Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
Diego,

Thanks for your help and guidance on this…  The end-system is getting the reply 
from Google with the authorization code – the Portal URL in the config that 
ends in ‘/callback’.  However, the hostname of the pf server is not being 
resolved.  If I replace the hostname.domain with the IP address of the 
registration VLAN interface on the PF server (the end-system’s gateway), the 
authentication proceeds and the end-system authenticates.

Weirdness abounds…  I’ll perform a packet capture on Monday when I’m back in 
the office to see if I can tell what the end-system is requesting for ‘website’ 
that google returns.

Have a good weekend, and thanks again for your assistance.

Thanks,

Bill

From: Diego Garcia del Rio 
Sent: Friday, April 24, 2020 10:29 AM
To: Bill Handler 
Cc: Jonathan Nathanson ; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Hi.. those errors are not errors. They are just the logs of pfdns and it's still 
related to the user trying / reaching google.

you should look at the logs (especially packetfence.log) for any other messages 
around the time. Most of the log messages SHOULD have the mac address of the 
device trying to connect so you can grep for those

(you can also use grep -i to make grep case insensitive, so "grep -i oauth" 
should find... all variations of oauth..

also try to set the debug level for the portal module to DEBUG or TRACE:

like this:

conf/log.conf.d/pfqueue.conf

Change the following line from this

log4perl.rootLogger = INFO, PFQUEUE

To this

log4perl.rootLogger = TRACE, PFQUEUE

Then you can either wait 5 minutes (that is the time it takes for the
logging level to be updated)

Or restart the service if you do not want to wait.

But adapt it to the portal module instead of pfqueue.conf

On Fri, Apr 24, 2020 at 11:14 AM Diego Garcia del Rio <garc...@gmail.com> wrote:
let me check what I have configured.  But I think you do need an API enabled.

On Fri, Apr 24, 2020 at 11:12 AM Bill Handler <bhand...@pcsknox.com> wrote:
Again, apologies for my ignorance on this…

When I created the Oauth credentials in the Google Developer site, I did not 
enable an API.  I’m thinking I missed doing that.  Since I’m just trying to 
authenticate users and not accessing anything within GSuite or anything else 
along those lines, I’m not sure what API I may need.

Ideas?

Thanks,

Bill

From: Bill Handler
Sent: Friday, April 24, 2020 8:36 AM
To: Diego Garcia del Rio <garc...@gmail.com>
Cc: Jonathan Nathanson <jmhnathan...@gmail.com>; 
packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Diego,

Thanks for the pointers.  The logs appear to be now located in the 
/usr/local/pf/logs directory.  There is no logs folder in the /usr/local/pf/var 
directory.

I ran the restart command and tried to log in via Google again…  Rechecked the 
logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’ and now 
got some responses… (this is with the openid defaults)

[root@packetfence_v10 logs]# cat *.log | grep OAuth
Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)

[root@packetfence_v10 logs]# cat *.log | grep oauth
Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
[root@packetfence_v10 logs]#

I put the old Google Auth config – yours with the userinfo.email settings and 
restarted the pf service.  Tried to authenticate the end-system again, but 
still failed…

Checked the logs as before, and here are the results (duplicate entries from 
above 

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Diego Garcia del Rio via PacketFence-users
Hi.. those errors are not errors. They are just the logs of pfdns and it's
still related to the user trying / reaching google.

you should look at the logs (especially packetfence.log) for any other
messages around the time. Most of the log messages SHOULD have the mac
address of the device trying to connect so you can grep for those

(you can also use grep -i to make grep case insensitive, so "grep -i oauth"
should find... all variations of oauth..

also try to set the debug level for the portal module to DEBUG or TRACE:

like this:

conf/log.conf.d/pfqueue.conf

Change the following line from this

log4perl.rootLogger = INFO, PFQUEUE

To this

log4perl.rootLogger = TRACE, PFQUEUE

Then you can either wait 5 minutes (that is the time it takes for the
logging level to be updated)

Or restart the service if you do not want to wait.

But adapt it to the portal module instead of pfqueue.conf

On Fri, Apr 24, 2020 at 11:14 AM Diego Garcia del Rio wrote:

> let me check what I have configured.  But I think you do need an API
> enabled.
>
> On Fri, Apr 24, 2020 at 11:12 AM Bill Handler wrote:
>
>> Again, apologies for my ignorance on this…
>>
>> When I created the Oauth credentials in the Google Developer site, I did
>> not enable an API.  I’m thinking I missed doing that.  Since I’m just
>> trying to authenticate users and not accessing anything within GSuite or
>> anything else along those lines, I’m not sure what API I may need.
>>
>> Ideas?
>>
>> Thanks,
>>
>> Bill
>>
>> *From:* Bill Handler
>> *Sent:* Friday, April 24, 2020 8:36 AM
>> *To:* Diego Garcia del Rio
>> *Cc:* Jonathan Nathanson;
>> packetfence-users@lists.sourceforge.net
>> *Subject:* RE: [PacketFence-users] Google oauth2 -
>> Behavior/Troubleshooting
>>
>> Diego,
>>
>> Thanks for the pointers.  The logs appear to be now located in the
>> /usr/local/pf/logs directory.  There is no logs folder in the
>> /usr/local/pf/var directory.
>>
>> I ran the restart command and tried to log in via Google again…
>> Rechecked the logs as I did before (grep OAuth), ran it a second time as
>> ‘grep oauth’ and now got some responses… (this is with the openid defaults)
>>
>> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>>
>> [root@packetfence_v10 logs]# cat *.log | grep oauth
>> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
>> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
>> [root@packetfence_v10 logs]#
>>
>> I put the old Google Auth config – yours with the userinfo.email settings
>> and restarted the pf service.  Tried to authenticate the end-system again,
>> but still failed…
>>
>> Checked the logs as before, and here are the results (duplicate entries
>> from above removed for clarity):
>>
>> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>>
>> [root@packetfence_v10 logs]# cat *.log | grep oauth
>> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1787/1788 302 1482 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
>>
>> Apr 24 08:27:59 packetfence_v10 pfdns: 
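
Diego's two suggestions in this message (grep every log case-insensitively for the client, and raise a module's log4perl root logger level in conf/log.conf.d) and the callback problem Bill reports at the top of the thread (the browser is redirected to Google, but the portal hostname in the /callback URL does not resolve, so the return leg never arrives) can be exercised with the script below. It is an added example, not code from the thread or from the PacketFence project. It builds a constructed copy of the log lines quoted in the thread under a temporary directory that stands in for /usr/local/pf/logs and conf/log.conf.d, so it runs offline and touches no real installation; the function names (client_lines, oauth_hits, callback_hits, current_log_level, set_log_level) are assumptions, and "/callback" is matched only because Bill says his portal URL ends that way.

```shell
#!/bin/sh
# Added example, not from the thread or the PacketFence project.
# Everything below works on a constructed copy of the thread's log lines
# in a temporary directory, so nothing touches a real PF install.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOGDIR="$WORK/logs"           # stands in for /usr/local/pf/logs
CONFDIR="$WORK/log.conf.d"    # stands in for /usr/local/pf/conf/log.conf.d
mkdir -p "$LOGDIR" "$CONFDIR"

# Constructed sample: the haproxy and pfdns lines quoted in the thread.
cat > "$LOGDIR/haproxy.log" <<'EOF'
Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
EOF
cat > "$LOGDIR/pfdns.log" <<'EOF'
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
EOF
# Constructed stand-in for conf/log.conf.d/pfqueue.conf (the line Diego quotes).
printf 'log4perl.rootLogger = INFO, PFQUEUE\n' > "$CONFDIR/pfqueue.conf"

# Every line mentioning the client, across all logs, case-insensitively.
# $1 is an IP or MAC address; -F keeps its dots and colons literal.
client_lines() {
    grep -ihF -- "$1" "$LOGDIR"/*.log
}

# Requests from the client on an /oauth2/ path: the leg where the portal
# sends the browser off to Google (the 302 in the haproxy line is that redirect).
oauth_hits() {
    client_lines "$1" | grep -ic '/oauth2/' || true
}

# The return leg: Google sends the browser back to the portal URL ending in
# /callback. A count of 0 while oauth_hits is non-zero means the browser never
# reached the portal hostname after Google, which is what Bill observed.
callback_hits() {
    client_lines "$1" | grep -ic '/callback' || true
}

# Read or set the log4perl root logger level of one log.conf.d file.
current_log_level() {
    sed -nE 's/^log4perl\.rootLogger[[:space:]]*=[[:space:]]*([A-Za-z]+).*/\1/p' "$1"
}
set_log_level() {   # $1 = conf file, $2 = INFO | DEBUG | TRACE
    sed -i.bak -E "s/^(log4perl\.rootLogger[[:space:]]*=[[:space:]]*)[A-Za-z]+/\1$2/" "$1"
}

CLIENT=172.16.172.237
echo "/oauth2/ requests from $CLIENT:  $(oauth_hits "$CLIENT")"
echo "/callback requests from $CLIENT: $(callback_hits "$CLIENT")"
set_log_level "$CONFDIR/pfqueue.conf" TRACE
echo "pfqueue.conf root logger is now: $(current_log_level "$CONFDIR/pfqueue.conf")"
```

On a real server point LOGDIR at /usr/local/pf/logs and CONFDIR at /usr/local/pf/conf/log.conf.d, pass the device's MAC address instead of the IP, and run set_log_level against the portal module's file rather than pfqueue.conf; as Diego notes, the new level is picked up after about five minutes or immediately after restarting the service.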

Re: [PacketFence-users] PF 10.0.0 webadmin won't start after Upgrade

2020-04-24 Thread felix13890--- via PacketFence-users
Hello Nicolas, here is the Output:

[root@nac3 ~]# /usr/local/pf/bin/pfcmd service pf status
Service                                      Status    PID
packetfence-api-frontend.service             started   19672
packetfence-config.service                   started   0
packetfence-fingerbank-collector.service     started   25624
packetfence-galera-autofix.service           started   19575
packetfence-haproxy-admin.service            started   19737
packetfence-haproxy-db.service               started   25170
packetfence-haproxy-portal.service           started   9234
packetfence-httpd.aaa.service                started   25368
packetfence-httpd.admin.service              disabled  27505
packetfence-httpd.admin_dispatcher.service   started   19660
packetfence-httpd.collector.service          disabled  0
packetfence-httpd.dispatcher.service         started   25269
packetfence-httpd.portal.service             started   25379
packetfence-httpd.proxy.service              disabled  0
packetfence-httpd.webservices.service        started   25366
packetfence-iptables.service                 started   19659
packetfence-keepalived.service               started   26075
packetfence-mariadb.service                  started   22999
packetfence-netdata.service                  started   25399
packetfence-pfacct.service                   started   25270
packetfence-pfdetect.service                 disabled  0
packetfence-pfdhcp.service                   started   25265
packetfence-pfdhcplistener.service           started   25651
packetfence-pfdns.service                    started   25346
packetfence-pffilter.service                 started   25255
packetfence-pfipset.service                  started   25263

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
Again, apologies for my ignorance on this…

When I created the Oauth credentials in the Google Developer site, I did not 
enable an API.  I’m thinking I missed doing that.  Since I’m just trying to 
authenticate users and not accessing anything within GSuite or anything else 
along those lines, I’m not sure what API I may need.

Ideas?

Thanks,

Bill

From: Bill Handler
Sent: Friday, April 24, 2020 8:36 AM
To: Diego Garcia del Rio 
Cc: Jonathan Nathanson ; 
packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Diego,

Thanks for the pointers.  The logs appear to be now located in the 
/usr/local/pf/logs directory.  There is no logs folder in the /usr/local/pf/var 
directory.

I ran the restart command and tried to log in via Google again…  Rechecked the 
logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’ and now 
got some responses… (this is with the openid defaults)

[root@packetfence_v10 logs]# cat *.log | grep OAuth
Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)

[root@packetfence_v10 logs]# cat *.log | grep oauth
Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 
[24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET 
/switchto/default_policy+default_registration_policy+default_oauth_policy 
HTTP/1.1"
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 
[24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 
[24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 61.289551ms
[root@packetfence_v10 logs]#

I put the old Google Auth config – yours with the userinfo.email settings and 
restarted the pf service.  Tried to authenticate the end-system again, but 
still failed…

Checked the logs as before, and here are the results (duplicate entries from 
above removed for clarity):

[root@packetfence_v10 logs]# cat *.log | grep OAuth
Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)

[root@packetfence_v10 logs]# cat *.log | grep oauth
Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 
[24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 
[24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1787/1788 302 1482 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 23.614118ms
Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 25.300084ms
[root@packetfence_v10 logs]#

I’m hopeful that this helps, but again, I’m not sure what I’m looking for…

Thanks,

Bill

From: Diego Garcia del Rio <garc...@gmail.com>
Sent: Thursday, April 23, 2020 5:26 PM
To: Bill Handler <bhand...@pcsknox.com>
Cc: Jonathan Nathanson <jmhnathan...@gmail.com>; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Hi Bill

Please look at ALL the log files under /usr/local/pf/var/logs (the httpd logs 
only cover the requests from the devices). There will be two requests going to 
google.. one where Packetfence is doing NAT for the devices to be onboarded 
(this is the traffic from the user's browser) and then another that will go 
from packetfence itself to google again, using the token returned by the 
customer's browser to get the actual data from the google account.

also, I don't remember if any of the changes to google oauth take effect 
immediately or you need to restart the PF service. (to restart the PF service 
use this script:

/usr/local/pf/bin/pfcmd service pf restart

On Thu, Apr 23, 2020 at 3:37 PM Bill Handler <bhand...@pcsknox.com> wrote:
I’m hoping I’ve set up the Google part correctly, if not 

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Diego Garcia del Rio via PacketFence-users
let me check what I have configured.  But I think you do need an API enabled.

On Fri, Apr 24, 2020 at 11:12 AM Bill Handler wrote:

> Again, apologies for my ignorance on this…
>
> When I created the Oauth credentials in the Google Developer site, I did
> not enable an API.  I’m thinking I missed doing that.  Since I’m just
> trying to authenticate users and not accessing anything within GSuite or
> anything else along those lines, I’m not sure what API I may need.
>
> Ideas?
>
> Thanks,
>
> Bill
>
> *From:* Bill Handler
> *Sent:* Friday, April 24, 2020 8:36 AM
> *To:* Diego Garcia del Rio
> *Cc:* Jonathan Nathanson;
> packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
> Diego,
>
> Thanks for the pointers.  The logs appear to be now located in the
> /usr/local/pf/logs directory.  There is no logs folder in the
> /usr/local/pf/var directory.
>
> I ran the restart command and tried to log in via Google again…  Rechecked
> the logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’
> and now got some responses… (this is with the openid defaults)
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
> [root@packetfence_v10 logs]#
>
> I put the old Google Auth config – yours with the userinfo.email settings
> and restarted the pf service.  Tried to authenticate the end-system again,
> but still failed…
>
> Checked the logs as before, and here are the results (duplicate entries
> from above removed for clarity):
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1787/1788 302 1482 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 25.300084ms
> [root@packetfence_v10 logs]#
>
> I’m hopeful that this helps, but again, I’m not sure what I’m looking for…
>
> Thanks,
>
> Bill
>
> *From:* Diego Garcia del Rio
> *Sent:* Thursday, April 23, 2020 5:26 PM
> *To:* Bill Handler
> *Cc:* Jonathan Nathanson;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
> Hi Bill
>
> Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
> logs only cover the requests from the devices). There will be two requests
> going to google.. one where Packetfence is doing NAT for the devices to be
> onboarded (this is the traffic from the user's browser) and then another
> that will go from packetfence itself to google again, using the token
> returned by the customer's browser to get the actual data from the google
> account.
>
> also, I don't remember if any of the changes to google oauth take 

Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

2020-04-24 Thread Bill Handler via PacketFence-users
Diego,

Thanks for the pointers.  The logs appear to be now located in the 
/usr/local/pf/logs directory.  There is no logs folder in the /usr/local/pf/var 
directory.

I ran the restart command and tried to log in via Google again…  Rechecked the 
logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’ and now 
got some responses… (this is with the openid defaults)

[root@packetfence_v10 logs]# cat *.log | grep OAuth
Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)

[root@packetfence_v10 logs]# cat *.log | grep oauth
Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 
[24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/1/210/213 302 928 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET 
/switchto/default_policy+default_registration_policy+default_oauth_policy 
HTTP/1.1"
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 
[24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1909/1910 302 1410 - -  6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 
[24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1827/1829 302 1410 - -  4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 61.289551ms
[root@packetfence_v10 logs]#

I put the old Google Auth config – yours with the userinfo.email settings and 
restarted the pf service.  Tried to authenticate the end-system again, but 
still failed…

Checked the logs as before, and here are the results (duplicate entries from 
above removed for clarity):

[root@packetfence_v10 logs]# cat *.log | grep OAuth
Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward 
rules to allow connections to the OAuth2 Providers and passthrough. 
(pf::iptables::generate_passthrough_rules)

[root@packetfence_v10 logs]# cat *.log | grep oauth
Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 
[24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/1/439/440 302 1482 - -  4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 
[24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 
0/0/0/1787/1788 302 1482 - -  3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST 
/oauth2/go HTTP/1.1"
Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 23.614118ms
Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 
-0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR 
qr,rd,ra 102 25.300084ms
[root@packetfence_v10 logs]#

I’m hopeful that this helps, but again, I’m not sure what I’m looking for…

Thanks,

Bill

From: Diego Garcia del Rio 
Sent: Thursday, April 23, 2020 5:26 PM
To: Bill Handler 
Cc: Jonathan Nathanson ; 
packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting

Hi Bill

Please look at ALL the log files under /usr/local/pf/var/logs (the httpd logs 
only cover the requests from the devices). There will be two requests going to 
google.. one where Packetfence is doing NAT for the devices to be onboarded 
(this is the traffic from the user's browser) and then another that will go 
from packetfence itself to google again, using the token returned by the 
customer's browser to get the actual data from the google account.

also, I don't remember if any of the changes to google oauth take effect 
immediately or you need to restart the PF service. (to restart the PF service 
use this script:

/usr/local/pf/bin/pfcmd service pf restart

On Thu, Apr 23, 2020 at 3:37 PM Bill Handler <bhand...@pcsknox.com> wrote:
I’m hoping I’ve set up the Google part correctly, if not the authentication 
wouldn’t go through correct?  I just needed to setup OAuth 2.0 Client IDs.  I 
don’t need any API Keys or Service Accounts correct?  In the Client ID I listed 
it as a web application

Diego,

Thanks for your help…  This is my first experience with PacketFence, and I’m 
feeling my way through it.  I’m not entirely sure what all your information 
means, so please pardon my ignorance.

My Google Auth was set to the default openid that you listed.  I changed it to 
the older scope/protected resource urls with no change.

I know that the request is going out to google, and that something is coming 
back by seeing the url in the end-system’s browser.  It seems like PF is not