[Packetfence-users] Registration page doesn´t show up, certificate?

Discussion:

clf

2011-12-01 09:53:41 UTC

Hi All,

I just set up a new PF server yesterday, everything went fine and I could
start the service and access the GUI.

The server is set up in VLAN enforcement mode so when a new device is
connected to the switch, PF changes the VLAN (MAC detection) to the
registration VLAN and when the client opens the web browser it comes up the
classic "Certificate Error" in Internet Explorer but when I click the link
to ignore the message it just hangs and the reg page doesnŽt

I can see PF knows the client is trying to access to the Internet as I see
this in the access_log

192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200 7093
"-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET
CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR
1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this on the error_log

[Thu Dec 01 10:36:37 2011] [notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName (CN)
`packetfence' does NOT match server name!?
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName (CN)
`packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName (CN)
`packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName (CN)
`packetfence' does NOT match server name!?
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations

Any advice?

Thanks in advance

clf

Francois Gaudreault

2011-12-01 14:13:49 UTC

Permalink

Hi,

What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

Post by clf
Hi All,
I just set up a new PF server yesterday, everything went fine and I
could start the service and access the GUI.
The server is set up in VLAN enforcement mode so when a new device is
connected to the switch, PF changes the VLAN (MAC detection) to the
registration VLAN and when the client opens the web browser it comes
up the classic "Certificate Error" in Internet Explorer but when I
click the link to ignore the message it just hangs and the reg page
doesnŽt
I can see PF knows the client is trying to access to the Internet as I
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this on the error_log
[Thu Dec 01 10:36:37 2011] [notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
Any advice?
Thanks in advance
clf
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-01 14:41:38 UTC

Permalink

Hi Francois,

thanks for your reply, IŽve tried both mozilla and explorer and IŽm still
not able to see the registration page...

IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
get this on access_log:

[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations
I realized that if i release the nslookup command on the client side I get
this output:

server: packetfence
address: 192.168.2.1

name: www.google.com.registration.mydomain.com
address: 192.168.2.1

is something wrong with dns?

thanks again

Hi,

What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

------------------------------------------------------------------------------

Post by clf
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@... :: +1.514.447.4918 (x130) :: http://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)

Francois Gaudreault

2011-12-01 16:23:15 UTC

Permalink

Hi,

Well you are able to see the certificate exception page, so it means you
are hitting the server. Did you modify the html templates or it is stock?

Post by clf
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and
IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files
with openssl with the right server name and replacing the old ones.
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
I realized that if i release the nslookup command on the client side I
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
<http://www.google.com.registration.mydomain.com>
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

error_log

Post by clf
[Thu Dec 01 10:36:37 2011] [notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate is a CA
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate CommonName
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
Any advice?
Thanks in advance
clf

------------------------------------------------------------------------------

--
Francois Gaudreault, ing. jr
<http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu>)
and PacketFence (www.packetfence.org <http://www.packetfence.org>)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

Damian Mendoza

2011-12-01 16:13:54 UTC

Permalink

If you start and stop the PF service does the registration page work?

Thats the problem Im having works one time after starting and stopping
the service

From: clf [mailto:***@gmail.com]
Sent: Thursday, December 01, 2011 6:42 AM
To: packetfence-***@lists.sourceforge.net
Subject: Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?

Hi Francois,

thanks for your reply, IŽve tried both mozilla and explorer and IŽm still
not able to see the registration page...

IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
get this on access_log:

[notice] caught SIGTERM, shutting down

[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations

I realized that if i release the nslookup command on the client side I get
this output:

server: packetfence

address: 192.168.2.1

name: www.google.com.registration.mydomain.com

address: 192.168.2.1

is something wrong with dns?

thanks again

Hi,

What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

----------------------------------------------------------------------------
--

--
Francois Gaudreault, ing. jr
***@... :: +1.514.447.4918 (x130) :: http://www.inverse.ca
<http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)

clf

2011-12-01 19:14:19 UTC

Permalink

thanks again

François, I didn't change any of the templates, no html files were modified

Damian, restarting service doesn't help at this moment

can you tell me if the nslookup is correct? where should I have a look?

If you start and stop the PF service does the registration page work?****
** **
Thats the problem Im having works one time after starting and stopping
the service****
** **
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?****
** **
Hi Francois, ****
****
thanks for your reply, IŽve tried both mozilla and explorer and IŽm still
not able to see the registration page...****
****
IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
get this on access_log:****
****
[notice] caught SIGTERM, shutting down****
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations****
I realized that if i release the nslookup command on the client side I get
this output:****
****
server: packetfence****
address: 192.168.2.1****
****
name: www.google.com.registration.mydomain.com****
address: 192.168.2.1****
****
is something wrong with dns?****
****
thanks again****
****
****
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

------------------------------------------------------------------------------

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)****
****
****
****
****
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Francois Gaudreault

2011-12-01 19:47:21 UTC

Permalink

Hi,

Yes the nslookup is fine, as long as the PC also have a 192.168.2.x IP
Address, and that you can ping 192.168.2.1.

Again, you are reaching the server if you get the SSL warning. Did you
test using another PC?

Post by clf
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after starting and
stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show
up, certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and
IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files
with openssl with the right server name and replacing the old
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
I realized that if i release the nslookup command on the client
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
<http://www.google.com.registration.mydomain.com>
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

Post by clf
Hi All,
I just set up a new PF server yesterday, everything went fine and I
could start the service and access the GUI.
The server is set up in VLAN enforcement mode so when a new

device is

Post by clf
connected to the switch, PF changes the VLAN (MAC detection) to the
registration VLAN and when the client opens the web browser it

comes

Post by clf
up the classic "Certificate Error" in Internet Explorer but when I
click the link to ignore the message it just hangs and the reg page
doesnŽt
I can see PF knows the client is trying to access to the

Internet as I

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1"

200

Post by clf
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152

<tel:3.0.4506.2152>; .NET CLR

Post by clf
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this on the

error_log

------------------------------------------------------------------------------

--
Francois Gaudreault, ing. jr
:: http://www.inverse.ca <http://www.inverse.ca/>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu
<http://www.sogo.nu>) and PacketFence (www.packetfence.org
<http://www.packetfence.org>)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

Raül González

2011-12-01 20:46:04 UTC

Permalink

yes, I tried two computers both with firefox and explorer

when I check the access_log I can see the attempts from explorer and
firefox, I can also see the attempts from the antivirus trying to update

something is wrong loading the certificate or the reg page

Post by Francois Gaudreault
Hi,
Yes the nslookup is fine, as long as the PC also have a 192.168.2.x
IP Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning. Did
you test using another PC?

Post by clf
thanks again
FranÃ§ois, I didn't change any of the templates, no html files were
modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?
If you start and stop the PF service does the registration page work?
Thatâs the problem Iâm having â works one time after starting
and stopping the service
Sent: Thursday, December 01, 2011 6:42 AM
Subject: Re: [Packetfence-users] Registration page doesnÂŽt show up
, certificate?
Hi Francois,
thanks for your reply, IÂŽve tried both mozilla and explorer and IÂŽ
m still not able to see the registration page...
IÂŽve solved those errors on the access_log creating new cert files
with openssl with the right server name and replacing the old one
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/
2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1
configured -- resuming normal operations
I realized that if i release the nslookup command on the client
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

Post by clf
Hi All,
I just set up a new PF server yesterday, everything went fine and I
could start the service and access the GUI.
The server is set up in VLAN enforcement mode so when a new

device is

Post by clf
connected to the switch, PF changes the VLAN (MAC detection) to the
registration VLAN and when the client opens the web browser it

comes

Post by clf
up the classic "Certificate Error" in Internet Explorer but when I
click the link to ignore the message it just hangs and the reg page
doesnÂŽt
I can see PF knows the client is trying to access to the Internet

as I

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1"

200

Post by clf
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this on the

error_log

---
---
---
---------------------------------------------------------------------

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org
)
---
---
---
---------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
---
---
---
---------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

clf

2011-12-02 08:44:26 UTC

Permalink

I have to add something, the PF is a virtual machine running on Virtual
Box, this is configured with tho NICs and the NIC configured to use with PF
is a trunk with all VLANs needed, is set as follows

eth1management
eth1.10 normal vlan
eth1.2 registration
eth1.3 isolation
eth1.5 normal vlan guests

the other NIC is connected to a management switch

Post by RaÃ¼l GonzÃ¡lez
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from explorer and
firefox, I can also see the attempts from the antivirus trying to update
something is wrong loading the certificate or the reg page
Hi,
Yes the nslookup is fine, as long as the PC also have a 192.168.2.x IP
Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning. Did you
test using another PC?
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?

Post by Damian Mendoza
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after starting and
stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and IŽm still
not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations
I realized that if i release the nslookup command on the client side I
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

error_log

------------------------------------------------------------------------------

------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
--
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Francois Gaudreault

2011-12-02 14:32:06 UTC

Permalink

OK try this. In pf/conf/httpd.conf.apache22, change :
RewriteRule ^.*$
https://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
to
RewriteRule ^.*$
http://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]

You will need to change it two times. Next, restart packetfence and
retry. This will prevent the redirect to https, and will use plain
http. Let's see if it works that way.

My other question, do you have a proxy configured for your browser?

Post by clf
I have to add something, the PF is a virtual machine running on
Virtual Box, this is configured with tho NICs and the NIC configured
to use with PF is a trunk with all VLANs needed, is set as follows
eth1management
eth1.10 normal vlan
eth1.2 registration
eth1.3 isolation
eth1.5 normal vlan guests
the other NIC is connected to a management switch
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from explorer
and firefox, I can also see the attempts from the antivirus trying
to update
something is wrong loading the certificate or the reg page
Am 01/12/2011 um 20:47 schrieb Francois Gaudreault

Post by Francois Gaudreault
Hi,
Yes the nslookup is fine, as long as the PC also have a
192.168.2.x IP Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning.
Did you test using another PC?

Post by clf
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after
starting and stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt
show up, certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer
and IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert
files with openssl with the right server name and replacing
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
I realized that if i release the nslookup command on the
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
<http://www.google.com.registration.mydomain.com>
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)?
Do you have
the same thing?

Post by clf
Hi All,
I just set up a new PF server yesterday, everything went

fine and I

Post by clf
could start the service and access the GUI.
The server is set up in VLAN enforcement mode so when a

new device is

Post by clf
connected to the switch, PF changes the VLAN (MAC

detection) to the

Post by clf
registration VLAN and when the client opens the web

browser it comes

Post by clf
up the classic "Certificate Error" in Internet Explorer

but when I

Post by clf
click the link to ignore the message it just hangs and the

reg page

Post by clf
doesnŽt
I can see PF knows the client is trying to access to the

Internet as I

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/

HTTP/1.1" 200

Post by clf
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152

<tel:3.0.4506.2152>; .NET CLR

Post by clf
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this

on the error_log

Post by clf
[Thu Dec 01 10:36:37 2011] [notice] caught SIGTERM,

shutting down

Post by clf
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate

is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate

CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate

is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server certificate

CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate

is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate

CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate

is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server certificate

CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4
Perl/v5.10.1 configured -- resuming normal operations
Any advice?
Thanks in advance
clf

------------------------------------------------------------------------------

Post by clf
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application

performance,

Post by clf
security threats, fraudulent activity, and more. Splunk

takes this

Post by clf
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
(x130) :: http://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu
<http://www.sogo.nu>) and PacketFence (www.packetfence.org
<http://www.packetfence.org>)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-02 15:55:20 UTC

Permalink

Hi François,

that's a good tip, I won't be able to try this until monday since today I'm
out of office, but I will post the results as soon as I make this

thanks again and have a nice weekend

Post by Francois Gaudreault
**
RewriteRule ^.*$
https://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
to
RewriteRule ^.*$
http://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
You will need to change it two times. Next, restart packetfence and
retry. This will prevent the redirect to https, and will use plain http.
Let's see if it works that way.
My other question, do you have a proxy configured for your browser?
I have to add something, the PF is a virtual machine running on Virtual
Box, this is configured with tho NICs and the NIC configured to use with PF
is a trunk with all VLANs needed, is set as follows
eth1management
eth1.10 normal vlan
eth1.2 registration
eth1.3 isolation
eth1.5 normal vlan guests
the other NIC is connected to a management switch

Post by RaÃ¼l GonzÃ¡lez
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from explorer and
firefox, I can also see the attempts from the antivirus trying to update
something is wrong loading the certificate or the reg page
Am 01/12/2011 um 20:47 schrieb Francois Gaudreault <
Hi,
Yes the nslookup is fine, as long as the PC also have a 192.168.2.x IP
Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning. Did you
test using another PC?
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?

Post by Damian Mendoza
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after starting and
stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and
IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix) mod_ssl/2.2.15
OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1 configured --
resuming normal operations
I realized that if i release the nslookup command on the client side I
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

error_log

------------------------------------------------------------------------------

clf

2011-12-05 13:43:34 UTC

Permalink

so I tried today editing those two lines but still no success

I tried then disabling the iptables service and still the same problem

then I released the tcpdump -i eth1.2 command (eth1.2 is the registration
interface) and got this output at the moment I opened the web browser on
the client side and IŽm supposed to hit the captive portal

14:39:24.171855 IP 192.168.2.10.59015 > 192.168.2.1.domain: 41910+ A?
www.google.com. (32)
14:39:24.176052 IP 192.168.2.1.domain > 192.168.2.10.59015: 41910* 1/1/1 A
192.168.2.1 (88)
14:39:24.176678 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[S], seq 3594596785, win 65535, options [mss 1460,nop,nop,sackOK], length 0
14:39:24.176896 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[S.], seq 4272748915, ack 3594596786, win 5840, options [mss
1460,nop,nop,sackOK], length 0
14:39:24.177381 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[.], ack 1, win 65535, length 0
14:39:24.177394 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[P.], seq 1:653, ack 1, win 65535, length 652
14:39:24.177532 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[.], ack 653, win 6520, length 0
14:39:24.183245 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[P.], seq 1:581, ack 653, win 6520, length 580
14:39:24.184161 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[F.], seq 653, ack 581, win 64955, length 0
14:39:24.184521 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [S], seq
289044139, win 65535, options [mss 1460,nop,nop,sackOK], length 0
14:39:24.184592 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [S.],
seq 4278928276, ack 289044140, win 5840, options [mss 1460,nop,nop,sackOK],
length 0
14:39:24.184922 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [.], ack
1, win 65535, length 0
14:39:24.185210 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [P.],
seq 1:623, ack 1, win 65535, length 622
14:39:24.185265 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], ack
623, win 6842, length 0
14:39:24.190726 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[F.], seq 581, ack 654, win 6520, length 0
14:39:24.190946 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[.], ack 582, win 64955, length 0
14:39:24.453054 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1:1461, ack 623, win 6842, length 1460
14:39:24.453363 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1461:2921, ack 623, win 6842, length 1460
14:39:24.453504 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
2921:4381, ack 623, win 6842, length 1460
14:39:27.453316 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1:1461, ack 623, win 6842, length 1460
14:39:33.453327 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1:1461, ack 623, win 6842, length 1460
14:39:45.453211 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1:1461, ack 623, win 6842, length 1460
14:39:47.654597 IP 192.168.2.10.netbios-dgm > 192.168.2.255.netbios-dgm:
NBT UDP PACKET(138)
14:39:50.624802 IP 192.168.2.10.bootpc > 192.168.2.1.bootps: BOOTP/DHCP,
Request from 00:14:22:fd:cd:5f (oui Unknown), length 319
14:39:50.632697 IP 192.168.2.1.bootps > 192.168.2.10.bootpc: BOOTP/DHCP,
Reply, length 300
14:40:09.453231 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.], seq
1:1461, ack 623, win 6842, length 1460

now it gets stuck there

do you find something there?

thanks again in advance

Post by clf
Hi François,
that's a good tip, I won't be able to try this until monday since today
I'm out of office, but I will post the results as soon as I make this
thanks again and have a nice weekend

Post by RaÃ¼l GonzÃ¡lez
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from explorer and
firefox, I can also see the attempts from the antivirus trying to update
something is wrong loading the certificate or the reg page
Am 01/12/2011 um 20:47 schrieb Francois Gaudreault <
Hi,
Yes the nslookup is fine, as long as the PC also have a 192.168.2.x IP
Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning. Did you
test using another PC?
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?

Post by Damian Mendoza
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after starting and
stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and
IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files with
openssl with the right server name and replacing the old ones. Now I only
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1
configured -- resuming normal operations
I realized that if i release the nslookup command on the client side I
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange but this on the

error_log

------------------------------------------------------------------------------

Francois Gaudreault

2011-12-05 15:07:46 UTC

Permalink

That tcpdump indicates that you are hitting the portal. What you see in
the packetfence.log?

Post by clf
so I tried today editing those two lines but still no success
I tried then disabling the iptables service and still the same problem
then I released the tcpdump -i eth1.2 command (eth1.2 is the
registration interface) and got this output at the moment I opened the
web browser on the client side and IŽm supposed to hit the captive portal
14:39:24.171855 IP 192.168.2.10.59015 > 192.168.2.1.domain: 41910+ A?
www.google.com <http://www.google.com>. (32)
14:39:24.176052 IP 192.168.2.1.domain > 192.168.2.10.59015: 41910*
1/1/1 A 192.168.2.1 (88)
Flags [S], seq 3594596785, win 65535, options [mss
1460,nop,nop,sackOK], length 0
Flags [S.], seq 4272748915, ack 3594596786, win 5840, options [mss
1460,nop,nop,sackOK], length 0
Flags [.], ack 1, win 65535, length 0
Flags [P.], seq 1:653, ack 1, win 65535, length 652
Flags [.], ack 653, win 6520, length 0
Flags [P.], seq 1:581, ack 653, win 6520, length 580
Flags [F.], seq 653, ack 581, win 64955, length 0
14:39:24.184521 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags
[S], seq 289044139, win 65535, options [mss 1460,nop,nop,sackOK], length 0
14:39:24.184592 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[S.], seq 4278928276, ack 289044140, win 5840, options [mss
1460,nop,nop,sackOK], length 0
14:39:24.184922 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags
[.], ack 1, win 65535, length 0
14:39:24.185210 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags
[P.], seq 1:623, ack 1, win 65535, length 622
14:39:24.185265 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], ack 623, win 6842, length 0
Flags [F.], seq 581, ack 654, win 6520, length 0
Flags [.], ack 582, win 64955, length 0
14:39:24.453054 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
14:39:24.453363 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1461:2921, ack 623, win 6842, length 1460
14:39:24.453504 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 2921:4381, ack 623, win 6842, length 1460
14:39:27.453316 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
14:39:33.453327 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
14:39:45.453211 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
14:39:47.654597 IP 192.168.2.10.netbios-dgm >
192.168.2.255.netbios-dgm: NBT UDP PACKET(138)
BOOTP/DHCP, Request from 00:14:22:fd:cd:5f (oui Unknown), length 319
BOOTP/DHCP, Reply, length 300
14:40:09.453231 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
now it gets stuck there
do you find something there?
thanks again in advance
Hi François,
that's a good tip, I won't be able to try this until monday since
today I'm out of office, but I will post the results as soon as I
make this
thanks again and have a nice weekend
RewriteRule ^.*$
https://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
to
RewriteRule ^.*$
http://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
You will need to change it two times. Next, restart
packetfence and retry. This will prevent the redirect to
https, and will use plain http. Let's see if it works that way.
My other question, do you have a proxy configured for your browser?

Post by clf
I have to add something, the PF is a virtual machine running
on Virtual Box, this is configured with tho NICs and the NIC
configured to use with PF is a trunk with all VLANs needed,
is set as follows
eth1management
eth1.10 normal vlan
eth1.2 registration
eth1.3 isolation
eth1.5 normal vlan guests
the other NIC is connected to a management switch
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from
explorer and firefox, I can also see the attempts from
the antivirus trying to update
something is wrong loading the certificate or the reg page
Am 01/12/2011 um 20:47 schrieb Francois Gaudreault

Post by Francois Gaudreault
Hi,
Yes the nslookup is fine, as long as the PC also have a
192.168.2.x IP Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL
warning. Did you test using another PC?

Post by clf
thanks again
François, I didn't change any of the templates, no html
files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where
should I have a look?
If you start and stop the PF service does the
registration page work?
Thats the problem Im having works one time
after starting and stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration
page doesnŽt show up, certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and
explorer and IŽm still not able to see the
registration page...
IŽve solved those errors on the access_log creating
new cert files with openssl with the right server
name and replacing the old ones. Now I only get
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15
(Unix) mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2
mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming
normal operations
I realized that if i release the nslookup command
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
<http://www.google.com.registration.mydomain.com>
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie.
Chrome/Firefox)? Do you have
the same thing?

Post by clf
Hi All,
I just set up a new PF server yesterday,

everything went fine and I

Post by clf
could start the service and access the GUI.
The server is set up in VLAN enforcement mode so

when a new device is

Post by clf
connected to the switch, PF changes the VLAN (MAC

detection) to the

Post by clf
registration VLAN and when the client opens the

web browser it comes

Post by clf
up the classic "Certificate Error" in Internet

Explorer but when I

Post by clf
click the link to ignore the message it just

hangs and the reg page

Post by clf
doesnŽt
I can see PF knows the client is trying to access

to the Internet as I

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET

/captive-portal?destination_url=http://www.google.com/
HTTP/1.1" 200

Post by clf
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0;

Windows NT 5.1;

Post by clf
Trident/4.0; .NET CLR 2.0.50727; .NET CLR

3.0.4506.2152 <tel:3.0.4506.2152>; .NET CLR

Post by clf
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Having a look at the logs I see nothing strange

but this on the error_log

Post by clf
[Thu Dec 01 10:36:37 2011] [notice] caught

SIGTERM, shutting down

Post by clf
[Thu Dec 01 10:38:12 2011] [warn] RSA server

certificate is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server

certificate CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:12 2011] [warn] RSA server

certificate is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:12 2011] [warn] RSA server

certificate CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server

certificate is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server

certificate CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:13 2011] [warn] RSA server

certificate is a CA

Post by clf
certificate (BasicConstraints: CA == TRUE !?)
[Thu Dec 01 10:38:13 2011] [warn] RSA server

certificate CommonName

Post by clf
(CN) `packetfence' does NOT match server name!?
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15

(Unix)

Post by clf
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2

mod_perl/2.0.4

Post by clf
Perl/v5.10.1 configured -- resuming normal operations
Any advice?
Thanks in advance
clf

------------------------------------------------------------------------------

Post by clf
All the data continuously generated in your IT

infrastructure

Post by clf
contains a definitive record of customers,

application performance,

Post by clf
security threats, fraudulent activity, and more.

Splunk takes this

Post by clf
data and makes sense of it. IT sense. And common

sense.

Post by clf
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list

https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Francois Gaudreault, ing. jr
<tel:%2B1.514.447.4918> (x130) :: http://www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu
<http://www.sogo.nu>) and PacketFence
(www.packetfence.org <http://www.packetfence.org>)
------------------------------------------------------------------------------
All the data continuously generated in your IT
infrastructure
contains a definitive record of customers,
application performance,
security threats, fraudulent activity, and more.
Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu>) and PacketFence (www.packetfence.org <http://www.packetfence.org>)
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application
performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
All the data continuously generated in your IT infrastructure
contains a definitive record of customers, application performance,
security threats, fraudulent activity, and more. Splunk takes this
data and makes sense of it. IT sense. And common sense.
http://p.sf.net/sfu/splunk-novd2d
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-05 15:40:09 UTC

Permalink

packetfence.log, this is what I get from the DHCP request to the web
browser attempt

Dec 05 16:32:23 pfdhcplistener(4331) INFO: 00:14:22:fd:cd:5f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-12-05 16:32:23,computername =
testpc,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: DHCPOFFER from 192.168.2.1
(08:00:27:72:14:44) to host 00:14:22:fd:cd:5f (192.168.2.10)
(main::listen_dhcp)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: DHCPREQUEST from
00:14:22:fd:cd:5f (192.168.2.10) (main::listen_dhcp)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: could not resolve
192.168.2.10 to mac in ARP table (pf::iplog::ip2macinarp)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: could not resolve
192.168.2.10 to mac in ARP table (pf::iplog::ip2macinarp)
Dec 05 16:32:24 pfdhcplistener(4331) WARN: could not resolve
192.168.2.10 to mac (pf::iplog::ip2mac)
Dec 05 16:32:24 pfdhcplistener(4331) WARN: unable to resolve
00:14:22:fd:cd:5f to ip (pf::iplog::mac2ip)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: 00:14:22:fd:cd:5f requested
an IP. DHCP Fingerprint: OS::100 (Microsoft Windows XP). Modified node
with last_dhcp = 2011-12-05 16:32:24,computername =
testpc,dhcp_fingerprint = 1,15,3,6,44,46,47,31,33,249,43
(main::listen_dhcp)
Dec 05 16:32:24 pfdhcplistener(4331) INFO: DHCPACK from 192.168.2.1
(08:00:27:72:14:44) to host 00:14:22:fd:cd:5f (192.168.2.10) for 300
seconds (main::listen_dhcp)
Dec 05 16:32:26 pfdhcplistener(4331) INFO: DHCPACK CIADDR from
192.168.2.1 (08:00:27:72:14:44) to host 00:14:22:fd:cd:5f
(192.168.2.10) (main::listen_dhcp)
Dec 05 16:32:50 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 05 16:32:50 redir.cgi(0) INFO: Updating node 00:14:22:fd:cd:5f
user_agent with useragent: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows
NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET
CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)'
(pf::web::web_node_record_user_agent)
Dec 05 16:32:51 redir.cgi(0) INFO: Static User-Agent lookup data
initialized (pf::useragent::_init)
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to
authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 05 16:32:58 pfdhcplistener(4331) INFO: DHCPACK CIADDR from
192.168.2.1 (08:00:27:72:14:44) to host 00:14:22:fd:cd:5f
(192.168.2.10) (main::listen_dhcp)

Post by Francois Gaudreault
**
That tcpdump indicates that you are hitting the portal. What you see in
the packetfence.log?
so I tried today editing those two lines but still no success
I tried then disabling the iptables service and still the same problem
then I released the tcpdump -i eth1.2 command (eth1.2 is the registration
interface) and got this output at the moment I opened the web browser on
the client side and IŽm supposed to hit the captive portal
14:39:24.171855 IP 192.168.2.10.59015 > 192.168.2.1.domain: 41910+ A?
www.google.com. (32)
14:39:24.176052 IP 192.168.2.1.domain > 192.168.2.10.59015: 41910* 1/1/1 A
192.168.2.1 (88)
14:39:24.176678 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[S], seq 3594596785, win 65535, options [mss 1460,nop,nop,sackOK], length 0
14:39:24.176896 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[S.], seq 4272748915, ack 3594596786, win 5840, options [mss
1460,nop,nop,sackOK], length 0
14:39:24.177381 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[.], ack 1, win 65535, length 0
14:39:24.177394 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[P.], seq 1:653, ack 1, win 65535, length 652
14:39:24.177532 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[.], ack 653, win 6520, length 0
14:39:24.183245 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[P.], seq 1:581, ack 653, win 6520, length 580
14:39:24.184161 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[F.], seq 653, ack 581, win 64955, length 0
14:39:24.184521 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [S],
seq 289044139, win 65535, options [mss 1460,nop,nop,sackOK], length 0
14:39:24.184592 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [S.],
seq 4278928276, ack 289044140, win 5840, options [mss 1460,nop,nop,sackOK],
length 0
14:39:24.184922 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [.],
ack 1, win 65535, length 0
14:39:24.185210 IP 192.168.2.10.iclpv-dm > 192.168.2.1.http: Flags [P.],
seq 1:623, ack 1, win 65535, length 622
14:39:24.185265 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
ack 623, win 6842, length 0
14:39:24.190726 IP 192.168.2.1.http > 192.168.2.10.objective-dbc: Flags
[F.], seq 581, ack 654, win 6520, length 0
14:39:24.190946 IP 192.168.2.10.objective-dbc > 192.168.2.1.http: Flags
[.], ack 582, win 64955, length 0
14:39:24.453054 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1:1461, ack 623, win 6842, length 1460
14:39:24.453363 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1461:2921, ack 623, win 6842, length 1460
14:39:24.453504 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 2921:4381, ack 623, win 6842, length 1460
14:39:27.453316 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1:1461, ack 623, win 6842, length 1460
14:39:33.453327 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1:1461, ack 623, win 6842, length 1460
14:39:45.453211 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1:1461, ack 623, win 6842, length 1460
NBT UDP PACKET(138)
14:39:50.624802 IP 192.168.2.10.bootpc > 192.168.2.1.bootps: BOOTP/DHCP,
Request from 00:14:22:fd:cd:5f (oui Unknown), length 319
14:39:50.632697 IP 192.168.2.1.bootps > 192.168.2.10.bootpc: BOOTP/DHCP,
Reply, length 300
14:40:09.453231 IP 192.168.2.1.http > 192.168.2.10.iclpv-dm: Flags [.],
seq 1:1461, ack 623, win 6842, length 1460
now it gets stuck there
do you find something there?
thanks again in advance

Post by Francois Gaudreault
RewriteRule ^.*$
https://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
to
RewriteRule ^.*$
http://%%hostname%%.%%domain%%/captive-portal?destination_url=http://%{HTTP_HOST}%{REQUEST_URI}
[R=307,L]
You will need to change it two times. Next, restart packetfence and
retry. This will prevent the redirect to https, and will use plain http.
Let's see if it works that way.
My other question, do you have a proxy configured for your browser?
I have to add something, the PF is a virtual machine running on Virtual
Box, this is configured with tho NICs and the NIC configured to use with PF
is a trunk with all VLANs needed, is set as follows
eth1management
eth1.10 normal vlan
eth1.2 registration
eth1.3 isolation
eth1.5 normal vlan guests
the other NIC is connected to a management switch

Post by RaÃ¼l GonzÃ¡lez
yes, I tried two computers both with firefox and explorer
when I check the access_log I can see the attempts from explorer and
firefox, I can also see the attempts from the antivirus trying to update
something is wrong loading the certificate or the reg page
Am 01/12/2011 um 20:47 schrieb Francois Gaudreault <
Hi,
Yes the nslookup is fine, as long as the PC also have a 192.168.2.x IP
Address, and that you can ping 192.168.2.1.
Again, you are reaching the server if you get the SSL warning. Did you
test using another PC?
thanks again
François, I didn't change any of the templates, no html files were modified
Damian, restarting service doesn't help at this moment
can you tell me if the nslookup is correct? where should I have a look?

Post by Damian Mendoza
If you start and stop the PF service does the registration page work?
Thats the problem Im having works one time after starting and
stopping the service
*Sent:* Thursday, December 01, 2011 6:42 AM
*Subject:* Re: [Packetfence-users] Registration page doesnŽt show up,
certificate?
Hi Francois,
thanks for your reply, IŽve tried both mozilla and explorer and
IŽm still not able to see the registration page...
IŽve solved those errors on the access_log creating new cert files
with openssl with the right server name and replacing the old ones. Now I
[notice] caught SIGTERM, shutting down
[Thu Dec 01 10:38:18 2011] [notice] Apache/2.2.15 (Unix)
mod_ssl/2.2.15 OpenSSL/1.0.0-fips PHP/5.3.2 mod_perl/2.0.4 Perl/v5.10.1
configured -- resuming normal operations
I realized that if i release the nslookup command on the client side I
server: packetfence
address: 192.168.2.1
name: www.google.com.registration.mydomain.com
address: 192.168.2.1
is something wrong with dns?
thanks again
Hi,
What if you try with another browser (ie. Chrome/Firefox)? Do you have
the same thing?

Post by clf
connected to the switch, PF changes the VLAN (MAC detection) to the
registration VLAN and when the client opens the web browser it comes
up the classic "Certificate Error" in Internet Explorer but when I
click the link to ignore the message it just hangs and the reg page
doesnŽt
I can see PF knows the client is trying to access to the Internet as

Post by clf
see this in the access_log
192.168.2.10 - - [01/Dec/2011:10:50:30 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1"

200

error_log

------------------------------------------------------------------------------

Francois Gaudreault

2011-12-06 21:53:54 UTC

Permalink

Hi,

Looking at the log, it tells me you are redirected properly. So it's
not a SSL issue. Can you access https://IP/cgi-bin/register.cgi
directly? You just see a blank page there?

Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-07 09:02:04 UTC

Permalink

Hello again and thanks for your help,

weŽve already tried to access
https://192.168.2.1/cgi-bin/register.cgibefore but still the same
problem, sorry

looking at the tcpdump output weŽve seen that the client catches the GET
captive-portal order from apache and he sends the GET command to it asking
for the url, but then thereŽs an ACKnkowledge sent from the apcahe too many
times, it looks like this

09:35:59.319094 IP 192.168.2.1.http > 192.168.2.10.atc-appserver: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460

after that nothing happens, only ARP requests again

weŽve set the log level to debug and weŽve got this new outputs at the
moment while the client opens the browser

==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug]
mod_headers.c(768): headers: ap_headers_error_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET / HTTP/1.1" 307 288
"-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
.NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET
CLR 1.1.4322; InfoPath.2)"

==> packetfence.log <==
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to
authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)

==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug]
mod_headers.c(743): headers: ap_headers_output_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET
/captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200
7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"

Post by Francois Gaudreault
Hi,
Looking at the log, it tells me you are redirected properly. So it's
not a SSL issue. Can you access https://IP/cgi-bin/register.cgi
directly? You just see a blank page there?

Post by clf
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to

authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point
of
discussion for anyone considering optimizing the pricing and packaging
model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Francois Gaudreault

2011-12-07 13:06:44 UTC

Permalink

Hi,

Is SELinux disabled? (Just want to confirm)

Post by clf
Hello again and thanks for your help,
weŽve already tried to access https://192.168.2.1/cgi-bin/register.cgi
before but still the same problem, sorry
looking at the tcpdump output weŽve seen that the client catches the
GET captive-portal order from apache and he sends the GET command to
it asking for the url, but then thereŽs an ACKnkowledge sent from the
apcahe too many times, it looks like this
Flags [.], seq 1:1461, ack 623, win 6842, length 1460
after that nothing happens, only ARP requests again
weŽve set the log level to debug and weŽve got this new outputs at the
moment while the client opens the browser
==> error_log<==
*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(768): headers: ap_headers_error_filter()
*
==> access_log<==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET / HTTP/1.1" 307 288 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
==> packetfence.log<==
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
==> error_log<==
*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(743): headers: ap_headers_output_filter()
*
==> access_log<==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET /captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200 7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Hi,
Looking at the log, it tells me you are redirected properly. So it's
not a SSL issue. Can you access https://IP/cgi-bin/register.cgi
directly? You just see a blank page there?

Post by clf
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected

to authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
--
Francois Gaudreault, ing. jr
+1.514.447.4918 <tel:%2B1.514.447.4918> (x130) :: www.inverse.ca
<http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu
<http://www.sogo.nu>) and PacketFence (www.packetfence.org
<http://www.packetfence.org>)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist
and point of
discussion for anyone considering optimizing the pricing and
packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-08 06:53:08 UTC

Permalink

yes, selinux has been always disabled

Post by Francois Gaudreault
**
Hi,
Is SELinux disabled? (Just want to confirm)
Hello again and thanks for your help,
weŽve already tried to access https://192.168.2.1/cgi-bin/register.cgibefore but still the same problem, sorry
looking at the tcpdump output weŽve seen that the client catches the GET
captive-portal order from apache and he sends the GET command to it asking
for the url, but then thereŽs an ACKnkowledge sent from the apcahe too many
times, it looks like this
09:35:59.319094 IP 192.168.2.1.http > 192.168.2.10.atc-appserver: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
after that nothing happens, only ARP requests again
weŽve set the log level to debug and weŽve got this new outputs at the
moment while the client opens the browser
==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(768): headers: ap_headers_error_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET / HTTP/1.1" 307 288 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
==> packetfence.log <==
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(743): headers: ap_headers_output_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET /captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200 7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"

Post by clf
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to

authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
--
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

Francois Gaudreault

2011-12-08 14:22:07 UTC

Permalink

Another question, is there a pfdhcplistener process running on the
registration interface, and is trapping.registration is set to enabled
in pf.conf?

Post by clf
yes, selinux has been always disabled
Hi,
Is SELinux disabled? (Just want to confirm)

Post by clf
Hello again and thanks for your help,
weŽve already tried to access
https://192.168.2.1/cgi-bin/register.cgi before but still the
same problem, sorry
looking at the tcpdump output weŽve seen that the client catches
the GET captive-portal order from apache and he sends the GET
command to it asking for the url, but then thereŽs an
ACKnkowledge sent from the apcahe too many times, it looks like this
Flags [.], seq 1:1461, ack 623, win 6842, length 1460
after that nothing happens, only ARP requests again
weŽve set the log level to debug and weŽve got this new outputs
at the moment while the client opens the browser
==> error_log<==
*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(768): headers: ap_headers_error_filter()
*
==> access_log<==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET / HTTP/1.1" 307 288 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152 <tel:3.0.4506.2152>; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
==> packetfence.log<==
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
==> error_log<==
*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(743): headers: ap_headers_output_filter()
*
==> access_log<==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET /captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200 7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR3.0.4506.2152 <tel:3.0.4506.2152>; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
Hi,
Looking at the log, it tells me you are redirected properly.
So it's
not a SSL issue. Can you access https://IP/cgi-bin/register.cgi
directly? You just see a blank page there?

Post by clf
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f

redirected to authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
--
Francois Gaudreault, ing. jr
www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (www.sogo.nu
<http://www.sogo.nu>) and PacketFence (www.packetfence.org
<http://www.packetfence.org>)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference,
checklist and point of
discussion for anyone considering optimizing the pricing and
packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu <http://www.sogo.nu>) and PacketFence (www.packetfence.org <http://www.packetfence.org>)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Francois Gaudreault, ing. jr
***@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

clf

2011-12-08 15:01:25 UTC

Permalink

trapping.registration is enabled in pf.conf

[trapping]
registration=enabled

pfdhcplistener should be running on the registration interface, if I check
the status of the pf service I see

pfdhcplistener|1|9571| 9515 9514 9513

in fact IŽm able to get ip from dhcp on the registration vlan and also on
the isolation vlan

Post by Francois Gaudreault
**
Another question, is there a pfdhcplistener process running on the
registration interface, and is trapping.registration is set to enabled in
pf.conf?
yes, selinux has been always disabled

Post by Francois Gaudreault
Hi,
Is SELinux disabled? (Just want to confirm)
Hello again and thanks for your help,
weŽve already tried to access https://192.168.2.1/cgi-bin/register.cgibefore but still the same problem, sorry
looking at the tcpdump output weŽve seen that the client catches the GET
captive-portal order from apache and he sends the GET command to it asking
for the url, but then thereŽs an ACKnkowledge sent from the apcahe too many
times, it looks like this
09:35:59.319094 IP 192.168.2.1.http > 192.168.2.10.atc-appserver: Flags
[.], seq 1:1461, ack 623, win 6842, length 1460
after that nothing happens, only ARP requests again
weŽve set the log level to debug and weŽve got this new outputs at the
moment while the client opens the browser
==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(768): headers: ap_headers_error_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET / HTTP/1.1" 307 288 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"
==> packetfence.log <==
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f being redirected (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
Dec 07 09:04:59 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to authentication page (ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
==> error_log <==*[Wed Dec 07 09:04:59 2011] [debug] mod_headers.c(743): headers: ap_headers_output_filter()*
==> access_log <==
192.168.2.10 - - [07/Dec/2011:09:04:59 +0100] "GET /captive-portal?destination_url=http://www.google.com/ HTTP/1.1" 200 7093 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322; InfoPath.2)"

Post by clf
Dec 05 16:32:51 redir.cgi(0) INFO: 00:14:22:fd:cd:5f redirected to

authentication page
(ModPerl::ROOT::ModPerl::PerlRun::usr_local_pf_html_captive_2dportal_redir_2ecgi::handler)
--
Francois Gaudreault, ing. jr
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (
www.packetfence.org)
------------------------------------------------------------------------------
Cloud Services Checklist: Pricing and Packaging Optimization
This white paper is intended to serve as a reference, checklist and point of
discussion for anyone considering optimizing the pricing and packaging model
of a cloud services business. Read Now!
http://www.accelacomm.com/jaw/sfnl/114/51491232/
_______________________________________________
Packetfence-users mailing list
https://lists.sourceforge.net/lists/listinfo/packetfence-users