Hello Will,

The certificate exchange looks fine, do you have an AD computer auth source? (using ServicePrincipalName as an attribute)

Also is the CA in the radiusd/eap.conf, and is it installed on the client?

You could also try to run RADIUS in debug mode to get more info:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t3600

Thanks


On 07/05/2017 11:13 AM, Will Halsall via PacketFence-users wrote:

Hi All,

I have tried to set up MSPKI to use AD computer authentication and have followed the Quick Installation Guide but cannot get the clients to work.

The client is a Windows 10 domain laptop

The server is PF 7.1.0

The CA is installed on Windows 2012R2

When I try to connect I get the following in the RADIUS log. Could anyone advise on how to go about resolving this issue or if it's even possible?

Willh

RADIUS Request

        

User-Name = "host/Stuart-PC.college.farnborough"

NAS-IP-Address = 172.16.36.30

NAS-Port = 0

Service-Type = Login-User

Framed-MTU = 1100

State = 0x7e1adcc07913d16fa3fa9452e2e3aa94

Called-Station-Id = "04:bd:88:c4:e2:60"

Calling-Station-Id = "00:24:2b:60:ff:79"

NAS-Identifier = "IAP Cluster FCOT"

NAS-Port-Type = Wireless-802.11

Event-Timestamp = "Jul  5 2017 16:00:37 BST"

EAP-Message = 0x020900060d00

Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90

Aruba-Essid-Name = "test"

Aruba-Location-Id = "N2 - outside"

Aruba-AP-Group = "IAP Cluster"

EAP-Type = TLS

Stripped-User-Name = "host/Stuart-PC.college.farnborough"

Realm = "null"

FreeRADIUS-Client-IP-Address = 172.16.36.30

Called-Station-SSID = "test"

Tmp-String-1 = "00242b60ff79"

TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"

TLS-Cert-Expiration = "220701135414Z"

TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"

TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"

TLS-Cert-Common-Name = "azure"

TLS-Client-Cert-Serial = "7d00000060dfebbdb604c4cc82000200000060"

TLS-Client-Cert-Expiration = "190705141544Z"

TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"

TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"

TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"

TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication

TLS Web Client Authentication"

TLS-Client-Cert-X509v3-Subject-Key-Identifier = "6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"

TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"

TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"

Module-Failure-Message = "rest: Server returned:"

Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"

User-Password = "******"

SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply

        

MS-MPPE-Recv-Key = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d

MS-MPPE-Send-Key = 0x5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a

EAP-MSK = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a

EAP-EMSK = 0xc5bfd638609e0698282b0bf2de29ddf6b9fdf7139a9f904b7b3ad26fc2d15ea55533869cdd945115bb9ec75e0662627807100d8aae044f3232bd63f3c1f22282

EAP-Session-Id = 0x0d595cff1448a9ab1b5f34620219363a29ba87e4f2ff3058941f15a081ef0de171595cff15d2572d184a352a5e88a3b0af21328a83b299dec4f4ca938c86f0941f

EAP-Message = 0x03090004

Message-Authenticator = 0x00000000000000000000000000000000

Stripped-User-Name = "host/Stuart-PC.college.farnborough"




------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Antoine Amacher
[email protected]  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
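
Added example, not part of the original thread and not PacketFence code: a small triage script that decodes the two EAP-Message headers from the audit entry above (RFC 3748) and checks that the machine identity in User-Name matches the client certificate's DNS SAN and that the certificate has not expired. The function names are hypothetical and the sample input is a few attributes copied from the posted log.

```python
import struct
from datetime import datetime, timezone

# Constructed sample: a few attributes copied from the audit entry in this thread.
SAMPLE = '''
User-Name = "host/Stuart-PC.college.farnborough"
EAP-Message = 0x020900060d00
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
EAP-Message = 0x03090004
'''
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}

def parse_attrs(text):
    """Return (name, value) pairs; repeated attributes are kept in order."""
    pairs = []
    for line in text.splitlines():
        name, sep, value = line.partition(" = ")
        if sep:
            pairs.append((name.strip(), value.strip().strip('"')))
    return pairs

def decode_eap(hexstr):
    """Decode the EAP header: code, identifier, length, and type if present."""
    raw = bytes.fromhex(hexstr[2:])  # drop the leading "0x"
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError("EAP length field does not match payload size")
    # Only Request/Response packets carry a type byte (13 is EAP-TLS).
    eap_type = raw[4] if code in (1, 2) and length > 4 else None
    return {"code": EAP_CODES.get(code, code), "id": ident, "type": eap_type}

def triage(text, now):
    attrs = parse_attrs(text)
    first = dict(reversed(attrs))  # first occurrence of each attribute wins
    user = first["User-Name"]
    host = user[len("host/"):] if user.startswith("host/") else None
    san = first["TLS-Client-Cert-Subject-Alt-Name-Dns"]
    # FreeRADIUS reports certificate expiry as ASN.1 UTCTime (YYMMDDHHMMSSZ).
    expiry = datetime.strptime(first["TLS-Client-Cert-Expiration"], "%y%m%d%H%M%SZ")
    return {
        "eap": [decode_eap(v) for n, v in attrs if n == "EAP-Message"],
        "machine_identity": host is not None,
        "san_matches_user": host is not None and host.lower() == san.lower(),
        "cert_valid": now < expiry.replace(tzinfo=timezone.utc),
    }

if __name__ == "__main__":
    print(triage(SAMPLE, datetime.now(timezone.utc)))
```

On the posted entry the request decodes as an EAP-TLS Response and the reply as EAP-Success, so the remaining checks are on the identity lookup and CA configuration rather than the TLS exchange.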
