Sorry, I got pulled away.
I have a very short attention span you know.
Think Dory in finding Nemo...
So, we need to clarify a few things here.
Are you trying to authenticate windows clients using PEAP or EAP-TLS?
They are different things altogether.
PEAP is the default authentication method for windows on Active-Directory
backed 802.1x SSIDs.
You don't need to do any PKI integration for that to work.
You do need to join the domain and get winbind to work properly though.
The error you see in the logs below is the windows supplicant rejecting the
FreeRADIUS server certificate because it's not configured to trust the CA that
issued it.
Start by configuring windows to ignore the server cert.
Work on fixing your authentication issue first.
You can re-enable that once you have authentication working.
Do a 'pkill radiusd' before you run radius in debug mode.
Otherwise other processes will prevent yours from grabbing the ports.
Finally, radtest (and radclient) are useless at testing PEAP and EAP-TLS.
You need eapol_test: http://deployingradius.com/scripts/eapol_test/
Nothing else will do.
> On Aug 12, 2016, at 11:21 AM, Vianney Amador <[email protected]> wrote:
>
> Anyone, please?
>
> From: [email protected]
> To: [email protected]
> Date: Thu, 11 Aug 2016 16:17:35 +0000
> Subject: Re: [PacketFence-users] Microsoft PKI (MSPKI) + Cisco Wireless Controller
>
> Hi Louis,
>
> I got winbind to work by rejoining my PF server to my domain, now I
> am able to validate the domain bind by running (lists all of my domain
> users):
>
> chroot /chroots/domain-ad wbinfo -u
>
> PEAP did not work after that, I got the same logs on radius.log
>
> I set my supplicant (Windows 10 PC) to authenticate with EAP-TLS, but it does not
> work either:
>
> Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
> Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> Thu Aug 11 11:59:34 2016 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
> Thu Aug 11 11:59:34 2016 : Auth: (88) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/PC0001.intranet.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)
> Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Closing connection (102): Hit idle_timeout, was idle for 165 seconds
> Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Closing connection (103): Hit idle_timeout, was idle for 165 seconds
> Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Opening additional connection (104), 1 of 64 pending slots used
> Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
> Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Opening additional connection (105), 1 of 63 pending slots used
> Thu Aug 11 11:59:34 2016 : [mac:f8:16:54:1a:14:13] Rejected user: host/PC0001.intranet.local
> Thu Aug 11 11:59:35 2016 : Info: rlm_perl: MAC address 0 is empty or invalid in this request. It could be normal on certain radius calls
> Thu Aug 11 11:59:35 2016 : Info: rlm_sql (sql): Need 1 more connections to reach 10 spares
> Thu Aug 11 11:59:35 2016 : Info: rlm_sql (sql): Opening additional connection (106), 1 of 62 pending slots used
> Thu Aug 11 11:59:35 2016 : [mac:] Accepted user: and returned VLAN
> Thu Aug 11 11:59:35 2016 : Auth: (89) Login OK: [dummy] (from client 192.168.1.59 port 0)
> Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
> Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> Thu Aug 11 11:59:40 2016 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
> Thu Aug 11 11:59:40 2016 : Auth: (96) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [[email protected]] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)
> Thu Aug 11 11:59:40 2016 : [mac:f8:16:54:1a:14:13] Rejected user: [email protected]
>
> I enabled FreeRADIUS in debug mode (radiusd -d /usr/local/pf/raddb -n auth -X) as you suggested, but I got this error at the end of the CLI:
>
> auth: #### Opening IP addresses and Ports ####
> listen {
> type = "auth"
> virtual_server = "packetfence"
> ipaddr = 127.0.0.1
> port = 18120
> Failed binding to auth address 127.0.0.1 port 18120 bound to server packetfence: Address already in use
> /usr/local/pf/raddb/auth.conf[9]: Error binding to port for 127.0.0.1 port 18120
>
> Radtest:
>
> # radtest dd9999 Abcd1234 localhost:18120 12 testing123
> Sent Access-Request Id 64 from 0.0.0.0:35042 to 127.0.0.1:18120 length 76
> User-Name = "dd9999"
> User-Password = "Abcd1234"
> NAS-IP-Address = 169.254.0.1
> NAS-Port = 12
> Message-Authenticator = 0x00
> Cleartext-Password = "Abcd1234"
> Received Access-Accept Id 64 from 127.0.0.1:18120 to 0.0.0.0:0 length 20
>
>
Best regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
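The reply above explains what the radius.log lines mean: the "unable to get local issuer certificate" / "unknown CA" pair is a TLS chain-trust failure, and radtest cannot exercise the PEAP or EAP-TLS tunnel at all. The script below is an added example, not code from this thread, from PacketFence or from FreeRADIUS. It groups radius.log records by the "(NN)" request id FreeRADIUS 3 prints, pulls out who was rejected from which NAS and calling station, and flags the OpenSSL trust failures so the attempts can be triaged before running eapol_test. The sample records are constructed from the format quoted in the thread (wrapped lines rejoined); the user identity in request 96 is a placeholder.

```python
"""Triage FreeRADIUS EAP-TLS/PEAP failures from radius.log records.

Added example: groups records by request id and flags chain-trust failures.
Sample records below are constructed from the format quoted in the thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# "Thu Aug 11 11:59:34 2016 : Auth: (88) Login incorrect ..." ->
# timestamp, optional level, optional "(NN)" request id, message.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : "
    r"(?:(?P<level>[A-Za-z]+): )?(?:\((?P<rid>\d+)\) )?(?P<msg>.*)$"
)
# "Login OK: [user] (from client 1.2.3.4 port 0)" and
# "Login incorrect (reason): [user] (from client 1.2.3.4 port 1 cli aa:bb:...)"
LOGIN_RE = re.compile(
    r"Login (?P<outcome>OK|incorrect)(?: \((?P<reason>.*)\))?: "
    r"\[(?P<user>[^\]]*)\] \(from client (?P<client>\S+) port (?P<port>\d+)"
    r"(?: cli (?P<cli>\S+))?\)"
)
# OpenSSL X509 error 20 and the TLS alert that accompanies it: the verifying
# side could not build a chain from the presented certificate to a trusted CA.
TRUST_FAILURE_MARKERS = ("unable to get local issuer certificate", "unknown CA")


@dataclass
class EapAttempt:
    rid: str
    user: Optional[str] = None
    client: Optional[str] = None           # NAS (controller) that sent the request
    calling_station: Optional[str] = None  # supplicant MAC from "cli ..."
    outcome: Optional[str] = None          # "OK" or "incorrect"
    reason: Optional[str] = None
    tls_errors: List[str] = field(default_factory=list)

    @property
    def trust_failure(self) -> bool:
        text = " ".join(self.tls_errors + ([self.reason] if self.reason else []))
        return any(marker in text for marker in TRUST_FAILURE_MARKERS)


def triage(lines: List[str]) -> Dict[str, EapAttempt]:
    """Return one EapAttempt per request id seen in the log lines."""
    attempts: Dict[str, EapAttempt] = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        # Records without a request id (rlm_sql pool chatter, the bare
        # "tls: TLS_accept" line) cannot be tied to an attempt; skip them.
        if not m or m.group("rid") is None:
            continue
        att = attempts.setdefault(m.group("rid"), EapAttempt(m.group("rid")))
        msg = m.group("msg")
        if msg.startswith("eap_tls: ERROR: "):
            att.tls_errors.append(msg[len("eap_tls: ERROR: "):])
        lm = LOGIN_RE.search(msg)
        if lm:
            att.outcome = lm.group("outcome")
            att.reason = lm.group("reason")
            att.user = lm.group("user")
            att.client = lm.group("client")
            att.calling_station = lm.group("cli")
    return attempts


def hint(att: EapAttempt) -> str:
    """One-line operator hint for an attempt."""
    if att.outcome == "OK":
        return "accepted"
    if att.trust_failure:
        return ("TLS chain not trusted (unknown CA): the verifying side lacks the "
                "issuing CA; exercise the tunnel with eapol_test, not radtest")
    return f"rejected: {att.reason or 'no reason logged'}"


# Constructed sample, following the records quoted in the thread.
SAMPLE_LOG = [
    "Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate",
    "Thu Aug 11 11:59:34 2016 : ERROR: (88) eap_tls: ERROR: TLS Alert write:fatal:unknown CA",
    "Thu Aug 11 11:59:34 2016 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B",
    "Thu Aug 11 11:59:34 2016 : Auth: (88) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [host/PC0001.intranet.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)",
    "Thu Aug 11 11:59:34 2016 : Info: rlm_sql (sql): Closing connection (102): Hit idle_timeout, was idle for 165 seconds",
    "Thu Aug 11 11:59:34 2016 : [mac:f8:16:54:1a:14:13] Rejected user: host/PC0001.intranet.local",
    "Thu Aug 11 11:59:35 2016 : Auth: (89) Login OK: [dummy] (from client 192.168.1.59 port 0)",
    "Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate",
    "Thu Aug 11 11:59:40 2016 : ERROR: (96) eap_tls: ERROR: TLS Alert write:fatal:unknown CA",
    # placeholder identity, not from the thread
    "Thu Aug 11 11:59:40 2016 : Auth: (96) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [user1@intranet.local] (from client 192.168.1.28 port 1 cli f8:16:54:1a:14:13)",
]

if __name__ == "__main__":
    for rid, att in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print(f"({rid}) {att.user} via {att.client} [{att.calling_station}]: {hint(att)}")
```

Feed it the real radius.log (`triage(open("/usr/local/pf/logs/radius.log").readlines())` or wherever your install writes it) and the accepted `dummy` request from 192.168.1.59 shows up as a separate attempt from the rejected 802.1X ones, which is the same distinction the reply draws between a radtest Access-Accept and a working PEAP or EAP-TLS tunnel.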
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users