So the reason why the captive portal was not showing up was because port 80
and 443 were not listening on the registration interface. They were only
listening on the local interface 127.0.0.1. Fabrice helped me figure this
out by pointing to the haproxy service which is responsible for forwarding
the request to 127.0.0.1. I found that haproxy was not running on my server
and that it was failing to start because of my certificates. I fixed my ssl
certificates and now my clients are finally getting the captive portal
page. Thanks!

On Tue, Feb 13, 2018 at 2:45 PM, Chris Abel <ca...@wildwoodprograms.org>
wrote:

> Hello all,
>
> I have set up a new packetfence server set up with dynamic vlans in
> out-of-band and am having issues with the captive portal popping up when
> clients connect to the AP. The clients get put into the registration vlan
> and are assigned the registration interface as the DNS server. blackhole
> DNS seems to be working as all dns requests get forwarded to the
> registration interface's IP address and the client is able to ping that
> address.
>
> tcpdump is showing a lot of these:
> pf.domain.com.https > 10.11.100.13.53213: Flags [R.], seq 0, ack 4117981027, win 0, length 0
>
> The address 10.11.100.13 is the client that is connected to the AP that
> will need to register with the captive portal.
>
> netstat is showing the following:
>
> netstat -tnlp | grep http
> tcp        0      0 127.0.0.1:80            0.0.0.0:*   LISTEN      1995/httpd
> tcp        0      0 127.0.0.1:443           0.0.0.0:*   LISTEN      1995/httpd
> tcp        0      0 127.0.0.1:7070          0.0.0.0:*   LISTEN      1892/httpd
> tcp        0      0 10.10.0.68:7070         0.0.0.0:*   LISTEN      1892/httpd
> tcp        0      0 127.0.0.1:9090          0.0.0.0:*   LISTEN      1879/httpd
> tcp        0      0 10.10.0.68:9090         0.0.0.0:*   LISTEN      1879/httpd
> tcp        0      0 10.10.0.68:1443         0.0.0.0:*   LISTEN      1832/httpd
> tcp        0      0 10.10.0.68:1444         0.0.0.0:*   LISTEN      1995/httpd
> tcp        0      0 0.0.0.0:5252            0.0.0.0:*   LISTEN      1844/httpd
> tcp        0      0 10.10.0.68:9191         0.0.0.0:*   LISTEN      1832/httpd
> tcp        0      0 0.0.0.0:9000            0.0.0.0:*   LISTEN      1939/httpd
> tcp6       0      0 :::8888                 :::*        LISTEN      1787/pfhttpd
> tcp6       0      0 :::8889                 :::*        LISTEN      1787/pfhttpd
> tcp6       0      0 :::8777                 :::*        LISTEN      1793/pfhttpd
>
> 10.10.0.68 is the management interface of my pf server. I'm not sure if
> this looks correct. Should I have port 80 and 443 mapped to my management
> interface?
>
> My pf.conf looks like this:
>
> [general]
> #
> # general.domain
> #
> # Domain name of PacketFence system.
> domain=domain.com
> #
> # general.hostname
> #
> # Hostname of PacketFence system.  This is concatenated with the domain in Apache rewriting rules and therefore must be resolvable by clients.
> hostname=pf
> #
> # general.dhcpservers
> #
> # Comma-delimited list of DHCP servers.  Passthroughs are created to allow DHCP transactions from even "trapped" nodes.
> dhcpservers=127.0.0.1,10.10.0.254
> #
> # general.timezone
> #
> #System's timezone in string format. List generated from Perl library DataTime::TimeZone
> timezone=America/New_York
>
> [alerting]
> #
> # alerting.emailaddr
> #
> # Email address to which notifications of rogue DHCP servers, violations with an action of "email", or any other
> # PacketFence-related message goes to.
> emailaddr=
> #
> # alerting.smtpserver
> #
> # Server through which to send messages to the above emailaddr.  The default is localhost - be sure you're running an SMTP
> # host locally if you don't change it!
> smtpserver=aspmx.l.google.com
>
> [database]
> #
> # database.user
> #
> # Username of the account with access to the MySQL database used by PacketFence. Changing this parameter after the initial configuration will *not* change it in the database it self, only in the configuration.
> user=
> #
> # database.pass
> #
> # Password for the mysql database used by PacketFence. Changing this parameter after the initial configuration will *not* change it in the database it self, only in the configuration.
> pass=
>
> [services]
> #
> # services.pfbandwidthd
> #
> # Should pfbandwidthd be managed by PacketFence?
> pfbandwidthd=enabled
>
> [captive_portal]
> #
> # captive_portal.network_detection_ip
> #
> # This IP is used as the webserver who hosts the common/network-access-detection.gif which is used to detect if network
> # access was enabled.
> # It cannot be a domain name since it is used in registration or quarantine where DNS is blackholed.
> # It is recommended that you allow your users to reach your packetfence server and put your LAN's PacketFence IP.
> # By default we will make this reach PacketFence's website as an easy solution.
> #
> network_detection_ip=10.10.0.68
>
> [interface eth0]
> ip=10.10.0.68
> type=management,portal
> mask=255.255.252.0
>
> [interface eth0.200]
> enforcement=vlan
> ip=10.10.100.253
> type=internal
> mask=255.255.255.0
>
> [interface eth0.201]
> enforcement=vlan
> ip=10.10.101.253
> type=internal
> mask=255.255.255.0
>
>
> Should eth0.200 and eth0.201 be of type internal? Shouldn't they say
> registration and isolation?
>
>
> Thanks for any help you can provide. If you need more information let me
> know.
> --
> Chris Abel
> Systems and Network Administrator
> Wildwood Programs
> 2995 Curry Road Extension
> Schenectady, NY  12303
> 518-836-2341
>



-- 
Chris Abel
Systems and Network Administrator
Wildwood Programs
2995 Curry Road Extension
Schenectady, NY  12303
518-836-2341
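As an added example (not code from the thread or from PacketFence), a small Python check that reads a `netstat -tnlp` listing and reports every registration-interface IP/port pair that no process would answer, which is the symptom diagnosed above: 80 and 443 bound only on 127.0.0.1 because haproxy, which should front them on the registration interface, was not running. The broken listing and the registration IPs (10.10.100.253, 10.10.101.253) come from the quoted message; the "fixed" listing with haproxy bound on those IPs is constructed, and its PID is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the listing from the thread with wrapped lines rejoined
# (abridged). No haproxy process is present, so 80/443 exist only on loopback
# and a client in the registration VLAN gets a TCP reset instead of the portal.
NETSTAT_BROKEN = """\
tcp        0      0 127.0.0.1:80            0.0.0.0:*   LISTEN      1995/httpd
tcp        0      0 127.0.0.1:443           0.0.0.0:*   LISTEN      1995/httpd
tcp        0      0 10.10.0.68:1443         0.0.0.0:*   LISTEN      1832/httpd
tcp6       0      0 :::8888                 :::*        LISTEN      1787/pfhttpd
"""

# Constructed "after the fix" sample: haproxy (hypothetical PID 2100) bound on
# the two registration-interface IPs from the quoted pf.conf.
NETSTAT_FIXED = NETSTAT_BROKEN + """\
tcp        0      0 10.10.100.253:80        0.0.0.0:*   LISTEN      2100/haproxy
tcp        0      0 10.10.100.253:443       0.0.0.0:*   LISTEN      2100/haproxy
tcp        0      0 10.10.101.253:80        0.0.0.0:*   LISTEN      2100/haproxy
tcp        0      0 10.10.101.253:443       0.0.0.0:*   LISTEN      2100/haproxy
"""

# proto  recv-q  send-q  local-addr:port  foreign  LISTEN  pid/program
LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def parse_listeners(text):
    """Map port -> list of (local address, program) for LISTEN sockets."""
    listeners = defaultdict(list)
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _, addr, port, _, prog = m.groups()
            listeners[int(port)].append((addr, prog))
    return listeners

def bound_on(listeners, port, ip):
    """Programs that would answer ip:port: an exact bind or a wildcard bind.
    '::' is treated as a wildcard on the assumption of a dual-stack socket."""
    return [prog for addr, prog in listeners.get(port, [])
            if addr in (ip, "0.0.0.0", "::")]

def diagnose(netstat_text, registration_ips, ports=(80, 443)):
    """One finding per registration IP/port pair that nothing listens on."""
    listeners = parse_listeners(netstat_text)
    findings = []
    for ip in registration_ips:
        for port in ports:
            if not bound_on(listeners, port, ip):
                only = sorted({a for a, _ in listeners.get(port, [])})
                findings.append(f"{ip}:{port} has no listener (port bound only on {only})")
    return findings
```

On a live box, feed `diagnose()` the output of `netstat -tnlp` and the `ip=` values of every registration/isolation interface; an empty result means the portal front end is reachable from those VLANs.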

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users