Discussion:
[PacketFence-users] EAP-TLS with IP-PHones
Christian Gfeller
2017-05-23 15:16:24 UTC
Hello packetfence users,

I have an installation of PacketFence 7.0. MSPKI is integrated (https://packetfence.org/doc/PacketFence_MSPKI_Quick_Install_Guide.html) and EAP-TLS with Windows clients (802.1x) works fine.

We have Alcatel Lucent wired IP phones which support 802.1x (MD5 and TLS) too. There is a certificate from Alcatel preinstalled on the phone (issued by "Alcatel Enterprise Solutions"). I have downloaded the "Alcatel Enterprise Solutions" root certificate.

Which is the right way to authenticate the IP phones with the built-in certificate? How can I install the root certificate with the already installed MSPKI?

Thank you
Chris
Fabrice Durand
2017-05-23 17:07:51 UTC
Hello Chris,

In fact you have to concatenate the root certificate in your CA file
(ca_file in eap.conf).

Regards

Fabrice
--
Fabrice Durand
***@inverse.ca :: +1.514.447.4918 (x135) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
Christian Gfeller
2017-05-31 15:37:42 UTC
Hello Fabrice,

Thank you for your reply.

I have copied the Alcatel CA cert to my existing CA certificate file:

-----BEGIN CERTIFICATE-----
MS CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Alcatel CA
-----END CERTIFICATE-----

Then I restarted the radiusd service.

When the phone tries to authenticate (EAP-TLS), this message is in radius.log:

May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
May 31 17:28:03 nac2 auth[4563]: (24) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
May 31 17:28:03 nac2 auth[4563]: tls: TLS_accept: Error in error
May 31 17:28:03 nac2 auth[4563]: (24) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [ALCIPT] (from client 192.168.1.46 port 20 cli 00:80:9f:dd:33:b0)

What is missing?

Thank you
Chris
Fabrice Durand
2017-05-31 18:02:26 UTC
You are probably missing some certificates; here is what I used:
Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel Enterprise Solutions
X509v3 Subject Key Identifier:
B7:1F:4E:45:B5:00:DD:F3:C7:9A:97:62:04:08:D1:9A:4C:BA:4A:0D

Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 1
X509v3 Subject Key Identifier:
78:7A:40:06:A1:79:56:85:BC:05:9B:D5:9A:D3:B0:16:4F:16:CB:E2

Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 2
X509v3 Subject Key Identifier:
88:3E:CC:2D:90:29:C9:FE:14:FC:D3:30:A6:55:06:58:68:3F:A8:41

Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 3
X509v3 Subject Key Identifier:
92:D7:26:7D:FD:3F:00:B9:4D:B3:19:89:0A:8D:03:60:ED:AC:DD:0A

Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=AIPT 4
X509v3 Subject Key Identifier:
F2:4A:85:BA:64:98:68:45:21:BD:38:4B:BB:98:88:35:50:65:61:71

Subject: C=FR, O=Alcatel-Lucent, OU=PKI Authority, CN=Wired Phones
X509v3 Subject Key Identifier:
D2:05:A3:38:E6:56:67:AC:85:3C:A4:21:5C:64:CF:D2:49:DB:CC:02

Subject: C=FR, O=Alcatel, OU=PKI Authority, CN=Alcatel IP Touch
X509v3 Subject Key Identifier:
56:92:08:12:EE:43:D4:AF:B5:20:11:C0:92:A8:E0:62:C1:1E:7F:7C
Christian Gfeller
2017-05-31 19:25:17 UTC
Thank you Fabrice,

Now it works. I have copied more certificates to the CA file. The "Wired Phones" certificate was needed.

The only thing I'm wondering about is that the connection type for the phones is "Wired MAC Auth" and not "Wired 802.1x" like the Win 10 clients.
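To make the diagnosis in this thread reproducible, here is an added example (not from the thread, PacketFence or Alcatel): it builds a constructed three-level PKI with openssl, shaped like the phones' chain (root CA, an issuing "Wired Phones" CA, a phone certificate), and shows that verifying the phone certificate against a CA file holding only the root yields X.509 error 20 (the "unable to get local issuer certificate" seen in radius.log), while a bundle that also carries the issuing CA verifies. All names, keys and certificates are constructed stand-ins.

```shell
# Constructed demo of the thread's failure: a ca_file with only the root
# CA cannot chain a phone certificate issued by an intermediate CA.
# Everything here is generated on the fly; no real Alcatel material is used.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA, self-signed (stand-in for "Alcatel Enterprise Solutions")
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/C=FR/O=Alcatel/OU=PKI Authority/CN=Alcatel Enterprise Solutions" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -sha256 -extfile ca.ext 2>/dev/null

# Issuing CA signed by the root (stand-in for the "Wired Phones" CA)
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/C=FR/O=Alcatel-Lucent/OU=PKI Authority/CN=Wired Phones" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -sha256 -extfile ca.ext 2>/dev/null

# Phone certificate issued by the intermediate (the EAP-TLS client cert)
openssl req -new -newkey rsa:2048 -nodes -keyout phone.key -out phone.csr \
  -subj "/C=FR/O=Alcatel-Lucent/CN=ip-phone-example" 2>/dev/null
openssl x509 -req -in phone.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out phone.pem -days 30 -sha256 2>/dev/null

# Two candidate ca_file contents: root only (first attempt) and root + issuing CA (the fix)
cat root.pem > ca_root_only.pem
cat root.pem inter.pem > ca_with_issuer.pem

# chain_status BUNDLE CERT -> "OK", or the X.509 error number openssl reports (e.g. 20)
chain_status() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true   # old openssl exits 0 even on failure
  case "$out" in
    *": OK"*) echo OK ;;
    *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
  esac
}

# bundle_subjects BUNDLE -> the subject of every certificate in a concatenated PEM file
bundle_subjects() {
  d=$(mktemp -d)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++} n>0{print > (d "/" n ".pem")}' "$1"
  for f in "$d"/*.pem; do openssl x509 -in "$f" -noout -subject; done
  rm -r "$d"
}

echo "root only:     $(chain_status ca_root_only.pem phone.pem)"
echo "root + issuer: $(chain_status ca_with_issuer.pem phone.pem)"
```

The same check applies to a real deployment: run bundle_subjects on the ca_file from eap.conf and confirm that the issuer named on the phone's certificate (its Issuer field) appears there, not just the root.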