thx for the clarification, will check.
didn't see any info about the logs question - would be very helpful, if you sent 
me the log file names that are supposed to hold the relevant info? thx!
j
________________________________
From: Fabrice Durand <fdur...@inverse.ca>
Sent: Tuesday, July 28, 2020 13:58
To: Juraj Tobias <j...@leaf.sk>; packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"



On 20-07-28 at 05:33, Juraj Tobias wrote:
thx, Fabrice, pls see replies in the text

________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 28, 2020 04:41
To: packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"


Hello Tobias,

On 20-07-26 at 10:06, Juraj Tobias via PacketFence-users wrote:
trying to get EAP-TLS with the new integrated PKI working, but run into 
problems with actual provisioning on the client computer - on registration wifi 
all works fine, user (after successful auth) gets the password and link for 
the windows agent, however, upon clicking the "Configure" button, an error 
message appears: "Unable to retrieve your profile file, please contact your 
local support".
I will need to see the logs.
I'd check myself, however, there are many, didn't see anything useful in those 
I checked, so if I could get the name of the log files to check, I'll gladly 
provide.

I have a hunch this has something to do with adding the PKI-generated radius 
SSL cert to the RADIUS' configuration (not sure if/why this doesn't happen 
automatically?), as suggested in the installation manual, however, the steps 
described there are very unclear (actually, there's just a mention not to 
forget to add it to the config, but the steps how to do that are missing 
altogether) - I tried to do it via 'System configuration -> RADIUS -> SSL 
certificates', however, the "New SSL certificate" form requires me to provide 
an Intermediate CA, which simply doesn't exist in the integrated PKI's 
generated CA.
https://mgmt:1443/admin/alt#/configuration/certificate/radius<https://192.168.0.39:1443/admin/alt#/configuration/certificate/radius>

does anyone please know, if:

  1.  adding the CA's cert is actually needed?

Yes, it's not yet automatic but you need to copy the ca cert in Configuration 
-> SSL -> Radius.
this one is a bit confusing. there are 2 nodes you might be referring to: 1: 
System Configuration > SSL Certificates > RADIUS, OR 2: System Configuration > 
RADIUS > SSL Certificates. which one do you have in mind?

System Configuration > RADIUS > SSL Certificates is the place where you will 
define other certificates, for example if you want to have another one for a 
specific realm.

https://mgmt:1443/admin/alt#/configuration/certificate/radius is the default 
radius certificate. If you check 
https://mgmt:1443/admin/alt#/configuration/radius/tls/tls-common you can see 
"Certificate Profile", which is defined to radius (which is the default 
certificate).

  2.  what does the error message mean?

wrong profile maybe or dns issue.

  3.  where on the server should I be looking for the generated XMLs?

from the laptop itself you can go to https://lost.com//profile.xml
not sure the url didn't get scrambled - are there supposed to be 2x slash, or 
it's just https://<my-packetfence-host>/profile.xml ?
1 slash.
or can anyone point me somewhere where I could find some more info?

thanks a lot!
j.




_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)