The function is like that?

sub returnRadiusAccessAccept {
    my ($this, $vlan, $mac, $port, $connection_type, $user_name, $ssid,
        $wasInline, $user_role) = @_;
    my $logger = Log::Log4perl::get_logger( ref($this) );
    my $radius_reply_ref = {};
    my $role = $this->getRoleByName($user_role);
    # Roles are configured and the user should have one
    if (defined($role) && isenabled($this->{_RoleMap})) {
        my $node_info = node_view($mac);
        my $violation = pf::violation::violation_view_top($mac);
        # Registered node with no open violation: return the role attribute
        if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED &&
            !defined($violation)) {
            $radius_reply_ref = {
                'User-Name' => $mac,
                $this->returnRoleAttribute => $role,
            };
        }
        else {
            # Otherwise open a portal session and record it for this MAC
            my (%session_id);
            pf::web::util::session(\%session_id,undef,6);
            $session_id{client_mac} = $mac;
            $session_id{wlan} = $ssid;
            $session_id{switch_id} = $this->{_id};
            pf::locationlog::locationlog_set_session($mac,
                $session_id{_session_id});
            # Pick the portal URL by SSID, else use the one from the switch config
            my $portal_url;
            if ( $ssid eq "Webreg-Production") {
                $portal_url='http://10.4.0.3';
            }elsif ( $ssid eq "Augie-Guest") {
                $portal_url='http://10.5.0.3';
            } else {
                $portal_url=$this->{'_portalURL'};
            }
            $radius_reply_ref = {
                'User-Name' => $mac,
                'Cisco-AVPair' =>
                    ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
            };
        }
        $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
    }

Also check the httpd.admin... log files; you should be able to see what
the error is.
Regards
Fabrice
On 2015-05-21 12:28, J Nelson wrote:
> Closer, but not quite. So, my code now looks like:
>
>     my $portal_url;
>     if ( $ssid eq "Webreg-Production") {
>         $portal_url='http://10.4.0.3';
>     }elsif ( $ssid eq "Augie-Guest") {
>         $portal_url='http://10.5.0.3';
>     } else {
>         $portal_url=$this->{'_portalURL'};
>     };
>
>     $radius_reply_ref = {
>         'User-Name' => $mac,
>         'Cisco-AVPair' =>
>             ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
>     };
> }
>
> So this is what I am experiencing now:
> Webreg-Production SSID works
> Augie-Guest SSID continues to loop
> In the PacketFence GUI, under Network, when I click Switches I get:
> *Error!* An error occured while contacting the server. Please try
> again later.
> I'm not seeing an error when PacketFence starts.
>
> On Thu, May 21, 2015 at 10:40 AM, Fabrice DURAND <[email protected]> wrote:
>
> Hi Nelson,
>
> my bad:
>
> $portal_url="10.4.0.3"; => $portal_url='http://10.4.0.3';
> $portal_url="10.5.0.3"; => $portal_url='http://10.5.0.3';
>
> Regards
> Fabrice
>
>
> On 2015-05-21 10:47, J Nelson wrote:
>> Fabrice,
>>
>> I tried to add what you provided to the code of WLC_http.pm, but
>> once I do it, I get put into an endless redirect loop on both
>> networks. I do see that each network is trying to redirect to
>> the proper portal IP. I'm putting what I have in WLC_http.pm -
>> I'm including some lines before and after the code tweak you
>> provided - just so you can see if anything is missing
>> before/after like a { or ; somewhere.
>>
>>     my $role = $this->getRoleByName($user_role);
>>     # Roles are configured and the user should have one
>>     if (defined($role) && isenabled($this->{_RoleMap})) {
>>         my $node_info = node_view($mac);
>>         if ($node_info->{'status'} eq $pf::node::STATUS_REGISTERED) {
>>             $radius_reply_ref = {
>>                 'User-Name' => $mac,
>>                 $this->returnRoleAttribute => $role,
>>             };
>>         }
>>         else {
>>             my (%session_id);
>>             pf::web::util::session(\%session_id,undef,6);
>>             $session_id{client_mac} = $mac;
>>             $session_id{wlan} = $ssid;
>>             $session_id{switch_id} = $this->{_id};
>>             my $portal_url;
>>             if ( $ssid eq "Webreg-Production") {
>>                 $portal_url="10.4.0.3";
>>             }elsif ( $ssid eq "Augie-Guest") {
>>                 $portal_url="10.5.0.3";
>>             } else {
>>                 $portal_url=$this->{'_portalURL'};
>>             }
>>
>>             $radius_reply_ref = {
>>                 'User-Name' => $mac,
>>                 'Cisco-AVPair' =>
>>                     ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
>>             };
>>
>>         }
>>         $logger->info("[$mac] (".$this->{'_id'}.") Returning ACCEPT with role: $role");
>>     }
>>
>>
>>
>>
>> On Wed, May 20, 2015 at 9:33 AM, Fabrice DURAND <[email protected]> wrote:
>>
>> Hi John,
>>
>> so you will have to go in the code because there is only one
>> portal url per switch config.
>>
>> So let's do a hack:
>>
>> https://github.com/inverse-inc/packetfence/blob/devel/lib/pf/Switch/Cisco/WLC_http.pm#L161
>>
>>     my $portal_url;
>>     if ( $ssid eq "Staff") {
>>         $portal_url="10.4.0.3";
>>     }elsif ( $ssid eq "Guest") {
>>         $portal_url="10.5.0.3";
>>     } else {
>>         $portal_url=$this->{'_portalURL'};
>>     }
>>
>>     $radius_reply_ref = {
>>         'User-Name' => $mac,
>>         'Cisco-AVPair' =>
>>             ["url-redirect-acl=$role","url-redirect=".$portal_url."/cep$session_id{_session_id}"],
>>     };
>>
>>
>> Regards
>> Fabrice
>>
>>
>>
>> On 2015-05-20 09:40, J Nelson wrote:
>>> Fabrice, I am purely Web Auth via Cisco WLC.
>>>
>>> So, in that configuration, I don't believe there is any way
>>> to change VLANs - as Web Auth is purely controlling access
>>> via ACLs on the WLC.
>>> - now if I'm wrong on this, I need to be pointed in the
>>> right direction.
>>>
>>> So, I am trying to figure out how to basically have two
>>> registration interfaces in a pure WLC Web Auth setup:
>>> Vlan4 - Staff/Fac
>>> Vlan5 - Guest
>>>
>>> but, it looks like I can only have portal, since I set up
>>> Vlan 4 first - the portal exists on that address
>>> space/subnet. So, the issue I'm having, when I join the
>>> Guest network, a client in that network is unable to get to
>>> the portal page. It looks like a redirect is happening, but
>>> I just can't get to it (the PF portal). The ACL on the WLC
>>> is indicating that the traffic is being passed, but I don't
>>> believe IPtables on the PF box is allowing it. A client in
>>> the Guest network definitely cannot get to http/https on the
>>> PF portal ip address (confirming via an NMAP scan).
>>>
>>> So I guess the question is, providing you understand what
>>> I'm trying to accomplish, can I have multiple Registration
>>> interfaces that use the same PF portal? And what are the
>>> configuration requirements? Throwing up two PF boxes - one
>>> for Staff/Fac/Student one for Guest would certainly work,
>>> just curious if I can do it all in one box.
>>>
>>> thanks..
>>>
>>> On Wed, May 20, 2015 at 8:23 AM, Fabrice DURAND <[email protected]> wrote:
>>>
>>> Hello Nelson,
>>>
>>> I am not sure I understand what you really want to do.
>>>
>>> Let's say you have a registration network: VLAN 4
>>> A production network for the staff and a production
>>> network for the guest (5).
>>>
>>> When a device is unreg then packetfence will return the
>>> vlan 5 and the device will hit the portal.
>>> Then depending if it's a Staff or a guest then after
>>> registration the device will be placed on his production
>>> network (depending on his role).
>>>
>>> Is it something like that you want to achieve?
>>>
>>> Regards
>>> Fabrice
>>>
>>>
>>> On 2015-05-19 14:18, J Nelson wrote:
>>>> any role configured on a different subnet other than
>>>> the native subnet where the captive portal is located
>>>> will not work.
>>>>
>>>> So, what I do have working is my Fac-Staff SSID which
>>>> is on VLAN 4/10.4.0.0/24
>>>> captive portal is located at: 10.4.0.3
>>>> WLC is configured at Network | Switches | and is
>>>> configured to do Role by Switch Role, where WLC ACL’s
>>>> are entered to define Registration and then Fac-Staff
>>>> access upon registration.
>>>>
>>>> The Portal URL is in the Fac-Staff registration network
>>>> - IP address, in this case: 10.4.0.3
>>>>
>>>> So, the problem I’m running into, is that I want Guests
>>>> on a different subnet and SSID other than where
>>>> Fac-Staff reside. So I create a new interface, on a
>>>> different subnet, as: Type - Registration, and
>>>> configure a new SSID on the WLC side.
>>>>
>>>> So, for now, I configure the WLC under switches with
>>>> the same ACL’s as Fac-Staff for the Guest role - just
>>>> for simplicity I’m using the same ACL’s for now, since
>>>> I know they work.
>>>>
>>>> The Guest network info is: vlan 5 | 10.5.0.0
>>>>
>>>> So, when logging on as guest, it appears as though a
>>>> redirect attempts to happen, but doing a port scan
>>>> shows that a computer attached to the guest SSID does
>>>> not have http/https available to them on 10.4.0.3 - the
>>>> captive portal.
>>>>
>>>> Looking at the PF iptables config, it appears as though
>>>> there is a variable that says any registration network
>>>> should have access to the captive portal, but that
>>>> seems to not be the case.
>>>>
>>>> So, why am I trying to configure this?
>>>> With guests on a different vlan, I can very easily
>>>> control the bandwidth available to them in multiple
>>>> places - from the WLC, from the core switches, or from
>>>> our NetEnforcer.
>>>>
>>>> Basic network configuration is correct: PF can ping
>>>> guest network gateway and WLC interfaces as well.
>>>>
>>>> But, it seems to me like it's definitely in IPTables,
>>>> but I'm hesitant to make changes in case what I'm
>>>> trying to accomplish is way off base.
>>>>
>>>> Hopefully it's somewhat clear what I’m trying to do
>>>> here, any ideas?
>>>>
>>>> --
>>>> Justin Nelson
>>>> Network Engineer
>>>> Augustana College
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PacketFence-users mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>> --
>>> Fabrice Durand
>>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>>> PacketFence (http://packetfence.org)
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> --
>>> Justin Nelson
>>> Network Engineer
>>> Augustana College
>>>
>>>
>>>
>>
>>
>> --
>> Fabrice Durand
>> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
>> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and
>> PacketFence (http://packetfence.org)
>>
>>
>>
>>
>>
>>
>>
>> --
>> Justin Nelson
>> Network Engineer
>> Augustana College
>>
>>
>>
>
>
> --
> Fabrice Durand
> [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
> (http://packetfence.org)
>
>
>
>
>
>
>
> --
> Justin Nelson
> Network Engineer
> Augustana College
>
>
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
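
Added example, not part of the original thread and not PacketFence's own code: the per-SSID portal selection discussed above, written as an exact-match lookup table that refuses a portal URL without an http(s):// scheme (the correction made earlier in the thread). The helper names, the ACL name and the session id are hypothetical; the SSIDs and addresses are the ones quoted in the messages.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed table: SSIDs and portal addresses as quoted in the thread.
my %PORTAL_BY_SSID = (
    'Webreg-Production' => 'http://10.4.0.3',
    'Augie-Guest'       => 'http://10.5.0.3',
);

# A portal URL must carry an explicit scheme and a plain host[:port].
# A bare "10.4.0.3" (the first version of the hack) is rejected here.
sub validate_portal_url {
    my ($url) = @_;
    return 0 unless defined $url;
    return ($url =~ m{\Ahttps?://[A-Za-z0-9.-]+(?::\d+)?\z}) ? 1 : 0;
}

# Exact-match lookup: the SSID arrives in the RADIUS request, so it is only
# ever used as a hash key. Unknown or missing SSIDs get the switch default.
sub portal_url_for_ssid {
    my ($ssid, $default_url) = @_;
    my $url = (defined $ssid && exists $PORTAL_BY_SSID{$ssid})
        ? $PORTAL_BY_SSID{$ssid}
        : $default_url;
    die "portal URL '" . ($url // 'undef') . "' has no http(s):// scheme\n"
        unless validate_portal_url($url);
    return $url;
}

# Build the two Cisco-AVPair values in the same shape the thread's code uses.
sub redirect_avpairs {
    my ($role, $ssid, $default_url, $session_id) = @_;
    my $portal_url = portal_url_for_ssid($ssid, $default_url);
    return [
        "url-redirect-acl=$role",
        "url-redirect=$portal_url/cep$session_id",
    ];
}

# Constructed inputs: hypothetical ACL name, default URL and session id.
for my $ssid ('Webreg-Production', 'Augie-Guest', 'Some-Other-SSID') {
    my $pairs = redirect_avpairs('Pre-Auth-ACL', $ssid, 'http://10.4.0.3', 'a1b2c3');
    print "$ssid => $pairs->[1]\n";
}

# The scheme-less value from the first attempt fails validation.
print "10.5.0.3 accepted? ", (validate_portal_url('10.5.0.3') ? "yes" : "no"), "\n";
```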
