Hi everyone,

I got it. Had to enter the RADIUS root cert “common name” as “Domain” in the 
WiFi config on the phone.

Kind regards
Johannes




Johannes Mudrich
Staff member
IT

Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen

Tel.:    03907 791229
Fax.:    03907 791248
Mail:    j.mudr...@altmark-klinikum.de
From: Mudrich, J.
Sent: Thursday, 16 March 2023 07:42
To: 'Fabrice Durand' <oeufd...@gmail.com>
Cc: packetfence-users@lists.sourceforge.net
Subject: RE: [PacketFence-users] EAP-TLS Configuration

Hello Fabrice,

I’m getting closer. I can see a Radius request but:

Module-Failure-Message = "eap_tls: (TLS) Alert read:fatal:internal error"
Module-Failure-Message = "eap_tls: (TLS) Failed reading from OpenSSL: 
error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error"
Module-Failure-Message = "eap_tls: (TLS) Cannot continue as the peer is 
misbehaving."
Module-Failure-Message = "eap_tls: [eaptls process] = fail"
Module-Failure-Message = "eap: Failed continuing EAP TLS (13) session.  EAP 
sub-module failed"

Radius.log:
(40878) eap_tls: ERROR: (TLS) Alert read:fatal:internal error
(40878) Login incorrect (eap_tls: (TLS) Alert read:fatal:internal error): 
[Test_2] (from client 10.9.254.109/32 port 0 cli ba:27:bd:98:30:d2)

NAS is an Aerohive / Extreme Networks AP. Client is an Android phone.
I’m still not sure, what to use as user name (identity).

Kind Regards
Johannes


From: Fabrice Durand [mailto:oeufd...@gmail.com]
Sent: Wednesday, 15 March 2023 14:20
To: Mudrich, J. <j.mudr...@altmark-klinikum.de>
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] EAP-TLS Configuration

So now create a client cert, install it on the device and try to connect with 
the client certificate and check to see if the radius request has been 
accepted. (Radius audit log and radius.log).
If it's ok then you can start to play with the connection profile and the 
authentication source.



On Wed, 15 Mar 2023 at 09:16, Mudrich, J. <j.mudr...@altmark-klinikum.de> wrote:
Hello Fabrice,

thanks for the reply.
Internal PKI is already set up and I created a new cert for the RADIUS-Server 
and added the CA-Cert to the config. Everything is green here.
What’s next?
I added a new internal authentication source (EAPTLS) with Authentication Rule:
Matches: all
Conditions:
                SSID equals “MySSID”
Actions:
Role “MyRole”
Access Duration 5 Days

Is it advised to create a new connection profile or could I just use the 
default profile to start with?

Kind regards
Johannes


From: Fabrice Durand via PacketFence-users [mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, 15 March 2023 13:26
To: packetfence-users@lists.sourceforge.net
Cc: Fabrice Durand <oeufd...@gmail.com>
Subject: Re: [PacketFence-users] EAP-TLS Configuration

Hello Johannes,

in fact you can follow this to create the certificates needed for eap-tls. 
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_certificate_authority_creation

Once you have created the ca certificate and applied it in the radius section.

```
Once done copy the certificate in the clipboard from the Certificate 
Authorities list (Configuration → Integration → PKI → Certificate Authorities 
and click on Copy Certificate) then edit the RADIUS certificate section in 
Configuration → System Configuration → SSL Certificates → RADIUS → Edit and 
paste the public key in "Certificate Authority" and Save. (Don't forget to 
restart radiusd-auth)

This will authorize the EAP TLS authentications using the PKI issued 
certificates.
```

Create a certificate template 
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_template_creation
 and create a certificate for the end user.

Once you have the pkcs12 file, import it on your device and configure the 
supplicant to use this certificate to connect to a secure ssid (it could be 
wired too).



So when you try to connect, you should be able to see the radius 
authentication in the radius audit log; the next steps will be to configure an 
EAPTLS or Authorize authentication source and assign it to a connection profile 
where you set the filter to sub_connection_type = EAP_TLS.



Let me know if you are stuck at some point.

Regards

Fabrice
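The procedure Fabrice lays out above (CA, RADIUS server certificate, end-user certificate exported as PKCS#12 for the supplicant) and the two things that surface later in the thread (the phone aborting with a fatal TLS alert that radiusd only sees as "Alert read", and the fix of entering the RADIUS certificate's name in the phone's Domain field) can be exercised outside PacketFence with plain openssl. The script below is an added example and is neither PacketFence's tooling nor code from anyone in this thread; the names radius.example.org and phone-0001, the file names and the password changeit are assumptions, and the throw-away CA stands in for the PacketFence PKI CA you would paste into the RADIUS section. It builds the three certificates, then checks (1) that the certificate inside the PKCS#12 chains to that CA and is usable as a TLS client certificate, and (2) that the name a user would type into the Domain field validates against the server certificate.

```shell
#!/bin/sh
# Added example (not PacketFence code): build a throw-away EAP-TLS PKI with
# openssl and verify the two conditions the supplicant needs.
# Assumptions: names radius.example.org / phone-0001, password "changeit",
# openssl 1.1.1 or 3.x on PATH (needed for -addext and -verify_hostname).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf;
# every -subj below overrides the placeholder DN.
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > req.cnf

# 1. CA: stands in for the PKI CA pasted into RADIUS -> "Certificate Authority"
openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -keyout ca.key -out ca.pem -subj "/CN=Demo PacketFence CA" \
  -addext "basicConstraints=critical,CA:TRUE" \
  -addext "keyUsage=critical,keyCertSign,cRLSign" >/dev/null 2>&1

# 2. RADIUS server certificate: the name goes in CN *and* SAN so both the old
#    CN-based and the modern SAN-based client check succeed
printf 'subjectAltName=DNS:radius.example.org\nextendedKeyUsage=serverAuth\n' > server.ext
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout server.key \
  -out server.csr -subj "/CN=radius.example.org" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile server.ext -out server.pem >/dev/null 2>&1

# 3. End-user (supplicant) certificate, exported as PKCS#12 for import on the phone
printf 'extendedKeyUsage=clientAuth\n' > client.ext
openssl req -config req.cnf -newkey rsa:2048 -nodes -keyout client.key \
  -out client.csr -subj "/CN=phone-0001" >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -extfile client.ext -out client.pem >/dev/null 2>&1
openssl pkcs12 -export -inkey client.key -in client.pem -certfile ca.pem \
  -passout pass:changeit -out client.p12 >/dev/null 2>&1

# Check 1: does the certificate inside the PKCS#12 chain to the CA that
# radiusd-auth trusts, and is it usable as a TLS client certificate?
# Args: p12 file, p12 password, CA PEM.  Exit status 0 = ok.
client_chains_to_ca() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl verify -CAfile "$3" -purpose sslclient >/dev/null 2>&1
}

# Check 2: does the name typed into the phone's "Domain" field validate
# against the RADIUS server certificate (exact or wildcard match)?
# Args: server PEM, CA PEM, domain.  Exit status 0 = ok.
domain_matches_server_cert() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Human-readable summary when run directly
if client_chains_to_ca client.p12 changeit ca.pem; then
  echo "client.p12 chains to ca.pem: ok"
else
  echo "client.p12 does NOT chain to ca.pem"
fi
for d in radius.example.org radius.example.net; do
  if domain_matches_server_cert server.pem ca.pem "$d"; then
    echo "Domain '$d': matches the server certificate"
  else
    echo "Domain '$d': does NOT match (the phone would abort the handshake)"
  fi
done
```

openssl's -verify_hostname does an exact or wildcard match only; the Android Domain field also accepts a parent-domain suffix, which this check does not model, so treat a pass here as sufficient rather than necessary. When check 2 fails for the name the user entered, the phone aborts on its side and the server sees nothing but the alert the peer sent, which is exactly how "Alert read:fatal:internal error" looks in radius.log.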




On Wed, 15 Mar 2023 at 07:45, Mudrich, J. via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
Hello again,

I’m trying to configure PF for EAP-TLS authentication. I couldn’t find any 
comprehensive guide or manual so I hope you can help.
I would like to use the internal PKI. That’s what I already set up. Maybe 
someone can walk me through this?

Some wild guesses:
I think I need to set up an Authentication Source (internal -> EAPTLS)?
Are there any changes needed in the RADIUS configuration (System Configuration 
-> Radius)?
What's with "PKI SSL Certificates", do I need to add the internal PKI's CA there?

Some additional thoughts: I can already see the devices I’d like to manage via 
EAP-TLS in my nodes list because of their DHCP broadcasts. Will these nodes 
then somehow be connected to the certificates issued by the internal PKI?

Thanks and kind regards
Johannes



_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users



