Tomasz,

Sorry I'm really new to Linux and packetfence. I still have some questions, please bear with me.

1. Do we need to change radius to 172.17.254.254 as well or we only need to change the captive portal address? Is there a way that we can keep the captive portal to 10.1.254.126 but solve the issue?

2. If we're going to change the captive portal address to 172.17.254.254, should I have registration interface listen to portal daemon instead of management?

3. If we want to use web auth, which is we want to only change ACL instead of VLAN, is there a way to achieve it?

4. What is the root cause for this "Your network should be enabled within a minute or two. If it is not reboot your computer" ?

Thank you so much for the help,

---

Helen
From: Tomasz Karczewski [mailto:***@man.olsztyn.pl]
Sent: Friday, April 7, 2017 4:43 PM
To: packetfence-***@lists.sourceforge.net
Subject: Re: [PacketFence-users] Captive Portal Redirection not working


This message was identified as a phishing<http://aka.ms/LearnAboutPhishing> scam.

Feedback<http://aka.ms/SafetyTipsFeedback>

Use 172.17.254.254 ip as your captive portal ip and at your web redirect url (of course allow traffic at acls to this ip not to 10.1.254.126) for registration.
Another thing, I suggest not to use Authorize_any for default role (set the same as in registration role).
If you want to assign vlans for specific roles you have to create those vlans (on your network and add interfaces to your wlc)
and setup in pf (i.e. vlan 10 for registration vlan 20 for isolation 30 normal vlan for regular users etc.).
Packetfence will assign those specific vlans depends on the role and force to the wlc.
Right now you're not assigning any vlans. You're using static one binded to your wlan (you're forcing only which one acls to use).

From: Helen Chen [mailto:***@resourcepro.com.cn]
Sent: Friday, April 7, 2017 10:19 AM
To: packetfence-***@lists.sourceforge.net<mailto:packetfence-***@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Captive Portal Redirection not working

Hi Tomasz,

Thank you so much on getting back to me.

Our registration interface ip address is 172.17.254.254. Management\portal adedress is 10.1.254.126. As we want to do out-of-band mode, I set the captive portal ip address the same one with the management\portal address, which is 10.1.254.126. From 172.17.0.0/16 is able to communicate with 10.1.254.126. Just in case you missed the other email. Please see more details below and attached.

Hi Tomasz,

I tweak the iptables (iptables -I INPUT -i <registration interface#> -j input-portal-if) and solved the production mode captive portal redirecting issue. However, the problem "Your network should be enabled within a minute or two. If it is not reboot your computer" issue still exist after I passed the authentication phase. I tried to disconnect the WLAN and join again, the error will still stay there, it looks like it got stuck in registration mode. Can you please shed some lights on this one?

In addition, to answer your questions:

Did you setup acls authorize_any on the controller? - yes, we did. And per the show client detail on WLC, we can see the ACL Authorize_any is applied.

Policy Manager State............................. RUN
AAA Override ACL Name............................ none
AAA Override ACL Applied Status.................. Unavailable
AAA Override Flex ACL Name....................... none

--More or (q)uit current module or <ctrl-z> to abort
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. none
Audit Session ID................................. 0a0105320000cc6858e738ae
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... Authorize_any
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Yes
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 51
Quarantine VLAN.................................. 0
Access VLAN...................................... 51
Local Bridging VLAN.............................. 51
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 20
Fast BSS Transition........................ Not implemented
11v BSS Transition......................... Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 0
Number of Bytes Sent....................... 0
Total Number of Bytes Sent................. 0
Total Number of Bytes Recv................. 0
Number of Bytes Sent (last 90s)............ 0

--More or (q)uit current module or <ctrl-z> to abort
Number of Bytes Recv (last 90s)............ 0
Number of Packets Received................. 0
Number of Packets Sent..................... 0
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 0
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 0
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ Unavailable
Signal to Noise Ratio...................... Unavailable
Client Rate Limiting Statistics:
Number of Data Packets Received............ 0
Number of Data Rx Packets Dropped.......... 0

--More or (q)uit current module or <ctrl-z> to abort
Number of Data Bytes Received.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Received........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Received.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
Tech_TestAP(slot 0)
antenna0: 7 secs ago..................... -66 dBm
antenna1: 7 secs ago..................... -74 dBm
Tech_TestAP(slot 1)
antenna0: 6 secs ago..................... -71 dBm
antenna1: 6 secs ago..................... -77 dBm
QD-G5-2702-4F-B3(slot 0)
antenna0: 7 secs ago..................... -75 dBm

--More or (q)uit current module or <ctrl-z> to abort
antenna1: 7 secs ago..................... -75 dBm
DNS Server details:
DNS server IP ............................. 0.0.0.0
DNS server IP ............................. 0.0.0.0
Assisted Roaming Prediction List details:

Did you check NAC State Radius NAC? - Yes, we set the NAC state to ISE NAC. On WLC2500, it only has ISE NAC, SNMP NAC and none.
Did you set acl authorize_any to this role? - yes, we did. Please see the switch.conf below. The problem is I set the registration vlan and default vlan both to 51. Is this ok? As I remember in the administration guide, for web auth mode, device VLAN ID never change but only the ACL associated gonna change. How can we accomplish this? The reason is we only want to enable one SSID. Please see related screenshots attached.

[10.1.5.50]
deauthMethod=RADIUS
description=QD-G5-2504-3F-1
type=Cisco::WLC_2500
mode=production
SNMPCommunityRead=xxxxx
registrationVlan=51
SNMPCommunityWrite=xxxxx
isolationVlan=52
radiusSecret=xxxxx
SNMPVersion=2c
defaultVlan=51
coaPort=1700
RoleMap=Y
AdminITRole=Authorize_any
registrationUrl=http://10.1.254.126/Cisco::WLC
RSPEmployeeRole=Authorize_any
UrlMap=Y
guestVlan=51
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
guestRole=Authorize_any
controllerIp=10.1.5.50
ExternalPortalEnforcement=Y
VlanMap=N

Thank you so much for your help,


---

Helen

From: Tomasz Karczewski [mailto:***@man.olsztyn.pl]
Sent: Friday, April 7, 2017 3:41 PM
To: packetfence-***@lists.sourceforge.net<mailto:packetfence-***@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Captive Portal Redirection not working


This message was identified as a phishing<http://aka.ms/LearnAboutPhishing> scam.

Feedback<http://aka.ms/SafetyTipsFeedback>

Did you allow traffic to your captive portal ip? Configuration > captive portal > ip (here is your ip) and of course enable network detection.
Set your ip or fqdn with one from registration interface.

From: Helen Chen [mailto:***@resourcepro.com.cn]
Sent: Friday, April 7, 2017 8:44 AM
To: packetfence-***@lists.sourceforge.net<mailto:packetfence-***@lists.sourceforge.net>
Subject: Re: [PacketFence-users] Captive Portal Redirection not working

Hi All,

I tweak the iptables and solved the production mode not redirecting issue. However, the problem "Your network should be enabled within a minute or two. If it is not reboot your computer" issue still exist after I passed the authentication phase. We're doing out-of-band mode. Anyone can help me out here?

Thank you very much.


---

Helen

From: Helen Chen [mailto:***@resourcepro.com.cn]
Sent: Thursday, April 6, 2017 4:14 PM
To: packetfence-***@lists.sourceforge.net<mailto:packetfence-***@lists.sourceforge.net>
Subject: [PacketFence-users] Captive Portal Redirection not working


This message was identified as a phishing<http://aka.ms/LearnAboutPhishing> scam.

Feedback<http://aka.ms/SafetyTipsFeedback>

Hi All,

Lately I've been struggling one problem for weeks now. Any of your help would really be appreciated.

We have one Cisco WLC 2504 here. I put the switch mode to registration, then the captive portal is redirected fine. However, after I passed the credential authentication, the ACL failed to redirect. The error says "Your network should be enabled within a minute or two. If it is not reboot your computer". I checked the log and notice the reason I cannot achieve reassignment is because I was not on a production mode so pf cannot perform deauthentiation. So I change the switch mode to production. The problem will be the captive portal will jump to "captive. Apple.com" instead of packetfence. If I cancel it and open a browser it will say could not open the page because the server stopped responding. I disabled pfsetvlan and snmptrapd as it's wireless traffic, it's not necessary to enable it,right? Please see related logs below. Any suggestions?

(Cisco Controller) >show client detail 7c:01:91:25:f9:eb
Client MAC Address............................... 7c:01:91:25:f9:eb
Client Username ................................. N/A
AP MAC Address................................... 5c:83:8f:9f:1b:90
AP Name.......................................... Tech_TestAP
AP radio slot Id................................. 0
Client State..................................... Associated
Client User Group................................
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 4
Wireless LAN Network Name (SSID)................. Guest
Wireless LAN Profile Name........................ Guest_Test
Hotspot (802.11u)................................ Not Supported
BSSID............................................ 5c:83:8f:9f:1b:93
Connected For ................................... 97 secs
Channel.......................................... 1
IP Address....................................... 172.17.0.10
Gateway Address.................................. Unknown
Netmask.......................................... Unknown
Association Id................................... 169
Authentication Algorithm......................... Open System
Reason Code...................................... 1
Status Code...................................... 0
Session Timeout.................................. 1800
Client CCX version............................... No CCX support
QoS Level........................................ Silver
Avg data Rate.................................... 0
Burst data Rate.................................. 0
Avg Real time data Rate.......................... 0
Burst Real Time data Rate........................ 0
802.1P Priority Tag.............................. disabled
CTS Security Group Tag........................... Not Applicable
KTS CAC Capability............................... No
Qos Map Capability............................... No
WMM Support...................................... Enabled
APSD ACs....................................... BK BE VI VO
Current Rate..................................... m12
Supported Rates.................................. 1.0,2.0,5.5,11.0,6.0,9.0,
............................................. 12.0,18.0,24.0,36.0,48.0,
............................................. 54.0
Mobility State................................... Local
Mobility Move Count.............................. 0
Security Policy Completed........................ No
Policy Manager State............................. WEBAUTH_REQD
AAA Override ACL Name............................ Pre-Auth-For-WebRedirect
AAA Override ACL Applied Status.................. Yes
AAA Override Flex ACL Name....................... none
AAA Override Flex ACL Applied Status............. Unavailable
AAA URL redirect................................. http://10.1.254.126/Cisco::WLC/sid189bef
Audit Session ID................................. 0a0105320000bdd258e5e518
AAA Role Type.................................... none
Local Policy Applied............................. none
IPv4 ACL Name.................................... none
FlexConnect ACL Applied Status................... Unavailable
IPv4 ACL Applied Status.......................... Unavailable
IPv6 ACL Name.................................... none
IPv6 ACL Applied Status.......................... Unavailable
Layer2 ACL Name.................................. none
Layer2 ACL Applied Status........................ Unavailable
mDNS Status...................................... Enabled
mDNS Profile Name................................ default-mdns-profile
No. of mDNS Services Advertised.................. 0
Policy Type...................................... N/A
Encryption Cipher................................ None
Protected Management Frame ...................... No
Management Frame Protection...................... No
EAP Type......................................... Unknown
Interface........................................ guest
VLAN............................................. 51
Quarantine VLAN.................................. 0
Access VLAN...................................... 51
Local Bridging VLAN.............................. 51
Client Capabilities:
CF Pollable................................ Not implemented
CF Poll Request............................ Not implemented
Short Preamble............................. Implemented
PBCC....................................... Not implemented
Channel Agility............................ Not implemented
Listen Interval............................ 20
Fast BSS Transition........................ Not implemented
11v BSS Transition......................... Not implemented
Client Wifi Direct Capabilities:
WFD capable................................ No
Manged WFD capable......................... No
Cross Connection Capable................... No
Support Concurrent Operation............... No
Fast BSS Transition Details:
Client Statistics:
Number of Bytes Received................... 14034
Number of Bytes Sent....................... 9976
Total Number of Bytes Sent................. 9976
Total Number of Bytes Recv................. 14034
Number of Bytes Sent (last 90s)............ 2256
Number of Bytes Recv (last 90s)............ 4646
Number of Packets Received................. 145
Number of Packets Sent..................... 71
Number of Interim-Update Sent.............. 0
Number of EAP Id Request Msg Timeouts...... 0
Number of EAP Id Request Msg Failures...... 0
Number of EAP Request Msg Timeouts......... 0
Number of EAP Request Msg Failures......... 0
Number of EAP Key Msg Timeouts............. 0
Number of EAP Key Msg Failures............. 0
Number of Data Retries..................... 119
Number of RTS Retries...................... 0
Number of Duplicate Received Packets....... 44
Number of Decrypt Failed Packets........... 0
Number of Mic Failured Packets............. 0
Number of Mic Missing Packets.............. 0
Number of RA Packets Dropped............... 0
Number of Policy Errors.................... 0
Radio Signal Strength Indicator............ -66 dBm
Signal to Noise Ratio...................... 22 dB
Client Rate Limiting Statistics:
Number of Data Packets Received............ 0
Number of Data Rx Packets Dropped.......... 0
Number of Data Bytes Received.............. 0
Number of Data Rx Bytes Dropped............ 0
Number of Realtime Packets Received........ 0
Number of Realtime Rx Packets Dropped...... 0
Number of Realtime Bytes Received.......... 0
Number of Realtime Rx Bytes Dropped........ 0
Number of Data Packets Sent................ 0
Number of Data Tx Packets Dropped.......... 0
Number of Data Bytes Sent.................. 0
Number of Data Tx Bytes Dropped............ 0
Number of Realtime Packets Sent............ 0
Number of Realtime Tx Packets Dropped...... 0
Number of Realtime Bytes Sent.............. 0
Number of Realtime Tx Bytes Dropped........ 0
Nearby AP Statistics:
Tech_TestAP(slot 0)
antenna0: 7 secs ago..................... -63 dBm
antenna1: 7 secs ago..................... -70 dBm
Tech_TestAP(slot 1)
antenna0: 7 secs ago..................... -76 dBm
antenna1: 7 secs ago..................... -74 dBm
QD-G5-2702-4F-B3(slot 0)
antenna0: 7 secs ago..................... -83 dBm
antenna1: 7 secs ago..................... -82 dBm
QD-G5-2702-4F-B3(slot 1)
antenna0: 7 secs ago..................... -95 dBm
antenna1: 7 secs ago..................... -91 dBm
DNS Server details:
DNS server IP ............................. 0.0.0.0
DNS server IP ............................. 0.0.0.

[10.1.5.50]
deauthMethod=RADIUS
description=QD-G5-2504-1
type=Cisco::WLC_2500
SNMPCommunityRead=xxxx
registrationVlan=51
SNMPCommunityWrite=xxxx
isolationVlan=52
radiusSecret=xxxxx
SNMPVersion=2c
defaultVlan=51
coaPort=1700
RoleMap=Y
registrationUrl=http://10.1.254.126/Cisco::WLC
UrlMap=Y
guestVlan=51
RSPEmployeeVlan=51
defaultRole=Authorize_any
registrationRole=Pre-Auth-For-WebRedirect
controllerIp=10.1.5.50
ExternalPortalEnforcement=Y
VlanMap=N
mode=production

[172.17.0.0]
dns=172.17.254.254
dhcp_start=172.17.0.10
gateway=172.17.254.254
domain-name=vlan-registration.resourcepro0.resourcepro.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=enabled
dhcp_end=172.17.255.246
type=vlan-registration
netmask=255.255.0.0
dhcp_default_lease_time=30

[172.18.0.0]
dns=172.18.254.254
dhcp_start=172.18.0.10
gateway=172.18.254.254
domain-name=vlan-isolation.resourcepro0.resourcepro.com
nat_enabled=disabled
named=enabled
dhcp_max_lease_time=30
fake_mac_enabled=disabled
dhcpd=disabled
dhcp_end=172.18.255.246
type=vlan-isolation
netmask=255.255.0.0
dhcp_default_lease_time=30


---


Helen