Hello Ludovic,

Thanks for your reply.

It’s clear, there are no connections to domain controllers, RADIUS is signed 
with a valid certificate from the Microsoft PKI, and EAPTLS authentication works well.
But the Authentication source defined to use EAPTLS is just ignored by the 
authentication process: machines aren’t getting the role defined in the 
authentication rule (even with no conditions, a catch-all rule), they always get 
the registration role.

--
Andrey Chernyakov
Senior Network and Security Engineer

email: chernya...@npsconsult.com

NPS Consult S.A.
L-5687, Dalheim
Luxembourg

On 15 Feb 2024 at 15:11 +0100, Zammit, Ludovic <luza...@akamai.com>, wrote:
> Hello Andrey,
>
> For EAP TLS you don’t need to join the PF servers to your domain.
>
> You will need to add the Root CA that signed the user/computer certs under 
> Configuration > System Configuration > SSL Certificates > RADIUS > RADIUS 
> Certification Authority Certificate(s).
>
> Thanks,
>
>
>
> Ludovic Zammit
> Product Support Engineer Principal Lead
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us:
>
> > On Feb 14, 2024, at 8:22 AM, Andrey Chernyakov via PacketFence-users 
> > <packetfence-users@lists.sourceforge.net> wrote:
> >
> > Hi, PacketFence community,
> >
> > Currently I’m evaluating EAPTLS authentication with machine certificates in 
> > my lab for a wired network, but the Authentication Source with EAPTLS doesn’t 
> > seem to be working.
> >
> > From my perspective, the configuration is good: the EAP profile prefers TLS 
> > authentication, RADIUS has a valid certificate signed by the same CA as the 
> > machine certificates which I use for EAPTLS authentication. The Connection 
> > profile allows auto-registration of devices. The Authentication source should 
> > catch all authentication attempts and assign devices to a role (gaming, for 
> > example).
> >
> > The problem with such a configuration is that devices are authenticated and 
> > auto-registered, but they aren’t matched with the authentication source rules 
> > (the last screenshot with the log can prove it), and they are respectively 
> > registered with no role. But I need a role in order to be able to assign 
> > devices the relevant profile. Below you can find screenshots from my lab; 
> > any ideas how to fix it?
> >
> > Appreciate your help in advance!
> >
> > <Screenshot 2024-02-12 at 16.04.15.png>
> > <Screenshot 2024-02-12 at 16.04.48.png>
> > <Screenshot 2024-02-12 at 16.05.35.png>
> > <Attachment.png>
> >
> > --
> > Andrey Chernyakov
> > Senior Network and Security Engineer
> >
> > email: chernya...@npsconsult.com
> >
> > NPS Consult S.A.
> > L-5687, Dalheim
> > Luxembourg
> > _______________________________________________
> > PacketFence-users mailing list
> > PacketFence-users@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/packetfence-users
>