Hello Roo,
Did you enable the external captive portal in the switch config? (Can I
see switches.conf?)
Can I see the whole registration process (packetfence.log)?
Regards
Fabrice
On 2018-06-21 at 18:51, Roo via PacketFence-users wrote:
Hello, newer to PacketFence. I've been able to set up a few things
(802.1x wired/wireless, AD integration etc.)
Struggling with Captive Portal on FortiGate external captive portal,
i.e.:
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
I've got the FortiGate redirecting to PacketFence, and PacketFence
serving the portal, successfully authenticating to the portal, but
it's not calling the Fortinet::FortiGate module to post back to the
FortiGate. It's treating it like a VLAN reassignment instead of using
the code for the switch type.
I've defined the switch as type Fortinet::FortiGate, tried to force it
with switch Filter Engines à la the example:
[login]
filter = params.login
operator = defined
[post]
filter = params.post
operator = defined
[magic]
filter = params.magic
operator = defined
[usermac]
filter = params.usermac
operator = defined
[apmac]
filter = params.apmac
operator = defined
[apip]
filter = params.apip
operator = defined
[userip]
filter = params.userip
operator = defined
[1:login&post&magic&usermac&apmac&apip&userip]
scope = external_portal
switch = Fortinet::FortiGate
Nothing seems to trigger the post back to the Fortigate.
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
default (pf::Connection::ProfileFactory::_from_profile)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination
URL http://pfn01.DOMAIN.com/?login since it points to the captive
portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while
communicating with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of uninitialized
value in string ne at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
line 134.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while
communicating with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::update_collector_endpoint_data)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
[mac:unknown] Error while communicating with the Fingerbank collector.
401 Unauthorized (pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
[mac:unknown] Unable to fetch query arguments for Fingerbank query.
Aborting. (pf::fingerbank::process)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 21 22:
In my browser tools, I see the Post URL is set, magic value etc. that the
FortiGate sends to the portal...
Also can't seem to get rid of those pesky Fingerbank errors. Don't
think that's related, but possible I suppose.
Do you have an example of how to set up FortiGate external captive
authentication and PacketFence? Other values I need to configure?
Sample for the Role by Web Auth URL?
Cheers.
Neil.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
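An added troubleshooting example, not part of the original thread and not PacketFence code: a small Python check that rebuilds the switch filter rule quoted in the message and reports which of the query parameters it requires are missing from a captured redirect URL. It assumes `defined` means the key is present in the query string (even with an empty value, as in `?login`) and that `&` means every condition must hold; the values in `FULL_URL` are constructed.

```python
import configparser
from urllib.parse import urlsplit, parse_qs

# The seven conditions and the rule from the message above, rebuilt as text.
PARAMS = ["login", "post", "magic", "usermac", "apmac", "apip", "userip"]
FILTERS_INI = "".join(
    f"[{p}]\nfilter = params.{p}\noperator = defined\n" for p in PARAMS
) + ("[1:" + "&".join(PARAMS) + "]\n"
     "scope = external_portal\nswitch = Fortinet::FortiGate\n")

# Destination URL as it appears in the packetfence.log excerpt.
LOG_URL = "http://pfn01.DOMAIN.com/?login"
# Constructed sample carrying every parameter the rule names.
FULL_URL = ("http://pfn01.example.com/?login&post=http://192.0.2.1:1000/fgtauth"
            "&magic=0123abcd&usermac=00:11:22:33:44:55"
            "&apmac=66:77:88:99:aa:bb&apip=192.0.2.10&userip=192.0.2.50")


def evaluate(ini_text, url, scope="external_portal"):
    """Return one result per rule in `scope`: matched flag and missing params."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(ini_text)
    # keep_blank_values=True so a bare "?login" still counts as present.
    present = parse_qs(urlsplit(url).query, keep_blank_values=True)
    results = []
    for section in cp.sections():
        if ":" not in section:          # a condition, not a rule
            continue
        if cp[section].get("scope") != scope:
            continue
        expr = section.split(":", 1)[1]
        missing = []
        for name in expr.split("&"):
            cond = cp[name]
            key = cond["filter"].split(".", 1)[1]   # "params.login" -> "login"
            if cond["operator"] == "defined" and key not in present:
                missing.append(key)
        results.append({"rule": section, "switch": cp[section]["switch"],
                        "matched": not missing, "missing": missing})
    return results


if __name__ == "__main__":
    for label, url in (("log", LOG_URL), ("full", FULL_URL)):
        for r in evaluate(FILTERS_INI, url):
            print(label, r["switch"], "matched" if r["matched"] else
                  "missing: " + ", ".join(r["missing"]))
```

Running it against the URL captured in browser tools at the moment of the redirect shows whether the request PacketFence receives carries all the parameters the rule depends on.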