Hello,

You can use the Web admin to install the RADIUS SSL cert.

Make sure to restart radiusd on all servers to apply the cert.

You can use the PF PKI and the PF PKI provisioner to install it on Windows for 
a Wireless interface. You could also download the cert from the PF web 
interface and install it manually on the device.

What’s the PKI that you are using?

Thanks,

Ludovic Zammit
Product Support Engineer Principal

Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Nov 2, 2021, at 2:18 PM, E.P. <[email protected]> wrote:
> 
> Yes, Ludovic,
> Apparently the certificate has some issues. RADIUS debug revealed this:
>  
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: (TLS) Failed reading application data from OpenSSL: error:14094419:SSL routines:ssl3_read_bytes:tlsv1 alert access denied
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap_peap: [eaptls process] = fail
> (18) Tue Nov  2 11:06:07 2021: ERROR: eap: Failed continuing EAP PEAP (25) session.  EAP sub-module failed
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Sending EAP Failure (code 4) ID 215 length 4
> (18) Tue Nov  2 11:06:07 2021: Debug: eap: Failed in EAP select
> (18) Tue Nov  2 11:06:07 2021: Debug:     [eap] = invalid
> (18) Tue Nov  2 11:06:07 2021: Debug:   } # authenticate = invalid
>  
> So, all that I did was copying three files into /usr/local/pf/raddb/certs 
> folder
> Server.crt (the certificate issued by Godaddy CA)
> Server.key (private key)
> ca.pem (root CA)
>  
> I just wanted to replace this example certificate that PF uses for EAP/TLS 
> session
>  
> Is there any instruction how to generate a different certificate on PF that 
> will be accepted by Windows OS supplicant?
>  
> Eugene
> From: Zammit, Ludovic <[email protected]> 
> Sent: Tuesday, November 02, 2021 5:51 AM
> To: [email protected]
> Cc: E.P. <[email protected]>
> Subject: Re: [PacketFence-users] Rejected users logging via Windows
>  
> Hello EP,
>  
> It looks like the certificate passed to PF was not correct.
>  
> Use the command:
>  
> raddebug -f /usr/local/pf/var/run/radiusd.sock
>  
> Thanks,
>  
> 
>> On Nov 2, 2021, at 3:07 AM, E.P. via PacketFence-users 
>> <[email protected]> wrote:
>>  
>> Hello,
>> A while ago someone asked here this question and there was no reply.
>> I hit it again and I have clue, out of the blue, all authentication 
>> attempts from Windows OS fail:
>>  
>> Nov 1 23:52:53 packetfence auth[2736]: Adding client 172.19.254.2/32
>> Nov 1 23:52:53 packetfence auth[2736]: (24) eap_peap: ERROR: (TLS) Alert read:fatal:access denied
>> Nov 1 23:52:53 packetfence auth[2736]: [mac:c4:9d:ed:8c:11:03] Rejected user: it.tech
>> Nov 1 23:52:53 packetfence auth[2736]: (24) Login incorrect (eap_peap: (TLS) Alert read:fatal:access denied): [it.tech] (from client 172.19.254.2/32 port 0 cli c4:9d:ed:8c:11:03)
>>  
>> No problem with mobile phones.
>> Trying to run RADIUS in the debug mode using the old radiusd -X command but 
>> on ver 11 it can’t be found anymore.
>> Any ideas?
>>  
>> Eugene


_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
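
Added example, not part of the original thread: a shell function that checks the three files mentioned above for inconsistencies that commonly make a supplicant abort the PEAP TLS handshake. It assumes the files are named server.crt, server.key and ca.pem in /usr/local/pf/raddb/certs, that the key is unencrypted, and that the openssl CLI is installed. Windows requires the Server Authentication EKU on the RADIUS server certificate; whether the client trusts the issuing CA cannot be checked from the server side.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the three files the thread copies
# into /usr/local/pf/raddb/certs. Assumed names: server.crt, server.key, ca.pem;
# assumes an unencrypted private key and the openssl CLI.
# Returns: 0 ok, 1 file missing, 2 key/cert mismatch, 3 expired,
#          4 chain does not verify against ca.pem, 5 no Server Authentication EKU.
check_radius_certs() {
    dir=${1:-/usr/local/pf/raddb/certs}
    crt=$dir/server.crt; key=$dir/server.key; ca=$dir/ca.pem

    for f in "$crt" "$key" "$ca"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done

    # 1. The private key must belong to the certificate: compare public keys.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "FAIL: server.key does not match server.crt"; return 2
    fi

    # 2. The certificate must not be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: server.crt is expired"; return 3; }

    # 3. The chain must verify against ca.pem. A missing intermediate CA
    #    shows up here as "unable to get local issuer certificate".
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: server.crt does not chain to ca.pem"; return 4; }

    # 4. The certificate must carry the Server Authentication EKU.
    openssl x509 -in "$crt" -noout -text 2>/dev/null |
        grep -q "TLS Web Server Authentication" ||
        { echo "FAIL: no Server Authentication EKU in server.crt"; return 5; }

    echo "OK: key, validity, chain and EKU look consistent"
}
```

Source the file and run check_radius_certs (optionally with a directory argument) before restarting radiusd; a non-zero return code identifies the first check that failed.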
