Hi Andi,

The good practices for the RADIUS certificate are the following.  In 
fact, you have two options:

- Build your own PKI (Self-Signed CA, Server Cert signed by your own 
CA).  That implies that you install the self-signed CA on all your 
machines (Recommended for security).
- Buy a server cert signed by an authorized CA.  That way, you don't 
have to install the CA anywhere (it is already there), but it is less 
secure since someone can spoof a valid AP.

By default, we use the PF self-signed certificate, so you need to 
unselect the validate server certificate check box in your clients. 
Otherwise, it will fail.  Also, it is possible that some GPOs block the 
possibility to accept a self-signed certificate.

Thanks.

On 12-03-13 5:49 AM, Morris, Andi wrote:
> I've solved the vlanning issue with the 5500.  Francois, you were right.  The 
> 4400 profile works fine with the 5500.
>
> I'm still curious about the server certificates though.  Is self-signed ok 
> because freeradius is running on the same box as PF?
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 12 March 2012 15:56
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500
>
> AHA!  (Sort of) solved it.
>
> By removing the option to validate server certificate on the client's wlan 
> connections it then authenticates the user with no problems.  This is how I 
> have it setup for my wired network also.  It's actually something I've been 
> meaning to ask for a while, does this box need to be checked for this to be 
> secure when using PF?
>
> Unfortunately, clients connected to the WLC5500 do not get successfully put 
> into the isolation vlan when they should be.  I can see that in the PF logs 
> that it tries, but the change doesn't ever reflect down to the user.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 12 March 2012 15:38
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500
>
> OK, I have successfully got the new controller talking to our Windows radius 
> servers in order to test, and can authenticate users.  Switching over to the 
> PF server for authentication via freeradius I get the errors as below:
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 10.1.1.13 port 32768, id=7, length=211
>          User-Name = "sm18818"
>          Calling-Station-Id = "00-26-b6-da-18-42"
>          Called-Station-Id = "b8-be-bf-ef-24-20:hallsnet-student"
>          NAS-Port = 13
>          NAS-IP-Address = 10.1.1.13
>          NAS-Identifier = "cywlc_halls"
>          Airespace-Wlan-Id = 1
>          Service-Type = Framed-User
>          Framed-MTU = 1300
>          NAS-Port-Type = Wireless-802.11
>          Tunnel-Type:0 = VLAN
>          Tunnel-Medium-Type:0 = IEEE-802
>          Tunnel-Private-Group-Id:0 = "710"
>          EAP-Message = 0x0205001119800000000715030100020230
>          State = 0x4dff6b344ffa727124508253e356604b
>          Message-Authenticator = 0x28de35753ef6ab156d7e60261470a7b8
> server packetfence {
> # Executing section authorize from file /etc/raddb/sites-enabled/packetfence
> +- entering group authorize {...}
> [suffix] No '@' in User-Name = "sm18818", looking up realm NULL
> [suffix] No such realm "NULL"
> ++[suffix] returns noop
> ++[preprocess] returns ok
> [eap] EAP packet type response id 5 length 17
> [eap] Continuing tunnel setup.
> ++[eap] returns ok
> Found Auth-Type = EAP
> # Executing group from file /etc/raddb/sites-enabled/packetfence
> +- entering group authenticate {...}
> [eap] Request found, released from the list
> [eap] EAP/peap
> [eap] processing type peap
> [peap] processing EAP-TLS
>   TLS Length 7
> [peap] Length Included
> [peap] eaptls_verify returned 11
> [peap] <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert read:fatal:unknown CA
>     TLS_accept: failed in SSLv3 read client certificate A
> rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> SSL: SSL_read failed inside of TLS (-1), TLS session fails.
> TLS receive handshake failed during operation
> [peap] eaptls_process returned 4
> [peap] EAPTLS_OTHERS
> [eap] Handler failed in EAP/peap
> [eap] Failed in EAP select
> ++[eap] returns invalid
> Failed to authenticate the user.
> } # server packetfence
> Using Post-Auth-Type Reject
> # Executing group from file /etc/raddb/sites-enabled/packetfence
> +- entering group REJECT {...}
> [attr_filter.access_reject]     expand: %{User-Name} ->  sm18818
>   attr_filter: Matched entry DEFAULT at line 11
> ++[attr_filter.access_reject] returns updated
> Delaying reject of request 60 for 1 seconds
> Going to the next request
> Waking up in 0.9 seconds.
> Sending delayed reject for request 60
> Sending Access-Reject of id 7 to 10.1.1.13 port 32768
>          EAP-Message = 0x04050004
>          Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> Cleaning up request 57 ID 4 with timestamp +18676
> Cleaning up request 58 ID 5 with timestamp +18676
> Cleaning up request 59 ID 6 with timestamp +18676
> Waking up in 1.0 seconds.
> Cleaning up request 60 ID 7 with timestamp +18676
> Ready to process requests.
>
> PS, if this kind of support is covered under our current support contract 
> with inverse I'll happily raise this as an official ticket and take it off 
> the mailing list if you'd rather.  Otherwise I'm hoping that other users who 
> have configured WLC4400s successfully can maybe offer some advice.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Morris, Andi [mailto:[email protected]]
> Sent: 12 March 2012 13:52
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500
>
> Hi Francois,
> I'll give that a go.  Currently we're struggling to get it to authenticate 
> via radius anyway, even before Packetfence gets invoked.
>
> What is involved with sponsoring?
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: 12 March 2012 12:37
> To: [email protected]
> Subject: Re: [Packetfence-users] Cisco Wireless Lan Controller 5500
>
> Hi Andi,
>
> Try using the WLC_4400 module.  It will probably behave the same way.
> If not, let us know, if you are interested, you can probably sponsor the 
> module development.
>
> Thanks.
>
> On 12-03-12 7:08 AM, Morris, Andi wrote:
>> Hi,
>>
>> Has anyone successfully setup a WLC 5500 in packetfence? I would very
>> much like to get one working, but the documentation for the 4400 is
>> “to be contributed”, and there is also no option to add the 5500 in
>> the switches interface. Is this something that would be possible?
>>
>> Cheers,
>>
>> Andi
>>
>> ---------------------------------------------------------------
>> Andi Morris
>> Technical Security Analyst
>>
>> Systems and Communications Services
>> Information Services Division
>> Cardiff Metropolitan University
>> Cardiff
>> Wales
>> CF5 2YB
>>
>> 02920 205720
>>
>> --------------------------------------------------------------
>>
>> ----------------------------------------------------------------------
>> --
>>
>>   > From 1st November 2011 UWIC changed its title to Cardiff
>> Metropolitan University. From the 6th December 2011, as part of this
>> change, all email addresses which included @uwic.ac.uk have changed to
>> @cardiffmet.ac.uk. All emails sent from Cardiff Metropolitan
>> University will now be sent from the new @cardiffmet.ac.uk address.
>> *Please could you ensure that all of your contact records and
>> databases are updated to reflect this change.* Further information can
>> be found on the website here.
>> <http://www3.uwic.ac.uk/English/News/Pages/UWIC-Name-Change.aspx>
>>
>>
>>
>>
>> ----------------------------------------------------------------------
>> -------- Try before you buy = See our experts in action!
>> The most comprehensive online learning library for Microsoft
>> developers is just $99.99! Visual Studio, SharePoint, SQL - plus
>> HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you 
>> subscribe now!
>> http://p.sf.net/sfu/learndevnow-dev2
>>
>>
>>
>> _______________________________________________
>> Packetfence-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
>
> --
> Francois Gaudreault, ing. jr
> [email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca Inverse 
> inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
> (www.packetfence.org)
>


-- 
Francois Gaudreault, ing. jr
[email protected]  ::  +1.514.447.4918 (x130) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
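The two certificate options Francois describes above, and the unknown_ca alert in Andi's FreeRADIUS debug output, as an added example that is not part of the original thread and not PacketFence or FreeRADIUS code. The script builds a private "campus" CA and a stand-in for a commercial CA with openssl, issues an EAP server certificate from each plus the out-of-the-box self-signed one, and then runs the chain validation a PEAP supplicant does against each trust store. It goes one step past the thread: it also shows why a public-CA certificate alone is the weaker option (a certificate for any other name from the same CA chains fine) and that configuring the expected server name on the client closes that gap. All names (radius.example.edu, rogue.example.net, the CA subjects) are made up; it assumes openssl 1.1.1 or newer on PATH.

```shell
#!/bin/sh
# Added example, not PacketFence or FreeRADIUS code. Builds the two trust models
# from the thread with openssl and shows what a PEAP supplicant's chain check
# sees in each case. Assumes openssl >= 1.1.1 on PATH; all names are made up.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT            # drop this line to keep the generated files
RADIUS_NAME="radius.example.edu"      # assumed RADIUS server name
CFG="$WORK/openssl.cnf"

# Minimal config so the script does not depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# mk_ca <prefix> <subject>: a private root CA (keep the key offline in practice)
mk_ca() {
    openssl req -x509 -config "$CFG" -extensions ca_ext -newkey rsa:2048 -nodes \
        -days 3650 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" 2>/dev/null
}

# sign_cert <ca-prefix|self> <prefix> <dns-name>: EAP server cert with the
# serverAuth EKU and the name in subjectAltName, which is what supplicants check.
sign_cert() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$3" 2>/dev/null
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=critical,digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' "subjectAltName=DNS:$3" > "$WORK/$2.ext"
    if [ "$1" = self ]; then
        openssl x509 -req -days 825 -in "$WORK/$2.csr" -signkey "$WORK/$2.key" \
            -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" 2>/dev/null
    else
        openssl x509 -req -days 825 -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
            -CAkey "$WORK/$1.key" -CAcreateserial -extfile "$WORK/$2.ext" \
            -out "$WORK/$2.pem" 2>/dev/null
    fi
}

build_pki() {
    mk_ca campus-ca "/CN=Example Campus Root CA"    # option 1: your own PKI
    sign_cert campus-ca radius-campus "$RADIUS_NAME"
    mk_ca public-ca "/CN=Some Public CA"            # option 2: a commercial CA
    sign_cert public-ca radius-public "$RADIUS_NAME"
    sign_cert public-ca rogue "rogue.example.net"   # anyone can buy one of these
    sign_cert self selfsigned "$RADIUS_NAME"        # the out-of-the-box case
}

# check <trusted-ca-prefix> <cert-prefix>: chain validation only, i.e. "Validate
# server certificate" ticked but no server name configured. Prints ok/unknown_ca.
check() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    then echo ok; else echo unknown_ca; fi
}

# check_name <trusted-ca-prefix> <cert-prefix>: chain plus expected server name,
# the client setting that closes the spoofing gap with a public CA. Prints ok/rejected.
check_name() {
    if openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$RADIUS_NAME" \
        "$WORK/$2.pem" >/dev/null 2>&1
    then echo ok; else echo rejected; fi
}

build_pki
echo "self-signed cert, client trusts only the public CA: $(check public-ca selfsigned)"    # unknown_ca
echo "campus-signed cert, campus CA not on the client:    $(check public-ca radius-campus)" # unknown_ca
echo "campus-signed cert, campus CA installed on client:  $(check campus-ca radius-campus)" # ok
echo "public-CA cert, chain check only:                   $(check public-ca radius-public)" # ok
echo "rogue AP cert from the same public CA, chain only:  $(check public-ca rogue)"         # ok
echo "rogue AP cert with server name check:               $(check_name public-ca rogue)"    # rejected
```

The first two lines of output are the situation in the debug log: the supplicant has no issuer it trusts for the certificate FreeRADIUS presents, so it aborts the TLS handshake with the unknown_ca alert before any credential is sent, and unticking "Validate server certificate" only hides that by skipping the check. For option 1 you would distribute campus-ca.pem to the clients' trusted root store (by GPO on Windows) and point the FreeRADIUS EAP module's certificate_file, private_key_file and CA_file at the radius-campus files; for option 2 the last two lines show that chain validation alone accepts any certificate from that CA, so the client must also be told which server name to expect.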

