Monday, August 2, 2021

Is CRL checking required for wired 802.1x on Windows?

I'm running into sporadic issues with Windows clients failing to authenticate with wired 802.1x. We're using an internally signed certificate on our authentication server and it is trusted by the clients. The server certificate does have CRL/OCSP distribution points listed.

Logs from the machine do show that during authentication the client is failing to reach out to the CRL distribution point, which makes sense since we do not have a pre-auth ACL allowing that. However, it's not clear to me if that's actually causing the failure. Our Microsoft engineer states that it is the cause but cannot provide any documentation on the CRL requirement. I believe he's just assigning causality due to them both happening at nearly the same time.

Windows documentation states that the client does not require CRL checking of the server certificate when wireless 802.1x occurs. I cannot find the same statement about wired 802.1x. Furthermore, our Cisco engineer has never seen this as a requirement for wired 802.1x.

To try and narrow it down I removed all cached CRLs/OCSP from a client and was able to authenticate successfully. This tells me that CRL verification is not required and goes against what the Microsoft engineer is stating.

Does anyone know if CRL checking is required during Windows 10 wired-802.1x authentication?
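As an added diagnostic example (PowerShell, not part of the original post), the script below does from a Windows client what the poster describes: it pulls the CRL distribution point and AIA (OCSP) URLs out of the RADIUS server's certificate, probes whether each HTTP endpoint is reachable from where the client currently sits, and then builds the certificate chain with online revocation checking so that the revocation outcome shows up in ChainStatus. The certificate path and URLs are placeholders; the script assumes the server certificate has been exported to a file (DER or Base64) and that the client has whatever network access it has at the moment of the test, for example behind a pre-auth ACL.

```powershell
# Added example: reproduce the client's revocation lookups against the
# RADIUS server certificate and report what a chain build sees.
# Assumption (not from the original post): the server certificate was
# exported to C:\temp\radius-server.cer. Run from the client under test.
param(
    [string]$CertPath = 'C:\temp\radius-server.cer'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# Extension OIDs: CRL Distribution Points and Authority Information Access
$oids = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

# Format($true) renders each extension as text with "URL=..." entries,
# which is simpler and safer than hand-decoding the DER.
$urls = foreach ($ext in $cert.Extensions) {
    if ($oids.ContainsKey($ext.Oid.Value)) {
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
            [pscustomobject]@{ Kind = $oids[$ext.Oid.Value]; Url = $m.Groups[1].Value }
        }
    }
}

if (-not $urls) { "No CDP/AIA URLs found in the certificate." }

# Probe each HTTP(S) endpoint. LDAP distribution points are skipped here;
# a blocked pre-auth ACL will show up as UNREACHABLE or a timeout.
foreach ($u in $urls) {
    $uri = [uri]$u.Url
    if ($uri.Scheme -notin 'http', 'https') {
        "$($u.Kind) $($u.Url): skipped (non-HTTP)"
        continue
    }
    try {
        $resp = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 5
        "$($u.Kind) $($u.Url): HTTP $($resp.StatusCode)"
    } catch {
        "$($u.Kind) $($u.Url): UNREACHABLE ($($_.Exception.Message))"
    }
}

# Build the chain with online revocation checking. If the CDP/OCSP endpoints
# cannot be reached, ChainStatus reports RevocationStatusUnknown and/or
# OfflineRevocation rather than a clean build.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = [timespan]::FromSeconds(15)

$built = $chain.Build($cert)
"Chain build with online revocation: $built"
foreach ($s in $chain.ChainStatus) {
    "  $($s.Status): $($s.StatusInformation.Trim())"
}
```

Two caveats for interpreting the output. First, the chain build here is performed by the script, not by the EAP supplicant, so it shows whether revocation information is obtainable from the client's current network position, not what the 802.1x authentication itself demanded; the supplicant's certificate validation options live in the wired profile, which can be dumped to XML with `netsh lan export profile folder=C:\temp`. Second, a successful result can be satisfied from the local cache: `certutil -urlcache crl` lists cached CRLs and `certutil -urlcache crl delete` clears them, which is the state the poster tested from when reporting a successful authentication with no cached CRLs.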
