You are probably missing some certificates; here is what I used:
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel Enterprise Solutions
X509v3 Subject Key Identifier:
B7:1F:4E:45:B5:00:DD:F3:C7:9A:97:62:04:08:D1:9A:4C:BA:4A:0D
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 1
X509v3 Subject Key Identifier:
78:7A:40:06:A1:79:56:85:BC:05:9B:D5:9A:D3:B0:16:4F:16:CB:E2
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 2
X509v3 Subject Key Identifier:
88:3E:CC:2D:90:29:C9:FE:14:FC:D3:30:A6:55:06:58:68:3F:A8:41
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 3
X509v3 Subject Key Identifier:
92:D7:26:7D:FD:3F:00:B9:4D:B3:19:89:0A:8D:03:60:ED:AC:DD:0A
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 4
X509v3 Subject Key Identifier:
F2:4A:85:BA:64:98:68:45:21:BD:38:4B:BB:98:88:35:50:65:61:71
Subject: C=FR, O=Alcatel-Lucent, OU=PKI Authority, CN=Wired Phones
X509v3 Subject Key Identifier:
D2:05:A3:38:E6:56:67:AC:85:3C:A4:21:5C:64:CF:D2:49:DB:CC:02
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel IP Touch
X509v3 Subject Key Identifier:
56:92:08:12:EE:43:D4:AF:B5:20:11:C0:92:A8:E0:62:C1:1E:7F:7C
On 2017-05-31 at 11:37, Christian Gfeller wrote:
> Hello Fabrice
>
> Thank you for your reply.
>
> I have copied the Alcatel CA Cert to my existing CA Certificate:
>
> -----BEGIN CERTIFICATE-----
> MS CA
> -----END CERTIFICATE-----
> -----BEGIN CERTIFICATE-----
> Alcatel CA
> -----END CERTIFICATE-----
>
> Then I restarted the radiusd service.
>
> When the phone tries to authenticate (EAP-TLS), this message is in
> radius.log:
>
> May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: SSL says error
> 20 : unable to get local issuer certificate
> May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: TLS Alert
> write:fatal:unknown CA
> May 31 17:28:03 nac2 auth[4563]: tls: TLS_accept: Error in error
> May 31 17:28:03 nac2 auth[4563]: (24) Login incorrect (eap_tls: SSL
> says error 20 : unable to get local issuer certificate): [ALCIPT]
> (from client 192.168.1.46 port 20 cli 00:80:9f:dd:33:b0)
>
> What is missing?
>
> Thank you
> Chris
>
>
> ------------------------------------------------------------------------
> *From:* Fabrice Durand <[email protected]>
> *To:* [email protected]
> *Sent:* 19:09 Tuesday, 23 May 2017
> *Subject:* Re: [PacketFence-users] EAP-TLS with IP-PHones
>
> Hello Chris,
> in fact you have to concatenate the root certificate in your CA file.
> (ca_file in eap.conf).
> Regards
> Fabrice
>
>
>
> On 2017-05-23 at 11:16, Christian Gfeller wrote:
>> Hello packetfence users
>>
>> I have an installation of Packetfence 7.0. MSPKI is integrated
>> (https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html)
>> and EAP-TLS with Windows clients (802.1x) works fine.
>> We have Alcatel Lucent wired IP Phones which support 802.1x (MD5 and
>> TLS) too. There is a certificate from Alcatel preinstalled on the
>> phone. (Issued by “Alcatel Enterprise Solutions”). I have downloaded
>> the “Alcatel Enterprise Solutions” root certificate.
>>
>> Which is the right way to authenticate the IP phones with the built-in
>> certificate? How can I install the root certificate with the already
>> installed MSPKI?
>>
>> Thank you
>> Chris
>>
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>>
>>
>> _______________________________________________
>> PacketFence-users mailing list
>> [email protected]
>> <mailto:[email protected]>
>> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>
> --
> Fabrice Durand
> [email protected] <mailto:[email protected]> :: +1.514.447.4918 (x135) ::
> www.inverse.ca <http://www.inverse.ca/>
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu
> <http://www.sogo.nu/>) and PacketFence (http://packetfence.org
> <http://packetfence.org/>)
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
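
Added example, not part of the original thread: error 20 in the quoted radius.log is what OpenSSL reports when the issuer of the presented certificate is not in the CA file. The script below builds a constructed three-level PKI (all names and file names are made up) and verifies the same device certificate against a CA file with only the root, then with the issuing CA concatenated as well; `list_bundle` prints subject and issuer for every certificate in a bundle.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> issuing CA -> device certificate.
set -eu

make_demo_pki() (   # $1 = working directory; runs in a subshell so cd stays local
    cd "$1"
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = unused' '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > ca.cnf
    # Self-signed root CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config ca.cnf -extensions v3_ca \
        -subj '/CN=Demo Root CA' -keyout root.key -out root.pem 2>/dev/null
    # Issuing (intermediate) CA, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj '/CN=Demo Issuing CA' -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 2 -extfile ca.cnf -extensions v3_ca -out int.pem 2>/dev/null
    # Device certificate, signed by the issuing CA (what a phone would present).
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj '/CN=demo-phone' -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 2 -out leaf.pem 2>/dev/null
)

# Print "OK", or the OpenSSL verify error number, for cert $2 against CA bundle $1.
verify_with() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo OK; return 0; }
    printf '%s\n' "$out" | sed -n 's/^error \([0-9]*\) at.*/\1/p' | head -n 1
}

# Print subject and issuer of every certificate contained in PEM bundle $1.
list_bundle() {
    openssl crl2pkcs7 -nocrl -certfile "$1" \
        | openssl pkcs7 -print_certs -noout | grep -E '^(subject|issuer)'
}

work=$(mktemp -d)
make_demo_pki "$work"
cp "$work/root.pem" "$work/ca_root_only.pem"                       # root alone
cat "$work/root.pem" "$work/int.pem" > "$work/ca_full.pem"         # root + issuing CA

echo "root only:         $(verify_with "$work/ca_root_only.pem" "$work/leaf.pem")"
echo "root + issuing CA: $(verify_with "$work/ca_full.pem" "$work/leaf.pem")"
list_bundle "$work/ca_full.pem"
```

Running `list_bundle` on the real `ca_file` and comparing its subjects with the issuer of the certificate the phone presents shows which CA is still missing.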