Let me check what I have configured. But I think you do need an API enabled.

On Fri, Apr 24, 2020 at 11:12 AM Bill Handler <bhand...@pcsknox.com> wrote:

> Again, apologies for my ignorance on this…
>
>
>
> When I created the Oauth credentials in the Google Developer site, I did
> not enable an API.  I’m thinking I missed doing that.  Since I’m just
> trying to authenticate users and not accessing anything within GSuite or
> anything else along those lines, I’m not sure what API I may need.
>
>
>
> Ideas?
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
> *From:* Bill Handler
> *Sent:* Friday, April 24, 2020 8:36 AM
> *To:* Diego Garcia del Rio <garc...@gmail.com>
> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>;
> packetfence-users@lists.sourceforge.net
> *Subject:* RE: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
>
>
> Diego,
>
>
>
> Thanks for the pointers.  The logs appear to be now located in the
> /usr/local/pf/logs directory.  There is no logs folder in the
> /usr/local/pf/var directory.
>
>
>
> I ran the restart command and tried to log in via Google again…  Rechecked
> the logs as I did before (grep OAuth), ran it a second time as ‘grep oauth’
> and now got some responses… (this is with the openid defaults)
>
>
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>
> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
>
> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335 [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/210/213 302 928 - - ---- 3/2/0/0/0 0/0 {pfv10.pcsknox.com} "GET /switchto/default_policy+default_registration_policy+default_oauth_policy HTTP/1.1"
>
> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - - ---- 6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>
> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592 [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1827/1829 302 1410 - - ---- 4/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>
> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
>
> [root@packetfence_v10 logs]#
>
>
>
> I put the old Google Auth config – yours with the userinfo.email settings
> and restarted the pf service.  Tried to authenticate the end-system again,
> but still failed…
>
>
>
> Checked the logs as before, and here are the results (duplicate entries
> from above removed for clarity):
>
>
>
> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>
> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
>
> [root@packetfence_v10 logs]# cat *.log | grep oauth
>
> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742 [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/1/439/440 302 1482 - - ---- 4/3/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>
> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328 [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1787/1788 302 1482 - - ---- 3/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
>
> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 25.300084ms
>
> [root@packetfence_v10 logs]#
>
>
>
> I’m hopeful that this helps, but again, I’m not sure what I’m looking for…
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
> *From:* Diego Garcia del Rio <garc...@gmail.com>
> *Sent:* Thursday, April 23, 2020 5:26 PM
> *To:* Bill Handler <bhand...@pcsknox.com>
> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>;
> packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
>
>
> Hi Bill,
>
>
>
> Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
> logs only cover the requests from the devices). There will be two requests
> going to Google: one where PacketFence is doing NAT for the devices to be
> onboarded (this is the traffic from the user's browser) and then another
> that will go from PacketFence itself to Google again, using the token
> returned by the customer's browser to get the actual data from the Google
> account.
>
>
>
> Also, I don't remember if any of the changes to Google OAuth take effect
> immediately or whether you need to restart the PF service; to restart the PF
> service use this script:
>
> /usr/local/pf/bin/pfcmd service pf restart
>
> On Thu, Apr 23, 2020 at 3:37 PM Bill Handler <bhand...@pcsknox.com> wrote:
>
> I’m hoping I’ve set up the Google part correctly, if not the
> authentication wouldn’t go through correct?  I just needed to setup OAuth
> 2.0 Client IDs.  I don’t need any API Keys or Service Accounts correct?  In
> the Client ID I listed it as a web application
>
>
>
> Diego,
>
>
>
> Thanks for your help…  This is my first experience with PacketFence, and
> I’m feeling my way through it.  I’m not entirely sure what all your
> information means, so please pardon my ignorance.
>
>
>
> My Google Auth was set to the default openid that you listed.  I changed
> it to the older scope/protected resource urls with no change.
>
>
>
> I know that the request is going out to google, and that something is
> coming back by seeing the url in the end-system’s browser.  It seems like
> PF is not authenticating the token.
>
>
>
> I am still unsure what log file the logging entries you pointed out go
> to.  I was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came
> back with no results.
>
>
>
> Jonathan,
>
>
>
> We’re not using the A3 variant from HiveManager/Extreme IQ, I’m just
> working with PacketFence straight (although we are an Extreme Networks
> partner and the AeroHive gear is part of our offerings now… ).  PacketFence
> is only handing out DHCP on the registration VLAN, our internal DHCP is
> handing out IPs on our data VLAN, Firewall is handing out IPs on guest and
> phone VLANs.  But, we’re never getting that far – the end-system is not
> being given the role and stays as unregistered.
>
>
>
> The httpd.portal.error log has no entries for today.  I did a packet capture
> from the PF server and did see some traffic going to/from Google IP
> addresses, but it was TLS or TCP ACKs and I could not tell what the payload
> was…
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
> *From:* Diego Garcia del Rio <garc...@gmail.com>
> *Sent:* Thursday, April 23, 2020 10:43 AM
> *To:* Jonathan Nathanson <jmhnathan...@gmail.com>
> *Cc:* packetfence-users@lists.sourceforge.net; Bill Handler <
> bhand...@pcsknox.com>
> *Subject:* Re: [PacketFence-users] Google oauth2 -
> Behavior/Troubleshooting
>
>
>
> Hi Jonathan, Bill,
>
>
>
> The device will get the role indeed after a disconnect / CoA but given
> Bill mentions that his other auth methods work... I would be surprised that
> CoA fails for this. Also, he should still be seeing the device having the
> new role.
>
>
>
> Below is my config of the google authentication source (old GUI, sorry).
>
>
>
>
>
> <Pic removed>
>
>
>
> Also, I seem to be using the OLD user information scheme / URL:
>
>
>
> (look here:
> https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96
> )
>
>
>
> I am using this:
>
> has 'scope' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/auth/userinfo.email');
> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://www.googleapis.com/oauth2/v2/userinfo');
>
>
>
> instead of the new defaults which are these:
>
> has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email profile');
> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => 'https://openidconnect.googleapis.com/v1/userinfo');
>
> basically it looks like this:
>
>
>
> <Pic removed>
>
> So maybe your authorized scope in google is for this old schema and not
> the new open-id one?
>
>
>
> Also, keep in mind that accessing the Google login portal from mobile
> devices can be tricky. Google blacklists the "embedded" browsers of most
> phones, so you need to launch Chrome manually or contact Google to get an
> exception for your specific APP ID.
>
>
>
> Also, check your logs for any phrase like this: "OAuth2 Error: Failed to
> get the token"
>
>
>
> (look at the code here:
> https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
>  )
>
> you have these two logging entries in the code: (you might need to
> increase the logging level to debug).
>
>
>
>         # token validated: log success, register the device and record it in the auth log
>         get_logger->info("OAuth2 successfull for username ".$self->username);
>         $self->source->lookup_from_provider_info($self->username, $info);
>         pf::auth_log::record_completed_oauth($self->source->id, $self->current_mac, $pid, $pf::auth_log::COMPLETED, $self->app->profile->name);
>         $self->update_person_from_fields();
>         $self->done();
>     }
>     else {
>         # token rejected: log the failure (response dumped at debug level) and send the user back to the login page
>         get_logger->info("OAuth2: failed to validate the token, redireting to login page.");
>         get_logger->debug(sub { use Data::Dumper; "OAuth2 failed response : ".Dumper($response) });
>         pf::auth_log::change_record_status($self->source->id, $self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
>         $self->app->flash->{error} = "OAuth2 Error: Failed to validate the token, please retry";
>         $self->landing();
>
> good luck!
>
> Cheers
>
> On Thu, Apr 23, 2020 at 3:04 AM Jonathan Nathanson <jmhnathan...@gmail.com>
> wrote:
>
> I had this very similar problem recently. Does A3 manage DHCP in the reg
> VLAN?
>
>
>
> The role should be assigned following a disconnect / COA packet sent to
> the client device to get them to reconnect, I believe.
>
>
>
> You should do a packet trace and check. You might also want to check
> corresponding log entries in httpd.portal.error to see if you can spot the
> issue there.
>
>
>
> Jonathan
>
>
>
> On Thu, 23 Apr 2020 at 01:32, Bill Handler via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> I’m running on v10, using the default whitelist in the Google Auth
> config.  The end system is talking to google, verified with wireshark, and
> by inputting wrong password.
>
>
>
> The end system’s role never gets updated, even though I have a catchall
> rule in place that should move it to a different VLAN.
>
>
>
> I have not done a packet capture on server’s interface yet.  The end
> system stays as unregistered, so the issue may be authenticating the token
> between PF and google.
>
>
>
> I’ve only tested using Chrome and Firefox browsers and only if Chrome is
> used does the redirect show accounts.blogger.com in the address field
> after entering the google account credentials.
>
>
>
> Both browser windows show the “you may need to login to your network” message
> with a button; the button sends you back to the AUP.
>
>
>
> Is there a certain log that I would be able to see PF talking to google,
> or just checking wireshark packets?
>
> Thanks,
>
>
>
> Bill
>
>
>
> Sent from my iPad
>
>
> On Apr 22, 2020, at 5:15 PM, Diego Garcia del Rio <garc...@gmail.com>
> wrote:
>
> Just to be sure, do you have all the proper whitelists as well? It's weird
> that the user is directed to accounts.blogger.com... Also, you should be
> able to see your PF server making a request to Google to validate the
> returned token.
>
>
>
>
>
> On which version of PF are you? I've been using Google auth
> successfully all the way up to 9.2 (I haven't tested anything newer though).
>
>
>
> Also, not sure of the logic you're using, but you might want to check that the
> Google source is assigning a role to the device in question.
>
> On Wed, Apr 22, 2020 at 5:51 PM Bill Handler via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
> Running into an issue with Google oauth2 authentication via Captive Portal…
>
>
>
>    - Have it configured and set as an External Authentication Source
>    - Have all the correct settings on Google Developer site
>
>
>
> What’s happening is that after entering the username/password in the
> Google display on the captive portal, the user is not put into the correct
> VLAN/redirected.  Authentication via AD/SMS/E-Mail works without issue.
>
>
>
> If using Chrome Browser, user is redirected to accounts.blogger.com with
> a long string afterwards, within Firefox, the url shows as the portal url
> with “?code=” with a long string – this is the token from Google I believe,
> based on some of the documentation.
>
>
>
> The user stays in the registration VLAN and is not moved to the correct
> role.  Not sure where to check to see why the user is not moving.
>
>
>
> Any help is appreciated.
>
>
>
> Thanks,
>
>
>
> Bill
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
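Diego's point above is that the flow has two legs: the browser-side leg (haproxy portal hits on /oauth2/go, pfdns lookups of Google endpoints) and the server-side leg where PacketFence itself validates the returned token, which only shows up as the "OAuth2 successfull for username" or "OAuth2: failed to validate the token" lines from OAuth.pm. Bill's greps only ever caught the first leg. The script below is an added example written for this thread, not code from the PacketFence project: it classifies log lines into those legs and reports which leg is missing. The first three sample lines are copied from the logs posted above; the fourth is a constructed line modelled on the OAuth.pm failure string, and its exact packetfence.log formatting is an assumption.

```python
import re

# Which log line belongs to which leg of the OAuth2 flow. The first three
# patterns match lines already shown in this thread (iptables passthrough,
# haproxy portal access log, pfdns); the last two match the strings in the
# OAuth.pm excerpt quoted by Diego (typos kept as they are in the source).
PATTERNS = {
    "passthrough_rules": re.compile(
        r"Adding Forward rules to allow connections to the OAuth2 Providers"),
    # Browser leg: the device posts to the portal's OAuth2 entry point.
    "browser_leg": re.compile(
        r"haproxy\[\d+\]: (?P<client>[\d.]+):\d+ .* (?P<status>\d{3}) \d+ "
        r".*\"(?:GET|POST) (?P<path>/oauth2/\S+)"),
    # Browser leg, DNS: the device resolves a Google endpoint via pfdns.
    "dns_passthrough": re.compile(
        r"pfdns: (?P<client>[\d.]+) - .*\"A IN (?P<qname>\S*googleapis\.com)\."),
    # Server leg: PacketFence itself validated the returned token ...
    "server_leg_ok": re.compile(r"OAuth2 successfull for username (?P<user>\S+)"),
    # ... or failed to.
    "server_leg_failed": re.compile(r"OAuth2: failed to validate the token"),
}

# Sample input: the first three lines are copied from the thread; the
# CONSTRUCTED failure line below assumes the OAuth.pm message is logged
# with the same prefix as the other packetfence.log lines (an assumption).
THREAD_LINES = """\
Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding Forward rules to allow connections to the OAuth2 Providers and passthrough. (pf::iptables::generate_passthrough_rules)
Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627 [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/127.0.0.1 0/0/0/1909/1910 302 1410 - - ---- 6/2/0/0/0 0/0 {pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 - [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com. udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
"""
CONSTRUCTED_FAILURE_LINE = (
    "Apr 24 07:43:42 packetfence_v10 packetfence: INFO -e(243390): "
    "OAuth2: failed to validate the token, redireting to login page.\n")


def classify_line(line):
    """Return (kind, captured fields) for a recognised line, else (None, {})."""
    for kind, pattern in PATTERNS.items():
        match = pattern.search(line)
        if match:
            return kind, match.groupdict()
    return None, {}


def triage(log_text):
    """Classify every line and say which leg of the flow is missing or failed."""
    events = [classify_line(line) for line in log_text.splitlines()]
    events = [(kind, fields) for kind, fields in events if kind]
    kinds = {kind for kind, _ in events}
    findings = []

    if "browser_leg" in kinds and not kinds & {"server_leg_ok", "server_leg_failed"}:
        findings.append(
            "browser reached /oauth2/go but no token-validation result was logged; "
            "grep packetfence.log (not only the haproxy/portal access logs) and "
            "raise the log level to debug")
    if "server_leg_failed" in kinds:
        findings.append(
            "PacketFence rejected the token: check the scope and "
            "protected_resource_url of the Google source and that the matching "
            "API is enabled on the Google project")
    if "browser_leg" in kinds and "passthrough_rules" not in kinds:
        findings.append(
            "no passthrough rule line seen; the device may not reach the provider")
    return {"events": events, "kinds": sorted(kinds), "findings": findings}


if __name__ == "__main__":
    for label, text in (("thread", THREAD_LINES),
                        ("thread+constructed", THREAD_LINES + CONSTRUCTED_FAILURE_LINE)):
        result = triage(text)
        print(label, result["kinds"])
        for finding in result["findings"]:
            print("  -", finding)
```

Run it over the concatenated output of `cat /usr/local/pf/logs/*.log` (the path Bill found on v10) to see at a glance whether PacketFence ever logged the second leg; on Bill's lines alone it reports only the browser leg and the passthrough rules, which is exactly the gap Diego describes.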