Dear all,
im trying to establish 802.1x authentication with FortiAuthenticator with WYSE ThinClients.
The issue i'm facing is that the WYSE Thinclients does not accept to upload the certicate in P12 format. So i had to convert the certificate from p12 to pem format with the following command.
openssl -in certificate.p12 -out certicate.pem -nodes
I'm not sure if this is the correct workaround regarding when I connect to the WYSE Client to the LAN i get the following error during the 802.1x authentication from in the Radius Debug log at the FortiAuthenticator.
(27114) NAS-Identifier = "SW05"
(27114) State = 0x27109ff1238a929e9e997608a9bd058a
(27114) User-Name = "pcoip-portal-010101010101"
(27114) EAP-Message = 0x029a00110d80000000071503030002022a
(27114) Framed-MTU = 1500
(27114) NAS-Port-Id = "port6"
(27114) NAS-Port = 6
(27114) NAS-Port-Type = Ethernet
(27114) Calling-Station-Id = "10-10-10-10-10"
(27114) Message-Authenticator = 0x282904555f961a374548479e83affca0
(27114) # Executing section authorize from file /usr/etc/raddb/sites-enabled/default
(27114) facauth: ===>NAS IP:10.10.10.10
(27114) facauth: ===>Username:pcoip-portal-010101010101
(27114) facauth: ===>Timestamp:1674245356.300727, age:0ms
(27114) facauth: Found authclient from preloaded authclients list for 10.10.10.10: FW01 (10.10.10.10)
(27114) facauth: Found authpolicy 'RADPOL' for client '10.10.10.10'
(27114) facauth: Client type: external (subtype: radius)
(27114) facauth: Input raw_username: (null) Realm: (null) username: pcoip-portal-847bebee4f93
(27114) facauth: Searching default realm as well
(27114) facauth: Realm not specified, default goes to FAC local user
(27114) facauth: Local user found: pcoip-portal-010101010101"
(27114) facauth: User [enable fido: false, token count: 0, revoked_token_count: 0]
(27114) facauth: Policy [fido_auth_opt: disabled, twofactor: allow both, no_fido: two factor, revoked: reject]
(27114) facauth: Decided on [is_fido: false, two_factor: allow both, token_type: none]
(27114) # Executing group from file /usr/etc/raddb/sites-enabled/default
(27114) eap: Expiring EAP session with state 0x27109ff1238a929e
(27114) eap: Finished EAP session with state 0x27109ff1238a929e
(27114) eap: Previous EAP request found for state 0x27109ff1238a929e, released from the list
(27114) eap_tls: ERROR: TLS Alert read:fatal:bad certificate
(27114) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
(27114) eap_tls: ERROR: TLS failed during operation
(27114) eap_tls: ERROR: [eaptls process] = fail
(27114) # Executing group from file /usr/etc/raddb/sites-enabled/default
(27114) facauth: Updated auth log 'pcoip-portal-010101010101"': 802.1x authentication failed
The questions now
-have a wrongly created the certificate?
-is the certificate wrongly converted with above command?
-is the WYSE Thin client inkompatible to SSL3?
any help would be much appreciated.
Cheers DanielDSC
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
p12/pfx is a container format including server certfile, private key and possible another things like intermediate certificates
Assuming you need those components individually to work with, try editing the output of
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
edit certificate.pem and extract certificate, private key etc (with its BEGIN/END) in separate files to use.
I guess
openssl pkcs12 -in certificate.p12 -out certif.cer
extract only the certificate file, you could try it
regards
/ Abel
yes this is what is did.
openssl pkcs12 -in certificate.p12 -out certif.cer << missed the parameter in the above post for pkcs12 but i converted the certificate successful with your command. But i still get the the following error from FortiAuthenticator
(27114) eap_tls: ERROR: Failed in __FUNCTION__ (SSL_read): error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
Hi,
maybe your third assumption .. .. (-is the WYSE Thin client inkompatible to SSL3?)
I don't know nothing about wyse, maybe others in the forum could help
regards
/ Abel
Hi Abelio,
at the moment i also assume this would be the reason for.
Thanks, and regards.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.