Kevin,

We recently encountered a similar situation where Windows 8/8.1/10 devices were onboarding fine and some days later failing to authenticate and unable to re-onboard.

Turns out the Radius certificate (also self-signed root & intermediate) was revoked and there was no clear indication of this in the Radius configuration and Windows devices were silently failing. I eventually found and unrevoked the Radius certificate and the devices associated with no issue. Apparently Windows 8+ devices are much more particular about revocation status versus other operating systems that simply ensure valid certificate dates. Cloudpath did add a feature request to add revocation status to the Radius configuration pane in the Enrollment System.

Tobias Heaton
Network Operations
University of New Hampshire

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 1:11 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

Clients on Windows 8 and 10 fail on boarding. Macs, Windows 7, IOS, and Androids do not seem to have any issues.

The radius server is issuing the certificates and the Windows 8 and 10 appear to be saying that the radius server is reporting the certificates revoked.

We can export the certs from the Windows 8 or 10 machine, and then check the certs on Windows 7 using the command 'certutil -f -urlfetch -verify cert_name.cer' and the radius server is reporting the certs are fine.

We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University

On 9/24/2015 11:55 AM, Turner, Ryan H wrote:
> Let me see if I can clear things up...
>
> Your clients were successfully onboarded, and when the clients connect, they
> are reporting that the radius server certificates being sent are revoked? Or
> are you saying that your clients are reporting that the radius servers are
> saying the client certificates are revoked?
>
> If I read the error, it would indicate to me that your clients are having
> issues with the radius server certificates.
> Who issued the certs?
>
> Ryan H Turner
> Senior Network Engineer
> The University of North Carolina at Chapel Hill
> CB 1150 Chapel Hill, NC 27599
> +1 919 445 0113 Office
> +1 919 274 7926 Mobile
>
> -----Original Message-----
> From: The EDUCAUSE Wireless Issues Constituent Group Listserv
> [mailto:[email protected]] On Behalf Of Kevin McCormick
> Sent: Thursday, September 24, 2015 12:00 PM
> To: [email protected]
> Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems
>
> I know many of you are using EAP-TLS and CloudPath on boarding.
>
> We have run into an issue where some Windows 8 and 10 machines will say the
> server said the certificates are revoked, but they are not revoked.
> We have checked the things like time being correct. We did discover the
> command 'certutil -f -urlfetch -verify cert_name.cer' will work just fine on
> Windows 7, but crashes on Windows 8 and Windows 10. The event viewer is
> showing these errors.
>
> "The certificate received from the remote server has been revoked. This means
> that the certificate authority that issued the certificate has invalidated
> it. The SSL connection request has failed. The attached data contains the
> server certificate." -- Attached is the root CA.
>
> "A fatal alert was generated and sent to the remote endpoint. This may result
> in termination of the connection. The TLS protocol defined fatal error code
> is 44. The Windows SChannel error state is 552."
>
> I have tried googling the problem and have come up empty.
>
> CloudPath has told our security admin that our university seems to be the
> only one having this issue.
>
> Makes me wonder if our certs are being generated with incorrect settings for
> Windows 8 and Windows 10.
>
> What algorithm and key length are you using?
>
> Any suggestions?
>
> Kevin McCormick
> uTech Network Services
> Western Illinois University
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent
> Group discussion list can be found at http://www.educause.edu/groups/.
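
The failure mode described in the thread, a revoked RADIUS server certificate that passes a chain-and-dates check but fails once revocation is consulted, reproduced as an added example that is not part of the original messages. It uses OpenSSL in place of Windows Schannel, and the lab CA, the name `radius.lab.example` and all file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: all names, keys and files are generated for this demo.
revocation_demo() {
  local d rc=0; d=$(mktemp -d) || return 2
  (
    cd "$d" || exit 2
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > lab.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab
[ lab ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
[ any ]
commonName = supplied
EOF
    # Root CA, a RADIUS server certificate, then revoke it and publish a CRL.
    { openssl req -x509 -config lab.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout ca.key -out ca.pem -subj "/CN=Lab Root CA" -days 30 &&
      openssl req -config lab.cnf -newkey rsa:2048 -nodes \
        -keyout radius.key -out radius.csr -subj "/CN=radius.lab.example" &&
      openssl ca -batch -notext -config lab.cnf -in radius.csr -out radius.pem &&
      openssl ca -config lab.cnf -revoke radius.pem &&
      openssl ca -config lab.cnf -gencrl -out ca.crl; } >/dev/null || exit 2
    # Check 1: chain and validity dates only. Check 2: also consults the CRL.
    local dates=FAIL crl=OTHER out
    openssl verify -CAfile ca.pem radius.pem >/dev/null 2>&1 && dates=OK
    out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile ca.crl radius.pem 2>&1) && crl=OK
    case $out in *"certificate revoked"*) crl=REVOKED ;; esac
    echo "chain_and_dates=$dates with_crl=$crl"
  ) 2>/dev/null || rc=$?
  rm -rf "$d"
  return "$rc"
}
revocation_demo
```

Running the same two `openssl verify` commands against the production RADIUS certificate, its CA bundle and the CA's current CRL shows which class of client would reject it.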
