Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
Hello Jason,

On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually able to get this working a few hours ago, and hadn't had time to post a reply. I'm not sure what did it, perhaps adding "strip" to the realm options because the RADIUS stripped name for hosts is host/ - this likely accomplishes the same thing that you suggested but in a different manner. To be completely clear, I couldn't find a normalize option but I did see: "RADIUS machine auth with username - Use the RADIUS username instead of the TLS certificate common name when doing machine authentication." Just to verify, this is the option you are suggesting, correct?

Yes, this is the option. It will use the attribute User-Name (host/DESKTOP-6U152VD.mydomain.local) instead of the attribute TLS-Client-Cert-Common-Name (DESKTOP-6U152VD.mydomain.local), so User-Name will match the AD attribute servicePrincipalName. Also, / is not considered a REALM separator in FreeRADIUS, so I am not sure that strip fixed the issue.

> One other thing I noticed in the authentication request is the REALM is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?

For machine authentication, yes, this is normal, but I think it should be possible to do a hack like we did in PacketFence Multidomain: when the username is host/DESKTOP-6U152VD.mydomain.local, set the realm to mydomain.local and try to authenticate on the sources where mydomain.local is defined.

> Much of the info I was reading from the listserv also included adding source or sources to the realm; this is not available in the GUI. Is this a .conf feature only, or a feature of PF 6.x that was deprecated?

Now in PacketFence you define the associated realm in the source; before, it was in the realm configuration that you defined the single associated source.

> Thanks,
> -Jason

Regards
Fabrice

--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)

--
Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
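The following is an added illustration, not PacketFence or FreeRADIUS code: it models why the host/ User-Name from this thread yields Realm = "null" under the stock realm delimiters, which identity each machine-auth setting sends to AD, and the Multidomain-style realm derivation Fabrice describes. The realm set, the simplified rlm_realm rules and the function names are assumptions made for the example.

```python
"""Added example (not PacketFence or FreeRADIUS code): models how the
machine-auth identity and realm in this thread's RADIUS request come out
under the settings Fabrice describes."""
from typing import Dict, Optional, Set

# Constructed from the attributes quoted in Jason's request.
REQUEST: Dict[str, str] = {
    "User-Name": "host/DESKTOP-6U152VD.mydomain.local",
    "TLS-Client-Cert-Common-Name": "DESKTOP-6U152VD.mydomain.local",
}


def freeradius_realm(username: str, known_realms: Set[str]) -> Optional[str]:
    """Simplified rlm_realm behaviour (assumption: only the stock 'suffix'
    and 'ntdomain' instances). 'suffix' splits on '@', 'ntdomain' on '\\'.
    '/' is not a delimiter, so a host/<fqdn> User-Name produces no realm,
    which is what shows up as Realm = "null". A candidate only counts if
    it is a configured realm."""
    if "@" in username:
        candidate = username.rsplit("@", 1)[1]
    elif "\\" in username:
        candidate = username.split("\\", 1)[0]
    else:
        return None
    return candidate if candidate.lower() in known_realms else None


def machine_auth_identity(req: Dict[str, str], use_radius_username: bool) -> str:
    """Identity looked up in AD for machine auth. With 'RADIUS machine auth
    with username' enabled, User-Name (host/<fqdn>, the form stored in the
    computer's servicePrincipalName) is used; otherwise the bare FQDN from
    the client certificate CN, which lacks the host/ prefix of the SPN."""
    if use_radius_username:
        return req["User-Name"]
    return req["TLS-Client-Cert-Common-Name"]


def derived_machine_realm(username: str, known_realms: Set[str]) -> Optional[str]:
    """The Multidomain-style hack Fabrice suggests: for host/<fqdn>, take the
    domain part of the FQDN as the realm so the sources bound to that realm
    are tried. Falls back to the normal delimiter rules otherwise."""
    if not username.startswith("host/"):
        return freeradius_realm(username, known_realms)
    _host, dot, domain = username[len("host/"):].partition(".")
    if not dot or not domain:
        return None
    return domain if domain.lower() in known_realms else None


if __name__ == "__main__":
    realms = {"mydomain.local", "mydomain"}  # constructed realm configuration
    print("stock realm:", freeradius_realm(REQUEST["User-Name"], realms))
    print("identity (username):", machine_auth_identity(REQUEST, True))
    print("identity (cert CN):", machine_auth_identity(REQUEST, False))
    print("derived realm:", derived_machine_realm(REQUEST["User-Name"], realms))
```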
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
Fabrice,

Totally understand being busy. Thanks for the reply. I was actually able to get this working a few hours ago, and hadn't had time to post a reply. I'm not sure what did it, perhaps adding "strip" to the realm options because the RADIUS stripped name for hosts is host/ - this likely accomplishes the same thing that you suggested but in a different manner. To be completely clear, I couldn't find a normalize option but I did see: "RADIUS machine auth with username - Use the RADIUS username instead of the TLS certificate common name when doing machine authentication." Just to verify, this is the option you are suggesting, correct?

One other thing I noticed in the authentication request is the REALM is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?

Much of the info I was reading from the listserv also included adding source or sources to the realm; this is not available in the GUI. Is this a .conf feature only, or a feature of PF 6.x that was deprecated?

Thanks,
-Jason
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
Hello Jason,

Sorry for the delay in answering, I was a little bit busy these last days.

Can you enable normalize_radius_machine_auth_username in the advanced section and retry? Because, as you say, the username is stripped, and it's probably because PacketFence uses the TLS-Client-Cert-Common-Name attribute instead of the User-Name.

Regards
Fabrice

On 2017-11-21 at 04:41, Jason Sloan via PacketFence-users wrote:
> I may have been too quick to call this good. The devices are now self registering, which I thought was going to solve all my problems, but the appropriate role is still not getting returned. What appears to be the problem is the realm is coming up null. I've followed the setup guide and configured realms that match both the NetBIOS domain name as well as the AD domain name and tied them back to the AD source. In the portal profile I have allowed auto-registration and filtered on EAP (Wired & Wireless) and set the source to machineAuth, the AD source I defined. I bound machine auth to both the realms defined above + default. The rule at the end of machine auth is to set the role to corp-machine (assigns VLAN 10).
>
> The RADIUS info from the audit page looks great except the authentication is coming through as realm "null" and the response is not setting a role as configured in the rules of machineAuth. The profile being hit is the EAP-Test profile I built, which I've tried with reusing dot1x credentials and without. The only source is the machineAuth - I think I might be missing something to force a realm or proper detection of the realm? Thoughts on how to test or further troubleshoot?
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
I manually changed the "unregistered" VLAN for the switch to return the VLAN for "corp-machines" (10 instead of 91) and this worked as expected, so the dynamic VLAN assignment configuration and subsequent DHCP are working as expected.

The question remains: how do I get the 802.1x EAP-TLS requests (Post Authentication?) processed by PacketFence to get the appropriate VLANs assigned to the responses? The AD source I defined in the GUI is not getting hit; from what I can see I don't think it is even being attempted. Do I need to make changes to specific conf files to also (post?) process EAP-TLS? I tried searching through the listserv archive, but I was unsuccessful.

Forgive my ignorance, I'm not used to dealing with FreeRADIUS, so adding another layer on top of it has me a bit out of sorts. Once I get this working I'll be glad to WIKI it up for posterity.
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
I may have been too quick to call this good. The devices are now self registering, which I thought was going to solve all my problems, but the appropriate role is still not getting returned. What appears to be the problem is the realm is coming up null. I've followed the setup guide and configured realms that match both the NetBIOS domain name as well as the AD domain name and tied them back to the AD source. In the portal profile I have allowed auto-registration and filtered on EAP (Wired & Wireless) and set the source to machineAuth, the AD source I defined. I bound machine auth to both the realms defined above + default. The rule at the end of machine auth is to set the role to corp-machine (assigns VLAN 10).

The RADIUS info from the audit page looks great except the authentication is coming through as realm "null" and the response is not setting a role as configured in the rules of machineAuth. The profile being hit is the EAP-Test profile I built, which I've tried with reusing dot1x credentials and without. The only source is the machineAuth - I think I might be missing something to force a realm or proper detection of the realm? Thoughts on how to test or further troubleshoot?
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
I found this lovely little nugget here: https://sourceforge.net/p/packetfence/mailman/message/33699954/ which pointed me in the right direction. Looks like I needed auto-register ticked on my profile and all was right in the world.
Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
packetfence.log:

According to packetfence.log it doesn't look like it's keeping the "host/" portion of the service principal name.

Nov 19 23:38:42 pfence packetfence_httpd.aaa: httpd.aaa(6630) INFO: [mac: bc:85:56:61:d4:0b] handling radius autz request: from switch_ip => (x.x.x.3), connection_type => Wireless-802.11-EAP,switch_mac => ( 3a:5b:0e:2e:be:90), mac => [bc:85:56:61:d4:0b], port => external, username => "DESKTOP-6U152VD.mydomain.local", ssid => corp-wlan (pf::radius::authorize)

On Sun, Nov 19, 2017 at 8:34 PM, Jason Sloan wrote:
> First time setup - having some trouble with 802.1x EAP-TLS and AD Authentication.
> Audit Information Returning VLAN 91 (Unregistered VLAN)
> Corporate-Machine (or Corporate-User) should return VLAN 10.
>
> Am I not supposed to chain 802.1x together with PF Authentication?
>
> It's quite possible I'm not doing this right, but I set up an Auth rule and assigned the appropriate roles and VLANs to those roles...
>
> Here's some additional info...somewhat sanitized.
>
> RADIUS Request
>     User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>     NAS-IP-Address = x.x.x.3
>     NAS-Port = 1
>     Framed-IP-Address = 169.254.131.196
>     Framed-MTU = 1400
>     State = 0x55d311af5ecd1c12b3dbfec11ed99383
>     Called-Station-Id = "3a:5b:0e:2e:be:90:corp-wlan"
>     Calling-Station-Id = "bc:85:56:61:d4:0b"
>     NAS-Identifier = "x.x.x.21/5246-corp-wlan"
>     NAS-Port-Type = Wireless-802.11
>     Acct-Session-Id = "5A010398-00026452"
>     Event-Timestamp = "Nov 19 2017 20:00:03 EST"
>     Connect-Info = "CONNECT 0Mbps 11N_5G"
>     EAP-Message = 0x021e00060d00
>     Message-Authenticator = 0xb2c94b69d3ea063856c1ed222f2d2865
>     EAP-Type = TLS
>     Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>     Realm = "null"
>     FreeRADIUS-Client-IP-Address = x.x.x.3
>     Called-Station-SSID = "corp-wlan"
>     Tmp-String-1 = "bc855661d40b"
>     TLS-Cert-Serial = "440003c77f32429e20e6ed0003"
>     TLS-Cert-Expiration = "270306042911Z"
>     TLS-Cert-Issuer = "/C=US/O=mydomain/OU=PKI/CN=mydomain Corporate Root CA G1"
>     TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
>     TLS-Cert-Common-Name = "mydomain Corporate Autoenrollment CA G1 S01"
>     TLS-Client-Cert-Serial = "6a158bac2d3df1436f4baf0001158b"
>     TLS-Client-Cert-Expiration = "191116204434Z"
>     TLS-Client-Cert-Issuer = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
>     TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
>     TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
>     TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
>     TLS-Client-Cert-X509v3-Subject-Key-Identifier = "04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
>     TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:A6:E1:0D:92:EE:22:E3:27:58:02:E7:56:33:BE:44:53:9A:CD:A7:8D\n"
>     TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
>     User-Password = "**"
>     SQL-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>
> RADIUS Reply
>     MS-MPPE-Recv-Key = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff784
>     MS-MPPE-Send-Key = 0x57866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
>     EAP-MSK = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff78457866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
>     EAP-EMSK = 0xc4b2f601caf22a037196ae1a52c1d132be343648e032933617ef1106bfde65b5b9527a7be716677be6ae654a36e75b9896301388b50be6d2aa945275e34d78f5
>     EAP-Session-Id = 0x0d5a1229135ec4c3c0df3ea2b164c83df98e81808b00e4f3acbeb20407bfd3581cbd25466430f9e2e15d2b76e649b86ccf550701a919848ad832d580be99283a0c
>     EAP-Message = 0x031e0004
>     Message-Authenticator = 0x
>     Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>     Tunnel-Type = VLAN
>     Tunnel-Private-Group-Id = "91"
>     Tunnel-Medium-Type = IEEE-802
>
> pftest authentication with the hostname returns the appropriate response (Bad password though)
>
>     Authenticating against machineAuth
>     Authentication FAILED against machineAuth (Invalid login or password)
>     Matched against machineAuth for 'authentication' rules
>         set_role : corporate-machine
>         set_unreg_date : 2038-01-01
>     Did not match against machineAuth for 'administration' rules
[PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth
First time setup - having some trouble with 802.1x EAP-TLS and AD Authentication.
Audit Information Returning VLAN 91 (Unregistered VLAN)
Corporate-Machine (or Corporate-User) should return VLAN 10.

Am I not supposed to chain 802.1x together with PF Authentication?

It's quite possible I'm not doing this right, but I set up an Auth rule and assigned the appropriate roles and VLANs to those roles...

Here's some additional info...somewhat sanitized.

RADIUS Request
    User-Name = "host/DESKTOP-6U152VD.mydomain.local"
    NAS-IP-Address = x.x.x.3
    NAS-Port = 1
    Framed-IP-Address = 169.254.131.196
    Framed-MTU = 1400
    State = 0x55d311af5ecd1c12b3dbfec11ed99383
    Called-Station-Id = "3a:5b:0e:2e:be:90:corp-wlan"
    Calling-Station-Id = "bc:85:56:61:d4:0b"
    NAS-Identifier = "x.x.x.21/5246-corp-wlan"
    NAS-Port-Type = Wireless-802.11
    Acct-Session-Id = "5A010398-00026452"
    Event-Timestamp = "Nov 19 2017 20:00:03 EST"
    Connect-Info = "CONNECT 0Mbps 11N_5G"
    EAP-Message = 0x021e00060d00
    Message-Authenticator = 0xb2c94b69d3ea063856c1ed222f2d2865
    EAP-Type = TLS
    Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
    Realm = "null"
    FreeRADIUS-Client-IP-Address = x.x.x.3
    Called-Station-SSID = "corp-wlan"
    Tmp-String-1 = "bc855661d40b"
    TLS-Cert-Serial = "440003c77f32429e20e6ed0003"
    TLS-Cert-Expiration = "270306042911Z"
    TLS-Cert-Issuer = "/C=US/O=mydomain/OU=PKI/CN=mydomain Corporate Root CA G1"
    TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
    TLS-Cert-Common-Name = "mydomain Corporate Autoenrollment CA G1 S01"
    TLS-Client-Cert-Serial = "6a158bac2d3df1436f4baf0001158b"
    TLS-Client-Cert-Expiration = "191116204434Z"
    TLS-Client-Cert-Issuer = "/DC=local/DC=mydomain/CN=mydomain Corporate Autoenrollment CA G1 S01"
    TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
    TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
    TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication TLS Web Client Authentication"
    TLS-Client-Cert-X509v3-Subject-Key-Identifier = "04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
    TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:A6:E1:0D:92:EE:22:E3:27:58:02:E7:56:33:BE:44:53:9A:CD:A7:8D\n"
    TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
    User-Password = "**"
    SQL-User-Name = "host/DESKTOP-6U152VD.mydomain.local"

RADIUS Reply
    MS-MPPE-Recv-Key = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff784
    MS-MPPE-Send-Key = 0x57866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
    EAP-MSK = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff78457866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
    EAP-EMSK = 0xc4b2f601caf22a037196ae1a52c1d132be343648e032933617ef1106bfde65b5b9527a7be716677be6ae654a36e75b9896301388b50be6d2aa945275e34d78f5
    EAP-Session-Id = 0x0d5a1229135ec4c3c0df3ea2b164c83df98e81808b00e4f3acbeb20407bfd3581cbd25466430f9e2e15d2b76e649b86ccf550701a919848ad832d580be99283a0c
    EAP-Message = 0x031e0004
    Message-Authenticator = 0x
    Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
    Tunnel-Type = VLAN
    Tunnel-Private-Group-Id = "91"
    Tunnel-Medium-Type = IEEE-802

pftest authentication with the hostname returns the appropriate response (Bad password though)

    Authenticating against machineAuth
    Authentication FAILED against machineAuth (Invalid login or password)
    Matched against machineAuth for 'authentication' rules
        set_role : corporate-machine
        set_unreg_date : 2038-01-01
    Did not match against machineAuth for 'administration' rules