Hi Fabrice,

Let me check what the difference is in configuration on the AC side, I’ll 
report within the hour. Any clues as to why the parameters are not being passed?


> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
> 
> Hello Jorge,
> 
> I really think that it's not the correct way to support the web auth in 
> Huawei.
> The only thing you can do with the portal is to authenticate with a username 
> and password, there is no way to do anything else (sms/email/sponsor/....).
> 
> Also, when you authenticate on the portal, the portal validates your username 
> and password, and with the workflow you have it will authenticate twice 
> (portal and radius) and it doesn't make sense.
> 
> So if you want to keep this way then you will need a simple html page with a 
> username and password field that posts to https://portal.fispy.mx:8443/login, 
> then configure packetfence to authenticate the username and password from 
> radius.
> 
> The other way, which looks really better, is to use that: 
> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2)
> 
> <download.png>
>  
> As I said, it's exactly how it works with the Cisco WLC and it will support 
> all authentication mechanisms available on the portal.
> 
> Regards
> Fabrice
> 
> 
> 
> 
> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
> 
> Radius request from the AC once it receives the correct values. This is sent 
> back to Radius which in this case is PF
> 
> User-Name = "5blz"  <<< VALUE NEEDED IN URL as username
> User-Password = "******"   <<< VALUE NEEDED IN URL as password
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.91.31
> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
> Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
> Event-Timestamp = "Feb  7 2022 18:05:13 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Stripped-User-Name = "5blz"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 10.7.255.2
> Called-Station-SSID = "FISPY-WiFi"
> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
> PacketFence-Radius-Ip = "10.0.255.99"
> SQL-User-Name = "5blz"
> 
>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>> 
>> Hi Fabrice,
>> 
>> I did hardcode as follows:
>> 
>> <form name="weblogin_form" data-autosubmit="1000" method="GET" 
>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob" 
>> style="display:none">
>> 
>> But the redirect which the client is getting is only this part, not sure 
>> why:
>> 
>> https://portal.fispy.mx:8443/login?
>> 
>> 
>> Here is the flow of the External Portal Authentication as per Huawei. 
>> Portal Server - Notify the STA of the login URL
>> STA - Send the username and password in HTTP GET POST. When this is 
>> configured to use ISE as per the guide, the ISE server sends the redirect to 
>> the STA as per the format. 
>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>> 
>> 
>> <PastedGraphic-1.tiff>
>> 
>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>> 
>>> Did you try to hardcode that in the code and see if it works?
>>> 
>>> Also I don't understand the goal of passing the username and password, is 
>>> there any extra check after that? What happens if the user registers by 
>>> sms/email?
>>> 
>>> And I just found that:
>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>> Is it something that can be configured on the Huawei? If yes then it will 
>>> mimic the way the Cisco WLC works.
>>> 
>>> Regards
>>> Fabrice
>>> 
>>> 
>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>> Hi Fabrice,
>>> 
>>> This line needs to be HTTPS for it to work
>>> <form name="weblogin_form" data-autosubmit="1000" method="GET" 
>>> action="http://$controller_ip:8443/login?username=bob&password=bob" 
>>> style="display:none">
>>> 
>>> This needs to be the username and password which is being entered by the 
>>> user in the PF portal, which is the Radius username and password
>>> username=bob&password=bob
>>> 
>>> 
>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>> 
>>>> I just pushed a fix.
>>>> 
>>>> cd /usr/local/pf
>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>> and restart
>>>> 
>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>> 
>>>> 
>>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>> Feb  7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details:  (pf::web::externalportal::handle)
>>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>> Feb  7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details:  (pf::web::externalportal::handle)
>>>> 
>>>> 
>>>> 
>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>> 
>>>>> Here is the output for HAProxy
>>>>> 
>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>> 
>>>>> 
>>>>> 
>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>> 
>>>>>> Hi Fabrice,
>>>>>> 
>>>>>> From the Pf portal after the patch is applied.
>>>>>> 
>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not 
>>>>>> supported.
>>>>>> 
>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>> 
>>>>>>> 
>>>>>>> This is the only option on the config.
>>>>>>> 
>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>> 
>>>>>>> 
>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>> 
>>>>>>>> Hi Fabrice,
>>>>>>>> 
>>>>>>>> Getting an error page from PF
>>>>>>>> 
>>>>>>>> Not Implemented
>>>>>>>> GET no supported for current URL.
>>>>>>>> 
>>>>>>>> How is the switch supposed to be defined in PF?
>>>>>>>> 
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>> 
>>>>>>>>> I am just not sure what to set for username and password, if you do 
>>>>>>>>> sms auth then there is no password.
>>>>>>>>> 
>>>>>>>>> Also in the url it looks like it misses the mac address of the device, 
>>>>>>>>> can you try to add device-mac and see if the device mac is in the 
>>>>>>>>> url?
>>>>>>>>> 
>>>>>>>>> Here is the first draft:
>>>>>>>>> 
>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>> 
>>>>>>>>> cd /usr/local/pf/
>>>>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>>>> 
>>>>>>>>> then restart packetfence.
>>>>>>>>> 
>>>>>>>>> On the controller:
>>>>>>>>> 
>>>>>>>>> url-template name PacketFence
>>>>>>>>>  url https://wifi.fispy.mx/Huawei
>>>>>>>>>  url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>> 
>>>>>>>>> So when the device is forwarded to the portal, it should be able 
>>>>>>>>> to recognise the mac address and the ip of the device (at the bottom).
>>>>>>>>> 
>>>>>>>>> Register on the portal and you should be forwarded to 
>>>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>> 
>>>>>>>>> Let me know how it behaves.
>>>>>>>>> 
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>  
>>>>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>> Hi Fabrice
>>>>>>>>> 
>>>>>>>>> This is the GET the AC is expecting:
>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>> 
>>>>>>>>> If successful it will return as per image below. If it fails the AC 
>>>>>>>>> will redirect back to the Portal
>>>>>>>>> 
>>>>>>>>> <WebAuthentication.png>
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> Here is the configuration:
>>>>>>>>> 
>>>>>>>>> url-template name PacketFence
>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>  url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> HA Proxy output
>>>>>>>>> 
>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>>> 
>>>>>>>>> Only problem is that PacketFence is not updating the dynamic values 
>>>>>>>>> with username and password for it to work
>>>>>>>>> 
>>>>>>>>> AC = Access Controller. This manages the APs as they are operating 
>>>>>>>>> in Fit/Lightweight mode.
>>>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>>> 
>>>>>>>>> Best Regards,
>>>>>>>>> Jorge
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>> 
>>>>>>>>>> Hello Jorge,
>>>>>>>>>> 
>>>>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>>>>> The only thing I am not sure about is at the end of the registration 
>>>>>>>>>> process what we are supposed to do.
>>>>>>>>>> 
>>>>>>>>>> I will create a branch on github in order for you to test. (It will 
>>>>>>>>>> be an update of the Huawei switch module.)
>>>>>>>>>> 
>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>>>> 
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>> If I try to manually send the redirect in the browser here is what 
>>>>>>>>>> HA proxy records. This is a simple copy and paste in the browser and 
>>>>>>>>>> the output:
>>>>>>>>>> 
>>>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>> 
>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>> It doesn’t let it go through as it seems that it is trying to validate 
>>>>>>>>>> network connectivity 
>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>> 
>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>>>> 
>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and weird 
>>>>>>>>>>> symbols 
>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>> 
>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>> 
>>>>>>>>>>>> Here are the options that can be added:
>>>>>>>>>>>> 
>>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>>>>>   ap-group-name   AP group name
>>>>>>>>>>>>   ap-ip           AP IP address
>>>>>>>>>>>>   ap-location     AP location
>>>>>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>>>>>   ap-name         AP name
>>>>>>>>>>>>   device-ip       Device IP address
>>>>>>>>>>>>   device-mac      Device MAC address
>>>>>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>>>>>   mac-address     Mac address
>>>>>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>>>>>   set             Set
>>>>>>>>>>>>   ssid            SSID
>>>>>>>>>>>>   sysname         Device name
>>>>>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>>>>>   user-mac        User MAC address
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>  url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>>> If we do not specify the URL on this configuration, where would 
>>>>>>>>>>>> PacketFence get the value for the AC Web Authentication call?
>>>>>>>>>>>> 
>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>> 
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>> Jorge
>>>>>>>>>>>> 
>>>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> What we need is the user mac and the ap information.
>>>>>>>>>>>>> I found that 
>>>>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip 
>>>>>>>>>>>>> ap-mac?
>>>>>>>>>>>>> 
>>>>>>>>>>>>> And if yes can you provide me the url generated by the controller 
>>>>>>>>>>>>> when it redirects? (haproxy-portal log)
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>>>>> 
>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>> 
>>>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> This is the sequence:
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>> Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>> Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>> Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>>>>>>> Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> I will have a closer look.
>>>>>>>>>>>>>>> But I have a question, when the device is forwarded to the 
>>>>>>>>>>>>>>> captive portal (just before 
>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin), 
>>>>>>>>>>>>>>> what is the url?
>>>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> We almost have the configuration working, but are not sure how 
>>>>>>>>>>>>>>> to get the redirect to the client to work correctly. Attached 
>>>>>>>>>>>>>>> is the documentation for Cisco ISE which we used for 
>>>>>>>>>>>>>>> PacketFence as well.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> Portal.fispy.mx is the Huawei AC.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> This is the format the client should get from PacketFence. This 
>>>>>>>>>>>>>>> is the only piece we are missing for this to work.
>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> If we manually click on the link above, then the flow of 
>>>>>>>>>>>>>>> traffic works correctly CLIENT > AC > RADIUS (PacketFence), and 
>>>>>>>>>>>>>>> authentication works. The problem is that when the user logs in 
>>>>>>>>>>>>>>> to the portal the redirect is broken. The parameter for the 
>>>>>>>>>>>>>>> redirect that PacketFence is serving, comes from a 
>>>>>>>>>>>>>>> configuration parameter within the AC. This configuration works 
>>>>>>>>>>>>>>> fine for Cisco ISE, but the URL format is not working for 
>>>>>>>>>>>>>>> PacketFence.
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> When we configure the redirect this is what the client is 
>>>>>>>>>>>>>>> getting from PacketFence
>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> AC CONFIG
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>>>>>>  portal-access-profile PacketFence
>>>>>>>>>>>>>>>  free-rule-template default_free_rule
>>>>>>>>>>>>>>>  authentication-scheme PacketFence
>>>>>>>>>>>>>>>  accounting-scheme PacketFence
>>>>>>>>>>>>>>>  radius-server PacketFence
>>>>>>>>>>>>>>>  force-push url https://www.fispy.mx
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>>>>>>  radius-server shared-key cipher 
>>>>>>>>>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>>>>>>  radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>>>>>>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>>>>>>  undo radius-server user-name domain-included
>>>>>>>>>>>>>>>  calling-station-id mac-format unformatted
>>>>>>>>>>>>>>>  called-station-id wlan-user-format ac-mac
>>>>>>>>>>>>>>>  radius-server attribute translate
>>>>>>>>>>>>>>>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>>>>>>  radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>>>>>>  radius-attribute disable HW-Connect-ID send
>>>>>>>>>>>>>>>  radius-attribute disable HW-Version send
>>>>>>>>>>>>>>>  radius-attribute disable HW-Product-ID send
>>>>>>>>>>>>>>>  radius-attribute disable HW-Domain-Name send
>>>>>>>>>>>>>>>  radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>  url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login  <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>>>>>>  server-ip 10.0.255.99
>>>>>>>>>>>>>>>  port 443
>>>>>>>>>>>>>>>  url-template PacketFence
>>>>>>>>>>>>>>>  protocol http
>>>>>>>>>>>>>>>  http get-method enable
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>>>>>>  web-auth-server PacketFence direct
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>>   authentication-mode radius
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> wlan
>>>>>>>>>>>>>>>  security-profile name FISPY-WiFi
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>  vap-profile name FISPY-WiFi
>>>>>>>>>>>>>>>   service-vlan vlan-id 900
>>>>>>>>>>>>>>>   permit-vlan vlan-id 900
>>>>>>>>>>>>>>>   ssid-profile FISPY-WiFi
>>>>>>>>>>>>>>>   security-profile FISPY-WiFi
>>>>>>>>>>>>>>>   authentication-profile PacketFence
>>>>>>>>>>>>>>>   sta-network-detect disable
>>>>>>>>>>>>>>>   service-experience-analysis enable
>>>>>>>>>>>>>>>   mdns-snooping enable
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>>>>>>  url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>>>>>>  parameter start-mark #
>>>>>>>>>>>>>>>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> ####################################
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Do you have any Huawei documentation to implement that?
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via 
>>>>>>>>>>>>>>>> PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> We were wondering if anyone has had any success in configuring 
>>>>>>>>>>>>>>>> Web Auth for the Huawei AC? It’s somewhat critical for us to 
>>>>>>>>>>>>>>>> get this going.
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>>>  
>>>>>>>>>>>>>>> 
>>>>>>>>>>>>>> 
>>>>>>>>>>>>> 
>>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>> 
>>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>> 
>>>> 
>>> 
>> 
> 
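
Added example, not part of the thread or of PacketFence's code: a Node.js model of the browser's GET form submission rule, which replaces any query string in `action` with the form's own fields and so produces the bare `login?` URL reported in the thread. It also decodes the percent-encoded redirect query the AC sends. The helper names `submitGetForm` and `decodeRedirectQuery` are made up for this sketch.

```javascript
// Added illustration: how a browser builds the request URL for
// <form method="GET">, following the HTML form-submission rules.
// submitGetForm and decodeRedirectQuery are hypothetical helper names.

// For a GET form the browser discards whatever query string is already in
// `action` and replaces it with the urlencoded list of the form's fields.
// The two are never merged.
function submitGetForm(action, fields) {
  const url = new URL(action);
  const query = new URLSearchParams(fields).toString();
  // An empty field list still leaves the "?" in place, which is the
  // "https://portal.fispy.mx:8443/login?" seen by the client.
  return `${url.origin}${url.pathname}?${query}${url.hash}`;
}

// Decode a percent-encoded query such as the one in the HAProxy log.
// Encoding "-" and "." as %2D and %2E is unusual but valid; it decodes to
// the same parameter names and values.
function decodeRedirectQuery(rawQuery) {
  return Object.fromEntries(new URLSearchParams(rawQuery));
}

const LOGIN = 'https://portal.fispy.mx:8443/login';

// Case 1: credentials hardcoded in `action`, form has no input fields
// (the form quoted in the thread).
const hardcoded = submitGetForm(`${LOGIN}?username=bob&password=bob`, []);

// Case 2: bare `action`, values carried as named inputs (hidden or visible).
const withInputs = submitGetForm(LOGIN, [
  ['username', 'bob'],
  ['password', 'bob'],
]);

// Query string copied from the HAProxy log line in the thread.
const decoded = decodeRedirectQuery(
  'ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173' +
  '&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9'
);

console.log(hardcoded);   // query from action is gone
console.log(withInputs);  // query rebuilt from the fields
console.log(decoded);
```
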
