Hi Fabrice This is the GET the AC is expecting: https://portal.fispy.mx:8443/login?username=($username)&password=($password) <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
If successful it will return as per image below. If it fails the AC will redirect back to the Portal Here is the configuration: url-template name PacketFence url https://wifi.fispy.mx/captive-portal url-parameter login-url destination_url https://portal.fispy.mx:8443/login?username=($username)&password=($password) HA Proxy output Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266 [06/Feb/2022:16:44:26.153] portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx} "GET /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password) HTTP/1.1" Only problem is that PacketFence is not updating the dynamic values with username and password for it to work AC = Access Controller. This manages the APs’ as they are operating in Fit/Lightweight mode. AP = Access Points. These are the actual radios. Best Regards, Jorge > On Feb 6, 2022, at 4:40 PM, Fabrice Durand <[email protected]> wrote: > > Hello Jorge, > > i have what i need at least to be able to support the web-auth. > The only thing i am not sure is at the end of the registration process what > we are supposed to do. > > I will create a branch on github in order for you to test. (it will be an > update of the Huawei switch module). > > For information, what is the ac-ip ac-mac versus ap-ip ap-mac ? > > Regards > Fabrice > > > Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <[email protected] > <mailto:[email protected]>> a écrit : > If I try to manually send the redirect in the browser here is what HA proxy > records. This is a simple copy and paste in the browser and the output: > > https://wifi.fispy.mx/captive-portal > <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 > <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> > > 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET > /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3 > <https://portal.fispy.mx:8443/login?username=539z&password=0uf3> HTTP/1.1" > > > It doesn’t let it go through as it seems that is trying to validate network > connectivity > > >> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <[email protected] >> <mailto:[email protected]>> wrote: >> >> Seems weird how the format of the URL is recorded/sent >> >> >> Here is a normal redirect, the url is formatted correctly, >> >> >> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577 >> <http://10.99.1.20:63577/> [06/Feb/2022:16:03:41.232] >> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >> 0/0/1/233/234 200 4910 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx >> <http://wifi.fispy.mx/>} "GET >> /captive-portal?destination_url=https://www.fispy.mx/ >> <https://www.fispy.mx/> HTTP/1.1" >> >> I’m not sure why the value sent by the AP has all the % and weird symbols >> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login> >> >> >>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <[email protected] >>> <mailto:[email protected]>> wrote: >>> >>> Hi Fabrice, >>> >>> Here are the options that can be added: >>> >>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ? >>> ap-group-name AP group name >>> ap-ip AP IP address >>> ap-location AP location >>> ap-mac AP MAC address >>> ap-name AP name >>> device-ip Device IP address >>> device-mac Device MAC address >>> login-url Device's login URL provided to the external portal server >>> mac-address Mac address >>> redirect-url The url in user original http packet >>> set Set >>> ssid SSID >>> sysname Device name >>> user-ipaddress User IP address >>> user-mac User MAC address >>> >>> >>> url-template name PacketFence >>> url https://wifi.fispy.mx/captive-portal >>> <https://wifi.fispy.mx/captive-portal> >>> url-parameter device-ip ac-ip user-ipaddress userip ssid ssid user-mac >>> ap-mac >>> >>> >>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} >>> "GET >>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9 >>> HTTP/1.1" >>> >>> >>> If we do not specify the URL on this configuration, where would PacketFence >>> get the value for the AC Web Authentication call? >>> >>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>> >>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>> >>> Best Regards, >>> Jorge >>> >>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand <[email protected] >>>> <mailto:[email protected]>> wrote: >>>> >>>> Hello Jorge, >>>> >>>> what we need is the user mac and the ap information. >>>> I found that >>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template >>>> >>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template> >>>> >>>> Is it possible to add extra parameters like user-mac ssid ap-ip ap-mac ? >>>> >>>> And if yes can you provide me the url generated by the controller when it >>>> redirect ? (haproxy-portal log) >>>> >>>> Regards >>>> Fabrice >>>> >>>> >>>> >>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla <[email protected] >>>> <mailto:[email protected]>> a écrit : >>>> Hi Team, >>>> >>>> Any input on this? We really would like to get this to work. >>>> >>>> Thank you! >>>> Jorge >>>> >>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <[email protected] >>>>> <mailto:[email protected]>> wrote: >>>>> >>>>> Hi Fabrice, >>>>> >>>>> This is the sequence: >>>>> >>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132 >>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663] >>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >>>>> 0/0/0/201/201 200 7146 - - ---- 3/1/0/0/0 0/0 {wifi.fispy.mx >>>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133 >>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905] >>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/2/2 >>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>> /common/network-access-detection.gif?r=1643838705224 HTTP/1.1" >>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130 >>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927] >>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>> HTTP/1.1" >>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132 >>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060] >>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1 <http://127.0.0.1/> >>>>> 0/0/0/129/129 200 7146 - - ---- 4/2/0/0/0 0/0 {wifi.fispy.mx >>>>> <http://wifi.fispy.mx/>} "GET /access?lang= HTTP/1.1" >>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133 >>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219] >>>>> portal-http-10.0.255.99 static/127.0.0.1 <http://127.0.0.1/> 0/0/0/1/1 >>>>> 200 228 - - ---- 4/2/0/0/0 0/0 {10.0.255.99} "GET >>>>> /common/network-access-detection.gif?r=1643838716546 HTTP/1.1" >>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130 >>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287] >>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1 >>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ---- 4/1/0/0/0 0/0 >>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET >>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>> HTTP/1.1” >>>>> >>>>> >>>>> >>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand <[email protected] >>>>>> <mailto:[email protected]>> wrote: >>>>>> >>>>>> Hello Jorge, >>>>>> >>>>>> i will have a look closer. >>>>>> But i have a question, when the device is forwarded to the captive >>>>>> portal, (just before >>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>> >>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>) >>>>>> , what is the url ? >>>>>> You should be able to see it in the haproxy-portal.log file. >>>>>> >>>>>> Regards >>>>>> Fabrice >>>>>> >>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla <[email protected] >>>>>> <mailto:[email protected]>> a écrit : >>>>>> Hi Fabrice, >>>>>> >>>>>> >>>>>> We almost have the configuration working, but are not sure how to get >>>>>> the redirect to the client to work correctly. Attached is the >>>>>> documentation for Cisco ISE which we used for PacketFence as well. >>>>>> >>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei AC. >>>>>> >>>>>> This is the format the client should get from PacketFence. This is the >>>>>> only piece we are missing for this to work. >>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password) >>>>>> >>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)> >>>>>> >>>>>> >>>>>> If we manually click on the link above, then the flow of traffic works >>>>>> correctly CLIENT > AC > RADIUS (PacketFence), and authentication works. >>>>>> The problem is that when the user logs in to the portal the redirect is >>>>>> broken. The parameter for the redirect that PacketFence is serving, >>>>>> comes from a configuration parameter within the AC. This configuration >>>>>> works fine for Cisco ISE, but the URL format is not working for >>>>>> PacketFence. >>>>>> >>>>>> >>>>>> When we configure the redirect this is what the client is getting from >>>>>> PacketFence >>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin >>>>>> >>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin> >>>>>> >>>>>> >>>>>> url-template name PacketFence >>>>>> url https://wifi.fispy.mx/captive-portal >>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE >>>>>> REDIRECT TO PACKETFENCE >>>>>> >>>>>> >>>>>> >>>>>> AC CONFIG >>>>>> >>>>>> authentication-profile name PacketFence >>>>>> portal-access-profile PacketFence >>>>>> free-rule-template default_free_rule >>>>>> authentication-scheme PacketFence >>>>>> accounting-scheme PacketFence >>>>>> radius-server PacketFence >>>>>> force-push url https://www.fispy.mx <https://www.fispy.mx/> >>>>>> >>>>>> radius-server template PacketFence >>>>>> radius-server shared-key cipher >>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%# >>>>>> radius-server authentication 10.0.255.99 1812 source ip-address >>>>>> 10.7.255.2 weight 90 >>>>>> radius-server accounting 10.0.255.99 1813 source ip-address 10.7.255.2 >>>>>> weight 80 >>>>>> undo radius-server user-name domain-included >>>>>> calling-station-id mac-format unformatted >>>>>> called-station-id wlan-user-format ac-mac >>>>>> radius-server attribute translate >>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send >>>>>> radius-attribute disable HW-IP-Host-Address send >>>>>> radius-attribute disable HW-Connect-ID send >>>>>> radius-attribute disable HW-Version send >>>>>> radius-attribute disable HW-Product-ID send >>>>>> radius-attribute disable HW-Domain-Name send >>>>>> radius-attribute disable HW-User-Extend-Info send >>>>>> >>>>>> url-template name PacketFence >>>>>> url https://wifi.fispy.mx/captive-portal >>>>>> <https://wifi.fispy.mx/captive-portal> >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE PARAMETER FOR THE >>>>>> REDIRECT TO PACKETFENCE >>>>>> >>>>>> web-auth-server PacketFence >>>>>> server-ip 10.0.255.99 >>>>>> port 443 >>>>>> url-template PacketFence >>>>>> protocol http >>>>>> http get-method enable >>>>>> >>>>>> portal-access-profile name PacketFence >>>>>> web-auth-server PacketFence direct >>>>>> >>>>>> >>>>>> authentication-scheme PacketFence >>>>>> authentication-mode radius >>>>>> >>>>>> wlan >>>>>> security-profile name FISPY-WiFi >>>>>> >>>>>> vap-profile name FISPY-WiFi >>>>>> service-vlan vlan-id 900 >>>>>> permit-vlan vlan-id 900 >>>>>> ssid-profile FISPY-WiFi >>>>>> security-profile FISPY-WiFi >>>>>> authentication-profile PacketFence >>>>>> sta-network-detect disable >>>>>> service-experience-analysis enable >>>>>> mdns-snooping enable >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> ###CISCO ISE CONFIG TO COMPARE### >>>>>> >>>>>> url-template name CISCO-ISE >>>>>> url >>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02 >>>>>> >>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02> >>>>>> parameter start-mark # >>>>>> url-parameter login-url switch_url https://portal.fispy.mx:8443/login >>>>>> <https://portal.fispy.mx:8443/login> >>>>>> >>>>>> #################################### >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand <[email protected] >>>>>>> <mailto:[email protected]>> wrote: >>>>>>> >>>>>>> Hello Jorge, >>>>>>> >>>>>>> do you have any Huawei documentation to implement that ? >>>>>>> >>>>>>> Regards >>>>>>> Fabrice >>>>>>> >>>>>>> >>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via PacketFence-users >>>>>>> <[email protected] >>>>>>> <mailto:[email protected]>> a écrit : >>>>>>> Hi Team, >>>>>>> >>>>>>> We were wondering if anyone has had any success in configuring Web Auth >>>>>>> for the Huawei AC? It’s somewhat critical for us to get this going. >>>>>>> >>>>>>> Thank you! >>>>>>> Jorge >>>>>>> >>>>>>> _______________________________________________ >>>>>>> PacketFence-users mailing list >>>>>>> [email protected] >>>>>>> <mailto:[email protected]> >>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users >>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users> >>>>>> >>>>>> >>>>>> >>>>> >>>> >>> >> >
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
