Re: [PacketFence-users] Huawei AC6005 Wireless Controller doesn’t support Web Auth. #4790

[Jorge Nolla via PacketFence-users]

Hi Fabrice,

This is the sequence:

Feb  2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:32.663] 
portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/201/201 200 7146 - 
- ---- 3/1/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
Feb  2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:37.905] 
portal-http-10.0.255.99 static/127.0.0.1 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0 
0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838705224 
HTTP/1.1"
Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:43.927] 
portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/122/122 302 1018 
- - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET 
/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin 
HTTP/1.1"
Feb  2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 [02/Feb/2022:14:51:44.060] 
portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 0/0/0/129/129 200 7146 - 
- ---- 4/2/0/0/0 0/0 {wifi.fispy.mx} "GET /access?lang= HTTP/1.1"
Feb  2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 [02/Feb/2022:14:51:49.219] 
portal-http-10.0.255.99 static/127.0.0.1 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0 
0/0 {10.0.255.99} "GET /common/network-access-detection.gif?r=1643838716546 
HTTP/1.1"
Feb  2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 [02/Feb/2022:14:51:55.287] 
portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/136/136 302 1018 
- - ---- 4/1/0/0/0 0/0 {wifi.fispy.mx} "GET 
/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin 
HTTP/1.1”



> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <oeufd...@gmail.com> wrote:
> 
> Hello Jorge,
> 
> i will have a look closer.
> But i have a question, when the device is forwarded to the captive portal, 
> (just before 
> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>  
> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin>)
>  , what is the url ?
> You should be able to see it in the haproxy-portal.log file.
> 
> Regards
> Fabrice
> 
> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <jno...@gmail.com 
> <mailto:jno...@gmail.com>> a écrit :
> Hi Fabrice,
> 
> 
> We almost have the configuration working, but are not sure how to get the 
> redirect to the client to work correctly. Attached is the documentation for 
> Cisco ISE which we used for PacketFence as well.
> 
> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC.
> 
> This is the format the client should get from PacketFence. This is the only 
> piece we are missing for this to work.
> https://portal.fispy.mx:8443/login?username=($username)&password=($password) 
> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
> 
> 
> If we manually click on the link above, then the flow of traffic works 
> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. The 
> problem is that when the user logs in to the portal the redirect is broken. 
> The parameter for the redirect that PacketFence is serving, comes from a 
> configuration parameter within the AC. This configuration works fine for 
> Cisco ISE, but the URL format is not working for PacketFence.
> 
> 
> When we configure the redirect this is what the client is getting from 
> PacketFence
> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>  
> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin>
> 
> 
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal 
> <https://wifi.fispy.mx/captive-portal>
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login 
> <https://portal.fispy.mx:8443/login>  <<< THIS IS THE PARAMETER FOR THE 
> REDIRECT TO PACKETFENCE
> 
> 
> 
> AC CONFIG
> 
> authentication-profile name PacketFence
>  portal-access-profile PacketFence
>  free-rule-template default_free_rule
>  authentication-scheme PacketFence
>  accounting-scheme PacketFence
>  radius-server PacketFence
>  force-push url https://www.fispy.mx <https://www.fispy.mx/>
> 
> radius-server template PacketFence
>  radius-server shared-key cipher 
> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>  radius-server authentication 10.0.255.99 1812 source ip-address 10.7.255.2 
> weight 90
>  radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 
> weight 80
>  undo radius-server user-name domain-included
>  calling-station-id mac-format unformatted
>  called-station-id wlan-user-format ac-mac
>  radius-server attribute translate
>  radius-attribute disable HW-NAS-Startup-Time-Stamp send
>  radius-attribute disable HW-IP-Host-Address send
>  radius-attribute disable HW-Connect-ID send
>  radius-attribute disable HW-Version send
>  radius-attribute disable HW-Product-ID send
>  radius-attribute disable HW-Domain-Name send
>  radius-attribute disable HW-User-Extend-Info send
> 
> url-template name PacketFence
>  url https://wifi.fispy.mx/captive-portal 
> <https://wifi.fispy.mx/captive-portal>
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login 
> <https://portal.fispy.mx:8443/login>  <<< THIS IS THE PARAMETER FOR THE 
> REDIRECT TO PACKETFENCE
> 
> web-auth-server PacketFence
>  server-ip 10.0.255.99
>  port 443
>  url-template PacketFence
>  protocol http
>  http get-method enable
> 
> portal-access-profile name PacketFence
>  web-auth-server PacketFence direct
> 
> 
> authentication-scheme PacketFence
>   authentication-mode radius
> 
> wlan
>  security-profile name FISPY-WiFi
> 
>  vap-profile name FISPY-WiFi
>   service-vlan vlan-id 900
>   permit-vlan vlan-id 900
>   ssid-profile FISPY-WiFi
>   security-profile FISPY-WiFi
>   authentication-profile PacketFence
>   sta-network-detect disable
>   service-experience-analysis enable
>   mdns-snooping enable
> 
> 
> 
> 
> ###CISCO ISE CONFIG TO COMPARE###
> 
> url-template name CISCO-ISE
>  url 
> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>  
> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02>
>  parameter start-mark #
>  url-parameter login-url switch_url https://portal.fispy.mx:8443/login 
> <https://portal.fispy.mx:8443/login>
> 
> ####################################
> 
> 
> 
> 
> 
> 
>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <oeufd...@gmail.com 
>> <mailto:oeufd...@gmail.com>> wrote:
>> 
>> Hello Jorge,
>> 
>> do you have any Huawei documentation to implement that ?
>> 
>> Regards
>> Fabrice
>> 
>> 
>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users 
>> <packetfence-users@lists.sourceforge.net 
>> <mailto:packetfence-users@lists.sourceforge.net>> a écrit :
>> Hi Team,
>> 
>> We were wondering if anyone has had any success in configuring Web Auth for 
>> the Huawei AC? It’s somewhat critical for us to get this going.
>> 
>> Thank you!
>> Jorge
>> 
>> _______________________________________________
>> PacketFence-users mailing list  
>> PacketFence-users@lists.sourceforge.net 
>> <mailto:PacketFence-users@lists.sourceforge.net>
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users 
>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
> 
>  
> 



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users