Hello Javier,
On 2019-10-13 at 15:42, Javier Pobeda wrote:
Hi,
Thanks for the replies.
1.- I chose Radius
2.- I've joined PF to the Domain.
3.- I've added the AD as Authentication Source
4.- I've created authentication rules
5.- I've configured the switch as device in PF and also the switch to
talk to PF as Radius as I can see on the logs *"(30212) eap_peap:
ERROR: TLS Alert read:fatal:unknown CA"*
It means that the supplicant doesn't recognize the CA that signed the RADIUS
certificate, so uncheck "verify server certificate" in the supplicant.
Now my question is: is there a place through the GUI to add CA certs
to PF, or do we do it manually by SCP to somewhere around here?
/usr/local/pf/conf/ssl/tls_certs/
@Durand fabrice can you point to the right
place? I'd like to auth wired 802.1x machines with certificates from
our own Microsoft CA. Is it under PKI Providers?
In fact you just need to edit the file eap.conf (conf/radiusd/) and set
the path to your CA cert
(https://github.com/inverse-inc/packetfence/blob/devel/conf/radiusd/eap.conf.example#L204)
The pki provider is when you want to generate certificates on the fly
with a provisioner.
Regards
Fabrice
Thanks
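The eap.conf setting Fabrice points to, as an added example that is not part of the thread and not PacketFence's own shipped eap.conf: a FreeRADIUS 3 style `tls-config` block with `ca_file` set to the CA that issued the RADIUS server certificate. The directory is the one named above; the file names (`server.key`, `server.crt`, `ca.pem`, `dh`) are assumptions, and PacketFence's eap.conf.example may use different names or variables.

```conf
# Added example (not PacketFence's shipped eap.conf): FreeRADIUS 3 style
# tls-config block shared by PEAP and EAP-TLS. Paths and file names are
# assumptions; adapt them to what eap.conf.example actually references.
eap {
    default_eap_type = peap

    tls-config tls-common {
        # Server certificate and private key presented to the supplicant.
        private_key_file = /usr/local/pf/conf/ssl/tls_certs/server.key
        certificate_file = /usr/local/pf/conf/ssl/tls_certs/server.crt

        # CA chain that issued the server certificate (the setting the
        # thread refers to). For EAP-TLS this is also the trust store used
        # to validate client certificates, so only the issuing CA belongs
        # here, not every CA the server happens to trust.
        ca_file = /usr/local/pf/conf/ssl/tls_certs/ca.pem

        dh_file = /usr/local/pf/conf/ssl/tls_certs/dh
        tls_min_version = "1.2"
    }

    tls {
        tls = tls-common
    }

    peap {
        tls = tls-common
        default_eap_type = mschapv2
    }
}
```

Before restarting radiusd (`/usr/local/pf/bin/pfcmd service radiusd restart`), confirm that the chain is what you think it is with `openssl verify -CAfile /usr/local/pf/conf/ssl/tls_certs/ca.pem /usr/local/pf/conf/ssl/tls_certs/server.crt`; a server certificate that does not verify against `ca_file` is the usual cause of the "unknown CA" alert when the supplicant does trust the CA. The alert itself is raised by the supplicant, so the other half of the fix is on the client side: distributing the internal CA to the wired clients (for a Microsoft CA, typically through Group Policy) keeps server-certificate validation enabled, whereas unchecking it leaves the supplicant unable to tell the real RADIUS server from a rogue one before it sends MSCHAPv2 credentials.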
------------------------------------------------------------------------
*From:* Durand fabrice via PacketFence-users
<[email protected]>
*Sent:* Saturday, 12 October 2019 2:06 PM
*To:* [email protected]
<[email protected]>
*Cc:* Durand fabrice <[email protected]>
*Subject:* Re: [PacketFence-users] Setup questions
On 2019-10-08 at 21:14, Javier Pobeda via PacketFence-users wrote:
Hi folks,
I'm struggling to understand basic design stuff.
I want to run my PF server to authenticate remote users (wired
802.1x) and also provide AAA to access network gear assigning role
privilege levels, etc.
Remote offices use different VLAN configuration so I have to be able
to allocate different VLAN IDs with Radius.
What mode should I choose during the setup? Just VLAN, or VLAN and
RADIUS?
Vlan enforcement if you want to use the portal, Radius if you just
want to do radius.
Does this allow for putting a user that fails auth into a
"remediation" LAN?
It depends on what you need; if the 802.1x authentication fails then the
RADIUS request will be rejected. It is up to the switch to decide
what to do with a reject.
*VLAN enforcement*
PacketFence is the server that assigns the VLAN (or roles) to the
devices. This is the preferred enforcement mechanism for manageable
equipment.
*WebAuth enforcement*
PacketFence is the server that assigns the Role (or ACL) to the
devices. This mode is for web authentication.
*RADIUS enforcement*
PacketFence is the server that validates the RADIUS authentication
and returns the VLAN (or roles) to the devices. This mode does not
have a registration option, it is either accept or deny with the
final VLAN.
If I choose VLAN and RADIUS it requires adding new interfaces, but
they MUST be on separate networks, which I'm not sure why if what I
want is to have a remote RADIUS server do the job. I can't quite
get the purpose.
Choose radius in that case.
Regards
Fabrice
Anyone able to shed some light?
Thanks
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users