Hi Fabrice,

Let me check what the difference is in configuration on the AC side; I’ll report within the hour. Any clues as to why the parameters are not being passed?

> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>
> Hello Jorge,
>
> I really think that it's not the correct way to support the web auth in Huawei.
> The only thing you can do with the portal is to authenticate with a username and password, there is no way to do anything else (sms/email/sponsor/....).
>
> Also when you authenticate on the portal, the portal validates your username and password and with the workflow you have it will authenticate twice (portal and radius) and it doesn't make sense.
>
> So if you want to keep this way then you will need a simple html page with a username and password field that posts to https://portal.fispy.mx:8443/login then configure packetfence to authenticate the username and password from radius.
>
> The other way, which looks really better, is to use that:
> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2)
>
> <download.png>
>
> As I said, it's exactly how it works with the cisco wlc and it will support all authentication mechanisms available on the portal.
>
> Regards
> Fabrice
>
> On Mon, Feb 7, 2022 at 20:25, Jorge Nolla <jno...@gmail.com> wrote:
>
> Radius request from the AC once it receives the correct values. This is sent back to Radius which in this case is PF
>
> User-Name = "5blz" <<< VALUE NEEDED IN URL as username
> User-Password = "******" <<< VALUE NEEDED IN URL as password
> NAS-IP-Address = 10.7.255.2
> NAS-Port = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = 10.9.91.31
> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
> Calling-Station-Id = "f0:2f:4b:14:67:d9"
> NAS-Identifier = "AirEngine9700-M1"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
> Huawei-User-Mac = "\000\000\000\003"
> Stripped-User-Name = "5blz"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = 10.7.255.2
> Called-Station-SSID = "FISPY-WiFi"
> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
> PacketFence-Radius-Ip = "10.0.255.99"
> SQL-User-Name = "5blz"
>
>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>
>> Hi Fabrice,
>>
>> I did hardcode as follows:
>>
>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob"
>> style="display:none">
>>
>> But the redirect which the client is getting, is only this part, not sure why:
>>
>> https://portal.fispy.mx:8443/login?
>>
>> Here is the flow of the External Portal Authentication as per Huawei.
>> Portal Server - Notify the STA of the login URL
>> STA - Send the username and password in HTTP GET POST. When this is configured to use ISE as per the guide, the ISE server sends the redirect to the STA as per the format.
>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>
>> <PastedGraphic-1.tiff>
>>
>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>
>>> Did you try to hardcode that in the code and see if it works?
>>>
>>> Also I don't understand the goal of passing the username and password, is there any extra check after that? What happens if the user registers by sms/email?
>>>
>>> And I just found that:
>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>> Is it something that can be configured on the Huawei? If yes then it will mimic the way the Cisco WLC works.
>>>
>>> Regards
>>> Fabrice
>>>
>>> On Mon, Feb 7, 2022 at 16:01, Jorge Nolla <jno...@gmail.com> wrote:
>>> Hi Fabrice,
>>>
>>> This line needs to be HTTPS for it to work
>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>> action="http://$controller_ip:8443/login?username=bob&password=bob"
>>> style="display:none">
>>>
>>> This needs to be the username and password which is being entered by the user in the PF portal, which is the Radius username and password
>>> username=bob&password=bob
>>>
>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>
>>>> I just pushed a fix.
>>>>
>>>> cd /usr/local/pf
>>>> curl https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff | patch -p1
>>>> and restart
>>>>
>>>> On Mon, Feb 7, 2022 at 13:46, Jorge Nolla <jno...@gmail.com> wrote:
>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>
>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]: httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected as an external captive portal URI (pf::web::externalportal::handle)
>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]: httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module for switch type 'pf::Switch::Huawei'. Either switch type is unknown or switch type perl module have compilation errors. See the following message for details: (pf::web::externalportal::handle)
>>>>
>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>
>>>>> Here is the output for HAProxy
>>>>>
>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814 [07/Feb/2022:10:48:54.074] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9 HTTP/1.1"
>>>>>
>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>
>>>>>> Hi Fabrice,
>>>>>>
>>>>>> From the Pf portal after the patch is applied.
>>>>>>
>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is not supported.
>>>>>>
>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>
>>>>>>> This is the only option on the config.
>>>>>>>
>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>>
>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>
>>>>>>>> Hi Fabrice,
>>>>>>>>
>>>>>>>> Getting an error page from PF
>>>>>>>>
>>>>>>>> Not Implemented
>>>>>>>> GET no supported for current URL.
>>>>>>>>
>>>>>>>> How is the switch supposed to be defined in PF?
>>>>>>>>
>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>
>>>>>>>>> I am just not sure what to set for username and password, if you do sms auth then there is no password.
>>>>>>>>>
>>>>>>>>> Also in the url it looks like it is missing the mac address of the device, can you try to add device-mac and see if the device mac is in the url?
>>>>>>>>>
>>>>>>>>> Here is the first draft:
>>>>>>>>>
>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>>
>>>>>>>>> cd /usr/local/pf/
>>>>>>>>> curl https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff | patch -p1
>>>>>>>>>
>>>>>>>>> then restart packetfence.
>>>>>>>>>
>>>>>>>>> On the controller:
>>>>>>>>>
>>>>>>>>> url-template name PacketFence
>>>>>>>>> url https://wifi.fispy.mx/Hawei
>>>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>
>>>>>>>>> So when the device is forwarded to the portal it should be able to recognise the mac address and the ip of the device (in the bottom).
>>>>>>>>>
>>>>>>>>> Register on the portal and you should be forwarded to http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>>
>>>>>>>>> Let me know how it behaves.
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Fabrice
>>>>>>>>>
>>>>>>>>> On Sun, Feb 6, 2022 at 18:58, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>> Hi Fabrice
>>>>>>>>>
>>>>>>>>> This is the GET the AC is expecting:
>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>
>>>>>>>>> If successful it will return as per image below. If it fails the AC will redirect back to the Portal
>>>>>>>>>
>>>>>>>>> <WebAuthentication.png>
>>>>>>>>>
>>>>>>>>> Here is the configuration:
>>>>>>>>>
>>>>>>>>> url-template name PacketFence
>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>> url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>
>>>>>>>>> HA Proxy output
>>>>>>>>>
>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1"
>>>>>>>>>
>>>>>>>>> Only problem is that PacketFence is not updating the dynamic values with username and password for it to work
>>>>>>>>>
>>>>>>>>> AC = Access Controller. This manages the APs as they are operating in Fit/Lightweight mode.
>>>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> Jorge
>>>>>>>>>
>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello Jorge,
>>>>>>>>>>
>>>>>>>>>> I have what I need at least to be able to support the web-auth.
>>>>>>>>>> The only thing I am not sure about is what we are supposed to do at the end of the registration process.
>>>>>>>>>>
>>>>>>>>>> I will create a branch on github in order for you to test. (it will be an update of the Huawei switch module).
>>>>>>>>>>
>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac?
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>> On Sun, Feb 6, 2022 at 18:30, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>> If I try to manually send the redirect in the browser here is what HA proxy records. This is a simple copy and paste in the browser and the output:
>>>>>>>>>>
>>>>>>>>>> https://wifi.fispy.mx/captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>>
>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 HTTP/1.1"
>>>>>>>>>>
>>>>>>>>>> It doesn’t let it go through as it seems that it is trying to validate network connectivity
>>>>>>>>>>
>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>>>>
>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>>>>
>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 [06/Feb/2022:16:03:41.232] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://www.fispy.mx/ HTTP/1.1"
>>>>>>>>>>>
>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and weird symbols
>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>
>>>>>>>>>>>> Here are the options that can be added:
>>>>>>>>>>>>
>>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>>>>>   ap-group-name   AP group name
>>>>>>>>>>>>   ap-ip           AP IP address
>>>>>>>>>>>>   ap-location     AP location
>>>>>>>>>>>>   ap-mac          AP MAC address
>>>>>>>>>>>>   ap-name         AP name
>>>>>>>>>>>>   device-ip       Device IP address
>>>>>>>>>>>>   device-mac      Device MAC address
>>>>>>>>>>>>   login-url       Device's login URL provided to the external portal server
>>>>>>>>>>>>   mac-address     Mac address
>>>>>>>>>>>>   redirect-url    The url in user original http packet
>>>>>>>>>>>>   set             Set
>>>>>>>>>>>>   ssid            SSID
>>>>>>>>>>>>   sysname         Device name
>>>>>>>>>>>>   user-ipaddress  User IP address
>>>>>>>>>>>>   user-mac        User MAC address
>>>>>>>>>>>>
>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac ap-mac
>>>>>>>>>>>>
>>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"
>>>>>>>>>>>>
>>>>>>>>>>>> If we do not specify the URL on this configuration, where would PacketFence get the value for the AC Web Authentication call?
>>>>>>>>>>>>
>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>> Jorge
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>
>>>>>>>>>>>>> what we need is the user mac and the ap information.
>>>>>>>>>>>>> I found that https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>>>>>>
>>>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac?
>>>>>>>>>>>>>
>>>>>>>>>>>>> And if yes can you provide me the url generated by the controller when it redirects? (haproxy-portal log)
>>>>>>>>>>>>>
>>>>>>>>>>>>> Regards
>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Sat, Feb 5, 2022 at 20:42, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any input on this? We really would like to get this to work.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is the sequence:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 HTTP/1.1"
>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 HTTP/1.1"
>>>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin HTTP/1.1"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I will have a closer look.
>>>>>>>>>>>>>>> But I have a question: when the device is forwarded to the captive portal (just before https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin), what is the url?
>>>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log file.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Wed, Feb 2, 2022 at 10:18, Jorge Nolla <jno...@gmail.com> wrote:
>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> We almost have the configuration working, but are not sure how to get the redirect to the client to work correctly. Attached is the documentation for Cisco ISE which we used for PacketFence as well.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Portal.fispy.mx is the Huawei AC.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> This is the format the client should get from PacketFence. This is the only piece we are missing for this to work.
>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If we manually click on the link above, then the flow of traffic works correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The problem is that when the user logs in to the portal the redirect is broken. The parameter for the redirect that PacketFence is serving, comes from a configuration parameter within the AC. This configuration works fine for Cisco ISE, but the URL format is not working for PacketFence.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> When we configure the redirect this is what the client is getting from PacketFence
>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> AC CONFIG
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>>>>>> portal-access-profile PacketFence
>>>>>>>>>>>>>>> free-rule-template default_free_rule
>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>> accounting-scheme PacketFence
>>>>>>>>>>>>>>> radius-server PacketFence
>>>>>>>>>>>>>>> force-push url https://www.fispy.mx
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>>>>>> radius-server shared-key cipher %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 weight 90
>>>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 weight 80
>>>>>>>>>>>>>>> undo radius-server user-name domain-included
>>>>>>>>>>>>>>> calling-station-id mac-format unformatted
>>>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac
>>>>>>>>>>>>>>> radius-server attribute translate
>>>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send
>>>>>>>>>>>>>>> radius-attribute disable HW-Version send
>>>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send
>>>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send
>>>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login <<< THIS IS THE PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>>>>>> server-ip 10.0.255.99
>>>>>>>>>>>>>>> port 443
>>>>>>>>>>>>>>> url-template PacketFence
>>>>>>>>>>>>>>> protocol http
>>>>>>>>>>>>>>> http get-method enable
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>>>>>> web-auth-server PacketFence direct
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>> authentication-mode radius
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> wlan
>>>>>>>>>>>>>>> security-profile name FISPY-WiFi
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> vap-profile name FISPY-WiFi
>>>>>>>>>>>>>>> service-vlan vlan-id 900
>>>>>>>>>>>>>>> permit-vlan vlan-id 900
>>>>>>>>>>>>>>> ssid-profile FISPY-WiFi
>>>>>>>>>>>>>>> security-profile FISPY-WiFi
>>>>>>>>>>>>>>> authentication-profile PacketFence
>>>>>>>>>>>>>>> sta-network-detect disable
>>>>>>>>>>>>>>> service-experience-analysis enable
>>>>>>>>>>>>>>> mdns-snooping enable
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>>>>>> url https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>>>>>> parameter start-mark #
>>>>>>>>>>>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> ####################################
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> do you have any Huawei documentation to implement that?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Wed, Jan 26, 2022 at 15:59, Jorge Nolla via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> We were wondering if anyone has had any success in configuring Web Auth for the Huawei AC? It’s somewhat critical for us to get this going.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>>>>>> PacketFence-users@lists.sourceforge.net
>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
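
Added example (not part of the original thread and not PacketFence code): the `%2D`, `%2E` and `%5F` sequences in the HAProxy lines are ordinary percent-encoding and decode to the same parameter names, while a login URL that carries `password=` in a GET lands in the proxy access log in clear text. The sketch below decodes the request targets and masks secret-bearing parameters; the sample lines, the credentials, the `SECRET_KEYS` list and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed entries in the shape of the haproxy-portal lines quoted in the thread.
# The credentials (alice / example-secret) are made up for this example.
_PREFIX = ('Feb  6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 '
           '[06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ '
           '10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- '
           '2/1/0/0/0 0/0 {wifi.fispy.mx} ')
SAMPLE_LOG = [
    # 1. AC redirect with over-encoded parameter names and values
    _PREFIX + '"GET /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173'
              '&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 HTTP/1.1"',
    # 2. Login URL pasted unencoded: "&password=" becomes a top-level parameter
    _PREFIX + '"GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login'
              '?username=alice&password=example-secret HTTP/1.1"',
    # 3. Same login URL, fully percent-encoded inside destination_url
    _PREFIX + '"GET /captive-portal?destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx'
              '%3A8443%2Flogin%3Fusername%3Dalice%26password%3Dexample%2Dsecret HTTP/1.1"',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?"')
SECRET_KEYS = {"password", "passwd", "pwd", "user-password"}  # assumed name list


def decoded_params(url):
    """Percent-decode the query string, so 'ac%2Dip' and 'ac-ip' compare equal."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def _is_url(value):
    return value.lower().startswith(("http://", "https://"))


def secret_params(url, prefix=""):
    """Dotted names of secret-bearing parameters, following nested URLs."""
    found = []
    for name, value in decoded_params(url):
        if name.lower() in SECRET_KEYS and value:
            found.append(prefix + name)
        elif _is_url(value):
            found.extend(secret_params(value, prefix + name + "."))
    return found


def redact(url):
    """Decoded display form of the URL with secret values masked."""
    parts = urlsplit(url)
    pairs = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_KEYS:
            value = "***"
        elif _is_url(value):
            value = redact(value)
        pairs.append(f"{name}={value}")
    return parts._replace(query="&".join(pairs)).geturl()


def audit(lines):
    """One record per request line: decoded parameters, secrets, log-safe target."""
    report = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        try:
            report.append({"params": dict(decoded_params(target)),
                           "secrets": secret_params(target),
                           "safe": redact(target)})
        except ValueError:  # urlsplit rejects malformed bracketed hosts
            report.append({"params": {}, "secrets": ["<unparseable>"],
                           "safe": "<unparseable>"})
    return report


if __name__ == "__main__":
    for record in audit(SAMPLE_LOG):
        print(record["secrets"] or "no secrets", "->", record["safe"])
```

The `safe` field is a decoded display form meant for log storage or review, not a URL to replay.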