Thank you Fabrice
Now it works. I have copied more certificates to the CA File. The "wired
Phones" certificate was needed.
The only thing I'm wondering is that the connection type for the phones is
"Wired MAC Auth" and not "Wired 802.1x" like the Win 10 Clients.
From: Fabrice Durand <[email protected]>
To: [email protected]
Sent: 20:04 Wednesday, 31 May 2017
Subject: Re: [PacketFence-users] EAP-TLS with IP-PHones
You are probably missing some certificates; here is what I used:
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel Enterprise Solutions
X509v3 Subject Key Identifier:
B7:1F:4E:45:B5:00:DD:F3:C7:9A:97:62:04:08:D1:9A:4C:BA:4A:0D
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 1
X509v3 Subject Key Identifier:
78:7A:40:06:A1:79:56:85:BC:05:9B:D5:9A:D3:B0:16:4F:16:CB:E2
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 2
X509v3 Subject Key Identifier:
88:3E:CC:2D:90:29:C9:FE:14:FC:D3:30:A6:55:06:58:68:3F:A8:41
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 3
X509v3 Subject Key Identifier:
92:D7:26:7D:FD:3F:00:B9:4D:B3:19:89:0A:8D:03:60:ED:AC:DD:0A
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 4
X509v3 Subject Key Identifier:
F2:4A:85:BA:64:98:68:45:21:BD:38:4B:BB:98:88:35:50:65:61:71
Subject: C=FR, O=Alcatel-Lucent, OU=PKI Authority, CN=Wired Phones
X509v3 Subject Key Identifier:
D2:05:A3:38:E6:56:67:AC:85:3C:A4:21:5C:64:CF:D2:49:DB:CC:02
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel IP Touch
X509v3 Subject Key Identifier:
56:92:08:12:EE:43:D4:AF:B5:20:11:C0:92:A8:E0:62:C1:1E:7F:7C
On 2017-05-31 at 11:37, Christian Gfeller wrote:
Hello Fabrice

Thank you for your reply. I have copied the Alcatel CA Cert to my existing CA
Certificate:

-----BEGIN CERTIFICATE-----
MS CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Alcatel CA
-----END CERTIFICATE-----

Then I restarted the radiusd service. When the phone tries to authenticate
(EAP-TLS), this message is in radius.log:

May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
May 31 17:28:03 nac2 auth[4563]: tls: TLS_accept: Error in error
May 31 17:28:03 nac2 auth[4563]: (24) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [ALCIPT] (from client 192.168.1.46 port 20 cli 00:80:9f:dd:33:b0)

What is missing?

Thank you
Chris
From: Fabrice Durand <[email protected]>
To: [email protected]
Sent: 19:09 Tuesday, 23 May 2017
Subject: Re: [PacketFence-users] EAP-TLS with IP-PHones
Hello Chris,

in fact you have to concatenate the root certificate in your CA file
(ca_file in eap.conf).

Regards
Fabrice
On 2017-05-23 at 11:16, Christian Gfeller wrote:
Hello PacketFence users

I have an installation of PacketFence 7.0. MSPKI is integrated
(https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html) and
EAP-TLS with Windows clients (802.1x) works fine. We have Alcatel Lucent wired
IP Phones which support 802.1x (MD5 and TLS) too. There is a certificate from
Alcatel preinstalled on the phone (issued by “Alcatel Enterprise Solutions”).
I have downloaded the “Alcatel Enterprise Solutions” root certificate.

Which is the right way to authenticate the IP phones with the built-in
certificate? How can I install the root certificate with the already installed
MSPKI?

Thank you
Chris
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
[email protected] :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
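
Added example (not part of the original thread): the script below builds a constructed three-level PKI with placeholder names and shows why a CA bundle holding only the root produces OpenSSL error 20 for a device certificate, while a bundle that also contains the issuing CA verifies. It assumes OpenSSL 1.1.1 or later on the PATH; none of the names are the Alcatel certificates listed above.

```shell
#!/bin/sh
# Added example with a constructed PKI: Demo Root -> Demo Phones CA -> phone cert.
# All names are placeholders; this is not the Alcatel hierarchy from the thread.
WORK=$(mktemp -d) && cd "$WORK" || exit 1
printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > demo.cnf

mk_csr() {  # $1 = file stem, $2 = subject DN
  openssl req -config demo.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

make_demo_pki() {
  mk_csr root "/O=Demo/CN=Demo Root" &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile demo.cnf -extensions ca -out root.pem 2>/dev/null &&
  mk_csr sub "/O=Demo/CN=Demo Phones CA" &&
  openssl x509 -req -in sub.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile demo.cnf -extensions ca -out sub.pem 2>/dev/null &&
  mk_csr phone "/O=Demo/CN=phone-0001" &&
  openssl x509 -req -in phone.csr -CA sub.pem -CAkey sub.key -CAcreateserial \
    -days 30 -out phone.pem 2>/dev/null &&
  cat root.pem sub.pem > full.pem   # concatenated bundle: root plus issuing CA
}

# List every certificate in a PEM bundle (subject and issuer), one pair per cert.
list_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Verify the device certificate against a bundle, the way a ca_file is used.
check_bundle() { openssl verify -CAfile "$1" phone.pem 2>&1; }

make_demo_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "== bundle with root only =="
check_bundle root.pem || echo "-> rejected: issuing CA missing from the bundle"
echo "== bundle with root + issuing CA =="
check_bundle full.pem && list_bundle full.pem
```

Running `list_bundle` against the file named by `ca_file` shows which CA certificates the server will actually trust, which can then be compared with the issuer of the device certificate.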