I still can't get this set up; RADIUS is giving me rather unhelpful information.

Says it's rejected, no reason given.

Reason
rest: Server returned:
(yes, that part is just blank)

RADIUS reply also shows:
REST-HTTP-Status-Code = "401",

To test it, I tried running this against an older server I had with 11.2... It 
worked without issues.

Was there any change to the RADIUS part that could have caused this behaviour?

-----Original Message-----
From: Adrian Damaschek via PacketFence-users 
<packetfence-users@lists.sourceforge.net> 
Sent: Friday, 17 May 2024 09:11
To: packetfence-users@lists.sourceforge.net
Cc: Adrian Damaschek <adrian.damasc...@technicondesign.com>
Subject: Re: [PacketFence-users] Radius Issues with EAP TLS WiFi



I set up a WiFi profile via Intune and pushed it out to the machine, and made a 
SCEP profile that manages to get a cert from the PacketFence CA.

This part works.

The machine sends host/<<Computer NAME>> as the user name for the auth. I 
tried to put that in the cert even; it gets rejected (even if I register the node) 
and gets a 401 in the RADIUS reply.
It works OK with user certificates (when I trust the CA and register the node 
manually) but I need to have it work on machine certs as some machines don't 
have a fixed user.

I think it might not like the / in the user name, hence why I wanted to get rid 
of it with the filter engine.

Regards


From: Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Friday, 17 May 2024 03:08
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <oeufd...@gmail.com>
Subject: Re: [PacketFence-users] Radius Issues with EAP TLS WiFi


I don't think you can query Azure AD with the machine name, like 
https://graph.microsoft.com/v1.0/users/machine_xyz/memberOf
(because it ties to the users not the devices, maybe I am wrong).

But what you can do is the following:
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_azure_ad_eap_tls_machine_authentication
Btw you will have to change the certificate to have the AAD_Device_ID as the CN.

And as a last resort, if it's not possible to recreate a cert, then you can use an 
EAPTLS source and check to see if the device certificate has been signed by the 
correct CA.

On Thu, 16 May 2024 at 20:41, Adrian Damaschek via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
Does this also apply to using it with AzureAD, since I run a domainless setup, 
and it would be enough if it just went standalone where it validates via the 
certificate? And it's not the domain name it gives there, it's just the word 
"host/".

Currently I can't even manually approve the device to connect as it's returning an 
empty error with 401 on the RADIUS reply.

Regards

From: Fabrice Durand via PacketFence-users 
<packetfence-users@lists.sourceforge.net>
Sent: Wednesday, 15 May 2024 19:48
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <oeufd...@gmail.com>
Subject: Re: [PacketFence-users] Radius Issues with EAP TLS WiFi


Normally you shouldn't have to strip the host\ since you are able to search 
this attribute in the AD via the servicePrincipalName attribute.
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_using_the_corporate_machine_role

On Wed, 15 May 2024 at 13:24, Adrian Damaschek via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:
I'm trying to set up the NAC to provide certs over SCEP and then use that to 
allow device access to my WiFi network.

It has to be device-level auth as they are used by multiple users and it's the 
machine that should determine the access to the network.

So there are two problems I am struggling with. One is that Windows insists on 
adding host/ in front of the computer and I can't seem to be able to strip it 
with a filter, but maybe I did the wrong thing with it. My attempt was

${replace($radius_request.User-Name,"host\/","")}

Scope was set to preprocess; for testing I set the value to be always TRUE, and 
I did try with and without merging the answer.

Also when I try to log on, PacketFence does process it and rejects it, giving

Module-Failure-Message = "rest: Server returned:",

I also noticed in the reply that I get

REST-HTTP-Status-Code = "401",

Not sure if this is related to the host/ that Windows puts in the username of the 
initial request.

Any tip on how to deal with this would be appreciated.

Regards
Adrian



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
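Fabrice's last-resort suggestion (accept the device only if its certificate was signed by the correct CA) together with the host/ prefix problem from the original question, as an added Go example that is not from this thread or from PacketFence itself: the CA, the machine certificate and the computer name PC01 are constructed test data, and issue() is a hypothetical helper that stands in for the SCEP-issued cert.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizeUserName strips the "host/" prefix Windows adds for machine auth ("host/PC01" -> "PC01").
func NormalizeUserName(userName string) string { return strings.TrimPrefix(userName, "host/") }

// VerifyDeviceCert accepts the cert only if it chains to trustedCA and its CN equals the normalized User-Name.
func VerifyDeviceCert(leaf, trustedCA *x509.Certificate, userName string) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return "", fmt.Errorf("device cert not signed by trusted CA: %w", err)
	}
	if want := NormalizeUserName(userName); leaf.Subject.CommonName != want {
		return "", fmt.Errorf("cert CN %q does not match User-Name %q", leaf.Subject.CommonName, want)
	}
	return leaf.Subject.CommonName, nil
}

// issue is a hypothetical test helper producing constructed certs: a self-signed CA when parent is nil, else a leaf.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := issue("Constructed Test CA", nil, nil)
	device, _ := issue("PC01", ca, caKey) // constructed machine cert with CN = computer name
	fmt.Println(VerifyDeviceCert(device, ca, "host/PC01"))
}
```

A cert from another CA, or one whose CN does not match the stripped User-Name, is rejected with an explicit reason instead of the blank "rest: Server returned:" seen in the thread.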
