Hi Caique,

What does the client status look like in the WLC when the clients are in the registration state? Look at the “Security Information” for the client.

Here is an example from my WLC (software 8.3.143) with Packetfence and the client in registration state:

Radius NAC state should be in “WEBAUTH_REQD” with the correct AAA Override ACL name (case sensitive, so check that if it’s not showing correctly) and the redirect URL should also be showing up.

You wouldn’t happen to be using the Cisco AnyConnect client with the NAM module to manage the wireless/wired network connections by any chance? That will override standard Windows behaviour giving you the prompt (so you’d manually have to open the web browser and navigate to an external address).

From: Caique Araujo via PacketFence-users [mailto:[email protected]]
Sent: 4 January 2019 15:21
To: [email protected]
Cc: Caique Araujo <[email protected]>
Subject: Re: [PacketFence-users] Web Authentication using Packetfence and WLC

Gentlemen,

I have this same problem. I already tried the help forum to try to correct it and so far I could not. I will be accompanying you; if you can, could you please help me?

Regards,
Caique Araujo

On Fri, 4 Jan 2019 at 11:42, Kalcho via PacketFence-users <[email protected]> wrote:

Hello Fabrice,

Yes, it receives a radius request from the controller.

Here is the output of the packetfence.log:

Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip => (172.16.0.10), connection_type => Wireless-802.11-NoEAP,switch_mac => (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username => "cc:fd:17:ef:b3:e5", ssid => BYOD (pf::radius::authorize)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Instantiate profile byod-profile (pf::Connection::ProfileFactory::_from_profile)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN (pf::role::getRegistrationRole)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added VLAN 501 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Adding web authentication redirection to reply using role: 'Pre-Auth-For-WebRedirect-PF' and URL: 'http://172.16.0.10/Cisco::WLC/sid0cf3c4?' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Jan 4 08:15:57 packetfence packetfence_httpd.portal: httpd.portal(27455) INFO: [mac:[undef]] URI '/Cisco::WLC/sid0cf3c4' is detected as an external captive portal URI (pf::web::externalportal::handle)

By radius audit log, do you mean on radius.log?

Here is the output of radius.log:

Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection (1409): Hit idle_timeout, was idle for 121 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection (1410): Hit idle_timeout, was idle for 121 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection (1408): Hit idle_timeout, was idle for 121 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Opening additional connection (1411), 1 of 64 pending slots used
Jan 4 08:15:54 packetfence auth[2865]: Need 2 more connections to reach min connections (3)
Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Opening additional connection (1412), 1 of 63 pending slots used
Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection (1309): Hit idle_timeout, was idle for 160 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection (1308): Hit idle_timeout, was idle for 121 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection (1310): Hit idle_timeout, was idle for 121 seconds
Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Opening additional connection (1311), 1 of 64 pending slots used
Jan 4 08:15:54 packetfence auth[2865]: Need 2 more connections to reach min connections (3)
Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Opening additional connection (1312), 1 of 63 pending slots used
Jan 4 08:15:54 packetfence auth[2865]: [mac:cc:fd:17:ef:b3:e5] Accepted user: and returned VLAN 501
Jan 4 08:15:54 packetfence auth[2865]: (58671) Login OK: [cc:fd:17:ef:b3:e5] (from client 172.16.0.20 port 1 cli cc:fd:17:ef:b3:e5)

Packetfence management IP is 172.16.0.10 and WLC IP is 172.16.0.20.

This is the ip dhcp pool configuration on the L3 switch:

ip dhcp pool BYOD
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 172.30.0.250 172.30.0.251

This is SVI defined on the same L3 switch:

interface Vlan501
 description PF_BYOD
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 172.16.0.10

WLC is directly connected to the L3 switch, and has virtual interface in this 501 VLAN which is used by this BYOD SSID.

It happens that I am successfully connected to this BYOD SSID and receive IP, but when pseudo browser opens on Android, as a result of redirection it shows blank page now. Even tried this with Windows laptop. But just shows blank page with waiting for response from msftconnecttest.com

If you need more info, feel free.

---- On Fri, 04 Jan 2019 01:38:08 +0100 Durand fabrice via PacketFence-users <[email protected]> wrote ----

> Hello Kalcho,
>
> Does packetfence receive a radius request from the controller?
>
> If yes, can you paste a radius request/reply? (check in radius audit log
> for that)
>
> Regards
>
> Fabrice
>
>
> On 19-01-03 at 10:09, Kalcho via PacketFence-users wrote:
> > Hello all,
> >
> > I have configured Web Authentication for Cisco WLC as described in Network
> > Devices Guide.
> > I am using network 192.168.1.0/24 for this WiFi
> > SSID, which is open with Mac filtering.
> > I am using two access lists, Pre-Auth-For-WebRedirect-PF and Authorize_any.
> > I have added WLC in the packetfence, and activated "Role by Switch Role":
> > registration->Pre-Auth-For-WebRedirect-PF, and default->Authorize_any.
> >
> > These two access lists are defined on the WLC.
> > Authorize_any permits everything, while Pre-Auth-For-WebRedirect-PF
> > 1. permits DNS traffic
> > 2. permits DHCP traffic
> > 3. permits packets to Packetfence management interface as destination and
> > source.
> >
> > I have also added portal role on management interface.
> > Management interface is on 172.16.0.10.
> > VLAN which is assigned to WiFi SSID interface uses network
> > 192.168.1.0/24 which is routable and uses
> > production DHCP hosted on L3 switch. Also it uses production DNS servers.
> >
> > Clients when connected receive correct DHCP address.
> > I am having the problem that I am not being redirected to the captive portal
> > automatically. I can open it in browser, but no redirection. I guess this
> > has something to do with the fact I am not using packetfence DHCP and DNS.
> >
> > _______________________________________________
> > PacketFence-users mailing list
> > [email protected]
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Regards,
Caique Araujo
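
The check suggested at the top of the thread (the AAA Override ACL name is case sensitive and a redirect URL must be present) can be run against packetfence.log directly. This is an added example, not part of the original thread or of PacketFence; the function names are hypothetical, and the list of ACL names defined on the WLC and the portal IP are assumed to be supplied by hand.

```python
import re
from urllib.parse import urlsplit

# Three entries copied from the packetfence.log excerpt quoted in the thread.
SAMPLE_LOG = """\
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added VLAN 501 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Adding web authentication redirection to reply using role: 'Pre-Auth-For-WebRedirect-PF' and URL: 'http://172.16.0.10/Cisco::WLC/sid0cf3c4?' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
"""

MAC = r"\[mac:([0-9a-f:]{17})\]"
VLAN_RE = re.compile(MAC + r".*Added VLAN (\d+) to the returned RADIUS Access-Accept")
ROLE_RE = re.compile(MAC + r".*Added role (\S+) to the returned RADIUS Access-Accept")
URL_RE = re.compile(MAC + r".*redirection to reply using role: '([^']+)' and URL: '([^']+)'")

def summarize(log_text):
    """Collect, per MAC, the VLAN, role (ACL name) and redirect URL PacketFence returned."""
    clients = {}
    for line in log_text.splitlines():
        for key, rx in (("vlan", VLAN_RE), ("role", ROLE_RE)):
            m = rx.search(line)
            if m:
                clients.setdefault(m.group(1), {})[key] = m.group(2)
        m = URL_RE.search(line)
        if m:
            clients.setdefault(m.group(1), {}).update(role=m.group(2), url=m.group(3))
    return clients

def check_client(info, wlc_acls, portal_ip):
    """Return findings for one client; wlc_acls is the hand-supplied list of ACL names on the WLC."""
    findings = []
    role = info.get("role")
    if role is None:
        findings.append("no role/ACL returned")
    elif role not in wlc_acls:
        near = [a for a in wlc_acls if a.lower() == role.lower()]
        findings.append(f"ACL '{role}' differs only in case from '{near[0]}'" if near
                        else f"ACL '{role}' not defined on WLC")
    url = info.get("url")
    if url is None:
        findings.append("no redirect URL returned")
    elif urlsplit(url).hostname != portal_ip:
        findings.append(f"redirect host {urlsplit(url).hostname} is not portal {portal_ip}")
    return findings
```

An empty findings list means the Access-Accept side is consistent, which leaves the WLC client state ("WEBAUTH_REQD", ACL name, redirect URL) as the next thing to compare.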
