Network Management

Has anyone ever encountered this message in the UAM "Authetication Failure Log":

 

E63502::Certificate not yet valid.

 

I am using a windows domain CA and have created a cert for the IMC server and installed it correctly. The device attempting to connect also has a domain user certificate. Authentication works if i send the auth request to an NPS server...so i know the user cert is OK. 

 

Inspecting the RADIUS logs on the MSM wireless controller, i can see that the client device never responds to the RADIUS Access-Challenge from UAM. I have tried with both Local UAM user accounts and LDAP/AD User Accounts. 

 

Any advice?

#certificate

Certificates have two dates - a "not valid before" date, and an expiry date. That sort of error sounds like the thing you get when a system is not NTP-synched.

 

Check the time settings on all your systems. Are they all correct? 

 

Check the "not valid before" time on your certificate - is it correct?

Hi am not a specialist on this, but one time I had this problem an beside the error message telling certificate not yet valid, in my case there is nothing to do with time or date. In my case we have to use a diferent template for the certificate. It looks like the message is wrong. It bring us to think the problem is something related to time and it is not. Unfortunately it wal some time ago an I do not have the template I used anymore. My sugestion is to try diferent template and try to log using computer or user and if yo get one combination work, you can study the certificate detais and maybe discover the root cause.

Bye
Edu

I was able to recreate the certificate template I used in the past. The guy from the CA (Certification Authority) created a template which is customizable when you request it and after several trials I was able to authenticate and do no have anymore the "certificate not yet valid" error message. When I requested a certificate using this customizable template I wrote in subject field just the account name, for instance, "eteixeira" (my initial and surname) using CN=eteixeira and in alternative name I did the same "eteixeira" using upn = eteixeira, without anything else, and it worked, I was able to authenticate and did not receive the error message anymore. I had to create an authentication service in IMC without suffix and to assign this service to the account eteixeira which I synchronized from AD (Active Directory). The problem now I have to discuss with the CA guy is if it is possible to create a template like the one I did without using the option customize in request time, in other words, how to place the account name in subject field and alternative name field. During my testes I realized that if you write the character@ in subject or alternative name you get "certificate not yet valid". Can anybody that understand better about certificates tell us how to create such certificate?

Also I believe it will be very important some product engineer from IMC to fix this problem in IMC, because I think that if NPS accept the certificate the IMC must do the same.

Thanks. Bye Edu

---

@Eduardo_1 wrote:

Hi am not a specialist on this, but one time I had this problem an beside the error message telling certificate not yet valid, in my case there is nothing to do with time or date. In my case we have to use a diferent template for the certificate. It looks like the message is wrong. It bring us to think the problem is something related to time and it is not. Unfortunately it wal some time ago an I do not have the template I used anymore. My sugestion is to try diferent template and try to log using computer or user and if yo get one combination work, you can study the certificate detais and maybe discover the root cause.

Bye
Edu

---

At the moment we have the same problem and the HP-Support seams also not to know an solution. I tried to find the right settings for an certificate template for about 10 or 12 hours, but i didn't find a working template setting.

 

Can anyone maybe post a few screens of functional certificate template settings? I am dispaired with this problem. Espacially cause the Microsoft Standard-Usertemplate would work with an Microsoft NPS but it won't with this ****ing IMC Server.

 

We tried the certificate validation from the IMC - everything is fine. We tried an PEAP-Authentication to test the right settings in IMC - everything is fine. Only this EAP-TLS Certificate Authentication won't work.

 

I'll post an reply, if we'll find a solution ourself, but at the moment i don't think so...

 

Bye

Moewa

The HP Support found a working solution for us.

There is a Setting in the IMC, which checks the Username from the Certificate with the Username from the IMC. This was the fault and the reason for this error message in our Environment.

We set the "Check Username in Certificate"-Option to "No" and had a working solution. Cause we are using AD-Users dedicated to Special OUs and this dedicated to Special Access Services in Sync Policies für every OU, we don't need to check the Username. The Certificates are pushed via GPO to our Clients, so there is no way to fake a certificate for external Devices and there is no need to check this Username.

You can find this setting on "User" --> "User Access Policy" --> "Service Parameters" -- > "System Settings" --> "System Parameters" --> and then on the lower half of the settings page right sight.

So if you get this error and you are sure, that your settings are right, check if the test of the Username will be the reason, which causes this error code.

Hi All,

 

I was experiencing the same problem, after some research I found that in the user certificate template that I am using, has activate option User Principal Name, in this field at Active Directory is composed of username@domain.com, compared with the Sync Policy of LDAP at IMC I am using sAMAccountName for username/account, so problem is that in the certificate we have usermane@domain.com and IMC we have only username, I tried an alternative solution that was deactivate Username Check under system configuration at IMC but, I extremely not recommend it because any user could use another user account without any restriction, so let's go to the solution, in my case first I tried to change at Sync Policy at IMC to use userPrincipalName for username/account but IMC do not permit the use of "@" in username/account field, :-( , so I used cn for sync username/account and at CA Certificate Template disable checkbox of userPrincipalName, now comaring the cn field at certificate aginst username/account at IMC we have a perfect match, :-) . Now the auth using certificate with autoenroll are functioning as expected. I hope that this is usefully for anyone reading it, thanks.

I am having same issue with EAP-TLS certificate authentication(MSCHAPv2 work perefect)

 

error i am getting is USER ACCESS LOG: Invalid authentication type

and in radius tracl log i am getting:

                                                                   

RT[0]: Receive message from 10.80.18.51:
CODE = 1.
ID   = 156.
ATTRIBUTES:
 Acct-Multi-Session-Id(50) = "A0-48-1C-4D-03-22-6C-88-14-BE-FC-AC-55-E6-B5-AA-00-07-7D-2F".
 Acct-Session-Id(44) = "af9617dd-00000020".
 NAS-Port(5) = 33.
 NAS-Port-Type(61) = 19.
 NAS-Identifier(32) = "CN30F2D9TZ".
 NAS-IP-Address(4) = 173019764.
 Framed-MTU(12) = 1496.
 User-Name(1) = "BYOD".
 Calling-Station-Id(31) = "6C-88-14-BE-FC-AC".
 Called-Station-Id(30) = "A0-48-1C-4D-03-20:BYOD".
 Service-Type(6) = 2.
 EAP-Message(79) = "020f00090142594f44".
 Attribute (8744-0) is not define in this device type.
 Attribute (8744-0) is not define in this device type.
 Attribute (8744-0) is not define in this device type.
 Attribute (8744-0) is not define in this device type.
 Attribute (8744-250) is not define in this device type.
 Attribute (8744-249) is not define in this device type.
 Message-Authenticator(80) = "38729733c769ab5ebb8f988fc90e9f53".

 

Anybody have any clue i have register case with HP 3 week still waiting..