Security

  • 1.  BYOD client certificates getting revoked randomly

    Posted Apr 15, 2025 04:10 PM
    Edited by NHN Apr 15, 2025 04:24 PM

    Hello everyone. 

    I am facing an issue with BYOD client certificates. ClearPass is automatically revoking some client certificates at 03:00 AM. Currently, 100+ certificates have been issued, and 5 of them were revoked automatically.

    I can see the CRL process under Application logs happening every day at 03:00 AM.


    Is ClearPass revoking the certificates when the mac-address of the endpoints is Unknown or not available in the Endpoint DB?

    --------------------------
    Harendra
    ACEX165
    ------------------------------



  • 2.  RE: BYOD client certificates getting revoked randomly

    Posted Apr 16, 2025 08:40 AM

    By default, older duplicate certificates for the same device are revoked.

    As you have the mdpsMacAddress as 11:11:11:11:11:11, there may be something wrong with the MAC address detection, or you have overridden the MAC address in the Onboard URL. Please check why the device is onboarded with 11:11:11:11:11:11; alternatively, you could disable the revocation and see if that solves the issue.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your HPE Aruba Networking partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact HPE Aruba Networking TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or HPE Aruba Networking.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: BYOD client certificates getting revoked randomly

    Posted Apr 16, 2025 05:50 PM

    Thanks Herman. 

    I will update the configuration after Easter Monday and share the results. 

    Sorry about the MAC address; I just typed 11:11:11:11:11:11 as an illustration. ClearPass is getting the correct MAC address without overriding.



    ------------------------------
    Harendra | ACEX165 | ACEP | CWDP | CWSP
    If you find my answer useful, consider giving kudos and/or mark it as the solution.
    ------------------------------



  • 4.  RE: BYOD client certificates getting revoked randomly

    Posted Apr 21, 2025 09:49 AM

    You'll notice "certificates to revoke for inactivity" in the audit list; you should look to see if your noted certificates are in that information. MAC randomization means that session logging can get attributed to a MAC address that isn't associated with any issued certificate, so the inactivity timer becomes useless. Disable that check, or otherwise ensure that the MAC address the device uses during enrollment is the same as the one used on the provisioned network.



    ------------------------------
    Carson Hulcher, ACEX#110
    ------------------------------
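The failure mode described in the reply above (an inactivity rule keyed on the enrolled MAC that never sees a matching session once the client switches to a randomized MAC) can be reproduced offline with a small model. The following is an added example written for this thread, not ClearPass code and not anything from the posters; the certificate and session records are constructed, and the rule itself (flag a certificate when its enrolled MAC has no session inside the inactivity window, with a grace period after issuance) is a simplified assumption, not ClearPass's actual implementation. It also checks the locally-administered bit of the enrolled MAC, which is set on randomized addresses, to separate the MAC-randomization case from genuinely idle devices.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class IssuedCert:
    serial: str
    enrolled_mac: str      # MAC recorded at Onboard enrollment time
    issued_at: datetime


@dataclass
class Session:
    mac: str               # MAC seen in session / accounting logs
    seen_at: datetime


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so comparisons are reliable."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (0x02 of the first octet) is set on randomized MAC addresses."""
    return bool(int(normalize_mac(mac).split(":")[0], 16) & 0x02)


def last_activity(cert: IssuedCert, sessions: list[Session]):
    """Most recent session whose MAC equals the certificate's enrolled MAC, or None."""
    wanted = normalize_mac(cert.enrolled_mac)
    times = [s.seen_at for s in sessions if normalize_mac(s.mac) == wanted]
    return max(times) if times else None


def inactivity_candidates(certs, sessions, now, inactivity_days):
    """Certificates a MAC-keyed inactivity rule would flag, mapped to the reason.

    Assumed rule: a certificate is flagged when its enrolled MAC has no session
    inside the window; certificates issued inside the window are left alone."""
    cutoff = now - timedelta(days=inactivity_days)
    flagged = {}
    for cert in certs:
        if cert.issued_at > cutoff:
            continue  # assumption: grace period after issuance
        last = last_activity(cert, sessions)
        if last is None:
            flagged[cert.serial] = "no session ever matched enrolled MAC"
        elif last < cutoff:
            flagged[cert.serial] = f"last seen {(now - last).days} days ago"
    return flagged


def likely_mac_randomization(certs, sessions, now, inactivity_days):
    """Flagged certificates whose enrolled MAC looks randomized and was never seen
    in any session: the false-positive case rather than a genuinely idle device."""
    flagged = inactivity_candidates(certs, sessions, now, inactivity_days)
    return sorted(
        c.serial for c in certs
        if c.serial in flagged
        and last_activity(c, sessions) is None
        and is_locally_administered(c.enrolled_mac)
    )


# Constructed sample data (not from any real deployment).
NOW = datetime(2025, 4, 15, 3, 0)          # the 03:00 nightly run
CERTS = [
    IssuedCert("A", "3c:22:fb:aa:bb:cc", datetime(2025, 3, 1)),   # hardware MAC, active
    IssuedCert("B", "da:1b:2c:3d:4e:5f", datetime(2025, 3, 1)),   # randomized MAC at enrollment
    IssuedCert("C", "00:11:22:33:44:55", datetime(2025, 1, 1)),   # genuinely idle device
    IssuedCert("D", "00:aa:bb:cc:dd:ee", datetime(2025, 4, 10)),  # just issued, no session yet
]
SESSIONS = [
    Session("3C-22-FB-AA-BB-CC", datetime(2025, 4, 14, 9, 0)),    # device A, different notation
    Session("3c:22:fb:11:22:33", datetime(2025, 4, 14, 9, 5)),    # device B under its real MAC
    Session("00:11:22:33:44:55", datetime(2025, 2, 1, 2, 0)),     # device C, long ago
]

if __name__ == "__main__":
    for serial, reason in inactivity_candidates(CERTS, SESSIONS, NOW, 30).items():
        print(f"would revoke {serial}: {reason}")
    print("probable MAC-randomization false positives:",
          likely_mac_randomization(CERTS, SESSIONS, NOW, 30))
```

Running it flags B (no session ever matched its enrolled MAC, which carries the locally-administered bit) and C (last seen 73 days ago), while A and D are untouched; B is the case the reply is warning about, and the remedy is the one given there: disable the inactivity check or make sure enrollment and the provisioned network see the same MAC.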