Re: [PacketFence-users] SSL cert problem with mobile devices

2017-01-05 Thread Durand fabrice
Hi Jake, happy new year too.

As I remember, Comodo changed their root CA, so if you can, fetch a device 
with the issue to be sure that the Comodo root CA is up to date.

Regards

Fabrice



On 2017-01-05 at 16:05, Sallee, Jake wrote:
> Fabrice!  I hope all is well for you, happy new year!
>
>> Do these devices have the CA public certificate?
> Yes, and it is signed by comodo.
>
> IIRC comodo offers a chain cert to us, I wonder if I could just use that one.
>
> The cert is our domain wildcard so even though haproxy is terminating the SSL 
> connection it should still work ... should being the operative term.
>
>
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> 
> From: Durand fabrice 
> Sent: Wednesday, January 4, 2017 8:47 PM
> To: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] SSL cert problem with mobile devices
>
> Hello Jake,
>
> Do these devices have the CA public certificate?
>
> Also, in a cluster config keep in mind that haproxy terminates the SSL
> tunnel, so do:
>
> cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key
>   > /usr/local/pf/conf/ssl/server.pem (with your own files)
>
> and restart haproxy
>
> Regards
>
> Fabrice
>
>
>
On 2017-01-04 at 18:06, Sallee, Jake wrote:
>> Hello All!
>>
>> <quick info>
>> PF v6.4.0
>> 2 node cluster
>> <\quick info>
>>
>> This is happening only on mobile devices, phones, tablets, etc.
>>
>> Mobile device users are getting a security warning about our SSL cert we are 
>> using on our registration portal.
>>
>> Desktop users and laptop users do not have this issue.
>>
>> Mobile users did not have this issue until we moved to using a cluster and 
>> we are using the exact same certs as before.  In the cluster setup 
>> instructions there are some steps that have you alter the certs, combining 
>> them into a new cert.  I think this is what is causing the mobile devices to 
>> flip their proverbial lid.
>>
>> However, I haven't the foggiest idea on how to fix this issue.
>>
>> Any help would be greatly appreciated.
>>
>> Jake Sallee
>> Godfather of Bandwidth
>> System Engineer
>> University of Mary Hardin-Baylor
>> WWW.UMHB.EDU
>>
>> 900 College St.
>> Belton, Texas
>> 76513
>>
>> Fone: 254-295-4658
>> Phax: 254-295-4221
>>
>> --
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>> ___
>> PacketFence-users mailing list
>> PacketFence-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users


Re: [PacketFence-users] SSL cert problem with mobile devices

2017-01-05 Thread Sallee, Jake
Fabrice!  I hope all is well for you, happy new year!

> Do these devices have the CA public certificate?
Yes, and it is signed by comodo.  

IIRC comodo offers a chain cert to us, I wonder if I could just use that one.  

The cert is our domain wildcard so even though haproxy is terminating the SSL 
connection it should still work ... should being the operative term.



Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

900 College St.
Belton, Texas
76513

Fone: 254-295-4658
Phax: 254-295-4221


From: Durand fabrice 
Sent: Wednesday, January 4, 2017 8:47 PM
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] SSL cert problem with mobile devices

Hello Jake,

Do these devices have the CA public certificate?

Also, in a cluster config keep in mind that haproxy terminates the SSL
tunnel, so do:

cat /usr/local/pf/conf/ssl/server.crt /usr/local/pf/conf/ssl/server.key
 > /usr/local/pf/conf/ssl/server.pem (with your own files)

and restart haproxy

Regards

Fabrice



On 2017-01-04 at 18:06, Sallee, Jake wrote:
> Hello All!
>
> <quick info>
> PF v6.4.0
> 2 node cluster
> <\quick info>
>
> This is happening only on mobile devices, phones, tablets, etc.
>
> Mobile device users are getting a security warning about our SSL cert we are 
> using on our registration portal.
>
> Desktop users and laptop users do not have this issue.
>
> Mobile users did not have this issue until we moved to using a cluster and we 
> are using the exact same certs as before.  In the cluster setup instructions 
> there are some steps that have you alter the certs, combining them into a new 
> cert.  I think this is what is causing the mobile devices to flip their 
> proverbial lid.
>
> However, I haven't the foggiest idea on how to fix this issue.
>
> Any help would be greatly appreciated.
>
> Jake Sallee
> Godfather of Bandwidth
> System Engineer
> University of Mary Hardin-Baylor
> WWW.UMHB.EDU
>
> 900 College St.
> Belton, Texas
> 76513
>
> Fone: 254-295-4658
> Phax: 254-295-4221
>
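Fabrice's command above concatenates the leaf certificate and its key into the one PEM file that haproxy loads. As an added example, which is neither PacketFence's code nor anything posted in this thread, the script below builds that file with the CA's intermediate certificate (the "chain cert" Jake refers to) placed between the leaf and the key, and then checks two things before haproxy is restarted: that the key in the file matches the first certificate, and that the first certificate chains to the root using only the other certificates in the file, which is all a client that does not fetch missing intermediates on its own (common on mobile platforms) will ever see. Everything in it is an assumption: a throw-away root, intermediate and wildcard leaf are generated as a constructed stand-in for the Comodo-issued certificate, and the file and function names are invented.

```shell
#!/bin/sh
# Added example; not from the PacketFence project or from anyone in this
# thread. Builds the single PEM file that haproxy reads when it terminates
# TLS for a PacketFence cluster, with the CA's intermediate ("chain")
# certificate between the leaf and the key, and checks the result before
# haproxy is restarted. Clients that do not fetch a missing intermediate
# themselves only see what is in this file. A throw-away
# root -> intermediate -> wildcard leaf is generated as a constructed
# stand-in for the Comodo-issued certificate; all paths/names are assumptions.
set -eu

# make_demo_pki DIR: constructed three-level PKI standing in for a public CA.
make_demo_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.edu,DNS:example.edu\n' >"$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Root CA' \
    -keyout "$d/root.key" -out "$d/root.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/ca.ext" -out "$d/inter.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=*.example.edu' \
    -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$d/leaf.ext" -out "$d/server.crt" >/dev/null 2>&1
}

# build_bundle LEAF CHAIN KEY OUT: haproxy reads one PEM file; order is
# leaf, then intermediate(s), then the private key. 0600: it holds the key.
build_bundle() {
  ( umask 077; cat "$1" "$2" "$3" >"$4" )
}

# count_certs FILE: number of certificates in a PEM file (2 = leaf + intermediate).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# bundle_ok BUNDLE ROOT: returns 0 only if (1) the private key in BUNDLE matches
# the first certificate and (2) that certificate chains to ROOT using only the
# other certificates in BUNDLE, i.e. without any AIA fetching by the client.
bundle_ok() {
  bundle=$1 root=$2
  tmp=$(mktemp -d)
  leaf_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null || true)  # first cert only
  awk '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/' "$bundle" >"$tmp/key.pem"
  key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null || true)
  awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' "$bundle" >"$tmp/certs.pem"
  rc=0
  [ -n "$leaf_pub" ] && [ "$leaf_pub" = "$key_pub" ] || rc=1
  if [ "$rc" -eq 0 ]; then
    # -untrusted supplies the intermediates; -CAfile is the only trust anchor
    openssl verify -CAfile "$root" -untrusted "$tmp/certs.pem" "$tmp/certs.pem" >/dev/null 2>&1 || rc=1
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Run "sh bundle_check.sh demo" for an end-to-end run on the constructed PKI.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  make_demo_pki "$d"
  build_bundle "$d/server.crt" "$d/inter.crt" "$d/server.key" "$d/server.pem"
  if bundle_ok "$d/server.pem" "$d/root.crt"; then
    echo "server.pem OK: $(count_certs "$d/server.pem") certs + matching key"
  else
    echo "server.pem BROKEN: key mismatch or incomplete chain"
  fi
fi
```

On a real node, substitute your own server.crt, the intermediate file the CA supplied and server.key, write the bundle to /usr/local/pf/conf/ssl/server.pem as the cluster guide says, and run the check against the CA's root before restarting haproxy. A file built only from server.crt and server.key, the shape of the original cat command, passes the key check but fails the chain check.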


Re: [PacketFence-users] Android Provisioner profile error

2017-01-05 Thread Dean Holland
No errors in httpd.portal.error - in fact nothing logged at all!

If I browse to www.packetfence.org/profile.xml (which resolves to the
portal) I get what looks like an iOS profile - it starts with


<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">





On Thu, Jan 5, 2017 at 10:40 AM Durand fabrice wrote:

> Hello Dean,
>
> Can you check all the log files to see if you find the error (probably in
> httpd.portal.error)?
>
> And can you try from a web browser to go directly to
> www.packetfence.org/profile.xml and check whether you get the error?
>
> Regards
>
> Fabrice
>
>
> On 2017-01-04 at 03:14, Dean Holland wrote:
>
> Hello,
>
> I have a PF 6.4 install on Debian Jessie and am having issues provisioning
> Android devices. When I get to the stage of installing the wireless
> profile, opening the PF agent results in an "Error fetching profile"
> message. This has happened on two separate tablets - both of which are
> identified as Android as the correct provisioner is being displayed on the
> portal.
>
> The certificate is being requested (I can see it in the mspki console),
> and being transferred from NDES (can see it in tcpdump) but it looks as
> though the profile generation is encountering a 501 error:
>
> 192.168.99.11 - - [04/Jan/2017:15:32:22 +0800]  "www.packetfence.org"
> "GET /profile.xml HTTP/1.1" 501 202 "-" "Dalvik/2.1.0 (Linux; U; Android
> 5.1.1; Nexus 7 Build/LMY47V)" 897
>
> This used to work, though I haven't had to provision a device in a while
> so I'm not sure when it stopped. I can request a user certificate, manually
> install it on the device with the CA certs and connect to the wireless
> successfully using PF as the RADIUS server. Anywhere I can start looking as
> to why the profile isn't generated successfully?
>
> profiles.conf:
>
> [default]
> locale=
> autoregister=enabled
> sources=Haveacry_AD
> provisioners=android-haveacry,ios
>
>
> provisioning.conf
>
> [android-haveacry]
> description=Haveacry Wireless
> security_type=WPA
> can_sign_profile=0
> category=default
> ssid=haveacry
> pki_provider=Haveacry_SCEP
> type=android
> oses=
> broadcast=1
> eap_type=13
>
>
> pki_providers.conf
>
> [Haveacry_SCEP]
> state=XX
> cn_attribute=pid
> url=http://ndes01.xxx.xxx.xxx/CertSrv/mscep/
> organization=Have a Cry
> organizational_unit=Infrastructure
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/server.pem
> locality=
> country=XX
> type=scep
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MyCA.pem
>
> packetfence.log
>
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:07:58 httpd.portal(7755) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:unknown] Instantiate profile
> default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Instantiate profile default (pf::Portal::ProfileFactory::_from_profile)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authenticating user using sources : Haveacry_AD
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> [Haveacry_AD] Authentication successful for dean
> (pf::Authentication::Source::LDAPSource::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Authentication successful for 'dean' in source Haveacry_AD (AD)
> (pf::authentication::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has authenticated on the portal. (Class::MOP::Class:::after)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7]
> Successfully authenticated dean
> (captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] Found
> source Haveacry_AD in session. (Class::MOP::Class:::around)
> Jan 04 16:08:09 httpd.portal(7756) INFO: [mac:30:85:a9:4b:5b:e7] User dean
> has 

Re: [PacketFence-users] upgrade 6.2.1-6.4 - radius no longer starting

2017-01-05 Thread Morris, Andi
Thanks Julien,
I tried that yesterday and it did resolve the issue. Thanks for confirming.

Cheers,
Andi

From: Julien Semaan [mailto:jsem...@inverse.ca]
Sent: 04 January 2017 19:17
To: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] upgrade 6.2.1-6.4 - radius no longer starting

Hi Andi,

These realms are coming from conf/realm.conf.defaults and they are now built-in 
realms.

Any options you had for the realms in that file need to be ported into the 
PacketFence configuration (editing it from the admin takes care of handling 
what comes from the defaults and what is specific to your setup).

In your case, just add the following to the default realm options:
auth_pool = eduroam
nostrip

Cheers

- Julien
On 2017-01-03 11:26 AM, Morris, Andi wrote:
Hi all,
Upgrading my 6.2.1 to 6.4 running CentOS 7.3.1611 release today has resulted in 
my radiusd and radiusd-acct services not starting.

Firstly I was getting the following error:
service|command
httpd.admin|already started
Checking configuration sanity...
WARNING - Cannot open the following certificate 
%%install_dir%%/raddb/certs/pfenceha.crt
radiusd-acct|not started
radiusd|not started

so I found the line in eap.conf and edited it so it showed:
certificate_file = [% install_dir %]/raddb/certs/pfenceha.crt

After reloading the config and restarting the pf services I no longer see the 
error; however, the RADIUS services still will not start.

Running radiusd -X -d /usr/local/pf/raddb I could see the debug bombing out 
because the default realm was being declared twice:

snip-
   mrc = 5
mrd = 30
  }
}
WARNING: Ignoring "response_window = 30.00", forcing to "response_window = 
10.00"
home_server_pool my_auth_failover {
type = fail-over
home_server = localhost
}
realm example.com {
auth_pool = my_auth_failover
}
realm default {
}
realm local {
}
realm null {
}
realm cardiffmet.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
realm uwic.ac.uk {
authhost = LOCAL
accthost = LOCAL
}
home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}
realm DEFAULT {
auth_pool = eduroam
nostrip
} # realm DEFAULT
snip

Further investigation showed that this is being pulled from 
raddb/proxy.conf.inc:

# This file is generated from a template at 
/usr/local/pf/conf/radiusd/proxy.conf.inc
# Any changes made to this file will be lost on restart

# Eduroam integration is not configured

realm default {

}
realm local {

}
realm null {

}

home_server orps03.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.44
port = 1812
secret = *
require_message_authenticator = yes
}

home_server orps04.cardiffmet.ac.uk {
type = auth
ipaddr = 193.62.96.45
port = 1812
secret = **
require_message_authenticator = yes
}



home_server_pool eduroam {
type = client-balance
home_server = orps03.cardiffmet.ac.uk
home_server = orps04.cardiffmet.ac.uk
}

realm cardiffmet.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm uwic.ac.uk {
authhost=LOCAL
accthost=LOCAL
}

realm DEFAULT {
auth_pool = eduroam
nostrip
}

However, as this file is generated on the fly, I don't know where these initial 
realm declarations are coming from! I've tried removing the reference to those 
three domains in the admin GUI under config/radius/realms, but they still 
reappear after reloading the config and restarting the services.

It's probably worth noting that this is an eduroam config, but not using the 
packetfence built in eduroam config (yet).

Cheers,
Andi

