Let me check what I have configured. But I think you do need an API enabled.
On Fri, Apr 24, 2020 at 11:12 AM Bill Handler <bhand...@pcsknox.com> wrote:
> Again, apologies for my ignorance on this…
>
> When I created the OAuth credentials in the Google Developer site, I did
> not enable an API. I’m thinking I missed doing that. Since I’m just
> trying to authenticate users and not accessing anything within GSuite or
> anything else along those lines, I’m not sure what API I may need.
>
> Ideas?
>
> Thanks,
>
> Bill
>
> *From:* Bill Handler
> *Sent:* Friday, April 24, 2020 8:36 AM
> *To:* Diego Garcia del Rio <garc...@gmail.com>
> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>; packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting
>
> Diego,
>
> Thanks for the pointers. The logs appear to be now located in the
> /usr/local/pf/logs directory. There is no logs folder in the
> /usr/local/pf/var directory.
>
> I ran the restart command and tried to log in via Google again… Rechecked
> the logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’
> and now got some responses… (this is with the openid defaults)
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - - ---- 3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - - ---- 6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - - ---- 4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
> [root@packetfence_v10 logs]#
>
> I put the old Google Auth config – yours with the userinfo.email settings
> and restarted the pf service. Tried to authenticate the end-system again,
> but still failed…
>
> Checked the logs as before, and here are the results (duplicate entries
> from above removed for clarity):
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/439/440 302 1482 - - ---- 4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1787/1788 302 1482 - - ---- 3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 25.300084ms
> [root@packetfence_v10 logs]#
>
> I’m hopeful that this helps, but again, I’m not sure what I’m looking for…
>
> Thanks,
>
> Bill
>
> *From:* Diego Garcia del Rio <garc...@gmail.com>
> *Sent:* Thursday, April 23, 2020 5:26 PM
> *To:* Bill Handler <bhand...@pcsknox.com>
> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>; packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting
>
> Hi Bill,
>
> Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
> logs only cover the requests from the devices). There will be two requests
> going to Google: one where PacketFence is doing NAT for the devices to be
> onboarded (this is the traffic from the user's browser) and then another
> that will go from PacketFence itself to Google again, using the token
> returned by the customer's browser to get the actual data from the Google
> account.
>
> Also, I don't remember if any of the changes to Google OAuth take effect
> immediately or you need to restart the PF service. (To restart the PF
> service use this script:
>
> /usr/local/pf/bin/pfcmd service pf restart
>
> On Thu, Apr 23, 2020 at 3:37 PM Bill Handler <bhand...@pcsknox.com> wrote:
> > I’m hoping I’ve set up the Google part correctly; if not, the
> > authentication wouldn’t go through, correct? I just needed to set up OAuth
> > 2.0 Client IDs. I don’t need any API Keys or Service Accounts, correct? In
> > the Client ID I listed it as a web application.
> >
> > Diego,
> >
> > Thanks for your help… This is my first experience with PacketFence, and
> > I’m feeling my way through it. I’m not entirely sure what all your
> > information means, so please pardon my ignorance.
> >
> > My Google Auth was set to the default openid that you listed. I changed
> > it to the older scope/protected resource URLs with no change.
> >
> > I know that the request is going out to Google, and that something is
> > coming back by seeing the URL in the end-system’s browser. It seems like
> > PF is not authenticating the token.
> >
> > I am still unsure what log file the logging entries you pointed out go
> > to. I was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came
> > back with no results.
> >
> > Jonathan,
> >
> > We’re not using the A3 variant from HiveManager/Extreme IQ, I’m just
> > working with PacketFence straight (although we are an Extreme Networks
> > partner and the AeroHive gear is part of our offerings now…). PacketFence
> > is only handing out DHCP on the registration VLAN, our internal DHCP is
> > handing out IPs on our data VLAN, the firewall is handing out IPs on guest and
> > phone VLANs. But we’re never getting that far – the end-system is not
> > being given the role and stays as unregistered.
> >
> > The httpd.portal.error log has no entries for today. I did a packet capture
> > from the PF server and did see some traffic going to/from Google IP
> > addresses, but it was TLS or TCP ACKs and I could not tell what the payload
> > was…
> >
> > Thanks,
> >
> > Bill
> >
> > *From:* Diego Garcia del Rio <garc...@gmail.com>
> > *Sent:* Thursday, April 23, 2020 10:43 AM
> > *To:* Jonathan Nathanson <jmhnathan...@gmail.com>
> > *Cc:* packetfence-users@lists.sourceforge.net; Bill Handler <bhand...@pcsknox.com>
> > *Subject:* Re: [PacketFence-users] Google oauth2 - Behavior/Troubleshooting
> >
> > Hi Jonathan, Bill,
> >
> > The device will get the role indeed after a disconnect / CoA, but given
> > Bill mentions that his other auth methods work... I would be surprised that
> > CoA fails for this. Also, he should still be seeing the device having the
> > new role.
> >
> > Below is my config of the Google authentication source (old GUI, sorry).
> >
> > <Pic removed>
> >
> > Also, I seem to be using the OLD user information scheme / URL:
> >
> > (look here:
> > https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96
> > )
> >
> > I am using this:
> >
> >     has 'scope' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/auth/userinfo.email');
> >     has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/oauth2/v2/userinfo');
> >
> > instead of the new defaults, which are these:
> >
> >     has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
> >     has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://openidconnect.googleapis.com/v1/userinfo');
> >
> > Basically it looks like this:
> >
> > <Pic removed>
> >
> > So maybe your authorized scope in Google is for this old schema and not
> > the new open-id one?
> >
> > Also, keep in mind that accessing the Google login portal from mobile
> > devices can be tricky. Google blacklists the "embedded" browsers of most
> > phones, so you need to launch Chrome manually or contact Google to get an
> > exception for your specific APP ID.
> >
> > Also, check your logs for any phrase like this: "OAuth2 Error: Failed to
> > get the token"
> >
> > (look at the code here:
> > https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
> > )
> >
> > You have these two logging entries in the code (you might need to
> > increase the logging level to debug):
> >
> >     get_logger->info("OAuth2 successfull for username ".$self->username);
> >     $self->source->lookup_from_provider_info($self->username, $info);
> >     *pf::auth_log::record_completed_oauth($self->source->id, $self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);*
> >     $self->update_person_from_fields();
> >     $self->done();
> >     }
> >     else {
> >     *get_logger->info("OAuth2: failed to validate the token, redireting to login page.");
> >     get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : ".Dumper($response) });*
> >     pf::auth_log::change_record_status($self->source->id, $self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
> >     $self->app->flash->{error} = "OAuth2 Error: Failed to validate the token, please retry";
> >     $self->landing();
> >
> > Good luck!
> >
> > Cheers
> >
> > On Thu, Apr 23, 2020 at 3:04 AM Jonathan Nathanson <jmhnathan...@gmail.com> wrote:
> > > I had this very similar problem recently. Does A3 manage DHCP in the reg
> > > VLAN?
> > >
> > > The role should be assigned following a disconnect / CoA packet sent to
> > > the client device to get them to reconnect, I believe.
> > >
> > > You should do a packet trace and check. You might also want to check
> > > corresponding log entries in httpd.portal.error to see if you can spot the
> > > issue there.
> > >
> > > Jonathan
> > >
> > > On Thu, 23 Apr 2020 at 01:32, Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > > > I’m running on v10, using the default whitelist in the Google Auth
> > > > config. The end system is talking to Google, verified with Wireshark and
> > > > by inputting a wrong password.
> > > >
> > > > The end system’s role never gets updated, even though I have a catchall
> > > > rule in place that should move it to a different VLAN.
> > > >
> > > > I have not done a packet capture on the server’s interface yet. The end
> > > > system stays as unregistered, so the issue may be authenticating the token
> > > > between PF and Google.
> > > >
> > > > I’ve only tested using Chrome and Firefox browsers, and only if Chrome is
> > > > used does the redirect show accounts.blogger.com in the address field
> > > > after entering the Google account credentials.
> > > >
> > > > Both browser windows show the "you may need to login to your network" with a
> > > > button; the button sends you back to the AUP.
> > > >
> > > > Is there a certain log where I would be able to see PF talking to Google,
> > > > or just checking Wireshark packets?
> > > >
> > > > Thanks,
> > > >
> > > > Bill
> > > >
> > > > Sent from my iPad
> > > >
> > > > On Apr 22, 2020, at 5:15 PM, Diego Garcia del Rio <garc...@gmail.com> wrote:
> > > > > Just to be sure, do you have all the proper whitelists as well? It's weird
> > > > > that the user is directed to accounts.blogger.com... Also, you should be
> > > > > able to see your PF server making a request to Google to validate the
> > > > > returned token.
> > > > >
> > > > > On which version of PF are you? I've been using Google auth
> > > > > successfully all the way up to 9.2 (I haven't tested anything newer though).
> > > > >
> > > > > Also, not sure of the logic you're using, but you might want to check that the
> > > > > Google source is assigning a role to the device in question..
> > > > >
> > > > > On Wed, Apr 22, 2020 at 5:51 PM Bill Handler via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> > > > > > Running into an issue with Google oauth2 authentication via Captive Portal…
> > > > > >
> > > > > > - Have it configured and set as an External Authentication Source
> > > > > > - Have all the correct settings on the Google Developer site
> > > > > >
> > > > > > What’s happening is that after entering the username/password in the
> > > > > > Google display on the captive portal, the user is not put into the correct
> > > > > > VLAN/redirected. Authentication via AD/SMS/E-Mail works without issue.
> > > > > >
> > > > > > If using the Chrome browser, the user is redirected to accounts.blogger.com with
> > > > > > a long string afterwards; within Firefox, the URL shows as the portal URL
> > > > > > with “?code=” and a long string – this is the token from Google, I believe,
> > > > > > based on some of the documentation.
> > > > > >
> > > > > > The user stays in the registration VLAN and is not moved to the correct
> > > > > > role. Not sure where to check to see why the user is not moving.
> > > > > >
> > > > > > Any help is appreciated.
> > > > > >
> > > > > > Thanks,
> > > > > >
> > > > > > Bill
> > > > > >
> > > > > > _______________________________________________
> > > > > > PacketFence-users mailing list
> > > > > > PacketFence-users@lists.sourceforge.net
> > > > > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
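Added example, written for this thread and not PacketFence's own Perl code or any participant's: the server-side leg Diego describes (PacketFence itself calling Google with the token the browser brought back), carried out in Python against the two userinfo URLs quoted above. The token endpoint, the POST parameters and the bearer header are Google's standard OAuth2 ones and are assumed here; fake_google is a constructed stand-in so the flow runs offline.

```python
"""Google OAuth2 second leg as the PacketFence portal performs it: exchange the
?code= that came back to the browser for an access token, then read the identity
from the configured protected_resource_url. Added example, not PacketFence code."""
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

TOKEN_URL = "https://oauth2.googleapis.com/token"                    # Google's token endpoint
USERINFO_OLD = "https://www.googleapis.com/oauth2/v2/userinfo"       # old PF default
USERINFO_OIDC = "https://openidconnect.googleapis.com/v1/userinfo"   # openid PF default

def urllib_transport(url, data=None, headers=None):
    """Real transport: form-POST when data is given, GET otherwise; returns parsed JSON."""
    req = Request(url, data=urlencode(data).encode() if data else None, headers=headers or {})
    with urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())

def exchange_code(code, client_id, client_secret, redirect_uri, transport=urllib_transport):
    """Step 1, server to Google: authorization code -> access token."""
    tok = transport(TOKEN_URL, data={"code": code, "client_id": client_id,
                                     "client_secret": client_secret,
                                     "redirect_uri": redirect_uri,
                                     "grant_type": "authorization_code"})
    if "access_token" not in tok:          # PF logs this case as "Failed to get the token"
        raise RuntimeError(f"token exchange failed: {tok.get('error', tok)}")
    return tok["access_token"]

def fetch_userinfo(access_token, userinfo_url=USERINFO_OIDC, transport=urllib_transport):
    """Step 2, server to Google: bearer token -> the user's email."""
    info = transport(userinfo_url, headers={"Authorization": f"Bearer {access_token}"})
    if "email" not in info:                # scope lacks email, or the API is not enabled
        raise RuntimeError(f"userinfo has no email: {info}")
    return info["email"]

def authenticate(code, client_id, client_secret, redirect_uri,
                 userinfo_url=USERINFO_OIDC, transport=urllib_transport):
    """Both legs together; the returned email is what PF uses as the username."""
    token = exchange_code(code, client_id, client_secret, redirect_uri, transport)
    return fetch_userinfo(token, userinfo_url, transport)

def fake_google(url, data=None, headers=None):
    """Constructed offline stand-in for Google's answers (sample values, not real data)."""
    if url == TOKEN_URL:
        if data.get("code") == "good-code":
            return {"access_token": "tok-123", "token_type": "Bearer"}
        return {"error": "invalid_grant"}
    if url in (USERINFO_OLD, USERINFO_OIDC) and (headers or {}).get("Authorization") == "Bearer tok-123":
        return {"sub": "1", "email": "user@example.com", "email_verified": True}
    return {"error": {"code": 401, "message": "Invalid Credentials"}}
```

With the real transport, a failure in step 1 corresponds to the "Failed to get the token" log line and a failure in step 2 to "failed to validate the token", which tells you which of the two outbound requests to look for in the PF logs.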