Re: [PacketFence-users] Access to PF captive portal is blocked

[E.P. via PacketFence-users]

And my further attempts to put two and two together and look back in time into 
this mailing list showed that Fabrice already answered this question before 😉

Yes, I’d create an alias, e.g. eth0.1

So, under Configuration-Networks-Interfaces I click  “ADD VLAN”  and then add 
VLAN 1, add a new IP address to belong to the same subnet and then select type 
“portal” 

New interface eth0.1 gets created with IP address 172.16.0.223, I can reach it 
via IP and my interfaces and networks look like this:

 



 

What else am I doing to enable captive portal? I thought that it is enabled by 
default and I see httpd.portal is UP and running but I don’t see anything ports 
open on 172.16.0.223

And iptables allow all HTTP and HTTPS for input-portal-if chain

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 11:14 PM
To: 'packetfence-users@lists.sourceforge.net' 
<packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca>
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

I think it is slowly coming to me, Fabrice.

My PF is pure for RADIUS enforcement and PF has only one IP address of 
management type.

Now if I want WebAuth enforcement I would need to create one more interface of 
portal type

The question is can I create this portal type interface in the same subnet as 
the management interface ?

I would want to have them both in the same VLAN

 

Eugene

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Sunday, February 18, 2018 7:20 PM
To: 'packetfence-users@lists.sourceforge.net' 
<packetfence-users@lists.sourceforge.net>
Cc: 'Durand fabrice' <fdur...@inverse.ca <mailto:fdur...@inverse.ca> >
Subject: RE: [PacketFence-users] Access to PF captive portal is blocked

 

Here it is, Fabrice

10.0.254.3 is the WiFi client and 172.16.0.222 is PF.

Tcpdump.pcap is attached and it is made right on PF

The second capture is made on the laptop connected to guest WiFi.

It contains pings to PF but all TCP SYN requests all are answered with RST.

 

Eugene

 

From: Durand fabrice via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net] 
Sent: Sunday, February 18, 2018 10:51 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Cc: Durand fabrice <fdur...@inverse.ca <mailto:fdur...@inverse.ca> >
Subject: Re: [PacketFence-users] Access to PF captive portal is blocked

 

Hello Eugene,

do you have the capture ?

Regards
Fabrice

Le 2018-02-15 à 23:12, E.P. via PacketFence-users a écrit :

Hi Fabrice,

I dare sending it again believing my previous email fell into cracks.

Can you please advise what could be wrong (see below)

 

Eugene

 

 

From: E.P. [mailto:ype...@gmail.com] 
Sent: Wednesday, February 14, 2018 1:08 AM
To: packetfence-users@lists.sourceforge.net 
<mailto:packetfence-users@lists.sourceforge.net> 
Subject: Access to PF captive portal is blocked

 

Hello folks,

I really hope someone who ran into a similar problem will shed some light.

Feeling bad we don’t hear anything from Fabrice or someone from inverse.

I have an out-of-band deployment of PF and my WiFi client gets connected and 
redirected to PF

I see redirects by capturing the traffic on PF by tcpdump.

But… I see that PF sends TCP resets even for TCP SYN packet coming from the 
client.

It seems to me it is just iptables firewall that blocks it. 

Why ? Where am I supposed to enter those IP addresses that are allowed to go 
through captive portal registration?

I do allow PF IP address in the pre-authorization access list and my ping to 
FQDN of PF succeeds normally.

It is only HTTP(s) doesn’t go through. 

Even manually entered URL in the client browser doesn’t open up any page, i.e. 
https://pf.blabla.com/captive-portal or https://172.16.0.222/captive-portal

 

Eugene

 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot

 

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net 
<mailto:PacketFence-users@lists.sourceforge.net> 
https://lists.sourceforge.net/lists/listinfo/packetfence-users

 


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users