PacketFence doesn't detect that it's an external portal authentication,
the device is supposed to hit the portal with a URL like this:
https://<FGT_IP>/fgtauth?magic=session_id&username=<username>&password=<password>
Can I see httpd.portal.access?
Regards
Fabrice
On 2018-06-22 at 10:10, Roo wrote:
Yes, External portal is enabled..
[root@PacketFence-ZEN logs]# cat ../conf/switches.conf
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Fortinet::FortiGate
useCoA=N
[10.210.31.1]
description=calgaryforti
VlanMap=N
registrationUrl=http://myv1it-pfn.DOMAIN.com/Fortinet::FortiGate
macDetectionRole=macDetection
isolationRole=isolation
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
guestRole=Authorize_any
UrlMap=Y
useCoA=Y
ExternalPortalEnforcement=Y
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:unknown] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19675) INFO:
[mac:unknown] Device Mac OS X is a Mac OS X or macOS
(pf::fingerbank::__ANON__)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19667) INFO:
[mac:unknown] Device Mac OS X is a Mac OS X or macOS
(pf::fingerbank::__ANON__)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points
to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points
to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points
to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null
for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null
for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null
for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null
for matching (pf::authentication::match)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points
to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] No provisioner found
for 78:31:c1:c1:b5:62. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] violation 1300003
force-closed for 78:31:c1:c1:b5:62 (pf::violation::violation_force_close)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points
to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access
of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:10 PacketFence-ZEN pfqueue: pfqueue(20354) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Just continues looping trying a vlan change.
I may blow away my ZEN install and start from scratch... but no guide
for Fortinet::FortiGate use.
On Thu, Jun 21, 2018 at 6:48 PM, Durand fabrice via PacketFence-users
<[email protected]> wrote:
Hello Roo,
Did you enable the external captive portal in the switch config?
(Can I see switches.conf?)
Can I see the whole registration process (packetfence.log)?
Regards
Fabrice
On 2018-06-21 at 18:51, Roo via PacketFence-users wrote:
Hello, newer to PacketFence. I've been able to set up a few
things (802.1x wired/wireless, AD integration etc.)
Struggling with Captive Portal on FortiGate external captive
portal, i.e.:
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
I've got the FortiGate redirecting to PacketFence, and PacketFence
serving the portal, successfully authenticating to the portal,
but it's not calling the Fortinet::FortiGate module to post back
to the FortiGate. It's treating it like a VLAN reassignment
instead of using the code for the switch type.
I've defined the switch as type Fortinet::FortiGate, tried to
force it with switch Filter Engines à la the example:
[login]
filter = params.login
operator = defined
[post]
filter = params.post
operator = defined
[magic]
filter = params.magic
operator = defined
[usermac]
filter = params.usermac
operator = defined
[apmac]
filter = params.apmac
operator = defined
[apip]
filter = params.apip
operator = defined
[userip]
filter = params.userip
operator = defined
[1:login&post&magic&usermac&apmac&apip&userip]
scope = external_portal
switch = Fortinet::FortiGate
Nothing seems to trigger the post back to the Fortigate.
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://pfn01.DOMAIN.com/?login since it points to
the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while
communicating with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of
uninitialized value in string ne at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
line 134.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while
communicating with the Fingerbank collector. 401 Unauthorized
(pf::fingerbank::update_collector_endpoint_data)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
[mac:unknown] Error while communicating with the Fingerbank
collector. 401 Unauthorized (pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
[mac:unknown] Unable to fetch query arguments for Fingerbank
query. Aborting. (pf::fingerbank::process)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User default has
authenticated on the portal. (Class::MOP::Class:::after)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 21 22:
In my browser tools, I see the post URL is set, magic value etc. that
the FortiGate sends to the portal...
Also can't seem to get rid of those pesky Fingerbank errors..
don't think that's related, but possible I suppose.
Do you have an example of how to set up FortiGate external captive
authentication and PacketFence? Other values I need to
configure? Sample for the Role by Web Auth URL?
Cheers.
Neil.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
<https://lists.sourceforge.net/lists/listinfo/packetfence-users>
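The loop visible in the logs above (access re-evaluation followed by an unanswered RADIUS Disconnect-Request to the FortiGate on port 3799) can be picked out of a wrapped packetfence.log mechanically. The following Python sketch is an added example, not part of the original thread or of PacketFence; the sample input is constructed from the log lines quoted in the thread, and the function names and the threshold of three failures are assumptions.

```python
import re
from collections import defaultdict

# A record starts with a syslog timestamp; other lines are wrapped continuations.
HEADER = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2} ")
RECORD = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) (?P<host>\S+) (?P<svc>[^:]+): "
    r"(?P<proc>\S+)\((?P<pid>\d+)\) (?P<level>[A-Z]+): "
    r"\[mac:(?P<mac>[^\]]+)\] (?P<msg>.*)$"
)
REEVAL = "pf::enforcement::reevaluate_access"
DISCONNECT_FAIL = re.compile(
    r"Unable to perform RADIUS Disconnect-Request: "
    r"No answer from (?P<ip>\S+) on port (?P<port>\d+)"
)

# Constructed sample: one cycle from the thread's log, repeated with new timestamps.
_CYCLE = """\
Jun 22 14:02:{s:02d} PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
(manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:{s:02d} PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:{t:02d} PacketFence-ZEN pfqueue: pfqueue(20351) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request:
No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {{...}} )
"""
SAMPLE = (
    "Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19675) INFO:\n"
    "[mac:unknown] Device Mac OS X is a Mac OS X or macOS\n"
    "(pf::fingerbank::__ANON__)\n"
    + "".join(_CYCLE.format(s=s, t=s + 1) for s in (2, 4, 8))
)


def unwrap(text):
    """Join mail-wrapped continuation lines back into one record per event."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if HEADER.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def find_loops(text, threshold=3):
    """Return MACs whose re-evaluations keep ending in unanswered disconnects."""
    stats = defaultdict(lambda: {"reevaluations": 0, "failed_disconnects": 0,
                                 "targets": set(), "first": None, "last": None})
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m:
            continue  # truncated or foreign line, skip it
        fail = DISCONNECT_FAIL.search(m["msg"])
        s = stats[m["mac"]]
        if REEVAL in m["msg"]:
            s["reevaluations"] += 1
        elif fail:
            s["failed_disconnects"] += 1
            s["targets"].add((fail["ip"], int(fail["port"])))
        else:
            continue
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return {mac: s for mac, s in stats.items()
            if s["failed_disconnects"] >= threshold}


if __name__ == "__main__":
    for mac, s in find_loops(SAMPLE).items():
        print(mac, s["reevaluations"], s["failed_disconnects"],
              sorted(s["targets"]), s["first"], s["last"])
```

A MAC flagged here is re-evaluated repeatedly while the switch never answers the disconnect, which matches the symptom described in the thread.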