So now create a client cert, install it on the device and try to connect with the client certificate and check to see if the radius request has been accepted (Radius audit log and radius.log). If it's ok then you can start to play with the connection profile and the authentication source.

On Wed, 15 Mar 2023 at 09:16, Mudrich, J. <j.mudr...@altmark-klinikum.de> wrote:

> Hello Fabrice,
>
> thanks for the reply.
>
> Internal PKI is already set up and I created a new cert for the RADIUS-Server and added the CA-Cert to the config. Everything is green here.
>
> What’s next?
>
> I added a new internal authentication source (EAPTLS) with Authentication Rule:
>
> Matches: all
> Conditions:
> SSID equals “MySSID”
> Actions:
> Role “MyRole”
> Access Duration 5 Days
>
> Is it advised to create a new connection profile or could I just use the default profile to start with?
>
> Kind regards
> Johannes
>
> *From:* Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
> *Sent:* Wednesday, 15 March 2023 13:26
> *To:* packetfence-users@lists.sourceforge.net
> *Cc:* Fabrice Durand <oeufd...@gmail.com>
> *Subject:* Re: [PacketFence-users] EAP-TLS Configuration
>
> Hello Johannes,
>
> in fact you can follow this to create the certificates needed for eap-tls.
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_certificate_authority_creation
>
> Once you have created the ca certificate and applied it in the radius section.
>
> ```
> Once done copy the certificate in the clipboard from the Certificate Authorities list (Configuration → Integration → PKI → Certificate Authorities and click on *Copy Certificate*) then edit the RADIUS certificate section in Configuration → System Configuration → SSL Certificates → RADIUS → Edit and paste the public key in "Certificate Authority" and Save. (Don’t forget to restart radiusd-auth)
>
> This will authorize the EAP TLS authentications using the PKI issued certificates.
> ```
>
> Create a certificate template
> https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_template_creation
> and create a certificate for the end user.
>
> Once you have the pkcs12 file, import it on your device and configure the supplicant to use this certificate to connect to a secure ssid (it could be wired too).
>
> So when you will try to connect, you should be able to see the radius authentication in the radius audit log, the next steps will be to configure an EAPTLS or Authorize authentication source and assign it to a connection profile where you set the filter to sub_connection_type = EAP_TLS.
>
> Let me know if you are stuck at some point.
>
> Regards
> Fabrice
>
> On Wed, 15 Mar 2023 at 07:45, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Hello again,
>
> I’m trying to configure PF for EAP-TLS authentication. I couldn’t find any comprehensive guide or manual so I hope you can help.
>
> I would like to use the internal PKI. That’s what I already set up. Maybe someone can walk me through this?
>
> Some wild guesses:
>
> I think I need to set up an Authentication Source (internal -> EAPTLS)?
>
> Are there any changes needed in the RADIUS configuration (System Configuration -> Radius)?
>
> What’s with “PKI SSL Certificates”, do I need to add the internal PKI’s CA there?
>
> Some additional thoughts: I can already see the devices I’d like to manage via EAP-TLS in my nodes list because of their DHCP broadcasts. Will these nodes then somehow be connected to the certificates issued by the internal PKI?
>
> Thanks and kind regards
> Johannes
>
> *Johannes Mudrich*
> Staff member, IT
> Altmark-Klinikum gGmbH
> Ernst-von-Bergmann-Straße 22
> 39638 Gardelegen
> Tel.: 03907 791229
> Fax.: 03907 791248
> Mail: j.mudr...@altmark-klinikum.de

_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
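
An added example, not part of the original thread or of PacketFence's own tooling: a shell pre-flight check for the pkcs12 step described above, confirming that the certificate in the bundle chains to the CA pasted into the RADIUS "Certificate Authority" field and passes OpenSSL's TLS-client purpose check. The function names, the throwaway CA, the sample subjects and the password `test` are constructed for illustration; it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# check_client_p12 <file.p12> <password> <ca.pem>
# Returns 0 only if the client certificate inside the PKCS#12 bundle chains
# to the given CA and passes OpenSSL's "sslclient" purpose check.
check_client_p12() {
  local p12=$1 pass=$2 ca=$3 leaf rc=1
  leaf=$(mktemp) || return 1
  # Extract the leaf certificate only (no private key), then verify it.
  if openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
       openssl x509 -out "$leaf" 2>/dev/null &&
     openssl verify -purpose sslclient -CAfile "$ca" "$leaf" >/dev/null 2>&1
  then rc=0; fi
  rm -f "$leaf"
  return "$rc"
}

# build_constructed_samples <dir>
# Creates a throwaway CA and two PKCS#12 bundles (password "test") so the
# check can be exercised offline. Everything generated here is constructed.
build_constructed_samples() {
  local d=$1 name
  cat >"$d/cfg" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
[client]
extendedKeyUsage = clientAuth
[server]
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/cfg" -extensions ca_ext \
    -keyout "$d/ca.key" -out "$d/ca.pem" -days 2 2>/dev/null || return 1
  for name in client server; do
    openssl req -new -newkey rsa:2048 -nodes -config "$d/cfg" -subj "/CN=$name-sample" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/$name.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/cfg" -extensions "$name" -days 1 \
      -out "$d/$name.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/$name.key" -in "$d/$name.pem" \
      -passout pass:test -out "$d/$name.p12" 2>/dev/null || return 1
  done
}
```

Against a real bundle, call `check_client_p12 user.p12 'password' ca.pem` with the CA file exported from the PKI; a non-zero return means the RADIUS audit log would most likely show a rejected TLS handshake for that certificate.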