Ok so in a perfect world AAA URL redirect should be something like http://192.168.254.1/cep....
Can you run freeradius in debug mode:

pkill radiusd
radiusd -d /usr/local/pf/raddb -X

and paste what is the debug when you try to connect.

Regards
Fabrice

On 2014-10-23 15:14, Christopher Mielke wrote:
> Here is the output:
>
> show client detail a088b41773a4
> Client MAC Address............................... a0:88:b4:17:73:a4
> Client Username ................................. N/A
> AP MAC Address................................... 00:27:0d:4a:77:b0
> AP Name.......................................... dial1142wap-test
> AP radio slot Id................................. 0
> Client State..................................... Associated
> Client NAC OOB State............................. Access
> Wireless LAN Id.................................. 4
> Hotspot (802.11u)................................ Not Supported
> BSSID............................................ 00:27:0d:4a:77:b3
> Connected For ................................... 36 secs
> Channel.......................................... 1
> IP Address....................................... Unknown
> Gateway Address.................................. Unknown
> Netmask.......................................... Unknown
> IPv6 Address..................................... fe80::bc0b:5c58:e766:93de
> Association Id................................... 1
> Authentication Algorithm......................... Open System
> Reason Code...................................... 1
> Status Code...................................... 0
> Session Timeout.................................. 1800
> Client CCX version............................... 4
> Client E2E version............................... 1
> QoS Level........................................ Silver
> Avg data Rate.................................... 0
> Burst data Rate.................................. 0
> Avg Real time data Rate.......................... 0
> Burst Real Time data Rate........................ 0
> 802.1P Priority Tag.............................. disabled
> CTS Security Group Tag........................... Not Applicable
> KTS CAC Capability............................... No
> WMM Support...................................... Enabled
> APSD ACs....................................... BK BE VI VO
> Power Save....................................... OFF
> Current Rate..................................... 54.0
> Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
> ............................................. 54.0
> Mobility State................................... Local
> Mobility Move Count.............................. 0
> Security Policy Completed........................ Yes
> Policy Manager State............................. RUN
> Policy Manager Rule Created...................... Yes
> AAA Override ACL Name............................ none
> AAA Override ACL Applied Status.................. Unavailable
> AAA Override Flex ACL Name....................... none
> AAA Override Flex ACL Applied Status............. Unavailable
> AAA URL redirect................................. none
> Audit Session ID................................. ac1fff1400000016544952a8
> AAA Role Type.................................... none
> Local Policy Applied............................. none
> IPv4 ACL Name.................................... PreAuth4WebRedirect
> FlexConnect ACL Applied Status................... Unavailable
> IPv4 ACL Applied Status.......................... Yes
> IPv6 ACL Name.................................... none
> IPv6 ACL Applied Status.......................... Unavailable
> Layer2 ACL Name.................................. none
> Layer2 ACL Applied Status........................ Unavailable
> mDNS Status...................................... Enabled
> mDNS Profile Name................................ default-mdns-profile
> No. of mDNS Services Advertised.................. 0
> Policy Type...................................... N/A
> Encryption Cipher................................ None
> Protected Management Frame ...................... No
> Management Frame Protection...................... No
> EAP Type......................................... Unknown
> Interface........................................ guest-wl
> VLAN............................................. 500
> Quarantine VLAN.................................. 0
> Access VLAN...................................... 500
> Client Capabilities:
> CF Pollable................................ Not implemented
> CF Poll Request............................ Not implemented
> Short Preamble............................. Implemented
> PBCC....................................... Not implemented
> Channel Agility............................ Not implemented
> Listen Interval............................ 90
> Fast BSS Transition........................ Not implemented
> Client Wifi Direct Capabilities:
> WFD capable................................ No
> Manged WFD capable......................... No
> Cross Connection Capable................... No
> Support Concurrent Operation............... No
> Fast BSS Transition Details:
> Client Statistics:
> Number of Bytes Received................... 12120
> Number of Bytes Sent....................... 0
> Total Number of Bytes Sent................. 0
> Total Number of Bytes Recv................. 12120
> Number of Bytes Sent (last 90s)............ 0
> Number of Bytes Recv (last 90s)............ 12120
> Number of Packets Received................. 126
> Number of Packets Sent..................... 0
> Number of Interim-Update Sent.............. 0
> Number of EAP Id Request Msg Timeouts...... 0
> Number of EAP Id Request Msg Failures...... 0
> Number of EAP Request Msg Timeouts......... 0
> Number of EAP Request Msg Failures......... 0
> Number of EAP Key Msg Timeouts............. 0
> Number of EAP Key Msg Failures............. 0
> Number of Data Retries..................... 0
> Number of RTS Retries...................... 0
> Number of Duplicate Received Packets....... 0
> Number of Decrypt Failed Packets........... 0
> Number of Mic Failured Packets............. 0
> Number of Mic Missing Packets.............. 0
> Number of RA Packets Dropped............... 0
> Number of Policy Errors.................... 0
> Radio Signal Strength Indicator............ -67 dBm
> Signal to Noise Ratio...................... 25 dB
> Client Rate Limiting Statistics:
> Number of Data Packets Recieved............ 0
> Number of Data Rx Packets Dropped.......... 0
> Number of Data Bytes Recieved.............. 0
> Number of Data Rx Bytes Dropped............ 0
> Number of Realtime Packets Recieved........ 0
> Number of Realtime Rx Packets Dropped...... 0
> Number of Realtime Bytes Recieved.......... 0
> Number of Realtime Rx Bytes Dropped........ 0
> Number of Data Packets Sent................ 0
> Number of Data Tx Packets Dropped.......... 0
> Number of Data Bytes Sent.................. 0
> Number of Data Tx Bytes Dropped............ 0
> Number of Realtime Packets Sent............ 0
> Number of Realtime Tx Packets Dropped...... 0
> Number of Realtime Bytes Sent.............. 0
> Number of Realtime Tx Bytes Dropped........ 0
> Nearby AP Statistics:
> dial1142wap-test(slot 0)
> antenna0: 36 secs ago.................... -64 dBm
> antenna1: 36 secs ago.................... -66 dBm
> dial1142wap-test(slot 1)
> antenna0: 112 secs ago................... -77 dBm
> antenna1: 112 secs ago................... -77 dBm
> DNS Server details:
> DNS server IP ............................. 0.0.0.0
> DNS server IP ............................. 0.0.0.0
> Assisted Roaming Prediction List details:
>
> Client Dhcp Required: True
> Allowed (URL)IP Addresses
> -------------------------
>
> Thanks,
> _______________________________________
> Chris Mielke | Lead, ISS Network Systems
> Drake Technology Services (DTS) | Drake University
>
> T 515.271.4640
> E [email protected]
>
> On 10/23/14, 1:57 PM, "Fabrice DURAND" <[email protected]> wrote:
>
>> Strange it doesn't detect that it's a wlc redirection.
>> Can you paste a sh client @mac (wlc) ?
>>
>> Regards
>> Fabrice
>>
>> On 2014-10-23 14:35, Christopher Mielke wrote:
>>> I didn’t try to ping because of the ACL, but I was able to telnet to the
>>> server on port 80. When I open a browser it tries to redirect to
>>>
>>> “https://pf.drake.edu/captive-portal?destination_url=http://192.168.254.1
>>> 0/
>>> &”, but then it times out.
>>>
>>> Thanks,
>>>
>>> On 10/23/14, 12:39 PM, "Fabrice DURAND" <[email protected]> wrote:
>>>
>>>> Yes this is correct but are you able to ping the portal ip address ?
>>>> (Also change the acl to allow icmp)
>>>>
>>>> Fabrice
>>>>
>>>> On 2014-10-23 12:36, Christopher Mielke wrote:
>>>>> Sorry it took so long to respond. I had to rebuild my test environment.
>>>>> I am able to connect to the SSID and on the wlc I can see the “PreAuth”
>>>>> access-list is being applied. However, when I open a web browser I do
>>>>> not get to the captive portal. I am pointing to production DNS right
>>>>> now. Is that correct?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> On 10/15/14, 12:23 PM, "Fabrice DURAND" <[email protected]> wrote:
>>>>>
>>>>>> Hello Christopher,
>>>>>>
>>>>>> it depends on your network configuration, but you can use an alias
>>>>>> (eth0:1) as the ip address of the captive portal.
>>>>>>
>>>>>> But let's start with a simple config, in packetfence create a
>>>>>> management interface, registration interface and an isolation
>>>>>> interface.
>>>>>>
>>>>>> The registration interface must be able to talk with the wlc and the
>>>>>> devices connected on and don't forget to disable dhcp on the reg
>>>>>> interface.
>>>>>> So on the wlc side configure an ACL (Pre-Auth-For-WebRedirect) that
>>>>>> forwards the traffic to the ip address of the registration interface
>>>>>> and configure another ACL (Authorize_any) to allow any any and
>>>>>> configure the WLC to be the dhcp server for the client.
>>>>>>
>>>>>> Then try to connect on the ssid and check the status of the client in
>>>>>> the WLC, if all is ok you will be able to see that the ACL applied to
>>>>>> the client is the Pre-Auth-For-WebRedirect.
>>>>>>
>>>>>> Let me know if it's ok.
>>>>>>
>>>>>> Regards
>>>>>> Fabrice
>>>>>>
>>>>>> On 2014-10-14 17:49, Christopher Mielke wrote:
>>>>>>> I am completely new to PacketFence and trying to set up WebAuth for
>>>>>>> a guest SSID using a Cisco WLC running 7.6.130.0. I have installed
>>>>>>> PacketFence ZEN 4.4.1 and have it running. I am trying to follow the
>>>>>>> instructions for "Wireless LAN Controller (WLC) Web Auth" from the
>>>>>>> network configuration guide, but I'm confused about the captive
>>>>>>> portal configuration. In the guide it says the captive portal is
>>>>>>> using IP address 172.16.0.250 and the administration (I presume
>>>>>>> management) interface uses IP address 172.16.0.249. How do I set up
>>>>>>> a captive portal IP address in the same subnet as the management IP
>>>>>>> address? I apparently cannot use the management IP for the captive
>>>>>>> portal because iptables blocks HTTP(S) traffic to that IP address
>>>>>>> because it is in the "input-management-if" chain.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Chris
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> PacketFence-users mailing list
>>>>>>> [email protected]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>> --
>>>>>> Fabrice Durand
>>>>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>>>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>>>>> PacketFence (http://packetfence.org)
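
The two fields this thread keeps returning to in the WLC "show client detail" output, the applied pre-auth ACL and the AAA URL redirect, can be checked mechanically. The following is an added example, not part of the original messages or of PacketFence; the function names and the expected_acl parameter are assumptions, and the sample text is an excerpt of the output quoted in the thread.

```python
import re

# Excerpt of the `show client detail` output quoted in the thread.
SAMPLE = """\
Client State..................................... Associated
IP Address....................................... Unknown
AAA URL redirect................................. none
IPv4 ACL Name.................................... PreAuth4WebRedirect
IPv4 ACL Applied Status.......................... Yes
Supported Rates.................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
"""

# "Key....... value": a key, a run of leader dots, then the value.
LEADER = re.compile(r"^\s*(?P<key>[^.\s].*?)\s*\.{3,}\s*(?P<val>.*)$")
# A line that starts with leader dots continues the previous value.
CONTINUATION = re.compile(r"^\s*\.{3,}\s*(?P<val>.*)$")


def parse_client_detail(text):
    """Parse dotted-leader lines into a dict (hypothetical helper).

    Repeated keys (e.g. "DNS server IP") keep the last value seen.
    """
    fields, last = {}, None
    for line in text.splitlines():
        cont = CONTINUATION.match(line)
        if cont and last is not None:
            fields[last] += cont.group("val").strip()
            continue
        m = LEADER.match(line)
        if m:
            last = m.group("key")
            fields[last] = m.group("val").strip()
    return fields


def webauth_findings(fields, expected_acl):
    """Return the web-auth problems visible in the parsed fields."""
    findings = []
    if fields.get("IPv4 ACL Name") != expected_acl:
        findings.append("pre-auth ACL %r is not the one on the client" % expected_acl)
    elif fields.get("IPv4 ACL Applied Status") != "Yes":
        findings.append("pre-auth ACL is named but not applied")
    redirect = fields.get("AAA URL redirect", "none")
    if not redirect.lower().startswith(("http://", "https://")):
        findings.append("no AAA URL redirect on the client: %s" % redirect)
    return findings


if __name__ == "__main__":
    for finding in webauth_findings(parse_client_detail(SAMPLE), "PreAuth4WebRedirect"):
        print(finding)
```

On the excerpt the ACL check passes and the only finding is the missing redirect, which matches the state described in the thread.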
