Hello Dean,
Just to let you know I tested it on my side and it works fine (using
MSPKI). Are you prompted for the user certificate password when the app
is installing the profile?
The app does not 'tell' you the user certificate has been installed,
even if it's still doing it.
What happens when you try to connect to the provisioned SSID after the
profile was installed? Does it fail? Ask you for the user certificate?
Others?
Thanks
On 02/25/2017 10:22 PM, Dean Holland wrote:
What's the next step now, send a copy of the XML profile to someone to
test with?
On Sun, 19 Feb 2017, 7:31 PM Dean Holland <[email protected]> wrote:
Hi Antoine,
Yes - iOS works, I unregistered a device, cleared its user and
role, deleted the existing wireless profile and was able to
register it again and install the wireless profile.
I've tried with three different Android tablets and OS versions -
5.1, 6.0 and 7.0. In all cases the agent only installs the CA
certificate.
Dean
On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher <[email protected]> wrote:
Hello Dean,
Does the provisioning work on other platforms, for instance
Windows or iOS?
Did you try with different Android versions/devices?
Thanks
On 02/16/2017 08:42 PM, Dean Holland wrote:
I have tried again with 6.5 and the Android agent still only
installs a CA cert. I have verified the CA certificate in the
profile is that in the chain for FreeRADIUS and the client
certificate.
I'm not sure what else I can do to help diagnose this, if I
send an XML profile to someone off-list would that help?
Dean
On Sun, 29 Jan 2017, 11:36 AM Dean Holland <[email protected]> wrote:
Thanks Fabrice.
One step closer now! It looks like the user certificate
is in the XML profile, but after entering the generated
password the agent only asks to install one CA
certificate - it doesn't seem to find the user
certificate in the profile.
On Sun, 29 Jan 2017, 9:57 AM Durand fabrice <[email protected]> wrote:
Hello Dean,
It has been fixed in devel, it was because of an
apache filter.
cd /usr/local/pf
wget https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
And don't forget to rename
apache_filters.conf.example to apache_filters.conf
and do a pfcmd configreload hard
Regards
Fabrice
On 2017-01-28 at 20:45, Dean Holland wrote:
So I changed the httpd.portal.tt file to use RSA ciphers for
TLS, which allowed me to decrypt a packet capture of
the registration interface with Wireshark, the agent
is getting a 501 error from the portal. HTTP trace
follows.
GET /profile.xml HTTP/1.1
User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
Host: www.packetfence.org
Connection: Keep-Alive
Accept-Encoding: gzip
HTTP/1.1 501 Not Implemented
Date: Sun, 29 Jan 2017 01:34:52 GMT
Server: Apache
X-DNS-Prefetch-Control: off
Allow:
Content-Length: 202
Connection: close
Content-Type: text/html; charset=iso-8859-1
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>501 Not Implemented</title>
</head><body>
<h1>Not Implemented</h1>
<p>GET to /profile.xml not supported.<br />
</p>
</body></html>
Dean
On Fri, Jan 6, 2017 at 9:27 AM Dean Holland <[email protected]> wrote:
Hi Fabrice,
Correct - nothing in that log file either.
On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice <[email protected]> wrote:
It's normal that it's an iPhone profile
since the Android app uses the same format.
Nothing in httpd.portal.catalyst too?
On 2017-01-05 at 01:46, Dean Holland wrote:
No errors in httpd.portal.error - in fact
nothing logged at all!
If I browse to www.packetfence.org/profile.xml (which
resolves to the portal) I get what looks
like an iOS profile - it starts with
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- Generated by the iPhone Configuration Utility /-->
<plist version="1.0">
On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice <[email protected]> wrote:
Hello Dean,
Can you check all the log files to see
if you find the error? (Probably in
httpd.portal.error)
And can you try from a web browser to
go directly to www.packetfence.org/profile.xml
and check if you get the error?
Regards
Fabrice
On 2017-01-04 at 03:14, Dean Holland wrote:
Hello,
I have a PF 6.4 install on Debian
Jessie and am having issues
provisioning Android devices. When I
get to the stage of installing the
wireless profile, opening the PF agent
results in an "Error fetching profile"
message. This has happened on two
separate tablets - both of which are
identified as Android as the correct
provisioner is being displayed on the
portal.
The certificate is being requested (I
can see it in the mspki console), and
being transferred from NDES (can see
it in tcpdump) but it looks as though
the profile generation is encountering
a 501 error:
192.168.99.11 - - [04/Jan/2017:15:32:22 +0800] "www.packetfence.org" "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)" 897
This used to work, though I haven't
had to provision a device in a while
so I'm not sure when it stopped. I can
request a user certificate, manually
install it on the device with the CA
certs and connect to the wireless
successfully using PF as the RADIUS
server. Anywhere I can start looking
as to why the profile isn't generated
successfully?
profiles.conf:
[default]
locale=
autoregister=enabled
sources=Haveacry_AD
provisioners=android-haveacry,ios
provisioning.conf
[android-haveacry]
description=Haveacry Wireless
security_type=WPA
can_sign_profile=0
category=default
ssid=haveacry
pki_provider=Haveacry_SCEP
type=android
oses=
broadcast=1
eap_type=13
pki_providers.conf
[Haveacry_SCEP]
state=XXXXXX
cn_attribute=pid
url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
organization=Have a Cry
organizational_unit=Infrastructure
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
locality=XXXXXXXX
country=XX
type=scep
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
packetfence.log
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Authenticating user using sources : Haveacry_AD (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] [Haveacry_AD] Authentication successful for dean (pf::Authentication::Source::LDAPSource::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Authentication successful for 'dean' in source Haveacry_AD (AD) (pf::authentication::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Successfully authenticated dean (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using sources Haveacry_AD for matching (pf::authentication::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched rule (WiFi_Default) in source Haveacry_AD, returning actions. (pf::Authentication::Source::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:10 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling match with empty/invalid rule class. Defaulting to 'authentication' (pf::authentication::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using sources Haveacry_AD for matching (pf::authentication::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched rule (WiFi_Default) in source Haveacry_AD, returning actions. (pf::Authentication::Source::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:10 httpd.portal(7754) INFO: [mac:30:85:a9:4b:5b:e7] User: 'dean' found in the directory (pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:unknown] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] Found provisioner android-haveacry for 30:85:a9:4b:5b:e7 (captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jan 04 16:08:17 httpd.portal(7757) INFO: [mac:30:85:a9:4b:5b:e7] User dean has authenticated on the portal. (Class::MOP::Class:::after)
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the
world's most
engaging tech sites,
SlashDot.org!http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
<mailto:[email protected]>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
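
The thread establishes that the Android agent consumes the same Apple-style plist profile as iOS and that, with eap_type=13 (EAP-TLS), the agent installed only the CA certificate. The Python check below is an added example, not code from the thread or from PacketFence: it assumes an unsigned profile that uses Apple's standard payload types and keys, and the sample profile and the name check_profile are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not taken from the thread): one CA payload, one
# PKCS#12 identity payload and a Wi-Fi payload set up for EAP-TLS (EAP type 13).
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.security.root</string>
  <key>PayloadUUID</key><string>ca-1</string><key>PayloadContent</key><data>AAAA</data></dict>
 <dict><key>PayloadType</key><string>com.apple.security.pkcs12</string>
  <key>PayloadUUID</key><string>id-1</string><key>PayloadContent</key><data>AAAA</data></dict>
 <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>PayloadUUID</key><string>wifi-1</string><key>SSID_STR</key><string>example-ssid</string>
  <key>PayloadCertificateUUID</key><string>id-1</string>
  <key>EAPClientConfiguration</key><dict>
   <key>AcceptEAPTypes</key><array><integer>13</integer></array>
   <key>PayloadCertificateAnchorUUID</key><array><string>ca-1</string></array></dict></dict>
</array></dict></plist>"""

CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
IDENTITY_TYPE = "com.apple.security.pkcs12"

def check_profile(raw: bytes) -> list[str]:
    """Return the problems that would leave an EAP-TLS client without an identity."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_uuid = {p.get("PayloadUUID"): p for p in payloads}
    types = {p.get("PayloadType") for p in payloads}
    problems = []
    if not types & CA_TYPES:
        problems.append("no CA certificate payload")
    if IDENTITY_TYPE not in types:
        problems.append("no PKCS#12 identity payload")
    wifi = [p for p in payloads if p.get("PayloadType") == "com.apple.wifi.managed"]
    if not wifi:
        problems.append("no Wi-Fi payload")
    for w in wifi:
        ssid = w.get("SSID_STR")
        eap = w.get("EAPClientConfiguration", {})
        if 13 in eap.get("AcceptEAPTypes", []):
            # EAP-TLS needs the Wi-Fi payload to point at an identity in the same profile.
            linked = by_uuid.get(w.get("PayloadCertificateUUID"), {})
            if linked.get("PayloadType") != IDENTITY_TYPE:
                problems.append(f"{ssid}: EAP-TLS without a linked identity payload")
        for anchor in eap.get("PayloadCertificateAnchorUUID", []):
            if anchor not in by_uuid:
                problems.append(f"{ssid}: unknown trust anchor {anchor}")
    return problems
```

Running check_profile over the bytes of a saved profile.xml separates a profile that lacks or mislinks the identity from one that is complete but not fully imported by the agent.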