Hello Roo,
probably related to that:
https://github.com/inverse-inc/packetfence/commit/ac196bd5f072e1fd8cfec0cc2a098c26824dfba4#diff-db0dd3a67b96e7fb44359d45258c282c
I will make a try.
Regards
Fabrice
On 2018-06-25 at 15:48, Roo wrote:
So I've got this figured out, but found what I believe is a
bug through the process that took me a bit to work through...
Durand, there is a code update at the end of this long email that made
this work. Not sure if it's a bug or not.
Just commentary so people understand: the process is that clients hit the
SSID and get DHCP etc., then the Fortigate/AP redirects (with a magic
token) to the external captive portal (Packetfence). Once
authenticated by packetfence, packetfence returns some client-side
javascript (read: it executes in your browser) to post back to the
fortigate the Username/Password/Magic Token, then the FortiGate/AP
controller makes a Radius request to Packetfence with the mac address
for username/password, which PF should now accept, and all is well.
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
In this example (going from memory, so I could have something wrong):
Fortigate Firewall/AP controller is 10.1.1.1, Packetfence is 10.1.1.2,
FortiAPs are on the subnet 10.1.2.0/24
Packetfence Setup:
1) setup packetfence with a Portal interface (either add the service
on mgmt - what I did or I'm sure it'll work via separate interface).
2) Add a switch for your Fortinet AP (I used subnet for many AP's) as
type: Fortinet::FortiGate, enable Portal enforcement, set your
"Controller IP" also to your Fortigate IP you will be doing radius from.
3) Add a switch for your Fortinet Firewall/APControllers as type:
Fortinet::FortiGate, enable Portal enforcement
Example:
[root@PacketFence-ZEN logs]# cat ../conf/switches.conf
[10.1.1.1]
description=Controller
type=Fortinet::FortiGate
radiusSecret= ubersecretencryptionkey
ExternalPortalEnforcement=Y
[10.1.2.0/24]
controllerIp=10.1.1.1
description= FortiAP's
type=Fortinet::FortiGate
cliAccess=Y
ExternalPortalEnforcement=Y
4) I added a test user to packetfence for username/pass authentication
in the captive Portal
Fortinet setup:
5) Setup Fortigate RADIUS Definition:
config user radius
edit "packetfencetest"
set server "10.1.1.2"
set secret ENC ubersecretencryptionkey
set nas-ip 10.210.1.1
next
end
Note - I had an issue of the Radius request not setting nas-ip which
sent radius requests from 0.0.0.0 which took some debugging to figure
out - just FYI.
6) Create the User group to associate Radius to the SSID:
config user group
edit "Captive_Guest_wifi"
set member "packetfencetest"
next
end
7) Setup an Interface for wifi subnet - I use a 3rd party dhcp server
but relay also to packetfence so it can discover the "nodes".
config system interface
edit "Guesttest"
set vdom "root"
set dhcp-relay-service enable
set ip 192.168.5.1 255.255.255.0
set allowaccess ping
set type vap-switch
set device-identification enable
set role lan
set dhcp-relay-ip "3rd party dhcp server" "10.1.1.2"
next
end
8) Setup Fortigate SSID - set the external-web auth URL (without
http/https) to the packetfence IP/DNS name, but append
/Fortinet::FortiGate - this tells packetfence to utilize that
authentication method (I was missing this at the start of my setup
which caused packetfence to think it was an 802.1x request and not
external portal).
config wireless-controller vap
edit "Guesttest"
set vdom "root"
set ssid "Guesttest"
set security captive-portal
set selected-usergroups "Captive_Guest_wifi"
set security-exempt-list "Guesttest-exempt-list"
set intra-vap-privacy enable
set schedule "always"
set external-web "10.1.1.2/Fortinet::FortiGate"
next
end
9) Setup your firewall policy for this interface for whatever access
you want, but precede it with the ability to access packetfence over
80/443 without authenticating (captive-portal-exempt)
config firewall policy
edit -1
set name "Packetfence registration"
set uuid 02365b36-73fb-51e8-c374-4048538de983
set srcintf "Guesttest"
set dstintf "any"
set srcaddr "all"
set dstaddr "Object for Packetfence"
set action accept
set schedule "always"
set service "HTTP" "HTTPS"
set captive-portal-exempt enable
next
edit -1
set name "Internet for Guests Dynamic IP Cal"
set srcintf "Guesttest"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set webfilter-profile "Guest_WebFilter"
set dnsfilter-profile "Guest_DNS"
set application-list "Guest_AppCtrl"
set profile-protocol-options "default"
set traffic-shaper "Guest_Ts"
set traffic-shaper-reverse "Guest_Ts"
set nat enable
next
end
*********************
I had a browser-side issue in multiple browsers: the client-side
JS (with the post back to the firewall) wasn't executing, due to the
content-security-policy delivered in the header disallowing inline JS...
so the request never made it back to the fortigate for the
second half of the process. I found the issue in the console logs of Chrome.
I fixed it via altering the source - *Durand*, if you deem it proper
(I know very little about Content-security-policy), please update.
In /usr/local/pf/lib/captiveportal.pm
Changed from:
$c->response->header('Content-Security-Policy' => "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' http://$captive_portal_network_detection_ip/; style-src 'self'; font-src 'self';");
To:
$c->response->header('Content-Security-Policy' => "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' http://$captive_portal_network_detection_ip/; style-src 'self' 'unsafe-inline'; font-src 'self';");
I believe all that was required was the script-src -
unsafe-inline/unsafe-eval but saw some style errors so added style-src
unsafe-inline also.
Now I'm off to set up CoA/deauthentication... and then try out an idea
for distributed architecture (will start a new email to discuss).
Cheers.
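The CSP change above trades the original header's protection against injected inline script for 'unsafe-inline' and 'unsafe-eval'. The following standalone checker is an added example, not PacketFence code and not something from the thread: it parses both header values quoted above, reports what the relaxed policy opens up, and builds a per-response nonce policy that lets the portal's own inline post-back script run without 'unsafe-inline'. It is written in Python rather than as Perl inside captiveportal.pm, and the detection IP is a constructed placeholder for the interpolated $captive_portal_network_detection_ip.

```python
"""Added example, not PacketFence code: inspect the two CSP header values
from the thread and build a nonce-based alternative to 'unsafe-inline'."""
import secrets
from typing import Dict, List, Optional

# Constructed placeholder for the interpolated $captive_portal_network_detection_ip.
DETECTION_IP = "192.0.2.10"
CSP_BEFORE = (
    "default-src 'none'; script-src 'self'; connect-src 'self'; "
    f"img-src 'self' http://{DETECTION_IP}/; style-src 'self'; font-src 'self';"
)
CSP_AFTER = (
    "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    f"connect-src 'self'; img-src 'self' http://{DETECTION_IP}/; "
    "style-src 'self' 'unsafe-inline'; font-src 'self';"
)
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def serialize_csp(policy: Dict[str, List[str]]) -> str:
    """Inverse of parse_csp, in the same 'name src src; ...;' shape as the header."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in policy.items()) + ";"


def effective_sources(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch-directive lookup with the same default-src fallback a browser applies."""
    return policy.get(directive, policy.get("default-src", []))


def unsafe_findings(header: str) -> List[str]:
    """Report what a reviewer would flag in script-src and style-src."""
    policy, findings = parse_csp(header), []
    for directive in ("script-src", "style-src"):
        srcs = effective_sources(policy, directive)
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in srcs)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present (CSP Level 2+),
        # so it only weakens the policy when neither is there.
        if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
            findings.append(f"{directive} allows any inline content ('unsafe-inline' with no nonce/hash)")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{directive} allows eval() and new Function()")
        if "*" in srcs:
            findings.append(f"{directive} allows any origin")
    return findings


def script_allowed(header: str, tag_nonce: Optional[str]) -> bool:
    """Browser decision for one inline <script nonce=...> under this policy."""
    srcs = effective_sources(parse_csp(header), "script-src")
    if tag_nonce and f"'nonce-{tag_nonce}'" in srcs:
        return True
    return "'unsafe-inline'" in srcs and not any(s.startswith(NONCE_OR_HASH) for s in srcs)


def new_nonce() -> str:
    """Per-response nonce: unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def build_nonce_csp(header: str, nonce: str) -> str:
    """Replace the relaxed script-src with 'self' plus this response's nonce.
    style-src is left as-is here, so unsafe_findings() still reports it."""
    policy = parse_csp(header)
    policy["script-src"] = ["'self'", f"'nonce-{nonce}'"]
    return serialize_csp(policy)


def inline_script_tag(nonce: str, body: str) -> str:
    """The matching tag the portal page would emit for its form auto-submit script."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    print("before:", unsafe_findings(CSP_BEFORE) or "clean")
    print("after: ", unsafe_findings(CSP_AFTER))
    n = new_nonce()
    hardened = build_nonce_csp(CSP_AFTER, n)
    print("nonce policy:", hardened)
    print("inline script runs:", script_allowed(hardened, n),
          "| without nonce:", script_allowed(hardened, None))
    print(inline_script_tag(n, "document.forms[0].submit();"))
```

The nonce must be generated fresh for every portal response and placed both in the header and on the script tag; a hash source ('sha256-...') of the script body is the equivalent for a template whose inline script never changes.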
On Fri, Jun 22, 2018 at 7:04 PM, Durand fabrice <[email protected]> wrote:
Packetfence doesn't detect that it's an external portal
authentication; the device is supposed to hit the portal with a
url like this:
https://<FGT_IP>/fgtauth?magic=session_id&username=<username>&password=<password>
Can I see httpd.portal.access?
Regards
Fabrice
On 2018-06-22 at 10:10, Roo wrote:
Yes, External portal is enabled..
[root@PacketFence-ZEN logs]# cat ../conf/switches.conf
#
# Copyright (C) 2005-2018 Inverse inc.
#
# See the enclosed file COPYING for license information (GPL).
# If you did not receive this file, see
# http://www.fsf.org/licensing/licenses/gpl.html
[default]
type=Fortinet::FortiGate
useCoA=N
[10.210.31.1]
description=calgaryforti
VlanMap=N
registrationUrl=http://myv1it-pfn.DOMAIN.com/Fortinet::FortiGate
macDetectionRole=macDetection
isolationRole=isolation
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
guestRole=Authorize_any
UrlMap=Y
useCoA=Y
ExternalPortalEnforcement=Y
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:unknown] Instantiate profile
CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19675) INFO:
[mac:unknown] Device Mac OS X is a Mac OS X or macOS
(pf::fingerbank::__ANON__)
Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19667) INFO:
[mac:unknown] Device Mac OS X is a Mac OS X or macOS
(pf::fingerbank::__ANON__)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources
null for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources
null for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match_rule)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule
(catchall) in source null, returning actions.
(pf::Authentication::Source::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources
null for matching (pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match
with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources
null for matching (pf::authentication::match)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] No provisioner
found for 78:31:c1:c1:b5:62. Continuing.
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] violation
1300003 force-closed for 78:31:c1:c1:b5:62
(pf::violation::violation_force_close)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://myv1it-pfn01.DOMAIN.com/?login since it points to the
captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Releasing
device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799 at
/usr/local/pf/lib/pf/util/radius.pm line 144.
(pf::Switch::catch {...} )
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default
has authenticated on the portal. (Class::MOP::Class:::after)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating
access of device.
(captiveportal::PacketFence::DynamicRouting::Module::Root::unknown_state)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating
access (manage_register called) (pf::enforcement::reevaluate_access)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced. (pf::enforcement::_should_we_reassign_vlan)
Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
(10.210.31.1) ifIndex external connection type: WiFi 802.1X
(pf::enforcement::_vlan_reevaluation)
Jun 22 14:02:10 PacketFence-ZEN pfqueue: pfqueue(20354) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on
switch (10.210.31.1) (pf::api::desAssociate)
Just continues looping trying a vlan change.
I may blow away my ZEN install and start from scratch... but no
guide for Fortinet::FortiGate use.
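The log above shows the same cycle every few seconds: "re-evaluating access", the connection classified as "WiFi 802.1X", a deauthentication attempt, and "No answer from 10.210.31.1 on port 3799". As an added triage helper (not from the thread and not part of PacketFence), the script below parses lines in that packetfence.log format, counts the cycle per MAC address and surfaces the two symptoms worth checking first: the NAS not answering RADIUS Disconnect on the CoA port, and the device being handled as 802.1X rather than as an external portal. The sample log is constructed in the same line format with a placeholder MAC and switch address.

```python
"""Added triage helper, not part of PacketFence: detect the re-evaluate/deauth
loop visible in the thread's packetfence.log excerpt. The sample log below is
constructed in the same line format; the MAC and switch address are placeholders."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# "Jun 22 14:01:50 HOST packetfence_httpd.portal: httpd.portal(19343) INFO: [mac:..] msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ \S+: \S+ "
    r"(?P<level>INFO|WARN|ERROR): \[mac:(?P<mac>[^\]]+)\] (?P<msg>.*)$"
)
DISCONNECT_FAIL_RE = re.compile(
    r"Unable to perform RADIUS Disconnect-Request: No answer from (?P<switch>\S+) on port (?P<port>\d+)"
)
CONN_TYPE_RE = re.compile(r"connection type: (?P<ctype>.+?) \(pf::")


def _new_record() -> dict:
    return {"reevaluations": 0, "disconnect_failures": 0,
            "unanswered": set(), "connection_types": set()}


def analyse(lines: Iterable[str]) -> Dict[str, dict]:
    """Aggregate the loop indicators per MAC address."""
    per_mac: Dict[str, dict] = defaultdict(_new_record)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or foreign line, not in the expected format
        rec, msg = per_mac[m["mac"]], m["msg"]
        if msg.startswith("re-evaluating access"):
            rec["reevaluations"] += 1
        fail = DISCONNECT_FAIL_RE.search(msg)
        if fail:
            rec["disconnect_failures"] += 1
            rec["unanswered"].add(f"{fail['switch']}:{fail['port']}")
        ctype = CONN_TYPE_RE.search(msg)
        if ctype:
            rec["connection_types"].add(ctype["ctype"])
    return dict(per_mac)


def findings(per_mac: Dict[str, dict], loop_threshold: int = 3) -> List[str]:
    """Turn the counters into the hints a first pass over this log should give."""
    out = []
    for mac, rec in sorted(per_mac.items()):
        if rec["reevaluations"] >= loop_threshold and rec["disconnect_failures"] >= loop_threshold:
            out.append(f"{mac}: {rec['reevaluations']} access re-evaluations with "
                       f"{rec['disconnect_failures']} unanswered RADIUS Disconnect-Requests to "
                       f"{', '.join(sorted(rec['unanswered']))}; the NAS is not answering "
                       f"CoA/Disconnect on that port")
        if "WiFi 802.1X" in rec["connection_types"] and rec["disconnect_failures"]:
            out.append(f"{mac}: connection classified as WiFi 802.1X, not external portal; for a "
                       f"FortiGate check ExternalPortalEnforcement and the /Fortinet::FortiGate "
                       f"suffix on the portal URL")
    return out


def _cycle(sec: int, mac: str, switch: str) -> List[str]:
    """One iteration of the loop, constructed in the thread's log format."""
    t = f"Jun 22 14:02:{sec:02d} pf-test"
    return [
        f"{t} packetfence_httpd.portal: httpd.portal(100) INFO: [mac:{mac}] re-evaluating access "
        f"(manage_register called) (pf::enforcement::reevaluate_access)",
        f"{t} packetfence_httpd.portal: httpd.portal(100) INFO: [mac:{mac}] switch port is ({switch}) "
        f"ifIndex external connection type: WiFi 802.1X (pf::enforcement::_vlan_reevaluation)",
        f"{t} pfqueue: pfqueue(200) INFO: [mac:{mac}] deauthenticating (pf::Switch::radiusDisconnect)",
        f"{t} pfqueue: pfqueue(200) WARN: [mac:{mac}] Unable to perform RADIUS Disconnect-Request: "
        f"No answer from {switch} on port 3799 at /usr/local/pf/lib/pf/util/radius.pm line 144. "
        f"(pf::Switch::catch {{...}} )",
    ]


SAMPLE_MAC, SAMPLE_SWITCH = "00:11:22:33:44:55", "192.0.2.1"  # constructed placeholders
SAMPLE_LOG = [line for s in (0, 3, 5, 8) for line in _cycle(s, SAMPLE_MAC, SAMPLE_SWITCH)]
SAMPLE_LOG.append("Jun 22 14:02:09 pf-test packetfence_httpd.portal: httpd.portal(100) INFO: "
                  "[mac:unknown] Instantiate profile default (pf::Connection::ProfileFactory::_from_profile)")

if __name__ == "__main__":
    for hint in findings(analyse(SAMPLE_LOG)):
        print(hint)
```

To run it on a real file, feed the lines of /usr/local/pf/logs/packetfence.log to analyse() after joining any lines a mail client wrapped.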
On Thu, Jun 21, 2018 at 6:48 PM, Durand fabrice via
PacketFence-users <[email protected]> wrote:
Hello Roo,
Did you enable the external captive portal in the switch config?
(Can I see switches.conf?)
Can I see the whole registration process (packetfence.log)?
Regards
Fabrice
On 2018-06-21 at 18:51, Roo via PacketFence-users wrote:
Hello, newer to Packetfence. I've been able to set up a few
things (802.1x wired/wireless, AD integration etc.)
Struggling with Captive Portal on Fortigate external captive
portal, i.e.:
http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
I've got fortigate redirecting to Packetfence, and Packetfence
serving the portal, successfully authenticating to the
portal, but it's not calling the Fortinet::FortiGate module
to post back to the fortigate. It's treating it like a VLAN
reassignment instead of using the code for the switch type.
I've defined the switch as type Fortinet::FortiGate, and tried
to force it with switch Filter Engines a la the example:
[login]
filter = params.login
operator = defined
[post]
filter = params.post
operator = defined
[magic]
filter = params.magic
operator = defined
[usermac]
filter = params.usermac
operator = defined
[apmac]
filter = params.apmac
operator = defined
[apip]
filter = params.apip
operator = defined
[userip]
filter = params.userip
operator = defined
[1:login&post&magic&usermac&apmac&apip&userip]
scope = external_portal
switch = Fortinet::FortiGate
Nothing seems to trigger the post back to the Fortigate.
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Instantiate
profile default (pf::Connection::ProfileFactory::_from_profile)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing
destination URL http://pfn01.DOMAIN.com/?login since it
points to the captive portal
(captiveportal::PacketFence::DynamicRouting::Application::process_destination_url)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error
while communicating with the Fingerbank collector. 401
Unauthorized (pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of
uninitialized value in string ne at
/usr/local/pf/lib/captiveportal/PacketFence/DynamicRouting/Application.pm
line 134.
(captiveportal::PacketFence::DynamicRouting::Application::process_fingerbank)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error
while communicating with the Fingerbank collector. 401
Unauthorized (pf::fingerbank::update_collector_endpoint_data)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009)
ERROR: [mac:unknown] Error while communicating with the
Fingerbank collector. 401 Unauthorized
(pf::fingerbank::endpoint_attributes)
Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009)
ERROR: [mac:unknown] Unable to fetch query arguments for
Fingerbank query. Aborting. (pf::fingerbank::process)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing
device
(captiveportal::PacketFence::DynamicRouting::Module::Root::release)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User
default has authenticated on the portal.
(Class::MOP::Class:::after)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62]
re-evaluating access (manage_register called)
(pf::enforcement::reevaluate_access)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN
reassignment is forced.
(pf::enforcement::_should_we_reassign_vlan)
Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port
is (10.210.31.1) ifIndex external connection type: WiFi
802.1X (pf::enforcement::_vlan_reevaluation)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating
mac on switch (10.210.31.1) (pf::api::desAssociate)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
[mac:78:31:c1:c1:b5:62] deauthenticating
(pf::Switch::radiusDisconnect)
Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
[mac:78:31:c1:c1:b5:62] Unable to perform RADIUS
Disconnect-Request: No answer from 10.210.31.1 on port 3799
at /usr/local/pf/lib/pf/util/radius.pm
line 144. (pf::Switch::catch {...} )
Jun 21 22:
In my browser tools, I see the Post url is set, magic value etc.
that the fortigate sends to the portal...
Also can't seem to get rid of those pesky fingerbank
errors.. don't think that's related, but possible I suppose.
Do you have an example of how to setup Fortigate external
captive authentication and packetfence? Other values I need
to configure? Sample for the Role by Web Auth URL?
Cheers.
Neil.
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users