Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-22 Thread Fabrice Durand via PacketFence-users
Hello Jason,


On 2017-11-21 at 23:40, Jason Sloan wrote:
> Fabrice,
>
> Totally understand being busy. Thanks for the reply. I was actually
> able to get this working a few hours ago, and hadn't had time to post
> a reply. I'm not sure what did it, perhaps adding "strip" to the realm
> options because the radius stripped name for hosts is host/ -
> this likely accomplishes the same thing that you suggested but in a
> different manner. To be completely clear I couldn't find a normalize
> option but I did see: "RADIUS machine auth with username - Use the
> RADIUS username instead of the TLS certificate common name when doing
> machine authentication." Just to verify, this is the option you are
> suggesting, correct?
>
Yes, this is the option. It will use the attribute User-Name
(host/DESKTOP-6U152VD.mydomain.local) instead of the attribute
TLS-Client-Cert-Common-Name (DESKTOP-6U152VD.mydomain.local), so
User-Name will match the AD attribute servicePrincipalName.

Also, / is not considered a REALM separator in FreeRADIUS, so I am
not sure that strip fixed the issue.
 
> One other thing I noticed in the authentication request is the REALM
> is coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?
For machine authentication, yes, this is normal, but I think it should be
possible to do a hack like we did in PacketFence Multidomain:
when the username is host/DESKTOP-6U152VD.mydomain.local, set the
realm to mydomain.local and try to authenticate on the sources where
mydomain.local is defined.
>
> Much of the info I was reading from the listserv also had included
> adding source or sources to the realm, this is not available in the
> GUI, is this a .conf feature only or a feature of PF 6.x that was
> deprecated?
Now in PacketFence you define the associated realm in the source;
before, it was in the realm configuration that you defined the single
associated source.
>
> Thanks,
> -Jason
Regards
Fabrice


-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 



--
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
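The message above turns on two details that are easy to get wrong: which string is handed to the directory lookup (the certificate CN, which has no host/ prefix, or the RADIUS User-Name, which does and therefore matches an AD servicePrincipalName), and why Realm comes back as "null" (FreeRADIUS's realm module splits on @ and \, never on /). The following Python is an added illustration written for this page, not PacketFence or FreeRADIUS code; the function names, the `use_radius_username` flag standing in for the "RADIUS machine auth with username" option, and the AD SPN list are assumptions, while the User-Name and certificate CN are the values quoted in the thread.

```python
"""How a NAC/RADIUS server derives the lookup identity and the realm for an
EAP-TLS machine authentication. Hypothetical model written for this thread;
not PacketFence or FreeRADIUS code."""
from typing import Dict, Iterable, Optional, Tuple

# Delimiters the FreeRADIUS realm module is normally configured with:
# "user@realm" (suffix realm) and "REALM\user" (prefix realm). "/" is
# deliberately not here: "host/fqdn" is a Kerberos-style SPN, so the realm
# module leaves it untouched and no realm is found.
SUFFIX_DELIM = "@"
PREFIX_DELIM = "\\"


def split_realm(username: str) -> Tuple[str, Optional[str]]:
    """Return (stripped_user, realm); realm is None when no delimiter matched."""
    if SUFFIX_DELIM in username:
        user, realm = username.rsplit(SUFFIX_DELIM, 1)
        return user, realm
    if PREFIX_DELIM in username:
        realm, user = username.split(PREFIX_DELIM, 1)
        return user, realm
    return username, None


def machine_auth_realm(username: str) -> Optional[str]:
    """The workaround described in the thread: for host/<fqdn> use the DNS
    domain of the FQDN as the realm so the request can be routed to the
    source that owns that domain. Returns None for a bare host/<shortname>."""
    stripped, realm = split_realm(username)
    if realm is not None:
        return realm
    if stripped.lower().startswith("host/"):
        host, dot, domain = stripped[len("host/"):].partition(".")
        if dot and host and domain:
            return domain.lower()
    return None


def machine_auth_identity(attrs: Dict[str, str], use_radius_username: bool) -> str:
    """Identity handed to the directory lookup. Off: the certificate CN, which
    carries no host/ prefix. On: the RADIUS User-Name as sent by Windows."""
    if use_radius_username:
        return attrs["User-Name"]
    return attrs["TLS-Client-Cert-Common-Name"]


def matches_spn(identity: str, spns: Iterable[str]) -> bool:
    """AD's servicePrincipalName is compared case-insensitively; the value
    must carry the host/ service class to match a HOST/ SPN."""
    return identity.lower() in {s.lower() for s in spns}


# Values copied from the request quoted in this thread.
REQUEST = {
    "User-Name": "host/DESKTOP-6U152VD.mydomain.local",
    "TLS-Client-Cert-Common-Name": "DESKTOP-6U152VD.mydomain.local",
}
# Constructed AD computer object: Windows registers HOST/ SPNs in this shape.
AD_SPNS = ["HOST/DESKTOP-6U152VD", "HOST/DESKTOP-6U152VD.mydomain.local"]


def resolve(attrs: Dict[str, str], use_radius_username: bool,
            spns: Iterable[str]) -> Tuple[str, bool, Optional[str]]:
    """(lookup identity, whether it matches an SPN, derived realm)."""
    ident = machine_auth_identity(attrs, use_radius_username)
    return ident, matches_spn(ident, spns), machine_auth_realm(attrs["User-Name"])


if __name__ == "__main__":
    for flag in (False, True):
        ident, ok, realm = resolve(REQUEST, flag, AD_SPNS)
        print(f"option={'on' if flag else 'off'}: identity={ident!r} "
              f"spn_match={ok} realm={realm!r}")
```

With the flag off the lookup identity is the bare FQDN and no SPN matches, which is the failure mode in the thread; with it on the host/ form matches. `machine_auth_realm` is only the routing hint Fabrice sketches; it does not authenticate anything.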


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-22 Thread Jason Sloan via PacketFence-users
Fabrice,

Totally understand being busy. Thanks for the reply. I was actually able to
get this working a few hours ago, and hadn't had time to post a reply. I'm
not sure what did it, perhaps adding "strip" to the realm options because
the radius stripped name for hosts is host/ - this likely
accomplishes the same thing that you suggested but in a different manner.
To be completely clear I couldn't find a normalize option but I did see:
"RADIUS machine auth with username - Use the RADIUS username instead of the
TLS certificate common name when doing machine authentication." Just to
verify, this is the option you are suggesting, correct?

One other thing I noticed in the authentication request is the REALM is
coming up as "NULL." Is this normal for RADIUS authenticated EAP-TLS?

Much of the info I was reading from the listserv also had included adding
source or sources to the realm, this is not available in the GUI, is this a
.conf feature only or a feature of PF 6.x that was deprecated?

Thanks,
-Jason


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-21 Thread Durand fabrice via PacketFence-users

Hello Jason,

Sorry for the delay in answering; I was a bit busy these last few days.

Can you enable normalize_radius_machine_auth_username in the advanced
section and retry?


Because, as you say, the username is stripped, and it's probably because
PacketFence uses the TLS-Client-Cert-Common-Name attribute instead of the
User-Name.



Regards

Fabrice



On 2017-11-21 at 04:41, Jason Sloan via PacketFence-users wrote:

I may have been too quick to call this good.
The devices are now self registering which I thought was going to solve 
all my problems but the appropriate role is still not getting returned. 
What appears to be the problem is the realm is coming up null. I've 
followed the setup guide and configured realms that match both the 
netbios domain name as well as the AD domain name and tied them back 
to the AD source. In the portal profile I have allowed 
auto-registration and filtered on EAP (Wired & Wireless) and set the 
source to machineAuth, the AD source I defined. I bound machine auth 
to both the realms defined above + default. The rule at the end of 
machine auth is to set the role to corp-machine (assigns vlan 10).


The radius info from the audit page looks great except the 
authentication is coming through as realm "null" and the response is 
not setting a role as configured in the rules of machineAuth.


The Profile being hit is the EAP-Test profile i built, which I've 
tried with reusing dot1x credentials and without. The only source is 
the machineAuth - I think I might be missing something to force a 
realm or proper detection of the realm? Thoughts on how to test or 
further troubleshoot?








Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-21 Thread Jason Sloan via PacketFence-users
I manually changed the "unregistered" VLAN for the switch, to return the
vlan for "corp-machines" (10 instead of 91) and this worked as expected so
the dynamic vlan assignment configuration and subsequent DHCP are working
as expected. The question remains, how do I get the 802.1x EAP-TLS requests
(Post Authentication?) processed by Packetfence to get the appropriate
VLANs assigned to the responses? The AD source I defined in the GUI is not
getting hit, from what I can see I don't think it is even being attempted.
Do I need to make changes to specific conf files to also (post?) process
EAP-TLS? I tried searching through the listserv archive, but I was
unsuccessful. Forgive my ignorance, I'm not used to dealing with
FreeRADIUS, so adding another layer on top of it has me a bit out of sorts.
Once I get this working I'll be glad to WIKI it up for posterity.


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-21 Thread Jason Sloan via PacketFence-users
I may have been too quick to call this good.
The devices are now self registering which I thought was going to solve all
my problems but the appropriate role is still not getting returned. What
appears to be the problem is the realm is coming up null. I've followed the
setup guide and configured realms that match both the netbios domain name
as well as the AD domain name and tied them back to the AD source. In the
portal profile I have allowed auto-registration and filtered on EAP (Wired
& Wireless) and set the source to machineAuth, the AD source I defined. I
bound machine auth to both the realms defined above + default. The rule at
the end of machine auth is to set the role to corp-machine (assigns vlan
10).

The radius info from the audit page looks great except the authentication
is coming through as realm "null" and the response is not setting a role as
configured in the rules of machineAuth.

The Profile being hit is the EAP-Test profile i built, which I've tried
with reusing dot1x credentials and without. The only source is the
machineAuth - I think I might be missing something to force a realm or
proper detection of the realm? Thoughts on how to test or further
troubleshoot?


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-21 Thread Jason Sloan via PacketFence-users
I found this lovely little nugget here:
https://sourceforge.net/p/packetfence/mailman/message/33699954/ which
pointed me in the right direction. Looks like I needed auto-register ticked
on my profile and all was right in the world.


Re: [PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-20 Thread Jason Sloan via PacketFence-users
packetfence.log:

According to packetfence.log it doesn't look like it's keeping the "host/"
portion of the service principal name.

Nov 19 23:38:42 pfence packetfence_httpd.aaa: httpd.aaa(6630) INFO: [mac:
bc:85:56:61:d4:0b] handling radius autz request: from switch_ip =>
(x.x.x.3), connection_type => Wireless-802.11-EAP,switch_mac => (
3a:5b:0e:2e:be:90), mac => [bc:85:56:61:d4:0b], port => external, username
=> "DESKTOP-6U152VD.mydomain.local", ssid => corp-wlan
(pf::radius::authorize)


On Sun, Nov 19, 2017 at 8:34 PM, Jason Sloan 
wrote:

> First time setup - having some trouble with 802.1x EAP-TLS and AD
> Authentication.
> Audit Information Returning VLAN 91 (Unregistered VLAN)
> Corporate-Machine (or Corporate-User) should return VLAN 10.
>
> Am I not supposed to chain 802.1x together with PF Authentication?
>
> It's quite possible I'm not doing this right, but I setup an Auth rule and
> assigned the appropriate roles and vlans to those roles...
>
> Here's some additional info...somewhat sanitized.
>
>
> RADIUS Request User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> NAS-IP-Address = x.x.x.3
> NAS-Port = 1
> Framed-IP-Address = 169.254.131.196
> Framed-MTU = 1400
> State = 0x55d311af5ecd1c12b3dbfec11ed99383
> Called-Station-Id = "3a:5b:0e:2e:be:90:corp-wlan"
> Calling-Station-Id = "bc:85:56:61:d4:0b"
> NAS-Identifier = "x.x.x.21/5246-corp-wlan"
> NAS-Port-Type = Wireless-802.11
> Acct-Session-Id = "5A010398-00026452"
> Event-Timestamp = "Nov 19 2017 20:00:03 EST"
> Connect-Info = "CONNECT 0Mbps 11N_5G"
> EAP-Message = 0x021e00060d00
> Message-Authenticator = 0xb2c94b69d3ea063856c1ed222f2d2865
> EAP-Type = TLS
> Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> Realm = "null"
> FreeRADIUS-Client-IP-Address = x.x.x.3
> Called-Station-SSID = "corp-wlan"
> Tmp-String-1 = "bc855661d40b"
> TLS-Cert-Serial = "440003c77f32429e20e6ed0003"
> TLS-Cert-Expiration = "270306042911Z"
> TLS-Cert-Issuer = "/C=US/O=mydomain/OU=PKI/CN=mydomain Corporate Root CA
> G1"
> TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate
> Autoenrollment CA G1 S01"
> TLS-Cert-Common-Name = "mydomain Corporate Autoenrollment CA G1 S01"
> TLS-Client-Cert-Serial = "6a158bac2d3df1436f4baf0001158b"
> TLS-Client-Cert-Expiration = "191116204434Z"
> TLS-Client-Cert-Issuer = "/DC=local/DC=mydomain/CN=mydomain Corporate
> Autoenrollment CA G1 S01"
> TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
> TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
> TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
> TLS Web Client Authentication"
> TLS-Client-Cert-X509v3-Subject-Key-Identifier =
> "04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
> TLS-Client-Cert-X509v3-Authority-Key-Identifier =
> "keyid:A6:E1:0D:92:EE:22:E3:27:58:02:E7:56:33:BE:44:53:9A:CD:A7:8D\n"
> TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
> User-Password = "**"
> SQL-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
>
>
>
> RADIUS Reply MS-MPPE-Recv-Key = 0x5a12d15c537cb9548201bdc6787a
> cc5d171b95fc685c728a730cd65b2b5ff784
> MS-MPPE-Send-Key = 0x57866b78adf7dee2f09cbc263339
> 4fb022e08f2f4bc47b26a60138092e702665
> EAP-MSK = 0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b
> 5ff78457866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
> EAP-EMSK = 0xc4b2f601caf22a037196ae1a52c1d132be343648e032933617ef1106bf
> de65b5b9527a7be716677be6ae654a36e75b9896301388b50be6d2aa945275e34d78f5
> EAP-Session-Id = 0x0d5a1229135ec4c3c0df3ea2b164
> c83df98e81808b00e4f3acbeb20407bfd3581cbd25466430f9e2e15d2b76
> e649b86ccf550701a919848ad832d580be99283a0c
> EAP-Message = 0x031e0004
> Message-Authenticator = 0x
> Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
> Tunnel-Type = VLAN
> Tunnel-Private-Group-Id = "91"
> Tunnel-Medium-Type = IEEE-802
>
>
>
> pftest authentication with the hostname returns the appropriate response
> (Bad password though)
>
> Authenticating against machineAuth
>   Authentication FAILED against machineAuth (Invalid login or password)
>   Matched against machineAuth for 'authentication' rules
> set_role : corporate-machine
> set_unreg_date : 2038-01-01
>   Did not match against machineAuth for 'administration' rules
>
>


[PacketFence-users] RADIUS 802.1x EAP-TLS + Machine Auth

2017-11-19 Thread Jason Sloan via PacketFence-users
First time setup - having some trouble with 802.1x EAP-TLS and AD
Authentication.
Audit Information Returning VLAN 91 (Unregistered VLAN)
Corporate-Machine (or Corporate-User) should return VLAN 10.

Am I not supposed to chain 802.1x together with PF Authentication?

It's quite possible I'm not doing this right, but I setup an Auth rule and
assigned the appropriate roles and vlans to those roles...

Here's some additional info...somewhat sanitized.


RADIUS Request User-Name = "host/DESKTOP-6U152VD.mydomain.local"
NAS-IP-Address = x.x.x.3
NAS-Port = 1
Framed-IP-Address = 169.254.131.196
Framed-MTU = 1400
State = 0x55d311af5ecd1c12b3dbfec11ed99383
Called-Station-Id = "3a:5b:0e:2e:be:90:corp-wlan"
Calling-Station-Id = "bc:85:56:61:d4:0b"
NAS-Identifier = "x.x.x.21/5246-corp-wlan"
NAS-Port-Type = Wireless-802.11
Acct-Session-Id = "5A010398-00026452"
Event-Timestamp = "Nov 19 2017 20:00:03 EST"
Connect-Info = "CONNECT 0Mbps 11N_5G"
EAP-Message = 0x021e00060d00
Message-Authenticator = 0xb2c94b69d3ea063856c1ed222f2d2865
EAP-Type = TLS
Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
Realm = "null"
FreeRADIUS-Client-IP-Address = x.x.x.3
Called-Station-SSID = "corp-wlan"
Tmp-String-1 = "bc855661d40b"
TLS-Cert-Serial = "440003c77f32429e20e6ed0003"
TLS-Cert-Expiration = "270306042911Z"
TLS-Cert-Issuer = "/C=US/O=mydomain/OU=PKI/CN=mydomain Corporate Root CA G1"
TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate
Autoenrollment CA G1 S01"
TLS-Cert-Common-Name = "mydomain Corporate Autoenrollment CA G1 S01"
TLS-Client-Cert-Serial = "6a158bac2d3df1436f4baf0001158b"
TLS-Client-Cert-Expiration = "191116204434Z"
TLS-Client-Cert-Issuer = "/DC=local/DC=mydomain/CN=mydomain Corporate
Autoenrollment CA G1 S01"
TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier =
"04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
TLS-Client-Cert-X509v3-Authority-Key-Identifier =
"keyid:A6:E1:0D:92:EE:22:E3:27:58:02:E7:56:33:BE:44:53:9A:CD:A7:8D\n"
TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
User-Password = "**"
SQL-User-Name = "host/DESKTOP-6U152VD.mydomain.local"



RADIUS Reply MS-MPPE-Recv-Key =
0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff784
MS-MPPE-Send-Key =
0x57866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
EAP-MSK =
0x5a12d15c537cb9548201bdc6787acc5d171b95fc685c728a730cd65b2b5ff78457866b78adf7dee2f09cbc2633394fb022e08f2f4bc47b26a60138092e702665
EAP-EMSK =
0xc4b2f601caf22a037196ae1a52c1d132be343648e032933617ef1106bfde65b5b9527a7be716677be6ae654a36e75b9896301388b50be6d2aa945275e34d78f5
EAP-Session-Id =
0x0d5a1229135ec4c3c0df3ea2b164c83df98e81808b00e4f3acbeb20407bfd3581cbd25466430f9e2e15d2b76e649b86ccf550701a919848ad832d580be99283a0c
EAP-Message = 0x031e0004
Message-Authenticator = 0x
Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
Tunnel-Type = VLAN
Tunnel-Private-Group-Id = "91"
Tunnel-Medium-Type = IEEE-802



pftest authentication with the hostname returns the appropriate response
(Bad password though)

Authenticating against machineAuth
  Authentication FAILED against machineAuth (Invalid login or password)
  Matched against machineAuth for 'authentication' rules
set_role : corporate-machine
set_unreg_date : 2038-01-01
  Did not match against machineAuth for 'administration' rules
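The request dump in this post is also the place to apply the check a practitioner should pair with the "use the RADIUS username" option discussed at the top of the thread. In EAP-TLS the User-Name is an outer identity chosen by the supplicant and is not covered by the TLS handshake; the client certificate is what was actually authenticated. If the NAC looks the User-Name up in the directory, the certificate's CN or DNS SAN must be bound to that User-Name, or a client holding any valid machine certificate could present someone else's host/ SPN. FreeRADIUS exposes this as the `check_cert_cn` setting in the eap module's tls section; the Python below is an added, stand-alone illustration of the same check over a dump in the format quoted above, not PacketFence or FreeRADIUS code. The sample dump is a subset of the attributes in this post with the line wrapping preserved; the function names and the spoofed User-Name used for the negative case are constructed for the example.

```python
"""Parse a FreeRADIUS attribute dump such as the request quoted in this
thread and check that the supplicant-chosen User-Name is backed by the
authenticated EAP-TLS client certificate. Added illustration; it is not
PacketFence or FreeRADIUS code."""
import re
from typing import Dict, Set

_ASSIGN_RE = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.*)$")
_LABEL_RE = re.compile(r"^RADIUS (?:Request|Reply)\s+")


def _unquote(value: str) -> str:
    value = value.strip()
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    return value


def parse_attr_dump(text: str) -> Dict[str, str]:
    """Turn 'Attribute = value' lines into a dict. A line that is not an
    assignment is treated as the wrapped tail of the previous value, which
    is what mail clients do to long certificate subjects."""
    attrs: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        line = _LABEL_RE.sub("", raw.strip())
        if not line:
            continue
        m = _ASSIGN_RE.match(line)
        if m:
            last = m.group(1)
            attrs[last] = m.group(2)
        elif last is not None:
            attrs[last] = attrs[last] + " " + line
    return {k: _unquote(v) for k, v in attrs.items()}


def cert_identities(attrs: Dict[str, str]) -> Set[str]:
    """Names the certificate actually asserts: subject CN and DNS SAN."""
    names: Set[str] = set()
    for key in ("TLS-Client-Cert-Common-Name",
                "TLS-Client-Cert-Subject-Alt-Name-Dns"):
        value = attrs.get(key)
        if value:
            names.add(value.lower())
    return names


def has_client_auth_eku(attrs: Dict[str, str]) -> bool:
    """Only a certificate issued for client authentication should be able
    to open a network session, whatever its subject says."""
    return "TLS Web Client Authentication" in attrs.get(
        "TLS-Client-Cert-X509v3-Extended-Key-Usage", "")


def verify_identity_binding(attrs: Dict[str, str]) -> bool:
    """True only when the certificate vouches for the User-Name: the name
    after the host/ service class must equal the cert CN or a DNS SAN."""
    user = attrs.get("User-Name", "")
    host = user[len("host/"):] if user.lower().startswith("host/") else user
    return has_client_auth_eku(attrs) and host.lower() in cert_identities(attrs)


# Constructed sample: a subset of the request quoted in this thread, with
# the mailing-list line wrapping left in place to exercise the parser.
SAMPLE_REQUEST = """\
RADIUS Request User-Name = "host/DESKTOP-6U152VD.mydomain.local"
NAS-Port-Type = Wireless-802.11
EAP-Type = TLS
Stripped-User-Name = "host/DESKTOP-6U152VD.mydomain.local"
Realm = "null"
TLS-Cert-Subject = "/DC=local/DC=mydomain/CN=mydomain Corporate
Autoenrollment CA G1 S01"
TLS-Client-Cert-Subject = "/CN=DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-Common-Name = "DESKTOP-6U152VD.mydomain.local"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier =
"04:44:15:39:14:EE:0E:A9:69:59:37:16:CD:DA:94:14:3A:68:87:26"
TLS-Client-Cert-Subject-Alt-Name-Dns = "DESKTOP-6U152VD.mydomain.local"
"""


def spoofed(attrs: Dict[str, str], user_name: str) -> Dict[str, str]:
    """Same certificate, different outer identity (constructed negative case)."""
    return dict(attrs, **{"User-Name": user_name})


if __name__ == "__main__":
    parsed = parse_attr_dump(SAMPLE_REQUEST)
    print("realm:", parsed["Realm"], "| bound:", verify_identity_binding(parsed))
    print("spoofed bound:", verify_identity_binding(
        spoofed(parsed, "host/DC01.mydomain.local")))
```

The parser deliberately accepts a dump pasted from a mail client, since that is usually what one has when debugging a NAC; in production the same comparison belongs in the RADIUS policy, before the directory lookup, not after it.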