
By default, NPS performs certificate revocation checking on the certificate received from the wireless clients. You can use the following registry values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13 on the NPS server to modify certificate revocation checking behavior:

IgnoreNoRevocationCheck: When set to 1, NPS accepts EAP-TLS authentications even when it does not perform or cannot complete a revocation check of the client's certificate chain (excluding the root certificate). Typically, revocation checks fail because the certificate does not include CRL information.

IgnoreNoRevocationCheck is set to 0 (disabled) by default. NPS rejects an EAP-TLS or PEAP-TLS authentication unless it can complete a revocation check of the client's certificate chain (including the root certificate) and verify that none of the certificates has been revoked.

Set IgnoreNoRevocationCheck to 1 to accept EAP-TLS or PEAP-TLS authentications when the certificate does not include CRL distribution points, such as those from third-party CAs.

IgnoreRevocationOffline: When set to 1, NPS accepts EAP-TLS or PEAP-TLS authentications even when a server that stores a CRL is not available on the network.

IgnoreRevocationOffline is set to 0 by default. NPS rejects an EAP-TLS or PEAP-TLS authentication unless it can access CRLs, complete a revocation check of the client's certificate chain, and verify that none of the certificates has been revoked. When it cannot connect to a location that stores a CRL, EAP-TLS or PEAP-TLS considers the certificate to have failed the revocation check.

Set IgnoreRevocationOffline to 1 to prevent certificate validation failure because of poor network conditions that inhibit revocation checks from completing successfully.

NoRevocationCheck: When set to 1, NPS does not perform a revocation check on the wireless client's certificate. The revocation check verifies that the wireless client's certificate and the certificates in its certificate chain have not been revoked. NoRevocationCheck is set to 0 by default.

NoRootRevocationCheck: When set to 1, NPS does not perform a revocation check of the wireless client's root CA certificate. This entry eliminates only the revocation check of the client's root CA certificate; a revocation check is still performed on the remainder of the wireless client's certificate chain. NoRootRevocationCheck is set to 0 by default.

You can use NoRootRevocationCheck to authenticate clients when the root CA certificate does not include CRL distribution points, such as those from third-party CAs. This entry can also prevent certification-related delays that occur when a certificate revocation list is offline or has expired.

All these registry values must be added as a DWORD type (a registry data type composed of
hexadecimal data with a maximum allotted space of 4 bytes) and set to 0 or 1. The Windows
wireless client does not use these values.
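The following PowerShell script is an added example, not part of the original page or of Microsoft's documentation. It audits the four values described above on an NPS server, treating a missing value as its documented default of 0, flags any value that relaxes revocation checking, and writes a value as a REG_DWORD as the page requires. The key path and value names come from the page; the function names Get-NpsRevocationPolicy and Set-NpsRevocationValue are assumptions of this example.

```powershell
# Added example (not from the original page): audit and set the NPS EAP-TLS
# revocation-check registry values. Run in an elevated session on the NPS server.
# The subkey "13" is the EAP method type number for EAP-TLS.

$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'

# Value names from the page; each defaults to 0 (strict checking) when absent.
$RevocationValues = @(
    'IgnoreNoRevocationCheck',
    'IgnoreRevocationOffline',
    'NoRevocationCheck',
    'NoRootRevocationCheck'
)

function Get-NpsRevocationPolicy {
    # Reads each value; a missing value means the default (0) is in effect.
    foreach ($name in $RevocationValues) {
        $item  = Get-ItemProperty -Path $EapTlsKey -Name $name -ErrorAction SilentlyContinue
        $value = if ($null -ne $item) { $item.$name } else { $null }
        [pscustomobject]@{
            Name      = $name
            Stored    = $value                                   # $null if not present
            Effective = if ($null -eq $value) { 0 } else { [int]$value }
            Relaxed   = ($null -ne $value -and [int]$value -eq 1)
        }
    }
}

function Set-NpsRevocationValue {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('IgnoreNoRevocationCheck', 'IgnoreRevocationOffline',
                     'NoRevocationCheck', 'NoRootRevocationCheck')]
        [string]$Name,

        [Parameter(Mandatory)]
        [ValidateRange(0, 1)]
        [int]$Value
    )
    if (-not (Test-Path $EapTlsKey)) {
        New-Item -Path $EapTlsKey -Force | Out-Null
    }
    # -PropertyType DWord writes REG_DWORD as the page requires; -Force overwrites
    # an existing value of the same name.
    New-ItemProperty -Path $EapTlsKey -Name $Name -Value $Value `
                     -PropertyType DWord -Force | Out-Null
}

# Audit: show the current posture and warn on anything that weakens revocation checking.
$policy = Get-NpsRevocationPolicy
$policy | Format-Table -AutoSize
$policy | Where-Object Relaxed | ForEach-Object {
    Write-Warning "$($_.Name)=1: revocation checking is relaxed for EAP-TLS/PEAP-TLS clients."
}

# The narrowest relaxation the page suggests for third-party CA certificates that lack
# CRL distribution points (uncomment to apply):
# Set-NpsRevocationValue -Name IgnoreNoRevocationCheck -Value 1
```

Prefer the narrowest value that solves the actual problem: IgnoreNoRevocationCheck only tolerates certificates with no CRL information, whereas NoRevocationCheck disables the check entirely, including for certificates whose CRL is reachable and lists them as revoked. Keeping the audit output in change records makes it easy to spot a value that was set to 1 during troubleshooting and never reverted.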
