RADIUS authentication went haywire after a root CA was renewed

  • Question

  • We had an intermediate certificate about to expire. We renewed it and everything went fine. The new CA cert was added to the domain controller, the same PKI was used, and the cert was cross-published to the forest with certutil's crossCA capability.

    Strangely enough, RADIUS did not like the cert. Even stranger: NAP RADIUS authentication stopped working on all domain controllers, even those that did not use the renewed root CA for authentication.

    Eventually we requested a new certificate specifically for 802.1X and everything worked again. I'm just curious whether anyone can explain what went wrong. Why would RADIUS break because of a root CA change when RADIUS isn't pointing at that root CA?

    Monday, June 15, 2015 5:07 PM

Answers

  • Hi,

    According to your description, my understanding is that the renewed CA caused RADIUS authentication to fail, and replacing it with a new certificate resolved the problem.

    You have mentioned that this CA is not used for RADIUS, but since the renewed CA caused authentication to fail, there might be something related. Detailed error messages, logs and events might be helpful for further identifying the problem.

    Besides, the link below provides a detailed description of certificates and NPS, just for your reference:
    https://technet.microsoft.com/en-us/library/cc772401(v=ws.10).aspx

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, June 17, 2015 6:13 AM
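The reply above asks for the error messages and events that would pin down why NPS rejected the renewed chain. The script below is an added example, not code from either poster or from Microsoft: it inventories the Server Authentication certificates an NPS host could present for PEAP/EAP-TLS, builds each chain the way Schannel would (Server Authentication application policy, online revocation checking, no untrusted roots), and pulls the recent NPS deny events (Security log, event ID 6273) with their reason codes. It assumes it is run elevated on the NPS server itself and that the NPS certificate lives in the local machine personal store; the function names and the regex over the 6273 message text are this example's own, not part of NPS.

```powershell
# Added example, not from the thread. Run elevated on the NPS server.
$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU NPS requires on its own certificate

function Test-NpsServerCertificates {
    # Assumed location: the local machine personal store, where NPS looks for its server certificate.
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Keep only certificates that carry the Server Authentication EKU.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $ekuExt |
            ForEach-Object { $_.EnhancedKeyUsages } |
            Where-Object { $_.Value -eq $serverAuthEku }
        if (-not $hasServerAuth) { continue }

        # Build the chain as the TLS stack would: explicit application policy, online revocation, trusted roots only.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $oid = New-Object System.Security.Cryptography.Oid $serverAuthEku
        [void]$chain.ChainPolicy.ApplicationPolicy.Add($oid)
        $valid = $chain.Build($cert)

        # ChainStatus is empty when the chain is clean; otherwise it names the failing check (e.g. untrusted root, revocation offline).
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # NPS cannot use a certificate without the private key
            ChainValid    = $valid
            ChainStatus   = $status
            # Leaf first, root last, so a renewed or cross-published CA shows up exactly where it sits in the path.
            ChainPath     = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        }
    }
}

function Get-NpsDenyEvents {
    param([int]$Hours = 24)
    # Event 6273 = "Network Policy Server denied access to a user"; its message carries a Reason Code and Reason text.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 6273
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Regexes are this example's own assumption about the message layout; fall back to the raw text if they miss.
        $code   = if ($e.Message -match 'Reason Code:\s*(\d+)') { $Matches[1] } else { '?' }
        $reason = if ($e.Message -match 'Reason:\s*(.+)')       { $Matches[1].Trim() } else { $e.Message }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            ReasonCode = $code
            Reason     = $reason
        }
    }
}

Test-NpsServerCertificates | Format-List
Get-NpsDenyEvents -Hours 24 | Group-Object ReasonCode, Reason | Sort-Object Count -Descending | Format-Table Count, Name
```

Read the two outputs together: a certificate whose `ChainValid` is `$false` or whose `ChainStatus` is anything but `OK` will fail PEAP/EAP-TLS even if the certificate itself looks fine in the MMC, and the 6273 reason codes tell you whether NPS rejected the request at the certificate step or later (policy, credentials). Running the same inventory on each domain controller is the quickest way to see whether a newly published CA certificate landed in the chains of servers that were not supposed to depend on it.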