Did you set ca_file = [% install_dir %]/conf/ssl/tls_certs/MYCA.pem in
conf/radiusd/eap.conf? (MYCA.pem is the CA public key of your PKI)


On 2018-01-10 at 15:43, E.P. wrote:
>
> More to this issue, Fabrice,
>
> I changed to PEAP method on the same Windows laptop and kept an option
> of validating server certificate by pointing it directly the name as
> it shows in CN of the PF RADIUS server. No problem at all,
> authentication goes through.
>
>  
>
> I checked for similar errors reported by PF enthusiasts earlier and
> found that this is not the first time and you advised to concatenate
> the root certificate in CA file. What did you mean by it, Fabrice ?
>
>  
>
> Eugene
>
>  
>
> *From:* E.P. [mailto:[email protected]]
> *Sent:* Wednesday, January 10, 2018 11:14 AM
> *To:* [email protected]
> *Cc:* 'Fabrice Durand'
> *Subject:* RE: [PacketFence-users] Device authentication with client
> TLS certificate issued by PKI
>
>  
>
> Hi Fabrice,
>
> I already dug it around.
>
> The CA certificate (*.pem format) was imported into Windows without
> any problem and I see it under “Trusted Root Certification
> Authorities” container. Just in case, I also placed the CA cert into
> “Third-party Root Certification Authorities”.
>
> On the client PC I have this certificate showing:
>
> Also tried it without validating the server certificate, same result,
> reason: eap_tls: SSL says error 20 : unable to get local issuer
> certificate
>
>  
>
> Eugene
>
>  
>
> *From:* Fabrice Durand via PacketFence-users
> [mailto:[email protected]]
> *Sent:* Wednesday, January 10, 2018 6:07 AM
> *To:* E.P. via PacketFence-users
> *Cc:* Fabrice Durand
> *Subject:* Re: [PacketFence-users] Device authentication with client
> TLS certificate issued by PKI
>
>  
>
> Hello Eugene,
>
> you probably need to import the CA certificate or uncheck verify
> server certificate in your supplicant config.
>
> Regards
>
> Fabrice
>
>
> On 2018-01-10 at 03:57, E.P. via PacketFence-users wrote:
>
>     And here comes the culmination of my saga with PKI ;)
>
>     Actually, I was slowly going towards it and really hoped I would
>     jump through this final hoop smoothly.
>
>     Alas… Anyway, to cut a long story short, I failed TLS
>     authentication for a Windows 10 endpoint.
>
>     Here’s what I did so far. We want to issue certificates to users
>     based on the MAC addresses of their devices.
>
>     Hence I added a new certificate and used the MAC address in the CN
>     field in the format 70:1a:04:2c:52:ff
>
>     The profile I used while issuing this certificate was created
>     exactly as described in the admin guide for PKI, namely
>     TLSClient. Then I downloaded this certificate after it was signed
>     and imported it on the Windows laptop.
>
>     The security properties of the wireless connection profile on the
>     laptop were configured to use TLS, i.e.
>
>     Microsoft: Smart card or other certificate
>
>     Trying to authenticate while running radius in debug mode, I see
>     a lot of interesting stuff.
>
>     Pasting only the relevant lines:
>
>     (5) eap_tls: Continuing EAP-TLS
>     (5) eap_tls: Got final TLS record fragment (46 bytes)
>     (5) eap_tls: [eaptls verify] = ok
>     (5) eap_tls: Done initial handshake
>     (5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
>     (5) eap_tls: Creating attributes from certificate OIDs
>     (5) eap_tls:   TLS-Client-Cert-Serial := "03"
>     (5) eap_tls:   TLS-Client-Cert-Expiration := "200110080019Z"
>     (5) eap_tls:   TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/[email protected]/ST=BC/O=Options Community Services/C=CA"
>     (5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/[email protected]/ST=British Columbia/O=Options Community Services/C=CA"
>     (5) eap_tls:   TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
>     (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
>     (5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
>     tls: TLS_accept: Error in error
>     (5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
>     (5) eap_tls: ERROR: System call (I/O) error (-1)
>     (5) eap_tls: ERROR: TLS receive handshake failed during operation
>     (5) eap_tls: ERROR: [eaptls process] = fail
>     (5) eap: ERROR: Failed continuing EAP TLS (13) session.  EAP sub-module failed
>     (5) eap: Sending EAP Failure (code 4) ID 213 length 4
>     (5) eap: Failed in EAP select
>     (5)     [eap] = invalid
>     (5)   } # authenticate = invalid
>     (5) Failed to authenticate the user
>     (5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
>     (5) Using Post-Auth-Type Reject
>
>     The same happens if I issue the certificate to the user based on
>     their name, not the MAC address:
>
>     (5) eap_tls:   TLS-Client-Cert-Serial := "04"
>     (5) eap_tls:   TLS-Client-Cert-Expiration := "200110083931Z"
>     (5) eap_tls:   TLS-Client-Cert-Subject := "/CN=it.tech/[email protected]/ST=BC/O=Options Community Services/C=CA"
>     (5) eap_tls:   TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/[email protected]/ST=British Columbia/O=Options Community Services/C=CA"
>     (5) eap_tls:   TLS-Client-Cert-Common-Name := "it.tech"
>     (5) eap_tls:   ERROR: SSL says error 20 : unable to get local issuer certificate
>
>     Eugene
>
>
>     *From:* Durand fabrice [mailto:[email protected]]
>     *Sent:* Tuesday, January 09, 2018 2:46 PM
>     *To:* E.P.
>     *Cc:* [email protected]
>     <mailto:[email protected]>
>     *Subject:* Re: [PacketFence-users] PKI installation
>
>      
>
>     The admin user is different between PacketFence and the PKI.
>
>     When I said "In configuration -> Users -> Edit admin -> Change
>     User Password" it was in the PKI admin interface.
>
>     Fabrice
>
>
>     On 2018-01-09 at 13:47, E.P. wrote:
>
>         Sorry for being a pain in the lower part of the back, Fabrice ;)
>
>         I thought that the admin user in PF is different from PKI.
>
>         At least I know that I did change the password for admin in PF
>         as you described and this is how I login to the main GUI.
>
>         But I can’t log in as admin with the same password to the PKI.
>
>          
>
>         Eugene
>

-- 
Fabrice Durand
[email protected] ::  +1.514.447.4918 (x135) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence 
(http://packetfence.org) 

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
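Added example, not code from this thread, from PacketFence or from FreeRADIUS: a POSIX shell script that reproduces the failure above (OpenSSL X509 error 20, "unable to get local issuer certificate") with a throwaway CA and a client certificate carrying a MAC address in its CN, then applies the fix suggested in the thread, concatenating the issuing CA into the file that `ca_file` in conf/radiusd/eap.conf points at. It also shows the check to run by hand: the TLS-Client-Cert-Issuer DN printed in the radiusd debug output must match the subject of a certificate in that file. All DNs, file names and the temporary directory are constructed for the demo; only `openssl` is required.

```shell
#!/bin/sh
# Added example (not PacketFence or FreeRADIUS code): reproduce X509 error 20
# ("unable to get local issuer certificate") with a throwaway CA and client
# certificate, then fix it the way the thread suggests, by putting the issuing
# CA into the file that eap.conf's ca_file points at. All names, DNs and paths
# below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# 1. The issuing CA, standing in for the PacketFence PKI's MYCA.pem.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config "$WORK/openssl.cnf" -extensions v3_ca \
  -subj "/CN=Demo-PF-CA/O=Demo/C=CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. A client certificate with the device MAC address in the CN, as in the
#    thread, signed by that CA.
openssl req -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/openssl.cnf" \
  -subj "/CN=70:1a:04:2c:52:ff/O=Demo/C=CA" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/openssl.cnf" -extensions v3_client \
  -out "$WORK/client.pem" 2>/dev/null

# 3. An unrelated CA: what ca_file contains when it only holds the RADIUS
#    server's own CA and not the one that issued the client certificates.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config "$WORK/openssl.cnf" -extensions v3_ca \
  -subj "/CN=Other-CA/O=Demo/C=CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null

# verify_client CAFILE CERT: the chain check OpenSSL runs inside FreeRADIUS
# when the supplicant's certificate arrives. Prints "ok", or the X509 verify
# error number (20 = unable to get local issuer certificate).
verify_client() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
  case $out in
    *": OK"*) echo ok; return 0 ;;
  esac
  echo "$out" | sed -n 's/.*error \([0-9]*\) at.*/\1/p' | head -n 1
  return 1
}

# ca_file_has_issuer CAFILE CERT: the check to do by hand against the debug
# log. The TLS-Client-Cert-Issuer DN printed by radiusd must appear as the
# subject of one of the certificates in ca_file.
ca_file_has_issuer() {
  issuer=$(openssl x509 -noout -issuer -in "$2" | sed 's/^issuer= *//')
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout \
    | sed -n 's/^subject= *//p' | grep -Fxq "$issuer"
}

# The failing state from the thread: ca_file holds a CA that did not issue
# the client certificate, so radiusd logs "SSL says error 20".
cp "$WORK/other.pem" "$WORK/ca_file.pem"
echo "before: $(verify_client "$WORK/ca_file.pem" "$WORK/client.pem" || true)"

# The fix: concatenate the issuing CA onto the file named by ca_file in
# conf/radiusd/eap.conf (MYCA.pem in the thread), then restart radiusd.
cat "$WORK/ca.pem" >> "$WORK/ca_file.pem"
echo "after:  $(verify_client "$WORK/ca_file.pem" "$WORK/client.pem")"
ca_file_has_issuer "$WORK/ca_file.pem" "$WORK/client.pem" && echo "issuer present in ca_file"
```

On a real PacketFence host the file to inspect is the one named by `ca_file` in eap.conf; `openssl verify -CAfile <that file> client.pem` gives the same verdict radiusd will reach, and radiusd has to be restarted after the file changes. The `TLS Alert write:fatal:unknown CA` line in the debug output is that same verdict as sent to the supplicant, which is why unchecking server-certificate validation on the Windows side cannot help: the rejection happens on the server.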
