From: E.P. <yp...@gm...> - 2018-01-10 08:57:23
And here comes the culmination of my saga with PKI ;) Actually, I was slowly going towards it and really hoped I would jump through this final hoop smoothly. Alas… Anyway, to cut a long story short, I failed TLS authentication for a Windows 10 endpoint. Here's what I did so far.

We want to issue certificates to users based on the MAC addresses of their devices. Hence I added a new certificate and used the MAC address in the CN field in the format 70:1a:04:2c:52:ff. The profile I used while issuing this certificate was created exactly as described in the admin guide for PKI, namely TLSClient. Then I downloaded this certificate after it was signed and imported it to the Windows laptop. The security properties of the wireless connection profile on the laptop were configured to use TLS, i.e. Microsoft: Smart card or other certificate.

Trying to authenticate while running radius in debug mode, I see a lot of interesting stuff. Pasting only the relevant lines:

(5) eap_tls: Continuing EAP-TLS
(5) eap_tls: Got final TLS record fragment (46 bytes)
(5) eap_tls: [eaptls verify] = ok
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: Creating attributes from certificate OIDs
(5) eap_tls: TLS-Client-Cert-Serial := "03"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/emailAddress=it...@op.../ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it...@op.../ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(5) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
(5) eap_tls: ERROR: System call (I/O) error (-1)
(5) eap_tls: ERROR: TLS receive handshake failed during operation
(5) eap_tls: ERROR: [eaptls process] = fail
(5) eap: ERROR: Failed continuing EAP TLS (13) session. EAP sub-module failed
(5) eap: Sending EAP Failure (code 4) ID 213 length 4
(5) eap: Failed in EAP select
(5) [eap] = invalid
(5) } # authenticate = invalid
(5) Failed to authenticate the user
(5) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [70:1a:04:2c:52:ff] (from client 172.19.254.2 port 0 cli 70:1a:04:2c:52:ff)
(5) Using Post-Auth-Type Reject

The same happens if I issue the certificate to the user based on its name, not the MAC address:

(5) eap_tls: TLS-Client-Cert-Serial := "04"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110083931Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=it.tech/emailAddress=it...@op.../ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it...@op.../ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "it.tech"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate

Eugene

From: Durand fabrice [mailto:fd...@in...]
Sent: Tuesday, January 09, 2018 2:46 PM
To: E.P.
Cc: pac...@li...
Subject: Re: [PacketFence-users] PKI installation

The admin user is different between PacketFence and the PKI.
When I said "In configuration -> Users -> Edit admin -> Change User Password" it was in the PKI admin interface.

Fabrice

On 2018-01-09 at 13:47, E.P. wrote:
Sorry for being a pain in the lower part of the back, Fabrice ;) I thought that the admin user in PF is different from PKI. At least I know that I did change the password for admin in PF as you described and this is how I login to the main GUI. But I can't login as admin with the same password to PKI.
Eugene
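As an added example (not part of this thread, and not PacketFence or FreeRADIUS code), here is a small stdlib-only Python triage script for eap_tls debug output of the kind pasted above. It groups the lines by request id, collects the TLS-Client-Cert-* attributes, decodes the UTCTime expiry, and maps the "SSL says error N" code to its OpenSSL X509 verify name; error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, which means the RADIUS server could not find the certificate's issuer (here the CN=Options-PF-CA issuer) among the CAs it trusts, so the check a defender wants is that the issuing CA certificate, and any intermediates, are present in the CA file or path the EAP-TLS module loads. The embedded sample log is constructed from the lines above (the second, it.tech run is renumbered as request 6 so both show up in one pass); the error-code table lists standard OpenSSL codes, and the remediation hints are my own wording.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: eap_tls lines copied from the thread above, with the
# second run (it.tech certificate) renumbered as request 6 for this example.
SAMPLE_LOG = """\
(5) eap_tls: Done initial handshake
(5) eap_tls: <<< recv TLS 1.0 Handshake [length 03ac], Certificate
(5) eap_tls: TLS-Client-Cert-Serial := "03"
(5) eap_tls: TLS-Client-Cert-Expiration := "200110080019Z"
(5) eap_tls: TLS-Client-Cert-Subject := "/CN=70:1a:04:2c:52:ff/emailAddress=it...@op.../ST=BC/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it...@op.../ST=British Columbia/O=Options Community Services/C=CA"
(5) eap_tls: TLS-Client-Cert-Common-Name := "70:1a:04:2c:52:ff"
(5) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
(5) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
tls: TLS_accept: Error in error
(5) } # authenticate = invalid
(6) eap_tls: TLS-Client-Cert-Serial := "04"
(6) eap_tls: TLS-Client-Cert-Expiration := "200110083931Z"
(6) eap_tls: TLS-Client-Cert-Subject := "/CN=it.tech/emailAddress=it...@op.../ST=BC/O=Options Community Services/C=CA"
(6) eap_tls: TLS-Client-Cert-Issuer := "/CN=Options-PF-CA/emailAddress=it...@op.../ST=British Columbia/O=Options Community Services/C=CA"
(6) eap_tls: TLS-Client-Cert-Common-Name := "it.tech"
(6) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
"""

# Standard OpenSSL X509 verify result codes as reported by "SSL says error N".
X509_VERIFY_ERRORS = {
    2: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT",
    7: "X509_V_ERR_CERT_SIGNATURE_FAILURE",
    9: "X509_V_ERR_CERT_NOT_YET_VALID",
    10: "X509_V_ERR_CERT_HAS_EXPIRED",
    18: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    19: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    20: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    21: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    23: "X509_V_ERR_CERT_REVOKED",
}

# Remediation hints in my own words (not FreeRADIUS or OpenSSL text).
HINTS = {
    20: "issuing CA (and intermediates) missing from the RADIUS server's CA file/path",
    10: "client certificate expired; reissue it",
    9: "client certificate not yet valid; check clock skew between PKI and RADIUS",
}

LINE_RE = re.compile(r'^\((?P<req>\d+)\)\s+(?P<mod>\S+):\s*(?P<msg>.*)$')
ATTR_RE = re.compile(r'^(?P<name>TLS-Client-Cert-[\w-]+)\s*:=\s*"(?P<value>[^"]*)"$')
SSL_ERR_RE = re.compile(r'^ERROR: SSL says error (?P<code>\d+)\s*:\s*(?P<text>.*)$')
CN_RE = re.compile(r'/CN=([^/]+)')


def parse_eap_tls_debug(text):
    """Group eap_tls debug lines by request id.
    Returns {req_id: {"attrs": {name: value}, "ssl_error": (code, text) or None}}."""
    requests = defaultdict(lambda: {"attrs": {}, "ssl_error": None})
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("mod") != "eap_tls":
            continue  # other modules, or lines without a "(N)" prefix
        req, msg = int(m.group("req")), m.group("msg")
        a = ATTR_RE.match(msg)
        if a:
            requests[req]["attrs"][a.group("name")] = a.group("value")
            continue
        e = SSL_ERR_RE.match(msg)
        if e:
            requests[req]["ssl_error"] = (int(e.group("code")), e.group("text").strip())
    return dict(requests)


def utctime_to_iso(value):
    """Decode an ASN.1 UTCTime such as 200110080019Z; returns None if malformed."""
    try:
        return datetime.strptime(value, "%y%m%d%H%M%SZ").isoformat()
    except (TypeError, ValueError):
        return None


def triage(parsed):
    """One finding per rejected request: who presented the cert, who issued it, why it failed."""
    findings = []
    for req, info in sorted(parsed.items()):
        if info["ssl_error"] is None:
            continue
        code, text = info["ssl_error"]
        issuer_cn = CN_RE.search(info["attrs"].get("TLS-Client-Cert-Issuer", ""))
        findings.append({
            "request": req,
            "subject_cn": info["attrs"].get("TLS-Client-Cert-Common-Name"),
            "issuer_cn": issuer_cn.group(1) if issuer_cn else None,
            "serial": info["attrs"].get("TLS-Client-Cert-Serial"),
            "not_after": utctime_to_iso(info["attrs"].get("TLS-Client-Cert-Expiration")),
            "code": code,
            "name": X509_VERIFY_ERRORS.get(code, "unknown verify error %d" % code),
            "openssl_text": text,
            "hint": HINTS.get(code, "see the OpenSSL X509 verify error list"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(parse_eap_tls_debug(SAMPLE_LOG)):
        print("request %d: CN=%s issued by CN=%s (serial %s, expires %s) rejected: %d %s (%s)\n  -> %s"
              % (f["request"], f["subject_cn"], f["issuer_cn"], f["serial"], f["not_after"],
                 f["code"], f["name"], f["openssl_text"], f["hint"]))
```

Run it against a saved `radiusd -X` capture by replacing SAMPLE_LOG with the file contents; the "unknown CA" alert that follows error 20 in the trace is the server telling the supplicant the same thing, so a fix on the client side (reissuing the user or MAC certificate) will not change the outcome until the server's trusted CA set contains the issuer.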