Hello Joe,

Please do that on the server and generate an authentication:

    raddebug -f /usr/local/pf/var/run/radiusd.sock | tee raddebug.log

Attach the raddebug.log file.

Thanks,

Ludovic Zammit
Product Support Engineer Principal
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Jul 5, 2022, at 1:53 PM, Joe Clempka <[email protected]> wrote:
>
> Thanks Ludovic! I'll give this a try. I think my issue was trying to use
> the existing Active Directory internal source and not doing an LDAP one.
>
> "The thing for PF to use the username given from the cert, by default, it
> would try to match the username as a sAMAccountName. Make sure it matches and
> it would work."
> - For this part, the phone's cert subject is the MAC address. Is there a way
> for PacketFence to use the stripped username instead of looking at the cert's
> subject?
>
> On Mon, Jul 4, 2022 at 12:02 PM Zammit, Ludovic <[email protected]> wrote:
> Hello Joe,
>
> Yes, PacketFence does exactly what you want it to do.
>
> The only thing is that you need to put an LDAP source on a connection profile
> that catches the EAP-TLS authentication.
>
> The thing for PF to use the username given from the cert, by default, it
> would try to match the username as a sAMAccountName. Make sure it matches and
> it would work.
>
> You could also do another check: you could create a RADIUS filter / VLAN
> filter that checks the MAC OUI of the device and allows only yours; maybe it
> would be less work than creating 800+ AD accounts.
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal
>
>> On Jul 2, 2022, at 2:07 PM, Joe Clempka via PacketFence-users <[email protected]> wrote:
>>
>> Hey All,
>>
>> Is it possible when using EAP-TLS to restrict based on stripped username?
>>
>> The VoIP phones I am using send the last few characters of their MAC
>> address for username and that is being used as the stripped name, and
>> thus forced into the NULL realm (doesn't seem like there is any way
>> around that).
>>
>> EAP-TLS works fine - phone powers on, sends its cert signed by the
>> phone vendor CA, and PacketFence trusts the CA for this EAP profile
>> and allows it.
>>
>> But the issue is the cert on the phones is generic, provided by the
>> manufacturer. This means that ANY VoIP phone by this vendor could
>> come onto the network and start the EAP-TLS process, as it will
>> present to PacketFence a certificate signed by the CA that I told
>> PacketFence to use for EAP-TLS (defined under PKI SSL Certificates
>> --> SSL Certificates --> Certificate Authority, I just paste in the
>> CAs I use then map that to TLS Profile and then EAP Profile and then
>> map that EAP Profile to the NULL realm).
>>
>> The vendor said they don't support PacketFence, and said to use
>> Microsoft's NPS server, as that can use EAP-TLS plus looking up
>> against AD for a username (that would be equal to the stripped MAC
>> address). So Microsoft's way would be EAP-TLS where the stripped
>> username must exist in AD plus have a cert issued by the phone vendor
>> (and thus only user objects we create in AD with specific stripped
>> names would be allowed).
>>
>> In AD, you would have a username with the last part of the MAC
>> address, and a cert assigned to that user in AD (extracted from the
>> phone). During EAP-TLS, it verifies the user object exists AND that
>> it has a cert issued by the trusted CA. Versus in PacketFence it just
>> cares that the client cert is issued by a trusted CA, and anyone with
>> a cert signed by that CA would be trusted (so any VoIP phone by that
>> vendor).
>>
>> Is that possible in PacketFence to look up against AD and/or restrict
>> based on a list of stripped names (it would be 800+ phone MAC
>> names...)?
>>
>> Thanks!
_______________________________________________ PacketFence-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/packetfence-users
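The authorization flow discussed in this thread (EAP-TLS chain validation first, then binding the stripped username to a per-device directory account, with a MAC OUI filter as the weaker alternative), written out as an added worked example. This is not code from the original messages and not PacketFence or FreeRADIUS code; it models the decision as a plain function so the policy can be read and tested on its own. The CA name, the inventory entries, the OUI allow-list and the request attributes are all constructed. In PacketFence the directory lookup corresponds to the LDAP source on the connection profile and the OUI test to a RADIUS or VLAN filter.

```python
"""Added worked example (not PacketFence or FreeRADIUS code): the post-EAP-TLS
authorization decision from the thread, as a pure function."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed CA name. In PacketFence the chain check is done by the EAP/TLS
# profile against the CA pasted under PKI SSL Certificates.
TRUSTED_ISSUER_CN = "Example Phone Vendor Device CA"

# Constructed stand-in for the LDAP/AD source: sAMAccountName -> MAC.
# Per the thread, the account name is the phone's stripped username
# (the last characters of its MAC address).
INVENTORY = {
    "a1b2c3": "00:11:22:a1:b2:c3",
    "d4e5f6": "00:11:22:d4:e5:f6",
}

# Constructed vendor OUI allow-list for the RADIUS/VLAN filter alternative.
ALLOWED_OUIS = {"00:11:22"}


def normalize_mac(mac: str) -> str:
    """Accept aa-bb-cc-dd-ee-ff, AABBCCDDEEFF or aa:bb:... and return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def strip_realm(user_name: str) -> str:
    """PacketFence-style stripped username: drop an @realm suffix or a DOMAIN\\ prefix."""
    if "\\" in user_name:
        user_name = user_name.split("\\", 1)[1]
    return user_name.split("@", 1)[0].lower()


@dataclass(frozen=True)
class Request:
    user_name: str            # RADIUS User-Name (outer identity sent by the phone)
    calling_station_id: str   # RADIUS Calling-Station-Id (MAC seen by the switch)
    cert_subject_cn: str      # CN of the presented client certificate (the MAC, per the thread)
    cert_issuer_cn: str       # CN of the CA that signed it


def authorize(req: Request, require_inventory: bool = True) -> tuple[bool, str]:
    """Return (accept, reason). Every rejection names the step that failed."""
    # 1. Chain to the configured CA. This is all that EAP-TLS alone proves, and
    #    with a vendor-generic certificate it only proves "made by this vendor".
    if req.cert_issuer_cn != TRUSTED_ISSUER_CN:
        return False, "certificate not issued by the trusted vendor CA"

    # 2. Consistency check: the MAC the switch reports must be the MAC the
    #    certificate names. Both are supplicant-controlled, so this only
    #    catches careless reuse, not a deliberate clone.
    try:
        seen = normalize_mac(req.calling_station_id)
        named = normalize_mac(req.cert_subject_cn)
    except ValueError as exc:
        return False, str(exc)
    if seen != named:
        return False, "certificate subject MAC does not match Calling-Station-Id"

    # 3a. Per-device binding (the NPS-style check from the thread): the stripped
    #     username must exist in the directory and map to exactly this MAC.
    if require_inventory:
        stripped = strip_realm(req.user_name)
        expected = INVENTORY.get(stripped)
        if expected is None:
            return False, f"no account for stripped username {stripped!r}"
        if normalize_mac(expected) != seen:
            return False, "account exists but is bound to a different MAC"
        return True, f"accepted: {stripped} bound to {seen}"

    # 3b. Weaker alternative from the thread: only the vendor OUI is checked,
    #     so any phone from that vendor still passes.
    oui = seen[:8]
    if oui not in ALLOWED_OUIS:
        return False, f"OUI {oui} not in allow-list"
    return True, f"accepted by OUI only: {seen}"


if __name__ == "__main__":
    enrolled = Request("a1b2c3", "00-11-22-A1-B2-C3", "00:11:22:a1:b2:c3", TRUSTED_ISSUER_CN)
    stranger = Request("ffeedd", "00-11-22-FF-EE-DD", "00:11:22:ff:ee:dd", TRUSTED_ISSUER_CN)
    print(authorize(enrolled))
    print(authorize(stranger))
    print(authorize(stranger, require_inventory=False))
```

The point the example makes concrete: the chain check (step 1) accepts every phone the vendor ever shipped, which is exactly the gap Joe describes. Only the directory binding (step 3a) turns "a certificate from that CA" into "this specific phone we enrolled"; the OUI filter (step 3b) is cheaper to deploy but still admits any device from the vendor. User-Name and Calling-Station-Id are chosen by the supplicant, so the MAC comparisons are consistency checks rather than proof of identity. The raddebug capture Ludovic asks for is where you would confirm which User-Name and realm PacketFence actually derived from the phone before building the account list.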
