More to this issue, Fabrice,
I changed to the PEAP method on the same Windows laptop and kept the option of
validating the server certificate, pointing it directly at the name as it shows in
the CN of the PF RADIUS server. No problem at all, authentication goes through.
I checked for similar errors reported by PF enthusiasts earlier and found that
this is not the first time, and you advised concatenating the root certificate
into the CA file. What did you mean by that, Fabrice?
Eugene
From: E.P. [mailto:ype...@gmail.com]
Sent: Wednesday, January 10, 2018 11:14 AM
To: packetfence-users@lists.sourceforge.net
Cc: 'Fabrice Durand'
Subject: RE: [PacketFence-users] Device authentication with client TLS certificate issued by PKI
Hi Fabrice,
I already dug around it.
The CA certificate (*.pem format) was imported into Windows without any problem
and I see it under the “Trusted Root Certification Authorities” container. Just in
case, I also placed the CA cert into “Third-Party Root Certification Authorities”.
On the client PC I have this certificate showing:
Also, I tried it without validating the server certificate, same result, reason:
eap_tls: SSL says error 20 : unable to get local issuer certificate
Eugene
From: Fabrice Durand via PacketFence-users
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, January 10, 2018 6:07 AM
To: E.P. via PacketFence-users
Cc: Fabrice Durand
Subject: Re: [PacketFence-users] Device authentication with client TLS certificate issued by PKI
Hello Eugene,
You probably need to import the CA certificate or uncheck “verify server
certificate” in your supplicant config.
Regards
Fabrice
On 2018-01-10 at 03:57, E.P. via PacketFence-users wrote:
And here comes the culmination of my saga with PKI ;)
Actually, I was slowly going towards it and really hoped I would jump through
this final hoop smoothly.
Alas… Anyway, to cut a long story short, I failed TLS authentication for a
Windows 10 endpoint.
Here’s what I did so far. We want to issue certificates to users based on the MAC
addresses of their devices.
Hence I added a new certificate and used the MAC address in the CN field, in the
format 70:1a:04:2c:52:ff.
The profile I used while issuing this certificate was created exactly as
described in the admin guide for the PKI, namely TLSClient. Then I downloaded this
certificate after it was signed and imported it on the Windows laptop.
The security properties of the wireless connection profile on the laptop were
configured to use TLS, i.e.
Microsoft: Smart card or other certificate
I tried to authenticate while running radius in debug mode and saw a lot of
interesting stuff.
Pasting only the relevant lines:
(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Got final TLS record fragment (46 bytes)
(5) eap_tls: [eaptls verify] = ok
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "03"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL
routines:ssl3_get_client_certificate:certificate verify failed
(5) eap_tls: ERROR: System call (I/O) error (-1)
(5) eap_tls: ERROR: TLS receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 213 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer
certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli
70:1a:04:2c:52:ff)
(5) Using Post-Auth-Type Reject
The same happens if I issue the certificate to the user based on their name, not
the MAC address:
(5) eap_tls: TLS-Client-Cert-Serial := "04"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110083931Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=it.tech/emailAddress=it.t...@options.bc.ca/ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it.t...@options.bc.ca/ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "it.tech"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Eugene
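What “concatenate the root certificate into the CA file” amounts to, as an added example that is not from this thread or from the PacketFence project: FreeRADIUS validates the presented client certificate against the PEM bundle named by the `ca_file` setting in the EAP module's TLS configuration, and OpenSSL's error 20 (`unable to get local issuer certificate`, surfaced to the supplicant as the `unknown CA` alert in the log above) is what you get when the CA that signed the client certificate is not in that bundle. The script below rebuilds that situation with a scratch CA, reproduces the error with `openssl verify`, appends the CA certificate to the bundle, and verifies again. The scratch CA, the client certificate, the unrelated `Some-Other-CA` already in the bundle and every file name are constructed for the example; the location of the bundle on a PacketFence box (commonly under the FreeRADIUS `certs` directory, `ca.pem` in the thread's terms) is an assumption to confirm against your own `eap` configuration, and radiusd reads the file at startup, so restart it after changing it.

```shell
#!/bin/sh
# Added example, not from the thread or from PacketFence: reproduce OpenSSL
# error 20 for an EAP-TLS client certificate and fix it by appending the
# issuing CA to the CA bundle. All names and paths below are constructed.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Scratch PKI standing in for the PacketFence PKI: a CA named like the one in
# the thread, and a client certificate with the device MAC as its CN. The
# CA file starts out trusting only an unrelated CA, which is the failing state.
make_scratch_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Options-PF-CA/O=Scratch" \
    -keyout "$WORK/pf-ca.key" -out "$WORK/pf-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=70:1a:04:2c:52:ff/O=Scratch" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/client.csr" \
    -CA "$WORK/pf-ca.pem" -CAkey "$WORK/pf-ca.key" -CAcreateserial \
    -out "$WORK/client.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Some-Other-CA/O=Scratch" \
    -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" 2>/dev/null
  cp "$WORK/other-ca.pem" "$WORK/ca_file.pem"
}

# The same check eap_tls performs on the presented client certificate: build
# its chain from the CA file. Prints "OK" or the OpenSSL reason; returns 0 or 1.
verify_client_cert() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo OK
    return 0
  fi
  echo "$out" | grep -o 'unable to get local issuer certificate' || echo "$out"
  return 1
}

# List the CA subjects a PEM bundle actually contains, which is the first thing
# to check when eap_tls reports "unknown CA".
list_bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout \
    | grep '^subject'
}

# The fix: a PEM CA file is just certificates back to back, so appending the
# PKI's CA certificate is all "concatenate" means. radiusd reads the file at
# startup, so restart it afterwards on a real server.
fix_ca_file() {
  cat "$2" >> "$1"
}

make_scratch_pki
echo "before: $(verify_client_cert "$WORK/ca_file.pem" "$WORK/client.pem")"
fix_ca_file "$WORK/ca_file.pem" "$WORK/pf-ca.pem"
list_bundle_subjects "$WORK/ca_file.pem"
echo "after:  $(verify_client_cert "$WORK/ca_file.pem" "$WORK/client.pem")"
```

On a real server, run `list_bundle_subjects` against the bundle named in your `ca_file` setting: if the PKI's CA subject (`CN=Options-PF-CA` in the thread) is not listed, the client certificate cannot chain and eap_tls will keep reporting error 20 no matter what the Windows supplicant trusts. Importing the CA into the Windows store only fixes the server-certificate check in the other direction, which is why PEAP with server validation worked while EAP-TLS still failed.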
From: Durand fabrice [mailto:fdur...@inverse.ca]
Sent: Tuesday, January 09, 2018 2:46 PM
To: E.P.
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] PKI installation
The admin user is different between PacketFence and the PKI.
When I said "In configuration -> Users -> Edit admin -> Change User Password",
it was in the PKI admin interface.
Fabrice
On 2018-01-09 at 13:47, E.P. wrote:
Sorry for being a pain in the lower part of the back, Fabrice ;)
I thought that the admin user in PF is different from the PKI one.
At least I know that I did change the password for admin in PF as you described,
and this is how I log in to the main GUI.
But I can’t log in as admin with the same password to the PKI.
Eugene
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)