
Expired Root CA but DOT1x is still working?

LanDownUnda
Spotlight

Hi All!

I wanted to swing this question past the wider audience. I recently came across an ISE deployment (v2.6) whereby the certificate used for EAP authentication is valid; however, the top two certificates in the certificate chain are expired.

Clients are still accepting the certificate without any problems and are authenticating successfully on the network.

Can anyone explain to me why having expired certificates in the chain does not result in clients rejecting the ISE certificate? I'm assuming it's something possibly on the Supplicant side, but I've never claimed to be a Windows expert.

Any help would be greatly appreciated!

P.S. The supplicants have the expired certificates installed in the Trust Store.

*** Rate All Helpful Responses ***
Accepted Solutions

Mike.Cifelli
VIP Alumni

Clients are still accepting the certificate without any problems and are authenticating successfully on the network.

Can anyone explain to me why having expired certificates in the chain does not result in clients rejecting the ISE certificate? I'm assuming it's something possibly on the Supplicant side, but I've never claimed to be a Windows expert.

-So I am assuming you are using the native supplicant and not NAM. Anyways, this could very well be a native supplicant configuration issue. I would start with verifying if the following is set:

Verify the server's identity by validating the certificate: Specifies that the client verifies that server certificates presented to the client computer have the correct signatures, have not expired, and were issued by a trusted root certification authority (CA).

Note that by default this is enabled. I would still double check.


thomas
Cisco Employee

This is 100% an endpoint supplicant configuration issue.

There are options to ignore the authentication server certificate.

 

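To make the two answers above concrete, here is an added example (not from this thread, Cisco or Microsoft) in Go that uses the standard library's crypto/x509 verifier as a stand-in for the supplicant: BuildChain makes constructed test data matching the situation described (an expired root and issuing CA, and a still-valid EAP server certificate they issued), ExpiredIn is the check a practitioner would run over such a chain, and ChainError is what "validate the server certificate" demands, so it rejects the chain even though the leaf alone is in date. The CA names and ise.example.internal are made up.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey (self-signed when parent is nil), in date from five years before notAfter.
func issue(cn string, notAfter time.Time, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, IsCA: isCA,
		BasicConstraintsValid: true, NotBefore: notAfter.AddDate(-5, 0, 0), NotAfter: notAfter}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// BuildChain is constructed test data: a root and issuing CA expiring at caNotAfter, plus an EAP server cert valid for a year from now.
func BuildChain(now, caNotAfter time.Time) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := issue("Example Root CA", caNotAfter, true, nil, nil)
	inter, interKey := issue("Example Issuing CA", caNotAfter, true, root, rootKey)
	leaf, _ := issue("ise.example.internal", now.AddDate(1, 0, 0), false, inter, interKey)
	return leaf, inter, root
}

// ExpiredIn lists the subjects in chain that are outside their validity period at now (the check to run on the ISE chain).
func ExpiredIn(now time.Time, chain ...*x509.Certificate) (out []string) {
	for _, c := range chain {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			out = append(out, c.Subject.CommonName)
		}
	}
	return out
}

// ChainError is the validating supplicant's check: chain to the trusted root with every certificate in date; nil means accepted.
func ChainError(leaf, inter, root *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: now})
	return err
}
```

With the CAs expired, ChainError reports the chain as signed by an unknown authority because the candidate issuer has expired, which is exactly the rejection a supplicant with server validation enabled would produce; a client that skips validation only ever looks at the in-date leaf.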

