Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Client Certificate Revoked in CRL on ACS. EAP-TLS. Cert not snt frm client

Hi there,

Usually in EAP-TLS, the server sends the client its cert, and then the client send the server its cert.

We have revoked a certificate for a client, and it is working fine. The client cannot log onto the network.

Thing is, in the packet capture of the eap-tls handshake, the client never attempts to send the server its certificate.

Its almost as if, when the server sends the client its cert, it tells the client not to bother sending its cert to the server as the server knows it is revoked and has communicated this to the client.

Two thoughts,

Could it have something to do with the eap-identity response from the client to the server in the initial eap-tls session setup?


Does the server send to the client the contents of the CRL when the server sends the client its server certificate?

I do hope someone has seen the same :) There does not seem to be much documentation on the actual CRL process.

Many thx and kind regards,



Re: Client Certificate Revoked in CRL on ACS. EAP-TLS. Cert not

EAP-TLS requires support from the end client and the Authentication, Authorization, and Accounting (AAA) client. An example of an EAP-TLS client includes the Microsoft Windows XP operating system.

EAP-TLS-compliant AAA clients include:

•Cisco 802.1x-enabled switch platforms (such as the Catalyst 6500 product line)

•Cisco Aironet Wireless solutions

To accomplish secure Cisco Aironet connectivity, EAP-TLS generates a dynamic, per-user, per-connection, unique session key.

enabling an EAP-TLS session resume allows ACS to trust a user based on the cached TLS session from the original EAP-TLS authentication. Because ACS only caches a TLS session when a new EAP-TLS authentication succeeds, the existence of a cached TLS session is proof that the user has successfully authenticated in the number of minutes that the EAP-TLS session timeout option specified.

New Member

Re: Client Certificate Revoked in CRL on ACS. EAP-TLS. Cert not

This is really good information. Many thx for this. Could I ask if this is documented in a Cisco doc so I can use it in my documentation?

Many thx indeed,


CreatePlease to create content