Hi Gents,

We have the same question (well, almost) and have been working with the identity team at MS (the case has been open for 4 weeks now with many meetings, but we are like a dog with a bone, wanting to know the why, not just the fix). You will most likely find that it works fine with a TPM 2.0 and fails with a TPM 1.2. Our understanding so far is that this is to do with "trust": the CA does not trust the TPM 1.2, but in the TPM 2.0 specification some work was done that helps with this issue. When the Intune helper places the cert in the store, we are unsure whether the key actually gets placed in the TPM 1.2; hence, even though the client cert looks good, it is not accepted as safe and the certificate is ignored.
As soon as we have squeezed a sensible answer out of MS as to "why", not "just because it is like this", I will reply to my thread with Fabrice on the topic with a full write-up so the mailing list also knows the answer.

Hope that helps.

Simon

From: Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net>
Sent: 21 February 2022 14:50
To: Adrian Damaschek <adrian.damasc...@technicondesign.com>
Cc: Fabrice Durand <oeufd...@gmail.com>; packetfence-users <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] SCEP over Intune does not work

Hello Adrian,

glad to know that it works for you.

Btw I have no clue why the TPM module cannot be used. I know that we got an issue with certificates provided by Intune where FreeRADIUS complained that it wasn't able to decrypt too. There are also issues with Android and Intune if the certificate contains a postal code. You probably need to ask Microsoft why this happens.

Also, for your AP connection issue, can you first try to run raddebug?

raddebug -f /usr/local/pf/var/run/radiusd.sock -d 3000

and paste the output.

For the MTU, I have seen something like that in the past; I have to find it.

Regards

Fabrice

On Mon, 21 Feb 2022 at 08:38, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:

Hello Fabrice,

So this works now, I can get the cert. But it seems that I have some APs now that don't want to connect. What the APs that don't want to use the RADIUS server have in common is that they are all behind site-to-site VPNs. Is this an Intune-specific issue as well, or possibly related to some MTU problems that I read might cause problems?
Regards

Adrian

From: Fabrice Durand <oeufd...@gmail.com>
Sent: Friday, 18 February 2022 14:21
To: Adrian Damaschek <adrian.damasc...@technicondesign.com>
Cc: packetfence-users <packetfence-users@lists.sourceforge.net>
Subject: Re: [PacketFence-users] SCEP over Intune does not work

Hello Adrian,

the error is err="crypto/rsa: decryption error". We got multiple issues with Intune because of the Key Storage Provider; can you verify that it's configured like that?

Regards

Fabrice

On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek <adrian.damasc...@technicondesign.com> wrote:

Hello Fabrice,

I have it set to HTTP for now and just use the IP address to remove any chance of a bad hostname or something. I just want it to work; then I'll work out how to make it secure and working over the internet, so for now it's inside my network and testing.

As for the logs, this is what I get:

Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-" "HAPROXY-load-balancing-check"
Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-" "HAPROXY-load-balancing-check"
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info msg="Got GET request from 127.0.0.1:51464" pid=870
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info msg="SCEP GET To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default" pid=870
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/dhcp/stats" pid=907
Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" "Go-http-client/1.1"
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn msg="Compile error '$.items[*].network, $.items[*].percentused' parse error from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps error=null took=412.322µs
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:11 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:10.930] portal-http-<pf IP> pki/127.0.0.1 0/0/1/676/677 200 181 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET /scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default HTTP/1.1"
Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info msg="Got GET request from 127.0.0.1:51470" pid=870
Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+0100 lvl=info msg="SCEP GET To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default" pid=870
Feb 16 17:18:12 testnac pfstats[907]: t=2022-02-16T17:18:12+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/queues/stats" pid=907
Feb 16 17:18:12 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:12 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-" "Go-http-client/1.1"
Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325002433Z caller=service_logging.go:34 component=scep_service method=GetCACert message=default err=null took=962ns
Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325087335Z caller=endpoint.go:186 op=GetCACert error=null took=88.807µs
Feb 16 17:18:12 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:12.325122193Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
Feb 16 17:18:12 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:11.643] portal-http-<pf IP> pki/127.0.0.1 0/0/0/682/682 200 1147 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "GET /scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default HTTP/1.1"
Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18 +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-" "HAPROXY-load-balancing-check"
Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info msg="Got POST request from 127.0.0.1:51504" pid=870
Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info msg="SCEP POST To: /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation" pid=870
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 (compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
Feb 16 17:18:19 testnac haproxy[983]: <client IP>:50394 [16/Feb/2022:17:18:19.052] portal-http-<pf IP> pki/127.0.0.1 0/0/0/658/658 500 213 - - ---- 2/1/0/0/0 0/0 {<pf IP>} "POST /scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/dhcp/stats" pid=907
Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" "Go-http-client/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn msg="Compile error '$.items[*].network.free, $.items[*].free' parse error from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info msg="Calling Unified API on uri: https://127.0.0.1:9999/api/v1/queues/stats" pid=907
Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - [16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-" "Go-http-client/1.1"

I don't see anything really interesting happening in the log here that would tell me anything other than what I would expect. The CA is added as a trusted root (I am using the built-in PKI), and the profile is enabled for SCEP and has the Intune app on. I checked in Azure AD that the app can log in, so it has access, as I don't see any login failures in the logs. I might try to set up package fence and follow along with what requests are sent to the server, but I would have expected something on the PF side, since it's a 500 error.

/Adrian

From: Fabrice Durand <oeufd...@gmail.com>
Sent: Wednesday, 16 February 2022 16:58
To: packetfence-users <packetfence-users@lists.sourceforge.net>
Cc: Adrian Damaschek <adrian.damasc...@technicondesign.com>
Subject: Re: [PacketFence-users] SCEP over Intune does not work

Hello Adrian,

welcome to the Intune world ...

Do you see anything in the PacketFence log when the 500 happens? (journalctl command)

Did you define the SCEP URL as HTTP? If that's the case, you can take a network capture to see what happens exactly.

We also made changes in the upcoming PacketFence version for the PKI and SCEP, so you can test the devel version to see if it fixes your issue.

Regards

Fabrice

On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:

Hello Everyone,

So I have been using PF for some time to run the NAC on my switches, but now I am trying to set up the PKI with SCEP that would provide Intune certs so users can use them for RADIUS WiFi. Sadly I got stuck and I don't know what I am doing wrong.

I have a CA on PFPKI and a SCEP profile; I can run a request via SSCEP, and that one runs and pops out a cert. I have the Intune integration set up with an app registered, and the app has the permissions as per the documentation. I added the CA as a root CA via Intune; this works correctly, and now comes the part that I can't work out: I can't make a SCEP request work. The only error I get in Windows is "SCEP: Certificate enroll failed. Result: (Internal server error (500).)". Event ID is 32.
Would appreciate any help with this.

Regards

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
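The pfhttpd lines Adrian pasted show the pattern worth keying on when triaging a SCEP 500 from PacketFence: the component=scep_service line carries err="crypto/rsa: decryption error", the endpoint.go line right after it still reports error=null, and the NDES client receives status=500. The Python below is an added example, not PacketFence code; it parses trimmed, constructed copies of those log lines and pairs each SCEP operation's service error with the HTTP status the client actually got, so the failing PKIOperation stands out from the GetCACaps/GetCACert calls that succeeded.

```python
import re
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample: trimmed copies of the pfhttpd lines from the thread (a
# successful GetCACaps/GetCACert pair, then the PKIOperation that failed).
SAMPLE_LOG = """\
Feb 16 17:18:11 testnac pfhttpd[870]: level=info caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info caller=logutil.go:70 component=http method=GET status=200 host=127.0.0.1 path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:12 testnac pfhttpd[870]: level=info caller=service_logging.go:34 component=scep_service method=GetCACert message=default err=null took=962ns
Feb 16 17:18:12 testnac pfhttpd[870]: level=info caller=logutil.go:70 component=http method=GET status=200 host=127.0.0.1 path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default"
Feb 16 17:18:19 testnac pfhttpd[870]: level=info caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info caller=endpoint.go:186 op=PKIOperation error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info caller=logutil.go:70 component=http method=POST status=500 host=127.0.0.1 path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
"""

# One logfmt token: key=value, the value either a quoted string or a bare word.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_logfmt(line: str) -> Dict[str, str]:
    """Return the key=value fields of one log line, quotes stripped."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields

def scep_operations(log_text: str) -> List[Dict[str, str]]:
    """Pair each scep_service result with the HTTP status the client got.

    pfhttpd logs the service call (component=scep_service, method, err) before
    the access line (component=http, status, path?operation=...). The
    endpoint.go line in between reports error=null even when the service
    failed, so it is ignored: the service err and the HTTP status are what count.
    """
    results: List[Dict[str, str]] = []
    pending: Dict[str, str] = {}  # operation -> service err, awaiting access line
    for line in log_text.splitlines():
        if "pfhttpd" not in line:
            continue
        f = parse_logfmt(line)
        if f.get("component") == "scep_service" and "method" in f:
            pending[f["method"]] = f.get("err", "null")
        elif f.get("component") == "http":
            op = parse_qs(urlparse(f.get("path", "")).query).get("operation", [""])[0]
            if op in pending:
                results.append({"operation": op, "service_err": pending.pop(op),
                                "http_status": f.get("status", "")})
    return results

def failed_operations(log_text: str) -> List[Dict[str, str]]:
    """Operations where the service errored or the client received a non-200."""
    return [r for r in scep_operations(log_text)
            if r["service_err"] != "null" or r["http_status"] != "200"]
```

Run `failed_operations` over `journalctl -u packetfence-pfhttpd` output (or the pasted excerpt) to get one record per failing SCEP request, with the service-layer error that the endpoint line hides.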