Le 20-07-28 à 05 h 33, Juraj Tobias a écrit :
thx, Fabrice, pls see replies in the text
------------------------------------------------------------------------
*From:* Durand fabrice via PacketFence-users
<packetfence-users@lists.sourceforge.net>
*Sent:* Tuesday, July 28, 2020 04:41
*To:* packetfence-users@lists.sourceforge.net
<packetfence-users@lists.sourceforge.net>
*Cc:* Durand fabrice <fdur...@inverse.ca>
*Subject:* Re: [PacketFence-users] EAP-TLS with integrated PKI -
"Unable to retrieve your profile file"
Hello Tobias,
Le 20-07-26 à 10 h 06, Juraj Tobias via PacketFence-users a écrit :
trying to get EAP-TLS with the new integrated PKI working, but run
into problems with actual provisioning on the client computer - on
registration wifi all works fine, user (after successful auth)
gets the password and link for the windows agent, however, upon
clicking the "Configure" button, an error message appears: "Unable
to retrieve your profile file, please contact your local support".
I will need to see the logs.
I'd check myself, however, there are many, didn't see anything useful
in those I checked, so if I could get the name of the log files to
check, I'll gladly provide.
I have a hunch this has something to do with adding the PKI-generated
radius SSL cert to the RADIUS' configuration (not sure if/why this
doesn't happen automatically?), as suggested in the installation
manual, however, the steps described there are very unclear (actually,
there's just a mention not to forget to add it to the config, but the
steps how to do that are missing altogether) - I tried to do it via
'System configuration -> RADIUS -> SSL certificates', however, the
"New SSL certificate" form requires me to provide an Intermediate CA,
which simply doesn't exist in the integrated PKI's generated CA.
https://mgmt:1443/admin/alt#/configuration/certificate/radius
<https://192.168.0.39:1443/admin/alt#/configuration/certificate/radius>
does anyone please know, if:
1. adding the CA's cert is actually needed?
Yes, it's not yet automatic but you need to copy the ca cert in
Configuration -> SSL -> Radius.
this one is a bit confusing. there are 2 nodes you might be referring
to: 1: System Configuration > SSL Certificates > RADIUS, OR 2: System
Configuration > RADIUS > SSL Certificates. which one do you have in mind?
System Configuration > RADIUS > SSL Certificates is the place where you
will define other certificates, for example if you want to have another
one for a specific realm.
https://mgmt:1443/admin/alt#/configuration/certificate/radius is the
default radius certificate. If you check
https://mgmt:1443/admin/alt#/configuration/radius/tls/tls-common you can
see "Certificate Profile" which is defined to radius (which is the default
certificate).
2. what does the error message mean?
wrong profile maybe or dns issue.
3. where on the server should I be looking for the generated XMLs?
from the laptop itself you can go to https://lost.com//profile.xml
<https://lost.com//profile.xml>
not sure the url didn't get scrambled - are there supposed to be 2x
slash, or it's just *https://<my-packetfence-host>/profile.xml* ?
1 slash.
or can anyone point me somewhere where I could find some more info?
thanks a lot!
j.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)