Re: [PacketFence-users] mspki computer authentication

2017-07-06 Thread Will Halsall via PacketFence-users
Thank you for your help. Adding an AD Computer auth source fixed my problem and 
all is working as expected now.


WillH

From: Antoine Amacher via PacketFence-users 
[mailto:packetfence-users@lists.sourceforge.net]
Sent: Wednesday, July 5, 2017 5:48 PM
To: packetfence-users@lists.sourceforge.net
Cc: Antoine Amacher
Subject: Re: [PacketFence-users] mspki computer authentication


Hello Will,

The certificate exchange looks fine. Do you have an AD computer auth source 
(using ServicePrincipalName as an attribute)?

Also, is the CA in the radiusd/eap.conf, and is it installed on the client?

You could also try to run RADIUS in debug to have more info:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t3600

Thanks

On 07/05/2017 11:13 AM, Will Halsall via PacketFence-users wrote:
Hi All,

I have tried to set up mspki to use AD computer authentication and have followed 
the Quick Installation Guide but cannot get the clients to work.
The client is a Windows 10 domain laptop
The server is PF 7.1.0
The CA is installed on Windows 2012R2

When I try to connect I get the following in the radius log. Could anyone 
advise on how to go about resolving this issue or if it's even possible?

Willh


RADIUS Request

User-Name = "host/Stuart-PC.college.farnborough"
NAS-IP-Address = 172.16.36.30
NAS-Port = 0
Service-Type = Login-User
Framed-MTU = 1100
State = 0x7e1adcc07913d16fa3fa9452e2e3aa94
Called-Station-Id = "04:bd:88:c4:e2:60"
Calling-Station-Id = "00:24:2b:60:ff:79"
NAS-Identifier = "IAP Cluster FCOT"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jul  5 2017 16:00:37 BST"
EAP-Message = 0x020900060d00
Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90
Aruba-Essid-Name = "test"
Aruba-Location-Id = "N2 - outside"
Aruba-AP-Group = "IAP Cluster"
EAP-Type = TLS
Stripped-User-Name = "host/Stuart-PC.college.farnborough"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.36.30
Called-Station-SSID = "test"
Tmp-String-1 = "00242b60ff79"
TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"
TLS-Cert-Expiration = "220701135414Z"
TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Common-Name = "azure"
TLS-Client-Cert-Serial = "7d0060dfebbdb604c4cc8200020060"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier = "6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"
TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"
User-Password = "**"
SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply

MS-MPPE-Recv-Key = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d
MS-MPPE-Send-Key = 0x5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-MSK = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-EMSK = 0xc5bfd638609e0698282b0bf2de29ddf6b9fdf7139a9f904b7b3ad26fc2d15ea55533869cdd945115bb9ec75e0662627807100d8aae044f3232bd63f3c1f22282
EAP-Session-Id = 0x0d595cff1448a9ab1b5f34620219363a29ba87e4f2ff3058941f15a081ef0de171595cff15d2572d184a352a5e88a3b0af21328a83b299dec4f4ca938c86f0941f
EAP-Message = 0x03090004
Message-Authenticator = 0x
Stripped-User-Name = "host/Stuart-PC.college.farnborough"






This message is intended only for the use of the person(s) to
whom it is addressed, and may contain privileged and confidential information.
If it has come to you in error, please contact the sender as soon as possible,
and note that you must take no action based on the content, nor must you copy,
distribute, or show the content to any other person.


In accordance with its legal obligations, Farnborough College of
Technology reserves the right to monitor the content of e-mails sent and
received, but will not do so routinely.





Re: [PacketFence-users] mspki computer authentication

2017-07-05 Thread Antoine Amacher via PacketFence-users

Hello Will,

The certificate exchange looks fine. Do you have an AD computer auth 
source (using ServicePrincipalName as an attribute)?


Also, is the CA in the radiusd/eap.conf, and is it installed on the client?

You could also try to run RADIUS in debug to have more info:

raddebug -f /usr/local/pf/var/run/radiusd.sock -t3600

Thanks


On 07/05/2017 11:13 AM, Will Halsall via PacketFence-users wrote:


Hi All,

I have tried to set up mspki to use AD computer authentication and have 
followed the Quick Installation Guide but cannot get the clients to work.

The client is a Windows 10 domain laptop

The server is PF 7.1.0

The CA is installed on Windows 2012R2

When I try to connect I get the following in the radius log. Could 
anyone advise on how to go about resolving this issue or if it's even 
possible?


Willh

RADIUS Request

User-Name = "host/Stuart-PC.college.farnborough"
NAS-IP-Address = 172.16.36.30
NAS-Port = 0
Service-Type = Login-User
Framed-MTU = 1100
State = 0x7e1adcc07913d16fa3fa9452e2e3aa94
Called-Station-Id = "04:bd:88:c4:e2:60"
Calling-Station-Id = "00:24:2b:60:ff:79"
NAS-Identifier = "IAP Cluster FCOT"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jul  5 2017 16:00:37 BST"
EAP-Message = 0x020900060d00
Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90
Aruba-Essid-Name = "test"
Aruba-Location-Id = "N2 - outside"
Aruba-AP-Group = "IAP Cluster"
EAP-Type = TLS
Stripped-User-Name = "host/Stuart-PC.college.farnborough"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.36.30
Called-Station-SSID = "test"
Tmp-String-1 = "00242b60ff79"
TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"
TLS-Cert-Expiration = "220701135414Z"
TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Common-Name = "azure"
TLS-Client-Cert-Serial = "7d0060dfebbdb604c4cc8200020060"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier = "6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"
TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"
User-Password = "**"
SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply

MS-MPPE-Recv-Key = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d
MS-MPPE-Send-Key = 0x5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-MSK = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-EMSK = 0xc5bfd638609e0698282b0bf2de29ddf6b9fdf7139a9f904b7b3ad26fc2d15ea55533869cdd945115bb9ec75e0662627807100d8aae044f3232bd63f3c1f22282
EAP-Session-Id = 0x0d595cff1448a9ab1b5f34620219363a29ba87e4f2ff3058941f15a081ef0de171595cff15d2572d184a352a5e88a3b0af21328a83b299dec4f4ca938c86f0941f
EAP-Message = 0x03090004
Message-Authenticator = 0x
Stripped-User-Name = "host/Stuart-PC.college.farnborough"





___
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users


--
Antoine Amacher
aamac...@inverse.ca  ::  www.inverse.ca
+1.514.447.4918 x130  :: +1 (866) 353-6153 x130
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence 
(www.packetfence.org)
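
The checks behind the questions in the reply above, as an added example that is not part of the original thread or of PacketFence's code: it parses a FreeRADIUS-style attribute dump, confirms the `host/` identity agrees with the client certificate, and builds the LDAP filter that a source keyed on ServicePrincipalName would need to match. The function names and the filter form are assumptions; the sample is constructed from a subset of the attributes posted in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample: a subset of the request attributes posted in this thread.
SAMPLE = '''\
User-Name = "host/Stuart-PC.college.farnborough"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
'''
ATTR = re.compile(r'^([A-Za-z0-9-]+) = (?:"((?:[^"\\]|\\.)*)"|(\S*))', re.M)

def parse_attrs(text):
    """Parse 'Name = value' pairs; a quoted value may span several lines."""
    attrs = {}
    for name, quoted, bare in ATTR.findall(text):
        attrs.setdefault(name, []).append(bare or quoted)
    return attrs

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so the identity stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def machine_auth_report(attrs, now):
    """Hypothetical helper: sanity-check an EAP-TLS machine identity."""
    user = attrs["User-Name"][0]
    is_machine = user.lower().startswith("host/")
    cert_names = {n.lower()
                  for key in ("TLS-Client-Cert-Common-Name",
                              "TLS-Client-Cert-Subject-Alt-Name-Dns")
                  for n in attrs.get(key, [])}
    eku = " ".join(attrs.get("TLS-Client-Cert-X509v3-Extended-Key-Usage", []))
    # TLS-Client-Cert-Expiration is an ASN.1 UTCTime: YYMMDDHHMMSSZ.
    expires = datetime.strptime(attrs["TLS-Client-Cert-Expiration"][0],
                                "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "machine_identity": is_machine,
        "identity_matches_cert": is_machine and user[5:].lower() in cert_names,
        "client_auth_eku": "TLS Web Client Authentication" in eku,
        "cert_not_expired": now < expires,
        # Assumed lookup: the AD source matches User-Name against this attribute.
        "spn_filter": "(servicePrincipalName=%s)" % ldap_escape(user),
    }

if __name__ == "__main__":
    now = datetime(2017, 7, 5, 15, 0, tzinfo=timezone.utc)  # around the posted log
    print(machine_auth_report(parse_attrs(SAMPLE), now))
```
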


[PacketFence-users] mspki computer authentication

2017-07-05 Thread Will Halsall via PacketFence-users
Hi All,

I have tried to set up mspki to use AD computer authentication and have followed 
the Quick Installation Guide but cannot get the clients to work.
The client is a Windows 10 domain laptop
The server is PF 7.1.0
The CA is installed on Windows 2012R2

When I try to connect I get the following in the radius log. Could anyone 
advise on how to go about resolving this issue or if it's even possible?

Willh


RADIUS Request

User-Name = "host/Stuart-PC.college.farnborough"
NAS-IP-Address = 172.16.36.30
NAS-Port = 0
Service-Type = Login-User
Framed-MTU = 1100
State = 0x7e1adcc07913d16fa3fa9452e2e3aa94
Called-Station-Id = "04:bd:88:c4:e2:60"
Calling-Station-Id = "00:24:2b:60:ff:79"
NAS-Identifier = "IAP Cluster FCOT"
NAS-Port-Type = Wireless-802.11
Event-Timestamp = "Jul  5 2017 16:00:37 BST"
EAP-Message = 0x020900060d00
Message-Authenticator = 0x5cf158a0b8216591e4a2125a9c68ee90
Aruba-Essid-Name = "test"
Aruba-Location-Id = "N2 - outside"
Aruba-AP-Group = "IAP Cluster"
EAP-Type = TLS
Stripped-User-Name = "host/Stuart-PC.college.farnborough"
Realm = "null"
FreeRADIUS-Client-IP-Address = 172.16.36.30
Called-Station-SSID = "test"
Tmp-String-1 = "00242b60ff79"
TLS-Cert-Serial = "72c5b6d2120648b44e26747040ed5949"
TLS-Cert-Expiration = "220701135414Z"
TLS-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Subject = "/DC=farnborough/DC=college/CN=azure"
TLS-Cert-Common-Name = "azure"
TLS-Client-Cert-Serial = "7d0060dfebbdb604c4cc8200020060"
TLS-Client-Cert-Expiration = "190705141544Z"
TLS-Client-Cert-Issuer = "/DC=farnborough/DC=college/CN=azure"
TLS-Client-Cert-Subject = "/CN=Stuart-PC.college.farnborough"
TLS-Client-Cert-Common-Name = "Stuart-PC.college.farnborough"
TLS-Client-Cert-X509v3-Extended-Key-Usage = "TLS Web Server Authentication
TLS Web Client Authentication"
TLS-Client-Cert-X509v3-Subject-Key-Identifier = "6D:D8:A4:E6:C5:9F:BC:58:D1:A9:89:AE:A6:D4:C1:60:F4:C2:DF:F2"
TLS-Client-Cert-X509v3-Authority-Key-Identifier = "keyid:81:0F:70:98:FB:13:46:81:60:6E:0C:46:EC:DA:B8:64:47:E9:6A:8C\n"
TLS-Client-Cert-Subject-Alt-Name-Dns = "Stuart-PC.college.farnborough"
Module-Failure-Message = "rest: Server returned:"
Module-Failure-Message = "rest: {\"control:PacketFence-Authorization-Status\":\"allow\"}"
User-Password = "**"
SQL-User-Name = "host/Stuart-PC.college.farnborough"

RADIUS Reply

MS-MPPE-Recv-Key = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d
MS-MPPE-Send-Key = 0x5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-MSK = 0x10c55a8412cf0b3fc533006069e474e5933f2778dc0bb095abe95eef2ac56f1d5e2d706a0e612d4797052c9a8d0e1eb8a4fe42afada4b42d24176d025157fa6a
EAP-EMSK = 0xc5bfd638609e0698282b0bf2de29ddf6b9fdf7139a9f904b7b3ad26fc2d15ea55533869cdd945115bb9ec75e0662627807100d8aae044f3232bd63f3c1f22282
EAP-Session-Id = 0x0d595cff1448a9ab1b5f34620219363a29ba87e4f2ff3058941f15a081ef0de171595cff15d2572d184a352a5e88a3b0af21328a83b299dec4f4ca938c86f0941f
EAP-Message = 0x03090004
Message-Authenticator = 0x
Stripped-User-Name = "host/Stuart-PC.college.farnborough"




