Hello EP,

It’s under Configuration > Integration > PKI

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Nov 3, 2021, at 3:12 AM, E.P. <ype...@gmail.com> wrote:
>
> Ludovic,
> You caught me off guard with the question about PKI.
> After I upgraded to PF ver 11.0 I was using PF native PKI.
> Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc.,
> CN=Example Server Certificate, emailAddress=ad...@example.org
> Of course we can’t use it. Hence I tried to upload the wild card certificate
> with the private key that was installed on many servers and network devices
> in our company without any issues. For some reason as I demonstrated it
> earlier Windows OS supplicant can’t use or rather doesn’t trust RADIUS server
> presenting this certificate for PEAP session.
> I downloaded this wildcard certificate using PF web interface by going
> into Edit under RADIUS section.
> I don’t mind generating and using the certificate from within PF. As long as
> it uses the acceptable subject name and an issuer under our control we can
> live with it. But I don’t see PF PKI anymore in the new version. I
> remember playing with PF CA earlier and was successful with configuring
> EAP-TLS
>
> Eugene
>
> From: Zammit, Ludovic <luza...@akamai.com>
> Sent: Tuesday, November 02, 2021 1:49 PM
> To: ype...@gmail.com
> Cc: packetfence-users@lists.sourceforge.net
> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>
> Hello,
>
> You can use the Web admin to install the RADIUS SSL cert.
>
> Make sure to restart radiusd on all servers to apply the cert.
>
> You can use the PF PKI and the PF PKI provisioner to install it on Windows
> for a Wireless interface. You could also download the cert from the PF web
> interface and install it manually on the device.
>
> What’s the PKI that you are using?
>
> Thanks,
>
> Ludovic Zammit
>
>> On Nov 2, 2021, at 2:18 PM, E.P. <ype...@gmail.com> wrote:
>>
>> Yes, Ludovic,
>> Apparently the certificate has some issues. RADIUS debug revealed this:
>>
>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
>> (18) Tue Nov 2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session. EAP sub-module failed
>> (18) Tue Nov 2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
>> (18) Tue Nov 2 11:06:07 2021: Debug: eap: Failed in EAP select
>> (18) Tue Nov 2 11:06:07 2021: Debug: [eap] = invalid
>> (18) Tue Nov 2 11:06:07 2021: Debug: } # authenticate = invalid
>>
>> So, all that I did was copying three files into /usr/local/pf/raddb/certs
>> folder
>> Server.crt (the certificate issued by Godaddy CA)
>> Server.key (private key)
>> ca.pem (root CA)
>>
>> I just wanted to replace this example certificate that PF uses for EAP/TLS
>> session
>>
>> Is there any instruction how to generate a different certificate on PF that
>> will be accepted by Windows OS supplicant?
>>
>> Eugene
>>
>> From: Zammit, Ludovic <luza...@akamai.com>
>> Sent: Tuesday, November 02, 2021 5:51 AM
>> To: packetfence-users@lists.sourceforge.net
>> Cc: E.P. <ype...@gmail.com>
>> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>>
>> Hello EP,
>>
>> It looks like the certificate passed to PF was not correct.
>>
>> Use the command:
>>
>> raddebug -f /usr/local/pf/var/run/radiusd.sock
>>
>> Thanks,
>>
>> Ludovic Zammit
>>
>>> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users
>>> <packetfence-users@lists.sourceforge.net> wrote:
>>>
>>> Hello,
>>> A while ago someone asked here this question and there was no reply.
>>> I hit it again and I have clue, out of the blue, all authentication
>>> attempts from Windows OS fail:
>>>
>>> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
>>> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
>>> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
>>> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>>>
>>> No problem with mobile phones.
>>> Trying to run RADIUS in the debug mode using the old radiusd -X command but
>>> on ver 11 it can’t be found anymore.
>>> Any ideas?
>>>
>>> Eugene
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
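
Added example (not part of the thread and not PacketFence code): a small Python triage of the auth-log lines quoted above. It relies on FreeRADIUS logging "Alert read" for a TLS alert received from the peer and "Alert write" for one the server sent, so "Alert read:fatal:access denied" means the supplicant itself aborted the handshake. The last two sample lines and all function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the auth-log lines quoted in the thread, followed by
# two constructed lines (a server-sent alert and a password failure).
SAMPLE_LOG = """\
Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
Nov 1 23:55:10 packetfence auth[2736]: (31) Login incorrect (eap_peap: (TLS) Alert write:fatal:protocol version): [old.laptop] (from client 172.19.254.2/32 port 0 cli aa:bb:cc:00:00:01)
Nov 1 23:56:42 packetfence auth[2736]: (35) Login incorrect (mschap: MS-CHAP2-Response is incorrect): [j.doe] (from client 172.19.254.2/32 port 0 cli aa:bb:cc:00:00:02)
"""

LOGIN_RE = re.compile(
    r"Login incorrect \((?P<reason>.*)\): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9a-fA-F:]+)\)")
ALERT_RE = re.compile(r"\(TLS\) Alert (?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)$")

def classify(reason):
    """Map a 'Login incorrect' reason to the side that ended the session."""
    m = ALERT_RE.search(reason)
    if not m:
        return "non_tls"  # failure after or outside the TLS handshake
    # read = alert received from the supplicant, write = alert sent by the server
    return "supplicant_aborted_tls" if m["dir"] == "read" else "server_aborted_tls"

def rejected_logins(log_text):
    """Return one record per 'Login incorrect' line with its classified cause."""
    out = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            out.append({"user": m["user"], "mac": m["mac"].lower(), "nas": m["nas"],
                        "cause": classify(m["reason"]), "reason": m["reason"]})
    return out

def summary(log_text):
    """Count rejected logins per cause."""
    return Counter(r["cause"] for r in rejected_logins(log_text))

if __name__ == "__main__":
    for r in rejected_logins(SAMPLE_LOG):
        print(f'{r["mac"]}  {r["user"]:<12} {r["cause"]:<24} {r["reason"]}')
```

Rejects classified as supplicant_aborted_tls point at the client's view of the server certificate (trust chain, subject name), not at the user's credentials.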