I think you got us on to something.

I checked the cert and got Leaf certificate is REVOKED (Reason=9).

Looks like this may be the source of our issue.

Keep you informed.

Kevin McCormick
uTech Network Services
Western Illinois University



On 9/24/2015 12:18 PM, Heaton, Tobias wrote:
Kevin,

We recently encountered a similar situation where Windows 8/8.1/10 devices were 
onboarding fine and some days later failing to authenticate and unable to 
re-onboard.

Turns out the Radius certificate (also self-signed root & intermediate) was 
revoked and there was no clear indication of this in the Radius configuration and 
Windows devices were silently failing. I eventually found and unrevoked the Radius 
certificate and the devices associated with no issue.

Apparently Windows 8+ devices are much more particular about revocation status 
versus other operating systems that simply ensure valid certificate dates. 
Cloudpath did add a feature request to add revocation status to the Radius 
configuration pane in the Enrollment System.

Tobias Heaton
Network Operations
University of New Hampshire


-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 1:11 PM
To: [email protected]
Subject: Re: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

Clients on Windows 8 and 10 fail onboarding. Macs, Windows 7, iOS, and
Androids do not seem to have any issues.

The radius server is issuing the certificates and the Windows 8 and 10
appear to be saying that the radius server is reporting the certificates
revoked.

We can export the certs from the Windows 8 or 10 machine, and then check
the certs on Windows 7 using the command 'certutil -f -urlfetch -verify
cert_name.cer' and the radius server is reporting the certs are fine.

We use our own Root CA and Intermediate CA.

Kevin McCormick
uTech Network Services
Western Illinois University

On 9/24/2015 11:55 AM, Turner, Ryan H wrote:
Let me see if I can clear things up...

Your clients were successfully onboarded, and when the clients connect, they 
are reporting that the radius server certificates being sent are revoked?  Or 
are you saying that your clients are reporting that the radius servers are 
saying the client certificates are revoked?

If I read the error, it would indicate to me that your clients are having 
issues with the radius server certificates.  Who issued the certs?

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

-----Original Message-----
From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Kevin McCormick
Sent: Thursday, September 24, 2015 12:00 PM
To: [email protected]
Subject: [WIRELESS-LAN] EAP-TLS Windows 8 and 10 Problems

I know many of you are using EAP-TLS and CloudPath onboarding.

We have run into an issue where some Windows 8 and 10 machines will say the 
server said the certificates are revoked, but they are not revoked.
We have checked the things like time being correct. We did discover the command 
'certutil -f -urlfetch -verify cert_name.cer' will work just fine on Windows 7, 
but crashes on Windows 8 and Windows 10. The event viewer is showing these 
errors.

"The certificate received from the remote server has been revoked. This means that 
the certificate authority that issued the certificate has invalidated it. The SSL 
connection request has failed. The attached data contains the server certificate."  
-- Attached is the root CA.

"A fatal alert was generated and sent to the remote endpoint. This may result in 
termination of the connection. The TLS protocol defined fatal error code is 44. The 
Windows SChannel error state is 552."

I have tried googling the problem and have come up empty.

CloudPath has told our security admin that our university seems to be the only 
one having this issue.

Makes me wonder if our certs are being generated with incorrect settings for 
Windows 8 and Windows 10.

What algorithm and key length are you using?

Any suggestions?

Kevin McCormick
uTech Network Services
Western Illinois University

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
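
An added example, not part of any message in this thread: a Python sketch (using the `cryptography` package) of the behaviour difference described above, where one supplicant checks only validity dates and another also consults revocation status. The CA, the server certificate, the CRL and every name in it are constructed for the demo; reason code 9 is privilegeWithdrawn in RFC 5280.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2015, 9, 24, 12, 0)  # constructed "current time" (naive UTC)
DAY = dt.timedelta(days=1)

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _cert(subject, issuer, pubkey, signer, serial):
    return (x509.CertificateBuilder().subject_name(_name(subject))
            .issuer_name(_name(issuer)).public_key(pubkey).serial_number(serial)
            .not_valid_before(NOW - 30 * DAY).not_valid_after(NOW + 335 * DAY)
            .sign(signer, hashes.SHA256()))

def build_demo_pki(revoke=True):
    """Constructed root CA, RADIUS server leaf, and a CRL (optionally listing the leaf)."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    ca = _cert("Demo Root CA", "Demo Root CA", ca_key.public_key(), ca_key, 1)
    leaf = _cert("radius.example.test", "Demo Root CA", leaf_key.public_key(), ca_key, 0x1001)
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW - DAY).next_update(NOW + 6 * DAY))
    if revoke:  # reason code 9 in RFC 5280 is privilegeWithdrawn
        crl = crl.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(leaf.serial_number)
            .revocation_date(NOW - DAY)
            .add_extension(x509.CRLReason(x509.ReasonFlags.privilege_withdrawn), critical=False)
            .build())
    return ca, leaf, crl.sign(ca_key, hashes.SHA256())

def check_dates_only(leaf, now=NOW):
    """Lenient supplicant: accepts any certificate inside its validity window."""
    return leaf.not_valid_before <= now <= leaf.not_valid_after

def check_with_revocation(leaf, ca, crl, now=NOW):
    """Strict supplicant: also needs a CA-signed CRL that does not list the leaf."""
    if not check_dates_only(leaf, now):
        return "outside-validity-window"
    if crl.issuer != leaf.issuer or not crl.is_signature_valid(ca.public_key()):
        return "crl-untrusted"
    entry = crl.get_revoked_certificate_by_serial_number(leaf.serial_number)
    if entry is None:
        return "good"
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return "revoked:" + reason.value
```

The same revoked server certificate passes `check_dates_only` and fails `check_with_revocation`, which is why a revocation on the RADIUS certificate can go unnoticed until a stricter client connects.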
