Hi Fabrice,

It looks like I didn't join the mailing list correctly (which I have joined
now), so I hope you get this response. Anyway, thanks for your speedy reply;
you're correct, I had a typo in the extended key usage key. I can't believe I
missed that. Anyway, I can get through the agent process and it installs the
cert on a Windows 7 machine, but then I can't connect to the 802.1X wireless
network. From the RADIUS debugging I enabled, I think the client isn't
responding to the RADIUS challenge and/or I haven't added a source to validate
the user certificate. I may have missed a step somewhere. Am I supposed to
configure the packetfence-pki as a source somehow? Below are a couple of
the debug messages I see:
root@pf:/home/jonathan# rad_recv: Access-Request packet from host
192.168.10.2 port 53584, id=50, length=205
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x0201000b0164656e766572
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator =
0x9f539de6ac024e0335a46666ee4df8aa
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77769a16aac51eb549dc9b5fc2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=51,
length=218
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x02020006030d
        State = 0x76980f77769a16aac51eb549dc9b5fc2
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77769a16aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator =
0xe892eab9ce66b769d0d2e6ba8748895b
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x02020006030d
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 51 to 192.168.10.2 port 53584
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77779b02aac51eb549dc9b5fc2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=52,
length=319
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message =
0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
        State = 0x76980f77779b02aac51eb549dc9b5fc2
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
server packetfence {
# Executing section authorize from file
/usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 3 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77779b02aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator =
0x7a2dc547091d18f570b035dad945ef14
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message =
0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 97
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate
A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77749c02aac51eb549dc9b5fc2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.

Then at the end:
Waking up in 4.9 seconds.
Cleaning up request 0 ID 50 with timestamp +46
Cleaning up request 1 ID 51 with timestamp +46
Cleaning up request 2 ID 52 with timestamp +46
Cleaning up request 3 ID 53 with timestamp +46
Cleaning up request 4 ID 54 with timestamp +46
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
WARNING: !! Please read
http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Thanks for your help in advance.

Jonathan
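A way to read the transcript above mechanically, as an added example that is not part of the original e-mail or of PacketFence: the script condenses the FreeRADIUS debug lines into the EAP types negotiated, the TLS handshake records in each direction and what OpenSSL was last waiting for, then names where the exchange stalled. The sample log is a constructed, trimmed copy of the output quoted above; `summarize_eap_tls` and `diagnose` are names chosen here.

```python
import re

# Constructed sample: a condensed copy of the FreeRADIUS -X transcript quoted
# in the e-mail above, keeping only the lines the diagnosis needs.
SAMPLE_LOG = """\
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair EAP-Type = EAP-TLS
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls]     TLS_accept: Need to read more data: SSLv3 read client certificate A
Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
"""

EAPTYPE_RE = re.compile(r"Added pair EAP-Type = (\S+)")
HANDSHAKE_RE = re.compile(r"\[tls\] (<<<|>>>) TLS [\d.]+ Handshake \[length [0-9a-f]+\], (\w+)")
WAITING_RE = re.compile(r"Need to read more data: SSLv3 read (.+?) A\s*$")
REPLY_RE = re.compile(r"Sending (Access-Accept|Access-Reject|Access-Challenge) of id \d+")
UNFINISHED_RE = re.compile(r"EAP session for state (0x[0-9a-f]+) did not finish")

def summarize_eap_tls(log: str) -> dict:
    """Reduce the transcript to EAP types, handshake records (side, message),
    what OpenSSL last waited for, the final RADIUS reply and the unfinished state."""
    s = {"eap_types": [], "handshake": [], "waiting_for": None,
         "last_reply": None, "unfinished_state": None}
    for line in log.splitlines():
        if m := EAPTYPE_RE.search(line):
            s["eap_types"].append(m.group(1))
        elif m := HANDSHAKE_RE.search(line):
            s["handshake"].append(("client" if m.group(1) == "<<<" else "server", m.group(2)))
        elif m := WAITING_RE.search(line):
            s["waiting_for"] = m.group(1)
        elif m := REPLY_RE.search(line):
            s["last_reply"] = m.group(1)
        elif m := UNFINISHED_RE.search(line):
            s["unfinished_state"] = m.group(1)
    return s

def diagnose(s: dict) -> str:
    """Name the point where the exchange stalled, from the summary alone."""
    hs = s["handshake"]
    from_client = [msg for side, msg in hs if side == "client"]
    if hs and hs[-1] == ("server", "CertificateRequest") and from_client == ["ClientHello"]:
        return ("server sent its Certificate and a CertificateRequest and got no reply: "
                "the supplicant rejected the server certificate or has no client certificate to present")
    return "EAP session did not finish; inspect the handshake records"
```

Run against the full `-X` output, the same summary shows whether a later session ever reaches Access-Accept; the stall after CertificateRequest is the pattern the linked Certificate_Compatibility page is about.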

On 10 November 2015 at 09:45, Jonathan Mahady <jonathan.mah...@gmail.com>
wrote:

> Hi,
>
> I'm having an issue with the assignment of certificates using the
> packetfence PKI plugin. The plugin resides on the same box as Packetfence.
> The distro is Debian Wheezy and the version of packetfence is 5.4. I've
> configured the CA, the templates and a radius server cert. I've then added
> the PKI details into packetfence, but when I try to onboard a test user the
> certificate assignment fails with the error that the certificate server
> cannot be reached. I've trawled through the logs and this is a section of
> the error it's reporting:
>
> "<div id="summary">
>   <h1>Error at /pki/cert/rest/get/denver/</h1>
>   <pre class="exception_value">[(&#39;asn1 encoding routines&#39;,
> &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;), (&#39;X509 V3
> routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;, &#39;invalid object
> identifier&#39;), (&#39;X509 V3 routines&#39;, &#39;X509V3_EXT_nconf&#39;,
> &#39;error in extension&#39;)]</pre>
>   <table class="meta">
>
>     <tr>
>       <th>Request Method:</th>
>       <td>POST</td>
>     </tr>
>     <tr>
>       <th>Request URL:</th>
>       <td>https://127.0.0.1:9393/pki/cert/rest/get/denver/</td>
>     </tr>
>
>     <tr>
>       <th>Django Version:</th>
>       <td>1.7.1</td>
>     </tr>
>
>     <tr>
>       <th>Exception Type:</th>
>       <td>Error</td>
>     </tr>
>
>
>     <tr>
>       <th>Exception Value:</th>
>       <td><pre>[(&#39;asn1 encoding routines&#39;,
> &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;), (&#39;X509 V3
> routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;, &#39;invalid object
> identifier&#39;), (&#39;X509 V3 routines&#39;, &#39;X509V3_EXT_nconf&#39;,
> &#39;error in extension&#39;)]</pre></td>
>     </tr>
>
>
>     <tr>
>       <th>Exception Location:</th>
>       <td>/usr/local/packetfence-pki/pki/models.py in sign, line 328</td>
>     </tr>
>
>     <tr>
>       <th>Python Executable:</th>
>       <td>/usr/bin/python</td>
>     </tr>
>     <tr>
>       <th>Python Version:</th>
>       <td>2.7.3</td>
>     </tr>
>     <tr>
>       <th>Python Path:</th>
>       <td><pre>[&#39;/usr/lib/python2.7&#39;,
>  &#39;/usr/lib/python2.7/plat-linux2&#39;,
>  &#39;/usr/lib/python2.7/lib-tk&#39;,
>  &#39;/usr/lib/python2.7/lib-old&#39;,
>  &#39;/usr/lib/python2.7/lib-dynload&#39;,
>  &#39;/usr/local/lib/python2.7/dist-packages&#39;,
>  &#39;/usr/lib/python2.7/dist-packages&#39;,
>  &#39;/usr/lib/python2.7/dist-packages/PIL&#39;,
> "
>
> The cert does get generated as I can see it in the packetfence PKI gui but
> it doesn't get assigned to the user. I'm not sure what the issue is as I'm
> not great with this REST API/Python stuff. I would be extremely grateful
> for any advice or pointers.
>
> Cheers,
>
> Jonathan
>
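The `first num too large` / `invalid object identifier` pair in the traceback above is what OpenSSL reports when an extendedKeyUsage entry is neither a short name it knows nor a well-formed dotted OID (the first arc must be 0, 1 or 2, and the second below 40 unless the first is 2). As an added example, not code from PacketFence-PKI or from the poster, here is a pre-check a PKI template could run before handing the value to the signer; `validate_eku` and `check_oid` are names chosen here, and the short-name set lists only the common OpenSSL names.

```python
import re
from typing import List, Optional

# Common short names OpenSSL's extendedKeyUsage parser accepts (the lookup is
# case-sensitive); anything else must be a dotted OID or the parser fails.
EKU_SHORT_NAMES = {"serverAuth", "clientAuth", "codeSigning", "emailProtection",
                   "timeStamping", "OCSPSigning", "ipsecIKE", "msCodeInd",
                   "msCodeCom", "msCTLSign", "msEFS"}
DOTTED_OID_RE = re.compile(r"^\d+(\.\d+)+$")

def check_oid(oid: str) -> Optional[str]:
    """Apply the arc rules a2d_ASN1_OBJECT enforces on a dotted OID.
    Returns OpenSSL's reason string for a failure, or None when it is valid."""
    if not DOTTED_OID_RE.match(oid):
        return "not a dotted OID"
    first, second = (int(a) for a in oid.split(".")[:2])
    if first > 2:
        return "first num too large"      # the reason quoted in the Django trace
    if first < 2 and second >= 40:
        return "second num too large"
    return None

def validate_eku(value: str) -> List[str]:
    """Check an extendedKeyUsage value in the form OpenSSL's config parser reads,
    e.g. 'critical,serverAuth,1.3.6.1.5.5.7.3.2'. One message per bad item; an
    empty list means every item passes the short-name and OID checks."""
    problems: List[str] = []
    for item in (x.strip() for x in value.split(",")):
        if item == "critical" or item in EKU_SHORT_NAMES:
            continue
        if not DOTTED_OID_RE.match(item):
            problems.append(f"{item!r}: not a known short name or dotted OID")
            continue
        err = check_oid(item)
        if err:
            problems.append(f"{item!r}: {err}")
    return problems
```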
------------------------------------------------------------------------------
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users