Radius server + WLC and Client Certificate Authentication

STOYKOV-EX, Dimitar 0 Reputation points

Hello people, we have an issue with our RADIUS server. I will explain what our goal is and what configuration we have so far.

Our goal is to authenticate clients in the domain using the WLC and Client Certificate Authentication. Each client in our domain has a unique personal certificate. The idea is that when an employee turns on his PC, it automatically connects to the network recommended by the GPO, using the certificate and not a username and password.

Currently, we have configured the Cisco WLC controller to receive the client certificate, authenticate it and provide the IP address (of course, only if the policies are validated). After that, the WLC controller has to send the request to the RADIUS server. The RADIUS server should check that the certificate is valid (not expired) and not included in the revocation list. Here is where our issue comes in. It seems that the RADIUS server cannot access the revocation list and cannot check whether the certificate is revoked. We validated that by disabling the revocation list check in the RADIUS server registry settings. If we set it to ignore the revocation list check, the authentication succeeds, and the client is authenticated successfully. The thing is that this way we lower the security of the connection significantly, and we would like to make sure the certificate is validated against the revocation list. At the same time, there are no issues with the connection between the RADIUS server and the server where the revocation list is stored/published.

Could you please let me know if there is any specific configuration that should be made in order for the RADIUS server to be able to check the status of the authenticated certificate against the revocation list? Is there any configuration guide that we have to follow in order to implement the necessary configuration in the most proper way? Many thanks in advance for your assistance!


1 answer

  1. Limitless Technology 43,226 Reputation points


    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    To resolve this issue, there are a few things you can try. First, make sure that the RADIUS server has access to the revocation list. Check the permissions and firewall settings to make sure that the RADIUS server is able to access the list. You can also try accessing the revocation list from the RADIUS server manually to see if there are any connectivity issues.

    Next, check the revocation configuration on the RADIUS server. Make sure that the RADIUS server is configured to check the revocation list. This can usually be done in the server's registry settings or in the RADIUS server software.

    If you're still having issues with the revocation list, consider using a different method for revocation checking. One option is to use Online Certificate Status Protocol (OCSP) to check the status of a certificate. This method does not require downloading the entire revocation list and can be more efficient.

    Ultimately, it's important to balance security with usability when implementing authentication methods. If you're unable to resolve the issue with revocation checking, consider using a different authentication method that meets your security requirements.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

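As an added example, not part of the original question or answer, the following PowerShell script covers the answer's first two steps from the NPS (RADIUS) server's own point of view: it reports the EAP-TLS revocation override values in the registry (the values the question refers to; with the default `IgnoreRevocationOffline` of 0, a CRL that cannot be retrieved rejects the client), extracts the CRL distribution point URLs from a client certificate, fetches each one from this host, and finally runs `certutil -verify -urlfetch` for the full chain and revocation check. The certificate path is a placeholder assumption.

```powershell
# Added example, not from the original thread: run on the NPS (RADIUS) server.
# Assumes the public part of one client certificate was exported to $CertPath
# (placeholder path); adjust before running.
param([string]$CertPath = 'C:\temp\client.cer')

# 1. EAP-TLS (EAP type 13) revocation overrides. 1 = checking weakened;
#    missing or 0 = default (CRL is checked, unreachable CRL = authentication fails).
$eapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
foreach ($n in 'NoRevocationCheck', 'NoRootRevocationCheck',
               'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline') {
    $v = (Get-ItemProperty -Path $eapKey -Name $n -ErrorAction SilentlyContinue).$n
    $state = if ($v -eq 1) { 'SET TO 1 (revocation check weakened)' } else { 'default' }
    '{0,-26} {1}' -f $n, $state
}

# 2. Read the CRL Distribution Point extension (OID 2.5.29.31) of the client cert
#    and pull the URL= entries out of its formatted text.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { Write-Warning 'No CRL Distribution Point extension on this certificate'; return }
$urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

# 3. Fetch each HTTP CDP from this host, the way the certificate engine on NPS would.
foreach ($u in $urls) {
    if ($u -notmatch '^https?://') { "$u : not HTTP, skipped (LDAP CDPs need an AD-joined fetch)"; continue }
    $tmp = Join-Path $env:TEMP 'cdp-test.crl'
    try {
        $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15 -OutFile $tmp -PassThru
        # certutil -dump prints ThisUpdate/NextUpdate; a CRL past NextUpdate also fails the check.
        $dates = certutil -dump $tmp | Select-String 'ThisUpdate|NextUpdate'
        "$u : HTTP $($r.StatusCode), $((Get-Item $tmp).Length) bytes"
        $dates | ForEach-Object { "    $($_.Line.Trim())" }
    } catch {
        "$u : FAILED - $($_.Exception.Message)"
    }
}

# 4. Full chain + revocation verification with URL retrieval. Look for
#    'Revocation check failed' or per-URL 'Failed' lines in the output.
certutil -verify -urlfetch $CertPath
```

If step 3 succeeds for every URL but step 4 still reports a revocation failure, the CDP being fetched is typically the one in the issuing CA's certificate rather than the client's, so repeat the script with the CA certificate.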