Morning, Ludovic,

Is there any better document on the new PF PKI than this one 

https://fossies.org/linux/packetfence/docs/installation/pki/packetfence.asciidoc

 

As far as I understand, after I created a CA I need to create a template before 
generating a new certificate? Suppose I generated a certificate based on this 
template; how would I import it into PF to be used for RADIUS to replace the 
example certificate I showed earlier? I want to make sure that nothing is 
broken, that it will be fully accepted, and that PEAP sessions from Windows 
supplicants do not end up with an error.

 

Eugene

 

From: Zammit, Ludovic <[email protected]> 
Sent: Wednesday, November 3, 2021 7:18 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello EP,

 

It’s under Configuration > Integration > PKI

 

Thanks,

 


Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432

Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142


On Nov 3, 2021, at 3:12 AM, E.P. <[email protected]> wrote:

 

Ludovic,

You caught me off guard with the question about PKI.

After I upgraded to PF ver 11.0 I was using PF native PKI.

Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc., CN=Example 
Server Certificate, [email protected]

Of course we can’t use it. Hence I tried to upload the wildcard certificate 
with the private key that was installed on many servers and network devices in 
our company without any issues. For some reason, as I demonstrated earlier, 
the Windows OS supplicant can’t use, or rather doesn’t trust, a RADIUS server 
presenting this certificate for a PEAP session.

I downloaded this wildcard certificate using the PF web interface by going into 
Edit under the RADIUS section.

I don’t mind generating and using the certificate from within PF. As long as it 
uses an acceptable subject name and an issuer under our control we can live 
with it. But I don’t see PF PKI anymore in the new version. I remember 
playing with the PF CA earlier and was successful in configuring EAP-TLS.

 

Eugene

 

From: Zammit, Ludovic <[email protected]> 
Sent: Tuesday, November 02, 2021 1:49 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello,

 

You can use the Web admin to install the RADIUS SSL cert.

 

Make sure to restart radiusd on all servers to apply the cert.

 

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

 

What’s the PKI that you are using?

 

Thanks,

 


Ludovic Zammit

On Nov 2, 2021, at 2:18 PM, E.P. <[email protected]> wrote:

 

Yes, Ludovic,

Apparently the certificate has some issues. RADIUS debug revealed this:

 

(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
(18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
(18) Tue Nov  2 11:06:07 2021: Debug:     [eap] = invalid
(18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid

 

So, all that I did was copy three files into the /usr/local/pf/raddb/certs folder:

1. Server.crt (the certificate issued by the GoDaddy CA)
2. Server.key (private key)
3. ca.pem (root CA)

 

I just wanted to replace this example certificate that PF uses for the EAP/TLS 
session.

 

<image001.png>

 

Is there any instruction on how to generate a different certificate on PF that 
will be accepted by the Windows OS supplicant?

 

Eugene

From: Zammit, Ludovic <[email protected]> 
Sent: Tuesday, November 02, 2021 5:51 AM
To: [email protected]
Cc: E.P. <[email protected]>
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello EP,

 

It looks like the certificate passed to PF was not correct.

 

Use the command:

 

raddebug -f /usr/local/pf/var/run/radiusd.sock

 

Thanks,

 


Ludovic Zammit

On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users <[email protected]> wrote:

 

Hello,

A while ago someone asked this question here and there was no reply.

I hit it again and I have no clue; out of the blue, all authentication attempts 
from Windows OS fail:

 

Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)

 

No problem with mobile phones.

I tried to run RADIUS in debug mode using the old radiusd -X command, but on 
ver 11 it can’t be found anymore.

Any ideas?

 

Eugene

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users

 
