I can't find in the doc where it's defined as 9191?!

On 2018-01-16 at 01:00, E.P. wrote:
>
> Great breakdown, thank you!
>
> What is the correct port number, Fabrice, in “pki_provider.conf” file ?
>
> You showed yours with 9393, but in the guide it is 9191
>
> *From:*Fabrice Durand via PacketFence-users
> [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Monday, January 15, 2018 6:01 AM
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] PKI provisioning configuration for
> Apple OS/iOS
>
>  
>
> Hello Eugene,
>
>  
>
> On 2018-01-13 at 02:59, E.P. via PacketFence-users wrote:
>
>     Folks,
>
>     Our two big shots in the organization live their lives with Apple
>     macbooks and we need to get them on the secure WiFi.
>
>     Can someone explain to me where and how to get the content of
>     certificates that are trusted by Apple devices.
>
> First you need to configure a PKI in PacketFence (what I use in
> pki_provider.conf):
>
> [PacketFencePKI]
> cn_format=%s
> profile=clientCrt
> revoke_on_unregistration=Y
> server_cert_path=/usr/local/pf/conf/ssl/tls_certs/YourCert.pem
> ca_cert_path=/usr/local/pf/conf/ssl/tls_certs/MYCA.pem
> state=Quebec
> password=p@ck3tf3nc3
> organization=Inverse.inc
> country=CA
> proto=https
> port=9393
> host=127.0.0.1
> username=admin
> type=packetfence_pki
> cn_attribute=mac
>
> Next you need to configure the provisioner in order to provide
> certificate and wifi configuration (provisioning.conf):
>
> [AppleTLS]
> broadcast=0
> oses=
> category=
> eap_type=13
> can_sign_profile=0
> security_type=WPA
> description=Apple Provisioning
> type=mobileconfig
> ssid=baguettesecure
> pki_provider=PacketFencePKI
>
> But in your case you need to sign the profile with another certificate,
> so in the Signing tab use a certificate like the certificate you have
> with GoDaddy.
>
>  
> In this form you need to put in certificate for signing profiles your
> public key (-----BEGIN CERTIFICATE-----), next your private key
> (-----BEGIN PRIVATE KEY-----) and in the last field the certificate
> chain of godaddy probably that one:
>
>
> The last part will be to create a connection profile like that
> (profiles.conf):
>
> [Provisioning]
> locale=
> root_module=Provisioning
> filter=ssid:baguettefence
> description=Provisioning
> provisioners=AppleTLS
>
> And have a portal module like this (portal_module.conf):
>
> [Provisioning]
> modules=ProvisioningChain
> type=Root
> description=Root Provisioning
>
> [AppleTLS]
> skipable=disabled
> actions=
> type=Provisioning
> description=Apple Provisioning
>
> [ProvisioningChain]
> modules=NullAuth,AppleTLS
> actions=
> type=Chained
> description=Provisioning Chain
>
> [NullAuth]
> source_id=null
> actions=
> custom_fields=
> description=Null Authentication
> with_aup=0
> signup_template=signin.html
> aup_template=aup_text.html
> type=Authentication::Null
>                        
> So in this workflow, if a Mac connects on the open SSID (baguettefence)
> it will have a null auth and a provisioning portal; once the profile is
> installed it will connect on the secure SSID baguettefence with EAP-TLS.
>
> I hope it will help.
> Regards
> Fabrice
>
>
> The guide on PKI says Verisign certificate could be an example. As far
> as I understand it I need to get the bundle from Verisign.
>
> Or it could be any well-known trusted CA, correct ? We recently bought
> SSL certificates from GoDaddy and downloaded the bundle from them. It
> contains three certificates but none of them seem to match for what it
> is said on PKI page, namely
>
> - The certificate for signing profiles
> - The private key for signing profiles
> - The certificate chain for the signer certificate
>
>  
>
> Eugene
>
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> <mailto:PacketFence-users@lists.sourceforge.net>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
>
> -- 
> Fabrice Durand
> fdur...@inverse.ca <mailto:fdur...@inverse.ca> ::  +1.514.447.4918 (x135) ::  
> www.inverse.ca <http://www.inverse.ca>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
> (http://packetfence.org) 

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
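
Added example, not part of the original thread and not PacketFence's own code: a small check that the section names referenced across the four files quoted above (pki_provider, provisioners, root_module, modules) actually exist in the file they point to. The sample input is constructed from the thread's configs, trimmed to those keys, and the REFS mapping is an assumption inferred from that sample rather than from PacketFence documentation.

```python
import configparser

# Constructed sample: the four files from the thread, trimmed to the keys
# that name a section in another file (or in the same file).
SAMPLE = {
    "pki_provider.conf": "[PacketFencePKI]\ntype=packetfence_pki\ncn_format=%s\n",
    "provisioning.conf": "[AppleTLS]\ntype=mobileconfig\npki_provider=PacketFencePKI\n",
    "profiles.conf": "[Provisioning]\nroot_module=Provisioning\nprovisioners=AppleTLS\n",
    "portal_module.conf": (
        "[Provisioning]\nmodules=ProvisioningChain\ntype=Root\n"
        "[AppleTLS]\ntype=Provisioning\n"
        "[ProvisioningChain]\nmodules=NullAuth,AppleTLS\ntype=Chained\n"
        "[NullAuth]\ntype=Authentication::Null\n"
    ),
}

# Assumed mapping: (file, key) -> file whose section names the value must match.
REFS = {
    ("provisioning.conf", "pki_provider"): "pki_provider.conf",
    ("profiles.conf", "provisioners"): "provisioning.conf",
    ("profiles.conf", "root_module"): "portal_module.conf",
    ("portal_module.conf", "modules"): "portal_module.conf",
}

def parse(text):
    # interpolation=None so values such as cn_format=%s are read literally
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def dangling_refs(files):
    """Return sorted 'file [section] key -> name' strings for unresolved names."""
    parsed = {name: parse(text) for name, text in files.items()}
    problems = []
    for (src, key), dst in REFS.items():
        if src not in parsed:
            continue
        known = set(parsed[dst].sections()) if dst in parsed else set()
        for section in parsed[src].sections():
            raw = parsed[src][section].get(key, "")
            # values may be comma-separated lists, e.g. modules=NullAuth,AppleTLS
            for name in filter(None, (n.strip() for n in raw.split(","))):
                if name not in known:
                    problems.append(f"{src} [{section}] {key} -> {name}")
    return sorted(problems)

if __name__ == "__main__":
    for line in dangling_refs(SAMPLE) or ["all references resolve"]:
        print(line)
```

To run it against a live install, replace SAMPLE with the contents of the real files read from disk; section names are matched case-sensitively.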
