Hi Fabrice,

Thanks for the link. I did follow these instructions, but in case I made a
mistake the first time, I deleted the CA cert and started from scratch, and
it is still failing with the same debug output. Here is the tls section
from the eap.conf file:

    tls {
        certdir = ${confdir}/certs
        cadir = ${confdir}/certs
        private_key_file = %%install_dir%%/conf/ssl/tls_certs/RadServ.key
        certificate_file = %%install_dir%%/conf/ssl/tls_certs/RadServ.pem
        CA_file = %%install_dir%%/conf/ssl/tls_certs/pf.denver-lab.pem
#       private_key_password = whatever
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        cipher_list = "DEFAULT"
        make_cert_command = "${certdir}/bootstrap"
        cache {
            enable = no
            lifetime = 24 # hours
            max_entries = 255
        }
        verify {
        }
        ocsp {
            enable = yes
            override_cert_url = yes
            url = "http://127.0.0.1:9292/pki/ocsp/";
        }
    }

Do I need to set the private_key_password parameter? On the Windows
machine, I can see the client cert in the user account's personal cert
folder and the server cert in the trusted list. I've uploaded some screenshots
of my PacketFence and PKI config to my Google Drive, which you can access
here:
https://drive.google.com/folderview?id=0B3hRBeTEUkSbcW5uclBNcU9ueVE&usp=sharing
On a final note, the server FQDN is pf.denver-lab, which I've confirmed
(just in case there is a CN issue with the cert).

Thanks for your patience and support!
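Added here as an editor's example, not code from the thread or from PacketFence/FreeRADIUS: a small decoder for the EAP-Message values in the FreeRADIUS debug output quoted further down, which shows the server first offering PEAP (type 25) with the Start flag, the supplicant's Nak asking for EAP-TLS (type 13), and the supplicant's ClientHello with the 12 cipher suites it offers, before the session later times out with the "did not finish" warning. It uses only the Python standard library; the frame values are copied from the quoted log.

```python
"""Decode FreeRADIUS EAP-Message attributes: EAP header (RFC 3748), EAP-TLS flags (RFC 5216), TLS record."""
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 25: "PEAP"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate",
             12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone"}

LOGGED_FRAMES = [  # EAP-Message values copied from the debug output quoted in this thread
    "0x0201000b0164656e766572",  # peer -> server: EAP-Response/Identity
    "0x010200061920",            # server -> peer: first method offered, Start flag set
    "0x02020006030d",            # peer -> server: Nak naming the method it wants instead
    "0x010300060d20",            # server -> peer: EAP-TLS Start
    "0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f648"
    "26540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a0013"
    "0005000401000017000a00080006001900170018000b00020100ff01000100",  # ClientHello
]


def client_hello_suites(hs):
    """Cipher suites offered in a ClientHello handshake message (hs starts at the type byte)."""
    pos = 4 + 2 + 32                       # handshake header, client_version, random
    pos += 1 + hs[pos]                     # skip session_id
    n = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    return ["0x%04x" % s for s in struct.unpack("!%dH" % (n // 2), hs[pos:pos + n])]


def decode_eap(hexstr):
    """Decode one EAP packet given as the '0x...' string FreeRADIUS logs."""
    raw = bytes.fromhex(hexstr[2:] if hexstr.startswith("0x") else hexstr)
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):                 # truncated or mangled copy of the attribute
        raise ValueError("EAP length %d does not match %d bytes" % (length, len(raw)))
    out = {"code": EAP_CODES.get(code, code), "id": ident, "length": length}
    if length <= 4:                        # Success/Failure carry only the header
        return out
    eap_type, data = raw[4], raw[5:]
    out["type"] = EAP_TYPES.get(eap_type, eap_type)
    if eap_type == 1:                      # Identity: the outer user name
        out["identity"] = data.decode("ascii", "replace")
    elif eap_type == 3:                    # Nak: methods the peer will accept instead
        out["desired_types"] = [EAP_TYPES.get(b, b) for b in data]
    elif eap_type in (13, 25):             # EAP-TLS and PEAP share the flags byte
        flags, body = data[0], data[1:]
        out["flags"] = [n for bit, n in ((0x80, "L"), (0x40, "M"), (0x20, "S")) if flags & bit]
        if flags & 0x80:                   # L flag: 4-byte total TLS message length follows
            out["tls_length"], body = struct.unpack("!I", body[:4])[0], body[4:]
        if len(body) >= 6 and body[0] == 0x16:   # a TLS handshake record follows
            _, ver, rlen = struct.unpack("!BHH", body[:5])
            version = "SSL 3.0" if ver == 0x0300 else "TLS 1.%d" % (ver - 0x0301)
            out["tls_record"] = {"version": version, "length": rlen,
                                 "handshake": HANDSHAKE.get(body[5], body[5])}
            if body[5] == 1:
                out["cipher_suites"] = client_hello_suites(body[5:])
    return out


def decode_all(frames=LOGGED_FRAMES):
    """Decode every logged frame in order so the exchange reads as a sequence."""
    return [decode_eap(f) for f in frames]
```

Calling `decode_all()` returns the five frames decoded in order; the length check raises on an EAP-Message that was cut short when copied from the log.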

On 11 November 2015 at 20:39, Durand fabrice <[email protected]> wrote:

> Hello Jonathan,
>
> Did you configure the certificate on the RADIUS side?
>
> https://github.com/inverse-inc/packetfence/blob/devel/docs/PacketFence_PKI_Quick_Install_Guide.asciidoc#step-3-configuring-packetfence
> Do you have the CA public key on the client side?
>
> Regards
> Fabrice
>
>
> On 2015-11-11 03:21, Jonathan Mahady wrote:
>
> Hi Fabrice,
>
> It looks like I didn't join the mailing list correctly (which I have joined
> now), so I hope you get this response. Anyway, thanks for your speedy reply;
> you're correct, I had a typo in the extended key usage key. I can't believe I
> missed that. Anyway, I can get through the agent process and it installs the
> cert on a Windows 7 machine, but then I can't connect to the 802.1X wireless
> network. From the RADIUS debugging I enabled, I think the client isn't
> responding to the RADIUS challenge and/or I haven't added a source to validate
> the user certificate. I may have missed a step somewhere. Am I supposed to
> configure the packetfence-pki as a source somehow? Below are a couple of
> the debug messages I see:
> root@pf:/home/jonathan# rad_recv: Access-Request packet from host
> 192.168.10.2 port 53584, id=50, length=205
>         User-Name = "denver"
>         NAS-IP-Address = 192.168.10.2
>         NAS-Port = 0
>         NAS-Identifier = "192.168.10.2"
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "a088b415ed6c"
>         Called-Station-Id = "186472cb100c"
>         Service-Type = Login-User
>         Framed-MTU = 1100
>         EAP-Message = 0x0201000b0164656e766572
>         Aruba-Essid-Name = "Secure@Denver-Lab"
>         Aruba-Location-Id = "18:64:72:cb:10:0c"
>         Aruba-AP-Group = "instant-CB:10:0C"
>         Message-Authenticator = 0x9f539de6ac024e0335a46666ee4df8aa
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "denver", skipping NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "denver", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> ++[preprocess] = ok
> [eap] EAP packet type response id 1 length 11
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
>         expand: %{Packet-Src-IP-Address} -> 192.168.10.2
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair Called-Station-Id = 186472cb100c
> rlm_perl: Added pair Message-Authenticator =
> 0x9f539de6ac024e0335a46666ee4df8aa
> rlm_perl: Added pair EAP-Type = Identity
> rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
> rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
> rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
> rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
> rlm_perl: Added pair User-Name = denver
> rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
> rlm_perl: Added pair NAS-Identifier = 192.168.10.2
> rlm_perl: Added pair EAP-Message = 0x0201000b0164656e766572
> rlm_perl: Added pair NAS-Port = 0
> rlm_perl: Added pair Framed-MTU = 1100
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair PacketFence-RPC-Port = 7070
> ++[packetfence] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authenticate {
> [eap] EAP Identity
> [eap] processing type tls
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence
> Sending Access-Challenge of id 50 to 192.168.10.2 port 53584
>         EAP-Message = 0x010200061920
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x76980f77769a16aac51eb549dc9b5fc2
> Finished request 0.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=51,
> length=218
>         User-Name = "denver"
>         NAS-IP-Address = 192.168.10.2
>         NAS-Port = 0
>         NAS-Identifier = "192.168.10.2"
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "a088b415ed6c"
>         Called-Station-Id = "186472cb100c"
>         Service-Type = Login-User
>         Framed-MTU = 1100
>         EAP-Message = 0x02020006030d
>         State = 0x76980f77769a16aac51eb549dc9b5fc2
>         Aruba-Essid-Name = "Secure@Denver-Lab"
>         Aruba-Location-Id = "18:64:72:cb:10:0c"
>         Aruba-AP-Group = "instant-CB:10:0C"
>         Message-Authenticator = 0xe892eab9ce66b769d0d2e6ba8748895b
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "denver", skipping NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "denver", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> ++[preprocess] = ok
> [eap] EAP packet type response id 2 length 6
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
>         expand: %{Packet-Src-IP-Address} -> 192.168.10.2
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair State = 0x76980f77769a16aac51eb549dc9b5fc2
> rlm_perl: Added pair Called-Station-Id = 186472cb100c
> rlm_perl: Added pair Message-Authenticator =
> 0xe892eab9ce66b769d0d2e6ba8748895b
> rlm_perl: Added pair EAP-Type = NAK
> rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
> rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
> rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
> rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
> rlm_perl: Added pair User-Name = denver
> rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
> rlm_perl: Added pair NAS-Identifier = 192.168.10.2
> rlm_perl: Added pair EAP-Message = 0x02020006030d
> rlm_perl: Added pair NAS-Port = 0
> rlm_perl: Added pair Framed-MTU = 1100
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair PacketFence-RPC-Port = 7070
> ++[packetfence] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP NAK
> [eap] EAP-NAK asked for EAP-Type/tls
> [eap] processing type tls
> [tls] Requiring client certificate
> [tls] Initiate
> [tls] Start returned 1
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence
> Sending Access-Challenge of id 51 to 192.168.10.2 port 53584
>         EAP-Message = 0x010300060d20
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x76980f77779b02aac51eb549dc9b5fc2
> Finished request 1.
> Going to the next request
> Waking up in 4.9 seconds.
> rad_recv: Access-Request packet from host 192.168.10.2 port 53584, id=52,
> length=319
>         User-Name = "denver"
>         NAS-IP-Address = 192.168.10.2
>         NAS-Port = 0
>         NAS-Identifier = "192.168.10.2"
>         NAS-Port-Type = Wireless-802.11
>         Calling-Station-Id = "a088b415ed6c"
>         Called-Station-Id = "186472cb100c"
>         Service-Type = Login-User
>         Framed-MTU = 1100
>         EAP-Message =
> 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
>         State = 0x76980f77779b02aac51eb549dc9b5fc2
>         Aruba-Essid-Name = "Secure@Denver-Lab"
>         Aruba-Location-Id = "18:64:72:cb:10:0c"
>         Aruba-AP-Group = "instant-CB:10:0C"
>         Message-Authenticator = 0x7a2dc547091d18f570b035dad945ef14
> server packetfence {
> # Executing section authorize from file
> /usr/local/pf/raddb//sites-enabled/packetfence
> +group authorize {
> [suffix] No '@' in User-Name = "denver", skipping NULL due to config.
> ++[suffix] = noop
> [ntdomain] No '\' in User-Name = "denver", looking up realm NULL
> [ntdomain] No such realm "NULL"
> ++[ntdomain] = noop
> ++[preprocess] = ok
> [eap] EAP packet type response id 3 length 107
> [eap] No EAP Start, assuming it's an on-going EAP conversation
> ++[eap] = updated
> ++[files] = noop
> ++[expiration] = noop
> ++[logintime] = noop
> ++update request {
>         expand: %{Packet-Src-IP-Address} -> 192.168.10.2
> ++} # update request = noop
> ++update control {
> ++} # update control = noop
> rlm_perl: Added pair NAS-Port-Type = Wireless-802.11
> rlm_perl: Added pair Service-Type = Login-User
> rlm_perl: Added pair State = 0x76980f77779b02aac51eb549dc9b5fc2
> rlm_perl: Added pair Called-Station-Id = 186472cb100c
> rlm_perl: Added pair Message-Authenticator =
> 0x7a2dc547091d18f570b035dad945ef14
> rlm_perl: Added pair EAP-Type = EAP-TLS
> rlm_perl: Added pair NAS-IP-Address = 192.168.10.2
> rlm_perl: Added pair Calling-Station-Id = a088b415ed6c
> rlm_perl: Added pair Aruba-Essid-Name = Secure@Denver-Lab
> rlm_perl: Added pair FreeRADIUS-Client-IP-Address = 192.168.10.2
> rlm_perl: Added pair Aruba-AP-Group = instant-CB:10:0C
> rlm_perl: Added pair User-Name = denver
> rlm_perl: Added pair Aruba-Location-Id = 18:64:72:cb:10:0c
> rlm_perl: Added pair NAS-Identifier = 192.168.10.2
> rlm_perl: Added pair EAP-Message =
> 0x0203006b0d8000000061160301005c0100005803015642f1f41e1d3c925fda807015c5f64826540afff77553360e678b8bf9668021000018c014c013c00ac0090035002f00380032000a00130005000401000017000a00080006001900170018000b00020100ff01000100
> rlm_perl: Added pair NAS-Port = 0
> rlm_perl: Added pair Framed-MTU = 1100
> rlm_perl: Added pair PacketFence-RPC-Pass =
> rlm_perl: Added pair PacketFence-RPC-Server = 127.0.0.1
> rlm_perl: Added pair PacketFence-RPC-Proto = http
> rlm_perl: Added pair PacketFence-RPC-User =
> rlm_perl: Added pair Auth-Type = EAP
> rlm_perl: Added pair PacketFence-RPC-Port = 7070
> ++[packetfence] = noop
> +} # group authorize = updated
> Found Auth-Type = EAP
> # Executing group from file /usr/local/pf/raddb//sites-enabled/packetfence
> +group authenticate {
> [eap] Request found, released from the list
> [eap] EAP/tls
> [eap] processing type tls
> [tls] Authenticate
> [tls] processing EAP-TLS
>   TLS Length 97
> [tls] Length Included
> [tls] eaptls_verify returned 11
> [tls]     (other): before/accept initialization
> [tls]     TLS_accept: before/accept initialization
> [tls] <<< TLS 1.0 Handshake [length 005c], ClientHello
> [tls]     TLS_accept: SSLv3 read client hello A
> [tls] >>> TLS 1.0 Handshake [length 0039], ServerHello
> [tls]     TLS_accept: SSLv3 write server hello A
> [tls] >>> TLS 1.0 Handshake [length 0370], Certificate
> [tls]     TLS_accept: SSLv3 write certificate A
> [tls] >>> TLS 1.0 Handshake [length 014b], ServerKeyExchange
> [tls]     TLS_accept: SSLv3 write key exchange A
> [tls] >>> TLS 1.0 Handshake [length 000e], CertificateRequest
> [tls]     TLS_accept: SSLv3 write certificate request A
> [tls]     TLS_accept: SSLv3 flush data
> [tls]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> [tls]     TLS_accept: Need to read more data: SSLv3 read client
> certificate A
> In SSL Handshake Phase
> In SSL Accept mode
> [tls] eaptls_process returned 13
> ++[eap] = handled
> +} # group authenticate = handled
> } # server packetfence
> Sending Access-Challenge of id 52 to 192.168.10.2 port 53584
>         Message-Authenticator = 0x00000000000000000000000000000000
>         State = 0x76980f77749c02aac51eb549dc9b5fc2
> Finished request 2.
> Going to the next request
> Waking up in 4.9 seconds.
>
> Then at the end:
> Waking up in 4.9 seconds.
> Cleaning up request 0 ID 50 with timestamp +46
> Cleaning up request 1 ID 51 with timestamp +46
> Cleaning up request 2 ID 52 with timestamp +46
> Cleaning up request 3 ID 53 with timestamp +46
> Cleaning up request 4 ID 54 with timestamp +46
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> WARNING: !! EAP session for state 0x76980f77729e02aa did not finish!
> WARNING: !! Please read
> http://wiki.freeradius.org/guide/Certificate_Compatibility
> WARNING:
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
>
>
> Thanks for your help in advance.
>
> Jonathan
>
> On 10 November 2015 at 09:45, Jonathan Mahady <[email protected]>
> wrote:
>
>> Hi,
>>
>> I'm having an issue with the assignment of certificates using the
>> PacketFence PKI plugin. The plugin resides on the same box as PacketFence.
>> The distro is Debian Wheezy and the version of PacketFence is 5.4. I've
>> configured the CA, the templates and a RADIUS server cert. I've then added
>> the PKI details into PacketFence, but when I try to onboard a test user the
>> certificate assignment fails with the error that the certificate server
>> cannot be reached. I've trawled through the logs and this is a section of the
>> error it's reporting:
>>
>> "<div id="summary">
>>   <h1>Error at /pki/cert/rest/get/denver/</h1>
>>   <pre class="exception_value">[('asn1 encoding routines',
>> 'a2d_ASN1_OBJECT', 'first num too large'), ('X509 V3
>> routines', 'V2I_EXTENDED_KEY_USAGE', 'invalid object
>> identifier'), ('X509 V3 routines', 'X509V3_EXT_nconf',
>> 'error in extension')]</pre>
>>   <table class="meta">
>>     <tr>
>>       <th>Request Method:</th>
>>       <td>POST</td>
>>     </tr>
>>     <tr>
>>       <th>Request URL:</th>
>>       <td>https://127.0.0.1:9393/pki/cert/rest/get/denver/</td>
>>     </tr>
>>     <tr>
>>       <th>Django Version:</th>
>>       <td>1.7.1</td>
>>     </tr>
>>     <tr>
>>       <th>Exception Type:</th>
>>       <td>Error</td>
>>     </tr>
>>     <tr>
>>       <th>Exception Value:</th>
>>       <td><pre>[('asn1 encoding routines',
>> 'a2d_ASN1_OBJECT', 'first num too large'), ('X509 V3
>> routines', 'V2I_EXTENDED_KEY_USAGE', 'invalid object
>> identifier'), ('X509 V3 routines', 'X509V3_EXT_nconf',
>> 'error in extension')]</pre></td>
>>     </tr>
>>     <tr>
>>       <th>Exception Location:</th>
>>       <td>/usr/local/packetfence-pki/pki/models.py in sign, line 328</td>
>>     </tr>
>>     <tr>
>>       <th>Python Executable:</th>
>>       <td>/usr/bin/python</td>
>>     </tr>
>>     <tr>
>>       <th>Python Version:</th>
>>       <td>2.7.3</td>
>>     </tr>
>>     <tr>
>>       <th>Python Path:</th>
>>       <td><pre>['/usr/lib/python2.7',
>>  '/usr/lib/python2.7/plat-linux2',
>>  '/usr/lib/python2.7/lib-tk',
>>  '/usr/lib/python2.7/lib-old',
>>  '/usr/lib/python2.7/lib-dynload',
>>  '/usr/local/lib/python2.7/dist-packages',
>>  '/usr/lib/python2.7/dist-packages',
>>  '/usr/lib/python2.7/dist-packages/PIL',
>> "
>>
>> The cert does get generated, as I can see it in the PacketFence PKI GUI,
>> but it doesn't get assigned to the user. I'm not sure what the issue is, as
>> I'm not great with this REST API/Python stuff. I would be extremely
>> grateful for any advice or pointers.
>>
>> Cheers,
>>
>> Jonathan
>>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users