Ludovic,

You caught me off guard with the question about PKI.

After I upgraded to PF ver 11.0 I was using the PF native PKI.

Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc., CN=Example 
Server Certificate, emailAddress=ad...@example.org

Of course we can’t use it. Hence I tried to upload the wildcard certificate 
with the private key that was installed on many servers and network devices in 
our company without any issues. For some reason, as I demonstrated earlier, the 
Windows OS supplicant can’t use, or rather doesn’t trust, the RADIUS server 
presenting this certificate for the PEAP session.

I downloaded this wildcard certificate using the PF web interface by going into 
Edit under the RADIUS section.

I don’t mind generating and using the certificate from within PF. As long as it 
uses an acceptable subject name and an issuer under our control we can live 
with it. But I don’t see the PF PKI anymore in the new version. I remember 
playing with the PF CA earlier and was successful in configuring EAP-TLS.

 

Eugene

 

From: Zammit, Ludovic <luza...@akamai.com> 
Sent: Tuesday, November 02, 2021 1:49 PM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello,

 

You can use the Web admin to install the RADIUS SSL cert.

 

Make sure to restart radiusd on all servers to apply the cert.

 

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

 

What’s the PKI that you are using?

 

Thanks,

 


Ludovic Zammit
Product Support Engineer Principal


  
Cell: +1.613.670.8432

Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

        
                





On Nov 2, 2021, at 2:18 PM, E.P. <ype...@gmail.com> wrote:

 

Yes, Ludovic,

Apparently the certificate has some issues. RADIUS debug revealed this:

 

(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
(18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
(18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
(18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
(18) Tue Nov  2 11:06:07 2021: Debug:     [eap] = invalid
(18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid

 

So, all I did was copy three files into the /usr/local/pf/raddb/certs folder:

1.      Server.crt (the certificate issued by Godaddy CA)
2.      Server.key (private key)
3.      ca.pem (root CA)

 

I just wanted to replace this example certificate that PF uses for the EAP/TLS 
session.

 


 

Are there any instructions on how to generate a different certificate on PF that 
will be accepted by the Windows OS supplicant?

 

Eugene
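The "Alert read: fatal: access denied" in the debug output is an alert the supplicant sent, so the failure is the client rejecting what radiusd presented. As an added example (not from the thread, PacketFence or FreeRADIUS; the function name, file names and the dependency on the openssl CLI are assumptions), a pre-flight check for the three files before they go into raddb/certs: the key must match the certificate, the certificate must chain to ca.pem, and it must carry the Server Authentication EKU that Windows requires for PEAP.

```shell
#!/bin/sh
# Added example: sanity-check a RADIUS (PEAP) server certificate bundle.
# Usage: check_radius_certs server.crt server.key ca.pem
# Assumes the openssl CLI; returns 0 when every check passes, non-zero otherwise.
check_radius_certs() {
  cert="$1"; key="$2"; ca="$3"
  for f in "$cert" "$key" "$ca"; do
    [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 4; }
  done
  # 0. The certificate must be parseable PEM at all.
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not a readable X.509 certificate"; return 4; }
  # 1. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$cert_pub" = "$key_pub" ] \
    || { echo "FAIL: $key does not match $cert"; return 1; }
  # 2. The certificate must chain to the CA the supplicant is told to trust.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: $cert does not chain to $ca"; return 2; }
  # 3. Windows PEAP requires the Server Authentication (serverAuth) EKU.
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Server Authentication' \
    || { echo "FAIL: $cert lacks the serverAuth EKU"; return 3; }
  # Report the names the supplicant will compare against its configured server name.
  echo "OK: $(openssl x509 -in "$cert" -noout -subject)"
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null || true
  return 0
}

# Run stand-alone with the three paths as arguments.
if [ "$#" -eq 3 ]; then
  check_radius_certs "$@"
fi
```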

From: Zammit, Ludovic <luza...@akamai.com> 
Sent: Tuesday, November 02, 2021 5:51 AM
To: packetfence-users@lists.sourceforge.net
Cc: E.P. <ype...@gmail.com>
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello EP,

 

It looks like the certificate passed to PF was not correct.

 

Use the command:

 

raddebug -f /usr/local/pf/var/run/radiusd.sock

 

Thanks,

 


Ludovic Zammit
Product Support Engineer Principal


  

On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users 
<packetfence-users@lists.sourceforge.net> wrote:

 

Hello,

A while ago someone asked this question here and there was no reply.

I hit it again and I have no clue: out of the blue, all authentication attempts 
from Windows OS fail:

 

Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)

 

No problem with mobile phones.

I tried to run RADIUS in debug mode using the old radiusd -X command, but on 
ver 11 it can’t be found anymore.

Any ideas?

 

Eugene

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users

 
