Thanks Fabrice.

One step closer now! It looks like the user certificate is in the XML
profile, but after entering the generated password the agent only asks to
install one CA certificate - it doesn't seem to find the user certificate
in the profile.

On Sun, 29 Jan 2017, 9:57 AM Durand fabrice <[email protected]> wrote:

> Hello Dean,
>
> It has been fixed in devel, it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard.
>
>
> Regards
>
> Fabrice
>
> On 2017-01-28 at 20:45, Dean Holland wrote:
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark. The agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
> Host: www.packetfence.org
> Connection: Keep-Alive
> Accept-Encoding: gzip
>
> HTTP/1.1 501 Not Implemented
> Date: Sun, 29 Jan 2017 01:34:52 GMT
> Server: Apache
> X-DNS-Prefetch-Control: off
> Allow:
> Content-Length: 202
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>501 Not Implemented</title>
> </head><body>
> <h1>Not Implemented</h1>
> <p>GET to /profile.xml not supported.<br />
> </p>
> </body></html>
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland <[email protected]>
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice <[email protected]> wrote:
>
> It's normal that it's an iPhone profile since the Android app uses the same
> format.
>
> Nothing in httpd.portal.catalyst either?
>
>
>
> On 2017-01-05 at 01:46, Dean Holland wrote:
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <!-- Generated by the iPhone Configuration Utility /-->
> <plist version="1.0">
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice <[email protected]> wrote:
>
> Hello Dean,
>
> Can you check all the log files to see if you find the error (probably in
> httpd.portal.error)?
>
> And can you try from a web browser to go directly to
> www.packetfence.org/profile.xml and check if you get the error?
>
> Regards
>
> Fabrice
>
>
> On 2017-01-04 at 03:14, Dean Holland wrote:
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XXXXXX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=XXXXXXXX
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authenticating user using sources : Haveacry_AD
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> [Haveacry_AD] Authentication successful for dean
> (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authentication successful for 'dean' in source Haveacry_AD (AD)
> (pf::authentication::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Successfully authenticated dean
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling
> match with empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using
> sources Haveacry_AD for matching (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched
> rule (WiFi_Default) in source Haveacry_AD, returning actions.
> (pf::Authentication::Source::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling
> match with empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using
> sources Haveacry_AD for matching (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched
> rule (WiFi_Default) in source Haveacry_AD, returning actions.
> (pf::Authentication::Source::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Found
> provisioner android-haveacry for 30:85:a9:4b:5b:e7
> (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User:
> 'dean' found in the directory
> (pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found
> provisioner android-haveacry for 30:85:a9:4b:5b:e7
> (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
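
The symptom in the top message (the agent offers only a CA certificate) can be checked against the downloaded profile.xml itself. This is an added example, not code from the thread or from PacketFence: a Python check of an Apple-format profile for the payloads an EAP-TLS (eap_type=13) Wi-Fi profile needs. It assumes the standard Apple payload types; the names `audit_profile` and `sample_profile` and the sample profile contents are constructed here.

```python
import plistlib

# Standard Apple configuration-profile payload types (assumed, not PacketFence-specific).
CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
IDENTITY_TYPE = "com.apple.security.pkcs12"
WIFI_TYPE = "com.apple.wifi.managed"
EAP_TLS = 13  # same value as eap_type=13 in provisioning.conf


def audit_profile(xml_bytes):
    """Return a list of findings for a profile meant to provision EAP-TLS Wi-Fi."""
    payloads = plistlib.loads(xml_bytes).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    findings = []
    if not any(p.get("PayloadType") in CA_TYPES for p in payloads):
        findings.append("no CA certificate payload")
    identities = [p for p in payloads if p.get("PayloadType") == IDENTITY_TYPE]
    if not identities:
        findings.append("no PKCS#12 identity payload")
    for ident in identities:
        if not ident.get("PayloadContent"):
            findings.append("identity payload %s is empty" % ident.get("PayloadUUID"))
    for wifi in payloads:
        if wifi.get("PayloadType") != WIFI_TYPE:
            continue
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            continue
        # EAP-TLS needs the Wi-Fi payload to point at the client identity by UUID.
        ref = by_uuid.get(wifi.get("PayloadCertificateUUID"))
        if ref is None or ref.get("PayloadType") != IDENTITY_TYPE:
            findings.append("Wi-Fi payload for SSID %r does not reference an identity payload"
                            % wifi.get("SSID_STR"))
    return findings


def sample_profile(with_identity, link_identity):
    """Build a constructed profile; certificate bytes are placeholders, not real DER."""
    content = [{"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1",
                "PayloadContent": b"constructed-ca"}]
    if with_identity:
        content.append({"PayloadType": IDENTITY_TYPE, "PayloadUUID": "ID-1",
                        "PayloadContent": b"constructed-p12"})
    wifi = {"PayloadType": WIFI_TYPE, "PayloadUUID": "WIFI-1", "SSID_STR": "haveacry",
            "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]}}
    if link_identity:
        wifi["PayloadCertificateUUID"] = "ID-1"
    content.append(wifi)
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})
```

Run `audit_profile()` on the bytes of a profile.xml fetched from the portal; an empty list means the CA, the identity and the Wi-Fi reference are all present.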
