[PacketFence-users] Captive Portal setting not working

[Rafiq Shaikh via PacketFence-users]

Hi,

We are trying to setup Packetfence as a UAM server and RADIUS server for the 
wifi captive portal.
In this setup we have OpenWifi (OpenWrt) AP configured to use packetfence IP as 
uam server and radius server.
On packetfence, we have created profile and switch configuration to handle 
messages coming from our AP.
When a wifi client connects to the AP, it is expected that the wifi client gets 
redirected to the uam (packetfence)
for login credentials. However we notice that the client did not get redirected 
to the login page instead it got authenticated
(RADIUS-Accept) by packetfence RADIUS.

I am sure we are missing some critical configuration, either on AP or on 
packetfence.

We checked on AP side and I think configuration looks correct except that I am 
not sure if the uam_server = 
is correct. Does it need additional paths after the IP address?

What might be wrong with my setup?

Why would RADIUS server accept client connection without client credentials?

Can you point me to a document that provides step-by-step captive portal 
configuration on packet fence?

Thanks in advance for your help.

Best Regards,
-Rafiq.


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

[Diego Garcia del Rio via PacketFence-users]

Hi Giovanni

indeed.. if you're using it for guest access then what you describe is
really the only viable option or just bypass the authentication at
all. Are you using the google sign in just to collect the email
addresses for guests? you could alternatively use the email login
where the user enters (manually) an email address.

On android devices the google login is sometimes an issue as the main
account gets selected automatically and might not be the one that the
user wants to use.

On my sites I stopped using google as an auhentication source (via
oAuth) due to these issues and the hassle created for end users.


On Wed, Jun 12, 2024 at 3:24 PM Giovanni Trapasso
 wrote:
>
> Hi Diego,
>
> Thanks for your reply.
>
> We are using this for our Guest SSID, we don't want our internal Google users 
> to use it.  Have not experienced any issues with Android clients.
>
> For anyone else who might be experiencing this blocking issue from Google we 
> wrote up a workaround for people using iPhone and Google.
>
> 1.Connect to Guest Wi-Fi Network: Go to your device's Wi-Fi settings and 
> connect to the Guest network.
> 2.Choose Google as Authenticator Provider: When prompted for 
> authentication, select "Google" as your authenticator provider
> 3.Agree to Terms: Accept the terms and conditions presented on the screen.
> 4.Bypass Access Block Page: If you encounter an access block page, simply 
> tap "Cancel" to proceed.
> 5.Opt for Offline Use: Select the option to use the internet "Without 
> Internet" or "Offline Mode" if prompted.
> 6.Open Safari and Enter URL: Launch Safari web browser and type in the 
> URL "captive.apple.com" in the address bar.
> 7.Sign in with Google Account: Follow the on-screen prompts to 
> authenticate using your Google account credentials.
>
> On Wed, Jun 12, 2024 at 12:08 PM Diego Garcia del Rio  
> wrote:
>>
>> the only way to get proper google authentication is using the ldap
>> integration and your own google workspace domain (asuming you want to
>> authenticate users from the ualberta.ca domain). It wont work for
>> generic gmail.com users though
>>
>> to do this, you need to enable Secure LDAP in the google workspace admin.
>>
>> Android users are also similarly affected, though in some cases, the
>> OS launches the full browser instead of the captive portal limited
>> browser.
>>
>>
>> On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
>> PacketFence-users  wrote:
>> >
>> > Hi Everyone,
>> >
>> > I just deployed a PacketFence captive portal for my guest wireless with 
>> > Google as one of my Authentication Sources.  I have started receiving 
>> > complaints when apple iphone users are trying to use the google option to 
>> > authenticate on my captive portal.  They press the Google button, they get 
>> > the acceptable use page but right after they press the accept button they 
>> > get an error from accounts.google.com.  The error is similar to this:
>> >
>> > "
>> > Access Blocked: Google appsheet's request does not comply with 
>> > Google's Policies
>> >
>> >  request does not comply with Google's 'Use secure browsers' 
>> > policy. if this app has a website, you can open a web browser and try 
>> > signing in from there. if you are attempting to access a wireless network, 
>> > Please follow these instructions.
>> >
>> > You can also contact the developer to let them know that their app must 
>> > comply with Google's 'Use secure browser' policy.
>> >
>> > Learn more about the error
>> >
>> > If you are developer of . See error details.
>> >
>> > Error: 403: disallowed_useragent
>> > "
>> >
>> > Of course this is due to a security policy Google is enforcing.  My 
>> > captive portal is working fine with all types of other devices, even the 
>> > Apple iPad, but Apple iPhones are seeing this issue.
>> >
>> > I am curious how many others are experiencing this issue and what they are 
>> > doing about this?  I have 2 other authentication sources for my guest 
>> > users to choose from so it might not be a big deal
>> > --
>> >
>> >
>> > ___
>> > PacketFence-users mailing list
>> > PacketFence-users@lists.sourceforge.net
>> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> --
> ___
> Giovanni Trapasso
> Digital Networks and Data Center Services
> Information Services & Technology (IST)
> 269 General Services Building
> University of Alberta
> Edmonton, Alberta, Canada
> T6G 2E5
>
> Phone: (780) 492-4696
>
> To open a Technical Service call with IST go to:
> https://ist.ualberta.ca/
>
> ** This communication is intended for the use of the recipient to whom it is 
> addressed, and may contain confidential, personal, and/or privileged 
> information. Please contact me immediately if you are not the intended 
> recipient of this communication, and do not copy, distribute, or take action 
> relying on it. Any 

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

[Giovanni Trapasso via PacketFence-users]

Hi Diego,

In the past we only had a button to allow people on our Guest network.  I
did not like it but people wanted things to be easy for guests to get
access to our campus.  Another issue is we have students using the Guest
network instead of Eduroam, no clue why because we throttle the Guest
network quite a bit.

Anyways we wanted to get a Captive Portal running so that we can force
people to put some kind of credentials, we really don't care who they are
and we will never reach out to them unless they did something wrong on our
network.  But the added benefit is we can now reject our students
university gmail account and hopefully get them to use Eduroam.

Just additional weirdness regarding iPhone and Google.  iPads don't have
this issue.  you connect, you press Google, you are redirected to
accounts.google.com and no issues with Google blocking.

On Wed, Jun 12, 2024 at 1:38 PM Diego Garcia del Rio 
wrote:

> Hi Giovanni
>
> indeed.. if you're using it for guest access then what you describe is
> really the only viable option or just bypass the authentication at
> all. Are you using the google sign in just to collect the email
> addresses for guests? you could alternatively use the email login
> where the user enters (manually) an email address.
>
> On android devices the google login is sometimes an issue as the main
> account gets selected automatically and might not be the one that the
> user wants to use.
>
> On my sites I stopped using google as an auhentication source (via
> oAuth) due to these issues and the hassle created for end users.
>
>
> On Wed, Jun 12, 2024 at 3:24 PM Giovanni Trapasso
>  wrote:
> >
> > Hi Diego,
> >
> > Thanks for your reply.
> >
> > We are using this for our Guest SSID, we don't want our internal Google
> users to use it.  Have not experienced any issues with Android clients.
> >
> > For anyone else who might be experiencing this blocking issue from
> Google we wrote up a workaround for people using iPhone and Google.
> >
> > 1.Connect to Guest Wi-Fi Network: Go to your device's Wi-Fi settings
> and connect to the Guest network.
> > 2.Choose Google as Authenticator Provider: When prompted for
> authentication, select "Google" as your authenticator provider
> > 3.Agree to Terms: Accept the terms and conditions presented on the
> screen.
> > 4.Bypass Access Block Page: If you encounter an access block page,
> simply tap "Cancel" to proceed.
> > 5.Opt for Offline Use: Select the option to use the internet
> "Without Internet" or "Offline Mode" if prompted.
> > 6.Open Safari and Enter URL: Launch Safari web browser and type in
> the URL "captive.apple.com" in the address bar.
> > 7.Sign in with Google Account: Follow the on-screen prompts to
> authenticate using your Google account credentials.
> >
> > On Wed, Jun 12, 2024 at 12:08 PM Diego Garcia del Rio 
> wrote:
> >>
> >> the only way to get proper google authentication is using the ldap
> >> integration and your own google workspace domain (asuming you want to
> >> authenticate users from the ualberta.ca domain). It wont work for
> >> generic gmail.com users though
> >>
> >> to do this, you need to enable Secure LDAP in the google workspace
> admin.
> >>
> >> Android users are also similarly affected, though in some cases, the
> >> OS launches the full browser instead of the captive portal limited
> >> browser.
> >>
> >>
> >> On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
> >> PacketFence-users  wrote:
> >> >
> >> > Hi Everyone,
> >> >
> >> > I just deployed a PacketFence captive portal for my guest wireless
> with Google as one of my Authentication Sources.  I have started receiving
> complaints when apple iphone users are trying to use the google option to
> authenticate on my captive portal.  They press the Google button, they get
> the acceptable use page but right after they press the accept button they
> get an error from accounts.google.com.  The error is similar to this:
> >> >
> >> > "
> >> > Access Blocked: Google appsheet's request does not comply
> with Google's Policies
> >> >
> >> >  request does not comply with Google's 'Use secure
> browsers' policy. if this app has a website, you can open a web browser and
> try signing in from there. if you are attempting to access a wireless
> network, Please follow these instructions.
> >> >
> >> > You can also contact the developer to let them know that their app
> must comply with Google's 'Use secure browser' policy.
> >> >
> >> > Learn more about the error
> >> >
> >> > If you are developer of . See error details.
> >> >
> >> > Error: 403: disallowed_useragent
> >> > "
> >> >
> >> > Of course this is due to a security policy Google is enforcing.  My
> captive portal is working fine with all types of other devices, even the
> Apple iPad, but Apple iPhones are seeing this issue.
> >> >
> >> > I am curious how many others are experiencing this issue and what
> they are doing about this?  I have 2 other authentication 

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

[Giovanni Trapasso via PacketFence-users]

Hi Diego,

Thanks for your reply.

We are using this for our Guest SSID, we don't want our internal Google
users to use it.  Have not experienced any issues with Android clients.

For anyone else who might be experiencing this blocking issue from Google
we wrote up a workaround for people using iPhone and Google.

1.Connect to Guest Wi-Fi Network: Go to your device's Wi-Fi settings
and connect to the Guest network.
2.Choose Google as Authenticator Provider: When prompted for
authentication, select "Google" as your authenticator provider
3.Agree to Terms: Accept the terms and conditions presented on the
screen.
4.Bypass Access Block Page: If you encounter an access block page,
simply tap "Cancel" to proceed.
5.Opt for Offline Use: Select the option to use the internet "Without
Internet" or "Offline Mode" if prompted.
6.Open Safari and Enter URL: Launch Safari web browser and type in the
URL "captive.apple.com" in the address bar.
7.Sign in with Google Account: Follow the on-screen prompts to
authenticate using your Google account credentials.

On Wed, Jun 12, 2024 at 12:08 PM Diego Garcia del Rio 
wrote:

> the only way to get proper google authentication is using the ldap
> integration and your own google workspace domain (asuming you want to
> authenticate users from the ualberta.ca domain). It wont work for
> generic gmail.com users though
>
> to do this, you need to enable Secure LDAP in the google workspace admin.
>
> Android users are also similarly affected, though in some cases, the
> OS launches the full browser instead of the captive portal limited
> browser.
>
>
> On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
> PacketFence-users  wrote:
> >
> > Hi Everyone,
> >
> > I just deployed a PacketFence captive portal for my guest wireless with
> Google as one of my Authentication Sources.  I have started receiving
> complaints when apple iphone users are trying to use the google option to
> authenticate on my captive portal.  They press the Google button, they get
> the acceptable use page but right after they press the accept button they
> get an error from accounts.google.com.  The error is similar to this:
> >
> > "
> > Access Blocked: Google appsheet's request does not comply
> with Google's Policies
> >
> >  request does not comply with Google's 'Use secure browsers'
> policy. if this app has a website, you can open a web browser and try
> signing in from there. if you are attempting to access a wireless network,
> Please follow these instructions.
> >
> > You can also contact the developer to let them know that their app must
> comply with Google's 'Use secure browser' policy.
> >
> > Learn more about the error
> >
> > If you are developer of . See error details.
> >
> > Error: 403: disallowed_useragent
> > "
> >
> > Of course this is due to a security policy Google is enforcing.  My
> captive portal is working fine with all types of other devices, even the
> Apple iPad, but Apple iPhones are seeing this issue.
> >
> > I am curious how many others are experiencing this issue and what they
> are doing about this?  I have 2 other authentication sources for my guest
> users to choose from so it might not be a big deal
> > --
> >
> >
> > ___
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>


-- 
___
Giovanni Trapasso
Digital Networks and Data Center Services
Information Services & Technology (IST)
269 General Services Building
University of Alberta
Edmonton, Alberta, Canada
T6G 2E5

Phone: (780) 492-4696

To open a Technical Service call with IST go to:
https://ist.ualberta.ca/ 

** This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and/or privileged
information. Please contact me immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communication received in error, or subsequent
reply, should be deleted or destroyed.**
___
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

[Diego Garcia del Rio via PacketFence-users]

the only way to get proper google authentication is using the ldap
integration and your own google workspace domain (asuming you want to
authenticate users from the ualberta.ca domain). It wont work for
generic gmail.com users though

to do this, you need to enable Secure LDAP in the google workspace admin.

Android users are also similarly affected, though in some cases, the
OS launches the full browser instead of the captive portal limited
browser.


On Wed, Jun 12, 2024 at 10:25 AM Giovanni Trapasso via
PacketFence-users  wrote:
>
> Hi Everyone,
>
> I just deployed a PacketFence captive portal for my guest wireless with 
> Google as one of my Authentication Sources.  I have started receiving 
> complaints when apple iphone users are trying to use the google option to 
> authenticate on my captive portal.  They press the Google button, they get 
> the acceptable use page but right after they press the accept button they get 
> an error from accounts.google.com.  The error is similar to this:
>
> "
> Access Blocked: Google appsheet's request does not comply with 
> Google's Policies
>
>  request does not comply with Google's 'Use secure browsers' 
> policy. if this app has a website, you can open a web browser and try signing 
> in from there. if you are attempting to access a wireless network, Please 
> follow these instructions.
>
> You can also contact the developer to let them know that their app must 
> comply with Google's 'Use secure browser' policy.
>
> Learn more about the error
>
> If you are developer of . See error details.
>
> Error: 403: disallowed_useragent
> "
>
> Of course this is due to a security policy Google is enforcing.  My captive 
> portal is working fine with all types of other devices, even the Apple iPad, 
> but Apple iPhones are seeing this issue.
>
> I am curious how many others are experiencing this issue and what they are 
> doing about this?  I have 2 other authentication sources for my guest users 
> to choose from so it might not be a big deal
> --
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Cannot show

[Stephen Winata via PacketFence-users]

Can someone help me with the captive portal i use packet fence zen 13.1 i
have some problem with the captive portal so i already follow documentation
about packet fence and im stuck in captive portal it just won’t show i
already got the vlan guest but every time i search
https://.packetfence.or… 
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal - Google (OAuth 2) - iphone error

[Giovanni Trapasso via PacketFence-users]

Hi Everyone,

I just deployed a PacketFence captive portal for my guest wireless with
Google as one of my Authentication Sources.  I have started receiving
complaints when apple iphone users are trying to use the google option
to authenticate on my captive portal.  They press the Google button, they
get the acceptable use page but right after they press the accept button
they get an error from accounts.google.com.  The error is similar to this:

"
Access Blocked: Google appsheet's request does not comply with
Google's Policies

 request does not comply with Google's 'Use secure browsers'
policy. if this app has a website, you can open a web browser and try
signing in from there. if you are attempting to access a wireless network,
Please follow these instructions.

You can also contact the developer to let them know that their app must
comply with Google's 'Use secure browser' policy.

Learn more about the error

If you are developer of . See error details.

Error: 403: disallowed_useragent
"

Of course this is due to a security policy Google is enforcing.  My captive
portal is working fine with all types of other devices, even the Apple
iPad, but Apple iPhones are seeing this issue.

I am curious how many others are experiencing this issue and what they are
doing about this?  I have 2 other authentication sources for my guest users
to choose from so it might not be a big deal
--
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] captive portal after 10 min of inactivity

[Fabrice Durand via PacketFence-users]

You can configure the the idle-timeout on the AP/Controller side to 10
minutes , configure the accounting too and on the PacketFence side in the
connection profile enable "Automatically deregister devices on accounting
stop"

Le mer. 15 mai 2024 à 13:27, leonardo.izzo--- via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi, the director of the school where I have to configure PF would like
> that after authenticating with a captive portal from a browser with Google
> Workstation credentials, after 10 minutes of inactivity this captive portal
> appears again. This is because they have many devices that do not belong to
> a specific teacher, but can pass from one teacher to another throughout the
> day. How can I solve it? Thank you
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] captive portal after 10 min of inactivity

[leonida368--- via PacketFence-users]

Hi, the director of the school where I have to configure PF would like that
after authenticating with a captive portal from a browser with Google
Workstation credentials, after 10 minutes of inactivity this captive portal
appears again. This is because they have many devices that do not belong to
a specific teacher, but can pass from one teacher to another throughout the
day. How can I solve it? Thank you

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] captive portal after 10 min of inactivity

[leonardo.izzo--- via PacketFence-users]

Hi, the director of the school where I have to configure PF would like that
after authenticating with a captive portal from a browser with Google
Workstation credentials, after 10 minutes of inactivity this captive portal
appears again. This is because they have many devices that do not belong to
a specific teacher, but can pass from one teacher to another throughout the
day. How can I solve it? Thank you

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal is only accessible when iptables is disabled

[Daniel Zook via PacketFence-users]

Hi Eric,

I saw your post from 8/21/23:
https://sourceforge.net/p/packetfence/mailman/message/37887654/

I did not experience the problem on our test server (ZEN, 13.1.0), but I
ran into the same issue with a brand-new cluster install (ISO 13.1.0).  I
found that it is because the DNS servers are not being allowed inbound.

If you or anyone else knows what iptables entry is required, please share,
thanks.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal is only accessible when iptables is disabled

[Daniel Zook via PacketFence-users]

I compared the iptables.conf file between the ZEN and the ISO/Cluster
install, and they are exactly the same.  They both allow DNS inbound
via these entries:

:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT


I discovered that DNS only fails in a cluster in certain scenarios.  I
tested it by performing a lookup from a client in the registration
network while specifying the DNS server IP to use (e.g. nslookup
pf1.emu.edu 10.9.0.2)

iptables running on pf1 only
Pf1: succeeds
Pf2: succeeds
Pf3: failed
Pfcluster: succeeded

iptables running on pf2 only
Pf1: failed
Pf2: succeeded
Pf3: failed
Pfcluster: failed

iptables running on pf3 only
Pf1: succeeded
Pf2: failed
Pf3: failed
Pfcluster: succeeded

I'm baffled.  Has anyone else experienced this?  Should I report this
as an issue on GitHub?
(Version 13.1, fresh install from PacketFence ISO)


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal or DNS Enforcement

[Angela Foster via PacketFence-users]

Hello,

I am trying to implement PacketFence in a way that will force all connected 
clients to an external URL. Currently, I don't really need these devices to go 
through any kind of registration process - the fact that they are in the VLAN 
talking to PacketFence is enough reason to force the clients to do this. For my 
use case, the VLAN provisioning is being done outside of PacketFence. Ie, once 
a client connects to the external URL and completes what they need to there, 
the VLAN will be reprovisioned by another server and service. Is there a way to 
implement inline mode, and force all users - registered or not - to an external 
URL? Or do I need to use DNS Enforcement with another device serving as the 
gateway to the VLAN to achieve this?

I currently have PacketFence Zen 13.1 installed and running. Appreciate any 
guidance!

Angela




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Aruba Switch

[Westfalia Spielgeräte GmbH]

Hello,

I am attempting to achieve a Captive Portal setup with PacketFence for external 
users using Aruba Switches. I have successfully configured authentication via 
Active Directory for internal computers and users, which is functioning 
properly. However, I am probably encountering an issue with the Switch 
configuration, as the Captive Portal isn't displayed automatically.

My Aruba 2540 Switch is configured as follows:

snmpv3 enable
snmpv3 restricted-access
snmpv3 group managerpriv user "packetfence" sec-model ver3
snmpv3 notify "Packetfencenotify" tagvalue "xx" type inform
snmpv3 targetaddress "PacketfenceTargetaddress" params "x" 
172.25.0.124
 taglist ""
snmpv3 user "packetfence"
aaa server-group radius "PacketFence" host 172.25.0.124
aaa accounting network start-stop radius server-group "PacketFence"
aaa authentication port-access eap-radius server-group "PacketFence"
aaa authentication mac-based chap-radius server-group "PacketFence"
aaa authentication captive-portal enable
aaa authentication captive-portal profile "CaptiveGuestPortal"
aaa port-access authenticator 20
aaa port-access authenticator 20 tx-period 10
aaa port-access authenticator active
aaa port-access mac-based 20
aaa port-access mac-based 20 addr-moves
aaa port-access mac-based 20 reauth-period 14400
aaa port-access 20 auth-order authenticator mac-based

I can confirm that the MAC address is being accepted by PacketFence, and the 
laptop is gaining access to the network. However, when I open a browser, no 
Captive Portal is displayed automatically. I can manually open it by entering 
"172.25.0.124/captive-portal", and I can see that PacketFence is applying the 
Guest role. But when I click on the node, it says the node (Mac-Address) does 
not exist.

I am also a bit confused about the network device guide: [PacketFence Network 
Devices Configuration 
Guide](https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba).
 It states that I should enter "Role by Web Auth URL" as 
"http://172.25.0.124/Aruba::ArubaOS_Switch_16_x;. However, when I try that link 
in my browser, it says "not implemented GET not supported for current URL". 
Instead, I entered "http://172.25.0.124/captive-portal;, but I'm not sure if 
that is correct or if I missed something.
My main issue remains that the Captive Portal is not shown automatically. Any 
help would be great, so i can understand the mistake better.

Thank you!

Regards
Kai
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Packetfence 13.0.0

[Carlos Wetli via PacketFence-users]

Hello,

For an upcoming project I am testing the captive portal for wired users.
I installed the latest version of Packetfence (13.0.0) in a lab
environment (based on Cisco devices) I did the basic configuration
(Network, DNS, Cert, MAC-Authentication).

The MAB ist working fine. Within Radius answer, the switch is receiving
the vlan, information regarding redirection as shown below:

Nov 21 19:01:01.793: RADIUS: Tunnel-Private-Group[81]  5   "100"
Nov 21 19:01:01.793: RADIUS:  Tunnel-Medium-Type  [65]  6
00:ALL_802[6]
Nov 21 19:01:01.793: RADIUS:  Vendor, Cisco   [26]  38
Nov 21 19:01:01.793: RADIUS:   Cisco AVpair   [1]   32
"url-redirect-acl=ACL-4-WEBAUTH"
Nov 21 19:01:01.796: RADIUS:  Vendor, Cisco   [26]  73
Nov 21 19:01:01.796: RADIUS:   Cisco AVpair   [1]   67
"url-redirect=https://pf13.cwe.home/Cisco::Catalyst_2960/sidce32f3;
Nov 21 19:01:01.796: RADIUS:  Reply-Message   [18]  33
Nov 21 19:01:01.796: RADIUS:   22 50 46 31 33 20 69 6E 20 4D 41 42 2D 43
50 20  ["PF13 in MAB-CP ]
Nov 21 19:01:01.796: RADIUS:   46 69 6C 74 65 72 20 53 65 63 74 69 6F 6E
22   [ Filter Section"]
Nov 21 19:01:01.796: RADIUS:  Tunnel-Type [64]  6
00:VLAN   [13]
Nov 21 19:01:01.796: RADIUS:  Filter-Id   [11]  6
Nov 21 19:01:01.796: RADIUS:   63 77 63 77  [ cwcw]

The user tries to connect to a web site and gets redirected to the
captive portal as expected.  At this stage the user is always getting
the same web page with the message "your network should be enabled
within a minute or two...". My expectation is that the user should get a
new page, in which he can accept the terms and conditions. When accepted
the users (MAC) ist the registered and access is granted for the defined
time.

Logs:

Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(16) INFO: [mac:unknown] External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(16) INFO: [mac:unknown] Detected external portal client.
Using the IP 192.168.1.115 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] External captive portal
detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] Detected external portal
client. Using the IP 192.168.1.115 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] Instantiate profile
Non_EAP (pf::Connection::ProfileFactory::_from_profile)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:unknown] External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:unknown] Detected external portal client.
Using the IP 192.168.1.115 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] External captive portal
detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Detected external portal
client. Using the IP 192.168.1.115 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Instantiate profile
Non_EAP (pf::Connection::ProfileFactory::_from_profile)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Device is registered and
still on the portal, attempting to release it again.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(15) INFO: [mac:unknown] External captive portal detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(15) INFO: [mac:unknown] Detected external portal client.
Using the IP 192.168.1.115 address in it's session.
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:
httpd.portal(15) INFO: [mac:00:1c:c4:cb:92:20] External captive portal
detected !
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]:

[PacketFence-users] Captive Portal Packetfence 13.0.0 looping

[cwe via PacketFence-users]

Hello,

For a upcoming project I am testing the captive portal for wired users. 
I installed the latest version of Packetfence (13.0.0) in a lab 
environment (based on Cisco devices) I did the basic configuration 
(Network, DNS, Cert, MAC-Authentication).


The MAB ist working fine. Within Radius answer, the switch is receiving 
the vlan, information regarding redirection as shown below:


Nov 21 19:01:01.793: RADIUS: Tunnel-Private-Group[81]  5   "100"
Nov 21 19:01:01.793: RADIUS:  Tunnel-Medium-Type  [65]  6 
00:ALL_802    [6]

Nov 21 19:01:01.793: RADIUS:  Vendor, Cisco   [26]  38
Nov 21 19:01:01.793: RADIUS:   Cisco AVpair   [1]   32 
"url-redirect-acl=ACL-4-WEBAUTH"

Nov 21 19:01:01.796: RADIUS:  Vendor, Cisco   [26]  73
Nov 21 19:01:01.796: RADIUS:   Cisco AVpair   [1]   67 
"url-redirect=https://pf13.cwe.home/Cisco::Catalyst_2960/sidce32f3;

Nov 21 19:01:01.796: RADIUS:  Reply-Message   [18]  33
Nov 21 19:01:01.796: RADIUS:   22 50 46 31 33 20 69 6E 20 4D 41 42 2D 43 
50 20  ["PF13 in MAB-CP ]
Nov 21 19:01:01.796: RADIUS:   46 69 6C 74 65 72 20 53 65 63 74 69 6F 6E 
22   [ Filter Section"]
Nov 21 19:01:01.796: RADIUS:  Tunnel-Type [64]  6 
00:VLAN   [13]

Nov 21 19:01:01.796: RADIUS:  Filter-Id   [11]  6
Nov 21 19:01:01.796: RADIUS:   63 77 63 77  [ cwcw]

The user tries to connect to a web site and gets redirected to the 
captive portal as expected.  At this stage the user is always getting 
the same web page with the message "your network should be enabled 
within a minute or two...". My expectation is that the user should get a 
new page, in which he can accept the terms and conditions. When accepted 
the users (MAC) ist the registered and access is granted for the defined 
time.


Logs:

Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(16) INFO: [mac:unknown] External captive portal detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(16) INFO: [mac:unknown] Detected external portal client. 
Using the IP 192.168.1.115 address in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] External captive portal 
detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] Detected external portal 
client. Using the IP 192.168.1.115 address in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(16) INFO: [mac:00:1c:c4:cb:92:20] Instantiate profile 
Non_EAP (pf::Connection::ProfileFactory::_from_profile)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:unknown] External captive portal detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:unknown] Detected external portal client. 
Using the IP 192.168.1.115 address in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] External captive portal 
detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Detected external portal 
client. Using the IP 192.168.1.115 address in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Instantiate profile 
Non_EAP (pf::Connection::ProfileFactory::_from_profile)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(14) INFO: [mac:00:1c:c4:cb:92:20] Device is registered and 
still on the portal, attempting to release it again. 
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(15) INFO: [mac:unknown] External captive portal detected ! 
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(15) INFO: [mac:unknown] Detected external portal client. 
Using the IP 192.168.1.115 address in it's session. 
(captiveportal::PacketFence::Model::Portal::Session::_build_clientIP)
Nov 21 19:04:25 PF13 httpd.portal-docker-wrapper[35011]: 
httpd.portal(15) INFO: [mac:00:1c:c4:cb:92:20] External captive portal 
detected ! 

[PacketFence-users] Captive Portal is only accessible when iptables is disabled

[Eric Rolleman via PacketFence-users]

I recently upgraded my PacketFence install to 13.0.0 from 11.3.0 (in case this 
is related).

I now have this issue where the captive portal is only available to those on 
the Registration Vlan if the iptables service is turned off.

I have an interface assigned to Management, Registration and Isolation with 
DHCP turned on for the Registration interface.

The device is placed on Registration as expected and receives an IP address, 
however the Captive Portal page doesn't work unless I have the iptables service 
stopped.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal and DACLs problems on version 12.2 (Aruba 2930M)

[Fabrice Durand via PacketFence-users]

Hello Yassine,

I backported a fix for that on 12.2 , the new package should be available
tomorrow.

Regards
Fabrice


Le mar. 9 mai 2023 à 08:28, TISSIR, Yassine via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Still stuck on the same problem
> Any suggestion would be really appreciated
>
> Le lun. 3 avr. 2023 à 23:20, TISSIR, Yassine <56...@etu.he2b.be> a écrit :
>
>> Hello everyone ,
>> I'm currently testing packetfence for my company. I started with version
>> 11.2 but I decided to upgrade to 12.2 because of an issue that I think
>> prevented getting the captive portal to work in vlan enforcement mode (A
>> guest computer placed in the registration VLAN was redirected to
>> "packetfence.domain/captive-portal" that points to  66.70.255.147 but the
>> page was loading indefinitely). The problem is that after the update I have
>> the following error when trying to save ACLs for registration VLAN:
>>
>>  "AccessListMapping.0.accesslist: WARNING: Syntax error in
>> ACL:packetfence, near: >in<.
>> "config/switch/192.168.1.10"
>>
>> I also had an AD authentication source for the domain computers that
>> worked fine before the update, but stopped working now (Audit tab shows
>> successfuls authentications, but the computers don't get internet access
>> anymore).
>>
>> Here is my switches.conf :
>>
>> [default]
>> description=aruba sw
>> VlanMap=N
>> ExternalPortalEnforcement=Y
>> deauthOnPrevious=N
>> [192.168.1.10]
>> group=default
>> description=ARUBA 2930
>> wsPwd=xx
>> wsUser=xx
>> SNMPPrivProtocolWrite=md5
>> SNMPPrivProtocolRead=md5
>> SNMPAuthProtocolRead=md5
>> SNMPAuthProtocolWrite=md5
>> SNMPUserNameWrite=xx
>> SNMPVersion=3
>> SNMPUserNameRead=xx
>> SNMPAuthPasswordWrite=xx
>> SNMPAuthPasswordRead=xx
>> SNMPPrivPasswordRead=xx
>> SNMPPrivPasswordWrite=xx
>> SNMPEngineID=xx
>> SNMPPrivProtocolTrap=AES
>> SNMPUserNameTrap=xx
>> SNMPAuthProtocolTrap=md5
>> SNMPVersionTrap=3
>> SNMPAuthPasswordTrap=xx
>> SNMPPrivPasswordTrap=xx
>> guestVlan=10
>> defaultVlan=10
>> registrationVlan=20
>> type=Aruba::2930M
>> radiusSecret=xx
>> VlanMap=Y
>> coaPort=3799
>> isolationVlan=99
>> UserVlan=10
>> macDetectionVlan=20
>> ExternalPortalEnforcement=N
>> registrationUrl=http://192.168.1.4/Aruba::2930M
>> UrlMap=Y
>> AccessListMap=Y
>>
>>
>> The ACLS that I try to save are the one from the Network Devices
>> Configuration Guide for Aruba 2930 switch:
>>
>> permit in tcp from any to 192.168.1.4 80
>> permit in tcp from any to 192.168.1.4 443
>> deny in tcp from any to any 80 cpy
>> deny in tcp from any to any 443 cpy
>> permit in udp from any to any 53
>> permit in udp from any to any 67
>>
>> Any help would be really appreciated
>>
>>
>>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal and DACLs problems on version 12.2 (Aruba 2930M)

[TISSIR, Yassine via PacketFence-users]

Still stuck on the same problem
Any suggestion would be really appreciated

Le lun. 3 avr. 2023 à 23:20, TISSIR, Yassine <56...@etu.he2b.be> a écrit :

> Hello everyone ,
> I'm currently testing packetfence for my company. I started with version
> 11.2 but I decided to upgrade to 12.2 because of an issue that I think
> prevented getting the captive portal to work in vlan enforcement mode (A
> guest computer placed in the registration VLAN was redirected to
> "packetfence.domain/captive-portal" that points to  66.70.255.147 but the
> page was loading indefinitely). The problem is that after the update I have
> the following error when trying to save ACLs for registration VLAN:
>
>  "AccessListMapping.0.accesslist: WARNING: Syntax error in
> ACL:packetfence, near: >in<.
> "config/switch/192.168.1.10"
>
> I also had an AD authentication source for the domain computers that
> worked fine before the update, but stopped working now (Audit tab shows
> successfuls authentications, but the computers don't get internet access
> anymore).
>
> Here is my switches.conf :
>
> [default]
> description=aruba sw
> VlanMap=N
> ExternalPortalEnforcement=Y
> deauthOnPrevious=N
> [192.168.1.10]
> group=default
> description=ARUBA 2930
> wsPwd=xx
> wsUser=xx
> SNMPPrivProtocolWrite=md5
> SNMPPrivProtocolRead=md5
> SNMPAuthProtocolRead=md5
> SNMPAuthProtocolWrite=md5
> SNMPUserNameWrite=xx
> SNMPVersion=3
> SNMPUserNameRead=xx
> SNMPAuthPasswordWrite=xx
> SNMPAuthPasswordRead=xx
> SNMPPrivPasswordRead=xx
> SNMPPrivPasswordWrite=xx
> SNMPEngineID=xx
> SNMPPrivProtocolTrap=AES
> SNMPUserNameTrap=xx
> SNMPAuthProtocolTrap=md5
> SNMPVersionTrap=3
> SNMPAuthPasswordTrap=xx
> SNMPPrivPasswordTrap=xx
> guestVlan=10
> defaultVlan=10
> registrationVlan=20
> type=Aruba::2930M
> radiusSecret=xx
> VlanMap=Y
> coaPort=3799
> isolationVlan=99
> UserVlan=10
> macDetectionVlan=20
> ExternalPortalEnforcement=N
> registrationUrl=http://192.168.1.4/Aruba::2930M
> UrlMap=Y
> AccessListMap=Y
>
>
> The ACLS that I try to save are the one from the Network Devices
> Configuration Guide for Aruba 2930 switch:
>
> permit in tcp from any to 192.168.1.4 80
> permit in tcp from any to 192.168.1.4 443
> deny in tcp from any to any 80 cpy
> deny in tcp from any to any 443 cpy
> permit in udp from any to any 53
> permit in udp from any to any 67
>
> Any help would be really appreciated
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal and DACLs problems on version 12.2 (Aruba 2930M)

[TISSIR, Yassine via PacketFence-users]

Hello everyone ,
I'm currently testing packetfence for my company. I started with version
11.2 but I decided to upgrade to 12.2 because of an issue that I think
prevented getting the captive portal to work in vlan enforcement mode (A
guest computer placed in the registration VLAN was redirected to
"packetfence.domain/captive-portal" that points to  66.70.255.147 but the
page was loading indefinitely). The problem is that after the update I have
the following error when trying to save ACLs for registration VLAN:

 "AccessListMapping.0.accesslist: WARNING: Syntax error in ACL:packetfence,
near: >in<.
"config/switch/192.168.1.10"

I also had an AD authentication source for the domain computers that worked
fine before the update, but stopped working now (Audit tab shows
successfuls authentications, but the computers don't get internet access
anymore).

Here is my switches.conf :

[default]
description=aruba sw
VlanMap=N
ExternalPortalEnforcement=Y
deauthOnPrevious=N
[192.168.1.10]
group=default
description=ARUBA 2930
wsPwd=xx
wsUser=xx
SNMPPrivProtocolWrite=md5
SNMPPrivProtocolRead=md5
SNMPAuthProtocolRead=md5
SNMPAuthProtocolWrite=md5
SNMPUserNameWrite=xx
SNMPVersion=3
SNMPUserNameRead=xx
SNMPAuthPasswordWrite=xx
SNMPAuthPasswordRead=xx
SNMPPrivPasswordRead=xx
SNMPPrivPasswordWrite=xx
SNMPEngineID=xx
SNMPPrivProtocolTrap=AES
SNMPUserNameTrap=xx
SNMPAuthProtocolTrap=md5
SNMPVersionTrap=3
SNMPAuthPasswordTrap=xx
SNMPPrivPasswordTrap=xx
guestVlan=10
defaultVlan=10
registrationVlan=20
type=Aruba::2930M
radiusSecret=xx
VlanMap=Y
coaPort=3799
isolationVlan=99
UserVlan=10
macDetectionVlan=20
ExternalPortalEnforcement=N
registrationUrl=http://192.168.1.4/Aruba::2930M
UrlMap=Y
AccessListMap=Y


The ACLS that I try to save are the one from the Network Devices
Configuration Guide for Aruba 2930 switch:

permit in tcp from any to 192.168.1.4 80
permit in tcp from any to 192.168.1.4 443
deny in tcp from any to any 80 cpy
deny in tcp from any to any 443 cpy
permit in udp from any to any 53
permit in udp from any to any 67

Any help would be really appreciated
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] captive portal page not accessible

[jhyanagi via PacketFence-users]

Hi Ludovic,

Thanks, now I have a better understanding.

I know I can get some expected result if I request something like this.

curl "
http://address-of-eth0/Fortinet::FortiGate?apip=192.168.1.1=11:11:11:22:22:22
"



302 Moved Temporarily


Moved
The document has moved http://address-of-eth0/captive-portal?destination_url=http://www.packetfence.org/=192.168.1.1=11:11:11:22:22:22
">here.




Is the workflow explained in here still valid?

https://www.packetfence.org/doc/PacketFence_Developers_Guide.html#_workflow

If not, is there any update information to have better understanding?

Thanks & Regards,
jhyanagi

On Fri, Mar 17, 2023 at 10:59 AM Zammit, Ludovic  wrote:

> Hello there,
>
> It’s because it’s not a page that you can display or reach, you need to be
> brought there by a external portal mechanism.
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal Lead*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us:  
>  
> 
> 
>
> On Mar 17, 2023, at 1:33 PM, jhyanagi via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello PacketFence users,
>
> I have a better understanding now, so let me answer some of my questions
> for reference.
>
> The actual captive portal page is like below.
>
> http://address-of-eth0/captive-portal
> 
>
> it was not HTTPS but HTTP, it generates an error since it is not the
> correct way to access the portal,
> anyway I can see the captive portal page.
>
> However, I still cannot access the page with
>
> http://address-of-eth0/Cisco::WLC
> 
>
> It looks that the address like /Cisco::WLC or /CoovaChilli is to be used
> as the external portal,
> can anybody explain why I cannot still access this?
>
> what I can get is
>
> 501 Not Implemented
> GET not supported for current URL
>
> Any help would be appreciated.
>
> Thanks. Regards
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
>
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!WDl4ZELj1F_ooitnmRipcjNBz_pcKd-wu4ZIQWF9SxcKF_DKziHWELA4oCTcy84gPYHh8odwvcu45PvZTD8C4oJBeeaBNBL-XVVWMg$
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] captive portal page not accessible

[Zammit, Ludovic via PacketFence-users]

Hello there,

It’s because it’s not a page that you can display or reach, you need to be 
brought there by a external portal mechanism.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:   
    
  
  


> On Mar 17, 2023, at 1:33 PM, jhyanagi via PacketFence-users 
>  wrote:
> 
> Hello PacketFence users,
> 
> I have a better understanding now, so let me answer some of my questions for 
> reference.
> 
> The actual captive portal page is like below.
> 
> http://address-of-eth0/captive-portal 
> 
> 
> it was not HTTPS but HTTP, it generates an error since it is not the correct 
> way to access the portal,
> anyway I can see the captive portal page.
> 
> However, I still cannot access the page with
> 
> http://address-of-eth0/Cisco::WLC 
> 
> 
> It looks that the address like /Cisco::WLC or /CoovaChilli is to be used as 
> the external portal,
> can anybody explain why I cannot still access this?
> 
> what I can get is
> 
> 501 Not Implemented
> GET not supported for current URL
> 
> Any help would be appreciated.
> 
> Thanks. Regards
> 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!WDl4ZELj1F_ooitnmRipcjNBz_pcKd-wu4ZIQWF9SxcKF_DKziHWELA4oCTcy84gPYHh8odwvcu45PvZTD8C4oJBeeaBNBL-XVVWMg$
>  



smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] captive portal page not accessible

[jhyanagi via PacketFence-users]

Hello PacketFence users,

I have a better understanding now, so let me answer some of my questions
for reference.

The actual captive portal page is like below.

http://address-of-eth0/captive-portal

it was not HTTPS but HTTP, it generates an error since it is not the
correct way to access the portal,
anyway I can see the captive portal page.

However, I still cannot access the page with

http://address-of-eth0/Cisco::WLC

It looks that the address like /Cisco::WLC or /CoovaChilli is to be used as
the external portal,
can anybody explain why I cannot still access this?

what I can get is

501 Not Implemented
GET not supported for current URL

Any help would be appreciated.

Thanks. Regards
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] captive portal page not accessible

[jhyanagi via PacketFence-users]

Hello,

I configured 2 interfaces for PacketFence as below,

eth0 : Type=management + portal daemon
eth1 : Type=Other + radius,portal daemon

I want to set up a captive portal.
My scenario is to make eth1 to exchange radius packets with the wireless
APs,
and to make eth0 to serve the portal page, is this possible?

Captive portal page is shown as expected when I see the preview page.

https://address-of-eth0/portal_preview/captive-portal

However, I don't know how I can access the actual portal page.
I understand that the document mentioned the address like below.

https://address-of-eth0/Cisco::WLC

but what I can see is following error.

404 Site address-of-eth0 is not served on this interface

Will you please correct me if I am missing something?
Thank you for your attention to this matter.

Regards,
jhyanagi
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal problems

[Koppanen Timo via PacketFence-users]

Hi Packetfence,

How do I get the Url implemented?

[cid:image002.png@01D92A70.B2BFAC70]
[cid:image003.png@01D92A70.B2BFAC70]
[cid:image004.png@01D92A70.B2BFAC70]
Br,
Timo


From: Koppanen Timo via PacketFence-users 

Sent: Wednesday, 21 December 2022 8:40
To: packetfence-users@lists.sourceforge.net
Cc: Koppanen Timo 
Subject: Re: [PacketFence-users] Captive Portal problems

Hi all,

Any help would be appreciated.

Br,
Timo

From: Koppanen Timo via PacketFence-users 
mailto:packetfence-users@lists.sourceforge.net>>
Sent: Thursday, 1 December 2022 16:34
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Koppanen Timo 
mailto:timo.koppa...@etteplan.com>>
Subject: [PacketFence-users] Captive Portal problems

Hi all,

I’ve been trying to get captive portal to work for some time now. I have as my 
test device HPE Aruba 2530. I’ve been trying to follow documentations and 
trying scourge the net for information with no luck. 802.1x works fine when 
using computer account (created new cert in our domain) authentication and 
username authentication, and I would like that Captive portal works as a 
fallback for our workers who don’t have AD joined computer be cause of clients 
supply them.


Switch settings, only testing in port 41 for now:

radius-server host pfence-address key "mysecretkey!"
radius-server host pfence-address dyn-authorization
radius-server host pfence-address time-window 0
ip route 0.0.0.0 0.0.0.0 GW
ip source-interface radius vlan 128
snmp-server community "public" operator
snmp-server community "private" operator unrestricted
aaa server-group radius "PacketFence" host pfence-address
aaa accounting network start-stop radius server-group "PacketFence"
aaa authentication port-access eap-radius server-group "PacketFence"
aaa authentication mac-based peap-mschapv2
aaa authentication captive-portal enable
aaa port-access authenticator 37,41
aaa port-access authenticator 37 tx-period 10
aaa port-access authenticator 37 client-limit 2
aaa port-access authenticator 41 tx-period 10
aaa port-access authenticator 41 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 41
aaa port-access mac-based 41 addr-moves
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2-48
   untagged 1,49-52
   no ip address
   exit
vlan 128
   name "VLAN128"
   untagged 2-48
   tagged 1
   ip address myswitches
   exit

I don’t want to use any guest/registration or anything other vlans than my 128, 
which is office vlan in this case. You either get employee profile or you don’t.

On packetfence side I have switch configured as this show:
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.packetfence.org%2Fdoc%2FPacketFence_Network_Devices_Configuration_Guide.html%23_aruba=05%7C01%7C%7C22b270ea76624fb1fc1208dae3a01f67%7C1f23d6d3b1584e45b7e17631cf28c804%7C0%7C0%7C638072574114626834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=ihOmg9aUFk316vVrh0ViPUvWDkUYVl%2F3k5TzRFi%2Feks%3D=0>
and following this as well, skipping the Cisco settings of course:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.packetfence.org%2Fdoc%2FPacketFence_Installation_Guide.html%23_enabling_the_captive_portal=05%7C01%7C%7C22b270ea76624fb1fc1208dae3a01f67%7C1f23d6d3b1584e45b7e17631cf28c804%7C0%7C0%7C638072574114626834%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=cJxaoheqi0ojH6j4aWePh8aMvDlbF%2B8J4ETuiS72NzQ%3D=0>

To test it I unregistered my test pc from packetfence, shutdown wired 
autoconfig, re-plugged ethernet and waited for awhile to see if anything 
happens on PC, am I automatically forwarded to http://mypfenceip/Aruba
Nothing happens. I can see from switch that 802.1x fails and MAC fails, but I 
don’t see anything happening with captive portal.

On PFence logs (radius, packetfence, haproxy[this log is empty]) I don’t see 
anything mentioned about captive portals.

Then when I go from my own computer to the captive portal page mentioned above, 
it just says
Not Implemented
GET not supported for current URL.

What logs should I look in to solve this issue?

Br,
Timo
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal not coming and autjentication failed

[NOUSHAD ALI via PacketFence-users]

Dear Team,

I installed packetfence zen in vlan mode. Created management, registration
and isolation vlans. Created eap profile, local users and I have dlink dgs
1250  manageable switch and configired vlans, enabled AAA, added packefence
as radius server, enabled 802.1x in some ports.
After configuration, I connected a windows 10 pc to 802.1x enabled port of
the switch, but i didn't get packetfence captive portal but  I enabled
wired authentication services in windows machine and connected again, the
windows captive portal coming and while  i entering  the user name and
password that i have created in the packetfence local database it is
showing authentication failed and in the aidit tab showing rejected.
Pls help me to resolve this issue,.

Thank you

Noushadali
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal problems

[Koppanen Timo via PacketFence-users]

Hi all,

Any help would be appreciated.

Br,
Timo

From: Koppanen Timo via PacketFence-users 

Sent: Thursday, 1 December 2022 16:34
To: packetfence-users@lists.sourceforge.net
Cc: Koppanen Timo 
Subject: [PacketFence-users] Captive Portal problems

Hi all,

I’ve been trying to get captive portal to work for some time now. I have as my 
test device HPE Aruba 2530. I’ve been trying to follow documentations and 
trying scourge the net for information with no luck. 802.1x works fine when 
using computer account (created new cert in our domain) authentication and 
username authentication, and I would like that Captive portal works as a 
fallback for our workers who don’t have AD joined computer be cause of clients 
supply them.


Switch settings, only testing in port 41 for now:

radius-server host pfence-address key "mysecretkey!"
radius-server host pfence-address dyn-authorization
radius-server host pfence-address time-window 0
ip route 0.0.0.0 0.0.0.0 GW
ip source-interface radius vlan 128
snmp-server community "public" operator
snmp-server community "private" operator unrestricted
aaa server-group radius "PacketFence" host pfence-address
aaa accounting network start-stop radius server-group "PacketFence"
aaa authentication port-access eap-radius server-group "PacketFence"
aaa authentication mac-based peap-mschapv2
aaa authentication captive-portal enable
aaa port-access authenticator 37,41
aaa port-access authenticator 37 tx-period 10
aaa port-access authenticator 37 client-limit 2
aaa port-access authenticator 41 tx-period 10
aaa port-access authenticator 41 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 41
aaa port-access mac-based 41 addr-moves
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2-48
   untagged 1,49-52
   no ip address
   exit
vlan 128
   name "VLAN128"
   untagged 2-48
   tagged 1
   ip address myswitches
   exit

I don’t want to use any guest/registration or anything other vlans than my 128, 
which is office vlan in this case. You either get employee profile or you don’t.

On packetfence side I have switch configured as this show:
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.packetfence.org%2Fdoc%2FPacketFence_Network_Devices_Configuration_Guide.html%23_aruba=05%7C01%7C%7C537a506eb6634718dca008dad6d11c49%7C1f23d6d3b1584e45b7e17631cf28c804%7C0%7C0%7C638058490863823107%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=%2ByETj%2FkNeIu%2BYgJ4uYDnAFU6wGUtxLECJLrCL1YcE3Y%3D=0>
and following this as well, skipping the Cisco settings of course:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal<https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.packetfence.org%2Fdoc%2FPacketFence_Installation_Guide.html%23_enabling_the_captive_portal=05%7C01%7C%7C537a506eb6634718dca008dad6d11c49%7C1f23d6d3b1584e45b7e17631cf28c804%7C0%7C0%7C638058490863823107%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C=B8QX7nWliQGdIqBASBpISlx%2BTlej8GMfic8uQS29zAg%3D=0>

To test it I unregistered my test pc from packetfence, shutdown wired 
autoconfig, re-plugged ethernet and waited for awhile to see if anything 
happens on PC, am I automatically forwarded to http://mypfenceip/Aruba
Nothing happens. I can see from switch that 802.1x fails and MAC fails, but I 
don’t see anything happening with captive portal.

On PFence logs (radius, packetfence, haproxy[this log is empty]) I don’t see 
anything mentioned about captive portals.

Then when I go from my own computer to the captive portal page mentioned above, 
it just says
Not Implemented
GET not supported for current URL.

What logs should I look in to solve this issue?

Br,
Timo
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] captive portal registration vlan timeout

[haidl--- via PacketFence-users]

Hi,

As my prediction, because your network card has obtained DHCP 
at the registration phase. So after authentication, you are switched to vlan 
38, you have to wait until realiable DHCP timeout


Thanks

From: Raymond, David via PacketFence-users 

Sent: Friday, December 16, 2022 8:32 PM
To: packetfence-users@lists.sourceforge.net
Cc: Raymond, David 
Subject: [PacketFence-users] captive portal registration vlan timeout

Hi guys,

I do some research before asking this question.
I have my registration vlan, assign as a vlan on my eth1 card (eth1.37).
When I use a computer on my testing switch, I have the right vlan assign and 
get the captive portal as expect.

Then, when PF assign the guest vlan 38, I see the profile is apply on the nodes 
interface.
But I get the timeout in the client web interface. If I unplug and plug back 
the cable, the vlan is automatically assign on port.
If I wait until the authentication timer of 600, the vlan is apply as expect.

Where can I see why it doesn't work ? I know I'm close to the solution, just 
need little help.

Thanks


David Raymond

Ce courriel (de même que ses fichiers joints) est strictement réservé à l'usage 
de la personne ou de l'entité à qui il est adressé et peut contenir de 
l'information privilégiée et confidentielle. Toute divulgation, distribution ou 
copie de ce courriel est strictement prohibée. Si vous avez reçu ce courriel 
par erreur, veuillez nous en aviser sur-le-champ, détruire toutes les copies et 
le supprimer de votre système informatique. Barrette et ses sociétés affiliées 
se réservent le droit de surveiller toutes les communications par courriel à 
travers leurs réseaux et déclinent toute responsabilité pour l'exactitude et le 
contenu de ce courriel et sa pièce jointe et pour tout dommage ou perte 
résultant de toutes inexactitudes, erreurs, virus ou autres éléments de nature 
destructrice reliés à ce courriel ou à sa pièce jointe.

This communication (including its attachment) is intended solely for the person 
or entity to whom it is addressed, and may contain confidential or privileged 
information. The disclosure, distribution or copying of this message is 
strictly forbidden. Should you have received this communication in error, 
kindly contact the sender promptly, destroy any copies and delete this message 
from your computer system. Barrette and its affiliates reserve the right to 
monitor all e-mail communications through their networks and disclaim all 
responsibility and liability for the accuracy and content of this e-mail 
message and its attachment and for any damages or losses arising from any 
inaccuracies, errors, viruses, or other items of a destructive nature in 
connection with such e-mail message or its attachment.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] captive portal registration vlan timeout

[Raymond, David via PacketFence-users]

Hi guys,

I do some research before asking this question.
I have my registration vlan, assign as a vlan on my eth1 card (eth1.37).
When I use a computer on my testing switch, I have the right vlan assign and 
get the captive portal as expect.

Then, when PF assign the guest vlan 38, I see the profile is apply on the nodes 
interface.
But I get the timeout in the client web interface. If I unplug and plug back 
the cable, the vlan is automatically assign on port.
If I wait until the authentication timer of 600, the vlan is apply as expect.

Where can I see why it doesn't work ? I know I'm close to the solution, just 
need little help.

Thanks


David Raymond

Ce courriel (de m?me que ses fichiers joints) est strictement r?serv? ? l'usage 
de la personne ou de l'entit? ? qui il est adress? et peut contenir de 
l'information privil?gi?e et confidentielle. Toute divulgation, distribution ou 
copie de ce courriel est strictement prohib?e. Si vous avez re?u ce courriel 
par erreur, veuillez nous en aviser sur-le-champ, d?truire toutes les copies et 
le supprimer de votre syst?me informatique. Barrette et ses soci?t?s affili?es 
se r?servent le droit de surveiller toutes les communications par courriel ? 
travers leurs r?seaux et d?clinent toute responsabilit? pour l'exactitude et le 
contenu de ce courriel et sa pi?ce jointe et pour tout dommage ou perte 
r?sultant de toutes inexactitudes, erreurs, virus ou autres ?l?ments de nature 
destructrice reli?s ? ce courriel ou ? sa pi?ce jointe.

This communication (including its attachment) is intended solely for the person 
or entity to whom it is addressed, and may contain confidential or privileged 
information. The disclosure, distribution or copying of this message is 
strictly forbidden. Should you have received this communication in error, 
kindly contact the sender promptly, destroy any copies and delete this message 
from your computer system. Barrette and its affiliates reserve the right to 
monitor all e-mail communications through their networks and disclaim all 
responsibility and liability for the accuracy and content of this e-mail 
message and its attachment and for any damages or losses arising from any 
inaccuracies, errors, viruses, or other items of a destructive nature in 
connection with such e-mail message or its attachment.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal problems

[Koppanen Timo via PacketFence-users]

Hi all,

I’ve been trying to get captive portal to work for some time now. I have as my 
test device HPE Aruba 2530. I’ve been trying to follow documentations and 
trying scourge the net for information with no luck. 802.1x works fine when 
using computer account (created new cert in our domain) authentication and 
username authentication, and I would like that Captive portal works as a 
fallback for our workers who don’t have AD joined computer be cause of clients 
supply them.


Switch settings, only testing in port 41 for now:

radius-server host pfence-address key "mysecretkey!"
radius-server host pfence-address dyn-authorization
radius-server host pfence-address time-window 0
ip route 0.0.0.0 0.0.0.0 GW
ip source-interface radius vlan 128
snmp-server community "public" operator
snmp-server community "private" operator unrestricted
aaa server-group radius "PacketFence" host pfence-address
aaa accounting network start-stop radius server-group "PacketFence"
aaa authentication port-access eap-radius server-group "PacketFence"
aaa authentication mac-based peap-mschapv2
aaa authentication captive-portal enable
aaa port-access authenticator 37,41
aaa port-access authenticator 37 tx-period 10
aaa port-access authenticator 37 client-limit 2
aaa port-access authenticator 41 tx-period 10
aaa port-access authenticator 41 client-limit 2
aaa port-access authenticator active
aaa port-access mac-based 41
aaa port-access mac-based 41 addr-moves
vlan 1
   name "DEFAULT_VLAN"
   no untagged 2-48
   untagged 1,49-52
   no ip address
   exit
vlan 128
   name "VLAN128"
   untagged 2-48
   tagged 1
   ip address myswitches
   exit

I don’t want to use any guest/registration or anything other vlans than my 128, 
which is office vlan in this case. You either get employee profile or you don’t.

On packetfence side I have switch configured as this show:
https://www.packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_aruba
and following this as well, skipping the Cisco settings of course:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal

To test it I unregistered my test pc from packetfence, shutdown wired 
autoconfig, re-plugged ethernet and waited for awhile to see if anything 
happens on PC, am I automatically forwarded to http://mypfenceip/Aruba
Nothing happens. I can see from switch that 802.1x fails and MAC fails, but I 
don’t see anything happening with captive portal.

On PFence logs (radius, packetfence, haproxy[this log is empty]) I don’t see 
anything mentioned about captive portals.

Then when I go from my own computer to the captive portal page mentioned above, 
it just says
Not Implemented
GET not supported for current URL.

What logs should I look in to solve this issue?

Br,
Timo
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal customizations gone after upgrade

[Quiniou-Briand, Nicolas via PacketFence-users]

Hello,

Logo issue [1] has been fixed in maintenance/12.0 branch.
You can follow this procedure [2] to apply it.

[1] https://github.com/inverse-inc/packetfence/issues/7243
[2] 
https://github.com/inverse-inc/packetfence/issues/7243#issuecomment-1280836967


Nicolas Quiniou-Briand
Product Support Engineer

[cid:image005.png@01D8E456.5B365F40]


Office: +33156696210

Akamai Technologies
145 Broadway
Cambridge, MA 02142


Connect with Us:

[cid:image006.jpg@01D8E456.5B365F40] 
[cid:image007.png@01D8E456.5B365F40]   
[cid:image008.png@01D8E456.5B365F40]   
[cid:image009.png@01D8E456.5B365F40] 
  
[cid:image010.png@01D8E456.5B365F40] 
  
[cid:image011.png@01D8E456.5B365F40] 




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal customizations gone after upgrade

[Matthies, Heiko via PacketFence-users]

Hi Jake,

this is to be expected as packetfence overrides the content of the 
captive-portal folder with each update (as far as I know). The only thing saved 
are the customizations made in the Web-UI (customization under the connection 
profile). Our current workaround is to save the css/image files before updating 
the system and reinserting them after the update.

Kind regards,

Heiko Matthies


[cid:2018_Signatur_ASAP_Engineering_607ba42f-d9c6-4abe-af16-b2b0953d2657.png]

[cid:MK_FB_Bayerns_Best_50_Mailsignatur_20220808_5e0395c7-1b32-4dd9-96cf-94c702a6ef87.jpg]<https://www.asap.de/newsroom/presse-detail/asap-gruppe-zaehlt-erneut-zu-bayerns-best-50>

ASAP Engineering GmbH Sachsstra?e 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 
399
heiko.matth...@asap.de<mailto:heiko.matth...@asap.de> | 
www.asap.de<http://www.asap.de>

Gesch?ftsf?hrer: Michael Neisen, Robert Werner, Christian Schweiger | Sitz der 
Gesellschaft: Gaimersheim | Amtsgericht: Ingolstadt HRB 5408

Datenschutz: Ausf?hrliche Informationen zum Umgang mit Ihren personenbezogenen 
Daten bei ASAP erhalten Sie auf unserer Website unter 
Datenschutz.<http://www.asap.de/datenschutz/>
Von: Sallee, Jake via PacketFence-users 

Gesendet: Dienstag, 4. Oktober 2022 21:17
An: packetfence 
Cc: Sallee, Jake 
Betreff: [PacketFence-users] Captive portal customizations gone after upgrade

All:

Hoping someone can shed some light on this.

We did an upgrade to the latest maintenance patch of PF and the customizations 
we put on the captive portal were removed.

All we did is change the logo (vis the web GUI) and slightly modify the CSS to 
fit our color scheme.

Now our custom logo is a broken jpeg and the CSS has reverted back to the 
default.

I checked out the developers guide for customizing the captive portal but it 
didn't help me much ... full disclosure I am not a web developer so that could 
very well be my fault.

Does anyone have any assistance they can offer to help us get this resolved?


Jake Sallee

SYSTEM ENGINEER AND SECURITY SPECIALIST

Godfather of Bandwidth

UMHB Box 8005 | 900 College Street | Belton, Texas 76513

Phone: 254.295.4658 Fax: 254-295-4221

umhb.edu<http://www.umhb.edu/> [cid:image001.png@01D8DC8B.A8D69670] 
<http://facebook.com/umhb> [cid:image002.png@01D8DC8B.A8D69670] 
<http://instagram.com/umhb> [cid:image003.png@01D8DC8B.A8D69670] 
<http://twitter.com/umhb>



[ESig_UMHB_Primary_4CP_Purple]
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal customizations gone after upgrade

[Sallee, Jake via PacketFence-users]

All:

Hoping someone can shed some light on this.

We did an upgrade to the latest maintenance patch of PF and the customizations 
we put on the captive portal were removed.

All we did is change the logo (vis the web GUI) and slightly modify the CSS to 
fit our color scheme.

Now our custom logo is a broken jpeg and the CSS has reverted back to the 
default.

I checked out the developers guide for customizing the captive portal but it 
didn't help me much ... full disclosure I am not a web developer so that could 
very well be my fault.

Does anyone have any assistance they can offer to help us get this resolved?


Jake Sallee

SYSTEM ENGINEER AND SECURITY SPECIALIST

Godfather of Bandwidth

UMHB Box 8005 | 900 College Street | Belton, Texas 76513

Phone: 254.295.4658 Fax: 254-295-4221

umhb.edu [cid:image001.png@01D8A0DA.6B4CCE60] 
 [cid:image002.png@01D8A0DA.6B4CCE60] 
 [cid:image003.png@01D8A0DA.6B4CCE60] 




[ESig_UMHB_Primary_4CP_Purple]
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal strange behaviour

[Marco Naimoli via PacketFence-users]

Hello, I've (successfully) configured an inline captive portal with SAML
integration; everything works as expected, the user authenticates and after
has access to
internet
All the connection with the captive portals uses ssl, but after
authentication the user
is redirected to
*http*://[captiveportal]/access?lang=
I don't understand why he is redirected to "http" and not "https"; it's an
aesthetic problem,
but does anyone know how can I force redirection to
*https*://[captiveportal]/access?lang=
?
Thank you
Marco
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal - Pass mac address

[Diego Garcia del Rio via PacketFence-users]

not sure which wifi integration you're using (or is it wired?) but, at
least for Ruckus (and im sure others as well), when using web-auth it will
have the mac address in the redirect message and support a "remote"
authentication without any need to forward dhcp to packetfence.

(it can get tricky to configure the access points in the "switches" part)..
I had to add them both by MAC as well as the IP of my controller.. but it
works. I have PF deployed in a remote datacenter and 10 schools which
connect to it (over a VPN, but thats just so I dont expose PF to the
internet). All the school sites have overlapping IPs



On Sun, Sep 25, 2022 at 5:03 PM Michael Weber via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello all,
>
> is there a way to pass the MAC address of the client to the captive
> portal?
> I think something about: https://packetfence/signup?mac=aabbccddeeff
> I would like to use the redirect to a external website and pass the mac to
> the portal with something like:
> http://packetfence/captive-portal?next=next=aabbccddeeff
>
> Background:
> We have multiple offices without VPN that use wifi and got the same subnet
> in the wifi. We configured "Guest pre-registration".
> Now guests are redirected to the captive portal but we only see a invalid
> IP address (because of nat between packetfence and clients)  in the footer
> and no mac address.
> IP Helper is configured and nodes are added to packetfence. Unfortunally
> the IP that shows up on the portal is not the correct one (NAT between
> client and packetfence) and because of that the MAC address is not resolved
> based on the IP.
> The biggest problems are the NAT between the clients and packetfence and
> the that we got the same subnet in wifi for all offices. Perhaps there is a
> other solution? Feel free to provide some ideas 
>
> Best Regards
> Michael
>
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal - Pass mac address

[Michael Weber via PacketFence-users]

Hello all,

is there a way to pass the MAC address of the client to the captive portal? 
I think something about: https://packetfence/signup?mac=aabbccddeeff 
I would like to use the redirect to a external website and pass the mac to the 
portal with something like: 
http://packetfence/captive-portal?next=next=aabbccddeeff

Background:
We have multiple offices without VPN that use wifi and got the same subnet in 
the wifi. We configured "Guest pre-registration". 
Now guests are redirected to the captive portal but we only see a invalid IP 
address (because of nat between packetfence and clients)  in the footer and no 
mac address. 
IP Helper is configured and nodes are added to packetfence. Unfortunally the IP 
that shows up on the portal is not the correct one (NAT between client and 
packetfence) and because of that the MAC address is not resolved based on the 
IP.
The biggest problems are the NAT between the clients and packetfence and the 
that we got the same subnet in wifi for all offices. Perhaps there is a other 
solution? Feel free to provide some ideas 

Best Regards
Michael



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal with N2000-Series not working

[Matthies, Heiko via PacketFence-users]

Greetings,

I'm currently trying to implement a captive portal authentication for my wired 
clients on a Dell N2048P in my test lab. I followed the instructions provided 
by the packetfence documentation 
(https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal)
 but the client does not receive an ip address.
PacketFence accepts the authentication request and returns the following RADiUS 
Reply:
REST-HTTP-Status-Code = 200
REST-HTTP-Status-Code = 200
Cisco-AVPair = "url-redirect-acl=registration"
Cisco-AVPair = "url-redirect=http://10.22.11.250/captive-portal/sidc01cbc;
Tunnel-Private-Group-Id = "66"
Reply-Message = "Request processed by PacketFence"
Session-Timeout = 60
Tunnel-Medium-Type = IEEE-802
Tunnel-Type = VLAN
Termination-Action = RADIUS-Request

My switch configuration looks like this:
no ip http server
ip access-list registration
1000 deny ip any 10.22.11.250 0.0.0.0
1010 permit tcp any any eq http
1020 permit tcp any any eq 443
exit

aaa authentication login "defaultList" local
aaa accounting dot1x default start-stop radius
aaa accounting update newinfo periodic 10
aaa authorization exec "dfltExecAuthList" radius local
authentication enable
dot1x system-auth-control
aaa authentication dot1x default radius
aaa authorization network default radius
switchport voice vlan
aaa server radius dynamic-author
client 10.22.11.250 server-key 7 "*"
auth-type any
exit
radius server auth 10.22.11.250
name "IN"
key 7 "*"
exit
radius server acct 10.22.11.250
name "IN"
key 7 "*"
exit

interface Gi1/0/1
spanning-tree portfast
switchport mode general
authentication host-mode multi-domain
authentication event fail action authorize vlan  66
authentication periodic
authentication timer reauthenticate 82800
authentication timer restart 3600
dot1x timeout supp-timeout 5
dot1x timeout tx-period 5
mab auth-type pap
authentication order mab
lldp tlv-select system-description system-capabilities management-address
lldp notification
lldp med confignotification
switchport voice vlan 12
exit

I'm a bit confused about the "deny ip any 10.22.11.250" Rule in my access-list 
but its written like this in the official documentation. My best guess is that 
the switch does not recognize the client as authenticated and therefore blocks 
any traffic going in and out.
I've already experimented with the "authentication allow-unauth dhcp" command 
but this does not seem to help.

Any hints into the right direction would be appreciated.

Kind Regards

Heiko Matthies

[cid:2018_Signatur_ASAP_Engineering_607ba42f-d9c6-4abe-af16-b2b0953d2657.png]

[cid:MK_FB_Podcast_20210201_70f02930-dafd-4abf-9139-c2414fbba13c.png]

ASAP Engineering GmbH Sachsstra?e 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 
399 | Mobil. +49 (173) 
6729650
heiko.matth...@asap.de | 
www.asap.de

Gesch?ftsf?hrer: Michael Neisen, Robert Werner, Christian Schweiger | Sitz der 
Gesellschaft: Gaimersheim | Amtsgericht: Ingolstadt HRB 5408

Datenschutz: Ausf?hrliche Informationen zum Umgang mit Ihren personenbezogenen 
Daten bei ASAP erhalten Sie auf unserer Website unter 
Datenschutz.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal authentication

[Zammit, Ludovic via PacketFence-users]

Hello Baptiste,

Whiteout 802.1x ? Do you mean can you use Mac authentication ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:   
    
  
  


> On Apr 5, 2022, at 5:45 AM, Baptiste Leroy via PacketFence-users 
>  wrote:
> 
> Hello. I 'm trying to configure captive portal but I noticed on my switch 
> that when we authenticate on the portal it uses 802.1x. Why is that ?Why not 
> transmit credentials through the L3 connectivity we have with PacketFence in 
> registration vlan? I thought that 802.1x was for layer 2 authentication. I'm 
> a bit lost.
> 
> So my question is 
> Is it possible to authenticate through this portal and get dynamic vlan 
> without 802.1x enabled ?
> and how ? :)
> 
> Thanks
> Baptiste
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!A_1FVWCjXFb1aO-IqzLvw3YxnZyHdhJesXN1G1NEoAohp2vMA-RhOiJkBRfkhtxH$
>  



smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal authentication

[Baptiste Leroy via PacketFence-users]

Hello. I 'm trying to configure captive portal but I noticed on my switch
that when we authenticate on the portal it uses 802.1x. Why is that ?Why
not transmit credentials through the L3 connectivity we have with
PacketFence in registration vlan? I thought that 802.1x was for layer 2
authentication. I'm a bit lost.

So my question is
Is it possible to authenticate through this portal and get dynamic vlan
without 802.1x enabled ?
and how ? :)

Thanks
Baptiste
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal (Not Implemented) message.

[Jorge Nolla via PacketFence-users]

Hello Team,

When we configure PF as per the network configuration guide, HA proxy sends the 
following redirect. This redirect is not being recognize as valid via macOS 
captive portal, and displays the following message (Not Implemented. GET not 
supported for current URL). If we open the browser and manually type the URL 
for the captive portal, it opens and we can register the device with out 
issues. We’ve been at this for a week and no luck. Any ideas?

haproxy[2237]: 10.9.129.114:61472 [10/Jan/2022:08:03:07.694] 
portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - 
 3/2/0/0/0 0/0 {10.0.255.99} "GET 
/Cisco::WLC_5500/sid7097c8?=captive.apple.com

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal with AUP-accept only, no prompt for email/telephone...

[Peter Eriksson via PacketFence-users]

Is it possible to create a really simple captive portal for guests where they 
just accept the AUP and then immediately get access? 

Ie, I’m trying to get rid of the prompting for the user’s email address etc… 
But I guess it’s needed to store the “I’ve accepted the AUP” and/or identify 
the guest in the database? 

Any suggestions? :-)

- Peter

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal info popup

[Tomasz Karczewski via PacketFence-users]

Hello,

 

Does it possible to add "?" after login field you can click to popup short
info about login?

Example https://www.w3schools.com/howto/tryit.asp?filename=tryhow_js_popup

 

Tnx in advance for response

 

Tomasz Karczewski

Administrator Sieci

 



 

tkarczew...@man.olsztyn.pl

http://www.man.olsztyn.pl  http://www.uwm.edu.pl

tel. (89) 523 45 55  fax. (89) 523 43 47

 

Ośrodek Eksploatacji i Zarządzania

Miejską Siecią Komputerową OLMAN w Olsztynie

Uniwersytet Warmińsko-Mazurski w Olsztynie

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal with no login

[Aleksandar Mirkovic via PacketFence-users]

Hi,

I am trying to make captive portal with inline configuration where the users 
will be automatically registered and redirected to external website. Is this 
possible without any interaction?

Kind regards,
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Fabrice Durand via PacketFence-users]

Hello Jake,

as Diego said it can be a lack of the dhcp option for the RFC7710 in your
dhcp server (i coded the dhcp server with all my love and you still don't
want to use it).
It can also be a certificate issue, if the certificate expiration date is
more than x months then apple devices don like it and will not follow the
redirection.

If you are able to take a capture from packetfence for a device who have
the issue, t would be easier to troubleshoot.

Regards
Fabrice


Le jeu. 8 juil. 2021 à 17:16, Diego García del Río via PacketFence-users <
packetfence-users@lists.sourceforge.net> a écrit :

> Hi jake,
>
> Its ok.. thats what I had understood
>
> im just surprised that registration / isolation works with an external
> dhcp server. I guess thats what the dhcp listener process is there for
> (snooping the dhcp client information). In general I always expected
> packetfence to identify the client by the fact that its acting as dhcp
> server for the registration/isolation networks. In fact, while external
> dhcp servers can be used for production traffic, isolation/registration is
> meant to be handled with the internal dhcp (as far as I understand). I
> mean, the system seems to be working for you otherwise so it probably works
> fine... but the whole thing is very strange.
>
> sorry for derailing the topic.
>
>
>
>
>
> *Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463
> (x103) | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Thu, 8 Jul 2021 at 15:31, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> I apologize if I did not phrase that correctly.
>>
>> We ARE using PF for isolation and registration, what we are not using is
>> the DHCP functionality that PF offers.
>>
>> We are using our own DHCP servers to provide IPs to clients for
>> registration and isolation, as well as the standard production networks.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> 
>> From: Diego García del Río 
>> Sent: Thursday, July 8, 2021 1:06 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>>
>> EXTERNAL Exercise Caution
>> not using packetfence for isolation/registration is quite surprising. Is
>> that supported at all?
>>
>> Im guessing it works for you.. but still quite surprising. (unless you're
>> using the built-in captive portal of your APs)
>>
>> but if you're using an external dhcp server then the RFC7710 path seems
>> moot...
>>
>>
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<
>> http://www.mediatel.com.ar/> | Juan Carlos Cruz 2360 – 4B (1636),
>> Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net>> wrote:
>> > you might want to check /usr/local/pg/logs for the file
>> httpd.portal.access and look for the string rfc7710 in there?
>>
>> First, thank you for the effort but I didn't see anything in the logs
>> about rfc7710.  But, I have not enabled debugging in the logs yet so there
>> is still hope.
>>
>> Quick question though, currently we do not use PF for our DHCP (even for
>> registration or isolation).  With that in mind would the info you mention
>> still show up in the logs?
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU<http://WWW.UMHB.EDU>
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> 
>> From: Diego García del Río > dgar...@mediatel.com.ar>>
>> Sent: Wednesday, July 7, 2021 5:47 PM
>> To: packetfence-users@lists.sourceforge.net> packetfence-users@lists.sourceforge.net>
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Port

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Diego García del Río via PacketFence-users]

Hi jake,

Its ok.. thats what I had understood

im just surprised that registration / isolation works with an external dhcp
server. I guess thats what the dhcp listener process is there for (snooping
the dhcp client information). In general I always expected packetfence to
identify the client by the fact that its acting as dhcp server for the
registration/isolation networks. In fact, while external dhcp servers can
be used for production traffic, isolation/registration is meant to be
handled with the internal dhcp (as far as I understand). I mean, the system
seems to be working for you otherwise so it probably works fine... but the
whole thing is very strange.

sorry for derailing the topic.





*Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
| Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 –
4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Thu, 8 Jul 2021 at 15:31, Sallee, Jake via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> I apologize if I did not phrase that correctly.
>
> We ARE using PF for isolation and registration, what we are not using is
> the DHCP functionality that PF offers.
>
> We are using our own DHCP servers to provide IPs to clients for
> registration and isolation, as well as the standard production networks.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer and Security Specialist
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Diego García del Río 
> Sent: Thursday, July 8, 2021 1:06 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>
> EXTERNAL Exercise Caution
> not using packetfence for isolation/registration is quite surprising. Is
> that supported at all?
>
> Im guessing it works for you.. but still quite surprising. (unless you're
> using the built-in captive portal of your APs)
>
> but if you're using an external dhcp server then the RFC7710 path seems
> moot...
>
>
>
> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<
> http://www.mediatel.com.ar/> | Juan Carlos Cruz 2360 – 4B (1636), Vicente
> López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net packetfence-users@lists.sourceforge.net>> wrote:
> > you might want to check /usr/local/pg/logs for the file
> httpd.portal.access and look for the string rfc7710 in there?
>
> First, thank you for the effort but I didn't see anything in the logs
> about rfc7710.  But, I have not enabled debugging in the logs yet so there
> is still hope.
>
> Quick question though, currently we do not use PF for our DHCP (even for
> registration or isolation).  With that in mind would the info you mention
> still show up in the logs?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer and Security Specialist
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU<http://WWW.UMHB.EDU>
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> ________________
> From: Diego García del Río  dgar...@mediatel.com.ar>>
> Sent: Wednesday, July 7, 2021 5:47 PM
> To: packetfence-users@lists.sourceforge.net packetfence-users@lists.sourceforge.net>
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>
> EXTERNAL Exercise Caution
> you might want to check /usr/local/pg/logs for the file
> httpd.portal.access and look for the string rfc7710 in there...
>
> (and sorry, its RFC 7710bis, not 7720bis)
>
> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<http://www.mediatel.com.ar
> ><http://www.mediatel.com.ar/> | Juan Carlos Cruz 2360 – 4B (1636),
> Vicente López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Wed, 7 Jul 2021 at 19:45, Diego García del Río  <mailto:dgar...@mediatel.com.ar><mailto:dgar...@mediatel.com.ar dgar...@mediatel.com.ar>>> wrote:
> Hi.. I asume you're running your portal on https? release 10.2 had
> introduced dhcp-based portal discovery (RFC 7720bis support) and apple
> devices, most of which should be running a 2020 or newer os, should support
> it. if you can capture traffic on the portal interface on your clust

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Diego García del Río via PacketFence-users]

not using packetfence for isolation/registration is quite surprising. Is
that supported at all?

Im guessing it works for you.. but still quite surprising. (unless you're
using the built-in captive portal of your APs)

but if you're using an external dhcp server then the RFC7710 path seems
moot...



*Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
| Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 –
4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> > you might want to check /usr/local/pg/logs for the file
> httpd.portal.access and look for the string rfc7710 in there?
>
> First, thank you for the effort but I didn't see anything in the logs
> about rfc7710.  But, I have not enabled debugging in the logs yet so there
> is still hope.
>
> Quick question though, currently we do not use PF for our DHCP (even for
> registration or isolation).  With that in mind would the info you mention
> still show up in the logs?
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer and Security Specialist
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Diego García del Río 
> Sent: Wednesday, July 7, 2021 5:47 PM
> To: packetfence-users@lists.sourceforge.net
> Cc: Sallee, Jake
> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>
> EXTERNAL Exercise Caution
> you might want to check /usr/local/pg/logs for the file
> httpd.portal.access and look for the string rfc7710 in there...
>
> (and sorry, its RFC 7710bis, not 7720bis)
>
> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<
> http://www.mediatel.com.ar/> | Juan Carlos Cruz 2360 – 4B (1636), Vicente
> López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Wed, 7 Jul 2021 at 19:45, Diego García del Río  <mailto:dgar...@mediatel.com.ar>> wrote:
> Hi.. I asume you're running your portal on https? release 10.2 had
> introduced dhcp-based portal discovery (RFC 7720bis support) and apple
> devices, most of which should be running a 2020 or newer os, should support
> it. if you can capture traffic on the portal interface on your cluster, you
> should see that the url for packetfence should be returned in a dhcp option
> (that finishes in "/rfc7710"). I believe the logs might show it (but only
> maybe in debug level)
>
> the clients then query that url. Can you check if the proper,
> load-balanced url is being returned?
>
> somehow maybe the device is failing to contact the /rfc7710 endpoint or
> something, like the client being authenticated is being returned and thus
> the apple device think its logged in?
>
> its a wild guess.. but it would be one option why you see this on apple
> devices.
>
> (newer windows releases should support it as well, but not 100% sure when
> /what release it would be). Android 11 also added support, but of course,
> there you have a much more fragmented ecosystem and i haven't seen
> non-google devices implementing it yet.
>
>
>
>
> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<
> http://www.mediatel.com.ar/> | Juan Carlos Cruz 2360 – 4B (1636), Vicente
> López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net packetfence-users@lists.sourceforge.net>> wrote:
> Hello all!
>
> This is a strange one and I hope someone out there has faced this demon
> before and can help.
>
> We are running PF 10.3 (with latest maintenance patches) in a 3 node
> cluster.
>
> TLDR:  Captive portal issues on iPhones and some mobile devices, cant find
> any reason in the logs as to why it would be happening.  Started happening
> out of the blue, updated to 10.3 and applied all patches but nothing helped.
>
> Long version:
>
> The issue seems to be centered around WiFi on iPhones and some mobile
> computers (laptops, tables, etc) where some are Apple products and some are
> not.  Android phones seem not to be affected.
>
> When an unregistered endpoint is assigned an IP in the registration
> network the device notices the captive portal and tries to open a browser
> window to facilitate the registration process.
>
> However this is where things

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Sallee, Jake via PacketFence-users]

I apologize if I did not phrase that correctly.  

We ARE using PF for isolation and registration, what we are not using is the 
DHCP functionality that PF offers.  

We are using our own DHCP servers to provide IPs to clients for registration 
and isolation, as well as the standard production networks.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río 
Sent: Thursday, July 8, 2021 1:06 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

EXTERNAL Exercise Caution
not using packetfence for isolation/registration is quite surprising. Is that 
supported at all?

Im guessing it works for you.. but still quite surprising. (unless you're using 
the built-in captive portal of your APs)

but if you're using an external dhcp server then the RFC7710 path seems moot...



Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<http://www.mediatel.com.ar/> | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users 
mailto:packetfence-users@lists.sourceforge.net>>
 wrote:
> you might want to check /usr/local/pg/logs for the file httpd.portal.access 
> and look for the string rfc7710 in there?

First, thank you for the effort but I didn't see anything in the logs about 
rfc7710.  But, I have not enabled debugging in the logs yet so there is still 
hope.

Quick question though, currently we do not use PF for our DHCP (even for 
registration or isolation).  With that in mind would the info you mention still 
show up in the logs?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU<http://WWW.UMHB.EDU>

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río 
mailto:dgar...@mediatel.com.ar>>
Sent: Wednesday, July 7, 2021 5:47 PM
To: 
packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

EXTERNAL Exercise Caution
you might want to check /usr/local/pg/logs for the file httpd.portal.access and 
look for the string rfc7710 in there...

(and sorry, its RFC 7710bis, not 7720bis)

Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | 
www.mediatel.com.ar<http://www.mediatel.com.ar><http://www.mediatel.com.ar/> | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 19:45, Diego García del Río 
mailto:dgar...@mediatel.com.ar><mailto:dgar...@mediatel.com.ar<mailto:dgar...@mediatel.com.ar>>>
 wrote:
Hi.. I asume you're running your portal on https? release 10.2 had introduced 
dhcp-based portal discovery (RFC 7720bis support) and apple devices, most of 
which should be running a 2020 or newer os, should support it. if you can 
capture traffic on the portal interface on your cluster, you should see that 
the url for packetfence should be returned in a dhcp option (that finishes in 
"/rfc7710"). I believe the logs might show it (but only maybe in debug level)

the clients then query that url. Can you check if the proper, load-balanced url 
is being returned?

somehow maybe the device is failing to contact the /rfc7710 endpoint or 
something, like the client being authenticated is being returned and thus the 
apple device think its logged in?

its a wild guess.. but it would be one option why you see this on apple devices.

(newer windows releases should support it as well, but not 100% sure when /what 
release it would be). Android 11 also added support, but of course, there you 
have a much more fragmented ecosystem and i haven't seen non-google devices 
implementing it yet.




Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | 
www.mediatel.com.ar<http://www.mediatel.com.ar><http://www.mediatel.com.ar/> | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users 
mailto:packetfence-users@lists.sourceforge.net><mailto:packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>>
 wrote:
Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Sallee, Jake via PacketFence-users]

> you might want to check /usr/local/pg/logs for the file httpd.portal.access 
> and look for the string rfc7710 in there?

First, thank you for the effort but I didn't see anything in the logs about 
rfc7710.  But, I have not enabled debugging in the logs yet so there is still 
hope.  

Quick question though, currently we do not use PF for our DHCP (even for 
registration or isolation).  With that in mind would the info you mention still 
show up in the logs?

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Diego García del Río 
Sent: Wednesday, July 7, 2021 5:47 PM
To: packetfence-users@lists.sourceforge.net
Cc: Sallee, Jake
Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

EXTERNAL Exercise Caution
you might want to check /usr/local/pg/logs for the file httpd.portal.access and 
look for the string rfc7710 in there...

(and sorry, its RFC 7710bis, not 7720bis)

Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<http://www.mediatel.com.ar/> | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 19:45, Diego García del Río 
mailto:dgar...@mediatel.com.ar>> wrote:
Hi.. I asume you're running your portal on https? release 10.2 had introduced 
dhcp-based portal discovery (RFC 7720bis support) and apple devices, most of 
which should be running a 2020 or newer os, should support it. if you can 
capture traffic on the portal interface on your cluster, you should see that 
the url for packetfence should be returned in a dhcp option (that finishes in 
"/rfc7710"). I believe the logs might show it (but only maybe in debug level)

the clients then query that url. Can you check if the proper, load-balanced url 
is being returned?

somehow maybe the device is failing to contact the /rfc7710 endpoint or 
something, like the client being authenticated is being returned and thus the 
apple device think its logged in?

its a wild guess.. but it would be one option why you see this on apple devices.

(newer windows releases should support it as well, but not 100% sure when /what 
release it would be). Android 11 also added support, but of course, there you 
have a much more fragmented ecosystem and i haven't seen non-google devices 
implementing it yet.




Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103) | 
Cel: +54 9 11 4530-4697 | www.mediatel.com.ar<http://www.mediatel.com.ar/> | 
Juan Carlos Cruz 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users 
mailto:packetfence-users@lists.sourceforge.net>>
 wrote:
Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance patches) in a 3 node cluster.

TLDR:  Captive portal issues on iPhones and some mobile devices, cant find any 
reason in the logs as to why it would be happening.  Started happening out of 
the blue, updated to 10.3 and applied all patches but nothing helped.

Long version:

The issue seems to be centered around WiFi on iPhones and some mobile computers 
(laptops, tables, etc) where some are Apple products and some are not.  Android 
phones seem not to be affected.

When an unregistered endpoint is assigned an IP in the registration network the 
device notices the captive portal and tries to open a browser window to 
facilitate the registration process.

However this is where things begin to go wrong.

Some of the time the page does not load at all, after a brief wait of perhaps 7 
seconds, the mobile browser generates an error saying the page cannot be 
loaded.  When the error is dismissed the browser automatically closes and the 
user is dumped to the home screen on their device.

Sometimes it does load but the custom logo is not displayed (loads a broken 
jpg).  Sometimes the page loads as plain text and no CSS.

If the page does load enough for the user to accept the AUP and fill out the 
registration form.  When the user submits the form, however the same browser 
error is displayed and the user id bounced out of the browser app.

If the error occurs AFTER submitting the registration form, the device still 
shows as unregistered in PF.   However, if the user rejoins the network the 
captive portal page will be presented but it will be the enabling access page 
with the progress bar (and a still broken jpg).  Interestingly, the device will 
now show as registered in PF and will have the correct role assigned.

I have been scouring the logs and can?t seem to find any entries that would 
point to a cause.  Desk

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Diego García del Río via PacketFence-users]

you might want to check /usr/local/pg/logs for the file httpd.portal.access
and look for the string rfc7710 in there...

(and sorry, its RFC 7710bis, not 7720bis)

*Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
| Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 –
4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 19:45, Diego García del Río 
wrote:

> Hi.. I asume you're running your portal on https? release 10.2 had
> introduced dhcp-based portal discovery (RFC 7720bis support) and apple
> devices, most of which should be running a 2020 or newer os, should support
> it. if you can capture traffic on the portal interface on your cluster, you
> should see that the url for packetfence should be returned in a dhcp
> option (that finishes in "/rfc7710"). I believe the logs might show it (but
> only maybe in debug level)
>
> the clients then query that url. Can you check if the proper,
> load-balanced url is being returned?
>
> somehow maybe the device is failing to contact the /rfc7710 endpoint or
> something, like the client being authenticated is being returned and thus
> the apple device think its logged in?
>
> its a wild guess.. but it would be one option why you see this on apple
> devices.
>
> (newer windows releases should support it as well, but not 100% sure when
> /what release it would be). Android 11 also added support, but of course,
> there you have a much more fragmented ecosystem and i haven't seen
> non-google devices implementing it yet.
>
>
>
>
> *Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463
> (x103) | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Hello all!
>>
>> This is a strange one and I hope someone out there has faced this demon
>> before and can help.
>>
>> We are running PF 10.3 (with latest maintenance patches) in a 3 node
>> cluster.
>>
>> TLDR:  Captive portal issues on iPhones and some mobile devices, cant
>> find any reason in the logs as to why it would be happening.  Started
>> happening out of the blue, updated to 10.3 and applied all patches but
>> nothing helped.
>>
>> Long version:
>>
>> The issue seems to be centered around WiFi on iPhones and some mobile
>> computers (laptops, tables, etc) where some are Apple products and some are
>> not.  Android phones seem not to be affected.
>>
>> When an unregistered endpoint is assigned an IP in the registration
>> network the device notices the captive portal and tries to open a browser
>> window to facilitate the registration process.
>>
>> However this is where things begin to go wrong.
>>
>> Some of the time the page does not load at all, after a brief wait of
>> perhaps 7 seconds, the mobile browser generates an error saying the page
>> cannot be loaded.  When the error is dismissed the browser automatically
>> closes and the user is dumped to the home screen on their device.
>>
>> Sometimes it does load but the custom logo is not displayed (loads a
>> broken jpg).  Sometimes the page loads as plain text and no CSS.
>>
>> If the page does load enough for the user to accept the AUP and fill out
>> the registration form.  When the user submits the form, however the same
>> browser error is displayed and the user id bounced out of the browser app.
>>
>> If the error occurs AFTER submitting the registration form, the device
>> still shows as unregistered in PF.   However, if the user rejoins the
>> network the captive portal page will be presented but it will be the
>> enabling access page with the progress bar (and a still broken jpg).
>> Interestingly, the device will now show as registered in PF and will have
>> the correct role assigned.
>>
>> I have been scouring the logs and can?t seem to find any entries that
>> would point to a cause.  Desktops and Laptops with full OS on them do not
>> seem to have the issue.
>>
>> Any help would be greatly appreciated.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>>
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issue on Mobile Devices

[Diego García del Río via PacketFence-users]

Hi.. I asume you're running your portal on https? release 10.2 had
introduced dhcp-based portal discovery (RFC 7720bis support) and apple
devices, most of which should be running a 2020 or newer os, should support
it. if you can capture traffic on the portal interface on your cluster, you
should see that the url for packetfence should be returned in a dhcp
option (that finishes in "/rfc7710"). I believe the logs might show it (but
only maybe in debug level)

the clients then query that url. Can you check if the proper, load-balanced
url is being returned?

somehow maybe the device is failing to contact the /rfc7710 endpoint or
something, like the client being authenticated is being returned and thus
the apple device think its logged in?

its a wild guess.. but it would be one option why you see this on apple
devices.

(newer windows releases should support it as well, but not 100% sure when
/what release it would be). Android 11 also added support, but of course,
there you have a much more fragmented ecosystem and i haven't seen
non-google devices implementing it yet.




*Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
| Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz 2360 –
4B (1636), Vicente López, Buenos Aires, Argentina |
https://goo.gl/maps/NZCFPwVkFFf14cR67


On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello all!
>
> This is a strange one and I hope someone out there has faced this demon
> before and can help.
>
> We are running PF 10.3 (with latest maintenance patches) in a 3 node
> cluster.
>
> TLDR:  Captive portal issues on iPhones and some mobile devices, cant find
> any reason in the logs as to why it would be happening.  Started happening
> out of the blue, updated to 10.3 and applied all patches but nothing helped.
>
> Long version:
>
> The issue seems to be centered around WiFi on iPhones and some mobile
> computers (laptops, tables, etc) where some are Apple products and some are
> not.  Android phones seem not to be affected.
>
> When an unregistered endpoint is assigned an IP in the registration
> network the device notices the captive portal and tries to open a browser
> window to facilitate the registration process.
>
> However this is where things begin to go wrong.
>
> Some of the time the page does not load at all, after a brief wait of
> perhaps 7 seconds, the mobile browser generates an error saying the page
> cannot be loaded.  When the error is dismissed the browser automatically
> closes and the user is dumped to the home screen on their device.
>
> Sometimes it does load but the custom logo is not displayed (loads a
> broken jpg).  Sometimes the page loads as plain text and no CSS.
>
> If the page does load enough for the user to accept the AUP and fill out
> the registration form.  When the user submits the form, however the same
> browser error is displayed and the user id bounced out of the browser app.
>
> If the error occurs AFTER submitting the registration form, the device
> still shows as unregistered in PF.   However, if the user rejoins the
> network the captive portal page will be presented but it will be the
> enabling access page with the progress bar (and a still broken jpg).
> Interestingly, the device will now show as registered in PF and will have
> the correct role assigned.
>
> I have been scouring the logs and can?t seem to find any entries that
> would point to a cause.  Desktops and Laptops with full OS on them do not
> seem to have the issue.
>
> Any help would be greatly appreciated.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer and Security Specialist
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Issue on Mobile Devices

[Sallee, Jake via PacketFence-users]

Hello all!

This is a strange one and I hope someone out there has faced this demon before 
and can help.

We are running PF 10.3 (with latest maintenance patches) in a 3 node cluster.

TLDR:  Captive portal issues on iPhones and some mobile devices, cant find any 
reason in the logs as to why it would be happening.  Started happening out of 
the blue, updated to 10.3 and applied all patches but nothing helped.

Long version:

The issue seems to be centered around WiFi on iPhones and some mobile computers 
(laptops, tables, etc) where some are Apple products and some are not.  Android 
phones seem not to be affected.

When an unregistered endpoint is assigned an IP in the registration network the 
device notices the captive portal and tries to open a browser window to 
facilitate the registration process.

However this is where things begin to go wrong.

Some of the time the page does not load at all, after a brief wait of perhaps 7 
seconds, the mobile browser generates an error saying the page cannot be 
loaded.  When the error is dismissed the browser automatically closes and the 
user is dumped to the home screen on their device.

Sometimes it does load but the custom logo is not displayed (loads a broken 
jpg).  Sometimes the page loads as plain text and no CSS.

If the page does load enough for the user to accept the AUP and fill out the 
registration form.  When the user submits the form, however the same browser 
error is displayed and the user id bounced out of the browser app.

If the error occurs AFTER submitting the registration form, the device still 
shows as unregistered in PF.   However, if the user rejoins the network the 
captive portal page will be presented but it will be the enabling access page 
with the progress bar (and a still broken jpg).  Interestingly, the device will 
now show as registered in PF and will have the correct role assigned.

I have been scouring the logs and can?t seem to find any entries that would 
point to a cause.  Desktops and Laptops with full OS on them do not seem to 
have the issue.

Any help would be greatly appreciated.

Jake Sallee
Godfather of Bandwidth
System Engineer and Security Specialist
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Error

[Ezeh Victor via PacketFence-users]

Hi,

This has been fixed.

The issue was a spelling error. sigin,html  signin.html.


Thanks.


On Fri, 11 Jun 2021 at 11:50, Ezeh Victor  wrote:

> Also, below is the content of the sigin.html file;
>
> [image: image.png]
>
> On Fri, 11 Jun 2021 at 11:29, Ezeh Victor  wrote:
>
>> Hi,
>>
>> I set up packetfence to manage guest access to the network via wifi.
>>
>> Guests are meant to access the captive portal and register to get sponsor
>> approval.
>>
>> It was working until recently I received this error message when a guest
>> tries to connect;
>>
>> *caught exception in captive portal::
>> Controller::Root->dynamic_application "Can't generate template signin.html:
>> file error - sigin.html not foundError: fileError - sigin.html: not found
>> at usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
>> line 440"*
>>
>> I located the *signin.html *file which is located at*
>> /usr/local/pf/html/captive-portal/templates*
>>
>> Going to the directory mentioned in the error message, and locating line
>> 440 of the error, I do not seem to see any reference to the file and what
>> might be causing the error.
>>
>> Kindly assist.
>>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Error

[Ezeh Victor via PacketFence-users]

Hi,

I set up packetfence to manage guest access to the network via wifi.

Guests are meant to access the captive portal and register to get sponsor
approval.

It was working until recently I received this error message when a guest
tries to connect;

*caught exception in captive portal:: Controller::Root->dynamic_application
"Can't generate template signin.html: file error - sigin.html not
foundError: fileError - sigin.html: not found at
usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
line 440"*

I located the *signin.html *file which is located at*
/usr/local/pf/html/captive-portal/templates*

Going to the directory mentioned in the error message, and locating line
440 of the error, I do not seem to see any reference to the file and what
might be causing the error.

Kindly assist.
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Error

[Ezeh Victor via PacketFence-users]

Also, below is the content of the sigin.html file;

[image: image.png]

On Fri, 11 Jun 2021 at 11:29, Ezeh Victor  wrote:

> Hi,
>
> I set up packetfence to manage guest access to the network via wifi.
>
> Guests are meant to access the captive portal and register to get sponsor
> approval.
>
> It was working until recently I received this error message when a guest
> tries to connect;
>
> *caught exception in captive portal::
> Controller::Root->dynamic_application "Can't generate template signin.html:
> file error - sigin.html not foundError: fileError - sigin.html: not found
> at usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
> line 440"*
>
> I located the *signin.html *file which is located at*
> /usr/local/pf/html/captive-portal/templates*
>
> Going to the directory mentioned in the error message, and locating line
> 440 of the error, I do not seem to see any reference to the file and what
> might be causing the error.
>
> Kindly assist.
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal issue

[Zammit, Ludovic via PacketFence-users]

No problem, have a nice day!

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:   
    
  
  


> On Jun 10, 2021, at 8:56 AM, Arun Kangle  wrote:
> 
> Thanks for quick response Ludovic,
> 
> It was my mistake, management and registration interfaces were part of 
> different VRF. Sorry to take your time.
> 
> Thanks and regards,
> - Arun 
> 
> On Thu, Jun 10, 2021 at 5:51 PM Zammit, Ludovic  > wrote:
> Hello,
> 
> Are you using web auth or lan enforcement for the registration ?
> 
> Thanks,
> 
> Ludovic Zammit
> Product Support Engineer Principal
> 
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us:     
>   
> 
>   
> 
>   
> 
>   
> 
> 
>> On Jun 10, 2021, at 1:06 AM, Arun Kangle via PacketFence-users 
>> > > wrote:
>> 
>> Hello All,
>> I am facing 2 issues below:
>> 1) I am unable to access the captive portal using the FQDN but I am able to 
>> access the Captive Portal by using IP address of the Registration Interface, 
>> and
>> 
>> 2) Redirection isn't happig as well.
>> 
>> Could you please let me know what config I am missing?
>> 
>> Thanks in advance,
>> - Arun
>> 
>> pf.conf file:
>> [root@packetfence conf]# more pf.conf
>> # Copyright (C) Inverse inc.
>> [general]
>> #
>> # general.domain
>> #
>> # Domain name of PacketFence system.
>> domain=AOLIC.NET 
>> 
>> #
>> # general.hostname
>> #
>> # Hostname of PacketFence system.  This is concatenated with the domain in 
>> Apache rewriting rules and therefore must be resolvable by clie
>> nts.
>> hostname=PACKETFENCE
>> #
>> # general.timezone
>> #
>> # System's timezone in string format. List generated from Perl library 
>> DateTime::TimeZone
>> # When left empty, it will use the timezone of the server
>> timezone=Asia/Kolkata
>> 
>> [database]
>> #
>> # database.pass
>> #
>> # Password for the mysql database used by PacketFence. Changing this 
>> parameter after the initial configuration will *not* change it in the
>>  database it self, only in the configuration.
>> pass=x
>> 
>> [captive_portal]
>> #
>> # captive_portal.network_redirect_delay
>> #
>> # How long to display the progress bar during trap release. Default value is
>> # based on VLAN enforcement techniques. Inline enforcement only users could
>> # lower the value.
>> network_redirect_delay=10s
>> 
>> [advanced]
>> #
>> # advanced.sso_on_access_reevaluation
>> #
>> # Trigger Single-Sign-On (Firewall SSO) on access reevaluation
>> sso_on_access_reevaluation=enabled
>> #
>> # advanced.sso_on_accounting
>> #
>> # Trigger Single-Sign-On (Firewall SSO) on accounting
>> sso_on_accounting=enabled
>> # advanced.configurator
>> #
>> # Enable the Configurator and the Configurator API
>> configurator=disabled
>> 
>> [interface eth0.150]
>> ip=172.16.31.53 
>> type=management,portal
>> mask=255.255.255.0
>> 
>> [interface eth0.25]
>> enforcement=vlan
>> ip=10.0.105.2
>> type=internal
>> mask=255.255.255.0
>> [root@packetfence conf]#
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net 
>> 
>> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!FsSCHr-3OnxvKwBYTYQcj3JcDFJFsAy1xyxtBHwXu-MBfJPLf_aw2wlRzrO27D6a$
>>  
>> 
>>  
> 



smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal issue

[Arun Kangle via PacketFence-users]

Thanks for quick response Ludovic,

It was my mistake, management and registration interfaces were part of
different VRF. Sorry to take your time.

Thanks and regards,
- Arun

On Thu, Jun 10, 2021 at 5:51 PM Zammit, Ludovic  wrote:

> Hello,
>
> Are you using web auth or lan enforcement for the registration ?
>
> Thanks,
>
> *Ludovic Zammit*
> *Product Support Engineer Principal*
> *Cell:* +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us:  
>  
> 
> 
>
> On Jun 10, 2021, at 1:06 AM, Arun Kangle via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello All,
> I am facing 2 issues below:
> 1) I am unable to access the captive portal using the FQDN but I am able
> to access the Captive Portal by using IP address of the Registration
> Interface, and
>
> 2) Redirection isn't happig as well.
>
> Could you please let me know what config I am missing?
>
> Thanks in advance,
> - Arun
>
> pf.conf file:
> [root@packetfence conf]# more pf.conf
> # Copyright (C) Inverse inc.
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=AOLIC.NET
> 
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in
> Apache rewriting rules and therefore must be resolvable by clie
> nts.
> hostname=PACKETFENCE
> #
> # general.timezone
> #
> # System's timezone in string format. List generated from Perl library
> DateTime::TimeZone
> # When left empty, it will use the timezone of the server
> timezone=Asia/Kolkata
>
> [database]
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence. Changing this
> parameter after the initial configuration will *not* change it in the
>  database it self, only in the configuration.
> pass=x
>
> [captive_portal]
> #
> # captive_portal.network_redirect_delay
> #
> # How long to display the progress bar during trap release. Default value
> is
> # based on VLAN enforcement techniques. Inline enforcement only users could
> # lower the value.
> network_redirect_delay=10s
>
> [advanced]
> #
> # advanced.sso_on_access_reevaluation
> #
> # Trigger Single-Sign-On (Firewall SSO) on access reevaluation
> sso_on_access_reevaluation=enabled
> #
> # advanced.sso_on_accounting
> #
> # Trigger Single-Sign-On (Firewall SSO) on accounting
> sso_on_accounting=enabled
> # advanced.configurator
> #
> # Enable the Configurator and the Configurator API
> configurator=disabled
>
> [interface eth0.150]
> ip=172.16.31.53
> type=management,portal
> mask=255.255.255.0
>
> [interface eth0.25]
> enforcement=vlan
> ip=10.0.105.2
> type=internal
> mask=255.255.255.0
> [root@packetfence conf]#
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
>
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!FsSCHr-3OnxvKwBYTYQcj3JcDFJFsAy1xyxtBHwXu-MBfJPLf_aw2wlRzrO27D6a$
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive portal issue

[Zammit, Ludovic via PacketFence-users]

Hello,

Are you using web auth or lan enforcement for the registration ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us:   
    
  
  


> On Jun 10, 2021, at 1:06 AM, Arun Kangle via PacketFence-users 
>  wrote:
> 
> Hello All,
> I am facing 2 issues below:
> 1) I am unable to access the captive portal using the FQDN but I am able to 
> access the Captive Portal by using IP address of the Registration Interface, 
> and
> 
> 2) Redirection isn't happig as well.
> 
> Could you please let me know what config I am missing?
> 
> Thanks in advance,
> - Arun
> 
> pf.conf file:
> [root@packetfence conf]# more pf.conf
> # Copyright (C) Inverse inc.
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=AOLIC.NET 
> 
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in 
> Apache rewriting rules and therefore must be resolvable by clie
> nts.
> hostname=PACKETFENCE
> #
> # general.timezone
> #
> # System's timezone in string format. List generated from Perl library 
> DateTime::TimeZone
> # When left empty, it will use the timezone of the server
> timezone=Asia/Kolkata
> 
> [database]
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence. Changing this 
> parameter after the initial configuration will *not* change it in the
>  database it self, only in the configuration.
> pass=x
> 
> [captive_portal]
> #
> # captive_portal.network_redirect_delay
> #
> # How long to display the progress bar during trap release. Default value is
> # based on VLAN enforcement techniques. Inline enforcement only users could
> # lower the value.
> network_redirect_delay=10s
> 
> [advanced]
> #
> # advanced.sso_on_access_reevaluation
> #
> # Trigger Single-Sign-On (Firewall SSO) on access reevaluation
> sso_on_access_reevaluation=enabled
> #
> # advanced.sso_on_accounting
> #
> # Trigger Single-Sign-On (Firewall SSO) on accounting
> sso_on_accounting=enabled
> # advanced.configurator
> #
> # Enable the Configurator and the Configurator API
> configurator=disabled
> 
> [interface eth0.150]
> ip=172.16.31.53 
> type=management,portal
> mask=255.255.255.0
> 
> [interface eth0.25]
> enforcement=vlan
> ip=10.0.105.2
> type=internal
> mask=255.255.255.0
> [root@packetfence conf]#
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!FsSCHr-3OnxvKwBYTYQcj3JcDFJFsAy1xyxtBHwXu-MBfJPLf_aw2wlRzrO27D6a$
>  



smime.p7s
Description: S/MIME cryptographic signature
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive portal issue

[Arun Kangle via PacketFence-users]

Hello All,
I am facing 2 issues below:
1) I am unable to access the captive portal using the FQDN but I am able to
access the Captive Portal by using IP address of the Registration
Interface, and

2) Redirection isn't happig as well.

Could you please let me know what config I am missing?

Thanks in advance,
- Arun

pf.conf file:
[root@packetfence conf]# more pf.conf
# Copyright (C) Inverse inc.
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=AOLIC.NET
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in
Apache rewriting rules and therefore must be resolvable by clie
nts.
hostname=PACKETFENCE
#
# general.timezone
#
# System's timezone in string format. List generated from Perl library
DateTime::TimeZone
# When left empty, it will use the timezone of the server
timezone=Asia/Kolkata

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this
parameter after the initial configuration will *not* change it in the
 database it self, only in the configuration.
pass=x

[captive_portal]
#
# captive_portal.network_redirect_delay
#
# How long to display the progress bar during trap release. Default value is
# based on VLAN enforcement techniques. Inline enforcement only users could
# lower the value.
network_redirect_delay=10s

[advanced]
#
# advanced.sso_on_access_reevaluation
#
# Trigger Single-Sign-On (Firewall SSO) on access reevaluation
sso_on_access_reevaluation=enabled
#
# advanced.sso_on_accounting
#
# Trigger Single-Sign-On (Firewall SSO) on accounting
sso_on_accounting=enabled
# advanced.configurator
#
# Enable the Configurator and the Configurator API
configurator=disabled

[interface eth0.150]
ip=172.16.31.53
type=management,portal
mask=255.255.255.0

[interface eth0.25]
enforcement=vlan
ip=10.0.105.2
type=internal
mask=255.255.255.0
[root@packetfence conf]#
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Balance F5

[Domingos Varela via PacketFence-users]

Hi,

Please, someone who has managed to configure the portal with the F5 can
help me, I have been trying for many months without success, the
information available on the site about this integration is insufficient.
Thanks

Regards
Cumprimentos,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Domingos Varela  escreveu no dia quarta, 6/05/2020
à(s) 00:32:

> Hello,
>
> Did anyone here manage to configure the Pf captive portal on F5?
> I have tried and I have not had successes.
> We are already in the version 10.0 and the documentation on the F5 is the
> same and has not worked.
> Thanks
> Regards
>
> Cumprimentos,
>
> *Domingos Varela*
> Tel. +244 923 229 330 | Luanda - Angola
>
>
> Domingos Varela  escreveu no dia quarta,
> 19/02/2020 à(s) 14:47:
>
>> Hello,
>>
>> Is there any person in this group who has managed or has F5 to balance
>> the PF?
>> I’ve been trying for a long time and without being asked, the group’s
>> staff even gave some inputs, but then they gave up.
>>
>> Can anyone help with this setup so that future implementations are easier
>> for everyone?
>> Thanks
>>
>> Regards
>>
>> Cumprimentos,
>>
>> *Domingos Varela*
>> Tel. +244 923 229 330 | Luanda - Angola
>>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Abdoul Raouf Diabagate via PacketFence-users]

Hello everyone, I come to ask you again for the problem. I see that the
Packetfence solution works well in many people... please someone could help
me??

Le jeu. 12 nov. 2020 à 13:16, Abdoul Raouf Diabagate 
a écrit :

>
> Hello here is my conf/pf.conf file
>
> # Copyright (C) Inverse inc.
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=x.com
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in
> Apache rewriting rules and therefore must be resolvable by clients.
> hostname=mlnac
> #
> # general.timezone
> #
> # System's timezone in string format. List generated from Perl library
> DateTime::TimeZone
> # When left empty, it will use the timezone of the server
> timezone=Africa/Abidjan
>
> [alerting]
> #
> # alerting.emailaddr
> #
> # Comma-delimited list of email addresses to which notifications of rogue
> DHCP servers, security_events with an action of "email", or any other
> # PacketFence-related message goes to.
> emailaddr=abdoul.diabag...@xxx.net
>
> [database]
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence. Changing this
> parameter after the initial configuration will *not* change it in the
> database it self, only in the configuration.
> pass=xxx
>
> [advanced]
> # advanced.configurator
> #
> # Enable the Configurator and the Configurator API
> configurator=disabled
>
> [interface eth0]
> ip=192.168.222.129
> type=management,portal
> mask=255.255.255.0
>
> [interface eth1.110]
> enforcement=vlan
> ip=192.168.110.1
> type=internal
> mask=255.255.255.0
>
> [interface eth1.120]
> enforcement=vlan
> ip=192.168.120.1
> type=internal
> mask=255.255.255.0
>
> [interface eth1.216]
> type=other
> mask=255.255.255.0
>
> [interface eth1.218]
> type=other
> mask=255.255.255.0
>
> [interface eth1.219]
> type=other
> mask=255.255.255.0
>
> [interface eth1.220]
> type=other
> mask=255.255.255.0
>
> [interface eth1.222]
> type=other
> mask=255.255.255.0
>
>
> Le jeu. 12 nov. 2020 à 13:12, Ludovic Zammit  a
> écrit :
>
>> Hello,
>>
>> Show me your conf/pf.conf
>>
>> Remove the passwords.
>>
>> Thanks.
>>
>>
>> Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
>> www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>> (http://packetfence.org)
>>
>>
>>
>>
>>
>> On Nov 12, 2020, at 6:21 AM, Abdoul Raouf Diabagate <
>> abdoulrao...@gmail.com> wrote:
>>
>> after some testing, I have the impression that the error is due to
>> iptables. because when I open my browser it displays this
>> 
>>
>> but when I restart the iptables service, the captive portal page displays
>> correctly
>> 
>>
>> please who has any idea? I have to restart iptables on each connection
>>
>> Le mer. 11 nov. 2020 à 13:23, Abdoul Raouf Diabagate <
>> abdoulrao...@gmail.com> a écrit :
>>
>>> i want to use webauth for computers that don't have 8021x supplicant.
>>> currently I have the impression that everything is working correctly.
>>> however when I connect a computer that does not have an 8021x supplicant it
>>> moves into the registration vlan and it gets an IP address. when i try to
>>> launch a web page normally i should see the packetfence captive portal but
>>> nothing is displayed and an error message telling me that my packetfence
>>> server took too long to respond.
>>>
>>> what is weird is that when I put a switch port in the registration vlan
>>> switchport access mode switchport access vlan 120 where 120 is my
>>> registration vlan. when I connect a computer it receives an IP address and
>>> the captive portal is displayed correctly what is the problem in your
>>> opinion
>>>
>>>
>>>
>>> Le mer. 11 nov. 2020 à 13:10, Ludovic Zammit  a
>>> écrit :
>>>
 Hello,

 Do you want to do Web Auth or VLAN enforcement for the portal ? You
 can’t do both.

 Thanks,


 Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
 www.inverse.ca
 Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
 (http://packetfence.org)





 On Nov 10, 2020, at 8:05 AM, Abdoul Raouf Diabagate via
 PacketFence-users  wrote:

 I just installed packetfence version 10.2 ZEN. after following the
 setup guide i want to do my first test. the test with the 8021X supplicant
 works and the customer is dynamically registered in the correct vlan

 However when I want to test the captive portal, I plug a windows
 computer into one of the switch ports. after a few minutes, the computer is
 placed in my registration vlan and receives a dynamically ip address from
 packetfence. and I am redirected to the address
 http://192.168.222.129/Cisco::Catalyst_2960/sidceab07.
 after a few minutes of waiting, the browser displays 'waiting time
 exceeded'

 However when I move a port of the switch manually in the registration
 

Re: [PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Abdoul Raouf Diabagate via PacketFence-users]

Hello here is my conf/pf.conf file

# Copyright (C) Inverse inc.
[general]
#
# general.domain
#
# Domain name of PacketFence system.
domain=x.com
#
# general.hostname
#
# Hostname of PacketFence system.  This is concatenated with the domain in
Apache rewriting rules and therefore must be resolvable by clients.
hostname=mlnac
#
# general.timezone
#
# System's timezone in string format. List generated from Perl library
DateTime::TimeZone
# When left empty, it will use the timezone of the server
timezone=Africa/Abidjan

[alerting]
#
# alerting.emailaddr
#
# Comma-delimited list of email addresses to which notifications of rogue
DHCP servers, security_events with an action of "email", or any other
# PacketFence-related message goes to.
emailaddr=abdoul.diabag...@xxx.net

[database]
#
# database.pass
#
# Password for the mysql database used by PacketFence. Changing this
parameter after the initial configuration will *not* change it in the
database it self, only in the configuration.
pass=xxx

[advanced]
# advanced.configurator
#
# Enable the Configurator and the Configurator API
configurator=disabled

[interface eth0]
ip=192.168.222.129
type=management,portal
mask=255.255.255.0

[interface eth1.110]
enforcement=vlan
ip=192.168.110.1
type=internal
mask=255.255.255.0

[interface eth1.120]
enforcement=vlan
ip=192.168.120.1
type=internal
mask=255.255.255.0

[interface eth1.216]
type=other
mask=255.255.255.0

[interface eth1.218]
type=other
mask=255.255.255.0

[interface eth1.219]
type=other
mask=255.255.255.0

[interface eth1.220]
type=other
mask=255.255.255.0

[interface eth1.222]
type=other
mask=255.255.255.0


Le jeu. 12 nov. 2020 à 13:12, Ludovic Zammit  a écrit :

> Hello,
>
> Show me your conf/pf.conf
>
> Remove the passwords.
>
> Thanks.
>
>
> Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
> On Nov 12, 2020, at 6:21 AM, Abdoul Raouf Diabagate <
> abdoulrao...@gmail.com> wrote:
>
> after some testing, I have the impression that the error is due to
> iptables. because when I open my browser it displays this
> 
>
> but when I restart the iptables service, the captive portal page displays
> correctly
> 
>
> please who has any idea? I have to restart iptables on each connection
>
> Le mer. 11 nov. 2020 à 13:23, Abdoul Raouf Diabagate <
> abdoulrao...@gmail.com> a écrit :
>
>> i want to use webauth for computers that don't have 8021x supplicant.
>> currently I have the impression that everything is working correctly.
>> however when I connect a computer that does not have an 8021x supplicant it
>> moves into the registration vlan and it gets an IP address. when i try to
>> launch a web page normally i should see the packetfence captive portal but
>> nothing is displayed and an error message telling me that my packetfence
>> server took too long to respond.
>>
>> what is weird is that when I put a switch port in the registration vlan
>> switchport access mode switchport access vlan 120 where 120 is my
>> registration vlan. when I connect a computer it receives an IP address and
>> the captive portal is displayed correctly what is the problem in your
>> opinion
>>
>>
>>
>> Le mer. 11 nov. 2020 à 13:10, Ludovic Zammit  a
>> écrit :
>>
>>> Hello,
>>>
>>> Do you want to do Web Auth or VLAN enforcement for the portal ? You
>>> can’t do both.
>>>
>>> Thanks,
>>>
>>>
>>> Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  
>>> www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
>>> (http://packetfence.org)
>>>
>>>
>>>
>>>
>>>
>>> On Nov 10, 2020, at 8:05 AM, Abdoul Raouf Diabagate via
>>> PacketFence-users  wrote:
>>>
>>> I just installed packetfence version 10.2 ZEN. after following the setup
>>> guide i want to do my first test. the test with the 8021X supplicant works
>>> and the customer is dynamically registered in the correct vlan
>>>
>>> However when I want to test the captive portal, I plug a windows
>>> computer into one of the switch ports. after a few minutes, the computer is
>>> placed in my registration vlan and receives a dynamically ip address from
>>> packetfence. and I am redirected to the address
>>> http://192.168.222.129/Cisco::Catalyst_2960/sidceab07.
>>> after a few minutes of waiting, the browser displays 'waiting time
>>> exceeded'
>>>
>>> However when I move a port of the switch manually in the registration
>>> vlan, and I plug in a computer, the portal page automatically displays
>>>
>>> Any ideas?
>>>
>>> [switch port conf]
>>> interface FastEthernet0/12
>>>  switchport mode access
>>>  authentication order dot1x mab
>>>  authentication priority dot1x mab
>>>  authentication port-control auto
>>>  authentication periodic
>>>  authentication timer restart 10800
>>>  authentication timer reauthenticate 7200
>>>  authentication violation replace
>>>  mab
>>>  no snmp trap 

Re: [PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Ludovic Zammit via PacketFence-users]

Hello,

Show me your conf/pf.conf

Remove the passwords.

Thanks.

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Nov 12, 2020, at 6:21 AM, Abdoul Raouf Diabagate  
> wrote:
> 
> after some testing, I have the impression that the error is due to iptables. 
> because when I open my browser it displays this
> 
> 
> but when I restart the iptables service, the captive portal page displays 
> correctly
> 
> 
> please who has any idea? I have to restart iptables on each connection
> 
> Le mer. 11 nov. 2020 à 13:23, Abdoul Raouf Diabagate  > a écrit :
> i want to use webauth for computers that don't have 8021x supplicant. 
> currently I have the impression that everything is working correctly. however 
> when I connect a computer that does not have an 8021x supplicant it moves 
> into the registration vlan and it gets an IP address. when i try to launch a 
> web page normally i should see the packetfence captive portal but nothing is 
> displayed and an error message telling me that my packetfence server took too 
> long to respond.
> 
> what is weird is that when I put a switch port in the registration vlan 
> switchport access mode switchport access vlan 120 where 120 is my 
> registration vlan. when I connect a computer it receives an IP address and 
> the captive portal is displayed correctly what is the problem in your opinion
> 
> 
> 
> Le mer. 11 nov. 2020 à 13:10, Ludovic Zammit  > a écrit :
> Hello,
> 
> Do you want to do Web Auth or VLAN enforcement for the portal ? You can’t do 
> both.
> 
> Thanks,
> 
> Ludovic Zammit
> lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
> www.inverse.ca 
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu 
> ) and PacketFence (http://packetfence.org 
> ) 
> 
> 
> 
> 
> 
>> On Nov 10, 2020, at 8:05 AM, Abdoul Raouf Diabagate via PacketFence-users 
>> > > wrote:
>> 
> 
> 
>> I just installed packetfence version 10.2 ZEN. after following the setup 
>> guide i want to do my first test. the test with the 8021X supplicant works 
>> and the customer is dynamically registered in the correct vlan
>> 
>> However when I want to test the captive portal, I plug a windows computer 
>> into one of the switch ports. after a few minutes, the computer is placed in 
>> my registration vlan and receives a dynamically ip address from packetfence. 
>> and I am redirected to the address 
>> http://192.168.222.129/Cisco::Catalyst_2960/sidceab07 
>> .
>> after a few minutes of waiting, the browser displays 'waiting time exceeded'
>> 
>> However when I move a port of the switch manually in the registration vlan, 
>> and I plug in a computer, the portal page automatically displays
>> 
>> Any ideas?
>> 
>> [switch port conf]
>> interface FastEthernet0/12
>>  switchport mode access
>>  authentication order dot1x mab
>>  authentication priority dot1x mab
>>  authentication port-control auto
>>  authentication periodic
>>  authentication timer restart 10800
>>  authentication timer reauthenticate 7200
>>  authentication violation replace
>>  mab
>>  no snmp trap link-status
>>  dot1x pae authenticator
>>  dot1x timeout quiet-period 2
>>  dot1x timeout tx-period 3
>> 
>> [Packetfence LOG]
>> 
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip => 
>> (192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac => 
>> (88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username => 
>> "b06ebfab3afe" (pf::radius::authorize)
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] Instantiate profile noEAP 
>> (pf::Connection::ProfileFactory::_from_profile)
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN 
>> (pf::role::getRegistrationRole)
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned 
>> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the 
>> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
>> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
>> [mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply using 
>> 

Re: [PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Abdoul Raouf Diabagate via PacketFence-users]

i want to use webauth for computers that don't have 8021x supplicant.
currently I have the impression that everything is working correctly.
however when I connect a computer that does not have an 8021x supplicant it
moves into the registration vlan and it gets an IP address. when i try to
launch a web page normally i should see the packetfence captive portal but
nothing is displayed and an error message telling me that my packetfence
server took too long to respond.

what is weird is that when I put a switch port in the registration vlan
switchport access mode switchport access vlan 120 where 120 is my
registration vlan. when I connect a computer it receives an IP address and
the captive portal is displayed correctly what is the problem in your
opinion



Le mer. 11 nov. 2020 à 13:10, Ludovic Zammit  a écrit :

> Hello,
>
> Do you want to do Web Auth or VLAN enforcement for the portal ? You can’t
> do both.
>
> Thanks,
>
>
> Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
> On Nov 10, 2020, at 8:05 AM, Abdoul Raouf Diabagate via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I just installed packetfence version 10.2 ZEN. after following the setup
> guide i want to do my first test. the test with the 8021X supplicant works
> and the customer is dynamically registered in the correct vlan
>
> However when I want to test the captive portal, I plug a windows computer
> into one of the switch ports. after a few minutes, the computer is placed
> in my registration vlan and receives a dynamically ip address from
> packetfence. and I am redirected to the address
> http://192.168.222.129/Cisco::Catalyst_2960/sidceab07.
> after a few minutes of waiting, the browser displays 'waiting time
> exceeded'
>
> However when I move a port of the switch manually in the registration
> vlan, and I plug in a computer, the portal page automatically displays
>
> Any ideas?
>
> [switch port conf]
> interface FastEthernet0/12
>  switchport mode access
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 7200
>  authentication violation replace
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
>
> [Packetfence LOG]
>
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip =>
> (192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac =>
> (88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username =>
> "b06ebfab3afe" (pf::radius::authorize)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] Instantiate profile noEAP
> (pf::Connection::ProfileFactory::_from_profile)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the
> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
> [mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply
> using role: 'registration' and URL: '
> http://192.168.222.129/Cisco::Catalyst_2960/sidc3b51a'
> (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: Using 300
> resolution threshold (pf::pfcron::task::cluster_check::run)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed
> 0 security_events during security_event maintenance (1605013256.13453
> 1605013256.14244)  (pf::security_event::security_event_maintenance)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: All
> cluster members are running the same configuration version
> (pf::pfcron::task::cluster_check::run)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed
> 0 security_events during security_event maintenance (1605013256.1439
> 1605013256.14699)  (pf::security_event::security_event_maintenance)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1485) INFO: getting
> security_events triggers for accounting cleanup
> (pf::accounting::acct_maintenance)
> Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) WARN:
> [mac:b0:6e:bf:ab:3a:fe] Unable to match MAC address to 

Re: [PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Ludovic Zammit via PacketFence-users]

Hello,

Do you want to do Web Auth or VLAN enforcement for the portal ? You can’t do 
both.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Nov 10, 2020, at 8:05 AM, Abdoul Raouf Diabagate via PacketFence-users 
>  wrote:
> 
> I just installed packetfence version 10.2 ZEN. after following the setup 
> guide i want to do my first test. the test with the 8021X supplicant works 
> and the customer is dynamically registered in the correct vlan
> 
> However when I want to test the captive portal, I plug a windows computer 
> into one of the switch ports. after a few minutes, the computer is placed in 
> my registration vlan and receives a dynamically ip address from packetfence. 
> and I am redirected to the address 
> http://192.168.222.129/Cisco::Catalyst_2960/sidceab07 
> .
> after a few minutes of waiting, the browser displays 'waiting time exceeded'
> 
> However when I move a port of the switch manually in the registration vlan, 
> and I plug in a computer, the portal page automatically displays
> 
> Any ideas?
> 
> [switch port conf]
> interface FastEthernet0/12
>  switchport mode access
>  authentication order dot1x mab
>  authentication priority dot1x mab
>  authentication port-control auto
>  authentication periodic
>  authentication timer restart 10800
>  authentication timer reauthenticate 7200
>  authentication violation replace
>  mab
>  no snmp trap link-status
>  dot1x pae authenticator
>  dot1x timeout quiet-period 2
>  dot1x timeout tx-period 3
> 
> [Packetfence LOG]
> 
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip => 
> (192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac => 
> (88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username => 
> "b06ebfab3afe" (pf::radius::authorize)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] Instantiate profile noEAP 
> (pf::Connection::ProfileFactory::_from_profile)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN 
> (pf::role::getRegistrationRole)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned 
> RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the 
> returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply using 
> role: 'registration' and URL: 
> 'http://192.168.222.129/Cisco::Catalyst_2960/sidc3b51a 
> ' 
> (pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: Using 300 
> resolution threshold (pf::pfcron::task::cluster_check::run)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0 
> security_events during security_event maintenance (1605013256.13453 
> 1605013256.14244)  (pf::security_event::security_event_maintenance)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: All cluster 
> members are running the same configuration version 
> (pf::pfcron::task::cluster_check::run)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0 
> security_events during security_event maintenance (1605013256.1439 
> 1605013256.14699)  (pf::security_event::security_event_maintenance)
> Nov 10 13:00:56 packetfence packetfence: pfperl-api(1485) INFO: getting 
> security_events triggers for accounting cleanup 
> (pf::accounting::acct_maintenance)
> Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) WARN: 
> [mac:b0:6e:bf:ab:3a:fe] Unable to match MAC address to IP '192.168.120.103' 
> (pf::ip4log::ip2mac)
> Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) INFO: 
> [mac:b0:6e:bf:ab:3a:fe] oldip (192.168.120.53) and newip (192.168.120.103) 
> are different for b0:6e:bf:ab:3a:fe - closing ip4log entry 
> (pf::api::update_ip4log)
> Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN: 
> [mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting history for device 
> b0:6e:bf:ab:3a:fe. The history set doesn't exist yet. 
> (pf::accounting_events_history::latest_mac_history)
> Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN: 
> [mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting 

[PacketFence-users] captive portal: the captive portal does not appear when I am in the registration Vlan

[Abdoul Raouf Diabagate via PacketFence-users]

I just installed packetfence version 10.2 ZEN. after following the setup
guide i want to do my first test. the test with the 8021X supplicant works
and the customer is dynamically registered in the correct vlan

However when I want to test the captive portal, I plug a windows computer
into one of the switch ports. after a few minutes, the computer is placed
in my registration vlan and receives a dynamically ip address from
packetfence. and I am redirected to the address
http://192.168.222.129/Cisco::Catalyst_2960/sidceab07.
after a few minutes of waiting, the browser displays 'waiting time exceeded'

However when I move a port of the switch manually in the registration vlan,
and I plug in a computer, the portal page automatically displays

Any ideas?

[switch port conf]
interface FastEthernet0/12
 switchport mode access
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 7200
 authentication violation replace
 mab
 no snmp trap link-status
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3

[Packetfence LOG]

Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] handling radius autz request: from switch_ip =>
(192.168.222.130), connection_type => Ethernet-NoEAP,switch_mac =>
(88:90:8d:30:60:0c), mac => [b0:6e:bf:ab:3a:fe], port => 10012, username =>
"b06ebfab3afe" (pf::radius::authorize)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] Instantiate profile noEAP
(pf::Connection::ProfileFactory::_from_profile)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] is of status unreg; belongs into registration VLAN
(pf::role::getRegistrationRole)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added VLAN 120 to the returned
RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] (192.168.222.130) Added role registration to the
returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Nov 10 13:00:52 packetfence packetfence_httpd.aaa: httpd.aaa(15827) INFO:
[mac:b0:6e:bf:ab:3a:fe] Adding web authentication redirection to reply
using role: 'registration' and URL: '
http://192.168.222.129/Cisco::Catalyst_2960/sidc3b51a'
(pf::Switch::Cisco::Catalyst_2960::returnRadiusAccessAccept)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: Using 300
resolution threshold (pf::pfcron::task::cluster_check::run)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0
security_events during security_event maintenance (1605013256.13453
1605013256.14244)  (pf::security_event::security_event_maintenance)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1486) INFO: All cluster
members are running the same configuration version
(pf::pfcron::task::cluster_check::run)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1487) INFO: processed 0
security_events during security_event maintenance (1605013256.1439
1605013256.14699)  (pf::security_event::security_event_maintenance)
Nov 10 13:00:56 packetfence packetfence: pfperl-api(1485) INFO: getting
security_events triggers for accounting cleanup
(pf::accounting::acct_maintenance)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) WARN:
[mac:b0:6e:bf:ab:3a:fe] Unable to match MAC address to IP '192.168.120.103'
(pf::ip4log::ip2mac)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(27361) INFO:
[mac:b0:6e:bf:ab:3a:fe] oldip (192.168.120.53) and newip (192.168.120.103)
are different for b0:6e:bf:ab:3a:fe - closing ip4log entry
(pf::api::update_ip4log)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN:
[mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting history for device
b0:6e:bf:ab:3a:fe. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Nov 10 13:01:48 packetfence pfqueue: pfqueue(26901) WARN:
[mac:b0:6e:bf:ab:3a:fe] Unable to pull accounting history for device
b0:6e:bf:ab:3a:fe. The history set doesn't exist yet.
(pf::accounting_events_history::latest_mac_history)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1485) INFO: getting
security_events triggers for accounting cleanup
(pf::accounting::acct_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1486) INFO: processed 0
security_events during security_event maintenance (1605013316.14234
1605013316.1507)  (pf::security_event::security_event_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1486) INFO: processed 0
security_events during security_event maintenance (1605013316.15212
1605013316.1)  (pf::security_event::security_event_maintenance)
Nov 10 13:01:56 packetfence packetfence: pfperl-api(1485) INFO: Using 300
resolution threshold 

Re: [PacketFence-users] Captive Portal Mac 0 (missing)

[Geert Heremans via PacketFence-users]

Hello Ludovic

I'm doing Mac-auth because that's what I was using last year on PF 9. I'm
going to look into web-auth because right now I don't know what I really is
or what the possibilities benefits are.

Best regards
Geert

Op di 13 okt. 2020 om 15:03 schreef Ludovic Zammit :

> Hello,
>
> Are you doing Mac authentication or web auth to register your device ?
>
> Thanks,
>
>
> Ludovic zammitlzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org)
>
>
>
>
>
> On Oct 11, 2020, at 10:20 AM, Geert Heremans via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Hello Everyone
>
> I am so sorry to come to you seeking for help once again I really try to
> find my answers before sending my questions to the mailing list. And
> although also this one has several hits the information din't help me.
>
> After setting up PF10.1 I've Out-of-Band almost everything works now.
> Connection to AD: check. Set my Roles: Check. Configured Unify: check.
>
> When a new computer is connected to the registration network he or she is
> redirected to the CP. The computer gets an IP assigned form the DHCP server
> on the registration VLAN from Packetfence.
>
> *However the MAC-address is 0 and therefor I get a computer not found in
> the packetfence database. I'm testing this by using a Windows 10
> installation on Hyper-v, should this matter. I've tried doing a ipconfig
> /release & / renew on the WIN10 but to no avail.*
>
> I've read in the online sources that this is caused because PF cannot find
> the computer in recent DHCP-leases. But that's strange because there is no
> doubt that PF is sending the DHCP-response to my computer and leasing it an
> IP.
>
> My PF registration VLAN has a network of 172.31.20.0/24. The computer
> gets an IP in this segment.
> My captive portal lives on a totally different IP-segment:66.70.255.147 I
> think that's strange but it works...
>
> Best regards
> Geert
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Mac 0 (missing)

[Ludovic Zammit via PacketFence-users]

Hello,

Are you doing Mac authentication or web auth to register your device ?

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Oct 11, 2020, at 10:20 AM, Geert Heremans via PacketFence-users 
>  wrote:
> 
> Hello Everyone
> 
> I am so sorry to come to you seeking for help once again I really try to find 
> my answers before sending my questions to the mailing list. And although also 
> this one has several hits the information din't help me.
> 
> After setting up PF10.1 I've Out-of-Band almost everything works now. 
> Connection to AD: check. Set my Roles: Check. Configured Unify: check.
> 
> When a new computer is connected to the registration network he or she is 
> redirected to the CP. The computer gets an IP assigned form the DHCP server 
> on the registration VLAN from Packetfence.
> 
> However the MAC-address is 0 and therefor I get a computer not found in the 
> packetfence database. I'm testing this by using a Windows 10 installation on 
> Hyper-v, should this matter. I've tried doing a ipconfig /release & / renew 
> on the WIN10 but to no avail.
> 
> I've read in the online sources that this is caused because PF cannot find 
> the computer in recent DHCP-leases. But that's strange because there is no 
> doubt that PF is sending the DHCP-response to my computer and leasing it an 
> IP.
> 
> My PF registration VLAN has a network of 172.31.20.0/24 
> . The computer gets an IP in this segment. 
> My captive portal lives on a totally different IP-segment:66.70.255.147 I 
> think that's strange but it works...
> 
> Best regards
> Geert
> 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Mac 0 (missing)

[Geert Heremans via PacketFence-users]

Hello Everyone

I am so sorry to come to you seeking for help once again I really try to
find my answers before sending my questions to the mailing list. And
although also this one has several hits the information din't help me.

After setting up PF10.1 I've Out-of-Band almost everything works now.
Connection to AD: check. Set my Roles: Check. Configured Unify: check.

When a new computer is connected to the registration network he or she is
redirected to the CP. The computer gets an IP assigned form the DHCP server
on the registration VLAN from Packetfence.

*However the MAC-address is 0 and therefor I get a computer not found in
the packetfence database. I'm testing this by using a Windows 10
installation on Hyper-v, should this matter. I've tried doing a ipconfig
/release & / renew on the WIN10 but to no avail.*

I've read in the online sources that this is caused because PF cannot find
the computer in recent DHCP-leases. But that's strange because there is no
doubt that PF is sending the DHCP-response to my computer and leasing it an
IP.

My PF registration VLAN has a network of 172.31.20.0/24. The computer gets
an IP in this segment.
My captive portal lives on a totally different IP-segment:66.70.255.147 I
think that's strange but it works...

Best regards
Geert
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Auto Reauthentication

[Michael Brown via PacketFence-users]

 Ok thanks a lot for the reply Ludovic.

On Wednesday, August 5, 2020, 10:11:13 AM EDT, Ludovic Zammit 
 wrote:  
 
 Hello Michael,
No, they would have to submit their credential once PF unreg their node past 
the unreg_date. Only 802.1x has that kind of feature.
Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 




On Jul 31, 2020, at 12:19 PM, Michael Brown via PacketFence-users 
 wrote:
Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,Mike___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


  ___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Auto Reauthentication

[Ludovic Zammit via PacketFence-users]

Hello Michael,

No, they would have to submit their credential once PF unreg their node past 
the unreg_date. Only 802.1x has that kind of feature.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Jul 31, 2020, at 12:19 PM, Michael Brown via PacketFence-users 
>  wrote:
> 
> Hi Guys,
> 
> Is there a way to have clients who have authenticated via the captive portal 
> (Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
> automatically after their Access Duration time limit has expired?  
> 
> Thanks,
> Mike
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Auto Reauthentication

[Michael Brown via PacketFence-users]

Checking in on this. Thanks. 


Sent from Yahoo Mail for iPhone


On Friday, July 31, 2020, 12:19 PM, Michael Brown  
wrote:

Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,Mike


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Auto Reauthentication

[Michael Brown via PacketFence-users]

Hi Guys,
Is there a way to have clients who have authenticated via the captive portal 
(Wireless-No-EAP) using their Active Directory credentials to reauthenticate 
automatically after their Access Duration time limit has expired?  

Thanks,Mike___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[chrisb--- via PacketFence-users]

Hi Fabrice,

When I connect a device to the ruckus ap, packetfence shows the devices
location as port 0 on the unifi AP.

Any suggestion on how to go about troubleshooting this?



 

Chris

 

From: Durand fabrice  
Sent: Tuesday, July 28, 2020 3:14 PM
To: Chris Brown 
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

 

When this happen, can you check the location log of the device to see where
packetfence think the device is (node -> location).

Le 20-07-28 à 07 h 56, Chris Brown a écrit :

Hi, 

 

I have a Unifi APs that I am testing, the captive portal / web auth works
fine on on the Unifi APs.

 

For some reason PacketFence seems to be sending the death to the Unifi AP /
Controller instead of the Ruckus ZoneDirector when a client device connects
to the ruckus AP.

 

Current switches.conf and PacketFence.log is attached (client device that
connected to in this PacketFence.log file was already registered on
PacketFence via the captive portal) 

 

Thanks for the help

 

Chris

 






 

 

On Jul 28, 2020, at 12:44 AM, Fabrice Durand mailto:fdur...@inverse.ca> > wrote:

 

Hello Chrisb,

it looks that you defined the Unifi switch module for your Ruckus AP.

Jul 27 17:32:14 packetfence pfqueue: pfqueue(23832) INFO:
[mac:58:d9:c3:5e:56:e5] Deauth on site: Default
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)

Fix that and make another try.

Regards

Fabrice

 

Le 20-07-28 à 00 h 34, chr...@vcxtechnologies.com
<mailto:chr...@vcxtechnologies.com>  a écrit :

Hi Please see the attached packefence.log file


Thanks,

Chris Brown




 

From: Durand fabrice via PacketFence-users
<mailto:packetfence-users@lists.sourceforge.net>
 
Sent: Monday, July 27, 2020 3:25 PM
To: packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: Durand fabrice  <mailto:fdur...@inverse.ca> 
Subject: Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

 

Hello Chrisb,

can you post the packetfence.log file at the moment you register on the
portal ?

Regards

Fabrice

 

Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :

Hi,


I’m looking for some help setting up Packetfence’s captive portal / web-auth
to work with a Ruckus ZD1100 and various Ruckus APs. When I attempt to
connect a device to the network I can get to the captive portal and use a
null source to register with packetfence but I always get an error that says
“your network should be enabled within a minute or two”


I followed the Ruckus section of the Network Devices Configuration Guide and
found that there is very little information about the configuration
necessary in PacketFence itself in order to get PacketFence to talk to the
Ruckus ZD1100 or the APs. Maybe I’m missing something, but following the
instructions for configuring PacketFence to support the Ruckus Equipment
gives me the exact same results as when I just delete the ZD1100 and APs
from the PacketFence config and try to register a device.


Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

[8c:0c:90:14:c8:40]

description=NOC TEST AP

group=default

controllerIp=172.16.105.10

type=Ruckus


Any help would be greatly appreiciated.

Regards,






Chris Brown

chr...@vcxtechnologies.com <mailto:chr...@vcxtechnologies.com> 

 







___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca <mailto:fdur...@inverse.ca>  ::  +1.514.447.4918 (x135)
::  www.inverse.ca <http://www.inverse.ca/> 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
<http://www.sogo.nu/> ) and PacketFence (http://packetfence.org
<http://packetfence.org/> ) 

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[Graham Prentice via PacketFence-users]

Also noticed your radius secret is different on this settingthan the others: 
(has extra 'r')

 

Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

 

 

Graham

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[Durand fabrice via PacketFence-users]

When this happen, can you check the location log of the device to see 
where packetfence think the device is (node -> location).


Le 20-07-28 à 07 h 56, Chris Brown a écrit :

Hi,

I have a Unifi APs that I am testing, the captive portal / web auth 
works fine on on the Unifi APs.


For some reason PacketFence seems to be sending the death to the Unifi 
AP / Controller instead of the Ruckus ZoneDirector when a client 
device connects to the ruckus AP.


Current switches.conf and PacketFence.log is attached (client device 
that connected to in this PacketFence.log file was already registered 
on PacketFence via the captive portal)


Thanks for the help

Chris





On Jul 28, 2020, at 12:44 AM, Fabrice Durand <mailto:fdur...@inverse.ca>> wrote:


Hello Chrisb,

it looks that you defined the Unifi switch module for your Ruckus AP.

Jul 27 17:32:14 packetfence pfqueue: pfqueue(23832) INFO: 
[mac:58:d9:c3:5e:56:e5] Deauth on site: Default 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


Fix that and make another try.

Regards

Fabrice


Le 20-07-28 à 00 h 34,chr...@vcxtechnologies.coma écrit :

Hi Please see the attached packefence.log file

Thanks,
Chris Brown

*From:*Durand fabrice via 
PacketFence-users

*Sent:*Monday, July 27, 2020 3:25 PM
*To:*packetfence-users@lists.sourceforge.net
*Cc:*Durand fabrice
*Subject:*Re: [PacketFence-users] Captive Portal Web Auth with 
Ruckus APs


Hello Chrisb,

can you post the packetfence.log file at the moment you register on 
the portal ?


Regards

Fabrice

Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :

Hi,


I’m looking for some help setting up Packetfence’s captive
portal / web-auth to work with a Ruckus ZD1100 and various
Ruckus APs. When I attempt to connect a device to the network I
can get to the captive portal and use a null source to register
with packetfence but I always get an error that says “your
network should be enabled within a minute or two”


I followed the Ruckus section of the Network Devices
Configuration Guide and found that there is very little
information about the configuration necessary in PacketFence
itself in order to get PacketFence to talk to the Ruckus ZD1100
or the APs. Maybe I’m missing something, but following the
instructions for configuring PacketFence to support the Ruckus
Equipment gives me the exact same results as when I just delete
the ZD1100 and APs from the PacketFence config and try to
register a device.


Relevant lines of switches.conf:
[172.16.105.10]
description=ZD1100
group=default
registrationVlan=-1
type=Ruckus
SNMPVersionTrap=2c
radiusSecret=userStrongerSecret
SNMPVersion=2c

[8c:0c:90:14:c8:40]
description=NOC TEST AP
group=default
controllerIp=172.16.105.10
type=Ruckus


Any help would be greatly appreiciated.

Regards,



Chris Brown
chr...@vcxtechnologies.com <mailto:chr...@vcxtechnologies.com>



___

PacketFence-users mailing list

PacketFence-users@lists.sourceforge.net  
<mailto:PacketFence-users@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca  ::  +1.514.447.4918 (x135) ::www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)


___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[Chris Brown via PacketFence-users]

Hi,I have a Unifi APs that I am testing, the captive portal / web auth works fine on on the Unifi APs.For some reason PacketFence seems to be sending the death to the Unifi AP / Controller instead of the Ruckus ZoneDirector when a client device connects to the ruckus AP.Current switches.conf and PacketFence.log is attached (client device that connected to in this PacketFence.log file was already registered on PacketFence via the captive portal) Thanks for the helpChris{\rtf1\ansi\ansicpg1252\cocoartf1671\cocoasubrtf600
{\fonttbl\f0\fnil\fcharset0 Menlo-Regular;}
{\colortbl;\red255\green255\blue255;\red0\green0\blue0;}
{\*\expandedcolortbl;;\cssrgb\c0\c0\c0;}
\margl1440\margr1440\vieww10800\viewh8400\viewkind0
\deftab720
\pard\pardeftab720\partightenfactor0

\f0\fs22 \cf0 \expnd0\expndtw0\kerning0
[172.16.105.111]\
description=Unifi Controller\
group=default\
uplink_dynamic=0\
wsPwd=N3wN3tw0rkPassw0rd\
controllerIp=172.16.105.111\
wsTransport=https\
type=Ubiquiti::Unifi\
wsUser=chr...@vcxtechnologies.com\
registrationUrl=http://172.16.105.103/guests/s/default\
registrationVlan=-1\
\
[172.16.105.10]\
registrationUrl=http://172.16.105.103/Ruckus\
description=ZD1100\
SNMPVersionTrap=2c\
group=default\
uplink_dynamic=0\
UrlMap=Y\
registrationVlan=-1\
controllerIp=172.16.105.10\
guestVlan=1\
ExternalPortalEnforcement=Y\
deauthMethod=RADIUS\
type=Ruckus\
radiusSecret=useStrongerSecret\
SNMPVersion=2c\
RoleMap=Y\
guestRole=Default\
\
[18:e8:29:a3:f2:bf]\
description=Ubiquiti AP\
ExternalPortalEnforcement=Y\
type=Ubiquiti::Unifi\
controllerIp=172.16.105.111\
wsTransport=https\
wsUser=chr...@vcxtechnologies.com\
wsPwd=N3wN3tw0rkPassw0rd\
uplink_dynamic=0\
registrationVlan=-1\
\
\
[50:A7:33:2B:1E:60]\
description=Ruckus TEST AP 3\
group=default\
controllerIp=172.16.105.10\
type=Ruckus\
registrationVlan=-1\
ExternalPortalEnforcement=Y\
deauthMethod=RADIUS\
radiusSecret=useStrongerSecret\
registrationUrl=http://172.16.105.103/Ruckus\
guestVlan=1\
uplink_dynamic=0\
UrlMap=Y\
\
[8c:0c:90:14:c8:40]\
description=Ruckus TEST AP 1\
group=default\
controllerIp=172.16.105.10\
type=Ruckus\
registrationVlan=-1\
ExternalPortalEnforcement=Y\
deauthMethod=RADIUS\
radiusSecret=useStrongerSecret\
registrationUrl=http://172.16.105.103/Ruckus\
guestVlan=1\
uplink_dynamic=0\
UrlMap=Y\
\
[8c:0c:90:15:14:90]\
description=Ruckus TEST AP 2\
group=default\
controllerIp=172.16.105.10\
type=Ruckus\
registrationVlan=-1\
ExternalPortalEnforcement=Y\
deauthMethod=RADIUS\
radiusSecret=useStrongerSecret\
registrationUrl=http://172.16.105.103/Ruckus\
guestVlan=1\
uplink_dynamic=0\
UrlMap=Y}

packetfence.log
Description: Binary data
On Jul 28, 2020, at 12:44 AM, Fabrice Durand <fdur...@inverse.ca> wrote:Hello Chrisb,it looks that you defined the Unifi switch module for your Ruckus AP.Jul 27 17:32:14 packetfence pfqueue: pfqueue(23832) INFO: [mac:58:d9:c3:5e:56:e5] Deauth on site: Default (pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)Fix that and make another try.RegardsFabriceLe 20-07-28 à 00 h 34, chr...@vcxtechnologies.com a écrit :Hi Please see the attached packefence.log fileThanks,Chris Brown From: Durand fabrice via PacketFence-users  Sent: Monday, July 27, 2020 3:25 PMTo: packetfence-users@lists.sourceforge.netCc: Durand fabrice Subject: Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs Hello Chrisb,can you post the packetfence.log file at the moment you register on the portal ?RegardsFabrice Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :Hi,I’m looking for some help setting up Packetfence’s captive portal / web-auth to work with a Ruckus ZD1100 and various Ruckus APs. When I attempt to connect a device to the network I can get to the captive portal and use a null source to register with packetfence but I always get an error that says “your network should be enabled within a minute or two”I followed the Ruckus section of the Network Devices Configuration Guide and found that there is very little information about the configuration necessary in PacketFence itself in order to get PacketFence to talk to the Ruckus ZD1100 or the APs. Maybe I’m missing something, but following the instructions for configuring PacketFence to support the Ruckus Equipment gives me the exact same results as when I just delete the ZD1100 and APs from the PacketFence config and try to register a device.Relevant lines of switches.conf:[172.16.105.10]description=ZD1100group=defaultregistrationVlan=-1type=RuckusSNMPVersionTrap=2cradiusSecret=userStrongerSecretSNMPVersion=2c[8c:0c:90:14:c8:40]description=NOC TEST APgroup=defaultcontrollerIp=172.16.105.10type=RuckusAny help would be greatly appreiciated.Regards,Chris Brownchr...@vcxtechnologies.com ___PacketFence-users mailing listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: L

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[Fabrice Durand via PacketFence-users]

Hello Chrisb,

it looks that you defined the Unifi switch module for your Ruckus AP.

Jul 27 17:32:14 packetfence pfqueue: pfqueue(23832) INFO: 
[mac:58:d9:c3:5e:56:e5] Deauth on site: Default 
(pf::Switch::Ubiquiti::Unifi::_deauthenticateMacWithHTTP)


Fix that and make another try.

Regards

Fabrice


Le 20-07-28 à 00 h 34, chr...@vcxtechnologies.com a écrit :


Hi Please see the attached packefence.log file


Thanks,

Chris Brown

*From:* Durand fabrice via PacketFence-users 


*Sent:* Monday, July 27, 2020 3:25 PM
*To:* packetfence-users@lists.sourceforge.net
*Cc:* Durand fabrice 
*Subject:* Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

Hello Chrisb,

can you post the packetfence.log file at the moment you register on 
the portal ?


Regards

Fabrice

Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :

Hi,


I’m looking for some help setting up Packetfence’s captive portal
/ web-auth to work with a Ruckus ZD1100 and various Ruckus APs.
When I attempt to connect a device to the network I can get to the
captive portal and use a null source to register with packetfence
but I always get an error that says “your network should be
enabled within a minute or two”


I followed the Ruckus section of the Network Devices Configuration
Guide and found that there is very little information about the
configuration necessary in PacketFence itself in order to get
PacketFence to talk to the Ruckus ZD1100 or the APs. Maybe I’m
missing something, but following the instructions for configuring
PacketFence to support the Ruckus Equipment gives me the exact
same results as when I just delete the ZD1100 and APs from the
PacketFence config and try to register a device.


Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

[8c:0c:90:14:c8:40]

description=NOC TEST AP

group=default

controllerIp=172.16.105.10

type=Ruckus


Any help would be greatly appreiciated.

Regards,



Chris Brown

chr...@vcxtechnologies.com <mailto:chr...@vcxtechnologies.com>




___

PacketFence-users mailing list

PacketFence-users@lists.sourceforge.net  
<mailto:PacketFence-users@lists.sourceforge.net>

https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[chrisb--- via PacketFence-users]

Hi Please see the attached packefence.log file


Thanks,

Chris Brown



 

From: Durand fabrice via PacketFence-users
 
Sent: Monday, July 27, 2020 3:25 PM
To: packetfence-users@lists.sourceforge.net
Cc: Durand fabrice 
Subject: Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

 

Hello Chrisb,

can you post the packetfence.log file at the moment you register on the
portal ?

Regards

Fabrice

 

Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :

Hi,


I’m looking for some help setting up Packetfence’s captive portal / web-auth
to work with a Ruckus ZD1100 and various Ruckus APs. When I attempt to
connect a device to the network I can get to the captive portal and use a
null source to register with packetfence but I always get an error that says
“your network should be enabled within a minute or two”


I followed the Ruckus section of the Network Devices Configuration Guide and
found that there is very little information about the configuration
necessary in PacketFence itself in order to get PacketFence to talk to the
Ruckus ZD1100 or the APs. Maybe I’m missing something, but following the
instructions for configuring PacketFence to support the Ruckus Equipment
gives me the exact same results as when I just delete the ZD1100 and APs
from the PacketFence config and try to register a device.


Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

[8c:0c:90:14:c8:40]

description=NOC TEST AP

group=default

controllerIp=172.16.105.10

type=Ruckus


Any help would be greatly appreiciated.

Regards,





Chris Brown

chr...@vcxtechnologies.com <mailto:chr...@vcxtechnologies.com> 

 






___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users



packetfence.log.log
Description: Binary data
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Web Auth with Ruckus APs

[Durand fabrice via PacketFence-users]

Hello Chrisb,

can you post the packetfence.log file at the moment you register on the 
portal ?


Regards

Fabrice


Le 20-07-23 à 20 h 11, chrisb--- via PacketFence-users a écrit :


Hi,


I’m looking for some help setting up Packetfence’s captive portal / 
web-auth to work with a Ruckus ZD1100 and various Ruckus APs. When I 
attempt to connect a device to the network I can get to the captive 
portal and use a null source to register with packetfence but I always 
get an error that says “your network should be enabled within a minute 
or two”



I followed the Ruckus section of the Network Devices Configuration 
Guide and found that there is very little information about the 
configuration necessary in PacketFence itself in order to get 
PacketFence to talk to the Ruckus ZD1100 or the APs. Maybe I’m missing 
something, but following the instructions for configuring PacketFence 
to support the Ruckus Equipment gives me the exact same results as 
when I just delete the ZD1100 and APs from the PacketFence config and 
try to register a device.



Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

[8c:0c:90:14:c8:40]

description=NOC TEST AP

group=default

controllerIp=172.16.105.10

type=Ruckus


Any help would be greatly appreiciated.

Regards,


Chris Brown

chr...@vcxtechnologies.com



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Web Auth with Ruckus APs

[chrisb--- via PacketFence-users]

Hi,


I'm looking for some help setting up Packetfence's captive portal / web-auth
to work with a Ruckus ZD1100 and various Ruckus APs. When I attempt to
connect a device to the network I can get to the captive portal and use a
null source to register with packetfence but I always get an error that says
"your network should be enabled within a minute or two"


I followed the Ruckus section of the Network Devices Configuration Guide and
found that there is very little information about the configuration
necessary in PacketFence itself in order to get PacketFence to talk to the
Ruckus ZD1100 or the APs. Maybe I'm missing something, but following the
instructions for configuring PacketFence to support the Ruckus Equipment
gives me the exact same results as when I just delete the ZD1100 and APs
from the PacketFence config and try to register a device.


Relevant lines of switches.conf:
[172.16.105.10]

description=ZD1100

group=default

registrationVlan=-1

type=Ruckus

SNMPVersionTrap=2c

radiusSecret=userStrongerSecret

SNMPVersion=2c

[8c:0c:90:14:c8:40]

description=NOC TEST AP

group=default

controllerIp=172.16.105.10

type=Ruckus


Any help would be greatly appreiciated.

Regards,




Chris Brown

chr...@vcxtechnologies.com

 

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal: 502 Bad Gateway

[Emanuele Gabrielli via PacketFence-users]

Hi all,
 I defined a scenario where the switch port  is configured so to manage
the following scenario:

 1) 802.1x authentication
 if fails:
2) mac auth authentication
if fails:
3) Captive portal authentication

The switch correctly applies configurations when the device doesn't
successfully authenticates with 802.1x nor mac address correctly assigning
the registration VLAN on the switch port.
Then the device successfully acquires a valid (in the registration subnet)
IP address.
When the bowser is redirected to the captive portal it responds with *HTTP
502 error Bad Gateway *

*httpd.portal.error* log file states:










*Deep recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::execute" at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
line 343.Deep recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::done" at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module/ShowLocalAccount.pm
line 38.Deep recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::Chained::next" at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module.pm line
328.Deep recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::Root::done" at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module/Chained.pm
line 54.Deep recursion on anonymous subroutine at
/usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 91.Deep
recursion on subroutine "Class::MOP::Class:::around" at
/usr/lib64/perl5/vendor_perl/Class/MOP/Method/Wrapped.pm line 162.Deep
recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::Root::show_preregistration_account"
at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module/Root.pm
line 53.Deep recursion on subroutine
"captiveportal::PacketFence::DynamicRouting::Module::ShowLocalAccount::execute_child"
at /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Module.pm
line 254.Out of memory!*

It seems like an infinite http redirection.
I also tried to disable *Preregistration* on the* guest connection profile*

The problem still occurs.
Thanks in advance,
Emanuele

*PS: *
I applied configurations defined in documentation:
https://packetfence.org/doc/PacketFence_Installation_Guide.html#_enabling_the_captive_portal--


Emanuele Gabrielli

Dipartimento di Informatica - Università di Roma "Sapienza"
Via Salaria, 113
00198 - Roma

tel.  +390649918313
email:gabrie...@di.uniroma1.it
personal page: https://sites.google.com/a/di.uniroma1.it/emanuele_gabrielli/
SkypeID: egabriell
-
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Redirect

[Ludovic Zammit via PacketFence-users]

Hello Micheal,

You’re mine up two different technologies.

If you have a registration network, don’t use the web authentication with the 
url "Registration: http://172.20.252.250/Meraki::MR_v2 
” but use Mac authentication that return 
the registration VLAN dynamically.

Uncheck the External portal and check the Role VLAN by ID from your PacketFence 
switch configuration on PF.

Thanks,

Ludovic Zammit
lzam...@inverse.ca  ::  +1.514.447.4918 (x145) ::  
www.inverse.ca 
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu ) 
and PacketFence (http://packetfence.org ) 




> On Jun 13, 2020, at 11:14 AM, Michael Brown via PacketFence-users 
>  wrote:
> 
> Hey Guys,
> 
> I am trying to get 802.1x with captive portal working for a byod wireless 
> network using MR42 and MR52 Meraki access points.
> 
> PacketFence Version: ZEN 10.0.1
> 
> PF Management IP - 172.20.254.250
> PF Registration IP- 172.20.252.250
> PF Isolation IP - 172.20.251.250
> 
> Added the Meraki MR52 I am testing with as a switch on Policies and Access 
> Control
> These are the settings I am using for the AP on PF
> Definition:
> Use CoA turned on
> External Portal Enforcement turned on
> 
> Roles:
> Role mapping by VLAN ID
> Registration: 252
> Isolation: 251
> 
> Role mapping by Web Auth URL
> Registration: http://172.20.252.250/Meraki::MR_v2 
> 
> 
> 
> On the client I join the wireless network.
> I get an IP from PacketFence dhcp
>   Client Details:
>   IP: 172.20.252.12
>   DNS: 172.20.252.250
>   Gateway: 172.20.252.250
> 
> Web browser opens once I receive the IP from DHCP and tries to load 
> http://172.20.252.250/Meraki::MR_v2  but 
> it looks like it gets caught in a redirect loop. Web page says 
> ERR_TOO_MANY_REDIRECTS and I wind up with the the following in the address 
> bar of the page that tried to load: 
> http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://www.msftconnecttest.com/redirect
>  
> 
> 
> 
> Any ideas what I am missing? 
> 
> Thanks,
> Mike
> 
> 
> Sent from Yahoo Mail for iPhone 
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Redirect

[Michael Brown via PacketFence-users]

Hey Guys,

I am trying to get 802.1x with captive portal working for a byod wireless 
network using MR42 and MR52 Meraki access points.
PacketFence Version: ZEN 10.0.1
PF Management IP - 172.20.254.250PF Registration IP- 172.20.252.250PF Isolation 
IP - 172.20.251.250
Added the Meraki MR52 I am testing with as a switch on Policies and Access 
ControlThese are the settings I am using for the AP on PFDefinition:Use CoA 
turned onExternal Portal Enforcement turned on
Roles:Role mapping by VLAN ID
Registration: 252Isolation: 251
Role mapping by Web Auth URLRegistration: http://172.20.252.250/Meraki::MR_v2

On the client I join the wireless network.I get an IP from PacketFence dhcp  
Client Details:  IP: 172.20.252.12  DNS: 172.20.252.250  Gateway: 172.20.252.250
Web browser opens once I receive the IP from DHCP and tries to load 
http://172.20.252.250/Meraki::MR_v2 but it looks like it gets caught in a 
redirect loop. Web page says ERR_TOO_MANY_REDIRECTS and I wind up with the the 
following in the address bar of the page that tried to load: 
http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://www.msftconnecttest.com/redirect

Any ideas what I am missing? 
Thanks,Mike

Sent from Yahoo Mail for iPhone
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issues v10.0.1

[Durand fabrice via PacketFence-users]

Hum weird, when you try to ping 192.0.2.1 from your device can you see 
the request on the registration interface ?


It's sounds to me that you have something local on your device that 
route 192.168.2.1 somewhere, can you verify the routing table ?


Regards

Fabrice


Le 20-06-05 à 12 h 01, Ryan Radschlag via PacketFence-users a écrit :

*Looks like the ip is assigned:*
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN 
group default qlen 1000

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
    inet 192.0.2.1/32 scope link lo
   valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever

*ha proxy is listening:*
tcp    0  0 192.0.2.1:443 0.0.0.0:*   LISTEN  
5067/haproxy


*Heres a tcpdump of the traffic to the registration vlan interface:*
 tcpdump -i ens224 -f "ether host 58:d5:0a:31:df:5c"
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144 
bytes
10:56:48.485070 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: 
BOOTP/DHCP, Request from 58:d5:0a:31:df:5c (oui Unknown), length 302
10:56:48.492603 IP hsd-pf-1.hjt1.org.bootps > 172.21.73.224.bootpc: 
BOOTP/DHCP, Reply, length 311
10:56:48.512188 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: 
BOOTP/DHCP, Request from 58:d5:0a:31:df:5c (oui Unknown), length 314
10:56:48.523678 IP PACKETFENCE-FQDN.bootps > 172.21.73.224.bootpc: 
BOOTP/DHCP, Reply, length 311
10:56:48.523933 ARP, Request who-has 172.21.73.224 tell 172.21.73.224, 
length 46
10:56:48.758141 IP 172.21.73.224.33093 > PACKETFENCE-FQDN.domain: 
59068+ A? connectivitycheck.gstatic.com. (47)
10:56:48.760636 IP PACKETFENCE-FQDN.domain > 172.21.73.224.33093: 
59068*- 1/0/0 A 192.0.2.1 (63)
10:56:48.784760 IP 172.21.73.224.40997 > PACKETFENCE-FQDN.domain: 
47264+ A? www.google.com . (32)
10:56:48.787507 IP PACKETFENCE-FQDN.domain > 172.21.73.224.40997: 
47264*- 1/0/0 A 192.0.2.1 (48)
10:56:48.869527 IP 172.21.73.224.30438 > PACKETFENCE-FQDN.domain: 
7217+ A? clients3.google.com. (37)
10:56:48.872752 IP PACKETFENCE-FQDN.domain > 172.21.73.224.30438: 
7217*- 1/0/0 A 192.0.2.1 (53)
10:56:48.899808 IP 172.21.73.224.8335 > PACKETFENCE-FQDN.domain: 
32889+ A? mtalk.google.com. (34)
10:56:48.902028 IP PACKETFENCE-FQDN.domain > 172.21.73.224.8335: 
32889*- 1/0/0 A 192.0.2.1 (50)
10:56:48.949836 IP 172.21.73.224.61471 > PACKETFENCE-FQDN.domain: 
50430+ A? epdg.epc.firstnet.com. (39)
10:56:48.952125 IP PACKETFENCE-FQDN.domain > 172.21.73.224.61471: 
50430*- 1/0/0 A 192.0.2.1 (55)
10:56:51.166407 IP 172.21.73.224.35915 > PACKETFENCE-FQDN.domain: 
45147+ A? portal.fb.com. (31)
10:56:51.167851 IP PACKETFENCE-FQDN.domain > 172.21.73.224.35915: 
45147*- 1/0/0 A 127.0.0.1 (47)
10:56:51.13 IP 172.21.73.224.7889 > PACKETFENCE-FQDN.domain: 
55966+ A? play.googleapis.com. (37)
10:56:52.002334 IP PACKETFENCE-FQDN.domain > 172.21.73.224.7889: 
55966*- 1/0/0 A 192.0.2.1 (53)
10:56:52.496457 IP 172.21.73.224.48223 > PACKETFENCE-FQDN.domain: 
53912+ A? www.googleapis.com . (36)
10:56:52.498854 IP PACKETFENCE-FQDN.domain > 172.21.73.224.48223: 
53912*- 1/0/0 A 192.0.2.1 (52)
10:56:53.726157 IP 172.21.73.224.31953 > PACKETFENCE-FQDN.domain: 
9356+ A? hsd-gwds-2.REDACTED. (37)
10:56:53.728471 IP PACKETFENCE-FQDN.domain > 172.21.73.224.31953: 
9356*- 1/0/0 A 192.0.2.1 (53)
10:56:53.771563 ARP, Request who-has 172.21.73.224 tell 
PACKETFENCE-FQDN, length 28
10:56:53.771756 ARP, Reply 172.21.73.224 is-at 58:d5:0a:31:df:5c (oui 
Unknown), length 46
10:56:54.145519 IP 172.21.73.224.16107 > PACKETFENCE-FQDN.domain: 
44342+ A? alt6-mtalk.google.com. (39)
10:56:54.147949 IP PACKETFENCE-FQDN.domain > 172.21.73.224.16107: 
44342*- 1/0/0 A 192.0.2.1 (55)
10:56:56.054402 IP 172.21.73.224.9702 > PACKETFENCE-FQDN.domain: 
60027+ A? connectivitycheck.gstatic.com. (47)
10:56:56.056859 IP PACKETFENCE-FQDN.domain > 172.21.73.224.9702: 
60027*- 1/0/0 A 192.0.2.1 (63)
10:57:04.182446 IP 172.21.73.224.51065 > PACKETFENCE-FQDN.domain: 
39299+ A? www.google.com . (32)
10:57:04.182572 IP 172.21.73.224.45952 > PACKETFENCE-FQDN.domain: 
51831+ A? connectivitycheck.gstatic.com. (47)
10:57:04.184986 IP PACKETFENCE-FQDN.domain > 172.21.73.224.45952: 
51831*- 1/0/0 A 192.0.2.1 (63)
10:57:04.185076 IP PACKETFENCE-FQDN.domain > 172.21.73.224.51065: 
39299*- 1/0/0 A 192.0.2.1 (48)
10:57:04.197947 IP 172.21.73.224.54046 > PACKETFENCE-FQDN.domain: 
48493+ A? mtalk.google.com. (34)
10:57:04.200061 IP PACKETFENCE-FQDN.domain > 172.21.73.224.54046: 
48493*- 1/0/0 A 192.0.2.1 (50)


I can ping the 192.0.2.1 locally from the pf server. I can't ping it 
from the registration vlan. I can access other things on the 
registration vlan, but can't access the actual pf IP address either. 
Can't manually access the portal with ip or hostname.

Re: [PacketFence-users] Captive Portal Issues v10.0.1

[Ryan Radschlag via PacketFence-users]

Looks like the ip is assigned:
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet 192.0.2.1/32 scope link lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever

ha proxy is listening:
tcp 00 192.0.2.1:443   0.0.0.0:*
LISTEN5067/haproxy

Heres a tcpdump of the traffic to the registration vlan interface: 
 tcpdump -i ens224 -f "ether host 58:d5:0a:31:df:5c"
tcpdump: verbose output suppressed, use -v or -vv for full protocol
decode
listening on ens224, link-type EN10MB (Ethernet), capture size 262144
bytes
10:56:48.485070 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 58:d5:0a:31:df:5c (oui Unknown), length 302
10:56:48.492603 IP hsd-pf-1.hjt1.org.bootps > 172.21.73.224.bootpc:
BOOTP/DHCP, Reply, length 311
10:56:48.512188 IP 0.0.0.0.bootpc > 255.255.255.255.bootps: BOOTP/DHCP,
Request from 58:d5:0a:31:df:5c (oui Unknown), length 314
10:56:48.523678 IP PACKETFENCE-FQDN.bootps > 172.21.73.224.bootpc:
BOOTP/DHCP, Reply, length 311
10:56:48.523933 ARP, Request who-has 172.21.73.224 tell 172.21.73.224,
length 46
10:56:48.758141 IP 172.21.73.224.33093 > PACKETFENCE-FQDN.domain:
59068+ A? connectivitycheck.gstatic.com. (47)
10:56:48.760636 IP PACKETFENCE-FQDN.domain > 172.21.73.224.33093:
59068*- 1/0/0 A 192.0.2.1 (63)
10:56:48.784760 IP 172.21.73.224.40997 > PACKETFENCE-FQDN.domain:
47264+ A? www.google.com. (32)
10:56:48.787507 IP PACKETFENCE-FQDN.domain > 172.21.73.224.40997:
47264*- 1/0/0 A 192.0.2.1 (48)
10:56:48.869527 IP 172.21.73.224.30438 > PACKETFENCE-FQDN.domain: 7217+
A? clients3.google.com. (37)
10:56:48.872752 IP PACKETFENCE-FQDN.domain > 172.21.73.224.30438:
7217*- 1/0/0 A 192.0.2.1 (53)
10:56:48.899808 IP 172.21.73.224.8335 > PACKETFENCE-FQDN.domain: 32889+
A? mtalk.google.com. (34)
10:56:48.902028 IP PACKETFENCE-FQDN.domain > 172.21.73.224.8335:
32889*- 1/0/0 A 192.0.2.1 (50)
10:56:48.949836 IP 172.21.73.224.61471 > PACKETFENCE-FQDN.domain:
50430+ A? epdg.epc.firstnet.com. (39)
10:56:48.952125 IP PACKETFENCE-FQDN.domain > 172.21.73.224.61471:
50430*- 1/0/0 A 192.0.2.1 (55)
10:56:51.166407 IP 172.21.73.224.35915 > PACKETFENCE-FQDN.domain:
45147+ A? portal.fb.com. (31)
10:56:51.167851 IP PACKETFENCE-FQDN.domain > 172.21.73.224.35915:
45147*- 1/0/0 A 127.0.0.1 (47)
10:56:51.13 IP 172.21.73.224.7889 > PACKETFENCE-FQDN.domain: 55966+
A? play.googleapis.com. (37)
10:56:52.002334 IP PACKETFENCE-FQDN.domain > 172.21.73.224.7889:
55966*- 1/0/0 A 192.0.2.1 (53)
10:56:52.496457 IP 172.21.73.224.48223 > PACKETFENCE-FQDN.domain:
53912+ A? www.googleapis.com. (36)
10:56:52.498854 IP PACKETFENCE-FQDN.domain > 172.21.73.224.48223:
53912*- 1/0/0 A 192.0.2.1 (52)
10:56:53.726157 IP 172.21.73.224.31953 > PACKETFENCE-FQDN.domain: 9356+
A? hsd-gwds-2.REDACTED. (37)
10:56:53.728471 IP PACKETFENCE-FQDN.domain > 172.21.73.224.31953:
9356*- 1/0/0 A 192.0.2.1 (53)
10:56:53.771563 ARP, Request who-has 172.21.73.224 tell
PACKETFENCE-FQDN, length 28
10:56:53.771756 ARP, Reply 172.21.73.224 is-at 58:d5:0a:31:df:5c (oui
Unknown), length 46
10:56:54.145519 IP 172.21.73.224.16107 > PACKETFENCE-FQDN.domain:
44342+ A? alt6-mtalk.google.com. (39)
10:56:54.147949 IP PACKETFENCE-FQDN.domain > 172.21.73.224.16107:
44342*- 1/0/0 A 192.0.2.1 (55)
10:56:56.054402 IP 172.21.73.224.9702 > PACKETFENCE-FQDN.domain: 60027+
A? connectivitycheck.gstatic.com. (47)
10:56:56.056859 IP PACKETFENCE-FQDN.domain > 172.21.73.224.9702:
60027*- 1/0/0 A 192.0.2.1 (63)
10:57:04.182446 IP 172.21.73.224.51065 > PACKETFENCE-FQDN.domain:
39299+ A? www.google.com. (32)
10:57:04.182572 IP 172.21.73.224.45952 > PACKETFENCE-FQDN.domain:
51831+ A? connectivitycheck.gstatic.com. (47)
10:57:04.184986 IP PACKETFENCE-FQDN.domain > 172.21.73.224.45952:
51831*- 1/0/0 A 192.0.2.1 (63)
10:57:04.185076 IP PACKETFENCE-FQDN.domain > 172.21.73.224.51065:
39299*- 1/0/0 A 192.0.2.1 (48)
10:57:04.197947 IP 172.21.73.224.54046 > PACKETFENCE-FQDN.domain:
48493+ A? mtalk.google.com. (34)
10:57:04.200061 IP PACKETFENCE-FQDN.domain > 172.21.73.224.54046:
48493*- 1/0/0 A 192.0.2.1 (50) 

I can ping the 192.0.2.1 locally from the pf server. I can't ping it
from the registration vlan. I can access other things on the
registration vlan, but can't access the actual pf IP address either.
Can't manually access the portal with ip or hostname.

-Ryan



This e-mail message together with any attachments or reply should not be
considered private or confidential because it may be archived and
subject to public disclosure under certain circumstances, such as
requests made pursuant to Wisconsin public records law.

The message is intended solely for the use of the individual or entity
to which they are addressed.  Please notify the sender immediately by
e-mail if you have 

Re: [PacketFence-users] Captive Portal Issues v10.0.1

[Durand fabrice via PacketFence-users]

If it's a layer 2 registration network then the dns will answer with the 
ip 192.0.2.1 (to fix the samsung captive portal detection)


So check to see if the ip is on the lo interface (ip a), if it's the 
case check to see if the haproxy-portal is listening on this ip (netstat 
-nlp| grep 443)


Also you can try to capture the traffic of the device and share the 
pcap. (thsrak -i ethx -f "ether host mac_address" -w /tmp/device.pcap


Regards

Fabrice


Le 20-06-04 à 13 h 07, Ryan Radschlag via PacketFence-users a écrit :
We're having issues with the clients not getting redirected to the 
captive portal. From what I can find, all of the DNS requests return 
192.0.2.1 now. Is this supposed to work? Our clients sit idle and cant 
get to the portal even if we manually enter the dns or ip address. 
Currently we're running in out of band deployment. Any pointers on how 
to get this working?


Thanks!
-Ryan

/

This e-mail message together with any attachments or reply should not 
be considered private or confidential because it may be archived and 
subject to public disclosure under certain circumstances, such as 
requests made pursuant to Wisconsin public records law.


The message is intended solely for the use of the individual or entity 
to which they are addressed. Please notify the sender immediately by 
e-mail if you have received this e-mail by mistake and delete this 
e-mail from your system. Please note that the views or opinions 
presented in this e-mail are solely those of the author and do not 
necessarily represent those of the School District of Hartford Jt. #1. 
Any unauthorized use, distribution, copying or disclosure by you or to 
any other person is prohibited./




___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Issues v10.0.1

[Ryan Radschlag via PacketFence-users]

We're having issues with the clients not getting redirected to the captive 
portal. From what I can find, all of the DNS requests return 192.0.2.1 now. Is 
this supposed to work? Our clients sit idle and cant get to the portal even if 
we manually enter the dns or ip address. Currently we're running in out of band 
deployment. Any pointers on how to get this working?

Thanks!
-Ryan



This e-mail message together with any attachments or reply should not be 
considered private or confidential because it may be archived and subject to 
public disclosure under certain circumstances, such as requests made pursuant 
to Wisconsin public records law.

The message is intended solely for the use of the individual or entity to which 
they are addressed.  Please notify the sender immediately by e-mail if you have 
received this e-mail by mistake and delete this e-mail from your system.  
Please note that the views or opinions presented in this e-mail are solely 
those of the author and do not necessarily represent those of the School 
District of Hartford Jt. #1.  Any unauthorized use, distribution, copying or 
disclosure by you or to any other person is prohibited. 



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

[PacketFence-users] Captive Portal Redirect Not Working

[Michael Brown via PacketFence-users]

 Hey Guys,

I am trying to get 802.1x with captive portal working for a byod wireless 
network using MR42 and MR52 Meraki access points.
PacketFence Version: ZEN 10.0.1
PF Management IP - 172.20.254.250PF Registration IP- 172.20.252.250PF Isolation 
IP - 172.20.251.250
Added the Meraki MR52 I am testing with as a switch on Policies and Access 
ControlThese are the settings I am using for the AP on PFDefinition:Use CoA 
turned onExternal Portal Enforcement turned on
Roles:Role mapping by VLAN ID
Registration: 252Isolation: 251
Role mapping by Web Auth URLRegistration: http://172.20.252.250/Meraki::MR_v2

On the client I join the wireless network.I get an IP from PacketFence dhcp  
Client Details:  IP: 172.20.252.12  DNS: 172.20.252.250  Gateway: 172.20.252.250
Web browser opens once I receive the IP from DHCP and tries to load 
http://172.20.252.250/Meraki::MR_v2 but it looks like it gets caught in a 
redirect loop. Web page says ERR_TOO_MANY_REDIRECTS and I wind up with the the 
following in the address bar of the page that tried to load: 
http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://172.20.252.250/Meraki::MR_v2/sidd6207a?_url=http://www.msftconnecttest.com/redirect

Any ideas what I am missing? 
Thanks,Mike  ___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Balance F5

[Domingos Varela via PacketFence-users]

Hello,

Did anyone here manage to configure the Pf captive portal on F5?
I have tried and I have not had successes.
We are already in the version 10.0 and the documentation on the F5 is the
same and has not worked.
Thanks
Regards

Cumprimentos,

*Domingos Varela*
Tel. +244 923 229 330 | Luanda - Angola


Domingos Varela  escreveu no dia quarta, 19/02/2020
à(s) 14:47:

> Hello,
>
> Is there any person in this group who has managed or has F5 to balance the
> PF?
> I’ve been trying for a long time and without being asked, the group’s
> staff even gave some inputs, but then they gave up.
>
> Can anyone help with this setup so that future implementations are easier
> for everyone?
> Thanks
>
> Regards
>
> Cumprimentos,
>
> *Domingos Varela*
> Tel. +244 923 229 330 | Luanda - Angola
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

Ah that's the problem. If I use /Aruba or anything else I get the Not
Implemented. Get to /Aruba is not supported.

On Thu, Mar 12, 2020, 5:53 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> In this case, is it a webauth setup ? (
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_webauth
> )
>
> If it's the case, the portal URL must be https://PACKETFENCESERVER/Aruba .
>
>
> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/web/constants.pm#L105
>
>
> Le 20-03-12 à 14 h 31, Zacharry Williams via PacketFence-users a écrit :
>
> The bluedogrv SSID issues have been pretty much solved. I just did some
> tweaking to the bindings, and connection profile and people had to forget
> the network as the certificate changes made a few devices freak out. Little
> issues here and there but nothing major. it's really the captive portal
> that's holding me up. Details are in the last mail message.
>
> On Wed, Mar 11, 2020 at 6:06 PM Durand fabrice via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Do you have the logs related to this radius request ? (packetfence.log)
>>
>> It looks to me that you are doing 802.1x + web auth.
>>
>> For the ssid BlueDogRV, just configure it like
>> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_all_aruba_os
>> (Secure SSID and not like WebAuth).
>>
>> Once done, connect to the ssid BlueDogRV, you are supposed to see :
>>
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
>> [mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
>> (192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
>> (c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
>> "host/ tacos -016.BluedogRV.lan", ssid =>  "BlueDogRV"
>> (pf::radius::authorize)
>>
>> If it's the case then change the filter of your connection profile to use
>> SSID = BlueDogRV and add the source you want to use for machine auth.
>>
>> Let me know if it's ok.
>>
>> Regards
>>
>> Fabrice
>>
>>
>> Le 20-03-11 à 17 h 12, Zacharry Williams via PacketFence-users a écrit :
>>
>> User-Name = "host/ta-00614.BluedogRV.lan"
>> NAS-IP-Address = 192.168.100.217
>> NAS-Port = 0
>> Service-Type = Framed-User
>> Framed-MTU = 1100
>> State = 0x2880f3b42988e97dfdf00d5089857e6a
>> Called-Station-Id = "f0:5c:19:c2:13:96"
>> Calling-Station-Id = "9c:30:5b:1c:06:4b"
>> NAS-Identifier = "Aruba_Wireless"
>> NAS-Port-Type = Wireless-802.11
>> Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
>> EAP-Message = 0x020800061a03
>> Aruba-Essid-Name = "BlueDogRV"
>> Aruba-Location-Id = "ID-PF-SLS"
>> Aruba-AP-Group = "PostFalls"
>> FreeRADIUS-Proxied-To = 127.0.0.1
>> EAP-Type = MSCHAPv2
>> Realm = "BluedogRV.lan"
>> Called-Station-SSID = "BlueDogRV"
>> PacketFence-Domain = "Bluedogrv"
>> PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
>> PacketFence-Radius-Ip = "192.168.100.211"
>> PacketFence-NTLMv2-Only = ""
>> User-Password = "**"
>> SQL-User-Name = "host/ta-00614.BluedogRV.lan"
>>
>> It's there as Aruba-Essid-Name, which i'm guessing isn't being accepted.
>> Either way i deleted the switch and put it back in. Which seems to have
>> alleviated the majority of the issues.
>>
>> As for the captive portal, I'm thinking is in the same boat as there
>> aerohive stuff maybe? Where the url isn't being parsed correctly or
>> something?
>>
>> On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>>> Ok so first there is no ssid sent in the radius request so you can't use
>>> a filter based on the ssid.
>>>
>>> So what you can do (removed the ssid):
>>>
>>>
>>> [Wireless_EAP]
>>> filter_match_style=all
>>> description=Wireless_EAP
>>> sources=tacos-MachineAuth
>>> filter=connection_type:Wireless-802.11-EAP
>>> autoregister=enabled
>>> redirecturl=https://www.tacos.com
>>> logo=/common/Logo-horz.png
>>>
>>> So when you will connect you will see "Instantiate profile
>>> Wireless_EAP"  and "Found authentication source(s) : 'tacos-MachineAuth'
>>> for realm ' tacos.lan'"
>>>
>>> Next you need to be sure that tacos-MachineAuth return a role.
>>>
>>> Test that and let me know.
>>>
>>> Regards
>>>
>>> Fabrice
>>> Le 20-03-11 à 12 h 07, Zacharry Williams via PacketFence-users a écrit :
>>>
>>> Okay so this is the one from today. get's matched to the
>>> Ethernet profile and denied.
>>>
>>>
>>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
>>> [mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
>>> (192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
>>> (c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
>>> "host/ tacos -016.BluedogRV.lan" (pf::radius::authorize)
>>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
>>> [mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ tacos .

Re: [PacketFence-users] Captive Portal Issues

[Durand fabrice via PacketFence-users]

In this case, is it a webauth setup ? 
(https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_webauth)


If it's the case, the portal URL must be https://PACKETFENCESERVER/Aruba .

https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/web/constants.pm#L105


Le 20-03-12 à 14 h 31, Zacharry Williams via PacketFence-users a écrit :
The bluedogrv SSID issues have been pretty much solved. I just did 
some tweaking to the bindings, and connection profile and people had 
to forget the network as the certificate changes made a few devices 
freak out. Little issues here and there but nothing major. it's really 
the captive portal that's holding me up. Details are in the last mail 
message.


On Wed, Mar 11, 2020 at 6:06 PM Durand fabrice via PacketFence-users 
> wrote:


Do you have the logs related to this radius request ?
(packetfence.log)

It looks to me that you are doing 802.1x + web auth.

For the ssid BlueDogRV, just configure it like

https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_all_aruba_os
(Secure SSID and not like WebAuth).

Once done, connect to the ssid BlueDogRV, you are supposed to see :


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] handling radius autz request: from
switch_ip => (192.168.100.216), connection_type =>
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac =>
[00:24:d7:90:be:84], port => 0, username => "host/ tacos
-016.BluedogRV.lan", ssid => "BlueDogRV" (pf::radius::authorize)

If it's the case then change the filter of your connection profile
to use SSID = BlueDogRV and add the source you want to use for
machine auth.

Let me know if it's ok.

Regards

Fabrice


Le 20-03-11 à 17 h 12, Zacharry Williams via PacketFence-users a
écrit :

User-Name = "host/ta-00614.BluedogRV.lan"
NAS-IP-Address = 192.168.100.217
NAS-Port = 0
Service-Type = Framed-User
Framed-MTU = 1100
State = 0x2880f3b42988e97dfdf00d5089857e6a
Called-Station-Id = "f0:5c:19:c2:13:96"
Calling-Station-Id = "9c:30:5b:1c:06:4b"
NAS-Identifier = "Aruba_Wireless"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
EAP-Message = 0x020800061a03
Aruba-Essid-Name = "BlueDogRV"
Aruba-Location-Id = "ID-PF-SLS"
Aruba-AP-Group = "PostFalls"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "BluedogRV.lan"
Called-Station-SSID = "BlueDogRV"
PacketFence-Domain = "Bluedogrv"
PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
PacketFence-Radius-Ip = "192.168.100.211"
PacketFence-NTLMv2-Only = ""
User-Password = "**"
SQL-User-Name = "host/ta-00614.BluedogRV.lan"

It's there as Aruba-Essid-Name, which i'm guessing isn't being
accepted.
Either way i deleted the switch and put it back in. Which seems
to have alleviated the majority of the issues.

As for the captive portal, I'm thinking is in the same boat as
there aerohive stuff maybe? Where the url isn't being parsed
correctly or something?

On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via
PacketFence-users mailto:packetfence-users@lists.sourceforge.net>> wrote:

Ok so first there is no ssid sent in the radius request so
you can't use a filter based on the ssid.

So what you can do (removed the ssid):


[Wireless_EAP]
filter_match_style=all
description=Wireless_EAP
sources=tacos-MachineAuth
filter=connection_type:Wireless-802.11-EAP
autoregister=enabled
redirecturl=https://www.tacos.com
logo=/common/Logo-horz.png

So when you will connect you will see "Instantiate profile
Wireless_EAP"  and "Found authentication source(s) :
'tacos-MachineAuth' for realm ' tacos.lan'"

Next you need to be sure that tacos-MachineAuth return a role.

Test that and let me know.

Regards

Fabrice

Le 20-03-11 à 12 h 07, Zacharry Williams via
PacketFence-users a écrit :

Okay so this is the one from today. get's matched to the
Ethernet profile and denied.


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
INFO: [mac:00:24:d7:90:be:84] handling radius autz request:
from switch_ip => (192.168.100.216), connection_type =>
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac
=> [00:24:d7:90:be:84], port => 0, username => "host/ tacos
-016.BluedogRV.lan" (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
INFO: [mac:00:24:d7:90:be:84] is doing machine auth with
account 'host/ tacos . tacos.lan'. (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

The bluedogrv SSID issues have been pretty much solved. I just did some
tweaking to the bindings, and connection profile and people had to forget
the network as the certificate changes made a few devices freak out. Little
issues here and there but nothing major. it's really the captive portal
that's holding me up. Details are in the last mail message.

On Wed, Mar 11, 2020 at 6:06 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Do you have the logs related to this radius request ? (packetfence.log)
>
> It looks to me that you are doing 802.1x + web auth.
>
> For the ssid BlueDogRV, just configure it like
> https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_all_aruba_os
> (Secure SSID and not like WebAuth).
>
> Once done, connect to the ssid BlueDogRV, you are supposed to see :
>
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
> [mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
> (192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
> (c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
> "host/ tacos -016.BluedogRV.lan", ssid =>  "BlueDogRV"
> (pf::radius::authorize)
>
> If it's the case then change the filter of your connection profile to use
> SSID = BlueDogRV and add the source you want to use for machine auth.
>
> Let me know if it's ok.
>
> Regards
>
> Fabrice
>
>
> Le 20-03-11 à 17 h 12, Zacharry Williams via PacketFence-users a écrit :
>
> User-Name = "host/ta-00614.BluedogRV.lan"
> NAS-IP-Address = 192.168.100.217
> NAS-Port = 0
> Service-Type = Framed-User
> Framed-MTU = 1100
> State = 0x2880f3b42988e97dfdf00d5089857e6a
> Called-Station-Id = "f0:5c:19:c2:13:96"
> Calling-Station-Id = "9c:30:5b:1c:06:4b"
> NAS-Identifier = "Aruba_Wireless"
> NAS-Port-Type = Wireless-802.11
> Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
> EAP-Message = 0x020800061a03
> Aruba-Essid-Name = "BlueDogRV"
> Aruba-Location-Id = "ID-PF-SLS"
> Aruba-AP-Group = "PostFalls"
> FreeRADIUS-Proxied-To = 127.0.0.1
> EAP-Type = MSCHAPv2
> Realm = "BluedogRV.lan"
> Called-Station-SSID = "BlueDogRV"
> PacketFence-Domain = "Bluedogrv"
> PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
> PacketFence-Radius-Ip = "192.168.100.211"
> PacketFence-NTLMv2-Only = ""
> User-Password = "**"
> SQL-User-Name = "host/ta-00614.BluedogRV.lan"
>
> It's there as Aruba-Essid-Name, which i'm guessing isn't being accepted.
> Either way i deleted the switch and put it back in. Which seems to have
> alleviated the majority of the issues.
>
> As for the captive portal, I'm thinking is in the same boat as there
> aerohive stuff maybe? Where the url isn't being parsed correctly or
> something?
>
> On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> Ok so first there is no ssid sent in the radius request so you can't use
>> a filter based on the ssid.
>>
>> So what you can do (removed the ssid):
>>
>>
>> [Wireless_EAP]
>> filter_match_style=all
>> description=Wireless_EAP
>> sources=tacos-MachineAuth
>> filter=connection_type:Wireless-802.11-EAP
>> autoregister=enabled
>> redirecturl=https://www.tacos.com
>> logo=/common/Logo-horz.png
>>
>> So when you will connect you will see "Instantiate profile Wireless_EAP"
>> and "Found authentication source(s) : 'tacos-MachineAuth' for realm '
>> tacos.lan'"
>>
>> Next you need to be sure that tacos-MachineAuth return a role.
>>
>> Test that and let me know.
>>
>> Regards
>>
>> Fabrice
>> Le 20-03-11 à 12 h 07, Zacharry Williams via PacketFence-users a écrit :
>>
>> Okay so this is the one from today. get's matched to the Ethernet profile
>> and denied.
>>
>>
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
>> [mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
>> (192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
>> (c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
>> "host/ tacos -016.BluedogRV.lan" (pf::radius::authorize)
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
>> [mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ tacos .
>> tacos.lan'. (pf::radius::authorize)
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
>> [mac:00:24:d7:90:be:84] instantiating new pf::role object (pf::role::new)
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
>> [mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
>> (pf::access_filter::new)
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
>> [mac:00:24:d7:90:be:84] No engine found for IsPhone
>> (pf::access_filter::test)
>> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
>> [mac:00:24:d7:90:be:84] Trying to match IP address to MAC
>> '00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
>> Mar 11 08:57:01 NAC1 

Re: [PacketFence-users] Captive Portal Issues

[Durand fabrice via PacketFence-users]

Do you have the logs related to this radius request ? (packetfence.log)

It looks to me that you are doing 802.1x + web auth.

For the ssid BlueDogRV, just configure it like 
https://packetfence.org/doc/PacketFence_Network_Devices_Configuration_Guide.html#_all_aruba_os 
(Secure SSID and not like WebAuth).


Once done, connect to the ssid BlueDogRV, you are supposed to see :


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO: 
[mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip => 
(192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac => 
(c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username => 
"host/ tacos -016.BluedogRV.lan", ssid => "BlueDogRV" 
(pf::radius::authorize)


If it's the case then change the filter of your connection profile to 
use SSID = BlueDogRV and add the source you want to use for machine auth.


Let me know if it's ok.

Regards

Fabrice


Le 20-03-11 à 17 h 12, Zacharry Williams via PacketFence-users a écrit :

User-Name = "host/ta-00614.BluedogRV.lan"
NAS-IP-Address = 192.168.100.217
NAS-Port = 0
Service-Type = Framed-User
Framed-MTU = 1100
State = 0x2880f3b42988e97dfdf00d5089857e6a
Called-Station-Id = "f0:5c:19:c2:13:96"
Calling-Station-Id = "9c:30:5b:1c:06:4b"
NAS-Identifier = "Aruba_Wireless"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
EAP-Message = 0x020800061a03
Aruba-Essid-Name = "BlueDogRV"
Aruba-Location-Id = "ID-PF-SLS"
Aruba-AP-Group = "PostFalls"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "BluedogRV.lan"
Called-Station-SSID = "BlueDogRV"
PacketFence-Domain = "Bluedogrv"
PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
PacketFence-Radius-Ip = "192.168.100.211"
PacketFence-NTLMv2-Only = ""
User-Password = "**"
SQL-User-Name = "host/ta-00614.BluedogRV.lan"

It's there as Aruba-Essid-Name, which i'm guessing isn't being accepted.
Either way i deleted the switch and put it back in. Which seems to 
have alleviated the majority of the issues.


As for the captive portal, I'm thinking is in the same boat as there 
aerohive stuff maybe? Where the url isn't being parsed correctly or 
something?


On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via PacketFence-users 
> wrote:


Ok so first there is no ssid sent in the radius request so you
can't use a filter based on the ssid.

So what you can do (removed the ssid):


[Wireless_EAP]
filter_match_style=all
description=Wireless_EAP
sources=tacos-MachineAuth
filter=connection_type:Wireless-802.11-EAP
autoregister=enabled
redirecturl=https://www.tacos.com
logo=/common/Logo-horz.png

So when you will connect you will see "Instantiate profile
Wireless_EAP"  and "Found authentication source(s) :
'tacos-MachineAuth' for realm ' tacos.lan'"

Next you need to be sure that tacos-MachineAuth return a role.

Test that and let me know.

Regards

Fabrice

Le 20-03-11 à 12 h 07, Zacharry Williams via PacketFence-users a
écrit :

Okay so this is the one from today. get's matched to the
Ethernet profile and denied.


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] handling radius autz request: from
switch_ip => (192.168.100.216), connection_type =>
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac =>
[00:24:d7:90:be:84], port => 0, username => "host/ tacos
-016.BluedogRV.lan" (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] is doing machine auth with account 'host/
tacos . tacos.lan'. (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] instantiating new pf::role object
(pf::role::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] instantiating new
pf::access_filter::vlan (pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] No engine found for IsPhone
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] Trying to match IP address to MAC
'00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] Viewing an 'ip4log' table entry
for the following MAC address '00:24:d7:90:be:84'
(pf::ip4log::_view_by_mac)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] Matched MAC '00:24:d7:90:be:84' to
IP address '192.168.50.119' using SQL 'ip4log' table
(pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641)
DEBUG: [mac:00:24:d7:90:be:84] Memory configuration is not valid

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

User-Name = "host/ta-00614.BluedogRV.lan"
NAS-IP-Address = 192.168.100.217
NAS-Port = 0
Service-Type = Framed-User
Framed-MTU = 1100
State = 0x2880f3b42988e97dfdf00d5089857e6a
Called-Station-Id = "f0:5c:19:c2:13:96"
Calling-Station-Id = "9c:30:5b:1c:06:4b"
NAS-Identifier = "Aruba_Wireless"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Mar 11 2020 08:58:36 PDT"
EAP-Message = 0x020800061a03
Aruba-Essid-Name = "BlueDogRV"
Aruba-Location-Id = "ID-PF-SLS"
Aruba-AP-Group = "PostFalls"
FreeRADIUS-Proxied-To = 127.0.0.1
EAP-Type = MSCHAPv2
Realm = "BluedogRV.lan"
Called-Station-SSID = "BlueDogRV"
PacketFence-Domain = "Bluedogrv"
PacketFence-KeyBalanced = "f20536da90cb9e178c302675355f1678"
PacketFence-Radius-Ip = "192.168.100.211"
PacketFence-NTLMv2-Only = ""
User-Password = "**"
SQL-User-Name = "host/ta-00614.BluedogRV.lan"

It's there as Aruba-Essid-Name, which i'm guessing isn't being accepted.
Either way i deleted the switch and put it back in. Which seems to have
alleviated the majority of the issues.

As for the captive portal, I'm thinking is in the same boat as there
aerohive stuff maybe? Where the url isn't being parsed correctly or
something?

On Wed, Mar 11, 2020 at 10:45 AM Fabrice Durand via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Ok so first there is no ssid sent in the radius request so you can't use a
> filter based on the ssid.
>
> So what you can do (removed the ssid):
>
>
> [Wireless_EAP]
> filter_match_style=all
> description=Wireless_EAP
> sources=tacos-MachineAuth
> filter=connection_type:Wireless-802.11-EAP
> autoregister=enabled
> redirecturl=https://www.tacos.com
> logo=/common/Logo-horz.png
>
> So when you will connect you will see "Instantiate profile Wireless_EAP"
> and "Found authentication source(s) : 'tacos-MachineAuth' for realm '
> tacos.lan'"
>
> Next you need to be sure that tacos-MachineAuth return a role.
>
> Test that and let me know.
>
> Regards
>
> Fabrice
> Le 20-03-11 à 12 h 07, Zacharry Williams via PacketFence-users a écrit :
>
> Okay so this is the one from today. get's matched to the Ethernet profile
> and denied.
>
>
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
> [mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
> (192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
> (c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
> "host/ tacos -016.BluedogRV.lan" (pf::radius::authorize)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
> [mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ tacos .
> tacos.lan'. (pf::radius::authorize)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] instantiating new pf::role object (pf::role::new)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
> (pf::access_filter::new)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] No engine found for IsPhone
> (pf::access_filter::test)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Trying to match IP address to MAC
> '00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Viewing an 'ip4log' table entry for the following
> MAC address '00:24:d7:90:be:84' (pf::ip4log::_view_by_mac)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Matched MAC '00:24:d7:90:be:84' to IP address
> '192.168.50.119' using SQL 'ip4log' table (pf::ip4log::mac2ip)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
> FilterEngine::Profile() in local cached_hash (pfconfig::cached::is_valid)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
> config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
> [mac:00:24:d7:90:be:84] Instantiate profile Ethernet802.1x
> (pf::Connection::ProfileFactory::_from_profile)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] instantiating new pf::Connection::Profile object
> (pf::Connection::Profile::new)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
> (pf::access_filter::new)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] No engine found for AutoRegister
> (pf::access_filter::test)
> Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
> [mac:00:24:d7:90:be:84] Autoregistration set on profile Ethernet802.1x
> 

Re: [PacketFence-users] Captive Portal Issues

[Fabrice Durand via PacketFence-users]

Ok so first there is no ssid sent in the radius request so you can't use 
a filter based on the ssid.


So what you can do (removed the ssid):


[Wireless_EAP]
filter_match_style=all
description=Wireless_EAP
sources=tacos-MachineAuth
filter=connection_type:Wireless-802.11-EAP
autoregister=enabled
redirecturl=https://www.tacos.com
logo=/common/Logo-horz.png

So when you will connect you will see "Instantiate profile 
Wireless_EAP"  and "Found authentication source(s) : 'tacos-MachineAuth' 
for realm ' tacos.lan'"


Next you need to be sure that tacos-MachineAuth return a role.

Test that and let me know.

Regards

Fabrice

Le 20-03-11 à 12 h 07, Zacharry Williams via PacketFence-users a écrit :
Okay so this is the one from today. get's matched to the 
Ethernet profile and denied.



Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO: 
[mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip 
=> (192.168.100.216), connection_type => 
Wireless-802.11-EAP,switch_mac => (c8:b5:ad:ce:43:7c), mac => 
[00:24:d7:90:be:84], port => 0, username => "host/ tacos 
-016.BluedogRV.lan" (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO: 
[mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ 
tacos . tacos.lan'. (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] instantiating new pf::role object (pf::role::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan 
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] No engine found for IsPhone 
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Trying to match IP address to MAC 
'00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Viewing an 'ip4log' table entry for the 
following MAC address '00:24:d7:90:be:84' (pf::ip4log::_view_by_mac)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Matched MAC '00:24:d7:90:be:84' to IP address 
'192.168.50.119' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for 
key FilterEngine::Profile() in local cached_hash 
(pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for 
key config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO: 
[mac:00:24:d7:90:be:84] Instantiate profile Ethernet802.1x 
(pf::Connection::ProfileFactory::_from_profile)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] instantiating new pf::Connection::Profile 
object (pf::Connection::Profile::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan 
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] No engine found for AutoRegister 
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Autoregistration set on profile Ethernet802.1x 
(pf::role::shouldAutoRegister)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan 
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] No engine found for NodeInfoForAutoReg 
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for 
key config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] Used realm tacos tacos.lan is associated to 
the configured realm tacos.lan 
(pf::config::util::get_realm_authentication_source)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO: 
[mac:00:24:d7:90:be:84] Found authentication source(s) : 'tacod1' for 
realm ' tacos.lan' (pf::config::util::filter_authentication_sources)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG: 
[mac:00:24:d7:90:be:84] EAP connection with a username "host/ tacos 
-016. tacos .lan". Trying to match rules from authentication sources. 
(pf::role::getNodeInfoForAutoReg)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) WARN: 
[mac:00:24:d7:90:be:84] Use of uninitialized value in concatenation 
(.) or string at 

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

Okay so this is the one from today. get's matched to the Ethernet profile
and denied.


Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] handling radius autz request: from switch_ip =>
(192.168.100.216), connection_type => Wireless-802.11-EAP,switch_mac =>
(c8:b5:ad:ce:43:7c), mac => [00:24:d7:90:be:84], port => 0, username =>
"host/ tacos -016.BluedogRV.lan" (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] is doing machine auth with account 'host/ tacos .
tacos.lan'. (pf::radius::authorize)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::role object (pf::role::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for IsPhone
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Trying to match IP address to MAC
'00:24:d7:90:be:84' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Viewing an 'ip4log' table entry for the following
MAC address '00:24:d7:90:be:84' (pf::ip4log::_view_by_mac)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Matched MAC '00:24:d7:90:be:84' to IP address
'192.168.50.119' using SQL 'ip4log' table (pf::ip4log::mac2ip)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
FilterEngine::Profile() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Instantiate profile Ethernet802.1x
(pf::Connection::ProfileFactory::_from_profile)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::Connection::Profile object
(pf::Connection::Profile::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for AutoRegister
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Autoregistration set on profile Ethernet802.1x
(pf::role::shouldAutoRegister)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] instantiating new pf::access_filter::vlan
(pf::access_filter::new)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] No engine found for NodeInfoForAutoReg
(pf::access_filter::test)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Memory configuration is not valid anymore for key
config::Profiles() in local cached_hash (pfconfig::cached::is_valid)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Used realm tacos tacos.lan is associated to the
configured realm tacos.lan
(pf::config::util::get_realm_authentication_source)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Found authentication source(s) : 'tacod1' for realm
' tacos.lan' (pf::config::util::filter_authentication_sources)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] EAP connection with a username "host/ tacos -016.
tacos .lan". Trying to match rules from authentication sources.
(pf::role::getNodeInfoForAutoReg)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) WARN:
[mac:00:24:d7:90:be:84] Use of uninitialized value in concatenation (.) or
string at /usr/local/pf/lib/pf/authentication.pm line 389.
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Match called with parameters radius_request =>
HASH(0x55bbf87d1a00), rule_class => authentication, stripped_user_name => ,
SSID => , username => host/tacos-016. tacos .lan, realm => BluedogRV.lan,
context => radius, connection_type => Wireless-802.11-EAP
(pf::authentication::match2)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) DEBUG:
[mac:00:24:d7:90:be:84] Stripping username is enabled in this context
(radius). Will return a split username and realm.
(pf::config::util::strip_username_if_needed)
Mar 11 08:57:01 NAC1 packetfence_httpd.aaa: httpd.aaa(9641) INFO:
[mac:00:24:d7:90:be:84] Using sources tacos for 

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

Here is the portal debug log for the our Aruba IAP's. first log is redirect
URL set to https://PACKETFENCESERVER/. Second is set to
https://PACKETFENCESERVER/Aruba::Instant_Access

 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:45:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:45:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:46:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:46:37 NAC1 packetfence_httpd.portal: httpd.portal(1228) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] hitting handler with URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) (pf::web::dispatcher::_handler)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] instantiating new pf::web::filter
(pf::web::filter::new)
Mar 11 09:47:07 NAC1 packetfence_httpd.portal: httpd.portal(1230) DEBUG:
[mac:30:24:32:a3:ef:ad] URI '/captive-portal' (URL:
http://NAC1.bluedogrv.lan/captive-portal) is properly handled and should
now continue to the captive-portal / Catalyst
(pf::web::dispatcher::_handler)
Mar 11 09:47:36 NAC1 packetfence_httpd.portal: httpd.portal(1226) DEBUG:
[mac:unknown] Adding session parameter from dispatcher session to Catalyst
session : _client_mac : 30:24:32:a3:ef:ad
(captiveportal::PacketFence::Model::Portal::Session::_build_dispatcherSession)
Mar 11 

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

Yep I'm scrubbing them now. It's also matching clients connecting on
wireless-eap to wired-eap

On Tue, Mar 10, 2020, 4:53 PM Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello,
>
> can you provide the packetfence.log file and the profiles.conf file ?
>
> Regards
>
> Fabrice
>
>
> Le 20-03-10 à 15 h 19, Zacharry Williams via PacketFence-users a écrit :
>
> Hey all,
>
> Randomly it matched the correct connection profile, one time. Is this like
> a 9.3 bug where connection profiles aren't being match?
>
> On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams 
> wrote:
>
>> Hey all,
>>
>> I've been working on setting up a guest LAN and a byod LAN for a few days
>> now. When I use a PSK or AD Authentication it works fine, but the captive
>> portal isn't working like I think it should be.
>> I revisited the guide a few times to check and I don't think i'm missing
>> any settings. I customized a captive portal with a logo and an acceptable
>> use policy but every time I get the captive portal, I don't get the portal
>> I customized but instead get the default one. It's like the default
>> connection profile is matched first. I set the httpd.aaa.conf logging to
>> debug but nothing shows up as to why it's picking that connection profile
>> in packetfence.log. I'm using Aruba instants, and managing them through
>> Aruba Central.
>>
>> Where are the logs to read into why it's picking that portal?
>>
>>
>
> ___
> PacketFence-users mailing 
> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issues

[Durand fabrice via PacketFence-users]

Hello,

can you provide the packetfence.log file and the profiles.conf file ?

Regards

Fabrice


Le 20-03-10 à 15 h 19, Zacharry Williams via PacketFence-users a écrit :

Hey all,

Randomly it matched the correct connection profile, one time. Is this 
like a 9.3 bug where connection profiles aren't being match?


On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams > wrote:


Hey all,

I've been working on setting up a guest LAN and a byod LAN for a
few days now. When I use a PSK or AD Authentication it works fine,
but the captive portal isn't working like I think it should be.
I revisited the guide a few times to check and I don't think i'm
missing any settings. I customized a captive portal with a logo
and an acceptable use policy but every time I get the captive
portal, I don't get the portal I customized but instead get the
default one. It's like the default connection profile is matched
first. I set the httpd.aaa.conf logging to debug but nothing shows
up as to why it's picking that connection profile in
packetfence.log. I'm using Aruba instants, and managing them
through Aruba Central.

Where are the logs to read into why it's picking that portal?



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Re: [PacketFence-users] Captive Portal Issues

[Zacharry Williams via PacketFence-users]

Hey all,

Randomly it matched the correct connection profile, one time. Is this like
a 9.3 bug where connection profiles aren't being match?

On Mon, Mar 9, 2020 at 3:06 PM Zacharry Williams 
wrote:

> Hey all,
>
> I've been working on setting up a guest LAN and a byod LAN for a few days
> now. When I use a PSK or AD Authentication it works fine, but the captive
> portal isn't working like I think it should be.
> I revisited the guide a few times to check and I don't think i'm missing
> any settings. I customized a captive portal with a logo and an acceptable
> use policy but every time I get the captive portal, I don't get the portal
> I customized but instead get the default one. It's like the default
> connection profile is matched first. I set the httpd.aaa.conf logging to
> debug but nothing shows up as to why it's picking that connection profile
> in packetfence.log. I'm using Aruba instants, and managing them through
> Aruba Central.
>
> Where are the logs to read into why it's picking that portal?
>
>
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users