Re: [PacketFence-users] sponsored access
Any thoughts on this guys? Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 08 July 2016 15:19 To: packetfence-users@lists.sourceforge.net Subject: Re: [PacketFence-users] sponsored access Apologies for the barrage of emails. I think this is now something to do with the captive portal detection on androids, as it seems that after about 20-30 seconds of being in the captive portal the device then decides it has no internet access, which timing wise coincides with roughly the amount of time that was taking place between sending the sponsored request and the staff member accepting the invite (in production this will actually be a lot longer). Looking at httpd.portal.access log I see the following: 192.168.225.28 - - [07/Jul/2016:14:35:11 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:19 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MOB30M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:21 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:23 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" Which looks to me like one of the generate_204 gets is actually getting a 302 response back. I do have the Captive Portal detection mechanism bypass option ticked, so I'm not sure why this is still receiving a redirect. Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 08 July 2016 14:32 To: packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net> Subject: Re: [PacketFence-users] sponsored access As an update, this isn't happening with a laptop, so might be something to do with the Android device, but something is definitely stopping it communicating with whatever part of the internet it requires as soon as it is pending approval. Maybe a particular entry needs to be added to the captive portal detection for this OS version? Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 07 July 2016 15:15 To: packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net> Subject: [PacketFence-users] sponsored access Hi all, I'm having trouble with my sponsored guest access where the registration isn't completing until the guest node leaves and then reconnects to the captive portal, when packetfence then sees the registered mac address and puts the node in the correct vlan. This doesn't seem to be happening with my email registered guests. Log snippet of the point until the registration process halts: Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk<mailto:amor...@cardiffmet.ac.uk> from andi.mor...@gmail.com<mailto:andi.mor...@gmail.com> successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Sponsor needs
Re: [PacketFence-users] sponsored access
Apologies for the barrage of emails. I think this is now something to do with the captive portal detection on androids, as it seems that after about 20-30 seconds of being in the captive portal the device then decides it has no internet access, which timing wise coincides with roughly the amount of time that was taking place between sending the sponsored request and the staff member accepting the invite (in production this will actually be a lot longer). Looking at httpd.portal.access log I see the following: 192.168.225.28 - - [07/Jul/2016:14:35:11 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:19 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5 Build/MOB30M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/51.0.2704.81 Mobile Safari/537.36" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:20 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:21 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" 192.168.225.28 - - [07/Jul/2016:14:35:23 +0100] "GET /generate_204 HTTP/1.1" 302 1147 "-" "Dalvik/2.1.0 (Linux; U; Android 6.0.1; Nexus 5 Build/MOB30M)" Which looks to me like one of the generate_204 gets is actually getting a 302 response back. I do have the Captive Portal detection mechanism bypass option ticked, so I'm not sure why this is still receiving a redirect. Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 08 July 2016 14:32 To: packetfence-users@lists.sourceforge.net Subject: Re: [PacketFence-users] sponsored access As an update, this isn't happening with a laptop, so might be something to do with the Android device, but something is definitely stopping it communicating with whatever part of the internet it requires as soon as it is pending approval. Maybe a particular entry needs to be added to the captive portal detection for this OS version? Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 07 July 2016 15:15 To: packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net> Subject: [PacketFence-users] sponsored access Hi all, I'm having trouble with my sponsored guest access where the registration isn't completing until the guest node leaves and then reconnects to the captive portal, when packetfence then sees the registered mac address and puts the node in the correct vlan. This doesn't seem to be happening with my email registered guests. Log snippet of the point until the registration process halts: Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk<mailto:amor...@cardiffmet.ac.uk> from andi.mor...@gmail.com<mailto:andi.mor...@gmail.com> successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Sponsor needs to authenticate in order to activate guest. Guest token: 3386be07684696d271b7f891b6a729d7 (captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Memory configuration is not valid anymore
Re: [PacketFence-users] sponsored access
As an update, this isn't happening with a laptop, so might be something to do with the Android device, but something is definitely stopping it communicating with whatever part of the internet it requires as soon as it is pending approval. Maybe a particular entry needs to be added to the captive portal detection for this OS version? Cheers, Andi From: Morris, Andi [mailto:amor...@cardiffmet.ac.uk] Sent: 07 July 2016 15:15 To: packetfence-users@lists.sourceforge.net Subject: [PacketFence-users] sponsored access Hi all, I'm having trouble with my sponsored guest access where the registration isn't completing until the guest node leaves and then reconnects to the captive portal, when packetfence then sees the registered mac address and puts the node in the correct vlan. This doesn't seem to be happening with my email registered guests. Log snippet of the point until the registration process halts: Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Sponsor needs to authenticate in order to activate guest. Guest token: 3386be07684696d271b7f891b6a729d7 (captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:31 httpd.portal(22552) ERROR: [mac:0] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [DCLL01] Authentication successful for sm18818 (pf::Authentication::Source::LDAPSource::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Authentication successful for 'sm18818' in source DCLL01 (AD) (pf::authentication::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Successfully authenticated sm18818/192.168.42.42/0 (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources DCLL01 for matching (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources sponsor for matching (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Matched rule (Staff_Sponsor) in source sponsor, returning actions. (pf::Authentication::Source::match) Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] a new temporary account has been requested for andi.mor...@gmail.com. Deleting previous entry (pf::password::generate) Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] new temporary
[PacketFence-users] sponsored access
Hi all, I'm having trouble with my sponsored guest access where the registration isn't completing until the guest node leaves and then reconnects to the captive portal, when packetfence then sees the registered mac address and puts the node in the correct vlan. This doesn't seem to be happening with my email registered guests. Log snippet of the point until the registration process halts: Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:20 httpd.portal(22569) INFO: [mac:0] Sponsor needs to authenticate in order to activate guest. Guest token: 3386be07684696d271b7f891b6a729d7 (captiveportal::PacketFence::Controller::Activate::Email::doSponsorRegistration) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Memory configuration is not valid anymore for key interfaces::management_network in local cached_hash (pfconfig::cached::is_valid) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:unknown] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Unable to match MAC address to IP '192.168.42.42' (pf::iplog::ip2mac) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [cc:fa:00:f4:4a:c3] Activation code sent to email amor...@cardiffmet.ac.uk from andi.mor...@gmail.com successfully verified. for activation type: sponsor (pf::activation::validate_code) Jul 07 14:39:31 httpd.portal(22552) ERROR: [mac:0] unable to read password file '/usr/local/pf/conf/admin.conf' (pf::Authentication::Source::HtpasswdSource::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] [DCLL01] Authentication successful for sm18818 (pf::Authentication::Source::LDAPSource::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Authentication successful for 'sm18818' in source DCLL01 (AD) (pf::authentication::authenticate) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Successfully authenticated sm18818/192.168.42.42/0 (captiveportal::PacketFence::Controller::Authenticate::authenticationLogin) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources DCLL01 for matching (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) WARN: [mac:0] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Using sources sponsor for matching (pf::authentication::match) Jul 07 14:39:31 httpd.portal(22552) INFO: [mac:0] Matched rule (Staff_Sponsor) in source sponsor, returning actions. (pf::Authentication::Source::match) Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] a new temporary account has been requested for andi.mor...@gmail.com. Deleting previous entry (pf::password::generate) Jul 07 14:39:32 httpd.portal(22552) INFO: [mac:0] new temporary account successfully generated (pf::password::generate) At this point the node is still marked as unregistered in the admin GUI and the device is saying that registration is pending approval. I've noticed that as soon as the sponsor email gets sent the node reports as losing internet access, which is why I think the transaction never finishes. I wonder if there is something strange going on when the node is pending registration. I'm running version 6.2.0 on CentOS and the device I'm testing with is an Android