Hello Fabrice,
thanks for the reply.
Internal PKI is already set up and I created a new cert for the RADIUS-Server
and added the CA-Cert to the config. Everything is green here.
What’s next?
I added a new internal authentication source (EAPTLS) with Authentication Rule:
Matches: all
Conditions:
SSID equals “MySSID”
Actions:
Role “MyRole”
Access Duration 5 Days
Is it advised to create a new connection profile or could I just use the
default profile to start with?
Kind regards
Johannes
From: Fabrice Durand via PacketFence-users
[mailto:[email protected]]
Sent: Wednesday, 15 March 2023 13:26
To: [email protected]
Cc: Fabrice Durand <[email protected]>
Subject: Re: [PacketFence-users] EAP-TLS Configuration
Hello Johannes,
in fact you can follow this to create the certificates needed for eap-tls.
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_certificate_authority_creation
Once you have created the ca certificate and applied it in the radius section.
```
Once done copy the certificate in the clipboard from the Certificate
Authorities list (Configuration → Integration → PKI → Certificate Authorities
and click on Copy Certificate) then edit the RADIUS certificate section in
Configuration → System Configuration → SSL Certificates → RADIUS → Edit and
paste the public key in "Certificate Authority" and Save. (Don’t forget to
restart radiusd-auth)
This will authorize the EAP TLS authentications using the PKI issued
certificates.
```
Create a certificate template
https://www.packetfence.org/doc/PacketFence_Installation_Guide.html#_template_creation
and create a certificate for the end user.
Once you have the pkcs12 file, import it on your device and configure the
supplicant to use this certificate to connect to a secure ssid (it could be
wired too).
So when you try to connect, you should be able to see the RADIUS
authentication in the RADIUS audit log. The next steps will be to configure an
EAPTLS or Authorize authentication source and assign it to a connection profile
where you set the filter to sub_connection_type = EAP_TLS.
Let me know if you are stuck at some point.
Regards
Fabrice
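
A check for the steps described in the reply above (paste the CA into the RADIUS certificate section, then import the PKCS#12 on the device), added here as an example and not part of the original thread or of PacketFence: it uses only the openssl CLI to test whether a client bundle chains to a given CA and is usable for TLS client authentication. The CAs, certificates, file names and the password are constructed lab values.

```sh
# check_eap_tls_client CA_PEM P12_FILE P12_PASSWORD: succeeds only if the bundle's
# client certificate chains to CA_PEM, is in date and allows TLS client auth.
check_eap_tls_client() {
    leaf=$(mktemp) || return 2
    # -clcerts -nokeys: extract the client certificate only, never the key.
    if openssl pkcs12 -in "$2" -passin "pass:$3" -clcerts -nokeys \
            -out "$leaf" 2>/dev/null &&
       openssl verify -CAfile "$1" -purpose sslclient "$leaf" >/dev/null 2>&1
    then rc=0; else rc=1; fi
    rm -f "$leaf"
    return "$rc"
}

# make_constructed_lab DIR: throwaway CAs and certificates (constructed data).
make_constructed_lab() (
    cd "$1" || exit 1
    cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[lab_ca]
basicConstraints = critical,CA:TRUE
[lab_client]
extendedKeyUsage = clientAuth
[lab_server]
extendedKeyUsage = serverAuth
EOF
    for ca in ca other-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -config lab.cnf -days 1 \
            -extensions lab_ca -subj "/CN=Constructed $ca" \
            -keyout "$ca.key" -out "$ca.pem" || exit 1
    done
    for leaf in client server; do   # "server" lacks the clientAuth EKU
        openssl req -new -newkey rsa:2048 -nodes -config lab.cnf \
            -subj "/CN=constructed-$leaf" -keyout "$leaf.key" -out "$leaf.csr" &&
        openssl x509 -req -in "$leaf.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -extfile lab.cnf -extensions "lab_$leaf" -days 1 -out "$leaf.pem" &&
        openssl pkcs12 -export -inkey "$leaf.key" -in "$leaf.pem" \
            -passout pass:constructed -out "$leaf.p12" || exit 1
    done
) >/dev/null 2>&1

lab=$(mktemp -d) && make_constructed_lab "$lab" || exit 1
for pair in "ca client" "ca server" "other-ca client"; do
    set -- $pair
    check_eap_tls_client "$lab/$1.pem" "$lab/$2.p12" constructed && r=accepted || r=rejected
    echo "$2.p12 against $1.pem: $r"
done
rm -rf "$lab"
```

On a real system, hand the bundle password to openssl with `-passin file:` or `-passin env:` rather than `pass:`, which exposes it in the process list.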
On Wed, 15 Mar 2023 at 07:45, Mudrich, J. via PacketFence-users
<[email protected]> wrote:
Hello again,
I’m trying to configure PF for EAP-TLS authentication. I couldn’t find any
comprehensive guide or manual so I hope you can help.
I would like to use the internal PKI. That’s what I already set up. Maybe
someone can walk me through this?
Some wild guesses:
I think I need to set up an Authentication Source (internal -> EAPTLS)?
Are there any changes needed in the RADIUS configuration (System Configuration
-> Radius)?
What’s with “PKI SSL Certificates”, do I need to add the internal PKI’s CA there?
Some additional thoughts: I can already see the devices I’d like to manage via
EAP-TLS in my nodes list because of their DHCP broadcasts. Will these nodes
then somehow be connected to the certificates issued by the internal PKI?
Thanks and kind regards
Johannes
Johannes Mudrich
Employee
IT
Altmark-Klinikum gGmbH
Ernst-von-Bergmann-Straße 22
39638 Gardelegen
Tel.: 03907 791229
Fax.: 03907 791248
Mail: [email protected]
_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users