Today my customer was configuring their first EAP-TLS authentication through their Internet Authentication Service (IAS) and discovered a problem. Since their IAS server was inside their intranet and didn't have unfettered access to the Internet, the request attempts were being rejected due to a failed CRL check. We plan on installing OCSP client software in the near future, but we needed an immediate remedy, so I looked for how to disable the CRL check on the IAS server. Unfortunately this isn't clearly documented anywhere obvious, so I wanted to post my findings here in case someone else needs the information.
In order to disable CRL checking on IAS you need to first add the following registry value (EAP type 13 is EAP-TLS):

Location: HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Value Name: IgnoreRevocationOffline
Value Type: REG_DWORD
Value Data: 1

Finally you need to restart the server in order for these changes to take effect.
IMPORTANT NOTE: Understand that you are now removing a key component of PKI-based authentication (revocation checking), and you should not leave this configuration in place as a long-term solution.
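The following PowerShell is an added example, not part of the original post: it applies the IgnoreRevocationOffline override described above and pairs it with the rollback and audit functions an administrator would want so the temporary change can be found and undone later. The function names are my own; it assumes Windows PowerShell on the IAS host, and the remote audit assumes the Remote Registry service is reachable on the listed servers.

```powershell
# Added example (not from the original post). Sets, removes and audits the
# IgnoreRevocationOffline override for EAP type 13 (EAP-TLS) on IAS servers.
# Assumptions: Windows PowerShell on the IAS host; Remote Registry reachable
# on remote servers for the audit. Function names are illustrative.
$EapTlsKeyPath = 'SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$ValueName     = 'IgnoreRevocationOffline'

function Enable-IgnoreRevocationOffline {
    $key = "HKLM:\$EapTlsKeyPath"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD = 1: the EAP-TLS handshake no longer fails when the CRL cannot be fetched.
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Warning 'EAP-TLS will now accept client certificates whose CRL could not be retrieved. Restart the server for this to take effect, and remove the value once revocation checking is reachable again.'
}

function Disable-IgnoreRevocationOffline {
    # Rollback: deleting the value restores default CRL enforcement (restart again afterwards).
    Remove-ItemProperty -Path "HKLM:\$EapTlsKeyPath" -Name $ValueName -ErrorAction SilentlyContinue
}

function Get-IgnoreRevocationOfflineState {
    # Audit: report which servers still carry the override. Uses the Remote Registry
    # .NET API so it also works against hosts without PowerShell remoting enabled.
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        $state = 'Unknown'
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
            $sub  = $hklm.OpenSubKey($EapTlsKeyPath)
            $data = if ($sub) { $sub.GetValue($ValueName) } else { $null }
            $state = if ($null -eq $data) { 'Default (CRL enforced)' }
                     elseif ($data -eq 1) { 'OVERRIDE ACTIVE: CRL-offline failures ignored' }
                     else { "Set to $data" }
        } catch { $state = "Error: $($_.Exception.Message)" }
        [pscustomobject]@{ Server = $c; Value = $ValueName; State = $state }
    }
}

# Typical use on the IAS server, then a periodic audit from an admin workstation:
# Enable-IgnoreRevocationOffline ; Restart-Computer
# Get-IgnoreRevocationOfflineState -ComputerName 'ias01','ias02' | Format-Table -AutoSize
```

Run the audit function on a schedule so any server still reporting the override after the OCSP rollout stands out.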

Kim Cameron's Identity Weblog
Thu, Nov 13, 2008
Security, Technology