Hi Fabrice,
So I get a command not found, but radsniff was there. And I get the packets,
they show up:
2022-02-21 15:54:30.435928 (17) Access-Request Id 18 enp6s18:<ClientIP>:58613
-> <nacIP>:1812 +0.416
User-Name = "test2"
NAS-IP-Address = 10.100.90.106
Service-Type = Framed-User
Framed-MTU = 1400
State = 0xc7a76f0fc0c47689325319c17a81ab41
Called-Station-Id = "1E-E8-29-62-A4-DC:TEST_NAC"
Calling-Station-Id = "30-24-32-93-1A-8E"
NAS-Identifier = "1ee82962a4dc"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "60D23A6D993769B8"
Acct-Multi-Session-Id = "C7D2CF37B0AFCE34"
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message =
0x026300cb190017030300c00000000000000003f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027077
WLAN-Group-Mgmt-Cipher = 1027078
Authenticator-Field = 0x9faacd593cad6cdc503fce73431de630
I saw some people said that doing EAP over VPNs is a problem because of the
Framed-MTU, and suggested changing that, but I can't seem to find a way to
lower it.
Since the APs in the same site work, and it's only remote APs that access the
RADIUS server via VPN.
Regards
Adrian
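As an added example (not code from this thread or from PacketFence), a small Python decoder for the radsniff attribute dump above: it parses the attributes, decodes the EAP and TLS record headers inside the EAP-Message, and estimates whether an Access-Challenge carrying a server-side EAP fragment would exceed a tunnel path MTU. The 1024-byte default fragment size, the 18-byte State/Message-Authenticator sizes and the 1400-byte path MTU are assumptions.

```python
import re
# Dump reconstructed from the radsniff capture above (added example); EAP-Message hex is the one shown there.
RADSNIFF_DUMP = """\
User-Name = "test2"
Framed-MTU = 1400
State = 0xc7a76f0fc0c47689325319c17a81ab41
EAP-Message = 0x026300cb190017030300c00000000000000003f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
"""
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}

def parse_attrs(dump: str) -> dict:
    """'Name = value' lines -> dict; 0x values become bytes, digit values ints."""
    attrs = {}
    for line in dump.splitlines():
        m = re.match(r"\s*([\w-]+)\s*=\s*(.+?)\s*$", line)
        if not m:
            continue
        name, value = m.groups()
        if value.startswith("0x"):
            attrs[name] = bytes.fromhex(value[2:])
        else:
            attrs[name] = int(value) if value.isdigit() else value.strip('"')
    return attrs

def decode_eap(msg: bytes) -> dict:
    """EAP header (RFC 3748); for TLS-based methods also the flags byte
    (RFC 5216) and the TLS record header that follows it."""
    code, length = msg[0], int.from_bytes(msg[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": msg[1],
           "declared_len": length, "truncated": len(msg) < length}
    if code in (1, 2) and len(msg) > 5 and msg[4] in EAP_TYPES:
        flags = msg[5]
        out["type"] = EAP_TYPES[msg[4]]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        off = 10 if flags & 0x80 else 6  # L set: 4-byte TLS Message Length precedes the record
        if len(msg) >= off + 5:          # TLS record header: type(1) version(2) length(2)
            out["tls_record_type"] = msg[off]
            out["tls_record_len"] = int.from_bytes(msg[off + 3:off + 5], "big")
    return out

def mtu_check(attrs: dict, path_mtu: int, fragment_size: int = 1024) -> dict:
    """Assumes the server caps EAP fragments at min(fragment_size, Framed-MTU)
    (1024 is FreeRADIUS's default fragment_size) and that an Access-Challenge is
    IPv4+UDP+RADIUS header (48) + EAP-Message attrs (2-byte header per 253-byte
    chunk) + State and Message-Authenticator (18 bytes each, assumed)."""
    frag = min(fragment_size, attrs.get("Framed-MTU", fragment_size))
    wire = 48 + frag + 2 * (-(-frag // 253)) + 36
    return {"fragment": frag, "wire_bytes": wire, "exceeds_path_mtu": wire > path_mtu}
```

Run `mtu_check(parse_attrs(RADSNIFF_DUMP), path_mtu=1400)` against the tunnel MTU you measured; a datagram larger than the path MTU is what gets fragmented or silently dropped across the VPN.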
From: Fabrice Durand <[email protected]>
Sent: Monday, 21 February 2022 15:50
To: Adrian Damaschek <[email protected]>
Cc: packetfence-users <[email protected]>
Subject: Re: [PacketFence-users] SCEP over Intune does not work
Hello Adrian,
glad to know that it works for you.
Btw I have no clue why the TPM module cannot be used.
I know that we got an issue with certificates provided by Intune where
FreeRADIUS complained that it wasn't able to decrypt too.
There are also issues with Android and Intune if the certificate contains a
postal code.
You probably need to ask Microsoft why this happens.
Also for your AP connection issue, can you first try to run raddebug?
raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000
and paste the output.
For the MTU I have seen something like that in the past, I have to find it.
Regards
Fabrice
On Mon, 21 Feb 2022 at 08:38, Adrian Damaschek
<[email protected]> wrote:
Hello Fabrice,
So this works now, I can get the cert.
But it seems that I have some APs now that don't want to connect. What the
APs that don't want to use the RADIUS server have in common is that they are all
over SiteToSite VPNs.
Is this an Intune specific issue as well or possibly related to some MTU
problems that I read might cause problems?
Regards
Adrian
From: Fabrice Durand <[email protected]>
Sent: Friday, 18 February 2022 14:21
To: Adrian Damaschek <[email protected]>
Cc: packetfence-users <[email protected]>
Subject: Re: [PacketFence-users] SCEP over Intune does not work
Hello Adrian,
the error is "err="crypto/rsa: decryption error""
We got multiple issues with Intune because of the Key Storage Provider, can you
verify that it's configured like that?
Regards
Fabrice
On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek
<[email protected]> wrote:
Hello Fabrice,
I have it set to http for now and just use the IP address to remove any chance
of a bad hostname or something. I just want it to work, then I'll work out how
to make it secure and working over the internet, so for now it's inside my
network and testing.
As for the logs, this is what I get:
Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58 +0100]
"GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-"
"HAPROXY-load-balancing-check"
Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08 +0100]
"GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-"
"HAPROXY-load-balancing-check"
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
msg="Got GET request from
http://127.0.0.1:51464/"
pid=870
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
msg="SCEP GET To:
/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
pid=870
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:9999/api/v1/dhcp/stats"
pid=907
Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
[16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
"Go-http-client/1.1"
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
msg="Compile error '$.items[*].network, $.items[*].percentused' parse error
from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:11 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22
component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps
error=null took=412.322µs
Feb 16 17:18:11 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http
method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
(compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:11 testnac haproxy[983]: <client IP>:50394
[16/Feb/2022:17:18:10.930] portal-http-<pf IP>
pki/http://127.0.0.1/
0/0/1/676/677 200 181 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET
/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default
HTTP/1.1"
Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
msg="Got GET request from
http://127.0.0.1:51470/"
pid=870
Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
msg="SCEP GET To:
/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
pid=870
Feb 16 17:18:12 testnac pfstats[907]: t=2022-02-16T17:18:12+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:9999/api/v1/queues/stats"
pid=907
Feb 16 17:18:12 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
[16/Feb/2022:17:18:12 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-"
"Go-http-client/1.1"
Feb 16 17:18:12 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34
component=scep_service method=GetCACert message=default err=null took=962ns
Feb 16 17:18:12 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:12.325087335Z caller=endpoint.go:186 op=GetCACert
error=null took=88.807µs
Feb 16 17:18:12 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:12.325122193Z caller=logutil.go:70 component=http
method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
(compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
Feb 16 17:18:12 testnac haproxy[983]: <client IP>:50394
[16/Feb/2022:17:18:11.643] portal-http-<pf IP>
pki/http://127.0.0.1/
0/0/0/682/682 200 1147 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET
/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default
HTTP/1.1"
Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18 +0100]
"GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-"
"HAPROXY-load-balancing-check"
Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
msg="Got POST request from
http://127.0.0.1:51504/"
pid=870
Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
msg="SCEP POST To:
/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation" pid=870
Feb 16 17:18:19 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47
component=scep_service method=PKIOperation err="crypto/rsa: decryption error"
took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation
error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info
ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http
method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0
(compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
Feb 16 17:18:19 testnac haproxy[983]: <client IP>:50394
[16/Feb/2022:17:18:19.052] portal-http-<pf IP>
pki/http://127.0.0.1/
0/0/0/658/658 500 213 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "POST
/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:9999/api/v1/dhcp/stats"
pid=907
Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
[16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
"Go-http-client/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
msg="Compile error '$.items[*].network.free, $.items[*].free' parse error from
GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info
msg="Calling Unified API on uri:
https://127.0.0.1:9999/api/v1/queues/stats"
pid=907
Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
[16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-"
"Go-http-client/1.1"
I don't see anything really interesting happening in the log that would tell
me anything other than what I would expect.
The CA is added as trusted root (I am using the built-in PKI) and the profile
is enabled for SCEP and has the Intune app on.
I checked in AzureAD that the app can log in, so it has access, as I don't see
any login failures in the logs.
I might try to set up PacketFence and follow along what the requests are that
are sent to the server, but I would have expected something on the PF side,
since it's a 500 error.
/Adrian
From: Fabrice Durand <[email protected]>
Sent: Wednesday, 16 February 2022 16:58
To: packetfence-users <[email protected]>
Cc: Adrian Damaschek <[email protected]>
Subject: Re: [PacketFence-users] SCEP over Intune does not work
Hello Adrian,
welcome to the Intune world ...
Do you see anything in the PacketFence log when the 500 happens? (journalctl command)
Did you define the SCEP URL as http? If that's the case you can take a network
capture to see what happens exactly.
We also made changes in the upcoming PacketFence version for the PKI and SCEP,
so you can test the devel version to see if it fixes your issue.
Regards
Fabrice
On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users
<[email protected]> wrote:
Hello Everyone,
So I have been using PF for some time to run the NAC on my switches, but now I
am trying to set up the PKI with SCEP that would provide Intune certs so users
can use them for RADIUS WiFi.
Sadly I got stuck and I don't know what I am doing wrong.
I have a CA on PFPKI and a SCEP profile, I can run a request via SSCEP, that one
runs and pops out a cert.
I have the Intune integration set up with an app registered, the app has the
permissions as per the documentation.
I added the CA as a RootCA via Intune, this works correctly, and now is the part
that I can't work out.
I can't make a SCEP request work.
The only error I get in Windows is SCEP: Certificate enroll failed. Result:
(Internal server error (500).). Event ID is 32.
Would appreciate any help with this.
Regards
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users