Hi Brad,
On 28/2/24 07:23, Brad White via PacketFence-users wrote:
As we’ve scaled out the deployment of our EAP-TLS network that uses
PacketFence, I noticed an issue affecting a small percentage of Apple
devices (macOS / iPadOS / iOS) relating to SCEP.
- We have Jamf Pro acting as a SCEP Proxy for configuration profiles
- We’re using PacketFence for PKI and as a SCEP Server
- We’re using Microsoft Entra as an Application Proxy to expose PF’s
SCEP URL to the internet. This app proxy URL is listed as the base URL
for the SCEP server in Jamf
- The Jamf Pro configuration profiles we’re using for macOS and
iPadOS/iOS are very similar and contain:
- PacketFence Root Certificate
- SCEP Payload specifying the CN subject to use for SCEP-issued machine
certificates, retry delay, etc.
- WiFi payload specifying SSID, auto-join, what username to use, etc.
The issue we are seeing with a fairly small number of devices (it's
currently affecting less than 2% of macOS and a little over 4% of
iPadOS/iOS) is two Jamf Pro errors correlating with the configuration
profile failing to push:
- Unable to obtain certificate from SCEP server at “our_Jamf_URL”.
<MDM-SCEP:14006>
- The SCEP server returned an invalid response.
What is strange is that for these devices where the Jamf config profile
is failing, I can find active SCEP certificates in PacketFence
(Configuration > Integration > Certificates). They all show up in there
and SCEP shows a green circle.
I can manually revoke the SCEP machine certificate for a device that
failed in PacketFence, then re-push the Jamf config profile, and /then/
it will install fine.
So why are Jamf configuration profiles failing only on a small minority
of devices (with SCEP errors)? Probably related - why is PacketFence
provisioning a SCEP certificate for them that Jamf is failing to install?
I'm wondering if there is a setting we need to adjust somewhere since
the vast majority of devices are working fine.
I had issues with Jamf Pro giving that error with SCEPman. After talking
to support, they only allow a limited number of RDN types, specifically
C, L, ST, O, OU and CN, and will error if the subject contains other
types, even though it was issued successfully. They linked to
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf
see page 80.
Although the fact that it can be re-issued and works fine indicates it's
probably not that. All I can suggest is you open a case with Jamf
support and see what they can pull from the logs. Actually, one other
possibility is that one of the RDNs uses a variable that is empty during
the first attempt and filled in during the second. What is your
certificate subject?
Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
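The reply above raises two things to check on the certificates PacketFence actually issued: whether the subject contains an RDN type outside the six Apple's profile reference allows (C, L, ST, O, OU, CN), and whether any RDN value came out empty because a template variable had not been filled in. The script below is an added example, not code from the thread, from PacketFence or from Jamf. It parses subjects in RFC 4514 string form (what `openssl x509 -noout -subject -nameopt RFC2253` prints) and reports both conditions; the allowed set is the one James quotes, the OID/long-name aliases are standard X.520 spellings, and the sample subjects are constructed for illustration.

```python
from __future__ import annotations
import re

# RDN types Jamf/Apple accept in a SCEP payload subject, per the reply above.
ALLOWED_RDN_TYPES = frozenset({"C", "L", "ST", "O", "OU", "CN"})

# Other spellings of the same six attributes that openssl or a CA template may emit.
TYPE_ALIASES = {
    "COMMONNAME": "CN", "2.5.4.3": "CN",
    "COUNTRYNAME": "C", "2.5.4.6": "C",
    "LOCALITYNAME": "L", "2.5.4.7": "L",
    "STATEORPROVINCENAME": "ST", "2.5.4.8": "ST",
    "ORGANIZATIONNAME": "O", "2.5.4.10": "O",
    "ORGANIZATIONALUNITNAME": "OU", "2.5.4.11": "OU",
}

_SPECIALS = '\\,+"<>;=# '  # characters RFC 4514 lets you backslash-escape


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Parse an RFC 4514 DN string into a list of RDNs, each a list of (type, value).

    Handles backslash escapes (\\, and \\XX hex bytes), double-quoted values as
    printed by older openssl builds, and multi-valued RDNs joined with '+'.
    Values are collected as UTF-8 bytes so multi-byte \\XX sequences decode cleanly.
    """
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    raw = bytearray()
    attr_type: str | None = None
    in_quotes = False
    i, n = 0, len(dn)

    def finish_attr() -> None:
        nonlocal attr_type, raw
        if attr_type is None:
            if raw.strip():
                raise ValueError(f"value without attribute type: {raw.decode()!r}")
        else:
            t = attr_type.strip().upper()
            rdn.append((TYPE_ALIASES.get(t, t), raw.decode("utf-8").strip()))
        attr_type, raw = None, bytearray()

    while i < n:
        ch = dn[i]
        if ch == "\\":
            if i + 1 < n and dn[i + 1] in _SPECIALS:
                raw += dn[i + 1].encode()
                i += 2
                continue
            hexpair = dn[i + 1:i + 3]
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", hexpair):
                raise ValueError(f"bad escape sequence at offset {i}")
            raw.append(int(hexpair, 16))
            i += 3
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and ch == "=" and attr_type is None:
            attr_type = raw.decode("utf-8")
            raw = bytearray()
        elif not in_quotes and ch in ",;":
            finish_attr()
            rdns.append(rdn)
            rdn = []
        elif not in_quotes and ch == "+":
            finish_attr()
        else:
            raw += ch.encode("utf-8")
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    finish_attr()
    if rdn:
        rdns.append(rdn)
    return rdns


def check_subject(dn: str) -> list[str]:
    """Return the reasons a subject would be rejected; an empty list means it passes."""
    problems: list[str] = []
    rdns = parse_dn(dn)
    if not rdns:
        problems.append("subject is empty")
    for rdn in rdns:
        for attr_type, value in rdn:
            if attr_type not in ALLOWED_RDN_TYPES:
                problems.append(f"disallowed RDN type {attr_type}={value!r}")
            if value == "":
                # The second hypothesis in the reply: a template variable that expanded to nothing.
                problems.append(f"empty value for {attr_type} (unexpanded template variable?)")
    return problems


def check_openssl_subject_line(line: str) -> list[str]:
    """Accept the raw line printed by `openssl x509 -noout -subject -nameopt RFC2253`."""
    prefix, _, dn = line.partition("=")
    if prefix.strip() != "subject":
        raise ValueError("expected a line starting with 'subject='")
    return check_subject(dn.strip())


if __name__ == "__main__":
    # Constructed sample subjects (not taken from the thread); the last one mimics
    # a CN template whose variable was empty on the first MDM push.
    samples = [
        "CN=macbook-1234.example.internal,OU=Devices,O=Example School,C=AU",
        "CN=ipad-77,OU=Devices,O=Example School,emailAddress=it@example.org,C=AU",
        "CN=,OU=Devices,O=Example School,C=AU",
    ]
    for s in samples:
        print(s, "->", check_subject(s) or "OK")
```

To run it against real certificates, pipe each issued certificate through `openssl x509 -in cert.pem -noout -subject -nameopt RFC2253` and hand the resulting line to `check_openssl_subject_line`; a device whose first certificate fails the check while its re-issued one passes is a strong hint that the subject template, not the SCEP transport, is what Jamf is objecting to.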