Greetings,

I managed to work around this issue, although I still believe this is not the correct behavior and should be treated as a bug. More on that later.

I changed the method "_isSwitchSupported" in the file /usr/local/pf/lib/pf/radius.pm as shown below:

    sub _isSwitchSupported {
        my ($self, $args) = @_;
        my $logger = $self->logger;

        if ($args->{'connection_type'} == $WIRED_MAC_AUTH) {
            return $args->{'switch'}->supportsWiredMacAuth();
        } elsif ($args->{'connection_type'} == $WIRED_802_1X) {
            return $args->{'switch'}->supportsWiredDot1x();
        } elsif ($args->{'connection_type'} == $WIRELESS_MAC_AUTH) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        } elsif ($args->{'connection_type'} == $WIRELESS_802_1X) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        }
        return $TRUE;
    }

I'm aware that this is a really dirty workaround, but it's the only thing that helped.

Afterwards I edited the file /usr/local/pf/sbin/httpd.aaa-docker-wrapper to include the lib folder from PacketFence:

    args="$args -v/usr/local/pf/lib/:/usr/local/pf/lib/ -v/usr/local/pf/conf/:/usr/local/pf/conf/ -v/usr/local/pf/var/conf/:/usr/local/pf/var/conf/ -p 100.64.0.1:7070:7070 -p 127.0.0.1:7070:7070"

After a restart of packetfence-httpd.aaa the FortiGate auth got accepted and I'm able to use the captive portal.

Now to my thoughts: I think the RADIUS request gets treated incorrectly, as there is no Connection-Type being sent with the original request (I've looked at the Wireshark trace of the requests). I've compared the trace to a real CLI request from a Cisco switch, and the difference is that the FortiGate fills the Connect-Info field with the value "web-auth" whereas the Cisco doesn't attach this field at all. Also, the FortiGate provides the Called-Station-Id + Calling-Station-Id -> this should be treated like a normal RADIUS authentication but gets classified as some kind of CLI auth.
I've opened a bug report on GitHub, but maybe it's only some kind of misunderstanding on my side: https://github.com/inverse-inc/packetfence/issues/7402

I'd be happy to provide packet traces or additional logs if needed.

Kind regards
p.p. Heiko Matthies
IT
ASAP Engineering GmbH
Sachsstraße 1A | 85080 Gaimersheim
Tel. +49 8458 3389 252 | Fax. +49 (8458) 3389 399 | heiko.matth...@asap.de | www.asap.de
Managing Directors: Michael Neisen, Robert Werner, Christian Schweiger | Registered office: Gaimersheim | District court: Ingolstadt HRB 5408
Data protection: Detailed information on how ASAP handles your personal data is available on our website at www.asap.de\datenschutz.

-----Original Message-----
From: Matthies, Heiko <heiko.matth...@asap.de>
Sent: Friday, 2 December 2022 10:38
To: packetfence-users@lists.sourceforge.net
Subject: RE: Issues doing captive-portal auth with FortiGate and FortiAPs

Greetings,

I troubleshot some more and found out that I receive the following messages in packetfence.log:

    Dec 2 10:19:42 packetfence httpd.aaa-docker-wrapper[110944]: httpd.aaa(1855) INFO: [mac:a0:51:0b:6a:47:b2] handling radius autz request: from switch_ip => (10.255.20.19), connection_type => CLI-Access,switch_mac => (d4:76:a0:d2:b9:50), mac => [a0:51:0b:6a:47:b2], port => external, username => "group\matthieh" (pf::radius::authorize)
    Dec 2 10:19:42 packetfence httpd.aaa-docker-wrapper[110944]: httpd.aaa(1855) WARN: [mac:a0:51:0b:6a:47:b2] (10.255.20.19) Sending REJECT since switch is unsupported (pf::radius::_switchUnsupportedReply)

I then checked the code in /usr/local/pf/lib/pf/radius.pm and found the following lines:

    sub _isSwitchSupported {
        my ($self, $args) = @_;
        my $logger = $self->logger;
        if ($args->{'connection_type'} == $WIRED_MAC_AUTH) {
            return $args->{'switch'}->supportsWiredMacAuth();
        } elsif ($args->{'connection_type'} == $WIRED_802_1X) {
            return $args->{'switch'}->supportsWiredDot1x();
        } elsif ($args->{'connection_type'} == $WIRELESS_MAC_AUTH) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        } elsif ($args->{'connection_type'} == $WIRELESS_802_1X) {
            # TODO implement supportsWirelessMacAuth (or supportsWireless)
            $logger->trace("Wireless doesn't have a supports...() call for now, always say it's supported");
            return $TRUE;
        }
    }

    =item * _switchUnsupportedReply - what is sent to RADIUS when a switch is unsupported

    =cut

    sub _switchUnsupportedReply {
        my ($self, $args) = @_;
        my $logger = $self->logger;
        $logger->warn("(" . $args->{'switch'}->{_id} . ") Sending REJECT since switch is unsupported");
        $args->{'switch'}->disconnectRead();
        $args->{'switch'}->disconnectWrite();
        return [$RADIUS::RLM_MODULE_FAIL, ('Reply-Message' => "Network device does not support this mode of operation")];
    }

If I read this correctly, the FortiAP sends CLI-Access as the connection type, but as it seems this is not supported in radius.pm. Is this a bug?

Kind Regards,
Heiko Matthies

From: Matthies, Heiko via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: Thursday, 1 December 2022 17:42
To: packetfence-users@lists.sourceforge.net
Cc: Matthies, Heiko <heiko.matth...@asap.de>
Subject: [PacketFence-users] Issues doing captive-portal auth with FortiGate and FortiAPs

Greetings,

we are currently testing out PacketFence captive-portal auth in connection with FortiGate and FortiAPs. I followed the instructions from the following mailing list post: https://sourceforge.net/p/packetfence/mailman/packetfence-users/thread/0b65c462-4c0c-24fe-5e10-405102e8de36%40inverse.ca/#msg36349338

The redirection from the access point to the captive portal works just fine, and I successfully log in and get my role.
Afterwards (as described in the post above), the FortiGate/FortiAP is trying to authenticate against PacketFence but fails with the following log message:

    User-Name = "a0:51:0b:6a:47:b2"
    User-Password = "******"
    NAS-IP-Address = 10.255.20.19
    Service-Type = Login-User
    Framed-IP-Address = 10.23.87.5
    Called-Station-Id = "d4:76:a0:d2:b9:50:ASAP-Gast (Testing)"
    Calling-Station-Id = "a0:51:0b:6a:47:b2"
    NAS-Identifier = "IN19FW-0015"
    NAS-Port-Type = Virtual
    Acct-Session-Id = "7676961b"
    Event-Timestamp = "Dec 1 2022 17:29:05 CET"
    Connect-Info = "web-auth"
    Fortinet-Vdom-Name = "root"
    Fortinet-SSID = "ASAP-Gast (Testing)"
    Fortinet-AP-Name = "PU221ETF21002253"
    Stripped-User-Name = "a0:51:0b:6a:47:b2"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = 10.255.20.19
    Called-Station-SSID = "ASAP-Gast (Testing)"
    PacketFence-KeyBalanced = "82ca871f42fbfecb44407d06a8699cd7"
    PacketFence-Radius-Ip = "10.20.10.55"
    Module-Failure-Message = "rest: Server returned:"
    Module-Failure-Message = "rest: {\"control:PacketFence-Request-Time\":1669912145,\"control:PacketFence-IfIndex\":\"external\",\"control:PacketFence-Connection-Type\":\"CLI-Access\",\"control:PacketFence-Switch-Id\":\"10.255.20.19\",\"control:PacketFence-Authorization-Status\":\"allow\",\"control:PacketFence-Switch-Mac\":\"d4:76:a0:d2:b9:50\",\"control:PacketFence-Switch-Ip-Address\":\"10.255.20.19\",\"Reply-Message\":\"Network device does not support this mode of operation\",\"control:PacketFence-Eap-Type\":0,\"control:PacketFence-UserName\":\"a0:51:0b:6a:47:b2\",\"control:PacketFence-Mac\":\"a0:51:0b:6a:47:b2\"}"
    SQL-User-Name = "a0:51:0b:6a:47:b2"

I first thought that this has something to do with CLI-Access not being enabled on the corresponding switch, but I double-checked: both flags (for External Portal Enforcement and CLI/VPN Access) are enabled. Is there something I'm missing? The debug log from radiusd didn't yield any results either.

Thank you in advance!
Kind Regards,
Heiko Matthies

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
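Editor's added example, not PacketFence code and not part of the thread: the blanket "return $TRUE" workaround above makes _isSwitchSupported say yes for every connection type, including ones PacketFence has never heard of. The script below shows the narrower shape a practitioner would want while the upstream issue is open: keep the existing per-type checks, treat CLI-Access as supported only when the switch's CLI/VPN Access flag (the checkbox mentioned in the first message) is set, and never fall through to undef, which is the silent path that produced "Sending REJECT since switch is unsupported" in the log. The connection-type constants, the MockSwitch class and its cliAccessEnabled accessor are constructed stand-ins for pf::config and pf::Switch; the real object's method and field names may differ, so this runs on its own but is not drop-in code for radius.pm.

```perl
#!/usr/bin/perl
# Added example: a narrower replacement for the "always supported" workaround.
# Constants and the switch object are mocks; nothing here is PacketFence code.
use strict;
use warnings;

# Constructed stand-ins for the pf::config connection-type constants.
my $WIRED_MAC_AUTH    = 1;
my $WIRELESS_MAC_AUTH = 2;
my $WIRED_802_1X      = 3;
my $WIRELESS_802_1X   = 4;
my $CLI_ACCESS        = 5;   # the "CLI-Access" type seen in packetfence.log
my $TRUE  = 1;
my $FALSE = 0;

# Minimal mock of the switch object. supportsWiredMacAuth/supportsWiredDot1x
# mirror the calls used in radius.pm; cliAccessEnabled is a hypothetical
# accessor standing in for the switch's "CLI/VPN Access" flag.
package MockSwitch;
sub new { my ($class, %fields) = @_; return bless {%fields}, $class }
sub supportsWiredMacAuth { return $_[0]{wired_mac_auth} ? 1 : 0 }
sub supportsWiredDot1x   { return $_[0]{wired_dot1x}    ? 1 : 0 }
sub cliAccessEnabled     { return $_[0]{cli_access}     ? 1 : 0 }
package main;

# Decide whether the request may continue into authorization.
# Every branch returns an explicit true/false; an undef fall-through is what
# the original code produced for CLI-Access, and undef is treated as "unsupported".
sub is_switch_supported {
    my ($args) = @_;
    my $type   = $args->{connection_type};
    my $switch = $args->{switch};

    return $switch->supportsWiredMacAuth() if $type == $WIRED_MAC_AUTH;
    return $switch->supportsWiredDot1x()   if $type == $WIRED_802_1X;

    # Wireless still has no supports...() call, same as the original code.
    return $TRUE if $type == $WIRELESS_MAC_AUTH || $type == $WIRELESS_802_1X;

    # CLI-Access: honour the per-switch flag instead of a blanket yes.
    return ($switch->cliAccessEnabled() ? $TRUE : $FALSE) if $type == $CLI_ACCESS;

    # Anything else is an explicit reject, so unknown types never slip through.
    return $FALSE;
}

# Constructed scenarios: the FortiGate web-auth request that was classified
# as CLI-Access, the same request against a switch without CLI access,
# a normal wired 802.1X request, and an unknown type.
my $fortigate = MockSwitch->new(cli_access => 1);
my $plain     = MockSwitch->new(cli_access => 0, wired_dot1x => 1);

for my $case (
    [ 'FortiGate web-auth classified as CLI-Access', $CLI_ACCESS,   $fortigate ],
    [ 'same request, switch without CLI/VPN Access', $CLI_ACCESS,   $plain     ],
    [ 'wired 802.1X on a dot1x-capable switch',      $WIRED_802_1X, $plain     ],
    [ 'unknown connection type',                     99,            $plain     ],
) {
    my ($label, $type, $switch) = @$case;
    my $ok = is_switch_supported({ connection_type => $type, switch => $switch });
    printf "%-46s -> %s\n", $label,
        $ok ? 'continue authorization' : 'REJECT (switch unsupported)';
}
```

Run it with plain `perl`; the first and third scenarios continue, the second and fourth are rejected. The point of the explicit final `return $FALSE` is that a request of a type nobody anticipated is rejected on purpose and with a log line, rather than accepted because a branch was missing.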