Hello Benjamin,

Can you run this command and try to reconnect?

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 300

Then paste the result.

Regards

Fabrice


On 19-07-23 at 10:29, Brenek, Benjamin via PacketFence-users wrote:

Hello All,

I have been stuck on the issue of getting EAP-TLS authentication to work for a few days now and have not really been able to get anywhere. Any help would be greatly appreciated in getting this setup.

I am testing with an Ethernet-connected Windows 10 laptop. The laptop has a trusted root CA, along with a client cert signed by the root CA. I have tested setting the laptop to EAP-TTLS on the network interface.

Both the trusted Root CA and Client CA were issued by a server named PFPKI-Dev.


Every time the device connects the following error is thrown:

(Note: This error for some reason does not show up in the Auditing log, and I need to look at journalctl directly in order to see it.)

(229) Login incorrect (Home Server says so): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)
[mac:d4:be:d9:84:b0:8a] Rejected user: host/d4:be:d9:84:b0:8a
(229) Login incorrect (Failed retrieving values required to evaluate condition): [host/d4:be:d9:84:b0:8a] (from client pf port 50115 cli d4:be:d9:84:b0:8a)

The authentication source is configured as follows:

[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule

The connection profile is configured as follows:

[Wired]
unreg_on_acct_stop=enabled
locale=
filter=switch_group:Cisco2960
description=Wired authentication
autoregister=enabled
dot1x_unset_on_unmatch=enabled
sources=PFPKI-Dev

The switch that the laptop is connected to is a Cisco 2960S with the following port configuration:

(VLAN 4 is the MAC detection VLAN)

interface GigabitEthernet1/0/15
 description User/Phone Port
 switchport access vlan 4
 switchport mode access
 switchport voice vlan 48
 srr-queue bandwidth share 1 30 35 5
 priority-queue out
 authentication event fail action next-method
 authentication order dot1x
 authentication priority dot1x
 authentication port-control auto
 authentication periodic
 authentication timer restart 10800
 authentication timer reauthenticate 10800
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 no snmp trap link-status
 mls qos trust device cisco-phone
 mls qos trust cos
 dot1x pae authenticator
 dot1x timeout quiet-period 2
 dot1x timeout tx-period 3
 spanning-tree portfast
 service-policy input AUTOQOS-SRND4-CISCOPHONE-POLICY
end

Thank you,

*Ben*




_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

--
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org)
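An added illustration (not PacketFence's own code) of how a rule like the one quoted above behaves: with match=any the rule passes as soon as one condition holds, but a condition whose attribute is absent from the request cannot be evaluated at all, which is the kind of failure the second "Login incorrect" line reports. The rule text is copied from the post; the request attribute dictionaries, the "contains" semantics and the way a missing attribute is reported are assumptions made for the example.

```python
import configparser

# Constructed copy of the rule section from the post (not PacketFence's own
# parser or evaluator); the format is INI-style, so configparser reads it.
RULE_INI = """
[EAP-TLS_Test rule Test_Rule]
action0=set_role=employee
condition0=TLS-Cert-Issuer,contains,PFPKI-Dev
condition1=TLS-Client-Cert-Issuer,contains,PFPKI-Dev
match=any
class=authentication
action1=set_access_duration=1D
description=Test Rule
"""

def parse_rule(ini_text):
    """Return (conditions, actions, match) for the single rule section."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    sec = cp[cp.sections()[0]]
    conds = [sec[k].split(",", 2) for k in sorted(sec) if k.startswith("condition")]
    actions = dict(sec[k].split("=", 1) for k in sorted(sec) if k.startswith("action"))
    return conds, actions, sec.get("match", "all")

def evaluate(rule, attrs):
    """Evaluate a parsed rule against the attributes seen on one request.

    Returns ("accept", actions), ("reject", None) or ("error", reason).
    Assumption: a condition whose attribute is absent from the request
    (no client certificate was seen, so no TLS-Client-Cert-* attributes)
    cannot be evaluated, which is reported as an error rather than a reject.
    """
    conds, actions, match = rule
    results, missing = [], []
    for attr, op, value in conds:
        if attr not in attrs:
            missing.append(attr)
        elif op == "contains":
            results.append(value in attrs[attr])
        else:
            return "error", "unsupported operator " + op
    # match=any needs one true condition; match=all needs every one evaluated and true.
    ok = any(results) if match == "any" else bool(results) and all(results) and not missing
    if ok:
        return "accept", actions
    if missing:
        return "error", "missing attributes: " + ", ".join(missing)
    return "reject", None
```

Feeding the evaluator a request that carries only User-Name (no TLS issuer attributes) yields the error case, while a request whose TLS-Client-Cert-Issuer contains PFPKI-Dev is accepted with the employee role.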
