Re: [PacketFence-users] Android Provisioner profile error

[Antoine Amacher]

Hello Dean,

Just to let you know I tested it on my side and it works fine(using 
MSPKI), are you prompted for the user certificate password when the app 
is installing the profile?


The app does not 'tell' you the user certificate has been installed, 
even if it's still doing it.


What happen when you try to connect to the provisioned SSID after the 
profile was installed? Does it fail? Ask you for the user certificate? 
Others?


Thanks

On 02/25/2017 10:22 PM, Dean Holland wrote:


What's the next step now, send a copy of the XML profile to someone to 
test with?



On Sun, 19 Feb 2017, 7:31 PM Dean Holland > wrote:


Hi Antoine,

Yes - iOS works, I unregistered a device, cleared it's user and
role, deleted the existing wireless profile and was able to
register it again and install the wireless profile.

I've tried with three different Android tablets and OS versions -
5.1, 6.0 and 7.0. In all cases the agent only installs the CA
certificate.

Dean


On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher > wrote:

Hello Dean,

Does the provisioning works on other platform, for instance
windows or IOS?

Did you try with different android versions/devices?

Thanks


On 02/16/2017 08:42 PM, Dean Holland wrote:


I have tried again with 6.5 and the Android agent still only
installs a CA cert. I have verified the CA certificate in the
profile is that in the chain for FreeRADIUS and the client
certificate.

I'm not sure what else I can do to help diagnose this, if I
send an XML profile to someone off-list would that help?

Dean


On Sun, 29 Jan 2017, 11:36 AM Dean Holland
> wrote:

Thanks Fabrice.

One step closer now! It looks like the user certificate
is in the XML profile, but after entering the generated
password the agent only asks to install one CA
certificate - it doesn't seem to find the user
certificate in the profile.


On Sun, 29 Jan 2017, 9:57 AM Durand fabrice
> wrote:

Hello Dean,

i has been fixed in devel, it was because of an
apache filter.

cd /usr/local/pf

wget

https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

And don't forget to rename
apache_filters.conf.example to apache_filters.conf
and do a pfcmd configreload hard


Regards

Fabrice


Le 2017-01-28 à 20:45, Dean Holland a écrit :

So I changed the httpd.portal.tt
 file to use RSA ciphers for
TLS, which allowed me to decrypt a packet capture of
the registration interface with Wireshark, the agent
is getting a 501 error from the portal. HTTP trace
follows.

GET /profile.xml HTTP/1.1

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1;
Nexus 7 Build/LMY47V)

Host: www.packetfence.org 

Connection: Keep-Alive

Accept-Encoding: gzip


HTTP/1.1 501 Not Implemented

Date: Sun, 29 Jan 2017 01:34:52 GMT

Server: Apache

X-DNS-Prefetch-Control: off

Allow:

Content-Length: 202

Connection: close

Content-Type: text/html; charset=iso-8859-1






501 Not Implemented



Not Implemented

GET to /profile.xml not supported.







Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland
> wrote:

Hi Fabrice,

Correct - nothing in that log file either.

On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice
>
wrote:

it's normal that it's an iphone profile
since the android app use the same format.

Nothing in httpd.portal.catalyst too ?



Le 2017-01-05 à 01:46, Dean Holland a écrit :

No errors in httpd.portal.error - in fact
  

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

What's the next step now, send a copy of the XML profile to someone to test
with?

On Sun, 19 Feb 2017, 7:31 PM Dean Holland  wrote:

> Hi Antoine,
>
> Yes - iOS works, I unregistered a device, cleared it's user and role,
> deleted the existing wireless profile and was able to register it again and
> install the wireless profile.
>
> I've tried with three different Android tablets and OS versions - 5.1, 6.0
> and 7.0. In all cases the agent only installs the CA certificate.
>
> Dean
>
> On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher  wrote:
>
> Hello Dean,
>
> Does the provisioning works on other platform, for instance windows or IOS?
>
> Did you try with different android versions/devices?
>
> Thanks
>
> On 02/16/2017 08:42 PM, Dean Holland wrote:
>
> I have tried again with 6.5 and the Android agent still only installs a CA
> cert. I have verified the CA certificate in the profile is that in the
> chain for FreeRADIUS and the client certificate.
>
> I'm not sure what else I can do to help diagnose this, if I send an XML
> profile to someone off-list would that help?
>
> Dean
>
> On Sun, 29 Jan 2017, 11:36 AM Dean Holland  wrote:
>
> Thanks Fabrice.
>
> One step closer now! It looks like the user certificate is in the XML
> profile, but after entering the generated password the agent only asks to
> install one CA certificate - it doesn't seem to find the user certificate
> in the profile.
>
> On Sun, 29 Jan 2017, 9:57 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> i has been fixed in devel, it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget
> https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard
>
>
> Regards
>
> Fabrice
>
> Le 2017-01-28 à 20:45, Dean Holland a écrit :
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark, the agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
>
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
>
> Host: www.packetfence.org
>
> Connection: Keep-Alive
>
> Accept-Encoding: gzip
>
>
> HTTP/1.1 501 Not Implemented
>
> Date: Sun, 29 Jan 2017 01:34:52 GMT
>
> Server: Apache
>
> X-DNS-Prefetch-Control: off
>
> Allow:
>
> Content-Length: 202
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
> 
>
> 
>
> 501 Not Implemented
>
> 
>
> Not Implemented
>
> GET to /profile.xml not supported.
>
> 
>
> 
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland 
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice  wrote:
>
> it's normal that it's an iphone profile since the android app use the same
> format.
>
> Nothing in httpd.portal.catalyst too ?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> 
>  http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
> 
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile 

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

Hi Antoine,

Yes - iOS works, I unregistered a device, cleared it's user and role,
deleted the existing wireless profile and was able to register it again and
install the wireless profile.

I've tried with three different Android tablets and OS versions - 5.1, 6.0
and 7.0. In all cases the agent only installs the CA certificate.

Dean

On Sat, 18 Feb 2017, 2:25 AM Antoine Amacher  wrote:

> Hello Dean,
>
> Does the provisioning works on other platform, for instance windows or IOS?
>
> Did you try with different android versions/devices?
>
> Thanks
>
> On 02/16/2017 08:42 PM, Dean Holland wrote:
>
> I have tried again with 6.5 and the Android agent still only installs a CA
> cert. I have verified the CA certificate in the profile is that in the
> chain for FreeRADIUS and the client certificate.
>
> I'm not sure what else I can do to help diagnose this, if I send an XML
> profile to someone off-list would that help?
>
> Dean
>
> On Sun, 29 Jan 2017, 11:36 AM Dean Holland  wrote:
>
> Thanks Fabrice.
>
> One step closer now! It looks like the user certificate is in the XML
> profile, but after entering the generated password the agent only asks to
> install one CA certificate - it doesn't seem to find the user certificate
> in the profile.
>
> On Sun, 29 Jan 2017, 9:57 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> i has been fixed in devel, it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget
> https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard
>
>
> Regards
>
> Fabrice
>
> Le 2017-01-28 à 20:45, Dean Holland a écrit :
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark, the agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
>
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
>
> Host: www.packetfence.org
>
> Connection: Keep-Alive
>
> Accept-Encoding: gzip
>
>
> HTTP/1.1 501 Not Implemented
>
> Date: Sun, 29 Jan 2017 01:34:52 GMT
>
> Server: Apache
>
> X-DNS-Prefetch-Control: off
>
> Allow:
>
> Content-Length: 202
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
> 
>
> 
>
> 501 Not Implemented
>
> 
>
> Not Implemented
>
> GET to /profile.xml not supported.
>
> 
>
> 
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland 
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice  wrote:
>
> it's normal that it's an iphone profile since the android app use the same
> format.
>
> Nothing in httpd.portal.catalyst too ?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> 
>  http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
> 
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>

Re: [PacketFence-users] Android Provisioner profile error

[Antoine Amacher]

Hello Dean,

Does the provisioning works on other platform, for instance windows or IOS?

Did you try with different android versions/devices?

Thanks


On 02/16/2017 08:42 PM, Dean Holland wrote:


I have tried again with 6.5 and the Android agent still only installs 
a CA cert. I have verified the CA certificate in the profile is that 
in the chain for FreeRADIUS and the client certificate.


I'm not sure what else I can do to help diagnose this, if I send an 
XML profile to someone off-list would that help?


Dean


On Sun, 29 Jan 2017, 11:36 AM Dean Holland > wrote:


Thanks Fabrice.

One step closer now! It looks like the user certificate is in the
XML profile, but after entering the generated password the agent
only asks to install one CA certificate - it doesn't seem to find
the user certificate in the profile.


On Sun, 29 Jan 2017, 9:57 AM Durand fabrice > wrote:

Hello Dean,

i has been fixed in devel, it was because of an apache filter.

cd /usr/local/pf

wget

https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

And don't forget to rename apache_filters.conf.example to
apache_filters.conf and do a pfcmd configreload hard


Regards

Fabrice


Le 2017-01-28 à 20:45, Dean Holland a écrit :

So I changed the httpd.portal.tt 
file to use RSA ciphers for TLS, which allowed me to decrypt
a packet capture of the registration interface with
Wireshark, the agent is getting a 501 error from the portal.
HTTP trace follows.

GET /profile.xml HTTP/1.1

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7
Build/LMY47V)

Host: www.packetfence.org 

Connection: Keep-Alive

Accept-Encoding: gzip


HTTP/1.1 501 Not Implemented

Date: Sun, 29 Jan 2017 01:34:52 GMT

Server: Apache

X-DNS-Prefetch-Control: off

Allow:

Content-Length: 202

Connection: close

Content-Type: text/html; charset=iso-8859-1






501 Not Implemented



Not Implemented

GET to /profile.xml not supported.







Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland
> wrote:

Hi Fabrice,

Correct - nothing in that log file either.

On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice
> wrote:

it's normal that it's an iphone profile since the
android app use the same format.

Nothing in httpd.portal.catalyst too ?



Le 2017-01-05 à 01:46, Dean Holland a écrit :

No errors in httpd.portal.error - in fact nothing
logged at all!

If I browse to www.packetfence.org/profile.xml
 (which
resolves to the portal) I get what looks like an iOS
profile - it starts with


http://www.apple.com/DTDs/PropertyList-1.0.dtd;>





On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice
> wrote:

Hello Dean,

can you check all the log files to see if you
find the error. (probably in httpd.portal.error)

And can you try from a web browser to go
directly at www.packetfence.org/profile.xml
 and
check if you can have the error.

Regards

Fabrice


Le 2017-01-04 à 03:14, Dean Holland a écrit :

Hello,

I have a PF 6.4 install on Debian Jessie and am
having issues provisioning Android devices.
When I get to the stage of installing the
wireless profile, opening the PF agent results
in an "Error fetching profile" message. This
has happened on two separate tablets - both of
which are identified as Android as the correct
provisioner is being displayed on the portal.

The certificate is being requested (I can see
it in the mspki console), and being transferred
from NDES (can see it in tcpdump) but it looks

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

I have tried again with 6.5 and the Android agent still only installs a CA
cert. I have verified the CA certificate in the profile is that in the
chain for FreeRADIUS and the client certificate.

I'm not sure what else I can do to help diagnose this, if I send an XML
profile to someone off-list would that help?

Dean

On Sun, 29 Jan 2017, 11:36 AM Dean Holland  wrote:

> Thanks Fabrice.
>
> One step closer now! It looks like the user certificate is in the XML
> profile, but after entering the generated password the agent only asks to
> install one CA certificate - it doesn't seem to find the user certificate
> in the profile.
>
> On Sun, 29 Jan 2017, 9:57 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> i has been fixed in devel, it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget
> https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard
>
>
> Regards
>
> Fabrice
>
> Le 2017-01-28 à 20:45, Dean Holland a écrit :
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark, the agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
>
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
>
> Host: www.packetfence.org
>
> Connection: Keep-Alive
>
> Accept-Encoding: gzip
>
>
> HTTP/1.1 501 Not Implemented
>
> Date: Sun, 29 Jan 2017 01:34:52 GMT
>
> Server: Apache
>
> X-DNS-Prefetch-Control: off
>
> Allow:
>
> Content-Length: 202
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
> 
>
> 
>
> 501 Not Implemented
>
> 
>
> Not Implemented
>
> GET to /profile.xml not supported.
>
> 
>
> 
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland 
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice  wrote:
>
> it's normal that it's an iphone profile since the android app use the same
> format.
>
> Nothing in httpd.portal.catalyst too ?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> 
>  http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
> 
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] 

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

Thanks Fabrice.

One step closer now! It looks like the user certificate is in the XML
profile, but after entering the generated password the agent only asks to
install one CA certificate - it doesn't seem to find the user certificate
in the profile.

On Sun, 29 Jan 2017, 9:57 AM Durand fabrice  wrote:

> Hello Dean,
>
> i has been fixed in devel, it was because of an apache filter.
>
> cd /usr/local/pf
>
> wget
> https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff
>
> And don't forget to rename apache_filters.conf.example to
> apache_filters.conf and do a pfcmd configreload hard
>
>
> Regards
>
> Fabrice
>
> Le 2017-01-28 à 20:45, Dean Holland a écrit :
>
> So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
> allowed me to decrypt a packet capture of the registration interface with
> Wireshark, the agent is getting a 501 error from the portal. HTTP trace
> follows.
>
> GET /profile.xml HTTP/1.1
>
> User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)
>
> Host: www.packetfence.org
>
> Connection: Keep-Alive
>
> Accept-Encoding: gzip
>
>
> HTTP/1.1 501 Not Implemented
>
> Date: Sun, 29 Jan 2017 01:34:52 GMT
>
> Server: Apache
>
> X-DNS-Prefetch-Control: off
>
> Allow:
>
> Content-Length: 202
>
> Connection: close
>
> Content-Type: text/html; charset=iso-8859-1
>
>
> 
>
> 
>
> 501 Not Implemented
>
> 
>
> Not Implemented
>
> GET to /profile.xml not supported.
>
> 
>
> 
>
>
> Dean
>
> On Fri, Jan 6, 2017 at 9:27 AM Dean Holland 
> wrote:
>
> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice  wrote:
>
> it's normal that it's an iphone profile since the android app use the same
> format.
>
> Nothing in httpd.portal.catalyst too ?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> 
>  http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
> 
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: 

Re: [PacketFence-users] Android Provisioner profile error

[Durand fabrice]

Hello Dean,

i has been fixed in devel, it was because of an apache filter.

cd /usr/local/pf

wget 
https://github.com/inverse-inc/packetfence/commit/1a84821125d197025f9cc12941d2aeb7ee6deb72.diff


patch -p1 < 1a84821125d197025f9cc12941d2aeb7ee6deb72.diff

And don't forget to rename apache_filters.conf.example to 
apache_filters.conf and do a pfcmd configreload hard



Regards

Fabrice


Le 2017-01-28 à 20:45, Dean Holland a écrit :
So I changed the httpd.portal.tt  file to use 
RSA ciphers for TLS, which allowed me to decrypt a packet capture of 
the registration interface with Wireshark, the agent is getting a 501 
error from the portal. HTTP trace follows.


GET /profile.xml HTTP/1.1

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)

Host: www.packetfence.org 

Connection: Keep-Alive

Accept-Encoding: gzip


HTTP/1.1 501 Not Implemented

Date: Sun, 29 Jan 2017 01:34:52 GMT

Server: Apache

X-DNS-Prefetch-Control: off

Allow:

Content-Length: 202

Connection: close

Content-Type: text/html; charset=iso-8859-1






501 Not Implemented



Not Implemented

GET to /profile.xml not supported.







Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland > wrote:


Hi Fabrice,

Correct - nothing in that log file either.

On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice > wrote:

it's normal that it's an iphone profile since the android app
use the same format.

Nothing in httpd.portal.catalyst too ?



Le 2017-01-05 à 01:46, Dean Holland a écrit :

No errors in httpd.portal.error - in fact nothing logged at all!

If I browse to www.packetfence.org/profile.xml
 (which resolves to
the portal) I get what looks like an iOS profile - it starts with


http://www.apple.com/DTDs/PropertyList-1.0.dtd;>





On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice
> wrote:

Hello Dean,

can you check all the log files to see if you find the
error. (probably in httpd.portal.error)

And can you try from a web browser to go directly at
www.packetfence.org/profile.xml
 and check if you
can have the error.

Regards

Fabrice


Le 2017-01-04 à 03:14, Dean Holland a écrit :

Hello,

I have a PF 6.4 install on Debian Jessie and am having
issues provisioning Android devices. When I get to the
stage of installing the wireless profile, opening the PF
agent results in an "Error fetching profile" message.
This has happened on two separate tablets - both of
which are identified as Android as the correct
provisioner is being displayed on the portal.

The certificate is being requested (I can see it in the
mspki console), and being transferred from NDES (can see
it in tcpdump) but it looks as though the profile
generation is encountering a 501 error:

192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]
 "www.packetfence.org " "GET
/profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux;
U; Android 5.1.1; Nexus 7 Build/LMY47V)" 897

This used to work, though I haven't had to provision a
device in a while so I'm not sure when it stopped. I can
request a user certificate, manually install it on the
device with the CA certs and connect to the wireless
successfully using PF as the RADIUS server. Anywhere I
can start looking as to why the profile isn't generated
successfully?

profiles.conf:

[default]
locale=
autoregister=enabled
sources=Haveacry_AD
provisioners=android-haveacry,ios


provisioning.conf

[android-haveacry]
description=Haveacry Wireless
security_type=WPA
can_sign_profile=0
category=default
ssid=haveacry
pki_provider=Haveacry_SCEP
type=android
oses=
broadcast=1
eap_type=13


pki_providers.conf

[Haveacry_SCEP]
state=XX
cn_attribute=pid
url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
organization=Have a Cry
organizational_unit=Infrastructure
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
locality=
country=XX
type=scep

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

So I changed the httpd.portal.tt file to use RSA ciphers for TLS, which
allowed me to decrypt a packet capture of the registration interface with
Wireshark, the agent is getting a 501 error from the portal. HTTP trace
follows.

GET /profile.xml HTTP/1.1

User-Agent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)

Host: www.packetfence.org

Connection: Keep-Alive

Accept-Encoding: gzip


HTTP/1.1 501 Not Implemented

Date: Sun, 29 Jan 2017 01:34:52 GMT

Server: Apache

X-DNS-Prefetch-Control: off

Allow:

Content-Length: 202

Connection: close

Content-Type: text/html; charset=iso-8859-1






501 Not Implemented



Not Implemented

GET to /profile.xml not supported.






Dean

On Fri, Jan 6, 2017 at 9:27 AM Dean Holland  wrote:

> Hi Fabrice,
>
> Correct - nothing in that log file either.
>
> On Fri, Jan 6, 2017 at 8:12 AM Durand fabrice  wrote:
>
> it's normal that it's an iphone profile since the android app use the same
> format.
>
> Nothing in httpd.portal.catalyst too ?
>
>
>
> Le 2017-01-05 à 01:46, Dean Holland a écrit :
>
> No errors in httpd.portal.error - in fact nothing logged at all!
>
> If I browse to www.packetfence.org/profile.xml (which resolves to the
> portal) I get what looks like an iOS profile - it starts with
>
> 
>  http://www.apple.com/DTDs/PropertyList-1.0.dtd;>
> 
> 
>
>
>
> On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:
>
> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authenticating user using sources : Haveacry_AD
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> [Haveacry_AD] Authentication successful for dean
> (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authentication successful for 'dean' in source Haveacry_AD (AD)

Re: [PacketFence-users] Android Provisioner profile error

[Dean Holland]

No errors in httpd.portal.error - in fact nothing logged at all!

If I browse to www.packetfence.org/profile.xml (which resolves to the
portal) I get what looks like an iOS profile - it starts with


http://www.apple.com/DTDs/PropertyList-1.0.dtd;>





On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice  wrote:

> Hello Dean,
>
> can you check all the log files to see if you find the error. (probably in
> httpd.portal.error)
>
> And can you try from a web browser to go directly at
> www.packetfence.org/profile.xml and check if you can have the error.
>
> Regards
>
> Fabrice
>
>
> Le 2017-01-04 à 03:14, Dean Holland a écrit :
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authenticating user using sources : Haveacry_AD
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> [Haveacry_AD] Authentication successful for dean
> (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authentication successful for 'dean' in source Haveacry_AD (AD)
> (pf::authentication::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Successfully authenticated dean
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has 

Re: [PacketFence-users] Android Provisioner profile error

[Durand fabrice]

Hello Dean,

can you check all the log files to see if you find the error. (probably 
in httpd.portal.error)


And can you try from a web browser to go directly at 
www.packetfence.org/profile.xml and check if you can have the error.


Regards

Fabrice


Le 2017-01-04 à 03:14, Dean Holland a écrit :

Hello,

I have a PF 6.4 install on Debian Jessie and am having issues 
provisioning Android devices. When I get to the stage of installing 
the wireless profile, opening the PF agent results in an "Error 
fetching profile" message. This has happened on two separate tablets - 
both of which are identified as Android as the correct provisioner is 
being displayed on the portal.


The certificate is being requested (I can see it in the mspki 
console), and being transferred from NDES (can see it in tcpdump) but 
it looks as though the profile generation is encountering a 501 error:


192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org 
" "GET /profile.xml HTTP/1.1" 501 202 "-" 
"Dalvik/2.1.0 (Linux; U; Android 5.1.1; Nexus 7 Build/LMY47V)" 897


This used to work, though I haven't had to provision a device in a 
while so I'm not sure when it stopped. I can request a user 
certificate, manually install it on the device with the CA certs and 
connect to the wireless successfully using PF as the RADIUS server. 
Anywhere I can start looking as to why the profile isn't generated 
successfully?


profiles.conf:

[default]
locale=
autoregister=enabled
sources=Haveacry_AD
provisioners=android-haveacry,ios


provisioning.conf

[android-haveacry]
description=Haveacry Wireless
security_type=WPA
can_sign_profile=0
category=default
ssid=haveacry
pki_provider=Haveacry_SCEP
type=android
oses=
broadcast=1
eap_type=13


pki_providers.conf

[Haveacry_SCEP]
state=XX
cn_attribute=pid
url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
organization=Have a Cry
organizational_unit=Infrastructure
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
locality=
country=XX
type=scep
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem

packetfence.log

Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate 
profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Authenticating user using sources : Haveacry_AD 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
[Haveacry_AD] Authentication successful for dean 
(pf::Authentication::Source::LDAPSource::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Authentication successful for 'dean' in source Haveacry_AD (AD) 
(pf::authentication::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User 
dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found 
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found 
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Successfully authenticated dean 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found 
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found 
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found 
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User 
dean has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] 
Calling match with empty/invalid rule class. Defaulting to 
'authentication' (pf::authentication::match)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using 
sources Haveacry_AD for matching (pf::authentication::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] 
Matched rule (WiFi_Default) in source 

[PacketFence-users] Android Provisioner profile error

[Dean Holland]

Hello,

I have a PF 6.4 install on Debian Jessie and am having issues provisioning
Android devices. When I get to the stage of installing the wireless
profile, opening the PF agent results in an "Error fetching profile"
message. This has happened on two separate tablets - both of which are
identified as Android as the correct provisioner is being displayed on the
portal.

The certificate is being requested (I can see it in the mspki console), and
being transferred from NDES (can see it in tcpdump) but it looks as though
the profile generation is encountering a 501 error:

192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org" "GET
/profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android 5.1.1;
Nexus 7 Build/LMY47V)" 897

This used to work, though I haven't had to provision a device in a while so
I'm not sure when it stopped. I can request a user certificate, manually
install it on the device with the CA certs and connect to the wireless
successfully using PF as the RADIUS server. Anywhere I can start looking as
to why the profile isn't generated successfully?

profiles.conf:

[default]
locale=
autoregister=enabled
sources=Haveacry_AD
provisioners=android-haveacry,ios


provisioning.conf

[android-haveacry]
description=Haveacry Wireless
security_type=WPA
can_sign_profile=0
category=default
ssid=haveacry
pki_provider=Haveacry_SCEP
type=android
oses=
broadcast=1
eap_type=13


pki_providers.conf

[Haveacry_SCEP]
state=XX
cn_attribute=pid
url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
organization=Have a Cry
organizational_unit=Infrastructure
server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
locality=
country=XX
type=scep
ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem

packetfence.log

Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
Authenticating user using sources : Haveacry_AD
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
[Haveacry_AD] Authentication successful for dean
(pf::Authentication::Source::LDAPSource::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
Authentication successful for 'dean' in source Haveacry_AD (AD)
(pf::authentication::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
Successfully authenticated dean
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:09 httpd.portal(7756) WARN: [mac:30:85:a9:4b:5b:e7] Calling
match with empty/invalid rule class. Defaulting to 'authentication'
(pf::authentication::match)
Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Using
sources Haveacry_AD for matching (pf::authentication::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Matched
rule (WiFi_Default) in source Haveacry_AD, returning actions.
(pf::Authentication::Source::match)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
source Haveacry_AD in session. (Class::MOP::Class:::around)
Jan 04 16:08:10 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
has authenticated on the portal. (Class::MOP::Class:::after)
Jan 04 16:08:10 httpd.portal(7756) WARN: