Rokkhan
2017-05-23 19:23:44 UTC
Hi,
I have installed packetfence 6.5.1 on a centos 6.8 and I created 2 profiles
(Guests and Byod).
Guest is working correctly but I am unable to get Byod working with
packetfence-pki and eap-tls.
I am able to show a captive portal where users can log in through an ldap
user source and are moved to an android or windows provisioner which
generates a client cert, but I have two issues:
On android I can not configure wlan. I have tried with packetfence-agent for
android: it downloads the profile, asks me for the password and finally says
"The SSID has been created" but no SSID has been created. I have tried on an
Android 6.0 and an Android 7.1 with the same result.
On windows, it downloads the windows agent, installs the certs and
configures the SSID on my W10 laptop, but when I try to get access I get an
auth error.
I have followed the packetfence-pki manual which shows how to create the
CA, server cert and client cert profiles. I configured eap.conf like this:
[***@SLX00010808 tls_certs]# nano /usr/local/pf/conf/radiusd/eap.conf
tls-config tls-common {
    private_key_file = [% install_dir %]/conf/ssl/tls_certs/slx00010808.key
    certificate_file = [% install_dir %]/conf/ssl/tls_certs/slx00010808.pem
    ca_file = [% install_dir %]/conf/ssl/tls_certs/EroskiCA.pem
    ocsp {
        enable = yes
        override_cert_url = yes
        url = "http://172.22.5.235:9292/pki/ocsp/"
    }
}
to point to the custom-created certs, but I get this error when I try to connect
with my laptop:
Tue May 23 20:10:16 2017 : ERROR: (47) eap_tls: ERROR: SSL says error 20 : unable to get local issuer certificate
Tue May 23 20:10:16 2017 : ERROR: (47) eap_tls: ERROR: TLS Alert write:fatal:unknown CA
Tue May 23 20:10:16 2017 : Error: tls: TLS_accept: Error in SSLv3 read client certificate B
Tue May 23 20:10:16 2017 : Auth: (47) Login incorrect (eap_tls: SSL says error 20 : unable to get local issuer certificate): [***@eroski.es] (from client 172.22.15.0/24 port 1 cli e4:f8:9c:78:40:88)
Tue May 23 20:10:16 2017 : Info: rlm_sql (sql): Closing connection (33): Hit idle_timeout, was idle for 207 seconds
Tue May 23 20:10:16 2017 : Info: rlm_sql (sql): Closing connection (34): Hit idle_timeout, was idle for 207 seconds
Tue May 23 20:10:16 2017 : Info: rlm_sql (sql): Opening additional connection (35), 1 of 64 pending slots used
Tue May 23 20:10:16 2017 : Info: rlm_sql (sql): Need 2 more connections to reach 10 spares
Tue May 23 20:10:16 2017 : Info: rlm_sql (sql): Opening additional connection (36), 1 of 63 pending slots used
Tue May 23 20:10:16 2017 : [mac:e4:f8:9c:78:40:88] Rejected user: ***@eroski.es
Any help will be appreciated; I am quite desperate with this issue.
Greetings.
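The "SSL says error 20 : unable to get local issuer certificate" / "TLS Alert write:fatal:unknown CA" pair in the log above is FreeRADIUS reporting that the certificate presented by the client was signed by a CA that is not present in the file named by ca_file. The same check can be run offline with the openssl CLI against the ca_file from eap.conf and a client certificate issued by the PKI, before touching the RADIUS configuration again. The script below is an added example, not part of the original post and not PacketFence code: it builds a throwaway CA, one client certificate signed by it, and an unrelated CA standing in for a wrong ca_file, then shows openssl verify succeeding with the right CA and failing with exactly the error 20 text seen in the log. It assumes the openssl CLI is installed; every file and subject name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post, not PacketFence's own code):
# reproduce FreeRADIUS's "error 20 : unable to get local issuer certificate"
# with the openssl CLI so the ca_file named in eap.conf can be checked offline.
# Assumes the openssl CLI is installed. All files are generated in a temp dir.

set -eu

# Build a throwaway PKI: an issuing CA, one client certificate signed by it,
# and a second, unrelated CA that stands in for a wrong ca_file.
# Prints the directory holding the generated files.
make_demo_pki() {
  dir=$(mktemp -d)
  # Issuing CA (plays the role of the PKI CA that signs client certs)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Demo Issuing CA" >/dev/null 2>&1
  # Client certificate request and signature by the issuing CA
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/client.key" -out "$dir/client.csr" \
    -subj "/CN=client@example.invalid" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/client.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/client.pem" >/dev/null 2>&1
  # Unrelated CA: what a ca_file pointing at the wrong CA looks like
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$dir/other.key" -out "$dir/other.pem" \
    -subj "/CN=Unrelated CA" >/dev/null 2>&1
  echo "$dir"
}

# Does CERT ($2) chain to the CA(s) in CAFILE ($1)? This is the same
# verification rlm_eap_tls performs against ca_file. Returns 0/1.
chains_to_ca() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    return 0
  fi
  return 1
}

# Full openssl verify output for CAFILE ($1) / CERT ($2), never failing,
# so the "error 20 at 0 depth lookup" line can be shown to the reader.
verify_message() {
  openssl verify -CAfile "$1" "$2" 2>&1 || true
}

# Stand-alone run: compare the client cert's issuer with each candidate
# ca_file and report which one would pass RADIUS-side chain validation.
demo_dir=$(make_demo_pki)
echo "client issuer  : $(openssl x509 -noout -issuer -in "$demo_dir/client.pem")"
for ca in ca other; do
  echo "ca_file subject: $(openssl x509 -noout -subject -in "$demo_dir/$ca.pem")"
  if chains_to_ca "$demo_dir/$ca.pem" "$demo_dir/client.pem"; then
    echo "  -> chain OK: this ca_file would accept the client certificate"
  else
    echo "  -> $(verify_message "$demo_dir/$ca.pem" "$demo_dir/client.pem" | grep 'error 20' || echo 'verification failed')"
  fi
done
rm -rf "$demo_dir"
```

To apply this to the setup in the post, run chains_to_ca with the EroskiCA.pem from ca_file as the first argument and a client certificate exported from the PacketFence PKI as the second; a failure means the PKI's issuing CA (or an intermediate in its chain) is missing from ca_file. Note that FreeRADIUS uses ca_file both to verify client certificates and to complete the server's own chain, so when the server certificate and the client certificates come from different CAs, both CA certificates need to be concatenated into the one file. OCSP is only consulted after chain validation succeeds, so the ocsp block is not involved in an error 20.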