Hello All,

I have been stuck on the issue of getting EAP-TLS authentication to work for a 
few days now and have not really been able to get anywhere. Any help would be 
greatly appreciated in getting this set up.

I am testing with an Ethernet-connected Windows 10 laptop. The laptop has a 
trusted root CA, along with a client cert signed by the root CA. I have tested 
setting the laptop to EAP-TTLS on the network interface.
Both the trusted Root CA and Client CA were issued by a server named PFPKI-Dev.

Every time the device connects the following error is thrown:
(Note: This error for some reason does not show up in the Auditing log, and I 
need to look at journalctl directly in order to see it.)

(229) Login incorrect (Home Server says so): [host/d4:be:d9:84:b0:8a] (from 
client pf port 50115 cli d4:be:d9:84:b0:8a)
[mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(229) Login incorrect (Failed retrieving values required to evaluate 
condition): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli 
d4:be:d9:84:b0:8a)


The authentication source is configured as follows:

[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule

The connection profile is configured as follows:

[Wired]
unreg_on_acct_stop=enabled
locale=
filter=switch_group:Cisco2960
description=Wired authentication
autoregister=enabled
dot1x_unset_on_unmatch=enabled
sources=PFPKI-Dev

The switch that the laptop is connected to is a Cisco 2960S with the following 
port configuration:
(VLAN 4 is the MAC detection VLAN)

interface GigabitEthernet1/0/15
description User/Phone Port
switchport access vlan 4
switchport mode access
switchport voice vlan 48
srr-queue bandwidth share 1 30 35 5
priority-queue out
authentication event fail action next-method
authentication order dot1x
authentication priority dot1x
authentication port-control auto
authentication periodic
authentication timer restart 10800
authentication timer reauthenticate 10800
snmp trap mac-notification change added
snmp trap mac-notification change removed
no snmp trap link-status
mls qos trust device cisco-phone
mls qos trust cos
dot1x pae authenticator
dot1x timeout quiet-period 2
dot1x timeout tx-period 3
spanning-tree portfast
service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

Thank you,

Ben


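The rule in the post keys on TLS certificate attributes (TLS-Cert-Issuer and TLS-Client-Cert-Issuer), and the log complains that the values required to evaluate the condition could not be retrieved. To make that failure mode concrete, here is an added illustration (not PacketFence's own code, and not from the original post): it parses the rule exactly as quoted above and evaluates it against a RADIUS request modelled as a plain dictionary. The functions parse_rule, evaluate_rule and diagnose, the sample requests, and the evaluation semantics (match=any, "contains" as a substring test, a condition whose attribute is absent from the request treated as unevaluable) are assumptions made for the illustration, not a description of how PacketFence itself is implemented.

```python
"""Toy evaluator for a PacketFence-style authentication rule.

Added illustration, not PacketFence's own code.  It parses the rule from
the post and evaluates it against a RADIUS request represented as a dict,
so the reader can see which inputs produce a match, a plain rejection, or
a "values required to evaluate condition" failure.  The semantics
(match=any, "contains" as substring search, a missing attribute treated
as a retrieval failure) are assumptions for the illustration.
"""
import configparser
from typing import Dict, List

# The rule exactly as shown in the post, reproduced as INI text.
RULE_INI = """
[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule
"""


class ConditionValueMissing(Exception):
    """No attribute named by the rule's conditions is present in the request."""


def parse_rule(ini_text: str) -> dict:
    """Split the INI section into ordered condition triples and action pairs."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    name = cp.sections()[0]
    items = dict(cp[name])
    conditions = [items[k].split(",", 2) for k in sorted(items) if k.startswith("condition")]
    actions = [items[k].split("=", 1) for k in sorted(items) if k.startswith("action")]
    return {"name": name, "match": items.get("match", "all"),
            "conditions": conditions, "actions": actions}


def check(attr: str, op: str, value: str, request: Dict[str, str]) -> bool:
    """Evaluate one condition; the caller guarantees attr is in request."""
    actual = request[attr]
    if op == "contains":
        return value in actual
    if op == "equals":
        return actual == value
    raise ValueError(f"unsupported operator {op!r}")


def evaluate_rule(rule: dict, request: Dict[str, str]) -> List[List[str]]:
    """Return the actions to apply when the rule matches, else an empty list.

    Assumption: a condition whose attribute is absent cannot be evaluated.
    If at least one condition is evaluable, match=any/all is decided on
    those; if none is, raise ConditionValueMissing (the post's log message).
    """
    outcomes = []
    missing = []
    for attr, op, value in rule["conditions"]:
        if attr in request:
            outcomes.append(check(attr, op, value, request))
        else:
            missing.append(attr)
    if not outcomes:
        raise ConditionValueMissing("missing attributes: " + ", ".join(missing))
    matched = any(outcomes) if rule["match"] == "any" else all(outcomes)
    return rule["actions"] if matched else []


def diagnose(rule: dict, request: Dict[str, str]) -> str:
    """One-line verdict in the spirit of the auth log lines in the post."""
    try:
        actions = evaluate_rule(rule, request)
    except ConditionValueMissing as exc:
        return f"reject: failed retrieving values required to evaluate condition ({exc})"
    if not actions:
        return "reject: no condition matched"
    return "accept: " + "; ".join("=".join(a) for a in actions)


# Constructed sample requests (not real captures); the User-Name is the
# machine identity seen in the post's log lines.
REQ_CERT_OK = {"User-Name": "host/d4:be:d9:84:b0:8a",
               "TLS-Client-Cert-Issuer": "/DC=example/CN=PFPKI-Dev"}
REQ_OTHER_CA = {"User-Name": "host/d4:be:d9:84:b0:8a",
                "TLS-Client-Cert-Issuer": "/DC=example/CN=Other-CA"}
REQ_NO_TLS_ATTRS = {"User-Name": "host/d4:be:d9:84:b0:8a"}

if __name__ == "__main__":
    rule = parse_rule(RULE_INI)
    for label, req in [("cert from PFPKI-Dev", REQ_CERT_OK),
                       ("cert from another CA", REQ_OTHER_CA),
                       ("no TLS attributes in request", REQ_NO_TLS_ATTRS)]:
        print(f"{label:32s} -> {diagnose(rule, req)}")
```

Running the script prints one verdict per sample request. The useful distinction it draws when reading the log is between "the attribute is present but does not contain PFPKI-Dev" (a plain rejection) and "no condition could be evaluated because none of the certificate attributes reached the rule" (the retrieval failure), which suggests checking that the TLS certificate attributes are actually being populated for the request before revisiting the condition values themselves.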
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
