What kind of authentication source do you use to authenticate?

On Fri, Feb 11, 2022 at 16:05, Jorge Nolla <jno...@gmail.com> wrote:
> Hi Fabrice,
>
> I did try $username, but it returns the DEFAULT username and not the
> actual username which was used to register the device with in the portal.
>
> On Feb 11, 2022, at 2:02 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Hello Jorge,
>
> you can try that:
>
> https://github.com/inverse-inc/packetfence/commit/e99698c955d596b6d04ef52c64a7aadc21f34e47
> Regards
> Fabrice
>
> On Fri, Feb 11, 2022 at 12:04, Jorge Nolla <jno...@gmail.com> wrote:
>
>> Hi Fabrice,
>>
>> This is the last step for us to get this working, any thoughts?
>>
>> Thank you!
>> Jorge
>>
>> On Feb 10, 2022, at 6:05 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Fabrice,
>>
>> With this configuration it seems PF is not doing any accounting, probably
>> because it is expecting the username to be the Mac.
>>
>> On Feb 10, 2022, at 4:57 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Fabrice,
>>
>> Looking at the reply of the Billing server to packet fence, it did not
>> accept the username and password. If we hardcode the username and password
>> instead of the $Mac then it works:
>>
>> my $html_form = qq[
>>     <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login">
>>         <input type="hidden" name="username" value="5blz"> username entered in the web portal we need to dynamically pass this value <<<
>>         <input type="hidden" name="password" value="21pu"> password entered in the web portal we need to dynamically pass this value <<<
>>     </form>
>>     <script src="/content/autosubmit.js" type="text/javascript"></script>
>>
>> RADIUS Request
>> User-Name = "5blz"
>> User-Password = "******"
>> NAS-IP-Address = 10.7.255.2
>> NAS-Port = 900
>> Service-Type = Framed-User
>> Framed-Protocol = PPP
>> Framed-IP-Address = 10.9.129.39
>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>> NAS-Identifier = "AirEngine9700-M1"
>> NAS-Port-Type = Wireless-802.11
>> Acct-Session-Id = "AirEngi0000000000090012ad34060020d"
>> Event-Timestamp = "Feb 10 2022 16:49:02 MST"
>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>> Huawei-Connect-ID = 393741
>> Huawei-Startup-Stamp = 1643301831
>> Huawei-IPHost-Addr = "10.9.129.39 f0:2f:4b:14:67:d9"
>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>> Huawei-User-Mac = "\000\000\000\003"
>> Huawei-Version = "Huawei AirEngine9700-M1"
>> Huawei-Product-ID = "AC"
>> Stripped-User-Name = "5blz"
>> Realm = "null"
>> Realm = "null"
>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>> Called-Station-SSID = "FISPY-WiFi"
>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>> PacketFence-Radius-Ip = "10.0.255.99"
>> SQL-User-Name = "5blz"
>>
>> RADIUS Reply
>> Acct-Interim-Interval = 60
>> REST-HTTP-Status-Code = 200
>>
>> On Feb 10, 2022, at 3:51 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> I’m no radius expert so I do apologize. I do see the request being
>> accepted by the billing server with the MAC as username. Not sure how what
>> gets translated, as there are no records of that Mac address configured on
>> the billing server.
>>
>> 2022-02-10 15:44:22.487982 (109) Access-Request Id 170 any:10.0.255.99:47364 -> 10.0.254.100:1812 +122.837
>>     User-Name = "f0:2f:4b:14:67:d9"
>>     User-Password = "O\031\222\341p͑\256O\376N\260*CY\035\360\337\370\373x\313\036\004\267}&>\006g\3220"
>>     NAS-IP-Address = 10.7.255.2
>>     NAS-Port = 900
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 10.9.215.255
>>     Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>     Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>     NAS-Identifier = "AirEngine9700-M1"
>>     Proxy-State = 0x3937
>>     NAS-Port-Type = Wireless-802.11
>>     Acct-Session-Id = "AirEngi000000000009008e8f160600201"
>>     Event-Timestamp = "Feb 10 2022 15:44:22 MST"
>>     Message-Authenticator = 0x3f20f75cc25e65a3f6d4a928de8644fe
>>     NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>     Huawei-Connect-ID = 393729
>>     Huawei-Startup-Stamp = 1643301831
>>     Huawei-IPHost-Addr = "10.9.215.255 f0:2f:4b:14:67:d9"
>>     Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>     Huawei-User-Mac = "\000\000\000\003"
>>     Huawei-Version = "Huawei AirEngine9700-M1"
>>     Huawei-Product-ID = "AC"
>>     Attr-26.29464.33 = 0x31302e302e3235352e3939
>>     Attr-26.29464.32 = 0x3165623139616265663234666132396334383731346130343334323334323936
>>     Authenticator-Field = 0x337490bc1555238aad909eb52234a42e
>> 2022-02-10 15:44:22.504685 (110) Access-Accept Id 170 any:10.0.255.99:47364 <- 10.0.254.100:1812 +122.854 +0.016
>>     Framed-IP-Address = 10.250.68.42
>>     Session-Timeout = 299
>>     Proxy-State = 0x3937
>>     Authenticator-Field = 0xd5a830666d0bc44b13654de6c615f3a0
>>
>> On Feb 10, 2022, at 2:45 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Here is the start of the accounting. Still the billing server is looking
>> for the username which was used to login, not the MAC.
>>
>> 2022-02-10 14:40:59.155697 (5169) Accounting-Request Id 59 any:10.0.255.99:48071 -> 10.0.254.100:1813 +68.397
>>     User-Name = "f0:2f:4b:14:67:d9"
>>     NAS-IP-Address = 10.7.255.2
>>     NAS-Port = 900
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 10.9.149.208
>>     Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>     Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>     NAS-Identifier = "AirEngine9700-M1"
>>     Proxy-State = 0x313939
>>     NAS-Port-Type = Wireless-802.11
>>     Acct-Status-Type = Start
>>     Acct-Delay-Time = 0
>>     Acct-Session-Id = "AirEngi000000000009008391da06001f8"
>>     Acct-Authentic = RADIUS
>>     Event-Timestamp = "Feb 10 2022 14:40:58 MST"
>>     NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>     Huawei-Connect-ID = 393720
>>     Huawei-IPHost-Addr = "10.9.149.208 f0:2f:4b:14:67:d9"
>>     Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>     Huawei-User-Mac = "\000\000\000\003"
>>     Attr-26.29464.32 = 0x3165623139616265663234666132396334383731346130343334323334323936
>>     Authenticator-Field = 0x72352a9f7ff652f7e6a7c20a62ee551b
>>
>> On Feb 10, 2022, at 11:44 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Fabrice,
>>
>> PF is sending the accounting data to the billing server. The problem is
>> the info does not match:
>>
>> PF: 10.0.255.99
>> Billing server (Splynx): 10.0.254.100
>>
>> 2022-02-10 11:39:32.968605 (12417) Accounting-Request Id 80 any:10.0.255.99:54246 -> 10.0.254.100:1813 +165.413
>>
>>     User-Name = "f0:2f:4b:14:67:d9" << this needs to be the username entered in the portal and not the MAC of the device for this to work. How can we modify this?
>>     NAS-IP-Address = 10.7.255.2
>>     NAS-Port = 900
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 10.9.120.192
>>     Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>     Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>     NAS-Identifier = "AirEngine9700-M1"
>>     Proxy-State = 0x313734
>>     NAS-Port-Type = Wireless-802.11
>>     Acct-Status-Type = Stop
>>     Acct-Delay-Time = 0
>>     Acct-Input-Octets = 432779
>>     Acct-Output-Octets = 22133343
>>     Acct-Session-Id = "AirEngi000000000009001d099206001ed"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 299
>>     Acct-Input-Packets = 2643
>>     Acct-Output-Packets = 16634
>>     Acct-Terminate-Cause = Session-Timeout
>>     Acct-Input-Gigawords = 0
>>     Acct-Output-Gigawords = 0
>>     Event-Timestamp = "Feb 10 2022 11:39:32 MST"
>>     NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>     Huawei-Connect-ID = 393709
>>     Huawei-IPHost-Addr = "10.9.120.192 f0:2f:4b:14:67:d9"
>>     Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>     Huawei-User-Mac = "\000\000\000\003"
>>     Attr-26.29464.32 = 0x3165623139616265663234666132396334383731346130343334323334323936
>>     Authenticator-Field = 0xb28b0b1cdf553d1c27a431568347fc4b
>>
>> On Feb 9, 2022, at 6:12 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Hi Fabrice,
>>
>> This is the output when it receives an accounting message from the
>> controller:
>>
>> ^C[root@wifi jnolla]# radsniff -i any -f "port 1813" -x
>> Logging all events
>> Sniffing on (any)
>> 2022-02-09 18:10:33.642001 (1) Accounting-Request Id 147 any:10.7.255.2:62395 -> 10.0.255.99:1813 +0.000
>>     User-Name = "62:ca:49:92:a0:3d"
>>     NAS-IP-Address = 10.7.255.2
>>     NAS-Port = 900
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 10.9.239.159
>>     Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
>>     Calling-Station-Id = "62ca-4992-a03d"
>>     NAS-Identifier = "AirEngine9700-M1"
>>     NAS-Port-Type = Wireless-802.11
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 0
>>     Acct-Input-Octets = 131762920
>>     Acct-Output-Octets = 194531281
>>     Acct-Session-Id = "AirEngi0000000000090083f40606001b4"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 33887
>>     Acct-Input-Packets = 211695
>>     Acct-Output-Packets = 221103
>>     Acct-Input-Gigawords = 0
>>     Acct-Output-Gigawords = 0
>>     Event-Timestamp = "Feb 9 2022 18:10:32 MST"
>>     NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>     Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>     Huawei-User-Mac = "\000\000\000\003"
>>     Authenticator-Field = 0x86cc68cf43a59904f7d3c0e36e910008
>> 2022-02-09 18:10:33.661871 (2) Accounting-Response Id 147 any:10.7.255.2:62395 <- 10.0.255.99:1813 +0.019 +0.019
>>     Reply-Message = "Accounting ok"
>>     Authenticator-Field = 0xdfccea5174f4312f6e0784825583dbdf
>> 2022-02-09 18:10:38.861871 (1) Cleaning up request packet ID 147
>> 2022-02-09 18:10:49.323597 (3) Accounting-Request Id 148 any:10.7.255.2:62395 -> 10.0.255.99:1813 +15.681
>>     User-Name = "62:ca:49:92:a0:3d"
>>     NAS-IP-Address = 10.7.255.2
>>     NAS-Port = 900
>>     Service-Type = Framed-User
>>     Framed-Protocol = PPP
>>     Framed-IP-Address = 10.9.239.159
>>     Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
>>     Calling-Station-Id = "62ca-4992-a03d"
>>     NAS-Identifier = "AirEngine9700-M1"
>>     NAS-Port-Type = Wireless-802.11
>>     Acct-Status-Type = Interim-Update
>>     Acct-Delay-Time = 0
>>     Acct-Input-Octets = 131775665
>>     Acct-Output-Octets = 194533397
>>     Acct-Session-Id = "AirEngi0000000000090083f40606001b4"
>>     Acct-Authentic = RADIUS
>>     Acct-Session-Time = 33902
>>     Acct-Input-Packets = 211773
>>     Acct-Output-Packets = 221123
>>     Acct-Input-Gigawords = 0
>>     Acct-Output-Gigawords = 0
>>     Event-Timestamp = "Feb 9 2022 18:10:48 MST"
>>     NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>     Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>     Huawei-User-Mac = "\000\000\000\003"
>>     Authenticator-Field = 0x3fbec8864dcb325273ce4ba1da28e690
>> 2022-02-09 18:10:49.342798 (4) Accounting-Response Id 148 any:10.7.255.2:62395 <- 10.0.255.99:1813 +15.700 +0.019
>>     Reply-Message = "Accounting ok"
>>     Authenticator-Field = 0x15b54405e404decb5b3db3f58cc8d2cb
>> 2022-02-09 18:10:54.542798 (3) Cleaning up request packet ID 148
>>
>> On Feb 9, 2022, at 6:04 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>
>> You have to restart pfacct and radiusd-acct.
>>
>> And check the accounting packet, not sure you have the realm in the
>> username attribute.
>>
>> raddebug -f /usr/local/pf/var/run/radiusd-acct.sock -t 300
>> or
>> radsniff -i any -f "port 1813" -x
>>
>> Regards
>> Fabrice
>>
>> On Wed, Feb 9, 2022 at 19:57, Jorge Nolla <jno...@gmail.com> wrote:
>>
>>> I noticed pfacct running and made the change, still no luck.
>>>
>>> <Screen Shot 2022-02-09 at 5.56.32 PM.png>
>>>
>>> On Feb 9, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Hello Jorge,
>>> you have to enable radius-acct service.
>>>
>>> It's radius-acct who is able to proxy the request to another server, not
>>> pfacct (btw you can keep it enabled).
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Wed, Feb 9, 2022 at 19:21, Jorge Nolla <jno...@gmail.com> wrote:
>>>
>>>> Another configuration file with references to the billing server Splynx:
>>>>
>>>> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
>>>> package multi_domain_constants;
>>>>
>>>> our $VAR1 = {
>>>>   '1' => {
>>>>     'ConfigRealm' => {
>>>>       'local' => {
>>>>         'radius_strip_username' => 'disabled',
>>>>         'eap' => 'default',
>>>>         'admin_strip_username' => 'disabled',
>>>>         'portal_strip_username' => 'disabled'
>>>>       },
>>>>       'default' => {
>>>>         'radius_acct_proxy_type' => 'load-balance',
>>>>         'radius_auth_compute_in_pf' => 'disabled',
>>>>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>>>>         'radius_auth_proxy_type' => 'keyed-balance',
>>>>         'portal_strip_username' => 'disabled',
>>>>         'admin_strip_username' => 'disabled',
>>>>         'radius_auth' => '',
>>>>         'radius_strip_username' => 'disabled',
>>>>         'eap' => 'default',
>>>>         'eduroam_radius_acct' => '',
>>>>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>>>>         'permit_custom_attributes' => 'disabled',
>>>>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>>>>         'eduroam_radius_auth' => '',
>>>>         'radius_acct' => ''
>>>>       },
>>>>       'null' => {
>>>>         'eap' => 'default',
>>>>         'radius_strip_username' => 'disabled',
>>>>         'admin_strip_username' => 'disabled',
>>>>         'portal_strip_username' => 'disabled'
>>>>       },
>>>>       'fispy.mx' => {
>>>>         'eduroam_radius_acct' => '',
>>>>         'eap' => 'default',
>>>>         'radius_strip_username' => 'enabled',
>>>>         'admin_strip_username' => 'enabled',
>>>>         'radius_auth' => 'Splynx',
>>>>         'portal_strip_username' => 'enabled',
>>>>         'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>>>>         'radius_auth_proxy_type' => 'keyed-balance',
>>>>         'radius_acct_proxy_type' => 'load-balance',
>>>>         'radius_auth_compute_in_pf' => 'enabled',
>>>>         'eduroam_radius_auth' => '',
>>>>         'radius_acct' => 'Splynx',
>>>>         'eduroam_radius_auth_compute_in_pf' => 'enabled',
>>>>         'eduroam_radius_acct_proxy_type' => 'load-balance',
>>>>         'permit_custom_attributes' => 'disabled'
>>>>       }
>>>>     },
>>>>     'ConfigDomain' => {},
>>>>     'ConfigOrderedRealm' => [
>>>>       'default',
>>>>       'local',
>>>>       'null',
>>>>       'fispy.mx'
>>>>     ]
>>>>   },
>>>>   '0' => {
>>>>     'ConfigDomain' => {},
>>>>     'ConfigRealm' => {},
>>>>     'ConfigOrderedRealm' => []
>>>>   }
>>>> };
>>>> our $DATA = $VAR1;
>>>> 1;
>>>> [root@wifi raddb]#
>>>>
>>>> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Hi Team,
>>>>
>>>> Still can’t get accounting to proxy to the billing server. I don’t see
>>>> the configuration on the proxy.conf so I imagine is pulling from this file.
>>>>
>>>> [root@wifi raddb]# cat proxy.conf.inc
>>>> # This file is generated from a template at /usr/local/pf/conf/radiusd/proxy.conf.inc
>>>> # Any changes made to this file will be lost on restart
>>>>
>>>> # Eduroam integration is not configured
>>>>
>>>> realm default {
>>>>
>>>> }
>>>> realm local {
>>>>
>>>> }
>>>> realm null {
>>>>
>>>> }
>>>> realm fispy.mx {
>>>>
>>>>     auth_pool = auth_pool_fispy.mx
>>>>     acct_pool = acct_pool_fispy.mx
>>>> }
>>>> home_server_pool auth_pool_fispy.mx {
>>>>     type = keyed-balance
>>>>     home_server = Splynx
>>>> }
>>>>
>>>> home_server_pool acct_pool_fispy.mx {
>>>>     type = load-balance
>>>>     home_server = Splynx
>>>> }
>>>>
>>>> realm eduroam.default {
>>>>
>>>> }
>>>>
>>>> realm eduroam.local {
>>>>
>>>> }
>>>>
>>>> realm eduroam.null {
>>>>
>>>> }
>>>>
>>>> realm eduroam.fispy.mx {
>>>>
>>>> }
>>>>
>>>> home_server Splynx {
>>>>     ipaddr = 10.0.254.100
>>>>     port = 1812
>>>>     secret = @Put@Madr3
>>>>     type = auth+acct
>>>>     status_check = status-server
>>>> }
>>>>
>>>> # pfacct configuration
>>>>
>>>> realm pfacct {
>>>>     acct_pool = pfacct_pool
>>>>     nostrip
>>>> }
>>>>
>>>> home_server_pool pfacct_pool {
>>>>     home_server = pfacct_local
>>>> }
>>>>
>>>> home_server pfacct_local {
>>>>     type = acct
>>>>     ipaddr = 127.0.0.1
>>>>     port = 1813
>>>>     secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0'
>>>>     src_ipaddr = 10.0.255.99
>>>> }
>>>>
>>>> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Fabrice,
>>>>
>>>> For some reason I cannot get accounting forwarding to the
>>>> Billing/Radius Server. This server has the plans for the customers.
>>>>
>>>> <Screen Shot 2022-02-08 at 11.48.23 AM.png>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.50.20 AM.png>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.48.01 AM.png>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.51.33 AM.png>
>>>>
>>>> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>> Hi Fabrice,
>>>>
>>>> It worked. I had to change to HTTPS and DNS for the cert on the server
>>>> to work. We also changed the method to GET. Will try POST, not sure if this
>>>> will make a difference.
>>>>
>>>> my $html_form = qq[
>>>>     <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login">
>>>>         <input type="hidden" name="username" value="$mac">
>>>>         <input type="hidden" name="password" value="$mac">
>>>>     </form>
>>>>     <script src="/content/autosubmit.js" type="text/javascript"></script>
>>>>
>>>> Here is a sample of the radius info on PF. Top entry is with new
>>>> configuration MAC address as username. Bottom one is the old configuration,
>>>> where we were submitting the url request manually.
>>>>
>>>> <Screen Shot 2022-02-08 at 11.34.52 AM.png>
>>>>
>>>> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>
>>>> Yes, that's it.
>>>>
>>>> On Tue, Feb 8, 2022 at 11:23, Jorge Nolla <jno...@gmail.com> wrote:
>>>>
>>>>> Fabrice,
>>>>>
>>>>> The document you had provided didn’t lay out the configuration steps. I
>>>>> think this might be the correct document for the configuration you are
>>>>> referring. If you have a chance take a look and let me know.
>>>>>
>>>>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064
>>>>>
>>>>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>
>>>>> You can try that instead:
>>>>>
>>>>> my $html_form = qq[
>>>>>     <form name="weblogin_form" data-autosubmit="1000" method="POST" action="http://$controller_ip:8443/login">
>>>>>         <input type="hidden" name="username" value="$mac">
>>>>>         <input type="hidden" name="password" value="$mac">
>>>>>     </form>
>>>>>     <script src="/content/autosubmit.js" type="text/javascript"></script>
>>>>> ];
>>>>>
>>>>> It will pass the mac address of the device in the radius request as
>>>>> username and password instead of the real username and password who has
>>>>> been authenticated previously on the portal.
>>>>> Then you just need to configure the registration role in the switch
>>>>> configuration to be -1 (packetfence side) and if the device is unreg then
>>>>> the request will be rejected.
>>>>>
>>>>> On Tue, Feb 8, 2022 at 11:04, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> Let me check what the difference is in configuration on the AC side,
>>>>>> I’ll report within the hour. Any clues as to why the parameters are not
>>>>>> being passed?
>>>>>>
>>>>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>
>>>>>> Hello Jorge,
>>>>>>
>>>>>> I really think that it's not the correct way to support the web auth
>>>>>> in Huawei.
>>>>>> The only thing you can do with the portal is to authenticate with a
>>>>>> username and password, there is no way to do anything else
>>>>>> (sms/email/sponsor/....).
>>>>>>
>>>>>> Also when you authenticate on the portal, the portal validates your
>>>>>> username and password and with the workflow you have it will authenticate
>>>>>> twice (portal and radius) and it doesn't make sense.
>>>>>>
>>>>>> So if you want to keep this way then you will need a simple html page
>>>>>> with a username and password field that posts on
>>>>>> https://portal.fispy.mx:8443/login then configure packetfence to
>>>>>> authenticate the username and password from radius.
>>>>>>
>>>>>> The other way, which looks really better, is to use that:
>>>>>> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2)
>>>>>>
>>>>>> <download.png>
>>>>>>
>>>>>> As I said, it's exactly how it works with the cisco wlc and it will
>>>>>> support all authentication mechanisms available on the portal.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>>> Radius request from the AC once it receives the correct values. This
>>>>>>> is sent back to Radius which in this case is PF
>>>>>>>
>>>>>>> User-Name = "5blz" *<<< VALUE NEEDED IN URL as username*
>>>>>>> User-Password = "******" *<<< VALUE NEEDED IN URL as password*
>>>>>>> NAS-IP-Address = 10.7.255.2
>>>>>>> NAS-Port = 900
>>>>>>> Service-Type = Framed-User
>>>>>>> Framed-Protocol = PPP
>>>>>>> Framed-IP-Address = 10.9.91.31
>>>>>>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>>>>>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>>>>>> NAS-Identifier = "AirEngine9700-M1"
>>>>>>> NAS-Port-Type = Wireless-802.11
>>>>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
>>>>>>> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
>>>>>>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>>>>>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>>>>>> Huawei-User-Mac = "\000\000\000\003"
>>>>>>> Stripped-User-Name = "5blz"
>>>>>>> Realm = "null"
>>>>>>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>>>>>>> Called-Station-SSID = "FISPY-WiFi"
>>>>>>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>>>>>>> PacketFence-Radius-Ip = "10.0.255.99"
>>>>>>> SQL-User-Name = "5blz"
>>>>>>>
>>>>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>> Hi Fabrice,
>>>>>>>
>>>>>>> I did hardcode as follows:
>>>>>>>
>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="https://portal.fispy.mx:8443/login?username=bob&password=bob" style="display:none">
>>>>>>>
>>>>>>> But the redirect which the client is getting, is only this part, not
>>>>>>> sure why:
>>>>>>>
>>>>>>> https://portal.fispy.mx:8443/login?
>>>>>>>
>>>>>>> Here is the flow of the External Portal Authentication as per
>>>>>>> Huawei.
>>>>>>> Portal Server - Notify the STA of the login URL
>>>>>>> STA - Send the username and password in HTTP GET POST. When this is
>>>>>>> configured to use ISE as per the guide, the ISE server sends the
>>>>>>> redirect to the STA as per the format.
>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>
>>>>>>> <PastedGraphic-1.tiff>
>>>>>>>
>>>>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>
>>>>>>> Did you try to hardcode that in the code and see if it works?
>>>>>>>
>>>>>>> Also I don't understand the goal of passing the username and
>>>>>>> password, is there any extra check after that? What happens if the user
>>>>>>> registers by sms/email?
>>>>>>>
>>>>>>> And I just found that:
>>>>>>>
>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>>>>>> Is it something that can be configured on the Huawei? If yes then it
>>>>>>> will mimic the way the Cisco WLC works.
>>>>>>>
>>>>>>> Regards
>>>>>>> Fabrice
>>>>>>>
>>>>>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>>> Hi Fabrice,
>>>>>>>>
>>>>>>>> This line needs to be HTTPS for it to work
>>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" action="http://$controller_ip:8443/login?username=bob&password=bob" style="display:none">
>>>>>>>>
>>>>>>>> This needs to be the username and password which is being entered
>>>>>>>> by the user in the PF portal, which is the Radius username and password
>>>>>>>> username=bob&password=bob
>>>>>>>>
>>>>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> I just pushed a fix.
>>>>>>>>
>>>>>>>> cd /usr/local/pf
>>>>>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>>>>>> and restart
>>>>>>>>
>>>>>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>>>>>>
>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>>>>>>
>>>>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Here is the output for HAProxy
>>>>>>>>>
>>>>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>>
>>>>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> From the Pf portal after the patch is applied.
>>>>>>>>>
>>>>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is
>>>>>>>>> not supported.
>>>>>>>>>
>>>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> This is the only option on the config.
>>>>>>>>>
>>>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>>>>
>>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> Getting an error page from PF
>>>>>>>>>
>>>>>>>>> Not Implemented
>>>>>>>>> GET no supported for current URL.
>>>>>>>>>
>>>>>>>>> How is the switch supposed to be defined in PF?
>>>>>>>>>
>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> I am just not sure what to set for username and password, if you
>>>>>>>>> do sms auth then there is no password.
>>>>>>>>>
>>>>>>>>> Also in the url it looks like it misses the mac address of the
>>>>>>>>> device, can you try to add device-mac and see if the device mac is
>>>>>>>>> in the url?
>>>>>>>>>
>>>>>>>>> Here the first draft:
>>>>>>>>>
>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>>
>>>>>>>>> cd /usr/local/pf/
>>>>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>>>>
>>>>>>>>> then restart packetfence.
>>>>>>>>>
>>>>>>>>> On the controller:
>>>>>>>>>
>>>>>>>>> url-template name PacketFence
>>>>>>>>> url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal> Hawei
>>>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>
>>>>>>>>> So when the device will be forwarded to the portal it should be
>>>>>>>>> able to recognise the mac address and the ip of the device (in the
>>>>>>>>> bottom).
>>>>>>>>>
>>>>>>>>> Register on the portal and you should be forwarded to
>>>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>>
>>>>>>>>> Let me know how it behaves.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Hi Fabrice
>>>>>>>>>>
>>>>>>>>>> This is the GET the AC is expecting:
>>>>>>>>>>
>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>> If successful it will return as per image below. If it fails the
>>>>>>>>>> AC will redirect back to the Portal
>>>>>>>>>>
>>>>>>>>>> <WebAuthentication.png>
>>>>>>>>>>
>>>>>>>>>> Here is the configuration:
>>>>>>>>>>
>>>>>>>>>> url-template name PacketFence
>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>> url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>
>>>>>>>>>> HA Proxy output
>>>>>>>>>>
>>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>>>>
>>>>>>>>>> Only problem is that PacketFence is not updating the dynamic
>>>>>>>>>> values with username and password for it to work
>>>>>>>>>>
>>>>>>>>>> AC = Access Controller. This manages the APs as they are
>>>>>>>>>> operating in Fit/Lightweight mode.
>>>>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Jorge
>>>>>>>>>>
>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Jorge,
>>>>>>>>>>
>>>>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>>>>> The only thing I am not sure is at the end of the registration
>>>>>>>>>> process what we are supposed to do.
>>>>>>>>>>
>>>>>>>>>> I will create a branch on github in order for you to test. (it
>>>>>>>>>> will be an update of the Huawei switch module).
>>>>>>>>>>
>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> If I try to manually send the redirect in the browser here is
>>>>>>>>>>> what HA proxy records. This is a simple copy and paste in the
>>>>>>>>>>> browser and the output:
>>>>>>>>>>>
>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>>>
>>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>>>>
>>>>>>>>>>> It doesn’t let it go through as it seems that is trying to
>>>>>>>>>>> validate network connectivity
>>>>>>>>>>>
>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>>>>
>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>>>>
>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>>>>
>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and
>>>>>>>>>>> weird symbols
>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>>>>>>>>>>>
>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>
>>>>>>>>>>> Here are the options that can be added:
>>>>>>>>>>>
>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>>>>   ap-group-name   AP group name
>>>>>>>>>>>   ap-ip           AP IP address
>>>>>>>>>>>   ap-location     AP location
>>>>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>>>>   ap-name         AP name
>>>>>>>>>>>   device-ip       Device IP address
>>>>>>>>>>>   device-mac      Device MAC address
>>>>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>>>>   mac-address     Mac address
>>>>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>>>>   set             Set
>>>>>>>>>>>   ssid            SSID
>>>>>>>>>>>   sysname         Device name
>>>>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>>>>   user-mac        User MAC address
>>>>>>>>>>>
>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>>>
>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>>>>
>>>>>>>>>>> If we do not specify the URL on this configuration, where would
>>>>>>>>>>> PacketFence get the value for the AC Web Authentication call?
>>>>>>>>>>>
>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>
>>>>>>>>>>> Best Regards,
>>>>>>>>>>> Jorge
>>>>>>>>>>>
>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>
>>>>>>>>>>> what we need is the user mac and the ap information.
>>>>>>>>>>> I found that
>>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>>>>
>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip
>>>>>>>>>>> ap-mac?
>>>>>>>>>>>
>>>>>>>>>>> And if yes, can you provide me the URL generated by the
>>>>>>>>>>> controller when it redirects? (haproxy-portal log)
>>>>>>>>>>>
>>>>>>>>>>> Regards
>>>>>>>>>>> Fabrice
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>
>>>>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you!
>>>>>>>>>>>> Jorge
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>
>>>>>>>>>>>> This is the sequence:
>>>>>>>>>>>>
>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>>>>>>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>
>>>>>>>>>>>> I will have a closer look.
>>>>>>>>>>>> But I have a question: when the device is forwarded to the
>>>>>>>>>>>> captive portal (just before
>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>),
>>>>>>>>>>>> what is the URL?
>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>>>>
>>>>>>>>>>>> Regards
>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>
>>>>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> We almost have the configuration working, but are not sure how
>>>>>>>>>>>>> to get the redirect to the client to work correctly. Attached is
>>>>>>>>>>>>> the documentation for Cisco ISE which we used for PacketFence as
>>>>>>>>>>>>> well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is the format the client should get from
>>>>>>>>>>>>> PacketFence. This is the only piece we are missing for this to
>>>>>>>>>>>>> work.
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> If we manually click on the link above, then the flow of
>>>>>>>>>>>>> traffic works correctly CLIENT > AC > RADIUS (PacketFence), and
>>>>>>>>>>>>> authentication works. The problem is that when the user logs in
>>>>>>>>>>>>> to the portal the redirect is broken. The parameter for the
>>>>>>>>>>>>> redirect that PacketFence is serving comes from a configuration
>>>>>>>>>>>>> parameter within the AC. This configuration works fine for Cisco
>>>>>>>>>>>>> ISE, but the URL format is not working for PacketFence.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> When we configure the redirect this is what the client is
>>>>>>>>>>>>> getting from PacketFence
>>>>>>>>>>>>>
>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> AC CONFIG
>>>>>>>>>>>>>
>>>>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>>>> portal-access-profile PacketFence
>>>>>>>>>>>>> free-rule-template default_free_rule
>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>> accounting-scheme PacketFence
>>>>>>>>>>>>> radius-server PacketFence
>>>>>>>>>>>>> force-push url https://www.fispy.mx
>>>>>>>>>>>>>
>>>>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@
>>>>>>>>>>>>> ]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>>>> undo radius-server user-name domain-included
>>>>>>>>>>>>> calling-station-id mac-format unformatted
>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac
>>>>>>>>>>>>> radius-server attribute translate
>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send
>>>>>>>>>>>>> radius-attribute disable HW-Version send
>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send
>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send
>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>>>>
>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>
>>>>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>>>> server-ip 10.0.255.99
>>>>>>>>>>>>> port 443
>>>>>>>>>>>>> url-template PacketFence
>>>>>>>>>>>>> protocol http
>>>>>>>>>>>>> http get-method enable
>>>>>>>>>>>>>
>>>>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>>>> web-auth-server PacketFence direct
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>> authentication-mode radius
>>>>>>>>>>>>>
>>>>>>>>>>>>> wlan
>>>>>>>>>>>>> security-profile name FISPY-WiFi
>>>>>>>>>>>>>
>>>>>>>>>>>>> vap-profile name FISPY-WiFi
>>>>>>>>>>>>> service-vlan vlan-id 900
>>>>>>>>>>>>> permit-vlan vlan-id 900
>>>>>>>>>>>>> ssid-profile FISPY-WiFi
>>>>>>>>>>>>> security-profile FISPY-WiFi
>>>>>>>>>>>>> authentication-profile PacketFence
>>>>>>>>>>>>> sta-network-detect disable
>>>>>>>>>>>>> service-experience-analysis enable
>>>>>>>>>>>>> mdns-snooping enable
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>>>>
>>>>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>>>> url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>>>> parameter start-mark #
>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>
>>>>>>>>>>>>> ####################################
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com>
>>>>>>>>>>>>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Do you have any Huawei documentation to implement that?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via
>>>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> We were wondering if anyone has had any success in
>>>>>>>>>>>>>> configuring Web Auth for the Huawei AC? It’s somewhat critical
>>>>>>>>>>>>>> for us to get this going.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
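The `%5F`, `%2E` and `%3A%2F%2F` sequences in the HAProxy lines quoted in this thread are percent-encoding of the query string. The following is an added example, not code from the thread or from PacketFence: it decodes the logged request lines and shows how a login URL pasted unencoded into `destination_url` is split at its `&`. The function names and the `SENSITIVE` set are assumptions of the example.

```python
import re
from urllib.parse import parse_qsl, quote, urlsplit

# Request lines reassembled from the HAProxy output quoted in the thread
# (mail line wraps removed); the variable names are this example's own.
AC_ENCODED = ('"GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal'
              '%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"')
AC_PARAMS = ('"GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70'
             '%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"')
HAND_PASTED = ('"GET /captive-portal?destination_url=https://portal.fispy.mx'
               ':8443/login?username=539z&password=0uf3 HTTP/1.1"')

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')
SENSITIVE = {"password"}  # assumption: parameter names to mask before storing


def portal_params(log_fragment):
    """Return the decoded (name, value) pairs the portal receives, in order."""
    match = REQUEST_RE.search(log_fragment)
    if match is None:
        raise ValueError("no HTTP request line found")
    return parse_qsl(urlsplit(match.group("uri")).query, keep_blank_values=True)


def encode_nested(name, url):
    """Percent-encode a whole URL so it travels as ONE query parameter."""
    return f"{name}={quote(url, safe='')}"


def redact(params):
    """Mask credential values, both top-level and inside a nested URL."""
    masked = []
    for name, value in params:
        if name.lower() in SENSITIVE:
            value = "***"
        else:
            value = re.sub(r"(?i)\b(password=)[^&]+", r"\1***", value)
        masked.append((name, value))
    return masked


if __name__ == "__main__":
    for line in (AC_ENCODED, AC_PARAMS, HAND_PASTED):
        print(redact(portal_params(line)))
    login = "https://portal.fispy.mx:8443/login?username=539z&password=0uf3"
    fixed = f'"GET /captive-portal?{encode_nested("destination_url", login)} HTTP/1.1"'
    print(redact(portal_params(fixed)))
```

The AC-encoded form decodes to a single `switch_url` parameter, while the hand-pasted form reaches the portal as two parameters, `destination_url` cut off after `username=539z` and a separate `password`.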