*bump* - is there anything I can do to resolve this issue, please?
________________________________
From: Juraj Tobias via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Wednesday, July 29, 2020 12:05
To: Durand fabrice <fdur...@inverse.ca>; 
packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Cc: Juraj Tobias <j...@leaf.sk>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"

here goes. the lines track the provisioning process of a t...@leaf.sk user, from 
the moment the laptop connects to registration (open) wifi, till the moment the 
error message pops up on the screen:
Jul 29 11:55:58 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:55:58 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found provisioner windows-eap-tls for A:D:D:R:E:S:S 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jul 29 11:55:58 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:55:58 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] Use of uninitialized value $args[0] in sprintf at 
/usr/local/pf/lib/pf/web.pm line 109.
(pf::web::i18n_format)
Jul 29 11:56:00 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:01 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:16 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found authentication source(s) : 'leaf-aadds' for realm 
'leaf.sk' (pf::config::util::filter_authentication_sources)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Authenticating user using sources : leaf-aadds 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] LDAP testing connection (pf::LDAP::expire_if)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] [leaf-aadds] Authentication successful for t...@leaf.sk 
(pf::Authentication::Source::LDAPSource::authenticate)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Authentication successful for t...@leaf.sk in source 
leaf-aadds (AD) (pf::authentication::authenticate)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Successfully authenticated t...@leaf.sk 
(captiveportal::PacketFence::DynamicRouting::Module::Authentication::Login::authenticate)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:17 lfls08 pfqueue: pfqueue(137142) INFO: [mac:unknown] Already did 
a person lookup for t...@leaf.sk (pf::lookup::person::lookup_person)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] Calling match with empty/invalid rule class. Defaulting to 
'authentication' (pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Using sources leaf-aadds for matching 
(pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] [leaf-aadds catchall] Searching for 
(UserPrincipalName=t...@leaf.sk), from OU=Users,DC=ad,DC=leaf,DC=sk, with scope 
sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] LDAP testing connection (pf::LDAP::expire_if)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Matched rule (catchall) in source leaf-aadds, returning 
actions. (pf::Authentication::Source::match_rule)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Matched rule (catchall) in source leaf-aadds, returning 
actions. (pf::Authentication::Source::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] Calling match with empty/invalid rule class. Defaulting to 
'authentication' (pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Using sources leaf-aadds for matching 
(pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] Calling match with empty/invalid rule class. Defaulting to 
'authentication' (pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Using sources leaf-aadds for matching 
(pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] [leaf-aadds catchall] Searching for 
(UserPrincipalName=t...@leaf.sk), from OU=Users,DC=ad,DC=leaf,DC=sk, with scope 
sub (pf::Authentication::Source::LDAPSource::match_in_subclass)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] LDAP testing connection (pf::LDAP::expire_if)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Matched rule (catchall) in source leaf-aadds, returning 
actions. (pf::Authentication::Source::match_rule)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Matched rule (catchall) in source leaf-aadds, returning 
actions. (pf::Authentication::Source::match)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN: 
[mac:A:D:D:R:E:S:S] Calling match with empty/invalid rule class. Defaulting to 
'authentication' (pf::authentication::match)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Using sources leaf-aadds for matching 
(pf::authentication::match)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO: 
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session. 
(Class::MOP::Class:::around)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(135667) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Found provisioner windows-eap-tls for A:D:D:R:E:S:S 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:18 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:19 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User: 't...@leaf.sk' found in the directory 
(pf::Authentication::Source::LDAPSource::search_attributes_in_subclass)
Jul 29 11:56:22 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Instantiate profile default 
(pf::Connection::ProfileFactory::_from_profile)
Jul 29 11:56:22 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Found provisioner windows-eap-tls for A:D:D:R:E:S:S 
(captiveportal::PacketFence::DynamicRouting::Module::Provisioning::execute_child)
Jul 29 11:56:22 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
Jul 29 11:56:22 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] Request to /api/v1/pki/certs is unauthorized, will perform 
a login (pf::api::unifiedapiclient::call)
Jul 29 11:56:23 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO: 
[mac:A:D:D:R:E:S:S] User t...@leaf.sk has authenticated on the portal. 
(Class::MOP::Class:::after)
there's lots of duplicate entries - not sure why, nor necessary.
one of the last lines seems important: Request to /api/v1/pki/certs is 
unauthorized, will perform a login (pf::api::unifiedapiclient::call)

hope we'll figure this out together :)
thx for taking a look
j
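
Added example, not part of the original thread and not PacketFence code: one way to triage a hard-wrapped packetfence.log excerpt like the one above, rejoining the wrapped lines, collapsing the duplicate entries, and flagging WARN lines plus the `unauthorized` API call. The field layout is assumed from the lines in this thread; the function names and the sample are constructed for illustration.

```python
import re

# Constructed sample: four records in the format shown in this thread,
# hard-wrapped the way the mail client wrapped them (MAC as redacted above).
SAMPLE = """\
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO:
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session.
(Class::MOP::Class:::around)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) WARN:
[mac:A:D:D:R:E:S:S] Calling match with empty/invalid rule class. Defaulting to
'authentication' (pf::authentication::match)
Jul 29 11:56:17 lfls08 packetfence_httpd.portal: httpd.portal(134890) INFO:
[mac:A:D:D:R:E:S:S] Found source leaf-aadds in session.
(Class::MOP::Class:::around)
Jul 29 11:56:22 lfls08 packetfence_httpd.portal: httpd.portal(138618) INFO:
[mac:A:D:D:R:E:S:S] Request to /api/v1/pki/certs is unauthorized, will perform
a login (pf::api::unifiedapiclient::call)
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
RECORD = re.compile(
    r"^(?P<ts>\S+ +\d+ [\d:]+) (?P<host>\S+) \S+: \S+\((?P<pid>\d+)\) "
    r"(?P<level>[A-Z]+): \[mac:(?P<mac>[^\]]+)\] "
    r"(?P<msg>.*?)(?: \((?P<caller>[\w:]+)\))?$")

def join_records(text):
    """Rejoin hard-wrapped lines: a record starts at a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if START.match(line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records

def triage(text, keywords=("unauthorized",)):
    """Collapse repeats (same level, message, caller); flag WARN/ERROR or keyword hits."""
    groups = {}
    for rec in join_records(text):
        m = RECORD.match(rec)
        if not m:
            continue
        key = (m["level"], m["msg"], m["caller"])
        g = groups.setdefault(key, {"level": m["level"], "msg": m["msg"],
                                    "caller": m["caller"], "first": m["ts"], "count": 0})
        g["count"] += 1
        g["flag"] = (m["level"] in ("WARN", "ERROR")
                     or any(k in m["msg"].lower() for k in keywords))
    return list(groups.values())

if __name__ == "__main__":
    for g in triage(SAMPLE):
        mark = "!!" if g["flag"] else "  "
        print(f'{mark} x{g["count"]} {g["first"]} {g["level"]:4} {g["msg"]} ({g["caller"]})')
```
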
________________________________
From: Durand fabrice <fdur...@inverse.ca>
Sent: Wednesday, July 29, 2020 04:15
To: Juraj Tobias <j...@leaf.sk>; packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"


can you post the packetfence.log when you try to register/provision the device ?


On 20-07-28 at 10:21, Juraj Tobias wrote:
UPDATE:

based on info from Fabrice, the following is happening:

the profile.xml *does* exist at the path mentioned, HOWEVER, it only downloads 
if I manually visit the URL via browser. If I use the provisioning agent and 
click "Configure", it only downloads an empty file "profile.xml" of size 0b and 
gives the "Unable to retrieve your profile file, please contact your local 
support" error message.

to me, this looks like a config error within the provisioning agent, but I 
don't know how to troubleshoot this, or where to look for its config?

jt
________________________________
From: Juraj Tobias via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 28, 2020 14:05
To: Fabrice Durand <fdur...@inverse.ca>; 
packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Cc: Juraj Tobias <j...@leaf.sk>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"

thx for the clarification, will check.
didn't see any info about the logs question - would be very helpful, if you sent 
me the log file names that are supposed to hold the relevant info? thx!
j
________________________________
From: Fabrice Durand <fdur...@inverse.ca>
Sent: Tuesday, July 28, 2020 13:58
To: Juraj Tobias <j...@leaf.sk>; 
packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"



On 20-07-28 at 05:33, Juraj Tobias wrote:
thx, Fabrice, pls see replies in the text

________________________________
From: Durand fabrice via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Tuesday, July 28, 2020 04:41
To: packetfence-users@lists.sourceforge.net 
<packetfence-users@lists.sourceforge.net>
Cc: Durand fabrice <fdur...@inverse.ca>
Subject: Re: [PacketFence-users] EAP-TLS with integrated PKI - "Unable to 
retrieve your profile file"


Hello Tobias,

On 20-07-26 at 10:06, Juraj Tobias via PacketFence-users wrote:
trying to get EAP-TLS with the new integrated PKI working, but run into 
problems with actual provisioning on the client computer - on registration wifi 
all works fine, user (after successful auth) gets the password and link for 
the windows agent, however, upon clicking the "Configure" button, an error 
message appears: "Unable to retrieve your profile file, please contact your 
local support".
I will need to see the logs.
I'd check myself, however, there are many, didn't see anything useful in those 
I checked, so if I could get the name of the log files to check, i'll gladly 
provide.

I have a hunch this has something to do with adding the PKI-generated radius 
SSL cert to the RADIUS' configuration (not sure if/why this doesn't happen 
automatically?), as suggested in the installation manual, however, the steps 
described there are very unclear (actually, there's just a mention not to 
forget to add it to the config, but the steps how to do that are missing 
altogether) - I tried to do it via 'System configuration -> RADIUS -> SSL 
certificates', however, the "New SSL certificate" form requires me to provide 
an Intermediate CA, which simply doesn't exist in the integrated PKI's 
generated CA.
https://mgmt:1443/admin/alt#/configuration/certificate/radius<https://192.168.0.39:1443/admin/alt#/configuration/certificate/radius>

does anyone please know, if:

  1.  adding the CA's cert is actually needed?

Yes, it's not yet automatic but you need to copy the ca cert in Configuration 
-> SSL -> Radius.
this one is a bit confusing. there are 2 nodes you might be referring to: 1: 
System Configuration > SSL Certificates > RADIUS, OR 2: System Configuration > 
RADIUS > SSL Certificates. which one do you have in mind?

System Configuration > RADIUS > SSL Certificates is the place where you will 
define other certificates, for example if you want to have another one for a 
specific realm.

https://mgmt:1443/admin/alt#/configuration/certificate/radius is the default 
radius certificate. If you check 
https://mgmt:1443/admin/alt#/configuration/radius/tls/tls-common you can see 
"Certificate Profile" which is defined to radius (which is the default 
certificate).

  2.  what does the error message mean?

wrong profile maybe or dns issue.

  3.  where on the server should I be looking for the generated XMLs?

from the laptop itself you can go to https://lost.com//profile.xml
not sure the url didn't get scrambled - are there supposed to be 2x slash, or 
it's just https://<my-packetfence-host>/profile.xml ?
1 slash.
or can anyone point me somewhere where I could find some more info?

thanks a lot!
j.




_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)