Hello, newer to PacketFence.  I've been able to set up a few things (802.1X
wired/wireless, AD integration, etc.)

Struggling with Captive Portal on FortiGate external captive portal, i.e.:
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/

I've got FortiGate redirecting to PacketFence, and PacketFence serving the
portal, successfully authenticating to the portal, but it's not calling the
Fortinet::FortiGate module to post back to the FortiGate. It's treating it
like a VLAN reassignment instead of using the code for the switch type.

I've defined the switch as type Fortinet::FortiGate, tried to force it
with switch Filter Engines à la the example:
[login]
filter = params.login
operator = defined

[post]
filter = params.post
operator = defined

[magic]
filter = params.magic
operator = defined

[usermac]
filter = params.usermac
operator = defined

[apmac]
filter = params.apmac
operator = defined

[apip]
filter = params.apip
operator = defined

[userip]
filter = params.userip
operator = defined

[1:login&post&magic&usermac&apmac&apip&userip]
scope = external_portal
switch = Fortinet::FortiGate

Nothing seems to trigger the post back to the FortiGate.

Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal: httpd.portal(3121)
INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile default
(pf::Connection::ProfileFactory::_from_profile)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of uninitialized value
in string ne at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
line 134.
 (captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::update_collector_endpoint_data)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR: [mac:unknown]
Error while communicating with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR: [mac:unknown]
Unable to fetch query arguments for Fingerbank query. Aborting.
(pf::fingerbank::process)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 21 22:

In my browser tools, I see Post URL is set, magic value etc. that the
FortiGate sends to the portal...

Also can't seem to get rid of those pesky Fingerbank errors. Don't think
that's related, but possible I suppose.

Do you have an example of how to set up FortiGate external captive
authentication and PacketFence?  Other values I need to configure?  Sample
for the Role by Web Auth URL?

Cheers.
Neil.
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
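
As an added example (not part of the original post and not PacketFence code): a simplified Python model of the switch filter rules quoted in the message, reporting which of the seven `params.*` conditions a given portal request URL fails to satisfy. It assumes `operator = defined` means the key is present in the query string and that `&` in the rule name means logical AND; the sample URL and its values are constructed.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# The switch filter rules from the post, rebuilt compactly (same sections and keys).
NAMES = ["login", "post", "magic", "usermac", "apmac", "apip", "userip"]
CONFIG = "".join(f"[{n}]\nfilter = params.{n}\noperator = defined\n\n" for n in NAMES)
CONFIG += ("[1:" + "&".join(NAMES) + "]\n"
           "scope = external_portal\nswitch = Fortinet::FortiGate\n")


def check_request(url, config_text=CONFIG):
    """Return {rule: (switch, missing_params)}; an empty list means the rule matches.

    Assumption: "defined" is modelled as "key present in the query string".
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    # keep_blank_values keeps bare keys such as "?login" that carry no value.
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    results = {}
    for section in cp.sections():
        if ":" not in section:
            continue  # a named condition, not a rule
        missing = []
        for cond in section.split(":", 1)[1].split("&"):
            field = cp[cond]["filter"].split(".", 1)[1]  # "params.magic" -> "magic"
            if cp[cond]["operator"] == "defined" and field not in params:
                missing.append(field)
        results[section] = (cp[section]["switch"], missing)
    return results


# Constructed sample redirect; every value here is a placeholder, not captured traffic.
SAMPLE = ("http://pfn01.DOMAIN.com/?login&post=http://192.0.2.1:1000/fgtauth"
          "&magic=0123abcd&usermac=00:00:5e:00:53:10&apmac=00:00:5e:00:53:01"
          "&apip=192.0.2.1&userip=192.0.2.50")

if __name__ == "__main__":
    for rule, (switch, missing) in check_request(SAMPLE).items():
        status = "matches" if not missing else "missing " + ", ".join(missing)
        print(f"[{rule}] -> {switch}: {status}")
```

Pasting the redirect URL seen in the browser tools in place of `SAMPLE` shows whether every parameter the rule requires actually reaches the portal.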
