Hello Jake,

As Diego said, it can be a lack of the DHCP option for the RFC7710 in your
DHCP server (I coded the DHCP server with all my love and you still don't
want to use it).
It can also be a certificate issue: if the certificate expiration date is
more than x months then Apple devices don't like it and will not follow the
redirection.

If you are able to take a capture from PacketFence for a device that has
the issue, it would be easier to troubleshoot.

Regards
Fabrice
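
Added example, not part of Fabrice's message and not PacketFence code: one way to check a DHCP reply taken from such a capture for the captive-portal option discussed in this thread. It assumes option code 114 (RFC 8910, the published 7710bis) with 160 as the older RFC 7710 code; the sample packets and `portal.example.org` are constructed.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field
# Assumption: 114 is the RFC 8910 (7710bis) code, 160 the older RFC 7710 code.
PORTAL_CODES = {114: "RFC 8910", 160: "RFC 7710 (legacy)"}

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value} from a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (magic cookie missing)")
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:              # End option
            break
        if code == 0:                # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} is truncated")
        options[code] = options.get(code, b"") + value  # RFC 3396 concatenation
        i += 2 + length
    return options

def portal_findings(payload: bytes) -> list:
    """Describe the captive-portal option(s) in one DHCP reply."""
    opts = parse_dhcp_options(payload)
    found = [c for c in PORTAL_CODES if c in opts]
    if not found:
        return ["no captive-portal option (114/160) in this reply"]
    findings = []
    for code in found:
        uri = opts[code].decode("ascii", errors="replace")
        findings.append(f"option {code} ({PORTAL_CODES[code]}): {uri}")
        if not uri.startswith("https://"):
            findings.append(f"option {code}: portal URI is not https")
    return findings

def build_reply(options: bytes) -> bytes:
    """Constructed sample: minimal BOOTREPLY header followed by options."""
    return struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232) + MAGIC_COOKIE + options + b"\xff"

URI = b"https://portal.example.org/rfc7710"   # constructed value
ACK_WITH_OPTION = build_reply(b"\x35\x01\x05" + bytes([114, len(URI)]) + URI)
ACK_WITHOUT_OPTION = build_reply(b"\x35\x01\x05\x00\x00")
```

Pass `portal_findings` the UDP payload of a DHCP OFFER or ACK from the capture; with an external DHCP server it shows whether that server sends the option at all.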


On Thu, 8 Jul 2021 at 17:16, Diego García del Río via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hi jake,
>
> It's ok.. that's what I had understood
>
> I'm just surprised that registration / isolation works with an external
> dhcp server. I guess that's what the dhcp listener process is there for
> (snooping the dhcp client information). In general I always expected
> packetfence to identify the client by the fact that it's acting as dhcp
> server for the registration/isolation networks. In fact, while external
> dhcp servers can be used for production traffic, isolation/registration is
> meant to be handled with the internal dhcp (as far as I understand). I
> mean, the system seems to be working for you otherwise so it probably works
> fine... but the whole thing is very strange.
>
> sorry for derailing the topic.
>
>
>
>
>
> *Diego Garcia del Rio* | CTO | Mediatel S.A. | Tel: +54 11 5218 0463
> (x103) | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
> https://goo.gl/maps/NZCFPwVkFFf14cR67
>
>
> On Thu, 8 Jul 2021 at 15:31, Sallee, Jake via PacketFence-users <
> packetfence-users@lists.sourceforge.net> wrote:
>
>> I apologize if I did not phrase that correctly.
>>
>> We ARE using PF for isolation and registration, what we are not using is
>> the DHCP functionality that PF offers.
>>
>> We are using our own DHCP servers to provide IPs to clients for
>> registration and isolation, as well as the standard production networks.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> ________________________________________
>> From: Diego García del Río <dgar...@mediatel.com.ar>
>> Sent: Thursday, July 8, 2021 1:06 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>>
>> not using packetfence for isolation/registration is quite surprising. Is
>> that supported at all?
>>
>> I'm guessing it works for you.. but still quite surprising. (unless you're
>> using the built-in captive portal of your APs)
>>
>> but if you're using an external dhcp server then the RFC7710 path seems
>> moot...
>>
>>
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
>> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Thu, 8 Jul 2021 at 14:16, Sallee, Jake via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>> > you might want to check /usr/local/pg/logs for the file
>> httpd.portal.access and look for the string rfc7710 in there?
>>
>> First, thank you for the effort but I didn't see anything in the logs
>> about rfc7710.  But, I have not enabled debugging in the logs yet so there
>> is still hope.
>>
>> Quick question though, currently we do not use PF for our DHCP (even for
>> registration or isolation).  With that in mind would the info you mention
>> still show up in the logs?
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> ________________________________________
>> From: Diego García del Río <dgar...@mediatel.com.ar>
>> Sent: Wednesday, July 7, 2021 5:47 PM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: Sallee, Jake
>> Subject: Re: [PacketFence-users] Captive Portal Issue on Mobile Devices
>>
>> you might want to check /usr/local/pg/logs for the file
>> httpd.portal.access and look for the string rfc7710 in there...
>>
>> (and sorry, it's RFC 7710bis, not 7720bis)
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
>> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Wed, 7 Jul 2021 at 19:45, Diego García del Río <
>> dgar...@mediatel.com.ar> wrote:
>> Hi.. I assume you're running your portal on https? release 10.2 had
>> introduced dhcp-based portal discovery (RFC 7720bis support) and apple
>> devices, most of which should be running a 2020 or newer os, should support
>> it. if you can capture traffic on the portal interface on your cluster, you
>> should see that the url for packetfence should be returned in a dhcp option
>> (that finishes in "/rfc7710"). I believe the logs might show it (but only
>> maybe in debug level)
>>
>> the clients then query that url. Can you check if the proper,
>> load-balanced url is being returned?
>>
>> somehow maybe the device is failing to contact the /rfc7710 endpoint or
>> something, like the client being authenticated is being returned and thus
>> the apple device thinks it's logged in?
>>
>> it's a wild guess.. but it would be one option why you see this on apple
>> devices.
>>
>> (newer windows releases should support it as well, but not 100% sure when
>> /what release it would be). Android 11 also added support, but of course,
>> there you have a much more fragmented ecosystem and I haven't seen
>> non-google devices implementing it yet.
>>
>>
>>
>>
>> Diego Garcia del Rio | CTO | Mediatel S.A. | Tel: +54 11 5218 0463 (x103)
>> | Cel: +54 9 11 4530-4697 | www.mediatel.com.ar | Juan Carlos Cruz
>> 2360 – 4B (1636), Vicente López, Buenos Aires, Argentina |
>> https://goo.gl/maps/NZCFPwVkFFf14cR67
>>
>>
>> On Wed, 7 Jul 2021 at 18:35, Sallee, Jake via PacketFence-users <
>> packetfence-users@lists.sourceforge.net> wrote:
>> Hello all!
>>
>> This is a strange one and I hope someone out there has faced this demon
>> before and can help.
>>
>> We are running PF 10.3 (with latest maintenance patches) in a 3 node
>> cluster.
>>
>> TLDR:  Captive portal issues on iPhones and some mobile devices, can't
>> find any reason in the logs as to why it would be happening.  Started
>> happening out of the blue, updated to 10.3 and applied all patches but
>> nothing helped.
>>
>> Long version:
>>
>> The issue seems to be centered around WiFi on iPhones and some mobile
>> computers (laptops, tablets, etc) where some are Apple products and some are
>> not.  Android phones seem not to be affected.
>>
>> When an unregistered endpoint is assigned an IP in the registration
>> network the device notices the captive portal and tries to open a browser
>> window to facilitate the registration process.
>>
>> However this is where things begin to go wrong.
>>
>> Some of the time the page does not load at all, after a brief wait of
>> perhaps 7 seconds, the mobile browser generates an error saying the page
>> cannot be loaded.  When the error is dismissed the browser automatically
>> closes and the user is dumped to the home screen on their device.
>>
>> Sometimes it does load but the custom logo is not displayed (loads a
>> broken jpg).  Sometimes the page loads as plain text and no CSS.
>>
>> If the page does load enough for the user to accept the AUP and fill out
>> the registration form.  When the user submits the form, however the same
>> browser error is displayed and the user is bounced out of the browser app.
>>
>> If the error occurs AFTER submitting the registration form, the device
>> still shows as unregistered in PF.   However, if the user rejoins the
>> network the captive portal page will be presented but it will be the
>> enabling access page with the progress bar (and a still broken jpg).
>> Interestingly, the device will now show as registered in PF and will have
>> the correct role assigned.
>>
>> I have been scouring the logs and can't seem to find any entries that
>> would point to a cause.  Desktops and Laptops with full OS on them do not
>> seem to have the issue.
>>
>> Any help would be greatly appreciated.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer and Security Specialist
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users