This seems to work (reusing the data-autosubmit function)

[root@PacketFence-ZEN pf]# diff -u
./lib/pf/Switch/Fortinet/FortiGate.pm.orig
./lib/pf/Switch/Fortinet/FortiGate.pm
--- ./lib/pf/Switch/Fortinet/FortiGate.pm.orig  2018-06-23
14:37:57.759748442 +0000
+++ ./lib/pf/Switch/Fortinet/FortiGate.pm       2018-06-23
14:38:42.012368287 +0000
@@ -146,15 +146,13 @@
     my $post = $cgi_session->param("ecwp-original-param-post");

     my $html_form = qq[
-        <form name="weblogin_form" method="POST" action="$post">
+        <form name="weblogin_form" data-autosubmit="1000" method="POST"
action="$post">
             <input type="hidden" name="username" value="$mac">
             <input type="hidden" name="password" value="$mac">
             <input type="hidden" name="magic" value="$magic">
             <input type="submit" style="display:none;">
         </form>
-        <script language="JavaScript" type="text/javascript">
-        window.setTimeout('document.weblogin_form.submit();', 1000);
-        </script>
+       <script src="/content/autosubmit.js"
type="text/javascript"></script>
     ];

     $logger->debug("Generated the following html form : ".$html_form);
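Review bot: the unchanged submit input still carries style="display:none;", an inline style attribute that the portal's style-src 'self' policy (quoted later in this thread) refuses, so with the inline script removed this is the one remaining CSP violation in the generated form; the hidden attribute or a class from a same-origin stylesheet would avoid it. The new script tag assumes /content/autosubmit.js treats data-autosubmit="1000" as a delay in milliseconds, which is not visible in this hunk, so a short comment above the form saying so would help the next reader. Separately, $post, $mac and $magic are interpolated into attribute values without HTML escaping, and the debug call on the last context line writes the whole form, magic token included, to the log.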


May need to be worked into the other webauth wifi's too:
[root@PacketFence-ZEN pf]# grep -R weblogin_form.submit *
lib/pf/Switch/Meraki/MR.pm:
window.setTimeout('document.weblogin_form.submit();', 1000);
lib/pf/Switch/Mikrotik.pm:
window.setTimeout('document.weblogin_form.submit();', 1000);
lib/pf/Switch/Ruckus.pm:
window.setTimeout('document.weblogin_form.submit();', 1000);

Cheers,
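
Added example (not part of the original message and not PacketFence code): a simplified evaluation of the two Content-Security-Policy values quoted later in this thread against what the FortiGate auto-submit page emits before and after the patch above. The IP 192.0.2.1 is a constructed stand-in for $captive_portal_network_detection_ip, the function and field names are hypothetical, and host-source matching and 'strict-dynamic' are left out.

```javascript
// Added example: simplified CSP check for the FortiGate auto-submit page.
// The header values are the two quoted in the thread; 192.0.2.1 is a
// constructed stand-in for $captive_portal_network_detection_ip.
const STRICT_CSP =
  "default-src 'none'; script-src 'self'; connect-src 'self'; " +
  "img-src 'self' http://192.0.2.1/; style-src 'self'; font-src 'self';";
const RELAXED_CSP =
  "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
  "connect-src 'self'; img-src 'self' http://192.0.2.1/; " +
  "style-src 'self' 'unsafe-inline'; font-src 'self';";

// Split a header value into a map of directive name -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Fetch directives fall back to default-src; null means "not restricted".
function sourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

// CSP keywords are matched case-insensitively.
function hasKeyword(list, keyword) {
  return list.some((s) => s.toLowerCase() === keyword);
}

// Inline code needs 'unsafe-inline', and browsers ignore that keyword as
// soon as the same list also carries a nonce or hash source.
function allowsInline(list) {
  if (list === null) return true;
  const nonceOrHash = list.some((s) => /^'(nonce|sha256|sha384|sha512)-/i.test(s));
  return hasKeyword(list, "'unsafe-inline'") && !nonceOrHash;
}

// Report which parts of the generated page a given policy lets through.
function evaluatePortalPage(header) {
  const policy = parseCsp(header);
  const script = sourceList(policy, 'script-src');
  const style = sourceList(policy, 'style-src');
  const weakening = [];
  for (const [name, list] of policy) {
    for (const kw of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (hasKeyword(list, kw)) weakening.push(`${name} ${kw}`);
    }
  }
  return {
    // Pre-patch: the inline <script> block in the form.
    inlineScript: allowsInline(script),
    // Pre-patch: setTimeout() called with a string, which is eval-like.
    stringTimer: script === null || hasKeyword(script, "'unsafe-eval'"),
    // Post-patch: <script src="/content/autosubmit.js"> from the portal itself.
    sameOriginScript:
      script === null || hasKeyword(script, "'self'") || script.includes('*'),
    // Both versions: style="display:none;" on the submit input.
    inlineStyleAttr: allowsInline(style),
    // form-action has no default-src fallback, so the POST to the FortiGate
    // is unrestricted unless that directive is present.
    formPostUnrestricted: !policy.has('form-action'),
    // Keywords that loosen the policy, as "directive keyword" strings.
    weakening,
  };
}

console.log('strict :', evaluatePortalPage(STRICT_CSP));
console.log('relaxed:', evaluatePortalPage(RELAXED_CSP));
```

Under the stricter value only the same-origin script file and the form POST pass, which matches the patch above working without the 'unsafe-inline' and 'unsafe-eval' additions.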


On Mon, Jun 25, 2018 at 4:54 PM, Durand fabrice <[email protected]> wrote:

> Hello Roo,
>
> probably related to that:
>
> https://github.com/inverse-inc/packetfence/commit/ac196bd5f072e1fd8cfec0cc2a098c26824dfba4#diff-db0dd3a67b96e7fb44359d45258c282c
>
> I will make a try.
>
> Regards
>
> Fabrice
>
>
>
> Le 2018-06-25 à 15:48, Roo a écrit :
>
> So I've got this figured out, but found a bit of what I believe is a bug
> through the process that took me a bit to work through...
>
> Durand, there is a code update at the end of this long email that made
> this work.. not sure if it's a bug or not.
>
>
> Just commentary so people understand - the process is clients hit the SSID
> and get dhcp etc, then the Fortigate/AP redirects (with a magic token) to
> the external captive portal (Packetfence).  Once authenticated by
> packetfence, packetfence returns some client side javascript (read - it
> executes in your browser) to post back to the fortigate the
> Username/Password/Magic Token, then the FortiGate/AP controller makes a
> Radius request to Packetfence with the mac address for username/password,
> which PF should now accept, and all is well.
> http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
>
> In this example (going from memory so could hit something wrong) -
> Fortigate Firewall/AP controller is 10.1.1.1, Packetfence is 10.1.1.2,
> Fortiap's are on the subnet 10.1.2.0/24
>
> Packetfence Setup:
> 1) setup packetfence with a Portal interface (either add the service on
> mgmt - what I did or I'm sure it'll work via separate interface).
> 2) Add a switch for your Fortinet AP (I used subnet for many AP's) as
> type:  Fortinet::FortiGate, enable Portal enforcement, set your
> "Controller IP" also to your Fortigate IP you will be doing radius from.
> 3) Add a switch for your Fortinet Firewall/APControllers as type: 
> Fortinet::FortiGate,
> enable Portal enforcement
>
> Example:
> [root@PacketFence-ZEN logs]# cat ../conf/switches.conf
> [10.1.1.1]
> description=Controller
> type=Fortinet::FortiGate
> radiusSecret= ubersecretencryptionkey
> ExternalPortalEnforcement=Y
>
> [10.1.2.0/24]
> controllerIp=10.1.1.1
> description= FortiAP's
> type=Fortinet::FortiGate
> cliAccess=Y
> ExternalPortalEnforcement=Y
>
> 4) I added a test user to packetfence for username/pass authentication in
> the captive Portal
>
> Fortinet setup:
> 5) Setup Fortigate RADIUS Definition:
> config user radius
>     edit "packetfencetest"
>         set server "10.1.1.2"
>         set secret ENC ubersecretencryptionkey
>         set nas-ip 10.210.1.1
>     next
> end
>
> Note - I had an issue of the Radius request not setting nas-ip which sent
> radius requests from 0.0.0.0 which took some debugging to figure out - just
> FYI.
>
> 6) Create the User group to associate Radius to the SSID:
> config user group
>     edit "Captive_Guest_wifi"
>         set member "packetfencetest"
>     next
> end
>
> 7) Setup an Interface for wifi subnet  - I use a 3rd party dhcp server but
> relay also to packetfence so it can discover the "nodes".
> config system interface
>     edit "Guesttest"
>         set vdom "root"
>         set dhcp-relay-service enable
>         set ip 192.168.5.1 255.255.255.0
>         set allowaccess ping
>         set type vap-switch
>         set device-identification enable
>         set role lan
>         set dhcp-relay-ip "3rd party dhcp server" "10.1.1.2"
>     next
> end
>
>
> 8) Setup Fortigate SSID - set the external-web auth URL (without
> http/https) to the packetfence IP/DNS name, but append /Fortinet::FortiGate
> - this tells packetfence to utilize that authentication method (I was
> missing this at the start of my setup which caused packetfence to think it
> was an 802.1x request and not external portal).
>
>
> config wireless-controller vap
>     edit "Guesttest"
>         set vdom "root"
>         set ssid "Guesttest"
>         set security captive-portal
>         set selected-usergroups "Captive_Guest_wifi"
>         set security-exempt-list "Guesttest-exempt-list"
>         set intra-vap-privacy enable
>         set schedule "always"
>         set external-web "10.1.1.2/Fortinet::FortiGate"
>     next
> end
>
>
>
> 9) Setup your firewall policy for this interface for whatever access you
> want, but precede it with the ability to access packetfence over 80/443
> without authenticating (captive-portal-exempt)
>
> config firewall policy
> edit -1
>         set name "Packetfence registration"
>         set uuid 02365b36-73fb-51e8-c374-4048538de983
>         set srcintf "Guesttest"
>         set dstintf "any"
>         set srcaddr "all"
>         set dstaddr "Object for Packetfence"
>         set action accept
>         set schedule "always"
>         set service "HTTP" "HTTPS"
>         set captive-portal-exempt enable
>     next
> edit -1
>         set name "Internet for Guests Dynamic IP Cal"
>         set srcintf "Guesttest"
>         set dstintf "wan1"
>         set srcaddr "all"
>         set dstaddr "all"
>         set action accept
>         set schedule "always"
>         set service "ALL"
>         set utm-status enable
>         set webfilter-profile "Guest_WebFilter"
>         set dnsfilter-profile "Guest_DNS"
>         set application-list "Guest_AppCtrl"
>         set profile-protocol-options "default"
>         set traffic-shaper "Guest_Ts"
>         set traffic-shaper-reverse "Guest_Ts"
>         set nat enable
>     next
> end
>
>
> *********************
> I had a browser side issue in multiple browsers that the client side JS
> wasn't executing due to the content-security-policy delivered in the header
> disallowing inline JS with the post back to the firewall to run... so the
> request never made it back to the fortigate for the second half of the
> process. I found the issue in console logs of Chrome.
>
> I fixed it via altering the source - *Durand*, if you deem it proper (I
> know very little about Content-security-policy), please update.
>
> In /usr/local/pf/lib/captiveportal.pm
> Changed from:
>     $c->response->header('Content-Security-Policy' => "default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self' http://$captive_portal_network_detection_ip/; style-src 'self'; font-src 'self';");
>
> To:
>     $c->response->header('Content-Security-Policy' => "default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; connect-src 'self'; img-src 'self' http://$captive_portal_network_detection_ip/; style-src 'self' 'unsafe-inline'; font-src 'self';");
>
> I believe all that was required was the script-src -
> unsafe-inline/unsafe-eval but saw some style errors so added style-src
> unsafe-inline also.
>
> Now I'm off to setup COA/deauthentication.. and then try out an idea for
> distributed architecture (Will start a new email to discuss).
>
> Cheers.
>
> On Fri, Jun 22, 2018 at 7:04 PM, Durand fabrice <[email protected]>
> wrote:
>
>> Packetfence doesn't detect that it's an external portal authentication,
>> the device is supposed to hit the portal with an url like that:
>>
>>  https://<FGT_IP>/fgtauth?magic=session_id&username=<username>&password=<password>
>>
>> Can I see httpd.portal.access ?
>>
>> Regards
>>
>> Fabrice
>>
>>
>>
>>
>> Le 2018-06-22 à 10:10, Roo a écrit :
>>
>> Yes, External portal is enabled..
>>
>>
>> [root@PacketFence-ZEN logs]# cat ../conf/switches.conf
>> #
>> # Copyright (C) 2005-2018 Inverse inc.
>> #
>> # See the enclosed file COPYING for license information (GPL).
>> # If you did not receive this file, see
>> # http://www.fsf.org/licensing/licenses/gpl.html
>> [default]
>> type=Fortinet::FortiGate
>> useCoA=N
>>
>> [10.210.31.1]
>> description=calgaryforti
>> VlanMap=N
>> registrationUrl=http://myv1it-pfn.DOMAIN.com/Fortinet::FortiGate
>> macDetectionRole=macDetection
>> isolationRole=isolation
>> defaultRole=Authorize_any
>> registrationRole=Pre-Auth-For-WebRedirect
>> guestRole=Authorize_any
>> UrlMap=Y
>> useCoA=Y
>> ExternalPortalEnforcement=Y
>>
>> Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:unknown] Instantiate profile CaptiveWifi
>> (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:34 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19675) INFO:
>> [mac:unknown] Device Mac OS X is a Mac OS X or macOS
>> (pf::fingerbank::__ANON__)
>> Jun 22 14:01:35 PacketFence-ZEN pfqueue: pfqueue(19667) INFO:
>> [mac:unknown] Device Mac OS X is a Mac OS X or macOS
>> (pf::fingerbank::__ANON__)
>> Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>> http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive
>> portal (captiveportal::PacketFence::DynamicRouting::Application::pr
>> ocess_destination_url)
>> Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:42 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>> http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive
>> portal (captiveportal::PacketFence::DynamicRouting::Application::pr
>> ocess_destination_url)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>> http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive
>> portal (captiveportal::PacketFence::DynamicRouting::Application::pr
>> ocess_destination_url)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
>> empty/invalid rule class. Defaulting to 'authentication'
>> (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
>> matching (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
>> in source null, returning actions. (pf::Authentication::Source::m
>> atch_rule)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
>> in source null, returning actions. (pf::Authentication::Source::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
>> empty/invalid rule class. Defaulting to 'authentication'
>> (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
>> matching (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
>> in source null, returning actions. (pf::Authentication::Source::m
>> atch_rule)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Matched rule (catchall)
>> in source null, returning actions. (pf::Authentication::Source::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
>> empty/invalid rule class. Defaulting to 'authentication'
>> (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
>> matching (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) WARN: [mac:78:31:c1:c1:b5:62] Calling match with
>> empty/invalid rule class. Defaulting to 'authentication'
>> (pf::authentication::match)
>> Jun 22 14:01:48 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Using sources null for
>> matching (pf::authentication::match)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>> http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive
>> portal (captiveportal::PacketFence::DynamicRouting::Application::pr
>> ocess_destination_url)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] No provisioner found for
>> 78:31:c1:c1:b5:62. Continuing. (captiveportal::PacketFence::D
>> ynamicRouting::Module::Provisioning::execute_child)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] violation 1300003
>> force-closed for 78:31:c1:c1:b5:62 (pf::violation::violation_force_close)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>> http://myv1it-pfn01.DOMAIN.com/?login since it points to the captive
>> portal (captiveportal::PacketFence::DynamicRouting::Application::pr
>> ocess_destination_url)
>> Jun 22 14:01:49 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
>> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
>> Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:01:50 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19343) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>> Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) INFO:
>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>> Jun 22 14:01:51 PacketFence-ZEN pfqueue: pfqueue(20344) WARN:
>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>> us.pm line 144. (pf::Switch::catch {...} )
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:01:59 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>> Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) INFO:
>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>> Jun 22 14:02:00 PacketFence-ZEN pfqueue: pfqueue(20345) WARN:
>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>> us.pm line 144. (pf::Switch::catch {...} )
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:02:02 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>> Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) INFO:
>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>> Jun 22 14:02:03 PacketFence-ZEN pfqueue: pfqueue(20351) WARN:
>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>> us.pm line 144. (pf::Switch::catch {...} )
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:02:04 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>> Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) INFO:
>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>> Jun 22 14:02:05 PacketFence-ZEN pfqueue: pfqueue(20352) WARN:
>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>> us.pm line 144. (pf::Switch::catch {...} )
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:02:05 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>> Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) INFO:
>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>> Jun 22 14:02:06 PacketFence-ZEN pfqueue: pfqueue(20353) WARN:
>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>> us.pm line 144. (pf::Switch::catch {...} )
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:02:08 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19480) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>> CaptiveWifi (pf::Connection::ProfileFactory::_from_profile)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] User default has
>> authenticated on the portal. (Class::MOP::Class:::after)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] Reevaluating access of
>> device. (captiveportal::PacketFence::DynamicRouting::Module::Root::u
>> nknown_state)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>> (manage_register called) (pf::enforcement::reevaluate_access)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>> forced. (pf::enforcement::_should_we_reassign_vlan)
>> Jun 22 14:02:09 PacketFence-ZEN packetfence_httpd.portal:
>> httpd.portal(19972) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>> (pf::enforcement::_vlan_reevaluation)
>> Jun 22 14:02:10 PacketFence-ZEN pfqueue: pfqueue(20354) INFO:
>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>> (10.210.31.1) (pf::api::desAssociate)
>>
>>
>> Just continues looping trying a vlan change.
>>
>> I may blow away my ZEN install and start from scratch... but no guide for
>> Fortinet::FortiGate use.
>>
>> On Thu, Jun 21, 2018 at 6:48 PM, Durand fabrice via PacketFence-users <
>> [email protected]> wrote:
>>
>>> hello Roo,
>>>
>>> did you enable external captive portal in the switch config ? (can I
>>> see switches.conf ?)
>>>
>>> Can I see the whole registration process (packetfence.log) ?
>>>
>>> Regards
>>>
>>> Fabrice
>>>
>>> Le 2018-06-21 à 18:51, Roo via PacketFence-users a écrit :
>>>
>>> Hello, newer to Packetfence.  I've been able to setup a few things
>>> (802.1x wired/wireless, AD integration etc.)
>>>
>>> Struggling with Captive Portal on Fortigate external captive portal ie:
>>> http://cookbook.fortinet.com/using-an-external-captive-portal-for-wifi-security/
>>>
>>> I've got fortigate redirecting to Packetfence, and packet fence serving
>>> the portal, successfully authenticating to the portal, but it's not calling
>>> the Fortinet::FortiGate module to post back to the fortigate.. It's
>>> treating it like a VLAN reassignment instead of using the code for the
>>> switch type.
>>>
>>> I've defined the switch as type  Fortinet::FortiGate, tried to force it
>>> with switch Filter Engines ala the example:
>>> [login]
>>> filter = params.login
>>> operator = defined
>>>
>>> [post]
>>> filter = params.post
>>> operator = defined
>>>
>>> [magic]
>>> filter = params.magic
>>> operator = defined
>>>
>>> [usermac]
>>> filter = params.usermac
>>> operator = defined
>>>
>>> [apmac]
>>> filter = params.apmac
>>> operator = defined
>>>
>>> [apip]
>>> filter = params.apip
>>> operator = defined
>>>
>>> [userip]
>>> filter = params.userip
>>> operator = defined
>>>
>>> [1:login&post&magic&usermac&apmac&apip&userip]
>>> scope = external_portal
>>> switch = Fortinet::FortiGate
>>>
>>> Nothing seems to trigger the post back to the Fortigate.
>>> un 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Instantiate profile
>>> default (pf::Connection::ProfileFactory::_from_profile)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Replacing destination URL
>>> http://pfn01.DOMAIN.com/?login since it points to the captive portal
>>> (captiveportal::PacketFence::DynamicRouting::Application::pr
>>> ocess_destination_url)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
>>> with the Fingerbank collector. 401 Unauthorized
>>> (pf::fingerbank::endpoint_attributes)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) WARN: [mac:78:31:c1:c1:b5:62] Use of uninitialized value
>>> in string ne at /usr/local/pf/lib/captiveporta
>>> l/PacketFence/DynamicRouting/Application.pm line 134.
>>>  (captiveportal::PacketFence::DynamicRouting::Application::p
>>> rocess_fingerbank)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) ERROR: [mac:78:31:c1:c1:b5:62] Error while communicating
>>> with the Fingerbank collector. 401 Unauthorized
>>> (pf::fingerbank::update_collector_endpoint_data)
>>> Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
>>> [mac:unknown] Error while communicating with the Fingerbank collector. 401
>>> Unauthorized (pf::fingerbank::endpoint_attributes)
>>> Jun 21 22:27:04 PacketFence-ZEN pfqueue: pfqueue(3009) ERROR:
>>> [mac:unknown] Unable to fetch query arguments for Fingerbank query.
>>> Aborting. (pf::fingerbank::process)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] Releasing device
>>> (captiveportal::PacketFence::DynamicRouting::Module::Root::release)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] User default has
>>> authenticated on the portal. (Class::MOP::Class:::after)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] re-evaluating access
>>> (manage_register called) (pf::enforcement::reevaluate_access)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] VLAN reassignment is
>>> forced. (pf::enforcement::_should_we_reassign_vlan)
>>> Jun 21 22:27:04 PacketFence-ZEN packetfence_httpd.portal:
>>> httpd.portal(3121) INFO: [mac:78:31:c1:c1:b5:62] switch port is
>>> (10.210.31.1) ifIndex external connection type: WiFi 802.1X
>>> (pf::enforcement::_vlan_reevaluation)
>>> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
>>> [mac:78:31:c1:c1:b5:62] [78:31:c1:c1:b5:62] DesAssociating mac on switch
>>> (10.210.31.1) (pf::api::desAssociate)
>>> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) INFO:
>>> [mac:78:31:c1:c1:b5:62] deauthenticating (pf::Switch::radiusDisconnect)
>>> Jun 21 22:27:05 PacketFence-ZEN pfqueue: pfqueue(4321) WARN:
>>> [mac:78:31:c1:c1:b5:62] Unable to perform RADIUS Disconnect-Request: No
>>> answer from 10.210.31.1 on port 3799 at /usr/local/pf/lib/pf/util/radi
>>> us.pm line 144. (pf::Switch::catch {...} )
>>> Jun 21 22:
>>>
>>> In my browser tools, I see Post url is set, magic value etc. that the
>>> FortiGate sends to the portal...
>>>
>>> Also can't seem to get rid of those pesky Fingerbank errors. Don't
>>> think that's related, but possible I suppose.
>>>
>>> Do you have an example of how to set up FortiGate external captive
>>> authentication and PacketFence?  Other values I need to configure?  Sample
>>> for the Role by Web Auth URL?
>>>
>>> Cheers.
>>> Neil.
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Check out the vibrant tech community on one of the world's most
>>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>>
>>>
>>>
>>> _______________________________________________
>>> PacketFence-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
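Added example, not part of the original messages and not PacketFence code: a simplified model of the filter rule quoted above, used to check which of the required parameters a FortiGate redirect URL is missing. It handles only the `defined` operator and `&` conjunctions and assumes a parameter counts as defined when its key is present in the query string; the URLs, addresses and function names are constructed for illustration.

```python
import configparser
from urllib.parse import parse_qs, urlsplit

# The filter definitions quoted in the message, rebuilt as one config text.
PARAMS = ["login", "post", "magic", "usermac", "apmac", "apip", "userip"]
FILTERS_CONF = "".join(
    f"[{p}]\nfilter = params.{p}\noperator = defined\n\n" for p in PARAMS
) + "[1:" + "&".join(PARAMS) + "]\nscope = external_portal\nswitch = Fortinet::FortiGate\n"

# Constructed redirect URLs (documentation addresses, not taken from the thread).
FULL_URL = ("http://pf.example.test/?login&post=https%3A%2F%2F192.0.2.1%2Fpost"
            "&magic=0123abcd&usermac=00:00:5e:00:53:02&apmac=00:00:5e:00:53:01"
            "&apip=192.0.2.10&userip=192.0.2.50")
PARTIAL_URL = ("http://pf.example.test/?login&post=x&magic=0123abcd"
               "&usermac=00:00:5e:00:53:02&userip=192.0.2.50")

def load_rules(text):
    """Split the config into named conditions and ordered rules."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    conditions, rules = {}, []
    for name in cp.sections():
        sec = cp[name]
        if "filter" in sec:
            conditions[name] = (sec["filter"], sec["operator"])
        else:  # rule header: "<order>:<cond>&<cond>&..."
            order, _, expr = name.partition(":")
            rules.append((int(order), expr.split("&"), sec["scope"], sec["switch"]))
    return conditions, sorted(rules)

def holds(condition, params):
    """Assumption: 'defined' is true when the key is present in the query."""
    target, operator = condition
    if operator != "defined" or not target.startswith("params."):
        raise ValueError(f"unsupported condition: {target} {operator}")
    return target[len("params."):] in params

def evaluate(url, scope, conditions, rules):
    """Return (switch type or None, conditions failing on the first in-scope rule)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    first_missing = []
    for _, names, rule_scope, switch in rules:
        if rule_scope != scope:
            continue
        missing = [n for n in names if not holds(conditions[n], params)]
        if not missing:
            return switch, []
        first_missing = first_missing or missing
    return None, first_missing

if __name__ == "__main__":
    conds, rules = load_rules(FILTERS_CONF)
    for url in (FULL_URL, PARTIAL_URL):
        print(evaluate(url, "external_portal", conds, rules))
```

Feeding it the redirect URL captured in the browser tools shows whether the rule can match at all before looking further into the enforcement path.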