The message seems clear to me. And certificate revocation has always been a problematic/unreliable mechanism, especially as during an 802.1X authentication, there is no access to a CRL or OCSP service as it requires network connectivity. It may be that the clients that show the issue have other communication with a service using the same server certificate, for example if you have the same certificate for HTTPS and RADIUS, and the client connects to the ClearPass WebUI or ClearPass guest.
From the client message, it seems that the revocation is on the RADIUS server certificate in ClearPass, so I would check that certificate. Please note that in most cases, using a private CA for the RADIUS server certificate is recommended, because public certificates cannot be valid for more than a year, so you have a certificate roll-over every year, and with a public CA you cannot be sure that the same Root CA is still available; if there is a change in the Root CA you would need to touch all of your clients to change the certificate trust. But it would be best to work with your Aruba partner or other specialist on this topic of certificate authentication.
I don't fully understand "I tried deleting those certificates but one came back after a reboot", as that seems related to your client, and the issue seems to be in the ClearPass certificate... If your server cert is revoked, you should get a new one and install that; changing RADIUS/EAP certificates can be challenging if you don't fully understand what you are doing, so make sure you get/find the right knowledge and experience.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Apr 04, 2024 04:38 PM
From: cnoga@waterfrontoronto.ca
Subject: RADIUS Timeouts - Supposed Expired Certificate
Hi Everyone,
We've just put ClearPass into our environment with 802.1X authentication on WiFi and wired. The initial rollout saw only 2-3 out of 100 client PCs with chronic timeouts on RADIUS auth requests. Now the number of client PCs timing out is growing. From the RADIUS logs, I can see the timeout clients respond to the repeated challenge requests the same way working clients do. However, the timeout clients don't answer the last challenge request from the server.
This led me to look at the client PC side. From Windows Event Viewer, I found reports of a certificate having been revoked. In the details I can see it's from GoDaddy. I tried deleting those certificates but one came back after a reboot. Then setting up the 802.1X auth failed again, generating the same certificate revoked error in Event Viewer.
I don't get why the majority of client PCs are still doing OK, even though a certificate is supposedly revoked.
Also, I noticed the ClearPass server appears to have a different set of GoDaddy certificates from the ones already on the PCs (different validity dates etc.).
Has anyone else run into something like this?
Any ideas are appreciated. See attached for logs and Event error message.
Thanks!