Hello Eugene,

Thanks for the information, I will update the doc.


Regards

Fabrice



On 2018-01-16 at 22:55, E.P. wrote:

Well, it is in the guide on PKI ;)

This is the picture from the page from section

3.4.3. PacketFence provider configuration

PacketFence PKI configuration

*From:*Fabrice Durand [mailto:[email protected]]
*Sent:* Tuesday, January 16, 2018 6:21 AM
*To:* E.P.; [email protected]
*Subject:* Re: [PacketFence-users] PKI provisioning configuration for Apple OS/iOS

I can't find in the doc where it's defined as 9191?!

On 2018-01-16 at 01:00, E.P. wrote:

    Great breakdown, thank you!

    What is the correct port number, Fabrice, in the “pki_provider.conf”
    file?

    You showed yours with 9393, but in the guide it is 9191.

    *From:*Fabrice Durand via PacketFence-users
    [mailto:[email protected]]
    *Sent:* Monday, January 15, 2018 6:01 AM
    *To:* [email protected]
    <mailto:[email protected]>
    *Cc:* Fabrice Durand
    *Subject:* Re: [PacketFence-users] PKI provisioning configuration
    for Apple OS/iOS

    Hello Eugene,

    On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:

        Folks,

        Our two big shots in the organization live their lives with
        Apple macbooks and we need to get them on the secure WiFi.

        Can someone explain to me where and how to get the content of
        certificates that are trusted by Apple devices?

    First you need to configure a PKI in PacketFence (what I use in
    pki_provider.conf):

    [PacketFencePKI]
    cn_format=%s
    profile=clientCrt
    revoke_on_unregistration=Y
    server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
    ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
    state=Quebec
    password=p@ck3tf3nc3
    organization=Inverse.inc
    country=CA
    proto=https
    port=9393
    host=127.0.0.1
    username=admin
    type=packetfence_pki
    cn_attribute=mac

    Next you need to configure the provisioner in order to provide
    the certificate and Wi-Fi configuration (provisioning.conf):

    [AppleTLS]
    broadcast=0
    oses=
    category=
    eap_type=13
    can_sign_profile=0
    security_type=WPA
    description=Apple Provisioning
    type=mobileconfig
    ssid=baguettesecure
    pki_provider=PacketFencePKI

    But in your case you need to sign the profile with another
    certificate, so in the Signing tab use a certificate like the
    certificate you have with GoDaddy.


    In this form you need to put your public key
    (-----BEGIN CERTIFICATE-----) in the certificate for signing
    profiles field, next your private key (-----BEGIN PRIVATE KEY-----),
    and in the last field the certificate chain of GoDaddy, probably
    this one:

    The last part will be to create a connection profile like this
    (profiles.conf):

    [Provisioning]
    locale=
    root_module=Provisioning
    filter=ssid:baguettefence
    description=Provisioning
    provisioners=AppleTLS

    And have a portal module like this (portal_module.conf):

    [Provisioning]
    modules=ProvisioningChain
    type=Root
    description=Root Provisioning

    [AppleTLS]
    skipable=disabled
    actions=
    type=Provisioning
    description=Apple Provisioning

    [ProvisioningChain]
    modules=NullAuth,AppleTLS
    actions=
    type=Chained
    description=Provisioning Chain

    [NullAuth]
    source_id=null
    actions=
    custom_fields=
    description=Null Authentication
    with_aup=0
    signup_template=signin.html
    aup_template=aup_text.html
    type=Authentication::Null

    So in this workflow, if a Mac connects to the open SSID
    (baguettefence) it will get a null auth and a provisioning
    portal; once the profile is installed it will connect to the secure
    SSID baguettefence with EAP-TLS.

    I hope it will help.
    Regards
    Fabrice



    The guide on PKI says a Verisign certificate could be an example. As
    far as I understand it I need to get the bundle from Verisign.

    Or it could be any well-known trusted CA, correct? We recently
    bought SSL certificates from GoDaddy and downloaded the bundle
    from them. It contains three certificates but none of them seems to
    match what is said on the PKI page, namely:

    - The certificate for signing profiles
    - The private key for signing profiles
    - The certificate chain for the signer certificate

    Eugene





    
    ------------------------------------------------------------------------------
    Check out the vibrant tech community on one of the world's most
    engaging tech sites, Slashdot.org! http://sdm.link/slashdot
    _______________________________________________
    PacketFence-users mailing list
    [email protected]
    https://lists.sourceforge.net/lists/listinfo/packetfence-users

    --
    Fabrice Durand
    [email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
    Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)


