Sorry, a typo:

raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000

For the MTU, I think that it needs to be done on the AP (to match the VPN
value) and maybe on the VPN server too.

On Mon, 21 Feb 2022 at 09:58, Adrian Damaschek <> wrote:

> Hi Fabrice,
> So I get a command not found, but radsniff was there. And I get the
> packages, they show up:
> 2022-02-21 15:54:30.435928 (17) Access-Request Id 18
> enp6s18:<ClientIP>:58613 -> <nacIP>:1812 +0.416
>         User-Name = "test2"
>         NAS-IP-Address =
>         Service-Type = Framed-User
>         Framed-MTU = 1400
>         State = 0xc7a76f0fc0c47689325319c17a81ab41
>         Called-Station-Id = "1E-E8-29-62-A4-DC:TEST_NAC"
>         Calling-Station-Id = "30-24-32-93-1A-8E"
>         NAS-Identifier = "1ee82962a4dc"
>         NAS-Port-Type = Wireless-802.11
>         Acct-Session-Id = "60D23A6D993769B8"
>         Acct-Multi-Session-Id = "C7D2CF37B0AFCE34"
>         Connect-Info = "CONNECT 0Mbps 802.11b"
>         EAP-Message =
> 0x026300cb190017030300c00000000000000003f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
>         Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
>         WLAN-Pairwise-Cipher = 1027076
>         WLAN-Group-Cipher = 1027076
>         WLAN-AKM-Suite = 1027077
>         WLAN-Group-Mgmt-Cipher = 1027078
>         Authenticator-Field = 0x9faacd593cad6cdc503fce73431de630
> I saw some people say that doing EAP over VPNs is a problem because of
> the Framed-MTU, and suggested changing that, but I can't seem to find a way
> to lower it.
> The APs in the same site work; it's only remote APs that access
> the RADIUS server via VPN.
> Regards
> Adrian
> From: Fabrice Durand <>
> Sent: Monday, 21 February 2022 15:50
> To: Adrian Damaschek <>
> Cc: packetfence-users <>
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
> Hello Adrian,
> glad to know that it works for you.
> Btw I have no clue why the TPM module cannot be used.
> I know that we got an issue with certificates provided by Intune where
> FreeRADIUS complained that it wasn't able to decrypt too.
> There are also issues with Android and Intune if the certificate contains
> a postal code.
> You probably need to ask Microsoft why this happens.
> Also, for your AP connection issue, can you try first to run raddebug?
> raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000
> and paste the output.
> For the MTU I have seen something like that in the past; I have to find it.
> Regards
> Fabrice
> On Mon, 21 Feb 2022 at 08:38, Adrian Damaschek <> wrote:
> Hello Fabrice,
> So this works now, I can get the cert.
> But it seems that I have some APs now that don’t want to connect. What
> the APs that don’t want to use the RADIUS server have in common is that
> they are all over site-to-site VPNs.
> Is this an Intune-specific issue as well, or possibly related to some MTU
> problems that I read might cause problems?
> Regards
> Adrian
> From: Fabrice Durand <>
> Sent: Friday, 18 February 2022 14:21
> To: Adrian Damaschek <>
> Cc: packetfence-users <>
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
> Hello Adrian,
> the error is "err="crypto/rsa: decryption error"".
> We got multiple issues with Intune because of the Key Storage Provider;
> can you verify that it's configured like that?
> Regards
> Fabrice
> On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek <> wrote:
> Hello Fabrice,
> I have it set to http for now and just use the IP address to remove any
> chance of a bad hostname or something. I just want it to work, then I'll
> work out how to make it secure and working over the internet, so for now it's
> inside my network and testing.
> As for the logs, this is what I get:
> Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Got GET request from
> pid=870
> Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="SCEP GET To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
> pid=870
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info
> msg="Calling Unified API on uri:
> pid=907
> Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access - -
> [16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
> "Go-http-client/1.1"
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Compile error '$.items[*].network, $.items[*].percentused' parse error
> from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn
> msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22
> component=scep_service method=GetCACaps err=null took=710ns
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps
> error=null took=412.322µs
> Feb 16 17:18:11 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http
> method=GET status=200 proto=HTTP/1.1 host= user_agent="Mozilla/4.0
> (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
> Feb 16 17:18:11 testnac haproxy[983]: <clietn IP>:50394
> [16/Feb/2022:17:18:10.930] portal-http-<pf IP> pki/
> 0/0/1/676/677 200 181 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET
> /scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default
> HTTP/1.1"
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
> msg="Got GET request from
> pid=870
> Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info
> msg="SCEP GET To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
> pid=870
> Feb 16 17:18:12 testnac pfstats[907]: t=2022-02-16T17:18:12+0100 lvl=info
> msg="Calling Unified API on uri:
> pid=907
> Feb 16 17:18:12 testnac pfhttpd[856]: api-frontend-access - -
> [16/Feb/2022:17:18:12 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978
> "-" "Go-http-client/1.1"
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34
> component=scep_service method=GetCACert message=default err=null took=962ns
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325087335Z caller=endpoint.go:186 op=GetCACert
> error=null took=88.807µs
> Feb 16 17:18:12 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:12.325122193Z caller=logutil.go:70 component=http
> method=GET status=200 proto=HTTP/1.1 host= user_agent="Mozilla/4.0
> (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
> Feb 16 17:18:12 testnac haproxy[983]: <clietn IP>:50394
> [16/Feb/2022:17:18:11.643] portal-http-<pf IP> pki/
> 0/0/0/682/682 200 1147 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET
> /scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default
> HTTP/1.1"
> Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="Got POST request from
> pid=870
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="SCEP POST To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> pid=870
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47
> component=scep_service method=PKIOperation err="crypto/rsa: decryption
> error" took=3.803844ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation
> error=null took=3.877015ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http
> method=POST status=500 proto=HTTP/1.1 host=
> user_agent="Mozilla/4.0 (compatible; Win32; NDES client
> 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> Feb 16 17:18:19 testnac haproxy[983]: <clietn IP>:50394
> [16/Feb/2022:17:18:19.052] portal-http-<pf IP> pki/
> 0/0/0/658/658 500 213 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "POST
> /scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info
> msg="Calling Unified API on uri:
> pid=907
> Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access - -
> [16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
> "Go-http-client/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
> msg="Compile error '$.items[*], $.items[*].free' parse error
> from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
> msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info
> msg="Calling Unified API on uri:
> pid=907
> Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access - -
> [16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978
> "-" "Go-http-client/1.1"
> I don’t see anything really interesting in the log that is happening here
> that would tell me other than what I would expect.
> The CA is added as trusted root (I am using the built-in PKI) and the
> profile is enabled for SCEP and has the Intune app on.
> I checked in AzureAD that the app can log in, so it has access, as I don’t see
> any login fails in the logs.
> I might try to set up PacketFence and follow along what the requests are
> that are sent to the server, but I would have expected something on the PF
> side, since it’s a 500 error.
> /Adrian
> From: Fabrice Durand <>
> Sent: Wednesday, 16 February 2022 16:58
> To: packetfence-users <>
> Cc: Adrian Damaschek <>
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
> Hello Adrian,
> welcome to the Intune world ...
> Do you see anything in the PacketFence log when the 500 happens? (journalctl
> command)
> Did you define the SCEP URL as http? If that's the case you can take a
> network capture to see what happens exactly.
> We also made changes in the upcoming PacketFence version for the PKI and
> SCEP, so you can test the devel version to see if it fixes your issue.
> Regards
> Fabrice
> On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users <> wrote:
> Hello Everyone,
> So I have been using PF for some time to run the NAC on my switches, but now
> I am trying to set up the PKI with SCEP so that it provides Intune certs that
> users can use for RADIUS WiFi.
> Sadly I got stuck and I don’t know what I am doing wrong.
> I got a CA on PFPKI and a SCEP profile, and I can run a request via SSCEP; that
> one runs and pops out a cert.
> I got the Intune integration set up with an app registered; the app has the
> permissions as per documentation.
> I added the CA as a RootCA via Intune; this works correctly, and now comes the
> part that I can’t work out:
> I can’t make a SCEP request work.
> The only error I get in Windows is SCEP: Certificate enroll failed. Result:
> (Internal server error (500).). Event ID is 32.
> Would appreciate any help with this.
> Regards
> _______________________________________________
> PacketFence-users mailing list
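The Access-Request dump Adrian posted earlier in the thread (Framed-MTU = 1400, an EAP-Message beginning 0x026300cb19001703...) can be decoded to see what the AP is actually relaying, and Fabrice's MTU advice can be turned into a concrete check. The following is an added example written for this thread, not PacketFence or FreeRADIUS code: the EAP and TLS header bytes are taken from the posted dump, the encrypted TLS payload is replaced by filler of the declared length, and ASSUMED_TUNNEL_MTU and the OTHER_ATTRS overhead allowance are assumptions, since the thread never states the VPN's MTU.

```python
"""Decode the EAP-Message attribute from a RADIUS Access-Request dump and
check the NAS-advertised Framed-MTU against a VPN tunnel MTU.

Added example for this thread; not PacketFence or FreeRADIUS code.
"""
import math

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TLS_METHODS = {13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}
TLS_CONTENT = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Constructed sample: the first 11 bytes are the EAP and TLS headers exactly as
# they appear in the posted radsniff output; the 192-byte encrypted TLS payload
# is replaced by zero filler of the same length.
SAMPLE_EAP_MESSAGE = bytes.fromhex("026300cb190017030300c0") + bytes(192)
SAMPLE_FRAMED_MTU = 1400      # Framed-MTU from the posted Access-Request
ASSUMED_TUNNEL_MTU = 1400     # hypothetical site-to-site VPN MTU (not from the thread)


def parse_eap_message(data: bytes) -> dict:
    """Parse the EAP header, the flags of a TLS-based method and the inner TLS record header."""
    if len(data) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = data[0], data[1]
    length = int.from_bytes(data[2:4], "big")
    if length != len(data):
        raise ValueError(f"EAP length field says {length}, got {len(data)} bytes")
    info = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code not in (1, 2) or length < 5:      # Success/Failure carry no type byte
        return info
    eap_type = data[4]
    info["type"] = TLS_METHODS.get(eap_type, eap_type)
    if eap_type not in TLS_METHODS or length < 6:
        return info
    flags = data[5]
    info["flags"] = {
        "length_included": bool(flags & 0x80),   # L: 4-byte total TLS length follows
        "more_fragments": bool(flags & 0x40),    # M: more EAP fragments coming
        "start": bool(flags & 0x20),             # S: first packet of the TLS exchange
        "version": flags & 0x07,                 # PEAP/EAP-TTLS version bits
    }
    offset = 6
    if flags & 0x80:
        if length < 10:
            raise ValueError("L flag set but no TLS length field present")
        info["tls_total_length"] = int.from_bytes(data[6:10], "big")
        offset = 10
    if length - offset >= 5:                     # a TLS record header is visible
        rec_type = data[offset]
        version = int.from_bytes(data[offset + 1:offset + 3], "big")
        rec_len = int.from_bytes(data[offset + 3:offset + 5], "big")
        info["tls_record"] = {
            "content_type": TLS_CONTENT.get(rec_type, rec_type),
            "version": TLS_VERSIONS.get(version, hex(version)),
            "length": rec_len,
            # True when the whole TLS record fits in this single EAP packet
            "complete": offset + 5 + rec_len == length,
        }
    return info


# Constructed overhead model (assumption): IPv4 + UDP + RADIUS headers, a fixed
# allowance for the other attributes seen in the dump, and 2 bytes of attribute
# header per 253-byte EAP-Message chunk (RFC 2865 attribute size limit).
IP_HDR, UDP_HDR, RADIUS_HDR, OTHER_ATTRS = 20, 8, 20, 200
EAP_ATTR_MAX = 253


def radius_datagram_size(eap_len: int) -> int:
    """Estimated size of the IP datagram that carries one EAP packet of eap_len bytes."""
    return IP_HDR + UDP_HDR + RADIUS_HDR + OTHER_ATTRS + eap_len + 2 * math.ceil(eap_len / EAP_ATTR_MAX)


def check_framed_mtu(framed_mtu: int, tunnel_mtu: int) -> dict:
    """Framed-MTU tells the RADIUS server the largest EAP packet the NAS will forward
    (RFC 3579), so the server sizes EAP-TLS/PEAP fragments from it. If the RADIUS
    datagram carrying a fragment that large exceeds the tunnel MTU, it gets
    IP-fragmented or dropped on the way back to the remote AP."""
    worst = radius_datagram_size(framed_mtu)
    largest_ok = max(x for x in range(tunnel_mtu) if radius_datagram_size(x) <= tunnel_mtu)
    return {
        "framed_mtu": framed_mtu,
        "worst_case_datagram": worst,
        "fits_tunnel": worst <= tunnel_mtu,
        "suggested_framed_mtu": largest_ok,
    }


if __name__ == "__main__":
    print(parse_eap_message(SAMPLE_EAP_MESSAGE))
    print(check_framed_mtu(SAMPLE_FRAMED_MTU, ASSUMED_TUNNEL_MTU))
```

On the posted bytes the decoder reports a PEAP Response (id 99, 203 bytes) carrying a complete TLS 1.2 application_data record, i.e. the inner authentication is already past the handshake; with the assumed 1400-byte tunnel the worst-case reply for Framed-MTU 1400 comes out well above the tunnel MTU, which is the condition the thread is worried about.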
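To pull the actual cause of the 500 out of the pfhttpd excerpt above (where only the scep_service line carries err="crypto/rsa: decryption error", while the endpoint.go line reports error=null and the http line just says status=500), here is an added example, not PacketFence code, that parses the key=value log format and pairs each 5xx on the SCEP endpoint with the last scep_service error logged before it. The sample lines are the thread's own, re-joined where the mail client wrapped them; the pairing-by-order heuristic is an assumption of this example.

```python
"""Triage SCEP failures in PacketFence pfhttpd logs.

Added example for the log excerpt in this thread; not PacketFence code.
"""
import re

# key=value pairs; a quoted value may contain spaces and escaped quotes
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample: four pfhttpd lines from the thread, re-joined onto single lines.
SAMPLE_LOG = """\
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host= user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
"""


def parse_kv(line: str) -> dict:
    """Return the key=value fields of one log line, with surrounding quotes removed.
    A key with an empty value (host= in the sample) is simply skipped."""
    return {k: v[1:-1] if v.startswith('"') else v for k, v in KV_RE.findall(line)}


def scep_triage(log_text: str) -> list:
    """Pair every HTTP 5xx on the SCEP endpoint with the most recent scep_service error.

    In the posted lines endpoint.go logs error=null even though the operation
    failed, so the scep_service line is the only place the cause appears.
    Pairing by log order is a heuristic (assumption) that works for a single
    client; a busy server would need a request id to correlate on."""
    findings, last_err = [], None
    for line in log_text.splitlines():
        kv = parse_kv(line)
        component = kv.get("component")
        if component == "scep_service":
            err = kv.get("err", "null")
            last_err = None if err == "null" else (kv.get("method", "?"), err)
        elif component == "http" and kv.get("status", "0").startswith("5"):
            method, cause = last_err or ("unknown", "no scep_service error logged")
            findings.append({
                "status": int(kv["status"]),
                "path": kv.get("path", ""),
                "scep_method": method,
                "cause": cause,
            })
    return findings


if __name__ == "__main__":
    for finding in scep_triage(SAMPLE_LOG):
        print(f"{finding['status']} on {finding['path']}: "
              f"{finding['scep_method']} failed with {finding['cause']!r}")
```

Run against the excerpt this yields a single finding: the POST to ...operation=PKIOperation returned 500 because PKIOperation failed with "crypto/rsa: decryption error", which is the line Fabrice points at in his reply about the Key Storage Provider.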