Hi Fabrice,
This is the output when It receives an accounting message from the controller:
^C[root@wifi jnolla]# radsniff -i any -f "port 1813" -x
Logging all events
Sniffing on (any)
2022-02-09 18:10:33.642001 (1) Accounting-Request Id 147 any:10.7.255.2:62395
-> 10.0.255.99:1813 +0.000
User-Name = "62:ca:49:92:a0:3d"
NAS-IP-Address = 10.7.255.2
NAS-Port = 900
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.9.239.159
Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
Calling-Station-Id = "62ca-4992-a03d"
NAS-Identifier = "AirEngine9700-M1"
NAS-Port-Type = Wireless-802.11
Acct-Status-Type = Interim-Update
Acct-Delay-Time = 0
Acct-Input-Octets = 131762920
Acct-Output-Octets = 194531281
Acct-Session-Id = "AirEngi0000000000090083f40606001b4"
Acct-Authentic = RADIUS
Acct-Session-Time = 33887
Acct-Input-Packets = 211695
Acct-Output-Packets = 221103
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = "Feb 9 2022 18:10:32 MST"
NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
Huawei-User-Mac = "\000\000\000\003"
Authenticator-Field = 0x86cc68cf43a59904f7d3c0e36e910008
2022-02-09 18:10:33.661871 (2) Accounting-Response Id 147 any:10.7.255.2:62395
<- 10.0.255.99:1813 +0.019 +0.019
Reply-Message = "Accounting ok"
Authenticator-Field = 0xdfccea5174f4312f6e0784825583dbdf
2022-02-09 18:10:38.861871 (1) Cleaning up request packet ID 147
2022-02-09 18:10:49.323597 (3) Accounting-Request Id 148 any:10.7.255.2:62395
-> 10.0.255.99:1813 +15.681
User-Name = "62:ca:49:92:a0:3d"
NAS-IP-Address = 10.7.255.2
NAS-Port = 900
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 10.9.239.159
Called-Station-Id = "C0-F6-C2-A5-C4-D0:FISPY-WiFi"
Calling-Station-Id = "62ca-4992-a03d"
NAS-Identifier = "AirEngine9700-M1"
NAS-Port-Type = Wireless-802.11
Acct-Status-Type = Interim-Update
Acct-Delay-Time = 0
Acct-Input-Octets = 131775665
Acct-Output-Octets = 194533397
Acct-Session-Id = "AirEngi0000000000090083f40606001b4"
Acct-Authentic = RADIUS
Acct-Session-Time = 33902
Acct-Input-Packets = 211773
Acct-Output-Packets = 221123
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Event-Timestamp = "Feb 9 2022 18:10:48 MST"
NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
Huawei-User-Mac = "\000\000\000\003"
Authenticator-Field = 0x3fbec8864dcb325273ce4ba1da28e690
2022-02-09 18:10:49.342798 (4) Accounting-Response Id 148 any:10.7.255.2:62395
<- 10.0.255.99:1813 +15.700 +0.019
Reply-Message = "Accounting ok"
Authenticator-Field = 0x15b54405e404decb5b3db3f58cc8d2cb
2022-02-09 18:10:54.542798 (3) Cleaning up request packet ID 148
> On Feb 9, 2022, at 6:04 PM, Fabrice Durand <[email protected]> wrote:
>
> You have to restart pfacct and radiusd-acct.
>
> And check the accounting packet, not sure you have the realm in the username
> attribute.
>
> raddebug -f /usr/local/pf/var/run/radiusd-acct.sock -t 300
> or
> radsniff -i any -f "port 1813" -x
>
> Regards
> Fabrice
>
> Le mer. 9 févr. 2022 à 19:57, Jorge Nolla <[email protected]
> <mailto:[email protected]>> a écrit :
> I noticed pfacct running and made the change, still no luck.
>
> <Screen Shot 2022-02-09 at 5.56.32 PM.png>
>
>> On Feb 9, 2022, at 5:55 PM, Fabrice Durand <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>> Hello Jorge,
>> you have to enable radius-acct service.
>>
>> It´s radius-acct who is able to proxy the request to another server, not
>> pfacct (btw you can keep it enabled).
>>
>> Regards
>> Fabrice
>>
>>
>> Le mer. 9 févr. 2022 à 19:21, Jorge Nolla <[email protected]
>> <mailto:[email protected]>> a écrit :
>>
>> Another configuration file with references to the billing server Splynx:
>>
>> [root@wifi raddb]# cat mods-config/perl/multi_domain_constants.pm
>> <http://multi_domain_constants.pm/>
>> package multi_domain_constants;
>>
>> our $VAR1 = {
>> '1' => {
>> 'ConfigRealm' => {
>> 'local' => {
>> 'radius_strip_username'
>> => 'disabled',
>> 'eap' => 'default',
>> 'admin_strip_username' =>
>> 'disabled',
>> 'portal_strip_username'
>> => 'disabled'
>> },
>> 'default' => {
>>
>> 'radius_acct_proxy_type' => 'load-balance',
>>
>> 'radius_auth_compute_in_pf' => 'disabled',
>>
>> 'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>>
>> 'radius_auth_proxy_type' => 'keyed-balance',
>> 'portal_strip_username'
>> => 'disabled',
>> 'admin_strip_username'
>> => 'disabled',
>> 'radius_auth' => '',
>> 'radius_strip_username'
>> => 'disabled',
>> 'eap' => 'default',
>> 'eduroam_radius_acct'
>> => '',
>>
>> 'eduroam_radius_acct_proxy_type' => 'load-balance',
>>
>> 'permit_custom_attributes' => 'disabled',
>>
>> 'eduroam_radius_auth_compute_in_pf' => 'enabled',
>> 'eduroam_radius_auth'
>> => '',
>> 'radius_acct' => ''
>> },
>> 'null' => {
>> 'eap' => 'default',
>> 'radius_strip_username' =>
>> 'disabled',
>> 'admin_strip_username' =>
>> 'disabled',
>> 'portal_strip_username' =>
>> 'disabled'
>> },
>> 'fispy.mx <http://fispy.mx/>' => {
>> 'eduroam_radius_acct'
>> => '',
>> 'eap' => 'default',
>>
>> 'radius_strip_username' => 'enabled',
>> 'admin_strip_username'
>> => 'enabled',
>> 'radius_auth' =>
>> 'Splynx',
>>
>> 'portal_strip_username' => 'enabled',
>>
>> 'eduroam_radius_auth_proxy_type' => 'keyed-balance',
>>
>> 'radius_auth_proxy_type' => 'keyed-balance',
>>
>> 'radius_acct_proxy_type' => 'load-balance',
>>
>> 'radius_auth_compute_in_pf' => 'enabled',
>> 'eduroam_radius_auth'
>> => '',
>> 'radius_acct' =>
>> 'Splynx',
>>
>> 'eduroam_radius_auth_compute_in_pf' => 'enabled',
>>
>> 'eduroam_radius_acct_proxy_type' => 'load-balance',
>>
>> 'permit_custom_attributes' => 'disabled'
>> }
>> },
>> 'ConfigDomain' => {},
>> 'ConfigOrderedRealm' => [
>> 'default',
>> 'local',
>> 'null',
>> 'fispy.mx <http://fispy.mx/>'
>> ]
>> },
>> '0' => {
>> 'ConfigDomain' => {},
>> 'ConfigRealm' => {},
>> 'ConfigOrderedRealm' => []
>> }
>> };
>> our $DATA = $VAR1;
>> 1;
>> [root@wifi raddb]#
>>
>>
>>
>>> On Feb 9, 2022, at 5:19 PM, Jorge Nolla <[email protected]
>>> <mailto:[email protected]>> wrote:
>>>
>>> Hi Team,
>>>
>>> Still can’t get accounting to proxy to the billing server. I don’t see the
>>> configuration on the proxy.conf so I imagine is pulling from this file.
>>>
>>>
>>> [root@wifi raddb]# cat proxy.conf.inc
>>> # This file is generated from a template at
>>> /usr/local/pf/conf/radiusd/proxy.conf.inc
>>> # Any changes made to this file will be lost on restart
>>>
>>> # Eduroam integration is not configured
>>>
>>> realm default {
>>>
>>> }
>>> realm local {
>>>
>>> }
>>> realm null {
>>>
>>> }
>>> realm fispy.mx <http://fispy.mx/> {
>>>
>>> auth_pool = auth_pool_fispy.mx <http://auth_pool_fispy.mx/>
>>> acct_pool = acct_pool_fispy.mx <http://acct_pool_fispy.mx/>
>>> }
>>> home_server_pool auth_pool_fispy.mx <http://auth_pool_fispy.mx/> {
>>> type = keyed-balance
>>> home_server = Splynx
>>> }
>>>
>>> home_server_pool acct_pool_fispy.mx <http://acct_pool_fispy.mx/> {
>>> type = load-balance
>>> home_server = Splynx
>>> }
>>>
>>>
>>> realm eduroam.default {
>>>
>>> }
>>>
>>> realm eduroam.local {
>>>
>>> }
>>>
>>> realm eduroam.null {
>>>
>>> }
>>>
>>> realm eduroam.fispy.mx <http://eduroam.fispy.mx/> {
>>>
>>> }
>>>
>>>
>>>
>>>
>>> home_server Splynx {
>>> ipaddr = 10.0.254.100
>>> port = 1812
>>> secret = @Put@Madr3
>>> type = auth+acct
>>> status_check = status-server
>>> }
>>>
>>>
>>>
>>> # pfacct configuration
>>>
>>> realm pfacct {
>>> acct_pool = pfacct_pool
>>> nostrip
>>> }
>>>
>>> home_server_pool pfacct_pool {
>>> home_server = pfacct_local
>>> }
>>>
>>> home_server pfacct_local {
>>> type = acct
>>> ipaddr = 127.0.0.1
>>> port = 1813
>>> secret = 'ZDQ3YzUzMjkxM2M1NjBhM2IyMTJjNWE0'
>>> src_ipaddr = 10.0.255.99
>>> }
>>>
>>>> On Feb 8, 2022, at 11:51 AM, Jorge Nolla <[email protected]
>>>> <mailto:[email protected]>> wrote:
>>>>
>>>> Fabrice,
>>>>
>>>> For some reason I cannot get accounting forwarding to the Billing/Radius
>>>> Server. This server has the plans for the customers.
>>>>
>>>> <Screen Shot 2022-02-08 at 11.48.23 AM.png>
>>>>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.50.20 AM.png>
>>>>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.48.01 AM.png>
>>>>
>>>>
>>>> <Screen Shot 2022-02-08 at 11.51.33 AM.png>
>>>>
>>>>> On Feb 8, 2022, at 11:39 AM, Jorge Nolla <[email protected]
>>>>> <mailto:[email protected]>> wrote:
>>>>>
>>>>> Hi Fabrice,
>>>>>
>>>>> It worked. I had to change to HTTPS and DNS for the cert on the server to
>>>>> work. We also changed the method to GET. Will try POST, not sure if this
>>>>> will make a difference.
>>>>>
>>>>> my $html_form = qq[
>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>>>> action="https://portal.fispy.mx:8443/login
>>>>> <https://portal.fispy.mx:8443/login>">
>>>>> <input type="hidden" name="username" value="$mac">
>>>>> <input type="hidden" name="password" value="$mac">
>>>>> </form>
>>>>> <script src="/content/autosubmit.js"
>>>>> type="text/javascript"></script>
>>>>>
>>>>> Here is the a sample of the radius info on PF. Top entry is with new
>>>>> configuration MAC address as username. Bottom one is the old
>>>>> configuration, where we were submitting the url request manually.
>>>>>
>>>>> <Screen Shot 2022-02-08 at 11.34.52 AM.png>
>>>>>
>>>>>
>>>>>> On Feb 8, 2022, at 9:30 AM, Fabrice Durand <[email protected]
>>>>>> <mailto:[email protected]>> wrote:
>>>>>>
>>>>>> Yes, that's it.
>>>>>>
>>>>>> Le mar. 8 févr. 2022 à 11:23, Jorge Nolla <[email protected]
>>>>>> <mailto:[email protected]>> a écrit :
>>>>>> Fabrice,
>>>>>>
>>>>>> The document you had provided didn’t layout the configuration steps. I
>>>>>> think this might be the correct document for the configuration you are
>>>>>> referring. If you have a chance take a look and let me know.
>>>>>>
>>>>>> https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064
>>>>>> <https://support.huawei.com/enterprise/mx/knowledge/EKB1100055064>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> On Feb 8, 2022, at 9:14 AM, Fabrice Durand <[email protected]
>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>
>>>>>>> You can try that instead:
>>>>>>>
>>>>>>> my $html_form = qq[
>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="POST"
>>>>>>> action="http://$controller_ip:8443/login
>>>>>>> <http://$controller_ip:8443/login>">
>>>>>>> <input type="hidden" name="username" value="$mac">
>>>>>>> <input type="hidden" name="password" value="$mac">
>>>>>>> </form>
>>>>>>> <script src="/content/autosubmit.js"
>>>>>>> type="text/javascript"></script>
>>>>>>> ];
>>>>>>>
>>>>>>> It will pass the mac address of the device in the radius request as
>>>>>>> username and password instead of the real username and password who has
>>>>>>> been authenticated previously on the portal.
>>>>>>> Then you just need to configure the registration role in the switch
>>>>>>> configuration to be -1 (packetfence side) and if the device is unreg
>>>>>>> then the request will be rejected.
>>>>>>>
>>>>>>>
>>>>>>> Le mar. 8 févr. 2022 à 11:04, Jorge Nolla <[email protected]
>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>> Hi Fabrice,
>>>>>>>
>>>>>>> Let me check what the difference is in configuration on the AC side,
>>>>>>> I’ll report within the hour. Any clues as to why the parameters are not
>>>>>>> being passed?
>>>>>>>
>>>>>>>
>>>>>>>> On Feb 8, 2022, at 8:55 AM, Fabrice Durand <[email protected]
>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>
>>>>>>>> Hello Jorge,
>>>>>>>>
>>>>>>>> i really think that it´s not the correct way to support the web auth
>>>>>>>> in Huawei.
>>>>>>>> The only thing you can do with the portal is to authenticate with a
>>>>>>>> username and password, there is no way to do anything else
>>>>>>>> (sms/email/sponsor/....).
>>>>>>>>
>>>>>>>> Also when you authenticate on the portal , the portal validate your
>>>>>>>> username and password and with the workflow you have it will
>>>>>>>> authenticate twice (portal and radius) and it doesn´t make sense.
>>>>>>>>
>>>>>>>> So if you want to keep this way then you will need a simple html page
>>>>>>>> with a username and password field that post on
>>>>>>>> https://portal.fispy.mx:8443/login
>>>>>>>> <https://portal.fispy.mx:8443/login> then configure packetfence to
>>>>>>>> authenticate the username and password from radius.
>>>>>>>>
>>>>>>>> The other way who looks really better is to use that:
>>>>>>>> (https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2
>>>>>>>>
>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_2>)
>>>>>>>>
>>>>>>>> <download.png>
>>>>>>>>
>>>>>>>> As i said , it´s exactly how it works with the cisco wlc and it will
>>>>>>>> support all authentication mechanisms available on the portal.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>> Fabrice
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Le lun. 7 févr. 2022 à 20:25, Jorge Nolla <[email protected]
>>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>>>
>>>>>>>> Radius request from the AC once it receives the correct values. This
>>>>>>>> is sent back to Radius which in this case is PF
>>>>>>>>
>>>>>>>> User-Name = “5blz” <<< VALUE NEEDED IN URL as username
>>>>>>>> User-Password = "******” <<< VALUE NEEDED IN URL as password
>>>>>>>> NAS-IP-Address = 10.7.255.2
>>>>>>>> NAS-Port = 900
>>>>>>>> Service-Type = Framed-User
>>>>>>>> Framed-Protocol = PPP
>>>>>>>> Framed-IP-Address = 10.9.91.31
>>>>>>>> Called-Station-Id = "c0:f6:c2:a5:c4:d0:FISPY-WiFi"
>>>>>>>> Calling-Station-Id = "f0:2f:4b:14:67:d9"
>>>>>>>> NAS-Identifier = "AirEngine9700-M1"
>>>>>>>> NAS-Port-Type = Wireless-802.11
>>>>>>>> Acct-Session-Id = "AirEngi00000000000900d5d66c0600187"
>>>>>>>> Event-Timestamp = "Feb 7 2022 18:05:13 MST"
>>>>>>>> NAS-Port-Id = "slot=0;subslot=0;port=0;vlanid=900"
>>>>>>>> Huawei-Loopback-Address = "C0F6-C2A5-C4D0"
>>>>>>>> Huawei-User-Mac = "\000\000\000\003"
>>>>>>>> Stripped-User-Name = "5blz"
>>>>>>>> Realm = "null"
>>>>>>>> FreeRADIUS-Client-IP-Address = 10.7.255.2
>>>>>>>> Called-Station-SSID = "FISPY-WiFi"
>>>>>>>> PacketFence-KeyBalanced = "aa86741e358fa86079a91aaf4dc581f9"
>>>>>>>> PacketFence-Radius-Ip = "10.0.255.99"
>>>>>>>> SQL-User-Name = "5blz"
>>>>>>>>
>>>>>>>>> On Feb 7, 2022, at 3:58 PM, Jorge Nolla <[email protected]
>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>
>>>>>>>>> Hi Fabrice,
>>>>>>>>>
>>>>>>>>> I did hardcode as follow:
>>>>>>>>>
>>>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>>>>>>>> action="https://portal.fispy.mx:8443/login?username=bob&password=bob
>>>>>>>>> <https://portal.fispy.mx:8443/login?username=bob&password=bob>"
>>>>>>>>> style="display:none">
>>>>>>>>>
>>>>>>>>> But the redirect which the client is getting, is only this part, not
>>>>>>>>> sure why:
>>>>>>>>>
>>>>>>>>> https://portal.fispy.mx:8443/login?
>>>>>>>>> <https://portal.fispy.mx:8443/login?>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Here is the flow of the External Portal Authentication as per Huawei.
>>>>>>>>> Portal Server - Notify the STA of the login URL
>>>>>>>>> STA - Send the username and password in HTTP GET POST. When this is
>>>>>>>>> configured to use ISE as per the guide, the ISE server sends the
>>>>>>>>> redirect to the STA as per the format.
>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>
>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> <PastedGraphic-1.tiff>
>>>>>>>>>
>>>>>>>>>> On Feb 7, 2022, at 2:51 PM, Fabrice Durand <[email protected]
>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>
>>>>>>>>>> Did you try to hardcode that in the code and see if it works ?
>>>>>>>>>>
>>>>>>>>>> Also i don´t understand the goal of passing the username and
>>>>>>>>>> password , is there any extra check after that ? What happen if the
>>>>>>>>>> user register by sms/email ?
>>>>>>>>>>
>>>>>>>>>> And i just found that:
>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1
>>>>>>>>>>
>>>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008282/4d5793da/understanding-nac#dc_cfg_nac_2006u_1_1>
>>>>>>>>>> Is it something that can be configured on the Hawei ? If yes then it
>>>>>>>>>> will mimic the way the Cisco WLC works.
>>>>>>>>>>
>>>>>>>>>> Regards
>>>>>>>>>> Fabrice
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Le lun. 7 févr. 2022 à 16:01, Jorge Nolla <[email protected]
>>>>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>
>>>>>>>>>> This line needs to be HTTPS for it to work
>>>>>>>>>> <form name="weblogin_form" data-autosubmit="1000" method="GET"
>>>>>>>>>> action="http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>>> <http://$controller_ip:8443/login?username=bob&password=bob>"
>>>>>>>>>> style="display:none”>
>>>>>>>>>>
>>>>>>>>>> This needs to be the username and password which is being entered by
>>>>>>>>>> the user in the PF portal, which is the Radius username and password
>>>>>>>>>> username=bob&password=bob
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> On Feb 7, 2022, at 12:03 PM, Fabrice Durand <[email protected]
>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>
>>>>>>>>>>> I just pushed a fix.
>>>>>>>>>>>
>>>>>>>>>>> cd /usr/local/pf
>>>>>>>>>>> curl
>>>>>>>>>>> https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff
>>>>>>>>>>>
>>>>>>>>>>> <https://github.com/inverse-inc/packetfence/commit/7628afddf46e0226667560dc33df192f9c4cf420.diff>
>>>>>>>>>>> | patch -p1
>>>>>>>>>>> and restart
>>>>>>>>>>>
>>>>>>>>>>> Le lun. 7 févr. 2022 à 13:46, Jorge Nolla <[email protected]
>>>>>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>>>>>> Here are the log outputs for /usr/local/pf/logs/packetfence.log
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]:
>>>>>>>>>>> httpd.portal(61371) INFO: [mac:[undef]] URI '/Huawei' is detected
>>>>>>>>>>> as an external captive portal URI (pf::web::externalportal::handle)
>>>>>>>>>>> Feb 7 11:03:04 wifi packetfence_httpd.portal[61371]:
>>>>>>>>>>> httpd.portal(61371) ERROR: [mac:[undef]] Cannot load perl module
>>>>>>>>>>> for switch type 'pf::Switch::Huawei'. Either switch type is unknown
>>>>>>>>>>> or switch type perl module have compilation errors. See the
>>>>>>>>>>> following message for details: (pf::web::externalportal::handle)
>>>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]:
>>>>>>>>>>> httpd.portal(61370) INFO: [mac:[undef]] URI '/Huawei' is detected
>>>>>>>>>>> as an external captive portal URI (pf::web::externalportal::handle)
>>>>>>>>>>> Feb 7 11:03:06 wifi packetfence_httpd.portal[61370]:
>>>>>>>>>>> httpd.portal(61370) ERROR: [mac:[undef]] Cannot load perl module
>>>>>>>>>>> for switch type 'pf::Switch::Huawei'. Either switch type is unknown
>>>>>>>>>>> or switch type perl module have compilation errors. See the
>>>>>>>>>>> following message for details: (pf::web::externalportal::handle)
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> On Feb 7, 2022, at 10:50 AM, Jorge Nolla <[email protected]
>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>
>>>>>>>>>>>> Here is the output for HAProxy
>>>>>>>>>>>>
>>>>>>>>>>>> Feb 7 10:48:54 wifi haproxy[2285]: 10.9.215.39:63814
>>>>>>>>>>>> <http://10.9.215.39:63814/> [07/Feb/2022:10:48:54.074]
>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/13/13 501 413 - - ---- 2/1/0/0/0 0/0
>>>>>>>>>>>> {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET
>>>>>>>>>>>> /Huawei?ac-ip=10.7.255.2&userip=10.9.215.39&ssid=FISPY-WiFi&ap-mac=f02f4b1467d9
>>>>>>>>>>>> HTTP/1.1”
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> On Feb 7, 2022, at 10:06 AM, Jorge Nolla <[email protected]
>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>
>>>>>>>>>>>>> From the Pf portal after the patch is applied.
>>>>>>>>>>>>>
>>>>>>>>>>>>> type: 'Huawei' is not a valid value The chosen type (Huawei) is
>>>>>>>>>>>>> not supported.
>>>>>>>>>>>>>
>>>>>>>>>>>>>> On Feb 6, 2022, at 6:49 PM, Jorge Nolla <[email protected]
>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> This is the only option on the config.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> <Screen Shot 2022-02-06 at 6.48.16 PM.png>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Feb 6, 2022, at 6:41 PM, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Getting an error page from PF
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Not Implemented
>>>>>>>>>>>>>>> GET no supported for current URL.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> How is the switch supposed to be defined in PF?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On Feb 6, 2022, at 5:55 PM, Fabrice Durand <[email protected]
>>>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am just not sure what to set for username and password, if
>>>>>>>>>>>>>>>> you do sms auth then there is no password.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Also in the url it looks that it miss the mac address of the
>>>>>>>>>>>>>>>> device , can you try to add device-mac and see if the device
>>>>>>>>>>>>>>>> mac is in the url ?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here the first draft:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> cd /usr/local/pf/
>>>>>>>>>>>>>>>> curl
>>>>>>>>>>>>>>>> https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://github.com/inverse-inc/packetfence/compare/feature/Huawei_web_auth.diff>
>>>>>>>>>>>>>>>> | patch -p1
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> then restart packetfence.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> On the controller:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/
>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>Hawei
>>>>>>>>>>>>>>>> url-parameter device-ip device-mac ac-ip user-ipaddress
>>>>>>>>>>>>>>>> userip ssid ssid user-mac ap-mac
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> So when the device will be forwarded to the portal it should
>>>>>>>>>>>>>>>> be able to recognise the mac address and the ip of the device
>>>>>>>>>>>>>>>> (in the bottom).
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Register on the portal and you should be forwarded to
>>>>>>>>>>>>>>>> http://$controller_ip:8443/login?username=bob&password=bob
>>>>>>>>>>>>>>>> <http://$controller_ip:8443/login?username=bob&password=bob>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Let me know how it behave.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Le dim. 6 févr. 2022 à 18:58, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>>>>>>>>>>> Hi Fabrice
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> This is the GET the AC is expecting:
>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> If successful it will return as per image below. If it fails
>>>>>>>>>>>>>>>> the AC will redirect back to the Portal
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <WebAuthentication.png>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Here is the configuration:
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>
>>>>>>>>>>>>>>>> url-parameter login-url destination_url
>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> HA Proxy output
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Feb 6 16:44:26 wifi haproxy[2427]: 10.9.70.173:52266
>>>>>>>>>>>>>>>> <http://10.9.70.173:52266/> [06/Feb/2022:16:44:26.153]
>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/202/202 200 9003 - - ---- 2/1/0/0/0
>>>>>>>>>>>>>>>> 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET
>>>>>>>>>>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Only problem is that PacketFence is not updating the dynamic
>>>>>>>>>>>>>>>> values with username and password for it to work
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> AC = Access Controller. This manages the APs’ as they are
>>>>>>>>>>>>>>>> operating in Fit/Lightweight mode.
>>>>>>>>>>>>>>>> AP = Access Points. These are the actual radios.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:40 PM, Fabrice Durand
>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> i have what i need at least to be able to support the
>>>>>>>>>>>>>>>>> web-auth.
>>>>>>>>>>>>>>>>> The only thing i am not sure is at the end of the
>>>>>>>>>>>>>>>>> registration process what we are supposed to do.
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> I will create a branch on github in order for you to test.
>>>>>>>>>>>>>>>>> (it will be an update of the Huawei switch module).
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> For information, what is the ac-ip ac-mac versus ap-ip ap-mac
>>>>>>>>>>>>>>>>> ?
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Le dim. 6 févr. 2022 à 18:30, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>>>> <mailto:[email protected]>> a écrit :
>>>>>>>>>>>>>>>>> If I try to manually send the redirect in the browser here is
>>>>>>>>>>>>>>>>> what HA proxy records. This is a simple copy and paste in the
>>>>>>>>>>>>>>>>> browser and the output:
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> 4875 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx
>>>>>>>>>>>>>>>>> <http://wifi.fispy.mx/>} "GET
>>>>>>>>>>>>>>>>> /captive-portal?destination_url=https://portal.fispy.mx:8443/login?username=539z&password=0uf3
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=539z&password=0uf3>
>>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> It doesn’t let it go through as it seems that is trying to
>>>>>>>>>>>>>>>>> validate network connectivity
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:07 PM, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Seems weird how the format of the URL is recorded/sent
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Here is a normal redirect, the url is formatted correctly,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Feb 6 16:03:41 wifi haproxy[2427]: 10.99.1.20:63577
>>>>>>>>>>>>>>>>>> <http://10.99.1.20:63577/> [06/Feb/2022:16:03:41.232]
>>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/1/233/234 200 4910 - - ----
>>>>>>>>>>>>>>>>>> 2/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>} "GET
>>>>>>>>>>>>>>>>>> /captive-portal?destination_url=https://www.fispy.mx/
>>>>>>>>>>>>>>>>>> <https://www.fispy.mx/> HTTP/1.1"
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> I’m not sure why the value sent by the AP has all the % and
>>>>>>>>>>>>>>>>>> weird symbols
>>>>>>>>>>>>>>>>>> destination%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> On Feb 6, 2022, at 4:00 PM, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Here are the options that can be added:
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> [AirEngine9700-M1-url-template-PacketFence]url-parameter ?
>>>>>>>>>>>>>>>>>>> ap-group-name AP group name
>>>>>>>>>>>>>>>>>>> ap-ip AP IP address
>>>>>>>>>>>>>>>>>>> ap-location AP location
>>>>>>>>>>>>>>>>>>> ap-mac AP MAC address
>>>>>>>>>>>>>>>>>>> ap-name AP name
>>>>>>>>>>>>>>>>>>> device-ip Device IP address
>>>>>>>>>>>>>>>>>>> device-mac Device MAC address
>>>>>>>>>>>>>>>>>>> login-url Device's login URL provided to the
>>>>>>>>>>>>>>>>>>> external portal server
>>>>>>>>>>>>>>>>>>> mac-address Mac address
>>>>>>>>>>>>>>>>>>> redirect-url The url in user original http packet
>>>>>>>>>>>>>>>>>>> set Set
>>>>>>>>>>>>>>>>>>> ssid SSID
>>>>>>>>>>>>>>>>>>> sysname Device name
>>>>>>>>>>>>>>>>>>> user-ipaddress User IP address
>>>>>>>>>>>>>>>>>>> user-mac User MAC address
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>
>>>>>>>>>>>>>>>>>>> url-parameter device-ip ac-ip user-ipaddress userip ssid
>>>>>>>>>>>>>>>>>>> ssid user-mac ap-mac
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> 200 9003 - - ---- 2/1/0/0/0 0/0 {wifi.fispy.mx
>>>>>>>>>>>>>>>>>>> <http://wifi.fispy.mx/>} "GET
>>>>>>>>>>>>>>>>>>> /captive-portal?ac%2Dip=10%2E7%2E255%2E2&userip=10%2E9%2E70%2E173&ssid=FISPY%2DWiFi&ap%2Dmac=f02f4b1467d9
>>>>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> If we do not specify the URL on this configuration, where
>>>>>>>>>>>>>>>>>>> would PacketFence get the value for the AC Web
>>>>>>>>>>>>>>>>>>> Authentication call?
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> On Feb 5, 2022, at 8:23 PM, Fabrice Durand
>>>>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> what we need is the user mac and the ap information.
>>>>>>>>>>>>>>>>>>>> I found that
>>>>>>>>>>>>>>>>>>>> https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> <https://support.huawei.com/enterprise/en/doc/EDOC1100008283/659354b1/display-url-template>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Is it possible to add extra parameters like user-mac ssid
>>>>>>>>>>>>>>>>>>>> ap-ip ap-mac ?
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> And if yes can you provide me the url generated by the
>>>>>>>>>>>>>>>>>>>> controller when it redirect ? (haproxy-portal log)
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Le sam. 5 févr. 2022 à 20:42, Jorge Nolla
>>>>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> a écrit :
>>>>>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Any input on this? We really would like to get this to
>>>>>>>>>>>>>>>>>>>> work.
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:48 PM, Jorge Nolla <[email protected]
>>>>>>>>>>>>>>>>>>>>> <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> This is the sequence:
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:32 wifi haproxy[2427]: 10.9.79.52:61132
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:32.663]
>>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/201/201 200 7146 - - ----
>>>>>>>>>>>>>>>>>>>>> 3/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>}
>>>>>>>>>>>>>>>>>>>>> "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:37 wifi haproxy[2427]: 10.9.79.52:61133
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:37.905]
>>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/2/2 200 228 - - ---- 4/2/0/0/0
>>>>>>>>>>>>>>>>>>>>> 0/0 {10.0.255.99} "GET
>>>>>>>>>>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838705224
>>>>>>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61130
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:43.927]
>>>>>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/122/122 302 1018 - - ----
>>>>>>>>>>>>>>>>>>>>> 4/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>}
>>>>>>>>>>>>>>>>>>>>> "GET
>>>>>>>>>>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:44 wifi haproxy[2427]: 10.9.79.52:61132
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61132/> [02/Feb/2022:14:51:44.060]
>>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/129/129 200 7146 - - ----
>>>>>>>>>>>>>>>>>>>>> 4/2/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>}
>>>>>>>>>>>>>>>>>>>>> "GET /access?lang= HTTP/1.1"
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:49 wifi haproxy[2427]: 10.9.79.52:61133
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61133/> [02/Feb/2022:14:51:49.219]
>>>>>>>>>>>>>>>>>>>>> portal-http-10.0.255.99 static/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/1/1 200 228 - - ---- 4/2/0/0/0
>>>>>>>>>>>>>>>>>>>>> 0/0 {10.0.255.99} "GET
>>>>>>>>>>>>>>>>>>>>> /common/network-access-detection.gif?r=1643838716546
>>>>>>>>>>>>>>>>>>>>> HTTP/1.1"
>>>>>>>>>>>>>>>>>>>>> Feb 2 14:51:55 wifi haproxy[2427]: 10.9.79.52:61130
>>>>>>>>>>>>>>>>>>>>> <http://10.9.79.52:61130/> [02/Feb/2022:14:51:55.287]
>>>>>>>>>>>>>>>>>>>>> portal-https-10.0.255.99~ 10.0.255.99-backend/127.0.0.1
>>>>>>>>>>>>>>>>>>>>> <http://127.0.0.1/> 0/0/0/136/136 302 1018 - - ----
>>>>>>>>>>>>>>>>>>>>> 4/1/0/0/0 0/0 {wifi.fispy.mx <http://wifi.fispy.mx/>}
>>>>>>>>>>>>>>>>>>>>> "GET
>>>>>>>>>>>>>>>>>>>>> /captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>>>>>> HTTP/1.1”
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 7:12 PM, Fabrice Durand
>>>>>>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> i will have a look closer.
>>>>>>>>>>>>>>>>>>>>>> But i have a question, when the device is forwarded to
>>>>>>>>>>>>>>>>>>>>>> the captive portal, (just before
>>>>>>>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch_url=https://portal.fispy.mx:8443/login>)
>>>>>>>>>>>>>>>>>>>>>> , what is the url ?
>>>>>>>>>>>>>>>>>>>>>> You should be able to see it in the haproxy-portal.log
>>>>>>>>>>>>>>>>>>>>>> file.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Le mer. 2 févr. 2022 à 10:18, Jorge Nolla
>>>>>>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> a écrit :
>>>>>>>>>>>>>>>>>>>>>> Hi Fabrice,
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> We almost have the configuration working, but are not
>>>>>>>>>>>>>>>>>>>>>> sure how to get the redirect to the client to work
>>>>>>>>>>>>>>>>>>>>>> correctly. Attached is the documentation for Cisco ISE
>>>>>>>>>>>>>>>>>>>>>> which we used for PacketFence as well.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> Portal.fispy.mx <http://portal.fispy.mx/> is the Huawei
>>>>>>>>>>>>>>>>>>>>>> AC.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> This is the format the client should get from
>>>>>>>>>>>>>>>>>>>>>> PacketFence. This is the only piece we are missing for
>>>>>>>>>>>>>>>>>>>>>> this to work.
>>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login?username=($username)&password=($password)
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login?username=($username)&password=($password)>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> If we manually click on the link above, then the flow of
>>>>>>>>>>>>>>>>>>>>>> traffic works correctly CLIENT > AC > RADIUS
>>>>>>>>>>>>>>>>>>>>>> (PacketFence), and authentication works. The problem is
>>>>>>>>>>>>>>>>>>>>>> that when the user logs in to the portal the redirect is
>>>>>>>>>>>>>>>>>>>>>> broken. The parameter for the redirect that PacketFence
>>>>>>>>>>>>>>>>>>>>>> is serving, comes from a configuration parameter within
>>>>>>>>>>>>>>>>>>>>>> the AC. This configuration works fine for Cisco ISE, but
>>>>>>>>>>>>>>>>>>>>>> the URL format is not working for PacketFence.
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> When we configure the redirect this is what the client
>>>>>>>>>>>>>>>>>>>>>> is getting from PacketFence
>>>>>>>>>>>>>>>>>>>>>> https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal?switch%5Furl=https%3A%2F%2Fportal%2Efispy%2Emx%3A8443%2Flogin>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>
>>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url
>>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE
>>>>>>>>>>>>>>>>>>>>>> PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> AC CONFIG
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> authentication-profile name PacketFence
>>>>>>>>>>>>>>>>>>>>>> portal-access-profile PacketFence
>>>>>>>>>>>>>>>>>>>>>> free-rule-template default_free_rule
>>>>>>>>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>>>>>>>>> accounting-scheme PacketFence
>>>>>>>>>>>>>>>>>>>>>> radius-server PacketFence
>>>>>>>>>>>>>>>>>>>>>> force-push url https://www.fispy.mx
>>>>>>>>>>>>>>>>>>>>>> <https://www.fispy.mx/>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> radius-server template PacketFence
>>>>>>>>>>>>>>>>>>>>>> radius-server shared-key cipher
>>>>>>>>>>>>>>>>>>>>>> %^%#*)l=:1.X-Yd$\<~orEF@]<}NMejv3)E^\6;7:NUY%^%#
>>>>>>>>>>>>>>>>>>>>>> radius-server authentication 10.0.255.99 1812 source
>>>>>>>>>>>>>>>>>>>>>> ip-address 10.7.255.2 weight 90
>>>>>>>>>>>>>>>>>>>>>> radius-server accounting 10.0.255.99 1813 source
>>>>>>>>>>>>>>>>>>>>>> ip-address 10.7.255.2 weight 80
>>>>>>>>>>>>>>>>>>>>>> undo radius-server user-name domain-included
>>>>>>>>>>>>>>>>>>>>>> calling-station-id mac-format unformatted
>>>>>>>>>>>>>>>>>>>>>> called-station-id wlan-user-format ac-mac
>>>>>>>>>>>>>>>>>>>>>> radius-server attribute translate
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-NAS-Startup-Time-Stamp send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-IP-Host-Address send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Connect-ID send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Version send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Product-ID send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-Domain-Name send
>>>>>>>>>>>>>>>>>>>>>> radius-attribute disable HW-User-Extend-Info send
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> url-template name PacketFence
>>>>>>>>>>>>>>>>>>>>>> url https://wifi.fispy.mx/captive-portal
>>>>>>>>>>>>>>>>>>>>>> <https://wifi.fispy.mx/captive-portal>
>>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url
>>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login> <<< THIS IS THE
>>>>>>>>>>>>>>>>>>>>>> PARAMETER FOR THE REDIRECT TO PACKETFENCE
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> web-auth-server PacketFence
>>>>>>>>>>>>>>>>>>>>>> server-ip 10.0.255.99
>>>>>>>>>>>>>>>>>>>>>> port 443
>>>>>>>>>>>>>>>>>>>>>> url-template PacketFence
>>>>>>>>>>>>>>>>>>>>>> protocol http
>>>>>>>>>>>>>>>>>>>>>> http get-method enable
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> portal-access-profile name PacketFence
>>>>>>>>>>>>>>>>>>>>>> web-auth-server PacketFence direct
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> authentication-scheme PacketFence
>>>>>>>>>>>>>>>>>>>>>> authentication-mode radius
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> wlan
>>>>>>>>>>>>>>>>>>>>>> security-profile name FISPY-WiFi
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> vap-profile name FISPY-WiFi
>>>>>>>>>>>>>>>>>>>>>> service-vlan vlan-id 900
>>>>>>>>>>>>>>>>>>>>>> permit-vlan vlan-id 900
>>>>>>>>>>>>>>>>>>>>>> ssid-profile FISPY-WiFi
>>>>>>>>>>>>>>>>>>>>>> security-profile FISPY-WiFi
>>>>>>>>>>>>>>>>>>>>>> authentication-profile PacketFence
>>>>>>>>>>>>>>>>>>>>>> sta-network-detect disable
>>>>>>>>>>>>>>>>>>>>>> service-experience-analysis enable
>>>>>>>>>>>>>>>>>>>>>> mdns-snooping enable
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> ###CISCO ISE CONFIG TO COMPARE###
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> url-template name CISCO-ISE
>>>>>>>>>>>>>>>>>>>>>> url
>>>>>>>>>>>>>>>>>>>>>> https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> <https://captive.fispy.mx:8443/portal/PortalSetup.action#portal=7cf5ac1d-5dbf-4b36-aeee-b9590fd24c02>
>>>>>>>>>>>>>>>>>>>>>> parameter start-mark #
>>>>>>>>>>>>>>>>>>>>>> url-parameter login-url switch_url
>>>>>>>>>>>>>>>>>>>>>> https://portal.fispy.mx:8443/login
>>>>>>>>>>>>>>>>>>>>>> <https://portal.fispy.mx:8443/login>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>> ####################################
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> On Feb 2, 2022, at 6:17 AM, Fabrice Durand
>>>>>>>>>>>>>>>>>>>>>>> <[email protected] <mailto:[email protected]>> wrote:
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Hello Jorge,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> do you have any Huawei documentation to implement that ?
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Regards
>>>>>>>>>>>>>>>>>>>>>>> Fabrice
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Le mer. 26 janv. 2022 à 15:59, Jorge Nolla via
>>>>>>>>>>>>>>>>>>>>>>> PacketFence-users
>>>>>>>>>>>>>>>>>>>>>>> <[email protected]
>>>>>>>>>>>>>>>>>>>>>>> <mailto:[email protected]>> a
>>>>>>>>>>>>>>>>>>>>>>> écrit :
>>>>>>>>>>>>>>>>>>>>>>> Hi Team,
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> We were wondering if anyone has had any success in
>>>>>>>>>>>>>>>>>>>>>>> configuring Web Auth for the Huawei AC? It’s somewhat
>>>>>>>>>>>>>>>>>>>>>>> critical for us to get this going.
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> Thank you!
>>>>>>>>>>>>>>>>>>>>>>> Jorge
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>>>>>>>> PacketFence-users mailing list
>>>>>>>>>>>>>>>>>>>>>>> [email protected]
>>>>>>>>>>>>>>>>>>>>>>> <mailto:[email protected]>
>>>>>>>>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>> <https://lists.sourceforge.net/lists/listinfo/packetfence-users>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
