1 Reply Latest reply on Oct 21, 2010 11:41 PM by sagrawal

    Why does a renewed X.509v3 user certificate require reconfiguration???

    Alert

      I'm running Window XP SP3, and its a Dell Latitude D520.

       

      My network makes use of 802.1x EAP/TLS, in short it requires a valid X.509v3 user certificate to authenticate.

       

      By default my Dell makes use of the Intel ProSet/Wireless WIFI Connection Utility (I'm running version 13.2.1.0) to connect to my wireless.

       

      Heres the problem:

      When configuring the connection based on EAP/TLS all works totally fine.

      Yet when I change my certificate I need to go over the entire configuration.

      This should not be necessary, since my certificate's CN, O and OU, country, locality etc fields, and issuing Root and SubRoot have not changed.

      All that changed was the validity period.

       

      The configuration setting even specifically asks about the username of the certificate, and its 100% the same (CN field)

       

      One might say, well uhhh you changed your certificate so its obvious that you must change the configuration accordingly.

      Well not true, since when I choose to NOT make use of the Intel ProSet/Wireless WIFI Connection Utility, and make use of the default Windows utiliy, it works fine, without requiring a reconfiguration after changing the certificate.

       

      To compare such a need, I verified the need to update a configuration based on updated X.509v3 user certificates, not for wireless but for Microsoft IIS, CISCO NAC, Juniper VPN, CheckPoint VPN1, IBM WebSphere, SAP J2EE portal, all do NOT require a configuration change.

       

      So obviously Intel is doing something very different OR I did something wrong in the configuration.

       

       

      Is there anybody here who can tell me how to configure the Intel ProSet/Wireless WIFI Connection Utility for EAP/TLS authentication, without the need to reconfigure the userside configuration when a user's certificate has been updated with a new one based on a new validity period of time?

       

      Many thanks.

       

      Gr. Mike

        • 1. Re: Why does a renewed X.509v3 user certificate require reconfiguration???
          sagrawal

          Hi Mike,

           

          It is the current Intel PROSet behavior for user profiles in that if existing certificate expires, Dr WiFi tool will generate an error during authentication and will prompt user to change his certificate in the profile.

          The workaround for this scenario is to use a Pre-logon/Common profile. This can be achieved by using Intel Administrator tool to create a Pre-logon/Common profile and use "Use a user certificate on this computer". This will allow Intel WiFi stack/supplicant to automatically choose the best user certificate for TLS authentication from user cert store.

          After adding the profile in the package...you can apply this package to any Win XP box. You can read on more on Administrator tool in PROset help. You may NOT want to install SSO if you are not going to use it.

           

          Thanks

          Sachin

          Intel Corp