And here comes the culmination of my saga with PKI ;)
Actually, I was slowly going towards it and really hoped I would jump through
this final hoop smoothly.
Alas… Anyway, to cut a long story short, I failed TLS authentication for a
Windows 10 endpoint.
Here’s what I did so far. We want to issue certificates to users based on MAC
addresses of their devices.
Hence I added a new certificate and used MAC address in CN field in the format
70:1a:04:2c:52:ff
The profile I used while issuing this certificate was created exactly as it was
described in the admin guide for PKI, namely TLSClient. Then I downloaded this
certificate after it was signed and imported to Windows laptop.
The security properties of the wireless connection profile on the laptop were
configured to use TLS, i.e.
Microsoft: Smart card or other certificate
I tried to authenticate while running radius in debug mode and saw a lot of
interesting stuff.
Pasting only relevant lines:
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Got final TLS record fragment (46 bytes)
(5) eap_tls: [eaptls verify] = ok
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "03"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/[email protected]/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/[email protected]/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
(5) eap_tls: ERROR: System call (I/O) error (-1)
(5) eap_tls: ERROR: TLS receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 213 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
(5) Using Post-Auth-Type Reject
The same happens if I issue the certificate to the user based on their name, not the MAC
address:
(5) eap_tls: TLS-Client-Cert-Serial := "04"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110083931Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=it.tech/[email protected]/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/[email protected]/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "it.tech"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Eugene
From: Durand fabrice [mailto:[email protected]]
Sent: Tuesday, January 09, 2018 2:46 PM
To: E.P.
Cc: [email protected]
Subject: Re: [PacketFence-users] PKI installation
The admin user is different between PacketFence and the PKI.
When I said "In configuration -> Users -> Edit admin -> Change User Password",
it was in the PKI admin interface.
Fabrice
On 2018-01-09 at 13:47, E.P. wrote:
Sorry for being a pain in the lower part of the back, Fabrice ;)
I thought that the admin user in PF is different from PKI.
At least I know that I did change the password for admin in PF as you described
and this is how I login to the main GUI.
But I can’t log in as admin with the same password to PKI.
Eugene
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users