Windows 10 End Systems Show as Rejected Due To Authentication Became Stale

Symptoms
  • Windows 10 End Systems unable to access the network via wired or wireless devices.
  • Windows 10 End Systems show up in Reject State in NAC Manager.
  • "Authentication Became Stale" messages are logged in NAC Manager for Windows 10 End Systems running 802.1x.
Environment
  • All NAC platforms
  • All wireless platforms
  • All wired platforms
  • IdentiFi Wireless
  • 802.1x
  • TLS v1.2
  • Windows 10
  • Windows 7
Cause
This is caused by an invalid "Signature Algorithm" based on MD5 (md5WithRSAEncryption) in the certificate when the Windows 10 End System requires TLS v1.2 in the certificate / key exchange.
(This is not applicable to TLS v1.0)
Resolution
Upgrade to 6.3.0.174 and regenerate the certificate.

In Version 6.3.0.174 the default_md option has changed from "md5" to "sha256". Unless the certificate has been regenerated at version 6.3.0.174 or above you will need to regenerate the certificate manually.

To verify which algorithm is currently being used, type the following commands:
    cd /opt/nac/radius/raddb/certs/
    openssl x509 -in selfsigned_server.pem -text
If you see:

        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: md5WithRSAEncryption
         36:af:e5:8e:04:2e:64:59:45:ad:93:d6:5b:99:e3:07:92:21:
 
You will need to regenerate the certificate.          


Prior to version 6.3.0.174:
  1. Edit the /opt/nac/radius/raddb/certs/selfsigned/server.cnf file so the option for "default_md=md5" is changed to "default_md=sha256"
  2. Generate a new server certificate with the command:
    /opt/nac/radius/raddb/certs/generate_server_cert
  3. Restart the NAC services with the command: 
    nacctl restart

***Note that after a nacctl restart the server.cnf file reverts to MD5, so if the certificate is regenerated again (for whatever reason) before a patch is applied, it will revert to MD5.***
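
The check above and the server.cnf caveat can be combined into one audit. This is an added example, not vendor code: the function names and result strings are hypothetical, and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not vendor code): decide whether the NAC RADIUS server
# certificate must be regenerated and whether server.cnf needs editing first.

# Print the first "Signature Algorithm" value from `openssl x509 -text` output (stdin).
cert_sig_alg() {
    sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Print the active default_md value from an OpenSSL config (stdin); commented lines are skipped.
cnf_default_md() {
    sed -n 's/^[[:space:]]*default_md[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' | head -n 1
}

# regen_plan <certificate signature algorithm> <cnf default_md value>
regen_plan() {
    case "$1" in
        "")   echo "UNKNOWN"; return 0 ;;   # no algorithm could be parsed
        md5*) ;;                            # MD5-signed: certificate must be replaced
        *)    echo "OK"; return 0 ;;
    esac
    case "$2" in
        sha256) echo "REGENERATE" ;;
        *)      echo "FIX_CNF_THEN_REGENERATE" ;;  # cnf would produce another MD5 cert
    esac
}

# audit_nac_cert <cert.pem> <server.cnf>: run both checks against real files.
audit_nac_cert() {
    alg=$(openssl x509 -in "$1" -noout -text | cert_sig_alg)
    md=$(cnf_default_md < "$2")
    echo "cert=$alg default_md=$md plan=$(regen_plan "$alg" "$md")"
}

# Constructed samples: certificate text as in the article, and a server.cnf
# that has reverted to MD5 after a nacctl restart.
SAMPLE_CERT_TEXT='            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    Signature Algorithm: md5WithRSAEncryption'
SAMPLE_CNF_REVERTED='# default_md = sha256
default_md=md5'

# On the appliance (paths from the article):
#   audit_nac_cert /opt/nac/radius/raddb/certs/selfsigned_server.pem \
#                  /opt/nac/radius/raddb/certs/selfsigned/server.cnf
```

Running the audit again after generate_server_cert confirms that the new certificate is no longer MD5-signed.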

If you have upgraded to 6.3.0.174 or higher and have default RADIUS certificates that were generated before 6.3.0.17, you still need to regenerate the certificate:

If you upgraded to 6.3.0.174, but are not on 7.0:
  1. Generate a new server certificate with the command:
    /opt/nac/radius/raddb/certs/generate_server_cert
  2. Restart the NAC services with the command: 
    nacctl restart
If you upgraded to version 7.0 or higher:

Follow this procedure: How to regenerate/remove NAC RADIUS certificates
 
Additional notes
Added Windows 7, as I have had a customer report that this was successful for him on a group of Dell E6430 laptops that were failing.  
 
