Fabrice, I figured out why the AC is formatting in that way,
6.3.7.3.6 The URL of the Redirected Portal Page Contains %XX, Which Cannot Be Identified by Some Portal Servers When a third-party Portal server is connected, the browser can be redirected to the URL of the Portal page, but the Portal page cannot be opened. The URL of the Portal page contains %XX, for example, http://12.12.12.1:8080/portal?ac %2Dip=100%2E1%2E1%2E1&userip=200%2E1%2E1%2E172&ssid=portal %5Ftest. By default, the Portal URL encoding and decoding function is enabled on the device. URL encoding encodes special characters (that is, characters that are not simple 7- bit ASCII characters, such as Chinese characters) in hexadecimal format using the percent sign (%), including special characters such as the equal sign (=), ampersand (&), and percent sign (%). The URL encoding is actually a hexadecimal character ASCII code. However, there is a slight change, and "%" needs to be added to the beginning. For example, the ASCII code of a backslash (\) is 92, and the hexadecimal number of 92 is 5c. Therefore, the URL encoding result of a backslash (\) is %5c. The URL coding table can be found on the Internet. Some Portal servers do not support this encoding format. When the URL encoding function is enabled on the device, redirection fails. Disable the Portal URL encoding function on the device. [Huawei] undo portal url-encode enable This worked, now we get the correct output: Feb 6 16:34:19 wifi haproxy[2427]: 10.9.70.173:51832 [06/Feb/2022:16:34:18.789] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/387/388 302 1018 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac-ip=10.7.255.2&userip=10.9.70.173&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1" > On Feb 6, 2022, at 4:29 PM, Jorge Nolla <jno...@gmail.com> wrote: > > If I try to manually send the redirect in the browser here is what HA proxy > records. This is a simple copy and paste in the browser and the output: > > https://wifi.fispy.mx/captive-portal > <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 > <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> > > 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET > /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 > <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> HTTP/1.1" > > > It doesn’t let it go through as it seems that is trying to validate network > connectivity > > >> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com >> <mailto:jno...@gmail.com>> wrote: >> >> Seems weird how the format of the URL is recorded/sent >> >> >> Here is a normal redirect, the url is formatted correctly, >> >> >> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >> [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ >> 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 >> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >> /captive-portal?destination_url=https://www.fispy.mx/ >> <https://www.fispy.mx/> HTTP/1.1" >> >> I’m not sure why the value sent by the AP has all the % and weird symbols >> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >> >> >>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com >>> <mailto:jno...@gmail.com>> wrote: >>> >>> Hi Fabrice, >>> >>> Here are the options that can be added: >>> >>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>> ap-group-name AP group name >>> ap-ip AP IP address >>> ap-location AP location >>> ap-mac AP MAC address >>> ap-name AP name >>> device-ip Device IP address >>> device-mac Device MAC address >>> login-url Device's login URL provided to the external portal server >>> mac-address Mac address >>> redirect-url The url in user original http packet >>> set Set >>> ssid SSID >>> sysname Device name >>> user-ipaddress User IP address >>> user-mac User MAC address >>> >>> >>> url-template name PacketFence >>> url https://wifi.fispy.mx/captive-portal >>> <https://wifi.fispy.mx/captive-portal> >>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac >>> ap-mac >>> >>> >>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>> "GET >>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>> HTTP/1.1" >>> >>> >>> If we do not specify the URL on this configuration, where would PacketFence >>> get the value for the AC Web Authentication call? >>> >>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>> >>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>> >>> Best Regards, >>> Jorge >>> >>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com >>>> <mailto:oeufd...@gmail.com>> wrote: >>>> >>>> Hello Jorge, >>>> >>>> what we need is the user mac and the ap information. >>>> I found that >>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>> >>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template> >>>> >>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ? >>>> >>>> And if yes can you provide me the url generated by the controller when it >>>> redirect ? (haproxy-portal log) >>>> >>>> Regards >>>> Fabrice >>>> >>>> >>>> >>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com >>>> <mailto:jno...@gmail.com>> a écrit : >>>> Hi Team, >>>> >>>> Any input on this? We really would like to get this to work. >>>> >>>> Thank you! >>>> Jorge >>>> >>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com >>>>> <mailto:jno...@gmail.com>> wrote: >>>>> >>>>> Hi Fabrice, >>>>> >>>>> This is the sequence: >>>>> >>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663] >>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >>>>> 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx >>>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905] >>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/2/2 >>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1" >>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927] >>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>> HTTP/1.1" >>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060] >>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >>>>> 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx >>>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219] >>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/1/1 >>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1" >>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287] >>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>> HTTP/1.1” >>>>> >>>>> >>>>> >>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com >>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>> >>>>>> Hello Jorge, >>>>>> >>>>>> i will have a look closer. >>>>>> But i have a question, when the device is forwarded to the captive >>>>>> portal, (just before >>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>> >>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>> , what is the url ? >>>>>> You should be able to see it in the haproxy-portal.log file. >>>>>> >>>>>> Regards >>>>>> Fabrice >>>>>> >>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com >>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>> Hi Fabrice, >>>>>> >>>>>> >>>>>> We almost have the configuration working, but are not sure how to get >>>>>> the redirect to the client to work correctly. Attached is the >>>>>> documentation for Cisco ISE which we used for PacketFence as well. >>>>>> >>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC. >>>>>> >>>>>> This is the format the client should get from PacketFence. This is the >>>>>> only piece we are missing for this to work. >>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>> >>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>> >>>>>> >>>>>> If we manually click on the link above, then the flow of traffic works >>>>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. >>>>>> The problem is that when the user logs in to the portal the redirect is >>>>>> broken. The parameter for the redirect that PacketFence is serving, >>>>>> comes from a configuration parameter within the AC. This configuration >>>>>> works fine for Cisco ISE, but the URL format is not working for >>>>>> PacketFence. >>>>>> >>>>>> >>>>>> When we configure the redirect this is what the client is getting from >>>>>> PacketFence >>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>> >>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin> >>>>>> >>>>>> >>>>>> url-template name PacketFence >>>>>> url https://wifi.fispy.mx/captive-portal >>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE >>>>>> REDIRECT TO PACKETFENCE >>>>>> >>>>>> >>>>>> >>>>>> AC CONFIG >>>>>> >>>>>> authentication-profile name PacketFence >>>>>> portal-access-profile PacketFence >>>>>> free-rule-template default_free_rule >>>>>> authentication-scheme PacketFence >>>>>> accounting-scheme PacketFence >>>>>> radius-server PacketFence >>>>>> force-push url https://www.fispy.mx <https://www.fispy.mx/> >>>>>> >>>>>> radius-server template PacketFence >>>>>> radius-server shared-key cipher >>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%# >>>>>> radius-server authentication 10.0.255.99 1812 source ip-address >>>>>> 10.7.255.2 weight 90 >>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 >>>>>> weight 80 >>>>>> undo radius-server user-name domain-included >>>>>> calling-station-id mac-format unformatted >>>>>> called-station-id wlan-user-format ac-mac >>>>>> radius-server attribute translate >>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>> radius-attribute disable HW-Connect-ID send >>>>>> radius-attribute disable HW-Version send >>>>>> radius-attribute disable HW-Product-ID send >>>>>> radius-attribute disable HW-Domain-Name send >>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>> >>>>>> url-template name PacketFence >>>>>> url https://wifi.fispy.mx/captive-portal >>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE >>>>>> REDIRECT TO PACKETFENCE >>>>>> >>>>>> web-auth-server PacketFence >>>>>> server-ip 10.0.255.99 >>>>>> port 443 >>>>>> url-template PacketFence >>>>>> protocol http >>>>>> http get-method enable >>>>>> >>>>>> portal-access-profile name PacketFence >>>>>> web-auth-server PacketFence direct >>>>>> >>>>>> >>>>>> authentication-scheme PacketFence >>>>>> authentication-mode radius >>>>>> >>>>>> wlan >>>>>> security-profile name FISPY-WiFi >>>>>> >>>>>> vap-profile name FISPY-WiFi >>>>>> service-vlan vlan-id 900 >>>>>> permit-vlan vlan-id 900 >>>>>> ssid-profile FISPY-WiFi >>>>>> security-profile FISPY-WiFi >>>>>> authentication-profile PacketFence >>>>>> sta-network-detect disable >>>>>> service-experience-analysis enable >>>>>> mdns-snooping enable >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>> >>>>>> url-template name CISCO-ISE >>>>>> url >>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>> >>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02> >>>>>> parameter start-mark # >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> >>>>>> >>>>>> #################################### >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com >>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>> >>>>>>> Hello Jorge, >>>>>>> >>>>>>> do you have any Huawei documentation to implement that ? >>>>>>> >>>>>>> Regards >>>>>>> Fabrice >>>>>>> >>>>>>> >>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users >>>>>>> <packetfence-users@lists.sourceforge.net >>>>>>> <mailto:packetfence-users@lists.sourceforge.net>> a écrit : >>>>>>> Hi Team, >>>>>>> >>>>>>> We were wondering if anyone has had any success in configuring Web Auth >>>>>>> for the Huawei AC? It’s somewhat critical for us to get this going. >>>>>>> >>>>>>> Thank you! >>>>>>> Jorge >>>>>>> >>>>>>> _______________________________________________ >>>>>>> PacketFence-users mailing list >>>>>>> PacketFence-users@lists.sourceforge.net >>>>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users