Occasional Contributor
MartiBarber
Posts: 9
Registered: 04-02-2013
Message 1 of 6 (917 Views)

Certificate Error with EAP-TLS and UAM

Has anyone ever encountered this message in the UAM "Authentication Failure Log":

 

E63502::Certificate not yet valid.

 

I am using a Windows domain CA and have created a cert for the IMC server and installed it correctly. The device attempting to connect also has a domain user certificate. Authentication works if I send the auth request to an NPS server... so I know the user cert is OK.

 

Inspecting the RADIUS logs on the MSM wireless controller, I can see that the client device never responds to the RADIUS Access-Challenge from UAM. I have tried with both local UAM user accounts and LDAP/AD user accounts.

 

Any advice?

Honored Contributor
LindsayHill
Posts: 743
Registered: 11-16-2011
Message 2 of 6 (903 Views)

Re: Certificate Error with EAP-TLS and UAM

Certificates have two dates - a "not valid before" date, and an expiry date. That sort of error sounds like the thing you get when a system is not NTP-synched.

 

Check the time settings on all your systems. Are they all correct? 

 

Check the "not valid before" time on your certificate - is it correct?

CCIE 36708 | @northlandboy | lkhill.com
Member
Eduardo_1
Posts: 5
Registered: 08-07-2009
Message 3 of 6 (767 Views)

Re: Certificate Error with EAP-TLS and UAM

Hi, I am not a specialist on this, but one time I had this problem and, besides the error message saying certificate not yet valid, in my case it had nothing to do with time or date. In my case we had to use a different template for the certificate. It looks like the message is wrong. It brings us to think the problem is something related to time and it is not. Unfortunately it was some time ago and I do not have the template I used anymore. My suggestion is to try a different template and try to log in using computer or user, and if you get one combination to work, you can study the certificate details and maybe discover the root cause.

Bye
Edu

Member
Eduardo_1
Posts: 5
Registered: 08-07-2009
Message 4 of 6 (751 Views)

Re: Certificate Error with EAP-TLS and UAM

I was able to recreate the certificate template I used in the past. The guy from the CA (Certification Authority) created a template which is customizable when you request it, and after several trials I was able to authenticate and no longer get the "certificate not yet valid" error message. When I requested a certificate using this customizable template I wrote in the subject field just the account name, for instance "eteixeira" (my initial and surname), using CN=eteixeira, and in the alternative name I did the same, "eteixeira", using upn = eteixeira, without anything else, and it worked: I was able to authenticate and did not receive the error message anymore. I had to create an authentication service in IMC without suffix and assign this service to the account eteixeira, which I synchronized from AD (Active Directory). The problem I now have to discuss with the CA guy is whether it is possible to create a template like the one I did without using the customize option at request time, in other words, how to place the account name in the subject field and alternative name field. During my tests I realized that if you write the character @ in the subject or alternative name you get "certificate not yet valid". Can anybody who understands certificates better tell us how to create such a certificate?

Also I believe it will be very important for some product engineer from IMC to fix this problem in IMC, because I think that if NPS accepts the certificate, IMC must do the same.

Thanks. Bye, Edu

Visitor
Moewa
Posts: 4
Registered: 05-09-2014
Message 5 of 6 (552 Views)

Re: Certificate Error with EAP-TLS and UAM


At the moment we have the same problem and HP Support seems also not to know a solution. I tried to find the right settings for a certificate template for about 10 or 12 hours, but I didn't find a working template setting.

 

Can anyone maybe post a few screens of functional certificate template settings? I am in despair over this problem. Especially because the Microsoft standard user template would work with a Microsoft NPS but it won't with this ****ing IMC server.

 

We tried the certificate validation from the IMC: everything is fine. We tried a PEAP authentication to test the right settings in IMC: everything is fine. Only this EAP-TLS certificate authentication won't work.

 

I'll post a reply if we find a solution ourselves, but at the moment I don't think so...

 

Bye

Moewa

Visitor
Moewa
Posts: 4
Registered: 05-09-2014
Message 6 of 6 (489 Views)

Re: Certificate Error with EAP-TLS and UAM

The HP Support found a working solution for us.

There is a setting in IMC which checks the username from the certificate against the username in IMC. This was the fault and the reason for this error message in our environment.

We set the "Check Username in Certificate" option to "No" and had a working solution. Because we are using AD users dedicated to special OUs, and these dedicated to special access services in sync policies for every OU, we don't need to check the username. The certificates are pushed via GPO to our clients, so there is no way to fake a certificate for external devices and there is no need to check this username.

You can find this setting under "User" --> "User Access Policy" --> "Service Parameters" --> "System Settings" --> "System Parameters" --> and then on the lower half of the settings page, right side.

So if you get this error and you are sure that your settings are right, check whether the username test is the reason that causes this error code.
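The thread ends up with two different root causes behind the one E63502 message: a clock problem (LindsayHill's post) and the "Check Username in Certificate" comparison (Moewa's and Eduardo's posts). The following is an added illustration, not code from the thread or from IMC/UAM: it models the server-side decision on the fields an EAP-TLS server extracts from the client certificate, separating a real validity-window failure from a username mismatch. The certificate fields, the five-minute skew tolerance and the exact-match username rule (account name must equal the CN or the UPN as written, which is why a UPN carrying "@suffix" fails against a bare account name) are assumptions used to show the kind of check, not IMC's documented logic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class ClientCert:
    """Fields an EAP-TLS server extracts from the client certificate (constructed sample, not a real cert)."""
    not_before: datetime
    not_after: datetime
    subject_cn: str
    san_upn: Optional[str] = None

def validity_status(cert: ClientCert, now: datetime, skew: timedelta = timedelta(minutes=5)) -> str:
    """Compare the validity window against the server clock; 'skew' is the tolerance assumed for NTP drift."""
    if now + skew < cert.not_before:
        return "not_yet_valid"
    if now - skew > cert.not_after:
        return "expired"
    return "ok"

def username_matches(cert: ClientCert, account: str) -> bool:
    """Assumed rule: the account name must equal the CN or the UPN exactly as written (case-insensitive)."""
    names = {cert.subject_cn.lower(), (cert.san_upn or "").lower()}
    return account.lower() in names

def triage(cert: ClientCert, account: str, now: datetime, check_username: bool = True) -> str:
    """Separate the two root causes the thread found behind one error: clock skew vs. the username check."""
    status = validity_status(cert, now)
    if status != "ok":
        return status            # genuine time problem: check NTP on CA, server and client
    if check_username and not username_matches(cert, account):
        return "username_mismatch"   # what the 'Check Username in Certificate' option rejects
    return "accept"

NOW = datetime(2014, 5, 9, 12, 0, tzinfo=timezone.utc)
ONE_YEAR = timedelta(days=365)
# Constructed samples: a cert from a CA whose clock runs an hour ahead, a cert whose UPN
# carries a domain suffix (default Microsoft User template style), and Eduardo's plain template.
AHEAD = ClientCert(NOW + timedelta(hours=1), NOW + ONE_YEAR, "eteixeira", "eteixeira")
SUFFIXED = ClientCert(NOW - ONE_YEAR, NOW + ONE_YEAR, "Eduardo Teixeira", "eteixeira@corp.example")
PLAIN = ClientCert(NOW - ONE_YEAR, NOW + ONE_YEAR, "eteixeira", "eteixeira")

def sample_results() -> dict:
    """Run the three samples for account 'eteixeira', with and without the username check."""
    return {
        "ahead": triage(AHEAD, "eteixeira", NOW),
        "suffixed": triage(SUFFIXED, "eteixeira", NOW),
        "suffixed_nocheck": triage(SUFFIXED, "eteixeira", NOW, check_username=False),
        "plain": triage(PLAIN, "eteixeira", NOW),
    }

if __name__ == "__main__":
    for case, verdict in sample_results().items():
        print(f"{case}: {verdict}")
```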