On 2021-04-13 21:20:32+0000, Pratik Mehta wrote:
> [...]
> The problem is that Windows attempts to perform a CRL check on the
> RADIUS server certificate during the TLS handshake and before 802.1x
> authentication is complete. This causes the EAP session to time out and
> wireless connectivity to take a long time to be established (more than
> 25 seconds). It does not make sense for the supplicant to perform a
> CRL check before wireless connectivity is established.
> [...]

I can't speak to the specifics of the situation, but in general, the
solution is to use OCSP stapling instead of a CRL check.

The gist of OCSP stapling is the server contacts the CA/OCSP server to
get a token that asserts the cert has not been revoked, and sends that
with the cert to the client. This allows the client to verify the
server's cert hasn't been revoked without having to connect to another
network resource. I've probably got the details there wrong, but that is
the _idea_ of what is happening.

Implementing OCSP stapling on your authentication servers may bypass
the bug.

Full disclosure: we haven't gotten around to implementing this
ourselves yet, so there may well be dragons ahead that I am completely
unaware of.

-- 
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech
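An added example, not from the thread or from either poster, of the idea Jonathan describes: the CA that issued the RADIUS server's certificate also signs an OCSP response, the server staples that response to its certificate, and the supplicant judges it using only the CA certificate it already trusts, with no network access. It assumes the Python `cryptography` package; the CA name, keys, hostname and clock are constructed, and the "stale" case shows why a supplicant must also check the response's validity window.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime(2021, 4, 14, 12, 0, 0)  # constructed clock (naive UTC)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Campus CA")])
GOOD, REVOKED = ocsp.OCSPCertStatus.GOOD, ocsp.OCSPCertStatus.REVOKED

def issue(cn, pub, ca_key, is_ca=False):  # CA side: issue a cert (the CA's own if is_ca)
    subject = CA_NAME if is_ca else x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(CA_NAME)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1)).not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(ca_key, hashes.SHA256()))

def staple(ca_key, ca_cert, cert, status, this_update):
    """Responder side: the DER-encoded, CA-signed response the RADIUS server staples."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=cert, issuer=ca_cert, algorithm=hashes.SHA256(), cert_status=status,
                          this_update=this_update, next_update=this_update + dt.timedelta(days=7),
                          revocation_time=this_update if status == REVOKED else None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
            .sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))

def check_stapled(resp_der, server_cert, ca_cert, now=NOW):
    """Supplicant side: judge the stapled response using only the trusted CA cert."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "responder-error"
    try:  # must be signed by the issuing CA (delegated responder certs not modelled)
        ca_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                    padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if resp.serial_number != server_cert.serial_number:
        return "wrong-certificate"
    if not resp.this_update <= now < resp.next_update:
        return "stale"  # outside its window: treat as if nothing had been stapled
    return "good" if resp.certificate_status == GOOD else "revoked"

def demo():  # constructed CA and RADIUS server cert; verdicts for three stapled responses
    ca_key, srv_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    ca_cert = issue("ca", ca_key.public_key(), ca_key, is_ca=True)
    srv_cert = issue("radius.example.edu", srv_key.public_key(), ca_key)
    cases = {"fresh": (GOOD, NOW), "revoked": (REVOKED, NOW), "stale": (GOOD, NOW - dt.timedelta(days=30))}
    return {name: check_stapled(staple(ca_key, ca_cert, srv_cert, st, t), srv_cert, ca_cert)
            for name, (st, t) in cases.items()}
```

A real supplicant additionally validates the certificate chain and the responder's own authorization; this block only models the revocation-status part that stapling moves off the client's network path.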
