Hi Fabrice,

It looks like I didn't join the mailing list correctly (which I have joined now), so I hope you get this response. Anyway, thanks for your speedy reply. You're correct, I had a typo in the extended key usage key. I can't believe I missed that.

Anyway, I can get through the agent process and it installs the cert on a Windows 7 machine, but then I can't connect to the 802.1X wireless network. From the RADIUS debugging I enabled, I think the client isn't responding to the RADIUS challenge and/or I haven't added a source to validate the user certificate. I may have missed a step somewhere. Am I supposed to configure the packetfence-pki as a source somehow? Below are a couple of the debug messages I see:

root@pf:/home/jonathan#
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=50, length=205
	User-Name = "denver"
	NAS-IP-Address = 192.168.10.2
	NAS-Port = 0
	NAS-Identifier = "192.168.10.2"
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "a088b415ed6c"
	Called-Station-Id = "186472cb100c"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 0x0201000b0164656e766572
	Aruba-Essid-Name = "Secure@Denver-Lab"
	Aruba-Location-Id = "18:64:72:cb:10:0c"
	Aruba-AP-Group = "instant-CB:10:0C"
	Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
	expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
	EAP-Message = 0x010200061920
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x76980f77769a16aac51eb549dc9b5fc2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=51, length=218
	User-Name = "denver"
	NAS-IP-Address = 192.168.10.2
	NAS-Port = 0
	NAS-Identifier = "192.168.10.2"
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "a088b415ed6c"
	Called-Station-Id = "186472cb100c"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 0x02020006030d
	State = 0x76980f77769a16aac51eb549dc9b5fc2
	Aruba-Essid-Name = "Secure@Denver-Lab"
	Aruba-Location-Id = "18:64:72:cb:10:0c"
	Aruba-AP-Group = "instant-CB:10:0C"
	Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
	expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77769a16aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x02020006030d
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 51 to 192.168.10.2 port 53584
	EAP-Message = 0x010300060d20
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x76980f77779b02aac51eb549dc9b5fc2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=52, length=319
	User-Name = "denver"
	NAS-IP-Address = 192.168.10.2
	NAS-Port = 0
	NAS-Identifier = "192.168.10.2"
	NAS-Port-Type = Wireless-802.11
	Calling-Station-Id = "a088b415ed6c"
	Called-Station-Id = "186472cb100c"
	Service-Type = Login-User
	Framed-MTU = 1100
	EAP-Message = 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
	State = 0x76980f77779b02aac51eb549dc9b5fc2
	Aruba-Essid-Name = "Secure@Denver-Lab"
	Aruba-Location-Id = "18:64:72:cb:10:0c"
	Aruba-AP-Group = "instant-CB:10:0C"
	Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 3 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
	expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77779b02aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
TLS Length 97
[tls] Length Included
[tls] eaptls_verify returned 11
[tls] (other): before/accept initialization
[tls] TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls] TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls] TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls] TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls] TLS_accept: SSLv3 write certificate request A
[tls] TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
	EAP-Message = 0x010404000dc00000051616030100390200003503015642f1f3d092678ea8ef861a068f6927e174e340ef1f41cbbbda9ecad3e09a7d00c01400000dff01000100000b00040300010216030103700b00036c000369000366308203623082024a020101300d06092a864886f70d01010505003069311630140603550403130d70662e64656e7665722d6c61623128302606092a864886f70d01090116196a6f6e617468616e2e6d616861647940676d61696c2e636f6d310b3009060355040813025741310b3009060355040a13024954310b3009060355040613024155301e170d3135313130353133323034385a170d3137313130343134323034385a30
	EAP-Message = 0x69311630140603550403130d70662e64656e7665722d6c61623128302606092a864886f70d01090116196a6f6e617468616e2e6d616861647940676d61696c2e636f6d310b3009060355040813025741310b3009060355040a13024954310b300906035504061302415530820122300d06092a864886f70d01010105000382010f003082010a0282010100c1e22faed036c34274aaa466a9a522821fcdf13e619a90ba425c999c1d98fbb871bdb3170f4337402f7124d5307fa5f859cfaea00c09481c4ca85a681a002854386dd11885a6fa1ed68bb868bd881eef0bcc640ac191b8f0218c3acd69007c5ebf8f7d8676aaf9f73b83ba8d7dae8ea66fed
	EAP-Message = 0x32a3cb9cbb4f22347aaad9d4
	Message-Authenticator = 0x00000000000000000000000000000000
	State = 0x76980f77749c02aac51eb549dc9b5fc2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Then at the end:

Waking up in 4.9 seconds.
Cleaning up request 0 ID 50 with timestamp +46
Cleaning up request 1 ID 51 with timestamp +46
Cleaning up request 2 ID 52 with timestamp +46
Cleaning up request 3 ID 53 with timestamp +46
Cleaning up request 4 ID 54 with timestamp +46
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Thanks for your help in advance.

Jonathan

On 10 November 2015 at 09:45, Jonathan Mahady <jonathan.mah...@gmail.com> wrote:
> Hi,
>
> I'm having an issue with the assignment of certificates using the
> packetfence PKI plugin. The plugin resides on the same box as Packetfence.
> The distro is Debian Wheezy and the version of packetfence is 5.4. I've
> configured the CA, the templates and a radius server cert. I've then added
> the PKI details into packetfence, but when I try to onboard a test user the
> certificate assignment fails with the error that the certificate server
> cannot be reached.
> I've trawled through the logs and this is a section of the
> error it's reporting:
>
> "<div id="summary">
> <h1>Error at /pki/cert/rest/get/denver/</h1>
> <pre class="exception_value">[('asn1 encoding routines',
> 'a2d_ASN1_OBJECT', 'first num too large'), ('X509 V3
> routines', 'V2I_EXTENDED_KEY_USAGE', 'invalid object
> identifier'), ('X509 V3 routines', 'X509V3_EXT_nconf',
> 'error in extension')]</pre>
> <table class="meta">
>
> <tr>
> <th>Request Method:</th>
> <td>POST</td>
> </tr>
> <tr>
> <th>Request URL:</th>
> <td>https://127.0.0.1:9393/pki/cert/rest/get/denver/</td>
> </tr>
>
> <tr>
> <th>Django Version:</th>
> <td>1.7.1</td>
> </tr>
>
> <tr>
> <th>Exception Type:</th>
> <td>Error</td>
> </tr>
>
> <tr>
> <th>Exception Value:</th>
> <td><pre>[('asn1 encoding routines',
> 'a2d_ASN1_OBJECT', 'first num too large'), ('X509 V3
> routines', 'V2I_EXTENDED_KEY_USAGE', 'invalid object
> identifier'), ('X509 V3 routines', 'X509V3_EXT_nconf',
> 'error in extension')]</pre></td>
> </tr>
>
> <tr>
> <th>Exception Location:</th>
> <td>/usr/local/packetfence-pki/pki/models.py in sign, line 328</td>
> </tr>
>
> <tr>
> <th>Python Executable:</th>
> <td>/usr/bin/python</td>
> </tr>
> <tr>
> <th>Python Version:</th>
> <td>2.7.3</td>
> </tr>
> <tr>
> <th>Python Path:</th>
> <td><pre>['/usr/lib/python2.7',
> '/usr/lib/python2.7/plat-linux2',
> '/usr/lib/python2.7/lib-tk',
> '/usr/lib/python2.7/lib-old',
> '/usr/lib/python2.7/lib-dynload',
> '/usr/local/lib/python2.7/dist-packages',
> '/usr/lib/python2.7/dist-packages',
> '/usr/lib/python2.7/dist-packages/PIL',
> "
>
> The cert does get generated as I can see it in the packetfence PKI GUI, but
> it doesn't get assigned to the user. I'm not sure what the issue is as I'm
> not great with this REST API/Python stuff. I would be extremely grateful
> for any advice or pointers.
>
> Cheers,
>
> Jonathan
>
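To read what the EAP-Message values in the debug output above actually carry, here is an added decoder (example code written for this page, not part of the thread, PacketFence or FreeRADIUS). It walks the exchange as logged: the Identity response, the server offering PEAP (type 25), the client's NAK asking for EAP-TLS (type 13), the EAP-TLS Start, the 97-byte ClientHello, and the first fragment of the server's ServerHello/Certificate/CertificateRequest reply, after which the log shows the server waiting at "read client certificate A" and the session never finishing.

```python
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Legacy-NAK", 13: "EAP-TLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}
TLS_HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
                 13: "CertificateRequest", 16: "ClientKeyExchange", 20: "Finished"}


def decode_eap(hexstr):
    """Parse one EAP packet (RFC 3748); for EAP-TLS/PEAP also its RFC 5216 flags and TLS record."""
    data = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = data[0], data[1], int.from_bytes(data[2:4], "big")
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if code in (3, 4) or len(data) < 5:          # Success/Failure carry no Type field
        return out
    typ, payload = data[4], data[5:]
    out["type"] = EAP_TYPES.get(typ, typ)
    if typ == 1:                                 # Identity: the outer user name
        out["identity"] = payload.decode("ascii", "replace")
    elif typ == 3:                               # Legacy NAK: methods the peer wants instead
        out["nak_wants"] = [EAP_TYPES.get(t, t) for t in payload]
    elif typ in (13, 25) and payload:            # EAP-TLS / PEAP: flags byte, then TLS data
        flags = payload[0]
        out["flags"] = {"L": bool(flags & 0x80), "M": bool(flags & 0x40), "S": bool(flags & 0x20)}
        tls = payload[1:]
        if flags & 0x80:                         # L: 4-byte total TLS message length follows
            out["tls_total_len"] = int.from_bytes(tls[:4], "big")
            tls = tls[4:]
        if len(tls) >= 6 and tls[0] == 0x16:     # TLS record type 22 = Handshake
            out["tls_version"] = "%d.%d" % (tls[1], tls[2])
            out["handshake"] = TLS_HANDSHAKE.get(tls[5], tls[5])
    return out


def summarize(messages):
    """One line per packet, in the order the packets appear in the debug output."""
    lines = []
    for m in messages:
        p = decode_eap(m)
        detail = p.get("identity") or p.get("nak_wants") or p.get("handshake") or p.get("flags")
        lines.append("%s id=%d %s %s" % (p["code"], p["id"], p.get("type", ""), detail))
    return lines


if __name__ == "__main__":
    # EAP-Message values from the log above (the two long ones cut to their first 16 bytes):
    # Identity, server offers PEAP, client NAKs for EAP-TLS, EAP-TLS Start, ClientHello, ServerHello.
    for line in summarize(["0x0201000b0164656e766572", "0x010200061920", "0x02020006030d",
                           "0x010300060d20", "0x0203006b0d8000000061160301005c01",
                           "0x010404000dc000000516160301003902"]):
        print(line)
```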
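The traceback quoted in the original post comes from OpenSSL's a2d_ASN1_OBJECT refusing to DER-encode a dotted OID whose first arc is not 0, 1 or 2 ("first num too large"), which is how a typo in a template's extended key usage OID surfaces when the PKI signs. Below is an added example (not from the thread or the packetfence-pki code) that applies the same arc rules and the X.690 encoding so a template's EKU OIDs can be checked before signing; the mistyped OIDs in the test are constructed.

```python
# Extended key usage purposes a PKI template for 802.1X would normally reference.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.4": "emailProtection",
}


def oid_to_der(oid):
    """DER-encode a dotted OID (X.690 8.19) with the same arc checks OpenSSL applies."""
    try:
        arcs = [int(a) for a in oid.strip().split(".")]
    except ValueError:
        raise ValueError("invalid object identifier: %r" % oid)
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("invalid object identifier: %r" % oid)
    if arcs[0] > 2:
        raise ValueError("first num too large")      # the message in the quoted traceback
    if arcs[0] < 2 and arcs[1] >= 40:
        raise ValueError("second num too large")
    body = bytearray()
    for n in [40 * arcs[0] + arcs[1]] + arcs[2:]:    # first two arcs share one subidentifier
        groups = [n & 0x7F]
        n >>= 7
        while n:
            groups.append(0x80 | (n & 0x7F))         # base-128, high bit set on all but the last
            n >>= 7
        body.extend(reversed(groups))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)    # tag 0x06 = OBJECT IDENTIFIER


def check_eku(oids):
    """Return (True, names) if every OID encodes, else (False, 'oid: openssl-style error')."""
    names = []
    for oid in oids:
        try:
            oid_to_der(oid)
        except ValueError as e:
            return False, "%s: %s" % (oid, e)
        names.append(EKU_NAMES.get(oid, oid))
    return True, names


if __name__ == "__main__":
    print(oid_to_der("1.3.6.1.5.5.7.3.2").hex())
    print(check_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.1"]))
    print(check_eku(["13.6.1.5.5.7.3.2"]))   # constructed typo: dropped dot after the 1
```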
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users