Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

PKI - Wireless Clients Unable to Logon due to unavailable revocation server

Posted on 2011-09-12
7
Medium Priority
?
2,823 Views
Last Modified: 2013-12-09
Hello Gurus,

I am having issues connecting my wireless laptops to the network.
This is the error message that I get on my IAS server:

User host/Laptop1.abc.com was denied access.
 Fully-Qualified-User-Name = abc.com/Workstation Accounts/Secured Notebooks/Laptop1
 NAS-IP-Address = x.x.x.x
 NAS-Identifier = x.x.x.x
 Called-Station-Identifier = A.B.C.D
 Calling-Station-Identifier = A.B.C.D
 Client-Friendly-Name = WIRELESS
 Client-IP-Address = x.x.x.x
 NAS-Port-Type = Wireless - IEEE 802.11
 NAS-Port = 2
 Proxy-Policy-Name = Use Windows authentication for all users
 Authentication-Provider = Windows
 Authentication-Server = <undetermined>
 Policy-Name = WIRELESS
 Authentication-Type = EAP
 EAP-Type = Smart Card or other certificate
 Reason-Code = 259
 Reason = The revocation function was unable to check revocation because the revocation server was offline.

I have restarted the IAS server and tested that I can get get to IASServer\certsrv. This works fine.

I installed this patch from Microsoft to resolve an schannel issue - WindowsServer2003-KB933430-x86-ENU.exe on the IAS server. This patch resolved the schannel issue but moved on to the error listed above.

Your assistance is greatly appreciated.

Thanks,
Joe


0
Comment
Question by:joedelapaz
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
7 Comments
 

Author Comment

by:joedelapaz
ID: 36527056
Whoops, I meant to write:

I have restarted the IAS server and the Certificate servers and tested that I can get get to CertServer\certsrv. This works fine. I can download certs and crls from this location and install it. I don't know why it thinks that the revocation server is down.

0
 
LVL 16

Expert Comment

by:SteveJ
ID: 36531083
So has a crl been published to the device thats checking for revoked certs? When you say you have tested it, how did yoi test? Whats the dste on the crl server?

What happens when you disable crl checking? Can clients login then?

Steve
0
 

Author Comment

by:joedelapaz
ID: 36533611
Hi Steve,

Certificate Services is not my strong suit. However, this is what I've got so far.

I have tested that I can get to CertServer\certsrv and manually download certificates and crls.
The Issuing CA certificate does not expire until 2016.
The next update on the CRL is this Thur Sept 15, 2011
Time on the CRL server is synced successfully with AD.

I tried disabling CRL checking on the CertServer using  - http://technet.microsoft.com/en-us/library/cc775782(WS.10).aspx and trying to update the MD_CERT_NO_REVOC_CHECK value.

However, I got this warning message instead.

The property (MD_CERT_NO_REVOC_CHECK) is not valid for the class it has been associated with.  This property will be ignored.  Incorrect XML:MD_CERT_NO_REVOC_CHECK
ErrorCode           : 0x80210523
Interceptor         : 14
OperationType       : Populate
Table               : MBProperty
ConfigurationSource : C:\WINDOWS\system32\inetsrv\EditWhileRunning_Metabase.xml
MajorVersion        : 274

I can download the crl manually onto the laptop without any issues.


0
Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

 
LVL 16

Expert Comment

by:SteveJ
ID: 36540303
Well, if nobody can log in it usually means the cache period has expired on the crl and the crl/ca cant be reached. Thats the default behavior. Is the server you are checking the crl at dual homed? Like the crl can be reached from one nic but not the other?

Steve
0
 

Author Comment

by:joedelapaz
ID: 36547229
Hi Steve,

It's got a dual nic that uses HP Nic teaming.
But no, the crl is reachable from either nic.

Cheers,
Joe
0
 

Accepted Solution

by:
joedelapaz earned 0 total points
ID: 38412236
Please close off this question. Rebuilt the PKI environment. To get this working.
0
 

Author Closing Comment

by:joedelapaz
ID: 38426068
I ended up rebuilding the PKI environment in order to get this back up and running. Root cause unknown.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
This article will show how Aten was able to supply easy management and control for Artear's video walls and wide range display configurations of their newsroom.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question