Hello Jochen,

If I read that right, you are trying to do EAP-TLS certificate-based 
authentication.

RADIUS authentication as a whole happens in two steps. The first step (RADIUS 
Authentication) verifies your certificate issuer, and the second step (RADIUS 
Authorization) is where PF checks the available sources for that 
authentication and tries to match a source rule to get a role applied to 
the connection.

How the certificate is created depends on which PKI you are using. 
PF won't trust the username passed by the device (because it can be changed), 
so PF has a list of trusted certificate attributes that it will use as the 
username from inside the certificate:

PacketFence-UserNameAttribute
TLS-Client-Cert-Subject-Alt-Name-Upn
TLS-Client-Cert-Common-Name

Most of the time using the servicePrincipalName won't work because it's not an 
EAP-PEAP authentication.

You can decode the certificate attributes passed down by using the raddebug 
command:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t 3600 | tee raddebug.log

On PacketFence, you can create an EAP-TLS source that matches TLS-Cert-Issuer 
= MyRootCA-NAME and assign a role and an access duration.

Thanks, 


Ludovic Zammit
Product Support Engineer Principal Lead

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
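As an added example (not code from the reply above or from PacketFence itself), the following Python script reads raddebug-style attribute lines and walks the two steps described in the reply: it takes the username only from the trusted certificate attributes (never from User-Name) and maps TLS-Cert-Issuer to a role and access duration through a source rule. The attribute values, the `/X=.../CN=...` issuer layout, and the source rule `SOURCES` are constructed assumptions.

```python
import re
# Constructed raddebug-style attribute lines (FreeRADIUS debug layout); sample
# values only, not output from a real PacketFence server.
SAMPLE_RADDEBUG = """\
  User-Name = "host/spoofed.corp.example"
  TLS-Cert-Issuer = "/DC=example/DC=corp/CN=MyRootCA-NAME"
  TLS-Client-Cert-Common-Name = "ws01.corp.example"
  TLS-Client-Cert-Subject-Alt-Name-Upn = "host/ws01.corp.example"
"""

# Certificate-derived attributes PF trusts as the username, in this order.
TRUSTED_USERNAME_ATTRS = (
    "PacketFence-UserNameAttribute",
    "TLS-Client-Cert-Subject-Alt-Name-Upn",
    "TLS-Client-Cert-Common-Name",
)
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?(.*?)"?\s*$')

def parse_attrs(text):
    """Turn raddebug 'Attr = "value"' lines into a dict (other lines skipped)."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2)
    return attrs

def issuer_cn(attrs):
    """CN component of the issuer DN; assumes the OpenSSL '/X=.../CN=...' layout."""
    m = re.search(r"/CN=([^/]+)", attrs.get("TLS-Cert-Issuer", ""))
    return m.group(1) if m else None

def trusted_username(attrs):
    """Username taken only from certificate attributes, never from User-Name."""
    for name in TRUSTED_USERNAME_ATTRS:
        if attrs.get(name):
            return attrs[name]
    return None

def authorize(attrs, source_rules):
    """Step 1: issuer must match a source; step 2: that source's rule sets role/duration."""
    for rule in source_rules:                   # each rule mirrors the PF source rule
        if issuer_cn(attrs) == rule["issuer"]:  # "TLS-Cert-Issuer = MyRootCA-NAME"
            return {"username": trusted_username(attrs),
                    "role": rule["role"], "access_duration": rule["access_duration"]}
    return None                                 # no trusted issuer: access denied

# Hypothetical EAP-TLS source, mirroring the rule described in the reply.
SOURCES = [{"issuer": "MyRootCA-NAME", "role": "machine", "access_duration": "1D"}]
```

Running `authorize(parse_attrs(SAMPLE_RADDEBUG), SOURCES)` returns the machine role with username `host/ws01.corp.example`, while the device-supplied User-Name is ignored entirely.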

> On May 23, 2023, at 5:05 AM, Jochen Ackermann via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> Dear list,
> 
> We are currently evaluating PacketFence for machine as well as user 
> authentication (but not on the same device). According to the installation 
> guide we set the Authentication Sources to use servicePrincipalName (together 
> with Search Attribute dNSHostName) for machine auth and sAMAccountName for 
> the users. The host is authenticated based on a machine cert issued to its 
> hostname matching its AD record.
> 
> The authentication works in both cases, but with machine auth hosts do not 
> register as nodes (as I would expect them to), instead they appear under the 
> users tab. The radius audit log shows the Node Information/User Name as 
> host/name.domain and the Users Tab shows name.domain and the correct 
> AuthSource for machine auth (The nodes tab shows the MAC address and 
> name.domain as owner).
> Am I maybe missing something?
> 
> Kind regards,
> 
> 
>     Jo
> 
> 


_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
