HPE Community
IMC
1752660 Members
5681 Online
108788 Solutions
New Discussion юеВ

Re: 802.1x authentication error: E63502::Certificate not yet valid.

 
LS1971
Frequent Advisor

тАО09-03-2013 09:54 AM

тАО09-03-2013 09:54 AM

802.1x authentication error: E63502::Certificate not yet valid.

Hi,

 

we have an iMC installation with WLAN+UAM. An LDAP connection is configured, the users get synced on demand. We can automatically log in from our Windows 7 domain integrated clients. We can also access the guest WLAN (same SSID, different VLAN ID) from Androids and iPhones using a specific AD user.
But when we try to log in from a Windows 7 workgroup client (not domain integrated) we get the following error in iMC Authentication Failure Log List:

 

E63502::Certificate not yet valid.

 

On the Windows client we get the following three error events:

 

Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
Source:        Microsoft-Windows-WLAN-AutoConfig
Date:          03.09.2013 18:24:42
Event ID:      12013
Task Category: OneXAuthentication
Level:         Error
Keywords:      (512)
User:          SYSTEM
Computer:      PCNAME
Description:
Wireless 802.1x authentication failed.Network Adapter: D-Link DWA-121 Wireless N USB Adapter
Interface GUID: {b40379ff-21e6-479a-9e9c-e8fe3fcbf3ce}
Local MAC Address: FE:CC:BA:98:76:54
Network SSID: SECRETSSID
BSS Type: Infrastructure
Peer MAC Address: 12:34:56:78:9A:BC
Identity: NULL
User: username
Domain: PCNAME
Reason: Explicit Eap failure received
Error: 0x80420014
EAP Reason: 0x80420100
EAP Root cause String:
EAP Error: 0x80420014

 

Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational
Source:        Microsoft-Windows-WLAN-AutoConfig
Date:          03.09.2013 18:24:42
Event ID:      11006
Task Category: MsmSecurity
Level:         Error
Keywords:      (512)
User:          SYSTEM
Computer:      PCNAME
Description:
Wireless security failed.Network Adapter: D-Link DWA-121 Wireless N USB Adapter
Interface GUID: {b40379ff-21e6-479a-9e9c-e8fe3fcbf3ce}
Local MAC Address: FE:CC:BA:98:76:54
Network SSID: SECRETSSID
BSS Type: Infrastructure
Peer MAC Address: 12:34:56:78:9A:BC
Reason: Explicit Eap failure received
Error: 0x80420014

 

Log Name:      Microsoft-Windows-WLAN-AutoConfig/Operational

Source:        Microsoft-Windows-WLAN-AutoConfig
Date:          03.09.2013 18:24:42
Event ID:      8002
Task Category: AcmConnection
Level:         Error
Keywords:      (512)
User:          SYSTEM
Computer:      PCNAME
Description:
WLAN AutoConfig service failed to connect to a wireless network.Network Adapter: D-Link DWA-121 Wireless N USB Adapter
Interface GUID: {b40379ff-21e6-479a-9e9c-e8fe3fcbf3ce}
Connection Mode: Connection to a secure network without a profile
Profile Name: SECRETSSID
SSID:SECRETSSID
BSS Type: Infrastructure
Failure Reason:The specific network is not available.


We found and installed a Microsoft hotfix for Windows 7:

 

Windows 7 does not connect to an IEEE 802.1X-authenticated network if an invalid certificate is installed
http://support.microsoft.com/kb/2494172

 

But that didn't change anything.

 

Any ideas?

 

Regards, Leonardo

Regards, Leonardo
0 Kudos
3 REPLIES 3
Eduardo_1
Member

тАО12-18-2013 11:10 AM

тАО12-18-2013 11:10 AM

Re: 802.1x authentication error: E63502::Certificate not yet valid.

I had this problem one time ago and the message about certificate not yet valid let me think it is related to time, but this was wrong, in my case the problem was solved configuring a different certificate template. I remember that we have to try several different options with subject name and alternate name options in certificate. This was a long time ago and now I do not have the template I used anymore. Now I am facing the same problem again in a customer and trying to find again the correct template. Please if someone reading this message is able to figure out the correct certificate template please let me know, I will do the same if I was able to discover the correct template I used in the past. Thanks. Bye Edu

0 Kudos
Peter_Debruyne
Honored Contributor

тАО12-20-2013 07:57 AM

тАО12-20-2013 07:57 AM

Re: 802.1x authentication error: E63502::Certificate not yet valid.

Hi,

 

I normally use a copy of the Web server template, which worked fine so far. I did have issues with some certificates in the past which were too big and got fragmented in the EAP exchange process.

Creating another cert resolved that issue,

 

Best regards,Peter.

0 Kudos
FernandQuintino
New Member

тАО05-08-2015 06:51 AM

тАО05-08-2015 06:51 AM

Re: 802.1x authentication error: E63502::Certificate not yet valid.

Hi All,

 

I was experiencing the same problem, after some research I found that in the user certificate template that I am using, has activate option User Principal Name, in this field at Active Directory is composed of username@domain.com, compared with the Sync Policy of LDAP at IMC I am using sAMAccountName for username/account, so problem is that in the certificate we have usermane@domain.com and IMC we have only username, I tried an alternative solution that was deactivate Username Check under system configuration at IMC but, I extremely not recommend it because any user could use another user account without any restriction, so let's go to the solution, in my case first I tried to change at Sync Policy at IMC to use userPrincipalName for username/account but IMC do not permit the use of "@" in username/account field, :-( , so I used cn for sync username/account and at CA Certificate Template disable checkbox of userPrincipalName, now comaring the cn field at certificate aginst username/account at IMC we have a perfect match, :-) . Now the auth using certificate with autoenroll are functioning as expected. I hope that this is usefully for anyone reading it, thanks.

 

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.