I have tried again with 6.5 and the Android agent still only installs a CA
cert. I have verified the CA certificate in the profile is that in the
chain for FreeRADIUS and the client certificate.

I'm not sure what else I can do to help diagnose this. If I send an XML
profile to someone off-list, would that help?

Dean

On Sun, 29 Jan 2017, 11:36 AM Dean Holland <[email protected]> wrote:

> Thanks Fabrice.
>
> One step closer now! It looks like the user certificate is in the XML
> profile, but after entering the generated password the agent only asks to
> install one CA certificate - it doesn't seem to find the user certificate
> in the profile.
>
> On Sun, 29 Jan 2017, 9:57 AM Durand fabrice <[email protected]> wrote:
>
> Hello Dean,
>
> It has been fixed in devel; it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard
>
>
> Regards
>
> Fabrice
>
> Le 2017-01-28 à 20:45, Dean Holland a écrit :
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark. The agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
> Host: www.packetfence.org
> Connection: Keep-Alive
> Accept-Encoding: gzip
>
> HTTP/1.1 501 Not Implemented
> Date: Sun, 29 Jan 2017 01:34:52 GMT
> Server: Apache
> X-DNS-Prefetch-Control: off
> Allow:
> Content-Length: 202
> Connection: close
> Content-Type: text/html; charset=iso-8859-1
>
> <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
> <html><head>
> <title>501 Not Implemented</title>
> </head><body>
> <h1>Not Implemented</h1>
> <p>GET to /profile.xml not supported.<br />
> </p>
> </body></html>
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland <[email protected]>
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice <[email protected]> wrote:
>
> It's normal that it's an iPhone profile since the Android app uses the same
> format.
>
> Nothing in httpd.portal.catalyst either?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <!-- Generated by the iPhone Configuration Utility /-->
> <plist version="1.0">
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice <[email protected]> wrote:
>
> Hello Dean,
>
> Can you check all the log files to see if you find the error (probably in
> httpd.portal.error)?
>
> And can you try from a web browser to go directly to
> www.packetfence.org/profile.xml and check if you get the error?
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XXXXXX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=XXXXXXXX
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authenticating user using sources : Haveacry_AD
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> [Haveacry_AD] Authentication successful for dean
> (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authentication successful for 'dean' in source Haveacry_AD (AD)
> (pf::authentication::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Successfully authenticated dean
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling
> match with empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using
> sources Haveacry_AD for matching (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched
> rule (WiFi_Default) in source Haveacry_AD, returning actions.
> (pf::Authentication::Source::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling
> match with empty/invalid rule class. Defaulting to 'authentication'
> (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using
> sources Haveacry_AD for matching (pf::authentication::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched
> rule (WiFi_Default) in source Haveacry_AD, returning actions.
> (pf::Authentication::Source::match)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Found
> provisioner android-haveacry for 30:85:a9:4b:5b:e7
> (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User:
> 'dean' found in the directory
> (pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found
> provisioner android-haveacry for 30:85:a9:4b:5b:e7
> (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
> Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
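
For the symptom in the latest message (only a CA certificate is offered for install), one way to see what the generated profile.xml actually carries is to list its certificate payloads. This is an added example, not code from the thread or from PacketFence: it assumes the profile follows Apple's configuration-profile layout, as the plist header quoted above suggests, uses Apple's payload type names, and runs on a constructed sample; `audit_profile` and `sample_profile` are hypothetical names.

```python
import plistlib

# Apple configuration-profile payload types that carry certificates.
CERT_TYPES = {
    "com.apple.security.root": "CA certificate",
    "com.apple.security.pkcs1": "certificate (no private key)",
    "com.apple.security.pkcs12": "client identity (PKCS#12)",
}
IDENTITY = CERT_TYPES["com.apple.security.pkcs12"]

def audit_profile(xml_bytes):
    """List certificate payloads and check the Wi-Fi payload's identity link."""
    payloads = plistlib.loads(xml_bytes).get("PayloadContent", [])
    certs = {p.get("PayloadUUID"): CERT_TYPES[p["PayloadType"]]
             for p in payloads if p.get("PayloadType") in CERT_TYPES}
    problems = []
    if IDENTITY not in certs.values():
        problems.append("no PKCS#12 identity payload")
    for p in payloads:
        if p.get("PayloadType") != "com.apple.wifi.managed":
            continue
        eap = p.get("EAPClientConfiguration", {})
        ref = p.get("PayloadCertificateUUID")
        # 13 = EAP-TLS (eap_type=13 in provisioning.conf): needs a client identity.
        if 13 in eap.get("AcceptEAPTypes", []) and certs.get(ref) != IDENTITY:
            problems.append(
                f"Wi-Fi {p.get('SSID_STR')!r}: EAP-TLS but no identity payload referenced")
    return {"certs": sorted(certs.values()), "problems": problems}

def sample_profile(with_identity):
    """Constructed sample profile; UUIDs and certificate bytes are placeholders."""
    content = [
        {"PayloadType": "com.apple.security.root", "PayloadUUID": "ca-1",
         "PayloadContent": b"constructed-ca-der"},
        {"PayloadType": "com.apple.wifi.managed", "PayloadUUID": "wifi-1",
         "SSID_STR": "example-ssid", "EncryptionType": "WPA",
         "EAPClientConfiguration": {"AcceptEAPTypes": [13]},
         "PayloadCertificateUUID": "id-1"},
    ]
    if with_identity:
        content.append({"PayloadType": "com.apple.security.pkcs12",
                        "PayloadUUID": "id-1",
                        "PayloadContent": b"constructed-p12"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})

if __name__ == "__main__":
    for flag in (True, False):
        print(flag, audit_profile(sample_profile(flag)))
```

To audit a real profile, pass the bytes of the saved profile.xml to `audit_profile`; an empty `problems` list means the identity payload is present and referenced, so the fault lies in how the client consumes it.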
