Hi.. those errors are not errors. They are jus the logs of pfdns and its
still related to the user trying / reaching google.
you should look at the logs (especially packetfence.log) for any other
messages around the time. Most of the log messages SHOULD have the mac
address of the device trying to connect so you can grep for those
(you can also use grep -i to make grep case insensitive, so "grep -i oauth"
should find... all variations of oauth..
also try to set the debug level for the portal module to dEBUG or TRACE:
like this:
conf/log.conf.d/pfqueue.conf
Change to following line from this
log4perl.rootLogger = INFO, PFQUEUE
To this
log4perl.rootLogger = TRACE, PFQUEUE
Then you can either wait 5 minutes (that is the time it takes for the
logging level to be updated)
Or restart the service if you do not want to wait.
But adapt it to the portal module instead of pfqueue.conf
On Fri, Apr 24, 2020 at 11:14 AM Diego Garcia del Rio <garc...@gmail.com>
wrote:
> let me check what I have configured. But i think you do need n API
> enabled.
>
> On Fri, Apr 24, 2020 at 11:12 AM Bill Handler <bhand...@pcsknox.com>
> wrote:
>
>> Again, apologies for my ignorance on this…
>>
>>
>>
>> When I created the Oauth credentials in the Google Developer site, I did
>> not enable an API. I’m thinking I missed doing that. Since I’m just
>> trying to authenticate users and not accessing anything within GSuite or
>> anything else along those lines, I’m not sure what API I may need.
>>
>>
>>
>> Ideas?
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Bill
>>
>>
>>
>> *From:* Bill Handler
>> *Sent:* Friday, April 24, 2020 8:36 AM
>> *To:* Diego Garcia del Rio <garc...@gmail.com>
>> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>;
>> packetfence-users@lists.sourceforge.net
>> *Subject:* RE: [PacketFence-users] Google oauth2 -
>> Behavior/Troubleshooting
>>
>>
>>
>> Diego,
>>
>>
>>
>> Thanks for the pointers. The logs appear to be now located in the
>> /usr/local/pf/logs directory. There is no logs folder in the
>> /usr/local/pf/var directory.
>>
>>
>>
>> I ran the restart command and tried to log in via Google again…
>> Rechecked the logs as I did before (grep OAuth), ran it a second time as
>> ‘grep oauth’ and now got some responses… (this is with the openid defaults)
>>
>>
>>
>> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>>
>> Apr 24 07:33:37 packetfence_v10 packetfence: INFO -e(243390): Adding
>> Forward rules to allow connections to the OAuth2 Providers and passthrough.
>> (pf::iptables::generate_passthrough_rules)
>>
>>
>>
>> [root@packetfence_v10 logs]# cat *.log | grep oauth
>>
>> Apr 24 07:43:35 packetfence_v10 haproxy[244351]: 172.16.172.237:50335
>> [24/Apr/2020:07:43:35.454] portal-http-192.0.2.1 172.16.174.1-backend/
>> 127.0.0.1 0/0/1/210/213 302 928 - - ---- 3/2/0/0/0 0/0 {pfv10.pcsknox.com}
>> "GET
>> /switchto/default_policy+default_registration_policy+default_oauth_policy
>> HTTP/1.1"
>>
>> Apr 24 07:43:41 packetfence_v10 haproxy[244351]: 172.16.172.237:50627
>> [24/Apr/2020:07:43:39.361] portal-http-192.0.2.1 172.16.174.1-backend/
>> 127.0.0.1 0/0/0/1909/1910 302 1410 - - ---- 6/2/0/0/0 0/0 {
>> pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>>
>> Apr 24 07:44:54 packetfence_v10 haproxy[244351]: 172.16.172.237:51592
>> [24/Apr/2020:07:44:52.404] portal-http-192.0.2.1 172.16.174.1-backend/
>> 127.0.0.1 0/0/0/1827/1829 302 1410 - - ---- 4/2/0/0/0 0/0 {
>> pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>>
>> Apr 24 07:43:30 packetfence_v10 pfdns: 172.16.172.237 -
>> [24/Apr/2020:07:43:30 -0400] "A IN oauthaccountmanager.googleapis.com.
>> udp 52 false 512" NOERROR qr,rd,ra 102 61.289551ms
>>
>> [root@packetfence_v10 logs]#
>>
>>
>>
>> I put the old Google Auth config – yours with the userinfo.email settings
>> and restarted the pf service. Tried to authenticate the end-system again,
>> but still failed…
>>
>>
>>
>> Checked the logs as before, and here are the results (duplicate entries
>> from above removed for clarity):
>>
>>
>>
>> [root@packetfence_v10 logs]# cat *.log | grep OAuth
>>
>> Apr 24 08:17:32 packetfence_v10 packetfence: INFO -e(7334): Adding
>> Forward rules to allow connections to the OAuth2 Providers and passthrough.
>> (pf::iptables::generate_passthrough_rules)
>>
>>
>>
>> [root@packetfence_v10 logs]# cat *.log | grep oauth
>>
>> Apr 24 08:14:58 packetfence_v10 haproxy[244351]: 172.16.172.237:60742
>> [24/Apr/2020:08:14:58.422] portal-http-192.0.2.1 172.16.174.1-backend/
>> 127.0.0.1 0/0/1/439/440 302 1482 - - ---- 4/3/0/0/0 0/0 {
>> pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>>
>> Apr 24 08:27:35 packetfence_v10 haproxy[8300]: 172.16.172.237:51328
>> [24/Apr/2020:08:27:33.905] portal-http-192.0.2.1 172.16.174.1-backend/
>> 127.0.0.1 0/0/0/1787/1788 302 1482 - - ---- 3/2/0/0/0 0/0 {
>> pfv10.pcsknox.com} "POST /oauth2/go HTTP/1.1"
>>
>> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 -
>> [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com.
>> udp 52 false 512" NOERROR qr,rd,ra 102 23.614118ms
>>
>> Apr 24 08:27:59 packetfence_v10 pfdns: 172.16.172.237 -
>> [24/Apr/2020:08:27:59 -0400] "A IN oauthaccountmanager.googleapis.com.
>> udp 52 false 512" NOERROR qr,rd,ra 102 25.300084ms
>>
>> [root@packetfence_v10 logs]#
>>
>>
>>
>> I’m hopeful that this helps, but again, I’m not sure what I’m looking for…
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Bill
>>
>>
>>
>> *From:* Diego Garcia del Rio <garc...@gmail.com>
>> *Sent:* Thursday, April 23, 2020 5:26 PM
>> *To:* Bill Handler <bhand...@pcsknox.com>
>> *Cc:* Jonathan Nathanson <jmhnathan...@gmail.com>;
>> packetfence-users@lists.sourceforge.net
>> *Subject:* Re: [PacketFence-users] Google oauth2 -
>> Behavior/Troubleshooting
>>
>>
>>
>> Hi bill
>>
>>
>>
>> Please look at ALL the log files under /usr/local/pf/var/logs (the httpd
>> logs only cover the requests from the devices). There will be two requests
>> going to google.. one where Packetfence is doing NAT for the devices to be
>> onboarded (this is the traffic from the user's browser) and then another
>> that will go from packetfence itself to google again, using the token
>> returned by the customer's browser to get the actual data from the google
>> account.
>>
>>
>>
>> also, I dont remember if any of the changes to google oauth take effect
>> immediately or you need to restart the PF service. (to restart the PF
>> service use this script:
>>
>>
>>
>> /usr/local/pf/bin/pfcmd service pf restart
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Apr 23, 2020 at 3:37 PM Bill Handler <bhand...@pcsknox.com>
>> wrote:
>>
>> I’m hoping I’ve set up the Google part correctly, if not the
>> authentication wouldn’t go through correct? I just needed to setup OAuth
>> 2.0 Client IDs. I don’t need any API Keys or Service Accounts correct? In
>> the Client ID I listed it as a web application
>>
>>
>>
>> Diego,
>>
>>
>>
>> Thanks for your help… This is my first experience with PacketFence, and
>> I’m feeling my way through it. I’m not entirely sure what all your
>> information means, so please pardon my ignorance.
>>
>>
>>
>> My Google Auth was set to the default openid that you listed. I changed
>> it to the older scope/protected resource urls with no change.
>>
>>
>>
>> I know that the request is going out to google, and that something is
>> coming back by seeing the url in the end-system’s browser. It seems like
>> PF is not authenticating the token.
>>
>>
>>
>> I am still unsure what log file the logging entries you pointed out go
>> to. I was in the logs folder and ran a ‘cat *.log | grep OAuth’ but came
>> back with no results.
>>
>>
>>
>> Jonathan,
>>
>>
>>
>> We’re not using the A3 variant from HiveManger/Extreme IQ, I’m just
>> working with PacketFence straight (Although we are an Extreme Networks
>> partner and the AeroHive gear is part of our offerings now… ). PacketFence
>> is only handing out DHCP on the registration VLAN, our internal DHCP is
>> handing out IPs on our data vlan, Firewall is handing out IPs on guest and
>> phone vlans. But, we’re never getting that far – the end-system is not
>> being given the role and stays as unregistered.
>>
>>
>>
>> httpd.portal.error Log has no entries for today. I did a packet capture
>> from the PF server and did see some traffic going to/from Google IP
>> addresses, but it was TLS or TCP Acks and I could not tell what the payload
>> was…
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Bill
>>
>>
>>
>> *From:* Diego Garcia del Rio <garc...@gmail.com>
>> *Sent:* Thursday, April 23, 2020 10:43 AM
>> *To:* Jonathan Nathanson <jmhnathan...@gmail.com>
>> *Cc:* packetfence-users@lists.sourceforge.net; Bill Handler <
>> bhand...@pcsknox.com>
>> *Subject:* Re: [PacketFence-users] Google oauth2 -
>> Behavior/Troubleshooting
>>
>>
>>
>> Hi Jonathan, Bill,
>>
>>
>>
>> The device will get the role indeed after a disconnect / CoA but given
>> Bill mentions that his other auth methods work... I would be surprised that
>> CoA fails for this. Also, he should still be seeing the device having the
>> new role.
>>
>>
>>
>> Below is my config of the google authentication source (old GUI, sorry).
>>
>>
>>
>>
>>
>> <Pic removed>
>>
>>
>>
>> also, i seem to be using the OLD user information scheme / url:
>>
>>
>>
>> (look here:
>> https://github.com/inverse-inc/packetfence/commit/8f38c0e5b51ff5daf83f1720aef8253059fa1a96
>> )
>>
>>
>>
>> i am using this:
>>
>> has 'scope' => (isa => 'Str', is => 'rw', default => '
>> https://www.googleapis.com/auth/userinfo.email');
>> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => '
>> https://www.googleapis.com/oauth2/v2/userinfo');
>>
>>
>>
>> instead of the new defaults which are these:
>> has 'scope' => (isa => 'Str', is => 'rw', default => 'openid email
>> profile');
>> has 'protected_resource_url' => (isa => 'Str', is => 'rw', default => '
>> https://openidconnect.googleapis.com/v1/userinfo');
>>
>>
>>
>>
>>
>> basically it looks like this:
>>
>>
>>
>> <Pic removed>
>>
>>
>>
>>
>>
>> So maybe your authorized scope in google is for this old schema and not
>> the new open-id one?
>>
>>
>>
>> Also, keep in mind that accessing the google login portal from mobile
>> devices can be tricky. Google blacklists the "embedded" browsers of most
>> phones so you need to launch chrome manually or contact google to get an
>> exception for your specific APP ID.
>>
>>
>>
>> Also, check your logs for any phrase like this: "OAuth2 Error: Failed to
>> get the token"
>>
>>
>>
>> (look at the code here:
>> https://github.com/inverse-inc/packetfence/blob/541c6c8545195881b136bc55edb7cd531594061d/html/captive-portal/lib/captiveportal/PacketFence/DynamicRouting/Module/Authentication/OAuth.pm
>> )
>>
>>
>>
>>
>>
>> you have these two logging entries in the code: (you might need to
>> increase the logging level to debug).
>>
>>
>>
>> get_logger->info("OAuth2 successfull for username
>> ".$self->username);
>> $self->source->lookup_from_provider_info($self->username, $info);
>>
>> * pf::auth_log::record_completed_oauth($self->source->id,
>> $self->current_mac, $pid, $pf::auth_log::COMPLETED,
>> $self->app->profile->name);*
>>
>> $self->update_person_from_fields();
>>
>> $self->done();
>> }
>> else {
>>
>> *get_logger->info("OAuth2: failed to validate the token, redireting to
>> login page."); get_logger->debug(sub { use Data::Dumper; "OAuth2
>> failed response : ".Dumper($response) });*
>> pf::auth_log::change_record_status($self->source->id,
>> $self->current_mac, $pf::auth_log::FAILED, $self->app->profile->name);
>> $self->app->flash->{error} = "OAuth2 Error: Failed to validate
>> the token, please retry";
>> $self->landing();
>>
>>
>>
>>
>>
>> good luck!
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> Cheers
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Apr 23, 2020 at 3:04 AM Jonathan Nathanson <
>> jmhnathan...@gmail.com> wrote:
>>
>> I had this very similar problem recently. Does A3 manage DHCP in the reg
>> VLAN?
>>
>>
>>
>> The role should be assigned following a disconnect / COA packet sent to
>> the client device to get them to reconnect, I believe.
>>
>>
>>
>> You should do a packet trace and check. You might also want to check
>> corresponding log entries in httpd.portal.error to see if you can spot the
>> issue there.
>>
>>
>>
>> Jonathan
>>
>>
>>
>> On Thu, 23 Apr 2020 at 01:32, Bill Handler via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> I’m running on v10, using the default whitelist in the Google Auth
>> config. The end system is talking to google, verified with wireshark, and
>> by inputting wrong password.
>>
>>
>>
>> The end system’s role never gets updated, even though I have a catchall
>> rule in place that should move it to a different VLAN.
>>
>>
>>
>> I have not done a packet capture on server’s interface yet. The end
>> system stays as unregistered, so the issue may be authenticating the token
>> between PF and google.
>>
>>
>>
>> I’ve only tested using Chrome and Firefox browsers and only if Chrome is
>> used does the redirect show accounts.blogger.com in the address field
>> after entering the google account credentials.
>>
>>
>>
>> Both browser windows show the you may need to login to your network with
>> a button; the button sends you back to the AUP.
>>
>>
>>
>> Is there a certain log that I would be able to see PF talking to google,
>> or just checking wireshark packets?
>>
>> Thanks,
>>
>>
>>
>> Bill
>>
>>
>>
>> Sent from my iPad
>>
>>
>> On Apr 22, 2020, at 5:15 PM, Diego Garcia del Rio <garc...@gmail.com>
>> wrote:
>>
>> Just to be sure, do you have all the proper whitelists as well? Its weird
>> that the user is directed to accounts.blogger.com... Also, you should be
>> able to see your PF server making a request to google to validate the
>> returned token.
>>
>>
>>
>>
>>
>> On which version of PF are you? I've been using google auth
>> successfully all the way up to 9.2 (I haven tested anything newer though).
>>
>>
>>
>> Also, not sure the logic you're using but you might want to check that
>> the google source is assigning a role to the device in question..
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Apr 22, 2020 at 5:51 PM Bill Handler via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>>
>> Running into an issue with Google oauth2 authentication via Captive
>> Portal…
>>
>>
>>
>> - Have it configured and set as an External Authentication Source
>> - Have all the correct settings on Google Developer site
>>
>>
>>
>> What’s happening is that after entering the username/password in the
>> Google display on the captive portal, the user is not put into the correct
>> VLAN/redirected. Authentication via AD/SMS/E-Mail works without issue.
>>
>>
>>
>> If using Chrome Browser, user is redirected to accounts.blogger.com with
>> a long string afterwards, within Firefox, the url shows as the portal url
>> with “?code=” with a long string – this is the token from Google I believe,
>> based on some of the documentation.
>>
>>
>>
>> The user stays in the registration VLAN and is not moved to the correct
>> role. Not sure where to check to see why the user is not moving.
>>
>>
>>
>> Any help is appreciated.
>>
>>
>>
>> Thanks,
>>
>>
>>
>> Bill
>>
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>
>>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
