Radius request from the AC once it receives the correct values. This is sent back to Radius which in this case is PF
User-Name = “5blz” <<< VALUE NEEDED IN URL as username User-Password = "******” <<< VALUE NEEDED IN URL as password NAS-IP-Address = 10.7.255.2 NAS-Port = 900 Service-Type = Framed-User Framed-Protocol = PPP Framed-IP-Address = 10.9.91.31 Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi" Calling-Station-Id = "f0:2f:4b:14:67:d9" NAS-Identifier = "AirEngine9700-M1" NAS-Port-Type = Wireless-802.11 Acct-Session-Id = "AirEngi00000000000900d5d66c0600187" Event-Timestamp = "Feb 7 2022 18:05:13 MST" NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900" Huawei-Loopback-Address = "C0F6-C2A5-C4D0" Huawei-User-Mac = "\000\000\000\003" Stripped-User-Name = "5blz" Realm = "null" FreeRADIUS-Client-IP-Address = 10.7.255.2 Called-Station-SSID = "FISPY-WiFi" PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9" PacketFence-Radius-Ip = "10.0.255.99" SQL-User-Name = "5blz" > On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote: > > Hi Fabrice, > > I did hardcode as follow: > > <form name="weblogin_form" data-autosubmit="1000" method="GET" > action="https://portal.fispy.mx:8443/login?username=bob&password=bob > <https://portal.fispy.mx:8443/login?username=bob&password=bob>" > style="display:none"> > > But the redirect which the client is getting, is only this part, not sure why: > > https://portal.fispy.mx:8443/login? <https://portal.fispy.mx:8443/login?> > > > Here is the flow of the External Portal Authentication as per Huawei. > Portal Server - Notify the STA of the login URL > STA - Send the username and password in HTTP GET POST. When this is > configured to use ISE as per the guide, the ISE server sends the redirect to > the STA as per the format. > https://portal.fispy.mx:8443/login?username=($username)&password=($password) > <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> > > > <PastedGraphic-1.tiff> > >> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote: >> >> Did you try to hardcode that in the code and see if it works ? >> >> Also i don´t understand the goal of passing the username and password , is >> there any extra check after that ? What happen if the user register by >> sms/email ? >> >> And i just found that: >> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1 >> >> <https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1> >> Is it something that can be configured on the Hawei ? If yes then it will >> mimic the way the Cisco WLC works. >> >> Regards >> Fabrice >> >> >> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla <jno...@gmail.com >> <mailto:jno...@gmail.com>> a écrit : >> Hi Fabrice, >> >> This line needs to be HTTPS for it to work >> <form name="weblogin_form" data-autosubmit="1000" method="GET" >> action="http://$controller_ip:8443/login?username=bob&password=bob >> <http://$controller_ip:8443/login?username=bob&password=bob>" >> style="display:none”> >> >> This needs to be the username and password which is being entered by the >> user in the PF portal, which is the Radius username and password >> username=bob&password=bob >> >> >>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com >>> <mailto:oeufd...@gmail.com>> wrote: >>> >>> I just pushed a fix. >>> >>> cd /usr/local/pf >>> curl >>> https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff >>> >>> <https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff> >>> | patch -p1 >>> and restart >>> >>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla <jno...@gmail.com >>> <mailto:jno...@gmail.com>> a écrit : >>> Here are the log outputs for /usr/local/pf/logs/packetfence.log >>> >>> >>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) >>> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal >>> URI (pf::web::externalportal::handle) >>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) >>> ERROR: [mac:[undef]] Cannot load perl module for switch type >>> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl >>> module have compilation errors. See the following message for details: >>> (pf::web::externalportal::handle) >>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) >>> INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal >>> URI (pf::web::externalportal::handle) >>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) >>> ERROR: [mac:[undef]] Cannot load perl module for switch type >>> 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl >>> module have compilation errors. See the following message for details: >>> (pf::web::externalportal::handle) >>> >>> >>> >>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com >>>> <mailto:jno...@gmail.com>> wrote: >>>> >>>> Here is the output for HAProxy >>>> >>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 >>>> <http://10.9.215.39:63814/> [07/Feb/2022:10:48:54.074] >>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>> <http://127.0.0.1/> 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 >>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>> /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 >>>> HTTP/1.1” >>>> >>>> >>>> >>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com >>>>> <mailto:jno...@gmail.com>> wrote: >>>>> >>>>> Hi Fabrice, >>>>> >>>>> From the Pf portal after the patch is applied. >>>>> >>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not >>>>> supported. >>>>> >>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com >>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>> >>>>>> >>>>>> This is the only option on the config. >>>>>> >>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png> >>>>>> >>>>>> >>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com >>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>> >>>>>>> Hi Fabrice, >>>>>>> >>>>>>> Getting an error page from PF >>>>>>> >>>>>>> Not Implemented >>>>>>> GET no supported for current URL. >>>>>>> >>>>>>> How is the switch supposed to be defined in PF? >>>>>>> >>>>>>> >>>>>>> >>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>> >>>>>>>> I am just not sure what to set for username and password, if you do >>>>>>>> sms auth then there is no password. >>>>>>>> >>>>>>>> Also in the url it looks that it miss the mac address of the device , >>>>>>>> can you try to add device-mac and see if the device mac is in the url >>>>>>>> ? >>>>>>>> >>>>>>>> Here the first draft: >>>>>>>> >>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>> >>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>>>>>>> >>>>>>>> cd /usr/local/pf/ >>>>>>>> curl >>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff >>>>>>>> >>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff> >>>>>>>> | patch -p1 >>>>>>>> >>>>>>>> then restart packetfence. >>>>>>>> >>>>>>>> On the controller: >>>>>>>> >>>>>>>> url-template name PacketFence >>>>>>>> url https://wifi.fispy.mx/ <https://wifi.fispy.mx/captive-portal>Hawei >>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid >>>>>>>> ssid user-mac ap-mac >>>>>>>> >>>>>>>> So when the device will be forwarded to the portal it should be able >>>>>>>> to recognise the mac address and the ip of the device (in the bottom). >>>>>>>> >>>>>>>> Register on the portal and you should be forwarded to >>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob >>>>>>>> <http://$controller_ip:8443/login?username=bob&password=bob> >>>>>>>> >>>>>>>> Let me know how it behave. >>>>>>>> >>>>>>>> Regards >>>>>>>> Fabrice >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> >>>>>>>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla <jno...@gmail.com >>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>> Hi Fabrice >>>>>>>> >>>>>>>> This is the GET the AC is expecting: >>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>> >>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>> >>>>>>>> If successful it will return as per image below. If it fails the AC >>>>>>>> will redirect back to the Portal >>>>>>>> >>>>>>>> <WebAuthentication.png> >>>>>>>> >>>>>>>> >>>>>>>> Here is the configuration: >>>>>>>> >>>>>>>> url-template name PacketFence >>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>> url-parameter login-url destination_url >>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>> >>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>> >>>>>>>> >>>>>>>> HA Proxy output >>>>>>>> >>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 >>>>>>>> <http://10.9.70.173:52266/> [06/Feb/2022:16:44:26.153] >>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>> <http://127.0.0.1/> 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 >>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>> >>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>> HTTP/1.1" >>>>>>>> >>>>>>>> Only problem is that PacketFence is not updating the dynamic values >>>>>>>> with username and password for it to work >>>>>>>> >>>>>>>> AC = Access Controller. This manages the APs’ as they are operating in >>>>>>>> Fit/Lightweight mode. >>>>>>>> AP = Access Points. These are the actual radios. >>>>>>>> >>>>>>>> Best Regards, >>>>>>>> Jorge >>>>>>>> >>>>>>>> >>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>> >>>>>>>>> Hello Jorge, >>>>>>>>> >>>>>>>>> i have what i need at least to be able to support the web-auth. >>>>>>>>> The only thing i am not sure is at the end of the registration >>>>>>>>> process what we are supposed to do. >>>>>>>>> >>>>>>>>> I will create a branch on github in order for you to test. (it will >>>>>>>>> be an update of the Huawei switch module). >>>>>>>>> >>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac ? >>>>>>>>> >>>>>>>>> Regards >>>>>>>>> Fabrice >>>>>>>>> >>>>>>>>> >>>>>>>>> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <jno...@gmail.com >>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>> If I try to manually send the redirect in the browser here is what HA >>>>>>>>> proxy records. This is a simple copy and paste in the browser and the >>>>>>>>> output: >>>>>>>>> >>>>>>>>> https://wifi.fispy.mx/captive-portal >>>>>>>>> <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> >>>>>>>>> >>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>>>>>>>> "GET >>>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 >>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> >>>>>>>>> HTTP/1.1" >>>>>>>>> >>>>>>>>> >>>>>>>>> It doesn’t let it go through as it seems that is trying to validate >>>>>>>>> network connectivity >>>>>>>>> >>>>>>>>> >>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>> >>>>>>>>>> Seems weird how the format of the URL is recorded/sent >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Here is a normal redirect, the url is formatted correctly, >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >>>>>>>>>> <http://10.99.1.20:63577/> [06/Feb/2022:16:03:41.232] >>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>> <http://127.0.0.1/> 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 >>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>> /captive-portal?destination_url=https://www.fispy.mx/ >>>>>>>>>> <https://www.fispy.mx/> HTTP/1.1" >>>>>>>>>> >>>>>>>>>> I’m not sure why the value sent by the AP has all the % and weird >>>>>>>>>> symbols >>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>> >>>>>>>>>>> Hi Fabrice, >>>>>>>>>>> >>>>>>>>>>> Here are the options that can be added: >>>>>>>>>>> >>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>>>>>>>>>> ap-group-name AP group name >>>>>>>>>>> ap-ip AP IP address >>>>>>>>>>> ap-location AP location >>>>>>>>>>> ap-mac AP MAC address >>>>>>>>>>> ap-name AP name >>>>>>>>>>> device-ip Device IP address >>>>>>>>>>> device-mac Device MAC address >>>>>>>>>>> login-url Device's login URL provided to the external >>>>>>>>>>> portal server >>>>>>>>>>> mac-address Mac address >>>>>>>>>>> redirect-url The url in user original http packet >>>>>>>>>>> set Set >>>>>>>>>>> ssid SSID >>>>>>>>>>> sysname Device name >>>>>>>>>>> user-ipaddress User IP address >>>>>>>>>>> user-mac User MAC address >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> url-template name PacketFence >>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid >>>>>>>>>>> user-mac ap-mac >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx >>>>>>>>>>> <http://wifi.fispy.mx/>} "GET >>>>>>>>>>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>>>>>>>>>> HTTP/1.1" >>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>>> If we do not specify the URL on this configuration, where would >>>>>>>>>>> PacketFence get the value for the AC Web Authentication call? >>>>>>>>>>> >>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>> >>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>> >>>>>>>>>>> Best Regards, >>>>>>>>>>> Jorge >>>>>>>>>>> >>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>> >>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>> >>>>>>>>>>>> what we need is the user mac and the ap information. >>>>>>>>>>>> I found that >>>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>>>>>>>>>> >>>>>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template> >>>>>>>>>>>> >>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip >>>>>>>>>>>> ap-mac ? >>>>>>>>>>>> >>>>>>>>>>>> And if yes can you provide me the url generated by the controller >>>>>>>>>>>> when it redirect ? (haproxy-portal log) >>>>>>>>>>>> >>>>>>>>>>>> Regards >>>>>>>>>>>> Fabrice >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>> Hi Team, >>>>>>>>>>>> >>>>>>>>>>>> Any input on this? We really would like to get this to work. >>>>>>>>>>>> >>>>>>>>>>>> Thank you! >>>>>>>>>>>> Jorge >>>>>>>>>>>> >>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>> <mailto:jno...@gmail.com>> wrote: >>>>>>>>>>>>> >>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>> >>>>>>>>>>>>> This is the sequence: >>>>>>>>>>>>> >>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663] >>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 >>>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET /access?lang= >>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905] >>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> >>>>>>>>>>>>> 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1" >>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927] >>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060] >>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 >>>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET /access?lang= >>>>>>>>>>>>> HTTP/1.1" >>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219] >>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> >>>>>>>>>>>>> 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1" >>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287] >>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>> HTTP/1.1” >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>> >>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>> >>>>>>>>>>>>>> i will have a look closer. >>>>>>>>>>>>>> But i have a question, when the device is forwarded to the >>>>>>>>>>>>>> captive portal, (just before >>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>> >>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>>>>>>>>>> , what is the url ? >>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log file. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Regards >>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>> >>>>>>>>>>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com >>>>>>>>>>>>>> <mailto:jno...@gmail.com>> a écrit : >>>>>>>>>>>>>> Hi Fabrice, >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> We almost have the configuration working, but are not sure how >>>>>>>>>>>>>> to get the redirect to the client to work correctly. Attached is >>>>>>>>>>>>>> the documentation for Cisco ISE which we used for PacketFence as >>>>>>>>>>>>>> well. >>>>>>>>>>>>>> >>>>>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC. >>>>>>>>>>>>>> >>>>>>>>>>>>>> This is the format the client should get from PacketFence. This >>>>>>>>>>>>>> is the only piece we are missing for this to work. >>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>>>>>>>>>> >>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> If we manually click on the link above, then the flow of traffic >>>>>>>>>>>>>> works correctly CLIENT > AC > RADIUS (PacketFence), and >>>>>>>>>>>>>> authentication works. The problem is that when the user logs in >>>>>>>>>>>>>> to the portal the redirect is broken. The parameter for the >>>>>>>>>>>>>> redirect that PacketFence is serving, comes from a configuration >>>>>>>>>>>>>> parameter within the AC. This configuration works fine for Cisco >>>>>>>>>>>>>> ISE, but the URL format is not working for PacketFence. >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> When we configure the redirect this is what the client is >>>>>>>>>>>>>> getting from PacketFence >>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>>>>>>>>>> >>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER >>>>>>>>>>>>>> FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> AC CONFIG >>>>>>>>>>>>>> >>>>>>>>>>>>>> authentication-profile name PacketFence >>>>>>>>>>>>>> portal-access-profile PacketFence >>>>>>>>>>>>>> free-rule-template default_free_rule >>>>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>>>> accounting-scheme PacketFence >>>>>>>>>>>>>> radius-server PacketFence >>>>>>>>>>>>>> force-push url https://www.fispy.mx <https://www.fispy.mx/> >>>>>>>>>>>>>> >>>>>>>>>>>>>> radius-server template PacketFence >>>>>>>>>>>>>> radius-server shared-key cipher >>>>>>>>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%# >>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address >>>>>>>>>>>>>> 10.7.255.2 weight 90 >>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address >>>>>>>>>>>>>> 10.7.255.2 weight 80 >>>>>>>>>>>>>> undo radius-server user-name domain-included >>>>>>>>>>>>>> calling-station-id mac-format unformatted >>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac >>>>>>>>>>>>>> radius-server attribute translate >>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send >>>>>>>>>>>>>> radius-attribute disable HW-Version send >>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send >>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send >>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>>>>>>>>>> >>>>>>>>>>>>>> url-template name PacketFence >>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal >>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER >>>>>>>>>>>>>> FOR THE REDIRECT TO PACKETFENCE >>>>>>>>>>>>>> >>>>>>>>>>>>>> web-auth-server PacketFence >>>>>>>>>>>>>> server-ip 10.0.255.99 >>>>>>>>>>>>>> port 443 >>>>>>>>>>>>>> url-template PacketFence >>>>>>>>>>>>>> protocol http >>>>>>>>>>>>>> http get-method enable >>>>>>>>>>>>>> >>>>>>>>>>>>>> portal-access-profile name PacketFence >>>>>>>>>>>>>> web-auth-server PacketFence direct >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> authentication-scheme PacketFence >>>>>>>>>>>>>> authentication-mode radius >>>>>>>>>>>>>> >>>>>>>>>>>>>> wlan >>>>>>>>>>>>>> security-profile name FISPY-WiFi >>>>>>>>>>>>>> >>>>>>>>>>>>>> vap-profile name FISPY-WiFi >>>>>>>>>>>>>> service-vlan vlan-id 900 >>>>>>>>>>>>>> permit-vlan vlan-id 900 >>>>>>>>>>>>>> ssid-profile FISPY-WiFi >>>>>>>>>>>>>> security-profile FISPY-WiFi >>>>>>>>>>>>>> authentication-profile PacketFence >>>>>>>>>>>>>> sta-network-detect disable >>>>>>>>>>>>>> service-experience-analysis enable >>>>>>>>>>>>>> mdns-snooping enable >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>>>>>>>>>> >>>>>>>>>>>>>> url-template name CISCO-ISE >>>>>>>>>>>>>> url >>>>>>>>>>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>>>>>>>>>> >>>>>>>>>>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02> >>>>>>>>>>>>>> parameter start-mark # >>>>>>>>>>>>>> url-parameter login-url switch_url >>>>>>>>>>>>>> https://portal.fispy.mx:8443/login >>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> >>>>>>>>>>>>>> >>>>>>>>>>>>>> #################################### >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com >>>>>>>>>>>>>>> <mailto:oeufd...@gmail.com>> wrote: >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Hello Jorge, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> do you have any Huawei documentation to implement that ? >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Regards >>>>>>>>>>>>>>> Fabrice >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via >>>>>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net >>>>>>>>>>>>>>> <mailto:packetfence-users@lists.sourceforge.net>> a écrit : >>>>>>>>>>>>>>> Hi Team, >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> We were wondering if anyone has had any success in configuring >>>>>>>>>>>>>>> Web Auth for the Huawei AC? It’s somewhat critical for us to >>>>>>>>>>>>>>> get this going. >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> Thank you! >>>>>>>>>>>>>>> Jorge >>>>>>>>>>>>>>> >>>>>>>>>>>>>>> _______________________________________________ >>>>>>>>>>>>>>> PacketFence-users mailing list >>>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net >>>>>>>>>>>>>>> <mailto:PacketFence-users@lists.sourceforge.net> >>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>>>>>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>>> >>>>>>>>>>>>> >>>>>>>>>>>> >>>>>>>>>>> >>>>>>>>>> >>>>>>>>> >>>>>>>> >>>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users