OK, I have partially succeeded with this. I have tested it on more phones. Apparently it is just an issue with the SSL captive portal on Blackberry Android 8.1 devices. Despite adding the certificate to their store, the Android pseudo browser shows blank. When Secure redirection in the Captive portal configuration is turned off, it worked. I must point out that when using the captive portal with SSL on a registration network with PacketFence DNS and DHCP, it worked correctly even on these Blackberry Keyone devices.

---- On Tue, 08 Jan 2019 07:53:38 +0100 Pedersen Michel via PacketFence-users <[email protected]> wrote ----
> Hi Caique,
>
> What does the client status look like in the WLC when the clients are in
> the registration state? Look at the “Security Information” for the client
>
> Here is an example from my WLC (software 8.3.143) with Packetfence and the
> client in registration state:
>
> Radius NAC state should be in “WEBAUTH_REQD” with the correct AAA Override
> ACL name (case sensitive so check that if it’s not showing correctly) and
> the redirect URL should also be showing up.
>
> You wouldn’t happen to be using the Cisco AnyConnect client with the NAM
> module to manage the wireless/wired network connections by any chance? That
> will override standard windows behaviour giving you the prompt (so you’d
> manually have to open the web browser and navigate to an external address)
>
>
>
> From: Caique Araujo via PacketFence-users
> [mailto:[email protected]]
> Sent: 4 January 2019 15:21
> To: [email protected]
> Cc: Caique Araujo <[email protected]>
> Subject: Re: [PacketFence-users] Web Authentication using Packetfence and WLC
>
> Gentlemen,
>
> I'm with this same problem, I already tried the help forum to try to
> correct and so far I could not. Will I be accompanying you if you can, could
> you please help me?
>
>
> Regards,
> Caique Araujo
>
> On Fri, 4 Jan 2019 at 11:42, Kalcho via PacketFence-users
> <[email protected]> wrote:
> Hello Fabrice,
>
> Yes it receives a radius request from the controller.
> Here is the output of the packetfence.log:
>
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] handling radius autz request: from switch_ip =>
> (172.16.0.10), connection_type => Wireless-802.11-NoEAP,switch_mac =>
> (88:90:8d:a1:59:d0), mac => [cc:fd:17:ef:b3:e5], port => 1, username =>
> "cc:fd:17:ef:b3:e5", ssid => BYOD (pf::radius::authorize)
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] Instantiate profile byod-profile
> (pf::Connection::ProfileFactory::_from_profile)
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] is of status unreg; belongs into registration VLAN
> (pf::role::getRegistrationRole)
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added VLAN 501 to the returned RADIUS
> Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added role Pre-Auth-For-WebRedirect-PF
> to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
> Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO:
> [mac:cc:fd:17:ef:b3:e5] Adding web authentication redirection to reply using
> role: 'Pre-Auth-For-WebRedirect-PF' and URL:
> 'http://172.16.0.10/Cisco::WLC/sid0cf3c4?'
> (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
> Jan 4 08:15:57 packetfence packetfence_httpd.portal: httpd.portal(27455)
> INFO: [mac:[undef]] URI '/Cisco::WLC/sid0cf3c4' is detected as an external
> captive portal URI (pf::web::externalportal::handle)
>
> By radius audit log, do you mean on radius.log?
> Here is the output of radius.log:
>
> Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection
> (1409): Hit idle_timeout, was idle for 121 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection
> (1410): Hit idle_timeout, was idle for 121 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Closing connection
> (1408): Hit idle_timeout, was idle for 121 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Opening additional
> connection (1411), 1 of 64 pending slots used
> Jan 4 08:15:54 packetfence auth[2865]: Need 2 more connections to reach
> min connections (3)
> Jan 4 08:15:54 packetfence auth[2865]: rlm_sql (sql): Opening additional
> connection (1412), 1 of 63 pending slots used
> Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection
> (1309): Hit idle_timeout, was idle for 160 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection
> (1308): Hit idle_timeout, was idle for 121 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Closing connection
> (1310): Hit idle_timeout, was idle for 121 seconds
> Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Opening additional
> connection (1311), 1 of 64 pending slots used
> Jan 4 08:15:54 packetfence auth[2865]: Need 2 more connections to reach
> min connections (3)
> Jan 4 08:15:54 packetfence auth[2865]: rlm_rest (rest): Opening additional
> connection (1312), 1 of 63 pending slots used
> Jan 4 08:15:54 packetfence auth[2865]: [mac:cc:fd:17:ef:b3:e5] Accepted
> user: and returned VLAN 501
> Jan 4 08:15:54 packetfence auth[2865]: (58671) Login OK:
> [cc:fd:17:ef:b3:e5] (from client 172.16.0.20 port 1 cli cc:fd:17:ef:b3:e5)
>
>
> Packetfence management IP is 172.16.0.10 and WLC IP is 172.16.0.20.
> This is the ip dhcp pool configuration on the L3 switch:
> ip dhcp pool BYOD
>  network 192.168.1.0 255.255.255.0
>  default-router 192.168.1.1
>  dns-server 172.30.0.250 172.30.0.251
>
> This is SVI defined on the same L3 switch:
> interface Vlan501
>  description PF_BYOD
>  ip address 192.168.1.1 255.255.255.0
>  ip helper-address 172.16.0.10
>
> WLC is directly connected to the L3 switch, and has virtual interface in
> this 501 VLAN which is used by this BYOD SSID.
>
> It happens that I am successfully connected to this BYOD SSID and receive
> IP, but when pseudo browser opens on Android, as a result of redirection it
> shows blank page now. Even tried this with windows laptop. But just shows
> blank page with waiting from response from msftconnecttest.com
>
> If you need more info feel free.
>
> ---- On Fri, 04 Jan 2019 01:38:08 +0100 Durand fabrice via
> PacketFence-users <[email protected]> wrote ----
> > Hello Kalcho,
> >
> > does packetfence receive a radius request from the controller ?
> >
> > If yes can you paste a radius request/reply ? (check in radius audit log
> > for that)
> >
> > Regards
> >
> > Fabrice
> >
> >
> > On 19-01-03 at 10:09, Kalcho via PacketFence-users wrote:
> > > Hello all,
> > >
> > > I have configured Web Authentication for Cisco WLC as described in
> > > Network Devices Guide.
> > > I am using network 192.168.1.0/24 for this WiFi SSID, which is open
> > > with Mac filtering.
> > > I am using two access list Pre-Auth-For-WebRedirect-PF and
> > > Authorize_any.
> > > I have added WLC in the packetfence, and activated "Role by Switch
> > > Role": registration->Pre-Auth-For-WebRedirect-PF, and default->Authorize_any.
> > >
> > > These two access lists are defined on the WLC.
> > > Authorize_any permits everything, while Pre-Auth-For-WebRedirect-PF
> > > 1. permits DNS traffic
> > > 2. permits DHCP traffic
> > > 3. permit packets to Packetfence management interface as destination
> > > and source.
> > >
> > > I have also added portal role on management interface.
> > > Management interface is on 172.16.0.10.
> > > VLAN which is assigned to WiFi SSID interface uses network
> > > 192.168.1.0/24 which is routable and uses production DHCP hosted on L3
> > > switch. Also it uses production DNS servers.
> > >
> > > Clients when connected receive correct DHCP address.
> > > I am having problem that not being redirected to the captive portal
> > > automatically. I can open it in browser, but no redirection. I guess this
> > > has something to do with the fact I am not using packetfence DHCP and DNS.
> > >
> > > _______________________________________________
> > > PacketFence-users mailing list
> > > [email protected]
> > > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Regards,
> Caique Araujo
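
Added example, not part of the thread or of PacketFence's own code: a Python check over `httpd.aaa` lines in the format quoted above, confirming per client that the RADIUS reply carried the pre-auth role and a redirect URL whose host the pre-auth ACL permits. The first three log lines are rebuilt from the quoted excerpt, the second client (`aa:bb:cc:dd:ee:ff`) is constructed, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: httpd.aaa lines in the format quoted in the thread,
# plus a second, made-up client (aa:bb:cc:dd:ee:ff) that only gets a VLAN.
SAMPLE_LOG = """\
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added VLAN 501 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] (172.16.0.10) Added role Pre-Auth-For-WebRedirect-PF to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
Jan 4 08:15:54 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:cc:fd:17:ef:b3:e5] Adding web authentication redirection to reply using role: 'Pre-Auth-For-WebRedirect-PF' and URL: 'http://172.16.0.10/Cisco::WLC/sid0cf3c4?' (pf::Switch::Cisco::WLC::returnRadiusAccessAccept)
Jan 4 08:16:10 packetfence packetfence_httpd.aaa: httpd.aaa(2051) INFO: [mac:aa:bb:cc:dd:ee:ff] (172.16.0.10) Added VLAN 501 to the returned RADIUS Access-Accept (pf::Switch::returnRadiusAccessAccept)
"""

MAC_RE = re.compile(r"\[mac:([0-9a-f]{2}(?::[0-9a-f]{2}){5})\]")
PATTERNS = {
    "vlan": re.compile(r"Added VLAN (\d+) to the returned RADIUS Access-Accept"),
    "role": re.compile(r"Added role (\S+) to the returned RADIUS Access-Accept"),
    "redirect_url": re.compile(r"redirection to reply using role: '[^']*' and URL: '([^']+)'"),
}

def summarize(log_text):
    """Collect, per client MAC, what the logged Access-Accept carried."""
    clients = {}
    for line in log_text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue  # e.g. portal lines logged with [mac:[undef]]
        entry = clients.setdefault(mac.group(1), dict.fromkeys(PATTERNS))
        for field, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                entry[field] = hit.group(1)
    return clients

def check(entry, expected_role, acl_permitted_hosts):
    """Return the reasons this client would not be redirected to the portal."""
    problems = []
    if entry["role"] != expected_role:
        problems.append(f"role is {entry['role']!r}, expected {expected_role!r}")
    if entry["redirect_url"] is None:
        problems.append("no redirect URL in the reply")
    else:
        host = urlsplit(entry["redirect_url"]).hostname
        if host not in acl_permitted_hosts:
            problems.append(f"redirect host {host} is not permitted by the pre-auth ACL")
    return problems

if __name__ == "__main__":
    for mac, entry in summarize(SAMPLE_LOG).items():
        print(mac, entry, check(entry, "Pre-Auth-For-WebRedirect-PF", {"172.16.0.10"}))
```

The ACL name is compared case-sensitively, matching the remark in the thread that the WLC treats it that way.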
