Hello Dean,

Does the provisioning work on other platforms, for instance Windows or iOS?

Did you try with different Android versions/devices?

Thanks


On 02/16/2017 08:42 PM, Dean Holland wrote:

I have tried again with 6.5 and the Android agent still only installs a CA cert. I have verified the CA certificate in the profile is that in the chain for FreeRADIUS and the client certificate.

I'm not sure what else I can do to help diagnose this, if I send an XML profile to someone off-list would that help?

Dean


On Sun, 29 Jan 2017, 11:36 AM Dean Holland <[email protected]> wrote:

    Thanks Fabrice.

    One step closer now! It looks like the user certificate is in the
    XML profile, but after entering the generated password the agent
    only asks to install one CA certificate - it doesn't seem to find
    the user certificate in the profile.


    On Sun, 29 Jan 2017, 9:57 AM Durand fabrice <[email protected]> wrote:

        Hello Dean,

        It has been fixed in devel; it was because of an Apache filter.

        cd /usr/local/pf
        wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
        patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

        And don't forget to rename apache_filters.conf.example to
        apache_filters.conf and do a pfcmd configreload hard


        Regards

        Fabrice


        On 2017-01-28 at 20:45, Dean Holland wrote:
        So I changed the httpd.portal.tt
        file to use RSA ciphers for TLS, which allowed me to decrypt
        a packet capture of the registration interface with
        Wireshark; the agent is getting a 501 error from the portal.
        HTTP trace follows.

        GET /profile.xml HTTP/1.1
        User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
        Host: www.packetfence.org
        Connection: Keep-Alive
        Accept-Encoding: gzip

        HTTP/1.1 501 Not Implemented
        Date: Sun, 29 Jan 2017 01:34:52 GMT
        Server: Apache
        X-DNS-Prefetch-Control: off
        Allow:
        Content-Length: 202
        Connection: close
        Content-Type: text/html; charset=iso-8859-1

        <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
        <html><head>
        <title>501 Not Implemented</title>
        </head><body>
        <h1>Not Implemented</h1>
        <p>GET to /profile.xml not supported.<br />
        </p>
        </body></html>



        Dean

        On Fri, Jan 6, 2017 at 9:27 AM Dean Holland
        <[email protected]> wrote:

            Hi Fabrice,

            Correct - nothing in that log file either.

            On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice
            <[email protected]> wrote:

                It's normal that it's an iPhone profile since the
                Android app uses the same format.

                Nothing in httpd.portal.catalyst either?



                On 2017-01-05 at 01:46, Dean Holland wrote:
                No errors in httpd.portal.error - in fact nothing
                logged at all!

                If I browse to www.packetfence.org/profile.xml (which
                resolves to the portal) I get what looks like an iOS
                profile - it starts with

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
                "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
                <!-- Generated by the iPhone Configuration Utility /-->
                <plist version="1.0">



                On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice
                <[email protected]> wrote:

                    Hello Dean,

                    Can you check all the log files to see if you
                    find the error (probably in httpd.portal.error)?

                    And can you try from a web browser to go
                    directly to www.packetfence.org/profile.xml and
                    check if you get the error?

                    Regards

                    Fabrice


                    On 2017-01-04 at 03:14, Dean Holland wrote:
                    Hello,

                    I have a PF 6.4 install on Debian Jessie and am
                    having issues provisioning Android devices.
                    When I get to the stage of installing the
                    wireless profile, opening the PF agent results
                    in an "Error fetching profile" message. This
                    has happened on two separate tablets - both of
                    which are identified as Android as the correct
                    provisioner is being displayed on the portal.

                    The certificate is being requested (I can see
                    it in the mspki console), and being transferred
                    from NDES (can see it in tcpdump) but it looks
                    as though the profile generation is
                    encountering a 501 error:

                    192.168.99.11 - - [04/Jan/2017:15:32:22 +0800] "www.packetfence.org" "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)" 897

                    This used to work, though I haven't had to
                    provision a device in a while so I'm not sure
                    when it stopped. I can request a user
                    certificate, manually install it on the device
                    with the CA certs and connect to the wireless
                    successfully using PF as the RADIUS server.
                    Anywhere I can start looking as to why the
                    profile isn't generated successfully?

                    profiles.conf:

                    [default]
                    locale=
                    autoregister=enabled
                    sources=Haveacry_AD
                    provisioners=android-haveacry,ios


                    provisioning.conf

                    [android-haveacry]
                    description=Haveacry Wireless
                    security_type=WPA
                    can_sign_profile=0
                    category=default
                    ssid=haveacry
                    pki_provider=Haveacry_SCEP
                    type=android
                    oses=
                    broadcast=1
                    eap_type=13


                    pki_providers.conf

                    [Haveacry_SCEP]
                    state=XXXXXX
                    cn_attribute=pid
                    url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
                    organization=Have a Cry
                    organizational_unit=Infrastructure
                    server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
                    locality=XXXXXXXX
                    country=XX
                    type=scep
                    ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem

                    packetfence.log

                    Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Authenticating user using sources : Haveacry_AD (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] [Haveacry_AD] Authentication successful for dean (pf::Authentication::Source::LDAPSource::authenticate)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Authentication successful for 'dean' in source Haveacry_AD (AD) (pf::authentication::authenticate)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Successfully authenticated dean (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
                    Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using sources Haveacry_AD for matching (pf::authentication::match)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched rule (WiFi_Default) in source Haveacry_AD, returning actions. (pf::Authentication::Source::match)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:10 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using sources Haveacry_AD for matching (pf::authentication::match)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched rule (WiFi_Default) in source Haveacry_AD, returning actions. (pf::Authentication::Source::match)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
                    Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User: 'dean' found in the directory (pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
                    Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
                    Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
                    Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)


                    
                    ------------------------------------------------------------------------------
                    Check out the vibrant tech community on one of the world's most
                    engaging tech sites, SlashDot.org! http://sdm.link/slashdot

                    _______________________________________________
                    PacketFence-users mailing list
                    [email protected]
                    https://lists.sourceforge.net/lists/listinfo/packetfence-users

                    

--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
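
Added example (not part of the thread and not PacketFence code): a check that separates the two possibilities Dean describes, a profile.xml that lacks the client certificate versus an agent that ignores one that is present. It assumes the profile uses the standard Apple configuration-profile payload types and keys named in the comments; the sample profile and its certificate bytes are constructed placeholders.

```python
import plistlib

# Standard Apple configuration-profile payload types. Assumption: the portal's
# profile.xml uses them, since the thread says it is an iOS-format plist.
CA_TYPE = "com.apple.security.root"
P12_TYPE = "com.apple.security.pkcs12"
WIFI_TYPE = "com.apple.wifi.managed"
EAP_TLS = 13  # same value as eap_type=13 in provisioning.conf


def audit_profile(xml_bytes):
    """Return the problems that would prevent EAP-TLS provisioning."""
    profile = plistlib.loads(xml_bytes)
    by_type = {}
    for payload in profile.get("PayloadContent", []):
        by_type.setdefault(payload.get("PayloadType"), []).append(payload)

    problems = []
    if not by_type.get(CA_TYPE):
        problems.append("no CA certificate payload")

    p12 = by_type.get(P12_TYPE, [])
    if not p12:
        problems.append("no client certificate (PKCS#12) payload")
    elif any(not p.get("PayloadContent") for p in p12):
        problems.append("client certificate payload is empty")
    p12_uuids = {p["PayloadUUID"] for p in p12 if p.get("PayloadUUID")}

    wifi_payloads = by_type.get(WIFI_TYPE, [])
    if not wifi_payloads:
        problems.append("no Wi-Fi payload")
    for wifi in wifi_payloads:
        eap = wifi.get("EAPClientConfiguration", {})
        if EAP_TLS not in eap.get("AcceptEAPTypes", []):
            problems.append("Wi-Fi payload does not accept EAP type 13")
        if wifi.get("PayloadCertificateUUID") not in p12_uuids:
            problems.append("Wi-Fi payload does not reference a client certificate")
    return problems


def build_sample(include_client_cert):
    """Constructed sample profile; all certificate bytes are placeholders."""
    content = [
        {"PayloadType": CA_TYPE, "PayloadUUID": "ca-1",
         "PayloadContent": b"CA-DER-PLACEHOLDER"},
        {"PayloadType": WIFI_TYPE, "PayloadUUID": "wifi-1",
         "SSID_STR": "haveacry", "PayloadCertificateUUID": "p12-1",
         "EAPClientConfiguration": {"AcceptEAPTypes": [EAP_TLS]}},
    ]
    if include_client_cert:
        content.append({"PayloadType": P12_TYPE, "PayloadUUID": "p12-1",
                        "PayloadContent": b"PKCS12-PLACEHOLDER"})
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadContent": content})


if __name__ == "__main__":
    for with_cert in (True, False):
        print(with_cert, audit_profile(build_sample(with_cert)))
```

An empty result for a profile saved from the portal points at the agent rather than at profile generation.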
