Hello Eugene,

You probably need to import the CA certificate or uncheck "verify server
certificate" in your supplicant config.

Regards

Fabrice



On 2018-01-10 at 03:57, E.P. via PacketFence-users wrote:
>
> And here comes the culmination of my saga with PKI ;)
>
> Actually, I was slowly going towards it and really hoped I would jump
> through this final hoop smoothly.
>
> Alas… Anyway, to cut a long story short, TLS authentication for the
> Windows 10 endpoint failed.
>
> Here’s what I did so far. We want to issue certificates to users based
> on the MAC addresses of their devices.
>
> Hence I added a new certificate and used the MAC address in the CN field in
> the format 70:1a:04:2c:52:ff
>
> The profile I used while issuing this certificate was created exactly
> as described in the admin guide for PKI, namely TLSClient. Then
> I downloaded this certificate after it was signed and imported it on the
> Windows laptop.
>
> The security properties of the wireless connection profile on the
> laptop were configured to use TLS, i.e.
>
> Microsoft: Smart card or other certificate
>
> Trying to authenticate while running radius in debug mode, I see a
> lot of interesting stuff.
>
> Pasting only the relevant lines:
>
> (5) eap_tls: Continuing EAP-TLS
> (5) eap_tls: Got final TLS record fragment (46 bytes)
> (5) eap_tls: [eaptls verify] = ok
> (5) eap_tls: Done initial handshake
> (5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
> (5) eap_tls: Creating attributes from certificate OIDs
> (5) eap_tls:   TLS-Client-Cert-Serial := "03"
> (5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
> (5) eap_tls:   TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
> (5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
> (5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
> (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
>
> (5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
> tls: TLS_accept: Error in error
> (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
> (5) eap_tls: ERROR: System call (I/O) error (-1)
> (5) eap_tls: ERROR: TLS receive handshake failed during operation
> (5) eap_tls: ERROR: [eaptls process] = fail
> (5) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
> (5) eap: Sending EAP Failure (code 4) ID 213 length 4
> (5) eap: Failed in EAP select
> (5)     [eap] = invalid
> (5)   } # authenticate = invalid
> (5) Failed to authenticate the user
> (5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
> (5) Using Post-Auth-Type Reject
>
> The same happens if I issue the certificate to the user based on their name,
> not the MAC address:
>
> (5) eap_tls:   TLS-Client-Cert-Serial := "04"
> (5) eap_tls:   TLS-Client-Cert-Expiration := "200110083931Z"
> (5) eap_tls:   TLS-Client-Cert-Subject := "/CN=it.tech/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
> (5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
> (5) eap_tls:   TLS-Client-Cert-Common-Name := "it.tech"
> (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
>
> Eugene
>
>
> *From:*Durand fabrice [mailto:fdur...@inverse.ca]
> *Sent:* Tuesday, January 09, 2018 2:46 PM
> *To:* E.P.
> *Cc:* packetfence-users@lists.sourceforge.net
> *Subject:* Re: [PacketFence-users] PKI installation
>
>
> The admin user is different between PacketFence and the PKI.
>
> When I said "In configuration -> Users -> Edit admin -> Change User
> Password" it was in the PKI admin interface.
>
> Fabrice
>
> On 2018-01-09 at 13:47, E.P. wrote:
>
>     Sorry for being a pain in the lower part of the back, Fabrice ;)
>
>     I thought that the admin user in PF was different from the PKI one.
>
>     At least I know that I did change the password for admin in PF as
>     you described, and this is how I log in to the main GUI.
>
>     But I can’t log in as admin with the same password to the PKI.
>
>     Eugene
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
>
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users

-- 
Fabrice Durand
fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 
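Added example (not from the thread, and not PacketFence or FreeRADIUS code): a small shell check, using only openssl, that reproduces the verification step the RADIUS server runs on the client certificate in the logs above. OpenSSL error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: the side doing the verification has no certificate in its own trust store that issued the certificate it just received. The script builds a throwaway CA and two client certificates (one with a MAC address in the CN, one with a user name, mirroring the two attempts in the thread), then verifies each against the issuing CA and against an unrelated CA. Only the trust store decides the outcome; the CN plays no part, which is why switching from a MAC address to a user name changed nothing. The CA names Demo-PF-CA and Unrelated-CA, the file names and the temp directory are all made up for the demo.

```sh
#!/bin/sh
# Added example, not PacketFence or FreeRADIUS code: reproduce OpenSSL verify
# error 20 ("unable to get local issuer certificate") with a throwaway PKI.
# All subjects and file names below are made up for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME : self-signed CA certificate and key as $WORK/NAME.crt / NAME.key
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=$1/O=Demo" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# new_client CANAME CN FILE : client certificate with subject CN, signed by CANAME
new_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2/O=Demo" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/$3.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$3.crt" >/dev/null 2>&1
}

make_pki() {
  new_ca Demo-PF-CA                                    # the CA that issues the client certs
  new_ca Unrelated-CA                                  # a CA the client certs do NOT chain to
  new_client Demo-PF-CA 70:1a:04:2c:52:ff mac-client   # CN = MAC address
  new_client Demo-PF-CA it.tech user-client            # CN = user name
}

# verify_client CANAME FILE : the same X.509 path validation the RADIUS server
# performs on a received client certificate, with CANAME.crt as the entire
# trust store. Prints "ok" on success, otherwise the OpenSSL error number.
verify_client() {
  if out="$(openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>&1)"; then
    echo ok
    return 0
  fi
  # failure line looks like:
  #   error 20 at 0 depth lookup: unable to get local issuer certificate
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth.*/\1/p' | head -n 1
  return 1
}

make_pki
for c in mac-client user-client; do
  echo "$c against Demo-PF-CA:   $(verify_client Demo-PF-CA "$c" || true)"
  echo "$c against Unrelated-CA: $(verify_client Unrelated-CA "$c" || true)"
done
```

To run the same check against a real setup, point -CAfile at the CA bundle the RADIUS server actually loads (the ca_file setting in the tls configuration of the FreeRADIUS eap module) and the last argument at the certificate the PKI issued. A 20 there means the PKI's CA certificate is missing from that bundle; this is decided entirely on the server side and is unaffected by whatever the supplicant has been told to trust.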
