Re: [PacketFence-users] Rejected users logging via Windows

2021-11-04 Thread Zammit, Ludovic via PacketFence-users
Hello,

Yes, the official documentation:

https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#pf-pki

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142
Connect with Us: <https://community.akamai.com/>  
<http://blogs.akamai.com/>  <https://twitter.com/akamai>  
<http://www.facebook.com/AkamaiTechnologies>  
<http://www.linkedin.com/company/akamai-technologies>  
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>

> On Nov 4, 2021, at 2:55 AM, ype...@gmail.com wrote:
> 
> Morning, Ludovic,
> Is there any better document on the new PF PKI than this one 
> https://fossies.org/linux/packetfence/docs/installation/pki/packetfence.asciidoc
>  
> As far as I understand, after I created a CA I need to create a template 
> before generating a new certificate? Suppose I generated a certificate based 
> on this template how would I import it to PF to be used for RADIUS to replace 
> the example certificate I showed earlier. I want to make sure that nothing is 
> broken and it will be fully accepted and PEAP sessions from Windows 
> supplicants are not ended up with an error
>  
> Eugene
>  

Re: [PacketFence-users] Rejected users logging via Windows

2021-11-04 Thread ypefti--- via PacketFence-users
Morning, Ludovic,

Is there any better document on the new PF PKI than this one 

https://fossies.org/linux/packetfence/docs/installation/pki/packetfence.asciidoc

 

As far as I understand, after I created a CA I need to create a template before 
generating a new certificate? Suppose I generated a certificate based on this 
template how would I import it to PF to be used for RADIUS to replace the 
example certificate I showed earlier. I want to make sure that nothing is 
broken and it will be fully accepted and PEAP sessions from Windows supplicants 
are not ended up with an error

 

Eugene

 

From: Zammit, Ludovic  
Sent: Wednesday, November 3, 2021 7:18 AM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello EP,

 

It’s under Configuration > Integration > PKI

 

Thanks,

 



Re: [PacketFence-users] Rejected users logging via Windows

2021-11-03 Thread E.P. via PacketFence-users
Ludovic,

You caught me off guard with the question about PKI.

After I upgraded to PF ver 11.0 I was using PF native PKI.

Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc., CN=Example 
Server Certificate, emailAddress=ad...@example.org

Of course we can’t use it. Hence I tried to upload the wildcard certificate 
with the private key that was installed on many servers and network devices in 
our company without any issues. For some reason, as I demonstrated earlier, the 
Windows OS supplicant can’t use or rather doesn’t trust the RADIUS server 
presenting this certificate for the PEAP session.

I downloaded this wildcard certificate using the PF web interface by going into 
Edit under the RADIUS section.

I don’t mind generating and using the certificate from within PF. As long as it 
uses an acceptable subject name and an issuer under our control we can live 
with it. But I don’t see PF PKI anymore in the new version. I remember 
playing with PF CA earlier and was successful with configuring EAP-TLS.

 

Eugene

 

From: Zammit, Ludovic  
Sent: Tuesday, November 02, 2021 1:49 PM
To: ype...@gmail.com
Cc: packetfence-users@lists.sourceforge.net
Subject: Re: [PacketFence-users] Rejected users logging via Windows

 

Hello,

 

You can use the Web admin to install the RADIUS SSL cert.

 

Make sure to restart radiusd on all servers to apply the cert.

 

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

 

What’s the PKI that you are using ?

 

Thanks,

 



Re: [PacketFence-users] Rejected users logging via Windows

2021-11-03 Thread Zammit, Ludovic via PacketFence-users
Hello EP,

It’s under Configuration > Integration > PKI

Thanks,

Ludovic Zammit
Product Support Engineer Principal


> On Nov 3, 2021, at 3:12 AM, E.P.  wrote:
> 
> Ludovic,
> You caught me off guard with the question about PKI.
> After I upgraded to PF ver 11.0 I was using PF native PKI.
> Hence its sample certificate, i.e. C=FR, ST=Radius, O=Example Inc., 
> CN=Example Server Certificate, emailAddress=ad...@example.org
> Of course we can’t use it. Hence I tried to upload the wildcard certificate 
> with the private key that was installed on many servers and network devices 
> in our company without any issues. For some reason, as I demonstrated 
> earlier, the Windows OS supplicant can’t use or rather doesn’t trust the 
> RADIUS server presenting this certificate for the PEAP session.
> I downloaded this wildcard certificate using the PF web interface by going 
> into Edit under the RADIUS section.
> I don’t mind generating and using the certificate from within PF. As long as 
> it uses an acceptable subject name and an issuer under our control we can 
> live with it. But I don’t see PF PKI anymore in the new version. I 
> remember playing with PF CA earlier and was successful with configuring 
> EAP-TLS.
>  
> Eugene
>  

Re: [PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello EP,

It looks like the certificate passed to PF was not correct.

Use the command:

raddebug -f /usr/local/pf/var/run/radiusd.sock

Thanks,

Ludovic Zammit
Product Support Engineer Principal


> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users wrote:
> 
> Hello,
> A while ago someone asked here this question and there was no reply.
> I hit it again and I have clue, out of the blue, all authentications attempts 
> from Windows OS fail:
>  
> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>  
> No problem with mobile phones.
> Trying to run RADIUS in the debug mode using the old radiusd -X command but 
> on ver 11 it can’t be found anymore.
> Any ideas ?
>  
> Eugene
> ___
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net 
> 
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!HSzjvTbxfJXK0mkPrgLUPV-NYCaZZ_BeC5q6gvsmiOPixf6OENCNuSHeVErDcS-r$
>  
> 




Re: [PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread Zammit, Ludovic via PacketFence-users
Hello,

You can use the Web admin to install the RADIUS SSL cert.

Make sure to restart radiusd on all servers to apply the cert.

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

What’s the PKI that you are using ?

Thanks,

Ludovic Zammit
Product Support Engineer Principal


> On Nov 2, 2021, at 2:18 PM, E.P.  wrote:
> 
> Yes, Ludovic,
> Apparently the certificate has some issues. RADIUS debug revealed this:
>  
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
> (18) Tue Nov  2 11:06:07 2021: Debug: [eap] = invalid
> (18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid
>  
> So, all that I did was copying three files into /usr/local/pf/raddb/certs 
> folder
> Server.crt (the certificate issued by Godaddy CA)
> Server.key (private key)
> ca.pem (root CA)
>  
> I just wanted to replace this example certificate that PF uses for EAP/TLS 
> session
>  
> 
>  
> Is there any instruction how to generate a different certificate on PF that 
> will be accepted by Windows OS supplicant ?
>  
> Eugene



[PacketFence-users] Rejected users logging via Windows

2021-11-02 Thread E.P. via PacketFence-users
Hello,

A while ago someone asked here this question and there was no reply.

I hit it again and I have clue, out of the blue, all authentications
attempts from Windows OS fail:

 

Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)

 

No problem with mobile phones.

Trying to run RADIUS in the debug mode using the old radiusd -X command but
on ver 11 it can't be found anymore.

Any ideas ?

 

Eugene
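
Added example (not part of the thread, and not PacketFence or FreeRADIUS code): a parser for the log excerpt in the message above. FreeRADIUS logs a TLS alert as `read` when it was received from the peer and `write` when the server sent it, so `Alert read:fatal:access denied` means the supplicant ended the handshake. The sample is constructed from the excerpt; its last two lines and the names `summarize_tls_alerts` and `sent_by` are assumptions made for the example.

```python
import re

# Constructed sample: the first four lines mirror the excerpt in the thread
# (wrapped lines joined); the last two are invented to show the opposite
# direction and do not come from the thread.
SAMPLE_LOG = """\
Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
Nov 1 23:53:10 packetfence auth[2736]: (31) eap_peap: ERROR: (TLS) Alert write:fatal:handshake failure
Nov 1 23:53:10 packetfence auth[2736]: (31) Login incorrect (eap_peap: (TLS) Alert write:fatal:handshake failure): [constructed.user] (from client 172.19.254.2/32 port 0 cli 02:00:00:00:00:01)
"""

# "(24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied"
ALERT_RE = re.compile(
    r"\((?P<req>\d+)\) eap_\w+: ERROR: \(TLS\) Alert "
    r"(?P<dir>read|write):(?P<level>\w+):(?P<desc>.+)$"
)
# "(24) Login incorrect (...): [user] (from client NAS port N cli MAC)"
LOGIN_RE = re.compile(
    r"\((?P<req>\d+)\) Login incorrect \(.*?\): \[(?P<user>[^\]]*)\] "
    r"\(from client (?P<nas>\S+) port \d+ cli (?P<mac>[0-9A-Fa-f:]{17})\)"
)

# "read" = alert received from the peer, "write" = alert sent by the server.
SENT_BY = {"read": "supplicant", "write": "radius_server"}

HINT = {
    "supplicant": "client refused the session: check which CA and server "
                  "name the supplicant trusts for the RADIUS certificate",
    "radius_server": "server refused the session: check the server-side "
                     "TLS/EAP configuration and what the client offered",
}


def summarize_tls_alerts(log_text):
    """Pair each TLS alert with the rejected login of the same request id."""
    pending = {}   # request id -> (direction, level, description)
    findings = []
    for line in log_text.splitlines():
        alert = ALERT_RE.search(line)
        if alert:
            pending[alert["req"]] = (
                alert["dir"], alert["level"], alert["desc"].strip())
            continue
        login = LOGIN_RE.search(line)
        if login and login["req"] in pending:
            direction, level, desc = pending.pop(login["req"])
            findings.append({
                "request": int(login["req"]),
                "user": login["user"].strip(),
                "mac": login["mac"].lower(),
                "nas": login["nas"],
                "alert": desc,
                "level": level,
                "sent_by": SENT_BY[direction],
            })
    return findings


if __name__ == "__main__":
    for f in summarize_tls_alerts(SAMPLE_LOG):
        print(f"{f['mac']} user={f['user']} alert={f['alert']!r} "
              f"sent_by={f['sent_by']}: {HINT[f['sent_by']]}")
```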
