Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Simon Sutcliffe via PacketFence-users
Hi Gents,

We have the same question (well, almost) and have been working with the identity 
team at MS (been open for 4 weeks now with many meetings, but we are like a dog 
with a bone, wanting to know the why, not just the fix). You will most likely 
find that it works fine with a TPM 2.0 and fails with a TPM 1.2. Our 
understanding so far is this is to do with “trust” and that the CA does not 
trust the TPM 1.2, but in the TPM 2.0 specification there was some work done 
that helps this issue. When the Intune helper places the cert in the store we are 
unsure if the keys actually get placed in the TPM 1.2, hence even though the 
client cert looks good it is not accepted as safe, hence the certificate is ignored.

As soon as we have squeezed a sensible answer out of MS as to “why”, not 
“just because it is like this”, I will reply to my thread with Fabrice on the 
topic with a full write-up so the mailing list also knows the answer.

Hope that helps.

Simon



Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
I have a Debian cluster running on my side with the raddebug command here:
/usr/sbin/raddebug

and it's coming from the freeradius package.
root@cluster3:/usr/local/pf# apt-file search raddebug
freeradius: /usr/sbin/raddebug


Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Adrian Damaschek via PacketFence-users
Still no, I don’t have any commands starting with radd.
I am using PacketFence 11 on Debian, if that makes a difference where the debug 
commands are.

Regards
Adrian



Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
Sorry a typo

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

For the MTU I think that it needs to be done on the AP (to match the VPN
value) and maybe on the VPN server too.


Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Adrian Damaschek via PacketFence-users
Hi Fabrice,

So I get a command not found, but radsniff was there. And I get the packages, 
they show up, 

2022-02-21 15:54:30.435928 (17) Access-Request Id 18 enp6s18::58613 -> :1812 +0.416
User-Name = "test2"
NAS-IP-Address = 10.100.90.106
Service-Type = Framed-User
Framed-MTU = 1400
State = 0xc7a76f0fc0c47689325319c17a81ab41
Called-Station-Id = "1E-E8-29-62-A4-DC:TEST_NAC"
Calling-Station-Id = "30-24-32-93-1A-8E"
NAS-Identifier = "1ee82962a4dc"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "60D23A6D993769B8"
Acct-Multi-Session-Id = "C7D2CF37B0AFCE34"
Connect-Info = "CONNECT 0Mbps 802.11b"
EAP-Message = 
0x026300cb190017030300c3f4a0bb92d0a0dcdab0b290eaa3123328c6c54a3f63eb436e00ad49c85c372c31ceed35386371283c0046a6566770221560f5a3a9d789d03f6b6347f257ff42447c9c8cd468e512731420b82c57d93c878316232c1f3426399ddfdb916c97e42e2a791ac45c3dad0120bd989a62f1256150f26032a03e634698324dd93e598faa55fce805b0cd288c6c84f63afc4930622db0095cc54ace06612fd2a1a22658e6cdb63e1996591580955c726879ea8f5e9c5f833d5908bc02
Message-Authenticator = 0x19c1e44542159c5d1e854d237da9d73b
WLAN-Pairwise-Cipher = 1027076
WLAN-Group-Cipher = 1027076
WLAN-AKM-Suite = 1027077
WLAN-Group-Mgmt-Cipher = 1027078
Authenticator-Field = 0x9faacd593cad6cdc503fce73431de630

I saw some people said that doing EAP over VPNs is a problem because of the 
Framed-MTU, and suggested to change that, but I can't seem to find a way to 
lower it.

Since the APs in the same site work, and it's only remote APs that access the 
RADIUS server via VPN

Regards
Adrian
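
To read the Access-Request that radsniff printed in the message above, this added example (not code from the thread, PacketFence or FreeRADIUS) parses the attribute lines and decodes the EAP header, the L/M/S flag bits and the first TLS record header. The function names are hypothetical, the thread's EAP-Message is cut to its first 11 bytes, and the fragment sample is constructed.

```python
import re

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 43: "EAP-FAST"}
TLS_BASED = {13, 21, 25, 43}  # methods with a flags octet (L/M/S bits) after the type
TLS_RECORDS = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ATTR_RE = re.compile(r"^([A-Za-z][\w-]*)\s*=\s*(.*)$")

# Attribute lines as quoted in the thread; EAP-Message is cut to its first
# 11 bytes (the headers decoded below) and keeps the mail client's line wrap.
THREAD_SAMPLE = """\
User-Name = "test2"
NAS-IP-Address = 10.100.90.106
Framed-MTU = 1400
EAP-Message =
0x026300cb190017030300c3
"""

# Constructed sample: first fragment of a fragmented EAP-TLS Request.
CONSTRUCTED_FRAGMENT = "0x010703f00dc000000b541603030b4f"


def parse_radsniff_attrs(text):
    """Map attribute name -> value from radsniff 'Name = value' lines.

    Mail clients wrap long values onto the next line (as happened to
    EAP-Message in the thread), so an empty value takes the following line.
    Leading '>' quote markers are ignored.
    """
    attrs, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        match = ATTR_RE.match(line)
        if match:
            name, value = match.group(1), match.group(2).strip()
            attrs[name] = value.strip('"')
            pending = name if not value else None
        elif pending:
            attrs[pending] = line
            pending = None
    return attrs


def decode_eap(hex_value):
    """Decode the EAP header and, for TLS-based methods, flags and record header."""
    text = hex_value[2:] if hex_value.lower().startswith("0x") else hex_value
    data = bytes.fromhex(text)
    if len(data) < 4:
        raise ValueError("an EAP header needs at least 4 bytes")
    info = {
        "code": EAP_CODES.get(data[0], f"unknown({data[0]})"),
        "id": data[1],
        "declared_length": int.from_bytes(data[2:4], "big"),
        "captured_bytes": len(data),
        "method": None,
        "length_flag": False,
        "more_fragments": False,
        "start": False,
        "tls_message_length": None,
        "tls_record": None,
    }
    if data[0] not in (1, 2) or len(data) < 5:
        return info  # Success/Failure carry no type octet
    eap_type = data[4]
    info["method"] = EAP_TYPES.get(eap_type, f"type {eap_type}")
    if eap_type not in TLS_BASED or len(data) < 6:
        return info
    flags, offset = data[5], 6
    info["length_flag"] = bool(flags & 0x80)     # L: 4-byte TLS message length follows
    info["more_fragments"] = bool(flags & 0x40)  # M: further fragments will follow
    info["start"] = bool(flags & 0x20)           # S: start of the TLS conversation
    if info["length_flag"]:
        if len(data) < 10:
            return info
        info["tls_message_length"] = int.from_bytes(data[6:10], "big")
        offset = 10
    # A later fragment starts mid-record, so accept the next five bytes as a
    # record header only when they look like one (known type, major version 3).
    rec = data[offset:offset + 5]
    if len(rec) == 5 and rec[0] in TLS_RECORDS and rec[1] == 3:
        info["tls_record"] = (
            TLS_RECORDS[rec[0]],
            f"0x{rec[1]:02x}{rec[2]:02x}",
            int.from_bytes(rec[3:5], "big"),
        )
    return info


def summarize_request(text):
    """Combine the RADIUS attributes of interest with the decoded EAP packet."""
    attrs = parse_radsniff_attrs(text)
    mtu = attrs.get("Framed-MTU")
    return {
        "user": attrs.get("User-Name"),
        "nas": attrs.get("NAS-IP-Address"),
        "framed_mtu": int(mtu) if mtu else None,
        "eap": decode_eap(attrs["EAP-Message"]),
    }


if __name__ == "__main__":
    print(summarize_request(THREAD_SAMPLE))
    print(decode_eap(CONSTRUCTED_FRAGMENT))
```

For the request quoted in the thread this reports a PEAP Response of declared length 203 carrying a TLS application_data record, with the More-fragments flag clear.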



Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

glad to know that it works for you.
Btw I have no clue why the TPM module cannot be used.

I know that we got an issue with certificates provided by Intune where
FreeRADIUS complained that it wasn't able to decrypt too.
There are also issues with Android and Intune if the certificate contains a
postal code.

You probably need to ask Microsoft why this happens.

Also for your AP connection issue, can you try first to run raddebug?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3000

and paste the output.

For the MTU I have seen something like that in the past, I have to find it.

Regards
Fabrice



Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Adrian Damaschek via PacketFence-users
Hello Fabrice,

So this works now, I can get the cert.
But it seems that I have some APs now that don’t want to connect. What combines 
the APs that don’t want to use the RADIUS server they are all over SiteToSite 
VPNs.

Is this an InTune-specific issue as well, or possibly related to some MTU 
problems that I read might cause problems?

Regards
Adrian



From: Fabrice Durand  
Sent: Friday, 18 February 2022 14:21
To: Adrian Damaschek 
Cc: packetfence-users 
Subject: Re: [PacketFence-users] SCEP over Intune dose not work



Hello Adrian, 
the error is "err="crypto/rsa: decryption error""

We got multiple issues with Intune because of the Key Storage Provider, can you 
verify that it's configured like that?




Regards
Fabrice


On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek 
<adrian.damasc...@technicondesign.com> wrote:
Hello Fabrice, 

I have it set to http for now and just use the IP address to remove any chance 
of a bad hostname or something, I just want it to work, then I'll work out how 
to make it secure and working over the internet, so for now it's inside my 
network and testing

As for the logs this is what I get

Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58 +0100] 
"GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-" 
"HAPROXY-load-balancing-check"
Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08 +0100] 
"GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-" 
"HAPROXY-load-balancing-check"
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="Got GET request from 
http://127.0.0.1:51464/";
 pid=870
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="SCEP GET To: 
/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
 pid=870
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="Calling Unified API on uri: 
https://127.0.0.1:/api/v1/dhcp/stats";
 pid=907
Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - 
[16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" 
"Go-http-client/1.1"
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn 
msg="Compile error '$.items[*].network, $.items[*].percentused' parse error 
from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=warn 
msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:11 testnac pfhttpd[870]: level=info 
ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 
component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info 
ts=2022-02-16T16:18:11.607000502Z caller=endpoint.go:186 op=GetCACaps 
error=null took=412.322µs
Feb 16 17:18:11 testnac pfhttpd[870]: level=info 
ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http 
method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 
(compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" 
path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:11 testnac haproxy[983]: :50394 
[16/Feb/2022:17:18:10.930] portal-http- 
pki/127.0.0.1
 0/0/1/676/677 200 181 - -  2/1/0/0/0 0/0 {} "GET 
/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default 
HTTP/1.1"
Feb 16 17:18:11 testnac pfpki[870]: t=2022-02-16T17:18:11+

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-21 Thread Adrian Damaschek via PacketFence-users
Hello Fabrice,

Well, you just made my week.

I was using the TPM if present, Software if not, AND because it was a 500 
error, I was thinking this was server sided. Hence I did not even play around 
with the client settings.
I just got the system to enroll me a cert. Now off to make it work with wifi.

Do you know why this is a problem that it can't use the TPM module?

Regards
Adrian


From: Fabrice Durand 
Sent: Friday, 18 February 2022 14:21
To: Adrian Damaschek 
Cc: packetfence-users 
Subject: Re: [PacketFence-users] SCEP over Intune dose not work

Hello Adrian,
the error is "err="crypto/rsa: decryption error""

We got multiple issues with intune because of the Key Storage Provider, can you 
verify that it's configured like that?


[image: image001.png]

Regards
Fabrice


On Wed, 16 Feb 2022 at 11:24, Adrian Damaschek 
<mailto:adrian.damasc...@technicondesign.com> wrote:
Hello Fabrice,

I have it set to http for now and just use the IP address to remove any chance 
of a bad hostname or something, I just want it to work, then I'll work out how 
to make it secure and working over the internet so for now it's inside my 
network and testing

As for the logs this is what I get

Feb 16 17:17:58 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:17:58 +0100] 
"GET /captive-portal HTTP/1.0" 200 5112 116 78487 "-" 
"HAPROXY-load-balancing-check"
Feb 16 17:18:08 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:08 +0100] 
"GET /captive-portal HTTP/1.0" 200 5112 116 91712 "-" 
"HAPROXY-load-balancing-check"
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="Got GET request from 
127.0.0.1:51464"
 pid=870
Feb 16 17:18:10 testnac pfpki[870]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="SCEP GET To: 
/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
 pid=870
Feb 16 17:18:10 testnac pfstats[907]: t=2022-02-16T17:18:10+0100 lvl=info 
msg="Calling Unified API on uri: 
https://127.0.0.1:/api/v1/dhcp/stats"
 pid=907
Feb 16 17:18:10 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - 
[16/Feb/2022:17:18:10 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" 
"Go-http-client/1.1"
Feb 16 17:18:10 testnac pfstats[9

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-18 Thread Fabrice Durand via PacketFence-users
 0/0 {} "GET
> /scep/scep_user_wificert/pkiclient.exe?operation=GetCACert&message=default
> HTTP/1.1"
> Feb 16 17:18:18 testnac httpd_portal[1793]: - - - [16/Feb/2022:17:18:18
> +0100] "GET /captive-portal HTTP/1.0" 200 5112 116 59644 "-"
> "HAPROXY-load-balancing-check"
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="Got POST request from 127.0.0.1:51504" pid=870
> Feb 16 17:18:19 testnac pfpki[870]: t=2022-02-16T17:18:19+0100 lvl=info
> msg="SCEP POST To:
> /api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> pid=870
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47
> component=scep_service method=PKIOperation err="crypto/rsa: decryption
> error" took=3.803844ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation
> error=null took=3.877015ms
> Feb 16 17:18:19 testnac pfhttpd[870]: level=info
> ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http
> method=POST status=500 proto=HTTP/1.1 host=127.0.0.1
> user_agent="Mozilla/4.0 (compatible; Win32; NDES client
> 10.0.19041.1466/vb_release_svc_prod1)"
> path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
> Feb 16 17:18:19 testnac haproxy[983]: :50394
> [16/Feb/2022:17:18:19.052] portal-http- pki/127.0.0.1
> 0/0/0/658/658 500 213 - -  2/1/0/0/0 0/0 {} "POST
> /scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info
> msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/dhcp/stats"
> pid=907
> Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
> [16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-"
> "Go-http-client/1.1"
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
> msg="Compile error '$.items[*].network.free, $.items[*].free' parse error
> from GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
> Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn
> msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
> Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info
> msg="Calling Unified API on uri:
> https://127.0.0.1:/api/v1/queues/stats" pid=907
> Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - -
> [16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978
> "-" "Go-http-client/1.1"
>
> I don’t see anything really interesting in the log that is happening here
> that would tell me other than what I would expect.
> The CA is added as trusted root (I am using the built-in PKI) and the
> profile is enabled for SCEP and has the intune app on.
> I checked in AzureAD the app can log in so it has access as I don’t see
> any login fails in the logs.
>
> I might try to setup package fence and follow along what the requests are
> that are sent to the server, but I would have expected something on the PF
> side, since it’s a 500 error
>
> /Adrian
>
>
> From: Fabrice Durand 
> Sent: Wednesday, 16 February 2022 16:58
> To: packetfence-users 
> Cc: Adrian Damaschek 
> Subject: Re: [PacketFence-users] SCEP over Intune dose not work
>
>
> Hello Adrian,
>
> welcome to the intune world ...
> Do you see in the packetfence log when the 500 happens? (journalctl
> command)
> Did you define the scep url as http? If it's the case you can take a
> network capture to see what happens exactly.
>
>
> We also made changes in the incoming PacketFence version for the pki and
> scep, so you can test the devel version to see if it fixes your issue.
>
> Regards
> Fabrice
>
>
> On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users
> <mailto:packetfence-users@lists.sourceforge.net> wrote:
> Hello Everyone,
>
> So I have been using PF for some time to run the NAC on my switches but now
> I am trying to set up the PKI, with SCEP that would provide Intune certs so
> users can use them for Radius WiFi
>
> Sadly I got stuck and I don’t know what I am doing wrong
>
> I got a CA on PFPKI, a SCEP profile, I can run a request via SSCEP, that
> one runs and pops out a cert.
> I got the Intune integration setup with an app registered, the app has the
> permissions

Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-16 Thread Adrian Damaschek via PacketFence-users
s=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 
component=scep_service method=PKIOperation err="crypto/rsa: decryption error" 
took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info 
ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation 
error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info 
ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http 
method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 user_agent="Mozilla/4.0 
(compatible; Win32; NDES client 10.0.19041.1466/vb_release_svc_prod1)" 
path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
Feb 16 17:18:19 testnac haproxy[983]: :50394 
[16/Feb/2022:17:18:19.052] portal-http- pki/127.0.0.1 0/0/0/658/658 500 
213 - -  2/1/0/0/0 0/0 {} "POST 
/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation HTTP/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=info 
msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/dhcp/stats" 
pid=907
Feb 16 17:18:24 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - 
[16/Feb/2022:17:18:24 +0100] "GET /api/v1/dhcp/stats HTTP/1.1" 200 29 "-" 
"Go-http-client/1.1"
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn 
msg="Compile error '$.items[*].network.free, $.items[*].free' parse error from 
GET /api/v1/dhcp/stats: Expected Type to be a Map." pid=907
Feb 16 17:18:24 testnac pfstats[907]: t=2022-02-16T17:18:24+0100 lvl=warn 
msg="Unhandled response type from GET /api/v1/dhcp/stats" pid=907
Feb 16 17:18:26 testnac pfstats[907]: t=2022-02-16T17:18:26+0100 lvl=info 
msg="Calling Unified API on uri: https://127.0.0.1:/api/v1/queues/stats" 
pid=907
Feb 16 17:18:26 testnac pfhttpd[856]: api-frontend-access 127.0.0.1 - - 
[16/Feb/2022:17:18:26 +0100] "GET /api/v1/queues/stats HTTP/1.1" 200 978 "-" 
"Go-http-client/1.1"

I don’t see anything really interesting in the log that is happening here that 
would tell me other than what I would expect.
The CA is added as trusted root (I am using the built-in PKI) and the profile 
is enabled for SCEP and has the intune app on. 
I checked in AzureAD the app can log in so it has access as I don’t see any 
login fails in the logs.

I might try to setup package fence and follow along what the requests are that 
are sent to the server, but I would have expected something on the PF side, 
since it’s a 500 error

/Adrian


From: Fabrice Durand  
Sent: Wednesday, 16 February 2022 16:58
To: packetfence-users 
Cc: Adrian Damaschek 
Subject: Re: [PacketFence-users] SCEP over Intune dose not work


Hello Adrian, 

welcome to the intune world ...
Do you see in the packetfence log when the 500 happens? (journalctl command)
Did you define the scep url as http? If it's the case you can take a network 
capture to see what happens exactly.


We also made changes in the incoming PacketFence version for the pki and scep, 
so you can test the devel version to see if it fixes your issue.

Regards
Fabrice


On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users 
<mailto:packetfence-users@lists.sourceforge.net> wrote:
Hello Everyone, 

So I have been using PF for some time to run the NAC on my switches but now I am 
trying to set up the PKI, with SCEP that would provide Intune certs so users 
can use them for Radius WiFi

Sadly I got stuck and I don’t know what I am doing wrong

I got a CA on PFPKI, a SCEP profile, I can run a request via SSCEP, that one 
runs and pops out a cert.
I got the Intune integration setup with an app registered, the app has the 
permissions as per documentation

I added the CA as a RootCA via intune, this works correctly and now is the part 
that I can't work out.
I can't make a SCEP request work.

Only error I get in windows is SCEP: Certificate enroll failed. Result: 
(Internal server error (500).). Event ID is 32. 

Would appreciate any help with this 

Regards



___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
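
The triage done by eye in this thread, finding the service-layer error behind the HTTP 500, can be scripted. This is an added example, not part of the original messages or of PacketFence; it assumes journal output unwrapped to one record per line, and the function names are hypothetical. The `endpoint.go` record logs `error=null` for the failing request, so the cause is taken from the `component=scep_service` record instead.

```python
import re

# Records copied from the journal output posted in this thread, unwrapped to one
# record per line (the archive wrapped them); user_agent fields are left out.
SAMPLE_LOG = """\
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.606591188Z caller=service_logging.go:22 component=scep_service method=GetCACaps err=null took=710ns
Feb 16 17:18:11 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:11.607165566Z caller=logutil.go:70 component=http method=GET status=200 proto=HTTP/1.1 host=127.0.0.1 path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=GetCACaps&message=default"
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710087765Z caller=service_logging.go:47 component=scep_service method=PKIOperation err="crypto/rsa: decryption error" took=3.803844ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710159057Z caller=endpoint.go:186 op=PKIOperation error=null took=3.877015ms
Feb 16 17:18:19 testnac pfhttpd[870]: level=info ts=2022-02-16T16:18:19.710198081Z caller=logutil.go:70 component=http method=POST status=500 proto=HTTP/1.1 host=127.0.0.1 path="/api/v1/scep/scep_user_wificert/pkiclient.exe?operation=PKIOperation"
"""

# "Feb 16 17:18:19 testnac pfhttpd[870]: <logfmt body>"
PREFIX = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ (\w+)\[\d+\]: (.*)$")
# key=value or key="quoted value" pairs in the logfmt body
PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
OPERATION = re.compile(r"[?&]operation=(\w+)")


def parse_line(line):
    """Split one journal line into a dict of logfmt fields, or None."""
    m = PREFIX.match(line)
    if not m:
        return None
    when, unit, body = m.groups()
    fields = {k: v.strip('"') for k, v in PAIR.findall(body)}
    fields["syslog_time"], fields["unit"] = when, unit
    return fields


def scep_failures(text):
    """Pair each failed SCEP HTTP request with the service-layer error."""
    pending = {}   # SCEP operation -> err string from component=scep_service
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("component") == "scep_service":
            # Here "method" is the SCEP operation, not the HTTP verb.
            if rec.get("err", "null") != "null":
                pending[rec.get("method", "unknown")] = rec["err"]
        elif rec.get("component") == "http":
            op = OPERATION.search(rec.get("path", ""))
            if op is None:
                continue
            cause = pending.pop(op.group(1), None)
            status = int(rec.get("status", "0"))
            if status >= 500 or cause:
                findings.append({"time": rec["syslog_time"], "operation": op.group(1),
                                 "http_status": status, "cause": cause})
    return findings


if __name__ == "__main__":
    for f in scep_failures(SAMPLE_LOG):
        print(f)
```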


Re: [PacketFence-users] SCEP over Intune dose not work

2022-02-16 Thread Fabrice Durand via PacketFence-users
Hello Adrian,

welcome to the intune world ...
Do you see in the packetfence log when the 500 happens? (journalctl
command)
Did you define the scep url as http? If it's the case you can take a
network capture to see what happens exactly.


We also made changes in the incoming PacketFence version for the pki and
scep, so you can test the devel version to see if it fixes your issue.

Regards
Fabrice


On Tue, 15 Feb 2022 at 11:42, Adrian Damaschek via PacketFence-users <
packetfence-users@lists.sourceforge.net> wrote:

> Hello Everyone,
>
> So I have been using PF for some time to run the NAC on my switches but now
> I am trying to set up the PKI, with SCEP that would provide Intune certs so
> users can use them for Radius WiFi
>
> Sadly I got stuck and I don’t know what I am doing wrong
>
> I got a CA on PFPKI, a SCEP profile, I can run a request via SSCEP, that
> one runs and pops out a cert.
> I got the Intune integration setup with an app registered, the app has the
> permissions as per documentation
>
> I added the CA as a RootCA via intune, this works correctly and now is the
> part that I can't work out.
> I can't make a SCEP request work.
>
> Only error I get in windows is SCEP: Certificate enroll failed. Result:
> (Internal server error (500).). Event ID is 32.
>
> Would appreciate any help with this
>
> Regards
>
>
>