Extreme Networks Summit WM Technical Reference Manual page 35

Version 5.1
Backing up the CA database, the CA certificate, and the CA keys is essential to protect against the
loss of critical data. The CA should be backed up on a regular basis (daily, weekly, monthly) based
on the number of certificates issued over the same interval. The more certificates issued, the more
frequently you should back up the CA.
You should review the concepts of security permissions and access control in Windows, since
enterprise CAs issue certificates based on the security permissions of the certificate requester.
Additionally, if you want to take advantage of autoenrollment for computer certificates, use Windows
2000 or Windows Server 2003 Certificate Services and create an enterprise CA at the issuer CA level. If
you want to take advantage of autoenrollment for user certificates, use Windows Server 2003, Enterprise
Edition, or Windows Server 2003, Datacenter Edition, Certificate Services and create an enterprise CA at
the issuer CA level.
By default, the IAS server checks for certificate revocation for all the certificates in the certificate chain
sent by the wireless client during the EAP-TLS authentication process. If certificate revocation fails for
any of the certificates in the chain, the connection attempt is not authenticated and is denied. The
certificate revocation check for a certificate can fail for any of the following reasons:

- The certificate has been revoked. The issuer of the certificate has explicitly revoked the
  certificate.

- The certificate revocation list (CRL) for the certificate is not reachable or available. CAs
  maintain CRLs and publish them to specific CRL distribution points. The CRL distribution points
  are included in the CRL Distribution Points property of the certificate. If the CRL distribution
  points cannot be contacted to check for certificate revocation, then the certificate revocation
  check fails. Additionally, if there are no CRL distribution points in the certificate, the IAS
  server cannot verify that the certificate has not been revoked and the certificate revocation
  check fails.

- The publisher of the CRL did not issue the certificate. Included in the CRL is the publishing CA.
  If the publishing CA of the CRL does not match the issuing CA for the certificate for which
  certificate revocation is being checked, then the certificate revocation check fails.

- The CRL is not current. Each published CRL has a range of valid dates. If the CRL Next update
  date has passed, the CRL is considered invalid and the certificate revocation check fails. New
  CRLs should be published before the expiration date of the last published CRL.
Because certificate revocation checking can prevent wireless access due to the unavailability or
expiration of CRLs for each certificate in the certificate chain, design your PKI for high availability of
CRLs. For instance, configure multiple CRL distribution points for each CA in the certificate hierarchy
and configure publication schedules that ensure that the most current CRL is always available.
Certificate revocation checking is only as accurate as the last published CRL. For example, if a certificate
is revoked, by default the new CRL containing the newly revoked certificate is not automatically
published. CRLs are typically published based on a configurable schedule. This means that the revoked
certificate can still be used to authenticate because the published CRL is not current; it does not contain
the revoked certificate and can therefore still be used to create wireless connections. To prevent this
from occurring, the network administrator must manually publish the new CRL with the newly
revoked certificate.
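The revocation decision described in the failure list above and in the preceding paragraph, as an added example that is not part of this manual or of the IAS server's code: a Python model that applies each failure condition to every certificate in a constructed chain. The Certificate and CRL classes, the distribution-point URLs and the fetch function are assumptions made for the example, not IAS APIs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimal certificate/CRL models (constructed for this example, not IAS code).
@dataclass
class Certificate:
    subject: str
    issuer: str
    serial: int
    cdps: list = field(default_factory=list)  # CRL Distribution Points property

@dataclass
class CRL:
    issuer: str            # publishing CA
    next_update: datetime  # end of the CRL's validity range
    revoked: frozenset     # serial numbers the CA has revoked

def check_revocation(cert, fetch_crl, now):
    """Return (ok, reason) for one certificate, covering the failure cases
    above: no or unreachable distribution point, CRL publisher mismatch,
    CRL past its Next update, or the certificate being listed."""
    if not cert.cdps:
        return False, "no CRL distribution points in certificate"
    crl = next((c for c in map(fetch_crl, cert.cdps) if c is not None), None)
    if crl is None:
        return False, "no CRL distribution point reachable"
    if crl.issuer != cert.issuer:
        return False, "CRL publisher does not match certificate issuer"
    if now > crl.next_update:
        return False, "CRL is not current (Next update has passed)"
    if cert.serial in crl.revoked:
        return False, "certificate has been revoked"
    return True, "not revoked according to the published CRL"

def check_chain(chain, fetch_crl, now):
    """Every certificate in the chain must pass, as the IAS server requires."""
    for cert in chain:
        ok, reason = check_revocation(cert, fetch_crl, now)
        if not ok:
            return False, "%s: %s" % (cert.subject, reason)
    return True, "chain OK"

# Constructed sample PKI: an issuing CA under a root, plus a wireless client.
NOW = datetime(2007, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=8)  # after the issuer CRL's Next update
CRLS = {"http://pki.example.invalid/root.crl": CRL("Root CA", NOW + timedelta(days=30), frozenset()),
        "http://pki.example.invalid/issuer.crl": CRL("Issuer CA", NOW + timedelta(days=7), frozenset({7}))}
fetch = CRLS.get  # hypothetical fetcher: None means the point is unreachable
ISSUER_CA = Certificate("Issuer CA", "Root CA", 2, ["http://pki.example.invalid/root.crl"])
CLIENT = Certificate("laptop01", "Issuer CA", 9, ["http://pki.example.invalid/issuer.crl"])
```

A certificate the CA revoked after the issuer CRL was published (a serial not yet listed in it) still passes this check, which is the staleness the text warns about.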
By default the IAS server uses the CRL distribution points in the certificates. However, it is also possible
to store a local copy of the CRL on the IAS server. In this case, the local CRL is used during certificate
revocation checking. If a new CRL is manually published to the Active Directory, the local CRL on the
IAS server is not updated. The local CRL is updated when it expires. This can create a situation wherein
Summit WM Technical Reference Guide, Software Version 5.1