Re: [PacketFence-users] Fortigate Web Auth External Captive Portal

[Roo via PacketFence-users]

Yes, External portal is enabled..


[root@PacketFence-ZEN logs]# cat ../conf/switches.conf
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Fortinet::FortiGate
useCoA=N

[10.210.31.1]
description=calgaryforti
VlanMap=N
registrationUrl=http://myv1it-pfn.DOMAIN.com/Fortinet::FortiGate
macDetectionRole=macDetection
isolationRole=isolation
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
guestRole=Authorize_any
UrlMap=Y
useCoA=Y
ExternalPortalEnforcement=Y

Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:unknown] Instantiate profile CaptiveWifi
(pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19675) INFO: [mac:unknown]
Device Mac OS X is a Mac OS X or macOS (pf::fingerbank::__ANON__)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19667) INFO: [mac:unknown]
Device Mac OS X is a Mac OS X or macOS (pf::fingerbank::__ANON__)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
in source null, returning actions. (pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
in source null, returning actions. (pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
in source null, returning actions. (pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
in source null, returning actions. (pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
matching (pf::authentication::match)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] No provisioner found for
78:31:c1:c1:b5:62. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] violation 1300003
force-closed for 78:31:c1:c1:b5:62 (pf::violation::violation_force_close)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:10 PacketFence-ZEN pfqueue: pfqueue(20354) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
(10.210.31.1) (pf::api::desAssociate)


Just continues looping trying a vlan change.

I may blow away my ZEN install and start from scratch... but no guide for
Fortinet::FortiGate use.

On Thu, Jun 21, 2018 at 6:48 PM, Durand fabrice via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> hello Roo,
>
> did you enabled external captive portal in the switch config ? (can i see
> switches.conf ?)
>
> Can i see the whole registration process (packetfence.log) ?
>
> Regards
>
> Fabrice
>
> Le 2018-06-21 à 18:51, Roo via PacketFence-users a écrit :
>
> Hello, newer to Packetfence.  I've been able to setup a few things (802.1x
> wired/wireless, AD integration etc.)
>
> Struggling with Captive Portal on Fortigate external captive portal ie:
> http://cookbook.fortinet.com/using-an-external-captive-
> portal-for-wifi-security/
>
> I've got fortigate redirecting to Packetfence, and packet fence serving
> the portal, successfully authenticating to the portal, but it's not calling
> the Fortinet::FortiGate module to post back to the fortigate.. It's
> treating it like a VLAN reassignment instead of using the code for the
> switch type.
>
> I've defined the switch as type  Fortinet::FortiGate, tried to force it
> with switch Filter Engines ala the example:
> [login]
> filter = params.login
> operator = defined
>
> [post]
> filter = params.post
> operator = defined
>
> [magic]
> filter = params.magic
> operator = defined
>
> [usermac]
> filter = params.usermac
> operator = defined
>
> [apmac]
> filter = params.apmac
> operator = defined
>
> [apip]
> filter = params.apip
> operator = defined
>
> [userip]
> filter = params.userip
> operator = defined
>
> [1:login&post&magic&usermac&apmac&apip&userip]
> scope = external_portal
> switch = Fortinet::FortiGate
>
> Nothing seems to trigger the post back to the Fortigate.
> un 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
> default (pf::Connection::ProfileFactory::_from_profile)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
> http://pfn01.DOMAIN.com/?login since it points to the captive portal
> (captiveportal::PacketFence::DynamicRouting::Application::
> process_destination_url)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
> with the Fingerbank collector. 401 Unauthorized (pf::fingerbank::endpoint_
> attributes)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of uninitialized value
> in string ne at 
> /usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
> line 134.
>  (captiveportal::PacketFence::DynamicRouting::Application::
> process_fingerbank)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
> with the Fingerbank collector. 401 Unauthorized (pf::fingerbank::update_
> collector_endpoint_data)
> Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
> [mac:unknown] Error while communicating with the Fingerbank collector. 401
> Unauthorized (pf::fingerbank::endpoint_attributes)
> Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
> [mac:unknown] Unable to fetch query arguments for Fingerbank query.
> Aborting. (pf::fingerbank::process)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User default has
> authenticated on the portal. (Class::MOP::Class:::after)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
> (manage_register called) (pf::enforcement::reevaluate_access)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
> forced. (pf::enforcement::_should_we_reassign_vlan)
> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port is
> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
> (pf::enforcement::_vlan_reevaluation)
> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
> (10.210.31.1) (pf::api::desAssociate)
> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
> us.pm line 144. (pf::Switch::catch {...} )
> Jun 21 22:
>
> In my browser tools, I see Post url is set, magic value etc that the
> fortigate send to the portal...
>
> Also can't seem to get rid of those pesky fingerbank errors.. don't think
> thats related, but possible I suppose.
>
> Do you have an example of how to setup Fortigate external captive
> authentication and packetfence?  Other values I need to configure?  Sample
> for the Role by Web Auth URL?
>
> Cheers.
> Neil.
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> PacketFence-users mailing 
> listPacketFence-users@lists.sourceforge.nethttps://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users