05-02-2013 09:41 PM
Certificate Error with EAP-TLS and UAM
Has anyone ever encountered this message in the UAM "Authentication Failure Log":
E63502::Certificate not yet valid.
I am using a Windows domain CA and have created a cert for the IMC server and installed it correctly. The device attempting to connect also has a domain user certificate. Authentication works if I send the auth request to an NPS server, so I know the user cert is OK.
Inspecting the RADIUS logs on the MSM wireless controller, I can see that the client device never responds to the RADIUS Access-Challenge from UAM. I have tried with both local UAM user accounts and LDAP/AD user accounts.
Any advice?
05-03-2013 01:02 AM
Re: Certificate Error with EAP-TLS and UAM
Certificates have two dates - a "not valid before" date, and an expiry date. That sort of error sounds like the thing you get when a system is not NTP-synched.
Check the time settings on all your systems. Are they all correct?
Check the "not valid before" time on your certificate - is it correct?
12-16-2013 02:47 PM
Re: Certificate Error with EAP-TLS and UAM
Hi, I am not a specialist on this, but one time I had this problem and, despite the error message saying certificate not yet valid, in my case it had nothing to do with time or date. In my case we had to use a different template for the certificate. It looks like the message is wrong. It leads us to think the problem is something related to time, and it is not. Unfortunately it was some time ago and I do not have the template I used anymore. My suggestion is to try different templates and try to log in using computer or user, and if you get one combination to work, you can study the certificate details and maybe discover the root cause.
Bye
Edu
12-23-2013 02:12 PM
Re: Certificate Error with EAP-TLS and UAM
I was able to recreate the certificate template I used in the past. The guy from the CA (Certification Authority) created a template which is customizable when you request it, and after several trials I was able to authenticate and no longer have the "certificate not yet valid" error message. When I requested a certificate using this customizable template, I wrote in the subject field just the account name, for instance "eteixeira" (my initial and surname), using CN=eteixeira, and in the alternative name I did the same, "eteixeira", using upn = eteixeira, without anything else, and it worked: I was able to authenticate and did not receive the error message anymore. I had to create an authentication service in IMC without suffix and assign this service to the account eteixeira, which I synchronized from AD (Active Directory). The problem I now have to discuss with the CA guy is whether it is possible to create a template like the one I did without using the customize option at request time, in other words, how to place the account name in the subject field and alternative name field. During my tests I realized that if you write the character @ in the subject or alternative name you get "certificate not yet valid". Can anybody who understands certificates better tell us how to create such a certificate?
Also, I believe it will be very important for some product engineer from IMC to fix this problem in IMC, because I think that if NPS accepts the certificate, IMC must do the same.
Thanks. Bye Edu
@Eduardo_1 wrote: Hi, I am not a specialist on this, but one time I had this problem and, despite the error message saying certificate not yet valid, in my case it had nothing to do with time or date. In my case we had to use a different template for the certificate. It looks like the message is wrong. It leads us to think the problem is something related to time, and it is not. Unfortunately it was some time ago and I do not have the template I used anymore. My suggestion is to try different templates and try to log in using computer or user, and if you get one combination to work, you can study the certificate details and maybe discover the root cause.
Bye
Edu
05-09-2014 01:32 AM - edited 05-09-2014 01:33 AM
Re: Certificate Error with EAP-TLS and UAM
At the moment we have the same problem, and HP Support also seems not to know a solution. I tried to find the right settings for a certificate template for about 10 or 12 hours, but I didn't find a working template setting.
Can anyone maybe post a few screens of functional certificate template settings? I am in despair over this problem. Especially because the Microsoft standard user template would work with a Microsoft NPS, but it won't with this ****ing IMC server.
We tried the certificate validation from the IMC - everything is fine. We tried a PEAP authentication to test the right settings in IMC - everything is fine. Only this EAP-TLS certificate authentication won't work.
I'll post a reply if we find a solution ourselves, but at the moment I don't think so...
Bye
Moewa
06-05-2014 03:56 AM
Re: Certificate Error with EAP-TLS and UAM
There is a setting in the IMC which checks the username from the certificate against the username from the IMC. This was the fault and the reason for this error message in our environment.
We set the "Check Username in Certificate" option to "No" and had a working solution. Because we are using AD users dedicated to special OUs, and these dedicated to special Access Services in Sync Policies for every OU, we don't need to check the username. The certificates are pushed via GPO to our clients, so there is no way to fake a certificate for external devices and there is no need to check this username.
You can find this setting under "User" --> "User Access Policy" --> "Service Parameters" --> "System Settings" --> "System Parameters" --> and then on the lower half of the settings page, right side.
So if you get this error and you are sure that your settings are right, check whether the username check is the reason for this error code.
05-08-2015 06:51 AM
Re: Certificate Error with EAP-TLS and UAM
Hi All,
I was experiencing the same problem. After some research I found that the user certificate template I am using has the User Principal Name option activated; in Active Directory this field is composed of username@domain.com. By comparison, in the LDAP Sync Policy at IMC I am using sAMAccountName for username/account, so the problem is that in the certificate we have username@domain.com and in IMC we have only username. I tried an alternative solution, which was to deactivate Username Check under system configuration at IMC, but I extremely do not recommend it, because any user could use another user account without any restriction. So let's go to the solution. In my case I first tried to change the Sync Policy at IMC to use userPrincipalName for username/account, but IMC does not permit the use of "@" in the username/account field, :-( , so I used cn to sync username/account and at the CA certificate template disabled the checkbox for userPrincipalName. Now, comparing the cn field in the certificate against username/account at IMC, we have a perfect match, :-) . Now auth using certificates with autoenroll is functioning as expected. I hope that this is useful for anyone reading it, thanks.
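A pre-change audit for the sync-attribute choice discussed in the post above, as an added example that is not part of the original post and is not IMC code. It assumes the certificate subject CN equals the AD cn attribute, that the template optionally adds the UPN, and that the username check is a plain comparison, as the posters report; the function name and the user records are constructed for illustration.

```python
from collections import Counter

HAS_AT = "account name contains '@'"
NOT_UNIQUE = "account name not unique"
CN_DIFFERS = "certificate CN differs from account name"
UPN_DIFFERS = "certificate UPN differs from account name"

# Constructed AD attribute export (not taken from the thread).
USERS = [
    {"sAMAccountName": "jdoe", "cn": "jdoe",
     "userPrincipalName": "jdoe@example.com"},
    {"sAMAccountName": "asmith", "cn": "Anna Smith",
     "userPrincipalName": "asmith@example.com"},
    {"sAMAccountName": "bsmith", "cn": "Anna Smith",
     "userPrincipalName": "bsmith@example.com"},
]

def audit(users, sync_attr, cert_has_upn):
    """Return {sAMAccountName: [problems]} for a planned sync attribute
    and certificate template (hypothetical helper)."""
    counts = Counter(u[sync_attr].casefold() for u in users)
    report = {}
    for u in users:
        account = u[sync_attr]
        problems = []
        if "@" in account:
            # The thread reports that IMC refuses '@' in the account field.
            problems.append(HAS_AT)
        if counts[account.casefold()] > 1:
            # cn is only unique per container in AD, so it can collide.
            problems.append(NOT_UNIQUE)
        if u["cn"].casefold() != account.casefold():
            problems.append(CN_DIFFERS)
        if cert_has_upn and u["userPrincipalName"].casefold() != account.casefold():
            problems.append(UPN_DIFFERS)
        if problems:
            report[u["sAMAccountName"]] = problems
    return report

if __name__ == "__main__":
    for attr, upn in (("sAMAccountName", True), ("cn", False)):
        print(attr, "UPN in certificate:", upn, audit(USERS, attr, upn))
```

Syncing on cn removes the mismatch only where cn is unique across all synced OUs, which the constructed "Anna Smith" pair shows is not guaranteed.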
09-03-2015 03:13 AM
Re: Certificate Error with EAP-TLS and UAM
I am having the same issue with EAP-TLS certificate authentication (MSCHAPv2 works perfectly).
The error I am getting is USER ACCESS LOG: Invalid authentication type
and in the RADIUS trace log I am getting:
RT[0]: Receive message from 10.80.18.51:
CODE = 1.
ID = 156.
ATTRIBUTES:
Acct-Multi-Session-Id(50) = "A0-48-1C-4D-03-22-6C-88-14-BE-FC-AC-55-E6-B5-AA-00-07-7D-2F".
Acct-Session-Id(44) = "af9617dd-00000020".
NAS-Port(5) = 33.
NAS-Port-Type(61) = 19.
NAS-Identifier(32) = "CN30F2D9TZ".
NAS-IP-Address(4) = 173019764.
Framed-MTU(12) = 1496.
User-Name(1) = "BYOD".
Calling-Station-Id(31) = "6C-88-14-BE-FC-AC".
Called-Station-Id(30) = "A0-48-1C-4D-03-20:BYOD".
Service-Type(6) = 2.
EAP-Message(79) = "020f00090142594f44".
Attribute (8744-0) is not define in this device type.
Attribute (8744-0) is not define in this device type.
Attribute (8744-0) is not define in this device type.
Attribute (8744-0) is not define in this device type.
Attribute (8744-250) is not define in this device type.
Attribute (8744-249) is not define in this device type.
Message-Authenticator(80) = "38729733c769ab5ebb8f988fc90e9f53".
Does anybody have any clue? I registered a case with HP 3 weeks ago and am still waiting.
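Decoding the EAP-Message and NAS-IP-Address values from the trace above, as an added example that is not part of the original post. The EAP header layout and type numbers are the standard ones from RFC 3748 and the IANA EAP registry; the function names are hypothetical, and the Nak packet in the demo is constructed.

```python
import ipaddress
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP", 26: "EAP-MSCHAPv2"}

def type_name(number):
    return EAP_TYPES.get(number, f"unknown({number})")

def decode_eap(hex_value):
    """Decode one complete EAP packet given as the hex string from the trace."""
    raw = bytes.fromhex(hex_value)
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        # Large EAP packets (e.g. TLS certificates) are split over several
        # EAP-Message attributes; concatenate them before decoding.
        raise ValueError(f"header says {length} bytes, got {len(raw)}")
    pkt = {"code": EAP_CODES.get(code, f"unknown({code})"),
           "id": ident, "length": length}
    if code in (1, 2) and length > 4:   # Success/Failure carry no type
        eap_type, data = raw[4], raw[5:]
        pkt["type"] = type_name(eap_type)
        if eap_type == 1:               # Identity: the name the peer sent
            pkt["identity"] = data.decode("utf-8", "replace")
        elif eap_type == 3:             # Nak: methods the peer would accept
            pkt["desired_types"] = [type_name(b) for b in data]
    return pkt

def decode_nas_ip(value):
    """Turn the integer form of NAS-IP-Address into dotted-quad notation."""
    return str(ipaddress.IPv4Address(value))

if __name__ == "__main__":
    print(decode_eap("020f00090142594f44"))  # EAP-Message from the trace
    print(decode_nas_ip(173019764))          # NAS-IP-Address from the trace
    print(decode_eap("02100006030d"))        # constructed Nak asking for EAP-TLS
```

The traced packet is an EAP-Response/Identity carrying the identity "BYOD", so this Access-Request is the opening step of the exchange, before any EAP method has been selected.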