I can add some suggestions to step 3 you listed, as we have worked through
the same issues.

Make sure that you add the "radius" listening daemon to your network
interface on the PacketFence appliance.  This is done via Configuration >
Network configuration > interfaces > select Eth0 (assuming this is your
main NIC on the appliance) and select these under the "additional listening
daemon(s)" dropdown.  This will require a restart of the following services:
  • haproxy-portal
  • httpd.portal
  • iptables

Your SCEP URL should be http://<ip of PF server>/scep/<template name> -
looks like you have that right.

Make sure your SCEP server is enabled under Configuration > Integration
(PKI) > SCEP servers.
We use the "null" entry (127.0.0.1) and make sure the shared secret matches
the secret entered into the SCEP template.

On Fri, Jan 31, 2025 at 6:44 PM Benn, Davis via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello.
>
>
>
> I have been tinkering around with PacketFence and have some questions
> relating to PKI and SCEP.  For information, PacketFence is on version 14.
> It is not inline and it only has one network port configured at the moment.
>
>
>
>    1. As per the documentation (23.1), I have configured NDES to work
>    with PacketFence.  It seems like this only works for wireless networks?  Is
>    there a way to do anything else with this or the MSPKI integration in
>    general?  If not, I think for me it makes more sense to just make
>    PacketFence a subordinate CA of my Windows CA.
>
>
>
>    2. How does the SCEP proxy work mentioned in the documentation (right
>    before the SCEP test section of 23.2.2)? Is it for configuring a SCEP
>    server to proxy to PacketFence?  What standalone SCEP servers exist that
>    could be used with this?
>
>
>
>    3. I signed a CSR from the PacketFence server using my Windows CA as
>    per (23.2.1).  I was configuring a template named IP-Phone using this CA
>    and tried following the documentation (23.2.2), but there were a bunch of
>    options that did not match up such as requiring an email in the template.
>    In the template I enabled SCEP and configured a challenge password, but I
>    have no idea what the correct url should be.  I tried
>    http://<ipaddress>/scep/IP-Phone and that did not work. Do I need to
>    enable something, or configure some
>    sort of responder on the packetfence network interface?  I only have it set
>    to Management at the moment.
>
>
>
> Thank you.
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>