Windows NPS (Server 2019) ignoring revoked certificates for EAP-TLS

Ricardo Saunders 1 Reputation point
2022-07-07T19:34:27.837+00:00

I have a Windows NPS setup with EAP-TLS working.
However, when I revoked a machine certificate, the client is still granted access.
Based on a number of forums I have done the following:

[1] Configured OCSP and CRL
[2] Revoked certificate is showing as revoked when using the certutil -url command
[3] CRL is being published the minimum of 1 hour
[4] Changes made on NPS Server in relation to NPS CRL Check Registry Settings
[5] Changes made on NPS Server and Client in relation to Configure the TLS Handle Expiry Time Registry Settings
[6] Run "certutil -setreg chain\ChainCacheResyncFiletime @now" on CA Server, NPS Server and Client PC.

The following forum thread seems to be the closest match, but I have double checked everything listed there:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/b6e5ae8b-7508-4b0d-aac4-71e5b87096fc/nps-server-ignoring-crl-for-client-authentication?forum=winserversecurity

Thank You,
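As an added example (not from the original post or any of the replies), the following PowerShell audits the NPS-side settings behind items [4] and [5] of the checklist above and re-checks the client certificate's revocation status. The key path and value names are Microsoft's documented RasMan\PPP\EAP\13 settings for EAP-TLS; the default values noted in comments and the certificate export path are assumptions.

```powershell
# Added example: audit EAP-TLS revocation and TLS handle cache settings on an NPS server.
# Assumed: key path/value names per Microsoft's EAP\13 documentation; defaults assumed
# to be 0 for the revocation flags and 600 minutes for the cache times.
$eapKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# Any of these set to 1 weakens or disables revocation checking on the NPS server.
$revocationFlags = 'IgnoreNoRevocationCheck', 'IgnoreRevocationOffline',
                   'NoRevocationCheck', 'NoRootRevocationCheck'

function Get-EapRegistryValue {
    param([string]$Name)
    $item = Get-ItemProperty -Path $eapKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # absent value means the default applies
    return $item.$Name
}

function Test-NpsRevocationSettings {
    $findings = @()
    foreach ($name in $revocationFlags) {
        $v = Get-EapRegistryValue $name
        $state = if ($null -eq $v) { 'absent (default 0)' } else { $v }
        if ($v -eq 1) { $findings += "$name=1 weakens revocation checking" }
        Write-Host ('{0,-26} {1}' -f $name, $state)
    }
    # TLS handle cache: a client whose TLS handle is still cached resumes without a
    # full handshake, so the certificate's revoked status is not re-evaluated until
    # the cached handle expires.
    foreach ($name in 'ServerCacheTime', 'ClientCacheTime') {
        $v = Get-EapRegistryValue $name
        $state = if ($null -eq $v) { 'absent (default 600 min)' } else { "$v min" }
        Write-Host ('{0,-26} {1}' -f $name, $state)
    }
    # Fresh CRL/OCSP status for the client certificate (complements the certutil -url
    # check in the post). Placeholder path: export the client cert here first.
    $certPath = 'C:\temp\client.cer'
    if (Test-Path $certPath) {
        $out = certutil -verify -urlfetch $certPath 2>&1 | Out-String
        if ($out -match 'revoked') { $findings += 'client certificate reports revoked' }
    }
    return $findings
}

Test-NpsRevocationSettings
```

An empty result means no weakening flag is set; a revoked certificate still being accepted while ServerCacheTime has not elapsed points at a cached TLS handle rather than a failed CRL lookup.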


3 answers

  1. rr-4098 2,051 Reputation points
    2022-07-09T15:52:44.923+00:00

  2. rr-4098 2,051 Reputation points
    2022-07-10T08:25:15.987+00:00

    If you reboot the NPS server, does it check the cert CRL post reboot? If so, how long does the NPS server continue to do this?


  3. Limitless Technology 39,931 Reputation points
    2022-07-11T10:08:57.167+00:00

    Hi, Ricardo. Thank you for your question and reaching out. My name is John and I’d be more than happy to help you with your query.

    Please follow these:
    On your Authentication Methods section on the Constraints tab in NPS, click Microsoft Protected EAP and click Edit. What supported EAP types do you have listed? Also, is the proper certificate present?

    OR

    On the Windows machine, change the Network Authentication Method to Smart Card or other Certificate (to use EAP-TLS), which is often more common as not all OSes support PEAP-TLS.

    ------------------------------------------------------------------------------------------------------------------------------------

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

