Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Don't try this at home: Can we let a device EAP-TLS with an expired cert?

  • 1.  Don't try this at home: Can we let a device EAP-TLS with an expired cert?

    Posted Jan 18, 2018 01:19 PM

    We have a vendor whose "totally automated system for updating certificates" turns out to be a very-alpha web portal where you manually upload certificates re-wrapped in their special text format.

    Never mind my thoughts about that, the upshot is we have 30 wireless clients at a remote office getting rejects due to expired certificates.

    That's what's supposed to happen.

    Now for what isn't supposed to happen:

    What do I have to tell ClearPass to get it to accept them with an expired cert? Is it even possible?



  • 2.  RE: Don't try this at home: Can we let a device EAP-TLS with an expired cert?
    Best Answer

    EMPLOYEE
    Posted Jan 18, 2018 01:25 PM

    No. An expired cert by spec does not pass basic certificate validation and is therefore rejected before any policy evaluation can happen.



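The ordering the reply above describes (validity period checked as part of basic X.509 path validation, before any policy is consulted) can be shown with a throwaway CA and nothing but openssl. This is an added demonstration, not part of the thread and not ClearPass code: the CA, the CN `client-01`, the file names and the `authorize` function standing in for a NAC policy step are all made up for the example. `openssl verify -attime` moves the verifier's clock instead of waiting a day for the 1-day certificate to expire; a real RADIUS server validates against its actual clock.

```shell
#!/bin/sh
# Added demonstration (not from the thread, not ClearPass code): X.509
# path validation rejects an expired certificate on its own, so a policy
# step that runs only after validation never sees the request.
set -eu

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Throwaway CA (10 years) and a client cert valid for only 1 day.
# Names are made up for the example.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
  -subj "/CN=Demo Issuing CA" \
  -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=client-01" \
  -keyout "$work/client.key" -out "$work/client.csr" >/dev/null 2>&1
openssl x509 -req -days 1 -sha256 -in "$work/client.csr" \
  -CA "$work/ca.pem" -CAkey "$work/ca.key" -CAcreateserial \
  -out "$work/client.pem" >/dev/null 2>&1

# Basic path validation against the demo CA, evaluated as of the Unix
# time in $2.  -attime lets us move the verifier's clock past notAfter
# without waiting a day; a RADIUS server uses its real clock.
validate_at() {  # $1 = certificate file, $2 = epoch seconds
  openssl verify -CAfile "$work/ca.pem" -attime "$2" "$1" 2>&1
}

# Hypothetical stand-in for the NAC policy step (here: a CN allow-list).
# It is only reached when validation succeeded; with an expired cert the
# function returns before any policy condition is evaluated.
authorize() {  # $1 = certificate file, $2 = epoch seconds
  if ! validate_at "$1" "$2" >/dev/null; then
    echo "REJECT: certificate validation failed; policy not evaluated"
    return 1
  fi
  case "$(openssl x509 -noout -subject -in "$1")" in
    *client-01*) echo "ACCEPT: policy matched CN client-01"; return 0 ;;
  esac
  echo "REJECT: no policy matched"
  return 2
}

now=$(date +%s)
later=$((now + 10 * 86400))   # 10 days on: the 1-day client cert has expired

echo "today:    $(validate_at "$work/client.pem" "$now" || true)"
echo "+10 days: $(validate_at "$work/client.pem" "$later" || true)"
echo "today:    $(authorize "$work/client.pem" "$now" || true)"
echo "+10 days: $(authorize "$work/client.pem" "$later" || true)"
```

Run today, `openssl verify` reports OK and the stand-in policy accepts the CN; run "10 days later", verify reports that the certificate has expired and `authorize` returns before the CN is even read. There is no policy knob that changes that ordering; the only fix is a certificate whose validity window covers the present, which is why the thread ends with a reissue.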
  • 3.  RE: Don't try this at home: Can we let a device EAP-TLS with an expired cert?

    Posted Jan 18, 2018 01:41 PM

    That's how I was reading the logging - just thought I'd get resounding confirmation. Thanks.

    The vendor will have the privilege of visiting the remote site to complete their "automated" cert update. Joy.