Hello Jochen,

If I read that right, you are trying to do EAP-TLS certificate-based authentication.

RADIUS authentication as a whole happens in two steps. The first step (RADIUS Authentication) verifies your certificate issuer, and in step 2 (RADIUS Authorization) PF checks the available sources for that authentication and tries to match a source rule to get a role applied to the connection.

Depending on which PKI you are using, the certificate is created differently. PF won't trust the username passed by the device (because it can be changed), so PF has a list of trusted certificate attributes that it will trust as the username from inside the certificate:

  PacketFence-UserNameAttribute
  TLS-Client-Cert-Subject-Alt-Name-Upn
  TLS-Client-Cert-Common-Name

Most of the time using the servicePrincipalName won't work because it's not an EAP-PEAP authentication.

You can decode the certificate attributes passed down by using the raddebug command:

  raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600 | tee raddebug.log

On PacketFence, you can create an EAP-TLS source that matches TLS-Cert-Issuer = MyRootCA-NAME and assign a role and an access duration.

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

Connect with Us: <https://community.akamai.com/> <http://blogs.akamai.com/> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On May 23, 2023, at 5:05 AM, Jochen Ackermann via PacketFence-users
> <packetfence-users@lists.sourceforge.net> wrote:
>
> Dear list,
>
> We are currently evaluating packetfence for machine- as well as user-
> authentication (but not on the same device). According to the installation
> guide we set the Authentication Sources to use servicePrincipalName (together
> with Search Attribute dNSHostName) for machine auth and sAMAccountName for
> the users.
> The host is authenticated based on a machine cert issued to its
> hostname matching its AD record.
>
> The authentication works in both cases, but with machine auth hosts do not
> register as nodes (as I would expect them to), instead they appear under the
> users tab. The radius audit log shows the Node Information/User Name as
> host/name.domain and the Users Tab shows name.domain and the correct
> AuthSource for machine auth (The nodes tab shows the MAC address and
> name.domain as owner).
> Am I maybe missing something?
>
> Kind regards,
>
> Jo
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
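The two-step flow Ludovic describes, run over a constructed raddebug-style attribute dump, as an added illustration that is not PacketFence's own code. It shows why the device-supplied User-Name (host/name.domain in Jochen's audit log) is never what decides the username: the name is taken from the trusted certificate attributes the reply lists, and the source rule on TLS-Cert-Issuer then assigns the role and access duration. The precedence order among the three attributes, the issuer set, the rule format, the role name and the sample lines are all assumptions made for the example.

```python
"""Added illustration, not PacketFence code: EAP-TLS handling in two RADIUS
steps (Authentication = issuer check, Authorization = source-rule match),
driven by attributes parsed from constructed raddebug-style output.
The username is derived only from trusted certificate attributes; the
device-supplied User-Name is deliberately ignored."""
import re
from datetime import timedelta

# Certificate-derived attributes PF trusts as username (order is an assumption).
TRUSTED_USERNAME_ATTRS = (
    "PacketFence-UserNameAttribute",
    "TLS-Client-Cert-Subject-Alt-Name-Upn",
    "TLS-Client-Cert-Common-Name",
)

# Assumption: issuers this RADIUS server trusts for EAP-TLS.
TRUSTED_ISSUERS = {"/CN=MyRootCA-NAME"}

# Hypothetical EAP-TLS source rules: (attribute, expected value) -> role, duration.
SOURCE_RULES = [
    {"condition": ("TLS-Cert-Issuer", "/CN=MyRootCA-NAME"),
     "role": "machine", "access_duration": timedelta(days=30)},
]

# Matches lines like: (0)   User-Name = "host/ws01.corp.example"
ATTR_LINE = re.compile(r'^\(\d+\)\s+([A-Za-z0-9-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_raddebug(text):
    """Collect 'Attribute = value' pairs from raddebug output into a dict."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs


def username_from_cert(attrs):
    """First trusted certificate attribute present, or None.
    User-Name is never consulted: the supplicant controls it."""
    for name in TRUSTED_USERNAME_ATTRS:
        if attrs.get(name):
            return attrs[name]
    return None


def authenticate(attrs, trusted_issuers=TRUSTED_ISSUERS):
    """Step 1 (RADIUS Authentication): certificate must come from a trusted issuer."""
    return attrs.get("TLS-Cert-Issuer") in trusted_issuers


def authorize(attrs, rules=SOURCE_RULES):
    """Step 2 (RADIUS Authorization): first matching source rule wins."""
    for rule in rules:
        attr, expected = rule["condition"]
        if attrs.get(attr) == expected:
            return {"role": rule["role"], "access_duration": rule["access_duration"]}
    return None


def process_request(raddebug_text):
    """Run both steps and return the access decision for one request."""
    attrs = parse_raddebug(raddebug_text)
    if not authenticate(attrs):
        return {"accept": False, "reason": "untrusted or missing issuer"}
    username = username_from_cert(attrs)
    if username is None:
        return {"accept": False, "reason": "no trusted certificate attribute for username"}
    grant = authorize(attrs)
    if grant is None:
        return {"accept": False, "reason": "no source rule matched", "username": username}
    return {"accept": True, "username": username, **grant}


# Constructed samples (not real captures). User-Name is spoofed on purpose.
SAMPLE_OK = """\
(0) Received Access-Request Id 1 from 10.0.0.5:1812 to 10.0.0.1:1812 length 220
(0)   User-Name = "host/attacker.domain"
(0)   TLS-Cert-Issuer = "/CN=MyRootCA-NAME"
(0)   TLS-Client-Cert-Common-Name = "ws01.corp.example"
(0)   TLS-Client-Cert-Subject-Alt-Name-Upn = "host/ws01.corp.example"
"""
SAMPLE_BAD_ISSUER = """\
(1)   User-Name = "host/ws02.corp.example"
(1)   TLS-Cert-Issuer = "/CN=SomeOtherCA"
(1)   TLS-Client-Cert-Common-Name = "ws02.corp.example"
"""
SAMPLE_NO_CERT_NAME = """\
(2)   User-Name = "host/ws03.corp.example"
(2)   TLS-Cert-Issuer = "/CN=MyRootCA-NAME"
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad issuer", SAMPLE_BAD_ISSUER),
                          ("no cert name", SAMPLE_NO_CERT_NAME)):
        print(label, "->", process_request(sample))
```

The spoofed User-Name in SAMPLE_OK never influences the result: the UPN from the certificate becomes the username and the issuer rule grants the role. A request whose certificate carries none of the trusted attributes is rejected rather than falling back to User-Name, which is the behaviour to keep in mind when choosing which attribute your PKI populates.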