Hello Stefan,
What is the status of the node in PacketFence after it connects via EAP-TLS?
If the status is unreg, you could simply add a vlan filter that
AutoRegisters nodes when they connect via EAP-TLS.
Examples are available in /usr/local/pf/conf/vlan_filters.conf; we could
provide some if necessary.
Thank you
On 10/05/2016 11:11 AM, Marold, Stefan wrote:
Hello all,
I’m using PacketFence ZEN 6.2.1 and want to authenticate clients with
our MSPKI. I followed the instructions in
https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html
up to ‘3.2.2 RADIUS EAP-TLS and MSPKI’ except for enabling OCSP.
However, the clients are always put into the registration vlan instead
of the default vlan:
[root@PacketFence-6_2_1 logs]# tail -f /usr/local/pf/logs/radius.log
Wed Oct 5 10:48:55 2016 : Warning: rlm_sql (sql_reject):
authorize_check_query is empty. Please delete it from the configuration
Wed Oct 5 10:48:55 2016 : Info: rlm_sql (sql_reject): Attempting to
connect to database "pf"
Wed Oct 5 10:48:55 2016 : Warning:
[raddb//mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay" found in filter list for realm "DEFAULT".
Wed Oct 5 10:48:55 2016 : Warning:
[raddb//mods-config/attr_filter/access_reject]:11 Check item
"FreeRADIUS-Response-Delay-USec" found in filter list for realm
"DEFAULT".
Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server <default>
Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence-tunnel
Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence-cli
Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server dynamic_clients
Wed Oct 5 10:48:55 2016 : Info: Loaded virtual server packetfence
Wed Oct 5 10:48:55 2016 : Info: Ready to process requests
Wed Oct 5 10:49:39 2016 : Error: (10) Ignoring duplicate packet from
client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in
component post-auth module packetfence
Wed Oct 5 10:49:41 2016 : Error: (10) Ignoring duplicate packet from
client 172.20.10.118 port 1645 - ID: 133 due to unfinished request in
component post-auth module packetfence
Wed Oct 5 10:49:41 2016 : Auth: rlm_perl: Returning vlan 11 to
request from 74:2b:62:6d:47:d4 port 50101
Wed Oct 5 10:49:41 2016 : rlm_perl: PacketFence RESULT RESPONSE CODE:
2 (2 means OK)
Wed Oct 5 10:49:42 2016 : Info: rlm_sql (sql): Need 4 more
connections to reach 10 spares
Wed Oct 5 10:49:42 2016 : Info: rlm_sql (sql): Opening additional
connection (6), 1 of 58 pending slots used
Wed Oct 5 10:49:37 2016 : [mac:74:2b:62:6d:47:d4] Accepted user: and
returned VLAN 11
Wed Oct 5 10:49:42 2016 : Auth: (10) Login OK:
[host/D1527.dorsten.local] (from client 172.20.10.118 port 50101 cli
74:2b:62:6d:47:d4)
I don’t know how to debug the error ‘due to unfinished request in
component post-auth module packetfence’.
However, openssl is able to verify the certificate:
[root@PacketFence-6_2_1 logs]# openssl verify -CAfile
/usr/local/pf/conf/ssl/tls_certs/ca.pem ~/d1527.cer
/root/d1527.cer: OK
[root@PacketFence-6_2_1 logs]# openssl verify -CApath
/usr/local/pf/conf/ssl/tls_certs ~/d1527.cer
/root/d1527.cer: OK
I’ve managed to get it working with PacketFence 5.1.0 but not with the
current version. Can anyone help?
Kind regards
Stefan
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Antoine Amacher
[email protected] :: www.inverse.ca
+1.514.447.4918 x130 :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
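As an added illustration of the vlan filter suggested above (this is not from either message and not the PacketFence project's own example file; the section names are mine, and the key spellings follow my recollection of the 6.x vlan_filters.conf format, so compare them against the examples shipped in /usr/local/pf/conf/ before use), a filter pair that auto-registers a node only when it authenticated with EAP-TLS and its certificate was issued by the expected CA:

```ini
# Added example for /usr/local/pf/conf/vlan_filters.conf (PacketFence 6.x
# syntax as recalled from the shipped example file; verify key names there).

# Filter: the RADIUS request carried an EAP-TLS authentication.
# EAP-Type is the attribute FreeRADIUS' rlm_eap sets on the request;
# TLS is its named value for EAP-TLS.
[eaptls]
filter = radius_request
attribute = EAP-Type
operator = is
value = TLS

# Filter: the client certificate was issued by our own issuing CA.
# Without this, any certificate chaining to any CA in tls_certs/ would be
# enough to auto-register. The issuer DN below is a placeholder; use the
# issuer string FreeRADIUS logs for one of your own client certificates.
[ourca]
filter = radius_request
attribute = TLS-Client-Cert-Issuer
operator = is
value = /DC=com/DC=example/CN=Example Issuing CA

# Rule: when both filters match, auto-register the node into the default
# role, so the node is no longer "unreg" and the next evaluation returns
# the default VLAN instead of the registration VLAN.
[1:eaptls&ourca]
scope = AutoRegister
role = default
```

After editing the file, reload the configuration (for example with /usr/local/pf/bin/pfcmd configreload) and re-authenticate the client; the node's status in the admin UI should change from unreg to reg and radius.log should return the default VLAN rather than VLAN 11. The second filter is the security-relevant part: registration is being granted on the strength of the certificate alone, so the rule should match only the CA you actually intend to treat as an enrolment authority.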