Hello Wifi Guy,

Can you show me your profile.conf and authentication?

Hide personal information.

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On Nov 30, 2018, at 11:00 AM, Wifi Guy via PacketFence-users 
> <packetfence-users@lists.sourceforge.net> wrote:
> 
> This is it not working for machine auth:
> 
> MAC Address   8c:85:90:24:56:2a
> Auth Status   Accept
> Auth Type     eap
> Auto Registration     yes
> Calling Station ID    8c:85:90:24:56:2a
> Computer name PC1
> EAP Type      TLS
> Event Type    Radius-Access-Request
> IP Address    
> Is a Phone    no
> Node status   reg
> Domain        
> Profile       Secure
> Realm null
> Reason        
> Role  N/A
> Source        N/A
> Stripped User Name    host/PC1.skynet-home.co.uk
> User Name     host/PC1.skynet-home.co.uk
> Unique ID     
> Create at     2018-11-30 15:59:47
> 
> 
> request_time  1
> RADIUS Request        User-Name = "host/PC1.skynet-home.co.uk" NAS-IP-Address = 172.16.0.63 NAS-Port = 0 
> Service-Type = Framed-User Framed-MTU = 1500 State = 
> 0x69a47a026f7477b337b5a73185ad654b Called-Station-Id = 
> "34:85:84:01:ad:e4:Secure" Calling-Station-Id = "8c:85:90:24:56:2a" 
> NAS-Identifier = "AP-Living Room" NAS-Port-Type = Wireless-802.11 
> Acct-Session-Id = "97AE1E134BCDFF20" Acct-Multi-Session-Id = 
> "14EE5B922493DD46" Event-Timestamp = "Nov 30 2018 15:59:46 UTC" Connect-Info 
> = "11ac" EAP-Message = 0x02d000060d00 Message-Authenticator = 
> 0x5938ec0d8636f372977291ab5284b7c3 WLAN-Pairwise-Cipher = 1027076 
> WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 EAP-Type = TLS 
> Stripped-User-Name = "host/PC1.skynet-home.co.uk" Realm = "null" FreeRADIUS-Client-IP-Address 
> = 172.16.0.63 Called-Station-SSID = "Secure" Tmp-String-1 = "8c859024562a" 
> TLS-Cert-Serial = "40ba1f957d9defac4bb5cb77b86c839d" TLS-Cert-Expiration = 
> "231116144940Z" TLS-Cert-Issuer = 
> "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" TLS-Cert-Subject = 
> "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" TLS-Cert-Common-Name = 
> "skynet-home-CA" TLS-Client-Cert-Serial = 
> "6000000039b80f00dd8d7f8258000000000039" TLS-Client-Cert-Expiration = 
> "191130094831Z" TLS-Client-Cert-Issuer = 
> "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" 
> TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Client Authentication" 
> TLS-Client-Cert-X509v3-Subject-Key-Identifier = 
> "52:BD:9A:9B:D8:AD:71:57:DF:85:7D:45:CF:55:7D:21:1E:25:95:1B" 
> TLS-Client-Cert-X509v3-Authority-Key-Identifier = 
> "keyid:0B:28:C9:C3:08:39:78:F4:9B:F0:9A:0D:8E:E7:34:F0:65:B5:17:F7\n" 
> TLS-Client-Cert-Subject-Alt-Name-Dns = "PC1.skynet-home.co.uk" TLS-Client-Cert-Subject-Alt-Name-Upn = 
> "PC1$@skynet-home.co.uk" 
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID = "1.3.6.1.5.5.7.3.2" 
> Attr-26.26928.1 = 0x00000000 Attr-26.26928.6 = 0x00000004 User-Password = 
> "******" SQL-User-Name = "host/PC1.skynet-home.co.uk"
> RADIUS Reply  EAP-Message = 0x03d00004 Message-Authenticator = 
> 0x00000000000000000000000000000000 User-Name = "host/PC1.skynet-home.co.uk"
> 
> This shows it working for user auth
> 
> MAC Address   8c:85:90:24:56:2a
> Auth Status   Accept
> Auth Type     eap
> Auto Registration     yes
> Calling Station ID    8c:85:90:24:56:2a
> Computer name PC1
> EAP Type      TLS
> Event Type    Radius-Access-Request
> IP Address    
> Is a Phone    no
> Node status   reg
> Domain        
> Profile       Secure
> Realm skynet-home.co.uk
> Reason        
> Role  Corp
> Source        AD-Source
> Stripped User Name    Administrator
> User Name     administra...@skynet-home.co.uk
> Unique ID     
> Create at     2018-11-30 15:41:21
> 
> request_time  0
> RADIUS Request        
> RADIUS Reply  EAP-Message = 0x03560004 Message-Authenticator = 
> 0x00000000000000000000000000000000 User-Name = "administra...@skynet-home.co.uk" 
> Filter-Id = "Corp"
> 
> It seems that the role is not assigned for machine/computer auth???
> 
> The AD-source has the correct SPN applied as per the docs.
> 
> Anyone got any tips?
> 
> Thanks
> Wi-Fi Guy
> 
> 
> On Thu, 29 Nov 2018 at 18:30, Wifi Guy <wifisp...@gmail.com> wrote:
> Thanks Bill. I had also thought this possible. Ideally it would all be in one 
> place on one platform; we shall see where we get to.
> 
> For anyone wanting to see the request, this is what's happening so far; 
> computer auth seems to not work....
> 
> RADIUS Request        User-Name = "host/Comp2.skynet-home.co.uk" NAS-IP-Address = 172.16.0.63 NAS-Port = 0 
> Service-Type = Framed-User Framed-MTU = 1500 State = 
> 0x4a59ea914ccce7c96fd408ff597208e6 Called-Station-Id = 
> "34:85:84:01:ad:e4:Secure" Calling-Station-Id = "8c:85:90:24:56:2a" 
> NAS-Identifier = "AP-Living Room" NAS-Port-Type = Wireless-802.11 
> Acct-Session-Id = "8C377B2F5EC8C6E8" Acct-Multi-Session-Id = 
> "55DEB027006475D0" Event-Timestamp = "Nov 29 2018 18:26:02 UTC" Connect-Info 
> = "11ac" EAP-Message = 0x029500060d00 Message-Authenticator = 
> 0xf3d6630a0279319ddd21ec0038cb9fb2 WLAN-Pairwise-Cipher = 1027076 
> WLAN-Group-Cipher = 1027076 WLAN-AKM-Suite = 1027073 EAP-Type = TLS 
> Stripped-User-Name = "host/Comp2.skynet-home.co.uk" Realm = "null" 
> FreeRADIUS-Client-IP-Address = 172.16.0.63 Called-Station-SSID = "Secure" 
> Tmp-String-1 = "8c859024562a" TLS-Cert-Serial = 
> "40ba1f957d9defac4bb5cb77b86c839d" TLS-Cert-Expiration = "231116144940Z" 
> TLS-Cert-Issuer = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" 
> TLS-Cert-Subject = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" 
> TLS-Cert-Common-Name = "skynet-home-CA" TLS-Client-Cert-Serial = 
> "600000002a559898304333138d00000000002a" TLS-Client-Cert-Expiration = 
> "191129095447Z" TLS-Client-Cert-Issuer = 
> "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA" 
> TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Client Authentication" 
> TLS-Client-Cert-X509v3-Subject-Key-Identifier = 
> "EB:D0:BA:71:7B:BC:9F:D4:B5:FA:0F:2F:6A:95:9F:C1:E5:BC:B8:28" 
> TLS-Client-Cert-X509v3-Authority-Key-Identifier = 
> "keyid:0B:28:C9:C3:08:39:78:F4:9B:F0:9A:0D:8E:E7:34:F0:65:B5:17:F7\n" 
> TLS-Client-Cert-Subject-Alt-Name-Dns = "Comp2.skynet-home.co.uk" TLS-Client-Cert-Subject-Alt-Name-Upn = 
> "COMP2$@skynet-home.co.uk" 
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID = "1.3.6.1.5.5.7.3.2" 
> Attr-26.26928.1 = 0x00000000 Attr-26.26928.6 = 0x00000004 User-Password = 
> "******" SQL-User-Name = "host/Comp2.skynet-home.co.uk"
> RADIUS Reply  EAP-Message = 0x03950004 Message-Authenticator = 
> 0x00000000000000000000000000000000 User-Name = "host/Comp2.skynet-home.co.uk"
> 
> 
> On Thu, 29 Nov 2018 at 13:37, Bill Rosenbaum <brose...@mc3.edu> wrote:
> We have considered something similar in our environment, but haven’t yet 
> spent the time that you have to evaluate and test.
> 
> One thing that we considered to help with distinguishing college-issued vs. 
> BYOD was to leverage different CAs for issuing certificates. Use Active 
> Directory Certificate Services for college-issued devices, and a separate CA 
> (Packetfence PKI or 3rd party SecureW2…Cloudpath…etc.). Then leverage the 
> difference in certificate issuer in the role assignment process. Again, all 
> theoretical and not sure if it would work or be worth the overhead, but thought 
> I would share the thought in case it helps.
> 
> If it doesn’t help, I appreciate any feedback that will help us to avoid 
> wasting time when we get further down this path. Thanks – Bill
> 
> Bill Rosenbaum
> Director of IT Security
> Montgomery County Community College
> brose...@mc3.edu | (215) 641-6677
> 
> From: Wifi Guy via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Sent: Thursday, November 29, 2018 6:03 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Wifi Guy <wifisp...@gmail.com>
> Subject: [PacketFence-users] EAP-TLS Computer and User Auth
> 
> Good Morning all,
> 
> I have managed to get very far to date with my installation.
> 
> However I am struggling with the last piece of the puzzle: how to handle BYOD 
> devices that authenticate via EAP-TLS (onboarding process) and distinguish 
> them from corp users.
> 
> So I thought the best way to handle this is that corp users that 
> authenticate with EAP-TLS will use Machine Auth and be assigned into a 
> machine role, and other users will be assigned into a BYOD policy. Is this the 
> best approach?
> 
> So, on to the setup. I managed to get a reg VLAN set up. This allows users who are 
> not part of the domain to authenticate via a CWP. There are provisioners 
> set up to assign the device the TLS cert. This works great! :)
> 
> For my corp machines, currently the GPOs etc. are set up. User and computer 
> certs are sent on domain join, so no issues with auto-enrollment. Also the 
> machine has the SSID specified with TLS set and the option "computer 
> authentication" selected. In an ideal world I would be able to chain the 
> authentication (something like TEAP) where computer auth happens at login and 
> then user auth happens at login. But I can't see a way to do this without 
> breaking the BYOD issue?
> 
> My question is what should the GUI setup look like? Currently I have two 
> internal AD sources, one for computer auth (servicePrincipalName) and one for 
> user auth. From the documentation it's not clear how the connection profiles 
> should look, what order things should be in, and if I am looking at this the 
> wrong way.
> 
> Any advice, help etc. would be very helpful.
> 
> WiFiGuy
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
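As an added illustration, and not code from PacketFence or from anyone in this thread: a small Python parser for the one-line "Attr = value" dumps quoted above, followed by a toy role decision in the spirit of Bill's issuer-based idea. It uses constructed requests modelled on the ones in the thread (the onboarding CA DN is made up), and shows why the host/ style User-Name yields no realm while the certificate's UPN SAN still carries one.

```python
import re

# Constructed excerpts modelled on the RADIUS requests quoted in the thread
# (shortened; not captures from the poster's system). The onboarding CA DN
# is made up, standing in for the separate BYOD CA Bill's message suggests.
CORP_CA = "/DC=uk/DC=co/DC=skynet-home/CN=skynet-home-CA"
MACHINE_REQ = ('User-Name = "host/PC1.skynet-home.co.uk" Realm = "null" '
               f'TLS-Client-Cert-Issuer = "{CORP_CA}" '
               'TLS-Client-Cert-Subject-Alt-Name-Upn = "PC1$@skynet-home.co.uk" '
               'EAP-Type = TLS')
USER_REQ = ('User-Name = "administrator@skynet-home.co.uk" '
            f'Realm = "skynet-home.co.uk" TLS-Client-Cert-Issuer = "{CORP_CA}" '
            'EAP-Type = TLS')
BYOD_REQ = ('User-Name = "guest1@skynet-home.co.uk" Realm = "skynet-home.co.uk" '
            'TLS-Client-Cert-Issuer = "/O=Example/CN=Onboarding-PKI" EAP-Type = TLS')

# One match per attribute: the name, then a double-quoted string or a bare token.
ATTR_RE = re.compile(r'([\w.-]+) = ("[^"]*"|\S+)')


def parse_attrs(dump):
    """Turn a one-line 'Attr = value Attr = value' dump into a dict."""
    return {name: value.strip('"') for name, value in ATTR_RE.findall(dump)}


def split_realm(name):
    """user@realm -> (user, realm); a host/FQDN SPN has no '@', so realm is None."""
    if "@" in name:
        user, realm = name.rsplit("@", 1)
        return user, realm
    return name, None


def classify(attrs):
    """Pick a role from the client cert issuer, and the realm a source lookup could use."""
    user_name = attrs["User-Name"]
    _, realm = split_realm(user_name)
    if attrs.get("TLS-Client-Cert-Issuer") != CORP_CA:
        return "BYOD", realm            # issued by the onboarding CA, not AD CS
    if user_name.startswith("host/"):
        # Machine auth: the SPN-style User-Name carries no realm, which is why the
        # dump shows Realm = "null"; the certificate's UPN SAN still has one.
        _, realm = split_realm(attrs.get("TLS-Client-Cert-Subject-Alt-Name-Upn", ""))
        return "Corp-Machine", realm
    return "Corp", realm


if __name__ == "__main__":
    for dump in (MACHINE_REQ, USER_REQ, BYOD_REQ):
        print(classify(parse_attrs(dump)))
```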
