Hello Jonathan,

Did you configure the certificate on the RADIUS side?
https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_PKI_Quick_Install_Guide.asciidoc#step-3-configuring-packetfence
Do you have the CA pub key on the client side?

Regards
Fabrice

On 2015-11-11 03:21, Jonathan Mahady wrote:
Hi Fabrice,

It looks like I didn't join the mailing list correctly (which I have joined now), so I hope you get this response. Anyway, thanks for your speedy reply. You're correct, I had a typo in the extended key usage key. I can't believe I missed that. Anyway, I can get through the agent process and it installs the cert on a Windows 7 machine, but then I can't connect to the 802.1X wireless network. From the RADIUS debugging I enabled I think the client isn't responding to the RADIUS challenge and/or I haven't added a source to validate the user certificate. I may have missed a step somewhere. Am I supposed to configure the packetfence-pki as a source somehow? Below are a couple of the debug messages I see:

root@pf:/home/jonathan# rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=50, length=205
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x0201000b0164656e766572
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 1 length 11
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
rlm_perl: Added pair EAP-Type = Identity
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
        EAP-Message = 0x010200061920
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77769a16aac51eb549dc9b5fc2
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=51, length=218
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
        EAP-Message = 0x02020006030d
        State = 0x76980f77769a16aac51eb549dc9b5fc2
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 2 length 6
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77769a16aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
rlm_perl: Added pair EAP-Type = NAK
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x02020006030d
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP NAK
[eap] EAP-NAK asked for EAP-Type/tls
[eap] processing type tls
[tls] Requiring client certificate
[tls] Initiate
[tls] Start returned 1
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 51 to 192.168.10.2 port 53584
        EAP-Message = 0x010300060d20
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77779b02aac51eb549dc9b5fc2
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=52, length=319
        User-Name = "denver"
        NAS-IP-Address = 192.168.10.2
        NAS-Port = 0
        NAS-Identifier = "192.168.10.2"
        NAS-Port-Type = Wireless-802.11
        Calling-Station-Id = "a088b415ed6c"
        Called-Station-Id = "186472cb100c"
        Service-Type = Login-User
        Framed-MTU = 1100
EAP-Message = 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
        State = 0x76980f77779b02aac51eb549dc9b5fc2
        Aruba-Essid-Name = "Secure@Denver-Lab"
        Aruba-Location-Id = "18:64:72:cb:10:0c"
        Aruba-AP-Group = "instant-CB:10:0C"
        Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
server packetfence {
# Executing section authorize from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authorize {
[suffix] No '@' in User-Name = "denver", skipping NULL due to config.
++[suffix] = noop
[ntdomain] No '\' in User-Name = "denver", looking up realm NULL
[ntdomain] No such realm "NULL"
++[ntdomain] = noop
++[preprocess] = ok
[eap] EAP packet type response id 3 length 107
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] = updated
++[files] = noop
++[expiration] = noop
++[logintime] = noop
++update request {
        expand: %{Packet-Src-IP-Address} -> 192.168.10.2
++} # update request = noop
++update control {
++} # update control = noop
rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
rlm_perl: Added pair Service-Type = Login-User
rlm_perl: Added pair State = 0x76980f77779b02aac51eb549dc9b5fc2
rlm_perl: Added pair Called-Station-Id = 186472cb100c
rlm_perl: Added pair Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
rlm_perl: Added pair EAP-Type = EAP-TLS
rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
rlm_perl: Added pair User-Name = denver
rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
rlm_perl: Added pair NAS-Identifier = 192.168.10.2
rlm_perl: Added pair EAP-Message = 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
rlm_perl: Added pair NAS-Port = 0
rlm_perl: Added pair Framed-MTU = 1100
rlm_perl: Added pair PacketFence-RPC-Pass =
rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
rlm_perl: Added pair PacketFence-RPC-Proto = http
rlm_perl: Added pair PacketFence-RPC-User =
rlm_perl: Added pair Auth-Type = EAP
rlm_perl: Added pair PacketFence-RPC-Port = 7070
++[packetfence] = noop
+} # group authorize = updated
Found Auth-Type = EAP
# Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
+group authenticate {
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls] Authenticate
[tls] processing EAP-TLS
  TLS Length 97
[tls] Length Included
[tls] eaptls_verify returned 11
[tls]     (other): before/accept initialization
[tls]     TLS_accept: before/accept initialization
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls]     TLS_accept: SSLv3 read client hello A
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls]     TLS_accept: SSLv3 write server hello A
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls]     TLS_accept: SSLv3 write certificate A
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls]     TLS_accept: SSLv3 write key exchange A
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls]     TLS_accept: SSLv3 write certificate request A
[tls]     TLS_accept: SSLv3 flush data
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
In SSL Handshake Phase
In SSL Accept mode
[tls] eaptls_process returned 13
++[eap] = handled
+} # group authenticate = handled
} # server packetfence
Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
EAP-Message = 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 EAP-Message = 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 EAP-Message = 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 EAP-Message = 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
        EAP-Message = 0x32a3cb9cbb4f22347aaad9d4
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0x76980f77749c02aac51eb549dc9b5fc2
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.

Then at the end
Waking up in 4.9 seconds.
Cleaning up request 0 ID 50 with timestamp +46
Cleaning up request 1 ID 51 with timestamp +46
Cleaning up request 2 ID 52 with timestamp +46
Cleaning up request 3 ID 53 with timestamp +46
Cleaning up request 4 ID 54 with timestamp +46
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
WARNING: !! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


Thanks for your help in advance.

Jonathan
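The debug output above shows where the EAP-TLS conversation stops: the server has sent its Certificate and a CertificateRequest, waits at "read client certificate A", and the session then times out with "did not finish". The triage script below is an added example for this thread (it is not PacketFence or FreeRADIUS code): it parses the `[tls] <<< / >>>` handshake lines of a `radiusd -X` log and reports at which step the supplicant stopped answering. The two log excerpts are constructed and only modelled on the output quoted above; the TLS alert line format is an assumption about FreeRADIUS 2.x output.

```python
"""Triage of a FreeRADIUS 2.x debug log (radiusd -X) for a stalled EAP-TLS attempt."""
import re

# "[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello"
# '<<<' is a record received from the supplicant, '>>>' one the server sent.
HANDSHAKE_RE = re.compile(
    r"\[tls\]\s+(<<<|>>>)\s+TLS \S+ Handshake \[length [0-9a-f]+\],\s+(\w+)")
# Alert line format assumed for FreeRADIUS 2.x, e.g.
# "[tls] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca"
CLIENT_ALERT_RE = re.compile(
    r"\[tls\]\s+<<<\s+TLS \S+ Alert \[length [0-9a-f]+\],\s+(.+)")
UNFINISHED_RE = re.compile(r"EAP session for state 0x[0-9a-f]+ did not finish")


def parse_handshake(log_text):
    """Ordered (origin, message) pairs, origin being 'client' or 'server'."""
    found = []
    for line in log_text.splitlines():
        m = HANDSHAKE_RE.search(line)
        if m:
            found.append(("client" if m.group(1) == "<<<" else "server", m.group(2)))
    return found


def client_alert(log_text):
    """The TLS alert the supplicant sent, or None if it sent none."""
    m = CLIENT_ALERT_RE.search(log_text)
    return m.group(1).strip() if m else None


def diagnose(log_text):
    """Return (verdict, hint) for one EAP-TLS conversation in the log."""
    msgs = parse_handshake(log_text)
    server_sent = [m for o, m in msgs if o == "server"]
    client_sent = [m for o, m in msgs if o == "client"]
    alert = client_alert(log_text)
    if "Sending Access-Accept" in log_text:
        return "ok", "handshake completed and the request was accepted"
    if alert:
        return "client-alert", ("supplicant aborted with TLS alert '%s': it did not trust "
                                "the RADIUS server certificate (check the chain, the EKU "
                                "serverAuth and the CA installed on the client)" % alert)
    if not client_sent:
        return "no-client-hello", ("supplicant never started TLS: check that the wireless "
                                   "profile selects EAP-TLS (see the Identity/NAK exchange)")
    if "CertificateRequest" in server_sent and "Certificate" not in client_sent:
        return "client-certificate-missing", (
            "server sent CertificateRequest and never received a client Certificate: "
            "the supplicant has no usable user certificate for this profile, or it "
            "silently dropped the connection after seeing the server certificate")
    if "Certificate" in client_sent and "Sending Access-Reject" in log_text:
        return "client-certificate-rejected", ("client certificate presented but rejected: "
                                               "check the CA file and CRL settings in eap.conf")
    if UNFINISHED_RE.search(log_text):
        return "stalled", "session timed out after %s" % msgs[-1][1]
    return "incomplete", "no terminal event in this excerpt"


# Constructed excerpt modelled on the debug output quoted in the thread (not a verbatim copy)
STALLED_LOG = """\
rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=52, length=319
[eap] EAP/tls
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls] TLS_accept: Need to read more data: SSLv3 read client certificate A
Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
"""

# Constructed excerpt of a successful EAP-TLS exchange, for comparison
OK_LOG = """\
[tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
[tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
[tls] >>> TLS 1.0 Handshake [length 0370], Certificate
[tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
[tls] <<< TLS 1.0 Handshake [length 0312], Certificate
[tls] <<< TLS 1.0 Handshake [length 0086], ClientKeyExchange
[tls] <<< TLS 1.0 Handshake [length 0086], CertificateVerify
[tls] <<< TLS 1.0 Handshake [length 0010], Finished
[tls] >>> TLS 1.0 Handshake [length 0010], Finished
Sending Access-Accept of id 57 to 192.168.10.2 port 53584
"""

if __name__ == "__main__":
    for name, log in (("stalled", STALLED_LOG), ("ok", OK_LOG)):
        verdict, hint = diagnose(log)
        print("%s: %s -> %s" % (name, verdict, hint))
```

Run it against a full `radiusd -X` capture of one attempt; the "client-certificate-missing" verdict is the one that matches the log in this thread, and it points at the client side (user certificate and CA installed on the Windows 7 machine, and whether the supplicant accepts the RADIUS server certificate) rather than at the server's authorize section, which ran cleanly.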

On 10 November 2015 at 09:45, Jonathan Mahady <jonathan.mah...@gmail.com> wrote:

    Hi,

    I'm having an issue with the assignment of certificates using the
    packetfence PKI plugin. The plugin resides on the same box as
    Packetfence. The distro is Debian Wheezy and the version of
    packetfence is 5.4. I've configured the CA, the templates and a
    radius server cert. I've then added the PKI details into
    packetfence but when I try to onboard a test user the certificate
    assignment fails with the error that the certificate server cannot
    be reached. I've trawled through the logs and this is a section of
    the error it's reporting:

    "<div id="summary">
      <h1>Error at /pki/cert/rest/get/denver/</h1>
      <pre class="exception_value">[(&#39;asn1 encoding routines&#39;,
    &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;),
    (&#39;X509 V3 routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;,
    &#39;invalid object identifier&#39;), (&#39;X509 V3 routines&#39;,
    &#39;X509V3_EXT_nconf&#39;, &#39;error in extension&#39;)]</pre>
      <table class="meta">

        <tr>
          <th>Request Method:</th>
          <td>POST</td>
        </tr>
        <tr>
          <th>Request URL:</th>
          <td>https://127.0.0.1:9393/pki/cert/rest/get/denver/</td>
        </tr>

        <tr>
          <th>Django Version:</th>
          <td>1.7.1</td>
        </tr>

        <tr>
          <th>Exception Type:</th>
          <td>Error</td>
        </tr>


        <tr>
          <th>Exception Value:</th>
          <td><pre>[(&#39;asn1 encoding routines&#39;,
    &#39;a2d_ASN1_OBJECT&#39;, &#39;first num too large&#39;),
    (&#39;X509 V3 routines&#39;, &#39;V2I_EXTENDED_KEY_USAGE&#39;,
    &#39;invalid object identifier&#39;), (&#39;X509 V3 routines&#39;,
    &#39;X509V3_EXT_nconf&#39;, &#39;error in extension&#39;)]</pre></td>
        </tr>


        <tr>
          <th>Exception Location:</th>
          <td>/usr/local/packetfence-pki/pki/models.py in sign, line
    328</td>
        </tr>

        <tr>
          <th>Python Executable:</th>
          <td>/usr/bin/python</td>
        </tr>
        <tr>
          <th>Python Version:</th>
          <td>2.7.3</td>
        </tr>
        <tr>
          <th>Python Path:</th>
    <td><pre>[&#39;/usr/lib/python2.7&#39;,
     &#39;/usr/lib/python2.7/plat-linux2&#39;,
     &#39;/usr/lib/python2.7/lib-tk&#39;,
     &#39;/usr/lib/python2.7/lib-old&#39;,
     &#39;/usr/lib/python2.7/lib-dynload&#39;,
     &#39;/usr/local/lib/python2.7/dist-packages&#39;,
     &#39;/usr/lib/python2.7/dist-packages&#39;,
     &#39;/usr/lib/python2.7/dist-packages/PIL&#39;,
    "

    The cert does get generated as I can see it in the packetfence PKI
    gui but it doesn't get assigned to the user. I'm not sure what the
    issue is as I'm not great with this REST API/Python stuff. I would
    be extremely grateful for any advice or pointers.

    Cheers,

    Jonathan
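The traceback in the post above comes from OpenSSL refusing the extendedKeyUsage string while signing: `a2d_ASN1_OBJECT` reports "first num too large" when a token is parsed as a dotted OID whose first arc is above 2, and `V2I_EXTENDED_KEY_USAGE` wraps that as "invalid object identifier". The checker below is an added example, not PacketFence PKI code: it applies the same arc rules to an EKU value before it is handed to the signer, so a typo is caught with a readable message instead of a Django 500 page. The sample values it rejects are constructed for illustration; they are not the typo from the post.

```python
"""Syntax check for an OpenSSL extendedKeyUsage value before it is handed to the signer."""

# Short names OpenSSL's v2i_EXTENDED_KEY_USAGE accepts for the EKU extension
KNOWN_EKU_NAMES = {
    "serverAuth", "clientAuth", "codeSigning", "emailProtection", "timeStamping",
    "OCSPSigning", "ipsecIKE", "msCodeInd", "msCodeCom", "msCTLSign", "msEFS",
}


def check_oid(text):
    """Apply the arc rules a2d_ASN1_OBJECT enforces; return the arcs as ints.

    Error wording mirrors OpenSSL's own reason strings where one exists.
    """
    arcs = text.split(".")
    if len(arcs) < 2 or not all(a.isdigit() for a in arcs):
        raise ValueError("invalid object identifier: %r" % text)
    values = [int(a) for a in arcs]
    if values[0] > 2:
        raise ValueError("first num too large: %r" % text)
    if values[0] < 2 and values[1] > 39:
        raise ValueError("second num too large: %r" % text)
    return values


def encode_oid(arcs):
    """DER content octets for an OID: 40*first+second, then base-128 big-endian."""
    merged = [40 * arcs[0] + arcs[1]] + list(arcs[2:])
    out = bytearray()
    for v in merged:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def validate_eku(value):
    """Return (critical, tokens) for an extendedKeyUsage string or raise ValueError."""
    tokens = [t.strip() for t in value.split(",")]
    critical = False
    accepted = []
    for tok in tokens:
        if not tok:
            raise ValueError("empty token in extension value: %r" % value)
        if tok == "critical":
            critical = True
        elif tok in KNOWN_EKU_NAMES:
            accepted.append(tok)
        else:
            # Unknown name: OpenSSL then tries to parse the token as a dotted OID.
            arcs = check_oid(tok)
            encode_oid(arcs)  # the DER OpenSSL would build for it
            accepted.append(tok)
    if not accepted:
        raise ValueError("no usage in extension value: %r" % value)
    return critical, accepted


def eku_problem(value):
    """None if the value is acceptable, otherwise the error text."""
    try:
        validate_eku(value)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed samples: one good template value and two typo'd ones
    for sample in ("clientAuth", "critical,clientAuth,1.3.6.1.5.5.7.3.2",
                   "13.6.1.5.5.7.3.2", "cleintAuth"):
        print("%-40s -> %s" % (sample, eku_problem(sample) or "ok"))
```

For a user certificate that the RADIUS server will accept for EAP-TLS the value should contain `clientAuth` (OID 1.3.6.1.5.5.7.3.2); the RADIUS server's own certificate needs `serverAuth`, which is the check behind the Certificate_Compatibility page that FreeRADIUS points to in its warning.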




------------------------------------------------------------------------------


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
