Hello,

Yes, the official documentation:

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Nov 4, 2021, at 2:55 AM, ype...@gmail.com wrote:
>
> Morning, Ludovic,
> Is there any better document on the new PF PKI than this one
> https://fossies.org/linux/packetfence/docs/installation/pki/packetfence.asciidoc
>
> As far as I understand, after I created a CA I need to create a template
> before generating a new certificate? Suppose I generated a certificate based
> on this template how would I import it to PF to be used for RADIUS to replace
> the example certificate I showed earlier.
> I want to make sure that nothing is broken and it will be fully accepted and
> PEAP sessions from Windows supplicants are not ended up with an error
>
> Eugene
>
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: Wednesday, November 3, 2021 7:18 AM
> To: ype...@gmail.com
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>
> Hello EP,
>
> It’s under Configuration > Integration > PKI
>
> Thanks,
>
> Ludovic Zammit
>
>> On Nov 3, 2021, at 3:12 AM, E.P. <ype...@gmail.com> wrote:
>>
>> Ludovic,
>> You caught me off guard with the question about PKI.
>> After I upgraded to PF ver 11.0 I was using PF native PKI.
>> Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc.,
>> CN=Example Server Certificate, emailAddress=ad...@example.org
>> Of course we can’t use it. Hence I tried to upload the wild card certificate
>> with the private key that was installed on many servers and network devices
>> in our company without any issues.
>> For some reason as I demonstrated it earlier Windows OS supplicant can’t use
>> or rather doesn’t trust RADIUS server presenting this certificate for PEAP
>> session.
>> I downloaded this wildcard certificate using PF web interface by going
>> into Edit under RADIUS section.
>> I don’t mind generating and using the certificate from within PF. As long as
>> it uses the acceptable subject name and an issuer under our control we can
>> live with it. But I don’t see PF PKI anymore in the new version. I
>> remember playing with PF CA earlier and was successful with configuring
>> EAP-TLS
>>
>> Eugene
>>
>> From: Zammit, Ludovic <luza...@akamai.com>
>> Sent: Tuesday, November 02, 2021 1:49 PM
>> To: ype...@gmail.com
>> Cc: packetfence-users@lists.sourceforge.net
>> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>>
>> Hello,
>>
>> You can use the Web admin to install the RADIUS SSL cert.
>>
>> Make sure to restart radiusd on all servers to apply the cert.
>>
>> You can use the PF PKI and the PF PKI provisioner to install it on Windows
>> for a Wireless interface. You could also download the cert from the PF web
>> interface and install it manually on the device.
>>
>> What’s the PKI that you are using?
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Nov 2, 2021, at 2:18 PM, E.P. <ype...@gmail.com> wrote:
>>>
>>> Yes, Ludovic,
>>> Apparently the certificate has some issues. RADIUS debug revealed this:
>>>
>>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
>>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
>>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>>> (18) Tue Nov 2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
>>> (18) Tue Nov 2 11:06:07 2021: Debug: eap: Failed in EAP select
>>> (18) Tue Nov 2 11:06:07 2021: Debug: [eap] = invalid
>>> (18) Tue Nov 2 11:06:07 2021: Debug: } # authenticate = invalid
>>>
>>> So, all that I did was copying three files into /usr/local/pf/raddb/certs
>>> folder
>>> Server.crt (the certificate issued by Godaddy CA)
>>> Server.key (private key)
>>> ca.pem (root CA)
>>>
>>> I just wanted to replace this example certificate that PF uses for EAP/TLS
>>> session
>>>
>>> <image001.png>
>>>
>>> Is there any instruction how to generate a different certificate on PF that
>>> will be accepted by Windows OS supplicant?
>>>
>>> Eugene
>>>
>>> From: Zammit, Ludovic <luza...@akamai.com>
>>> Sent: Tuesday, November 02, 2021 5:51 AM
>>> To: packetfence-users@lists.sourceforge.net
>>> Cc: E.P. <ype...@gmail.com>
>>> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>>>
>>> Hello EP,
>>>
>>> It looks like the certificate passed to PF was not correct.
>>>
>>> Use the command:
>>>
>>> raddebug -f /usr/local/pf/var/run/radiusd.sock
>>>
>>> Thanks,
>>>
>>> Ludovic Zammit
>>>
>>>> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>>>>
>>>> Hello,
>>>> A while ago someone asked here this question and there was no reply.
>>>> I hit it again and I have clue, out of the blue, all authentication
>>>> attempts from Windows OS fail:
>>>>
>>>> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
>>>> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
>>>> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
>>>> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>>>>
>>>> No problem with mobile phones.
>>>> Trying to run RADIUS in the debug mode using the old radiusd -X command
>>>> but on ver 11 it can’t be found anymore.
>>>> Any ideas?
>>>>
>>>> Eugene
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
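
The thread above does not establish why the Windows supplicant sent the "access denied" alert, so the following is an added example (not from the thread or from PacketFence) of checks to run on the certificate, key and CA files before restarting radiusd. The function name `check_radius_cert` is hypothetical, the explicit Server Authentication EKU test follows Microsoft's documented PEAP server-certificate requirement, and the wildcard line is only a prompt to review, since the certificate discussed in the thread was a wildcard.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks for a RADIUS/EAP server certificate.
# Usage (paths are the caller's own files):
#   check_radius_cert server.crt server.key ca.pem
# Returns the number of failed checks (0 = all passed).

check_radius_cert() {
    local crt="$1" key="$2" ca="$3" fail=0
    local cert_pub key_pub text

    # 1. The private key must belong to the certificate: compare the public
    #    key embedded in the cert with the one derived from the key file.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"
        fail=$((fail + 1))
    fi

    # 2. The chain must build to the supplied CA file for TLS-server use.
    #    This also fails on expired or not-yet-valid certificates.
    if openssl verify -purpose sslserver -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "OK   chain verifies against $ca"
    else
        echo "FAIL chain does not verify against $ca"
        fail=$((fail + 1))
    fi

    # 3. Require the Server Authentication EKU explicitly; OpenSSL's purpose
    #    check in step 2 also accepts certificates that carry no EKU at all.
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    if printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"; then
        echo "OK   EKU includes Server Authentication"
    else
        echo "FAIL EKU Server Authentication not present"
        fail=$((fail + 1))
    fi

    # 4. Warning only: flag wildcard names for manual review.
    if printf '%s\n' "$text" | grep -Eq '(CN ?= ?|DNS:)\*\.'; then
        echo "WARN wildcard name in subject or SAN, review supplicant policy"
    fi

    return "$fail"
}
```

A non-zero return tells you how many of the three hard checks failed; the WARN line never affects the return value.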