Hello Adrian,

glad to know that it works for you.
Btw, I have no clue why the TPM module cannot be used.

I know that we got an issue with certificates provided by Intune where
FreeRADIUS complained that it wasn't able to decrypt too.
There are also issues with Android and Intune if the certificate contains a
postal code.

You probably need to ask Microsoft why this happens.

Also, for your AP connection issue, can you first try to run raddebug?

raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000

and paste the output.

For the MTU, I have seen something like that in the past; I have to find it.

Regards
Fabrice


On Mon, 21 Feb 2022 at 08:38, Adrian Damaschek <
adrian.damasc...@technicondesign.com> wrote:

> Hello Fabrice,
>
> So this works now, I can get the cert.
> But it seems that I have some APs now that don't want to connect. What the
> APs that don't want to use the RADIUS server have in common is that they are
> all behind site-to-site VPNs.
>
> Is this an Intune-specific issue as well, or possibly related to some MTU
> problems that I read might cause problems?
>
> Regards
> Adrian
>
>
>
> From: Fabrice Durand <oeufd...@gmail.com>
> Sent: Friday, 18 February 2022 14:21
> To: Adrian Damaschek <adrian.damasc...@technicondesign.com>
> Cc: packetfence-users <packetfence-users@lists.sourceforge.net>
> Subject: Re: [PacketFence-users] SCEP over Intune does not work
>
>
>
> Hello Adrian,
> the error is "err="crypto/rsa: decryption error""
>
> We got multiple issues with Intune because of the Key Storage Provider,
> can you verify that it's configured like that?
>
>
>
>
> Regards
> Fabrice
>
>
> On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek <
> adrian.damasc...@technicondesign.com> wrote:
> Hello Fabrice,
>
> I have it set to HTTP for now and just use the IP address to remove any
> chance of a bad hostname or something. I just want it to work, then I'll
> work out how to make it secure and working over the internet, so for now it's
> inside my network and testing.
>
> As for the logs, this is what I get:
>
> Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-" "HAPROXY-load-balancing-check"
> Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-" "HAPROXY-load-balancing-check"
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info msg="Got GET request from http://127.0.0.1:51464/" pid=870
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info msg="SCEP GET To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default" pid=870
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/dhcp/stats" pid=907
> Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" "Go-http-client/1.1"
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn msg="Compile error '$.items[*].network, $.items[*].percentused' parse error from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps error=null took=412.322µs
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
> Feb 16 17:18:11 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:10.930] portal-http-<pf IP> pki/http://127.0.0.1/ 0/0/1/676/677 200 181 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET /scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default HTTP/1.1"
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info msg="Got GET request from http://127.0.0.1:51470/" pid=870
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info msg="SCEP GET To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default" pid=870
> Feb 16 17:18:12 testnac pfstats[907]: t=2022-02-16T17:18:12+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/queues/stats" pid=907
> Feb 16 17:18:12 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:12 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-" "Go-http-client/1.1"
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34 component=scep_service method=GetCACert message=default err=null took=962ns
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325087335Z caller=endpoint.go:186 op=GetCACert error=null took=88.807µs
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325122193Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
> Feb 16 17:18:12 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:11.643] portal-http-<pf IP> pki/http://127.0.0.1/ 0/0/0/682/682 200 1147 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET /scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default HTTP/1.1"
> Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-" "HAPROXY-load-balancing-check"
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info msg="Got POST request from http://127.0.0.1:51504/" pid=870
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info msg="SCEP POST To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation" pid=870
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation error=null took=3.877015ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> Feb 16 17:18:19 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:19.052] portal-http-<pf IP> pki/http://127.0.0.1/ 0/0/0/658/658 500 213 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "POST /scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/dhcp/stats" pid=907
> Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" "Go-http-client/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn msg="Compile error '$.items[*].network.free, $.items[*].free' parse error from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/queues/stats" pid=907
> Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-" "Go-http-client/1.1"
>
> I don't see anything really interesting happening in the log here that
> would tell me anything other than what I would expect.
> The CA is added as a trusted root (I am using the built-in PKI) and the
> profile is enabled for SCEP and has the Intune app on.
> I checked in AzureAD that the app can log in, so it has access, as I don't
> see any login failures in the logs.
>
> I might try to set up PacketFence and follow along what the requests are
> that are sent to the server, but I would have expected something on the PF
> side, since it's a 500 error.
>
> /Adrian
>
>
> From: Fabrice Durand <mailto:oeufd...@gmail.com>
> Sent: Wednesday, 16 February 2022 16:58
> To: packetfence-users <mailto:packetfence-users@lists.sourceforge.net>
> Cc: Adrian Damaschek <mailto:adrian.damasc...@technicondesign.com>
> Subject: Re: [PacketFence-users] SCEP over Intune does not work
>
>
>
> Hello Adrian,
>
> welcome to the Intune world ...
> Do you see anything in the PacketFence log when the 500 happens? (journalctl
> command)
> Did you define the SCEP URL as http? If that's the case, you can take a
> network capture to see what happens exactly.
>
>
> We also made changes in the upcoming PacketFence version for the PKI and
> SCEP, so you can test the devel version to see if it fixes your issue.
>
> Regards
> Fabrice
>
>
> On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
> Hello Everyone,
>
> So I have been using PF for some time to run NAC on my switches, but now
> I am trying to set up the PKI with SCEP that would provide Intune certs so
> users can use them for RADIUS WiFi.
>
> Sadly I got stuck and I don't know what I am doing wrong.
>
> I have a CA on PFPKI and a SCEP profile; I can run a request via SSCEP, that
> one runs and pops out a cert.
> I have the Intune integration set up with an app registered; the app has the
> permissions as per the documentation.
>
> I added the CA as a RootCA via Intune, this works correctly, and now comes
> the part that I can't work out.
> I can't make a SCEP request work.
>
> Only error I get in windows is SCEP: Certificate enroll failed. Result:
> (Internal server error (500).). Event ID is 32.
>
> Would appreciate any help with this
>
> Regards
>
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
>
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
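Added example, not code from PacketFence or from anyone in the thread: a small parser for the pfhttpd `key=value` records quoted above. The thread shows why it is worth doing this rather than reading only the `status=500` line: the `component=scep_service` record carries the actual failure reason (`err="crypto/rsa: decryption error"`), while the `component=http` record for the same request only shows the status code. The sample log is constructed from the quoted lines (joined back onto one line each), and the hint table holds only the explanation the thread itself gives for that error.

```python
"""Parse pfhttpd SCEP log records (logfmt key=value) and report
which SCEP operation failed, why, and what HTTP status the client saw."""
import re
from collections import Counter

# Constructed sample, modelled on the pfhttpd lines quoted in the thread.
SAMPLE_LOG = """\
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34 component=scep_service method=GetCACert message=default err=null took=962ns
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
"""

# One key=value pair: the value is either a double-quoted string (spaces
# allowed, backslash escapes honoured) or a run of non-whitespace characters.
LOGFMT_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Explanations per scep_service error.  The single entry is what the thread
# established: the PKIOperation body is a PKCS#7 envelope encrypted to the
# CA certificate, and pfpki could not decrypt it; the thread points at the
# Key Storage Provider setting of the Intune SCEP profile.
ERR_HINTS = {
    "crypto/rsa: decryption error":
        "pfpki could not decrypt the PKCS#7 envelope of the PKIOperation "
        "request; check the Key Storage Provider setting of the Intune SCEP "
        "profile (the cause identified in the thread).",
}


def parse_logfmt(line):
    """Return the key=value fields of one pfhttpd line as a dict.
    The syslog prefix contains no '=' and is skipped naturally."""
    fields = {}
    for key, raw in LOGFMT_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def scep_failures(log_text):
    """(ts, method, err) for every scep_service record whose err is not null."""
    out = []
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        if f.get("component") == "scep_service" and f.get("err", "null") != "null":
            out.append((f["ts"], f.get("method"), f["err"]))
    return out


def http_status_by_operation(log_text):
    """Counter of (SCEP operation, HTTP status) from the component=http records,
    so a failure can be matched to what the NDES client actually received."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        if f.get("component") != "http" or "status" not in f:
            continue
        m = re.search(r"[?&]operation=([A-Za-z]+)", f.get("path", ""))
        counts[(m.group(1) if m else "?", f["status"])] += 1
    return counts


def explain(err):
    """Map a scep_service err string to the recorded hint, if there is one."""
    return ERR_HINTS.get(err, "no recorded hint for this error")


if __name__ == "__main__":
    for ts, method, err in scep_failures(SAMPLE_LOG):
        print(f"{ts} {method}: {err}\n  -> {explain(err)}")
    for (op, status), n in sorted(http_status_by_operation(SAMPLE_LOG).items()):
        print(f"{op:<14} HTTP {status}: {n}")
```

Run it against `journalctl -u packetfence-pfhttpd` output (or the pasted lines) to get the failing SCEP step and its reason in one place; the GetCACaps and GetCACert steps succeeding while only PKIOperation fails is the pattern that separates a server-side decryption problem from a connectivity or URL problem.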
