIENT > AC > RADIUS (PacketFence), and >>>>>>>>>>>> authentication works. The problem is that when the user logs in to >>>>>>>>>>>> the >>>>>>>>>>>> portal the redirect is broken. The parameter for the redirect that >>>>>>>>>>>> PacketFence is serving, comes from a configuration parameter >>>>>>>>>>>> within the AC. >>>>>>>>>>>> This configuration works fine for Cisco ISE, but the URL format is >>>>>>>>>>>> not >>>>>>>>>>>> working for PacketFence. >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> When we configure the redirect this is what the client is >>>>>>>>>>>> getting from PacketFence >>>>>>>>>>>> >>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>> https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER >>>>>>>>>>>> FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> AC CONFIG >>>>>>>>>>>> >>>>>>>>>>>> authentication-profile name PacketFence >>>>>>>>>>>> portal-access-profile PacketFence >>>>>>>>>>>> free-rule-template default_free_rule >>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>> accounting-scheme PacketFence >>>>>>>>>>>> radius-server PacketFence >>>>>>>>>>>> force-push url https://www.fispy.mx >>>>>>>>>>>> >>>>>>>>>>>> radius-server template PacketFence >>>>>>>>>>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@ >>>>>>>>>>>> ]<}NMejv3)E^\6;7:NUY%^%# >>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source >>>>>>>>>>>> ip-address 10.7.255.2 weight 90 >>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address >>>>>>>>>>>> 10.7.255.2 weight 80 >>>>>>>>>>>> undo radius-server user-name domain-included >>>>>>>>>>>> calling-station-id mac-format unformatted >>>>>>>>>>>> called-station-id wlan-user-format ac-mac >>>>>>>>>>>> radius-server attribute translate >>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>>>>>>>> radius-attribute disable HW-Connect-ID send >>>>>>>>>>>> radius-attribute disable HW-Version send >>>>>>>>>>>> radius-attribute disable HW-Product-ID send >>>>>>>>>>>> radius-attribute disable HW-Domain-Name send >>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>>>>>>>> >>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>> https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER >>>>>>>>>>>> FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>> >>>>>>>>>>>> web-auth-server PacketFence >>>>>>>>>>>> server-ip 10.0.255.99 >>>>>>>>>>>> port 443 >>>>>>>>>>>> url-template PacketFence >>>>>>>>>>>> protocol http >>>>>>>>>>>> http get-method enable >>>>>>>>>>>> >>>>>>>>>>>> portal-access-profile name PacketFence >>>>>>>>>>>> web-auth-server PacketFence direct >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>> authentication-mode radius >>>>>>>>>>>> >>>>>>>>>>>> wlan >>>>>>>>>>>> security-profile name FISPY-WiFi >>>>>>>>>>>> >>>>>>>>>>>> vap-profile name FISPY-WiFi >>>>>>>>>>>> service-vlan vlan-id 900 >>>>>>>>>>>> permit-vlan vlan-id 900 >>>>>>>>>>>> ssid-profile FISPY-WiFi >>>>>>>>>>>> security-profile FISPY-WiFi >>>>>>>>>>>> authentication-profile PacketFence >>>>>>>>>>>> sta-network-detect disable >>>>>>>>>>>> service-experience-analysis enable >>>>>>>>>>>> mdns-snooping enable >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>>>>>>>> >>>>>>>>>>>> url-template name CISCO-ISE >>>>>>>>>>>> url >>>>>>>>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>>>>>>>> parameter start-mark # >>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>> >>>>>>>>>>>> #################################### >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> >>>>>>>>>>>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>> >>>>>>>>>>>> do you have any Huawei documentation to implement that ? >>>>>>>>>>>> >>>>>>>>>>>> Regards >>>>>>>>>>>> Fabrice >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via >>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net> a >>>>>>>>>>>> écrit : >>>>>>>>>>>> >>>>>>>>>>>>> Hi Team, >>>>>>>>>>>>> >>>>>>>>>>>>> We were wondering if anyone has had any success in configuring >>>>>>>>>>>>> Web Auth for the Huawei AC? It’s somewhat critical for us to get >>>>>>>>>>>>> this going. >>>>>>>>>>>>> >>>>>>>>>>>>> Thank you! >>>>>>>>>>>>> Jorge >>>>>>>>>>>>> >>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>> PacketFence-users mailing list >>>>>>>>>>>> >>>>>>>>>>>> PacketFence-users@lists.sourceforge.net >>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >>> >>> >>> >> > > > > > > >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
