On 24.05.2023 20:26, packetfence-users-requ...@lists.sourceforge.net wrote:

Hello Ludovic,

If I read that right, you are trying to do EAP TLS certificate based 
authentication.

RADIUS authentication as a whole happens in two steps. The first step (RADIUS 
Authentication) verifies your certificate issuer, and then in step 2 
(RADIUS Authorization) PF checks the available sources for that 
authentication, where it tries to match a source rule to get a role applied 
to the connection.

Depending on which PKI you are using, the way the certificate is created differs. 
PF won't trust the username passed by the device (because it can be changed), 
so PF has a list of trusted certificate attributes, taken from inside the 
certificate, that it will trust as the username.

PacketFence-UserNameAttribute
TLS-Client-Cert-Subject-Alt-Name-Upn
TLS-Client-Cert-Common-Name

Most of the time, using the servicePrincipalName won't work because it's not an 
EAP-PEAP authentication.


Thank you for your explanation. Unfortunately I'm still a bit stuck on the topic, so I'll try to give some more detail.

The whole process of authentication/authorization works well so far. Authorization is done by AD, currently based on servicePrincipalName, but it's basically the same as TLS-Client-Cert-Common-Name. The hostname is also validated by AD, then the group membership of the host is evaluated and used to assign a role (this is the essential part of the authorization), and finally a RADIUS filter sets some RADIUS attributes according to the role (VLAN among others). All of this works as expected; only PacketFence seems to regard it as user- instead of machine-auth.

As a result, the host is logged as a User, the "Auditing/RADIUS Audit Logs" explicitly reports "Computer Name N/A" and "User Name host/somename.domain", and the host is listed under the Users tab, whereas it should be placed in Nodes with somename.domain as the computer name.

The only location I found to specify the source of the hostname to use is "Username Attribute" in the Authentication Source, and this allows only a list of AD attributes (like servicePrincipalName), so I can't point it to TLS-Client-Cert-Subject-Alt-Name-Upn or TLS-Client-Cert-Common-Name. But shouldn't the "host/" part sufficiently qualify the name as a machine/node?

Kind regards and sorry for bringing the topic up again.


 Jo
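The following is an added illustration, not PacketFence code and not from either poster: it shows the two points the thread turns on, namely taking the authenticated identity from certificate-derived attributes rather than the spoofable User-Name the device sends, and deciding machine versus user authentication from the shape of that identity. The three attribute names are the ones listed in the quoted reply; the order in which they are consulted, the `host/...` service-principal and `name$@realm` machine-UPN heuristics, and the sample requests are assumptions of this example.

```python
"""Added example (not PacketFence's own logic): derive the identity for an
EAP-TLS session from certificate attributes and classify it as machine or user.

Assumptions, not taken from the thread or from PacketFence:
  - the precedence order of the three trusted attributes,
  - 'host/fqdn[@REALM]' and 'name$@realm' are treated as machine identities,
  - the sample requests below are constructed, not captured."""

import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Certificate-derived attributes trusted as the username (names from the reply;
# the precedence order is this example's assumption).
TRUSTED_USERNAME_ATTRIBUTES = (
    "PacketFence-UserNameAttribute",
    "TLS-Client-Cert-Subject-Alt-Name-Upn",
    "TLS-Client-Cert-Common-Name",
)


@dataclass
class Identity:
    username: str                 # value taken from the certificate
    source: str                   # attribute it was taken from
    is_machine: bool              # True when the identity names a computer
    computer_name: Optional[str]  # hostname/FQDN when is_machine, else None


def trusted_username(attrs: Dict[str, str]) -> Tuple[str, str]:
    """Return (attribute, value) for the first trusted attribute present.
    The device-supplied User-Name is deliberately never consulted."""
    for name in TRUSTED_USERNAME_ATTRIBUTES:
        value = attrs.get(name)
        if value:
            return name, value
    raise ValueError("no certificate-derived username attribute present")


def classify(username: str) -> Tuple[bool, Optional[str]]:
    """Machine vs user from the identity's shape (heuristics assumed here):
    - 'host/fqdn' or 'host/fqdn@REALM'  -> machine, computer name = fqdn
    - AD machine UPN 'name$@realm'      -> machine, computer name = name.realm
    - anything else                     -> user"""
    m = re.fullmatch(r"host/([^@/]+)(?:@[^@]+)?", username)
    if m:
        return True, m.group(1).lower()
    m = re.fullmatch(r"([^@$]+)\$@([^@]+)", username)
    if m:
        return True, f"{m.group(1).lower()}.{m.group(2).lower()}"
    return False, None


def resolve_identity(attrs: Dict[str, str]) -> Identity:
    source, username = trusted_username(attrs)
    is_machine, computer = classify(username)
    return Identity(username, source, is_machine, computer)


# Constructed sample requests (not real RADIUS captures).
SPN_MACHINE_REQUEST = {
    "User-Name": "someone-else",                     # device-supplied, ignored
    "TLS-Client-Cert-Subject-Alt-Name-Upn": "host/somename.domain",
    "TLS-Client-Cert-Common-Name": "somename.domain",
}
UPN_MACHINE_REQUEST = {
    "User-Name": "host/somename.domain",
    "TLS-Client-Cert-Subject-Alt-Name-Upn": "somename$@domain.local",
}
CN_ONLY_REQUEST = {
    "User-Name": "administrator",                    # spoofable, ignored
    "TLS-Client-Cert-Common-Name": "host/pc01.corp",
}
USER_REQUEST = {
    "User-Name": "administrator",                    # spoofable, ignored
    "TLS-Client-Cert-Subject-Alt-Name-Upn": "alice@example.org",
    "TLS-Client-Cert-Common-Name": "Alice Example",
}

if __name__ == "__main__":
    for req in (SPN_MACHINE_REQUEST, UPN_MACHINE_REQUEST, CN_ONLY_REQUEST, USER_REQUEST):
        print(resolve_identity(req))
```

Running it shows the `host/somename.domain` identity being treated as a node named `somename.domain` while `alice@example.org` stays a user, and that a spoofed `User-Name` never influences the result because only certificate attributes are read.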
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
