Posted November 13, 2008 and filed under Security, Technology

Today my customer was configuring their first EAP-TLS authentication through their Internet Authentication Service (IAS) and discovered a problem. Since their IAS server was inside their intranet and didn't have unfettered access to the Internet, the authentication requests were being rejected due to a failed CRL check. We plan on installing an OCSP client in the near future, but we needed an immediate remedy. So I looked for how to disable the CRL check on the IAS server. Unfortunately this isn't clearly documented anywhere obvious, so I wanted to post my findings here in case someone else needs the information.

In order to disable CRL checking on IAS you need to first add the following registry information:

Location   : HKLM\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13
Value Name : IgnoreRevocationOffline
Value Type : REG_DWORD
Value Data : 1

Finally, you need to restart the server in order for this change to take effect.
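The registry change above, as an added PowerShell example that is not part of the original post: it reports whether the workaround is in place, and can set it or remove it again once OCSP is in place. It assumes an elevated session on the IAS server; the function names are mine.

```powershell
# Added example (not from the original post): audit, set, or revert the
# IgnoreRevocationOffline value under the EAP-TLS (type 13) key.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$ValueName = 'IgnoreRevocationOffline'

function Get-EapTlsCrlBypass {
    # Returns the current DWORD value, or $null when the key or value is absent.
    if (-not (Test-Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-EapTlsCrlBypass {
    param([switch]$Revert)
    if ($Revert) {
        # Restore the default: remove the value so a failed CRL check rejects the request again.
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    } else {
        # Create the key if it does not exist yet, then write the DWORD with data 1.
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    # Either change only takes effect after the server is restarted.
}

# Audit step: make the temporary workaround visible so it is not left in place by accident.
$state = Get-EapTlsCrlBypass
if ($state -eq 1) {
    Write-Warning "$ValueName = 1: offline CRL failures are ignored for EAP-TLS on this server."
} else {
    Write-Output "$ValueName not set: a failed CRL check rejects EAP-TLS requests (default)."
}
```

Run `Set-EapTlsCrlBypass -Revert` (and restart) to return to normal revocation checking once the OCSP client is deployed.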

IMPORTANT NOTE: Understand that you are now removing a key component of PKI-based authentication, and you should not leave this configuration in place as a long-term solution.
