v12 (Venom): GET http://IP_OF_PORTAL/captive-portal doesn't return captive portal webpage

inverse-inc / packetfence

PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) solution. Boasting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, powerful BYOD management options, 802.1X support, layer-2 isolation of problematic devices; PacketFence can be used to effectively secure networks small to very large heterogeneous networks.

https://packetfence.org

GNU General Public License v2.0

1.3k stars 276 forks source link

v12 (Venom): GET http://IP_OF_PORTAL/captive-portal doesn't return captive portal webpage #7129

Open nqb opened 2 years ago

nqb commented 2 years ago

Describe the bug I noticed a difference when reaching captive portal through IP address (not using name) in Venom tests.

Previously, in order to check locales on captive portal, I used following URL: https://172.18.201.2/captive-portal which returned directly captive portal webpage. Now, it seems that this URL returned:

<html>
    <head>
        <meta http-equiv="refresh" content="0; url=http://pf.example.lan/captive-portal?destination_url=https://172.18.201.2/captive-portal/">
        <script type="text/javascript">
            window.location.replace('http:\/\/pf.example.lan\/captive-portal?destination_url=https:\/\/172.18.201.2\/captive-portal\/');
        </script>
    </head>

If I reached directly https://pf.example.lan/captive-portal (with pf.example.lan configured as general domain and hostname in pf.conf) , I got captive portal webpage.

I just opened that issue to discuss about difference and potential impact it will have.

nqb commented 2 years ago

Additional notes:

I'm able to get captive portal webpage when using http://IP_OF_PORTAL/captive-portal on management interface with portal daemon enabled. I doesn't work when trying to reach captive portal on a registration interface (case described above).

haproxy-portal requests:

# on a registration interface
Aug 23 09:52:21 pfdeb11dev haproxy-portal-docker-wrapper[1131]: 172.18.201.115:46338 [23/Aug/2022:09:52:21.053] portal-http-172.18.200.12 proxy/proxy 0/0/0/5/5 200 602 - - ---- 2/1/0/0/0 0/0 {172.18.201.2} "GET /captive-portal HTTP/1.1"

# on management interface
Aug 23 09:52:27 pfdeb11dev haproxy-portal-docker-wrapper[1131]: 172.18.200.251:41690 [23/Aug/2022:09:52:27.534] portal-http-172.18.200.12 172.18.200.12-backend/containers-gateway.internal:8080 0/0/0/50/50 200 4916 - - ---- 2/1/0/0/0 0/0
{172.18.200.12} "GET /captive-portal HTTP/1.1"

nqb commented 2 years ago

I hit same issue while running inline tests.

Yass737 commented 1 year ago

Still unable to get the captive portal working with an Aruba2930M Series switch. Clients in the registration VLAN are redirected to msftconnecttest.com/redirect and after a while it redirects to the pfserver https://packetfence.nac/captive-portal?destination_url=http://www.msftconnecttest.com/redirect. my clients in registration can ping packetfence.nac or any other URL because it's redirected to the IP 66.70.255.147. They can also ping all the packetfence interfaces IP's.