NAC Alarm if RADIUS certificate is about to expire


Userlevel 3
Hi,

I just had a major issue because the RADIUS certificate of the NAC/IAM appliance did expire. This caused a big problem because IEEE 802.1X authentication was used. The problem was quickly resolved but it could have been avoided if an alarm had been present.

Best scenario for future releases: If the RADIUS (or any NAC certificate) is about to expire (e.g. in 1 or 2 months) a warning is presented. And in the last days an alarm is caused.

I hope this idea will be realized to avoid major .1X problems 🙂

Best Regards
Michael

18 replies

Userlevel 2
Hi Michael. I am meeting with my product marketing group this morning and I will see if I can get any thoughts on this. Thanks for the suggestion.
This is something that we are considering but not yet committed. Feedback from others will be very helpful, if they see the need.
The need is obvious. Due to the fact that the certificates have to be renewed manually it must be possible to set a reminder for the admins. This could be also a good thing for Alarm Manager. As soon as there is a usable trigger, one could use Alarm Manager to send email to admin (or other actions of course). Otherwise the whole network could be jammed.
This should be a matter of course. When the RADIUS server certificate expires, all .1X authentication fails. Imagine the severity of that trap.

Right now my customers are solving this issue by saving the date in Outlook (or similar) and are not happy about the workaround. It lacks reliability.
Userlevel 3
Dear Extreme Team,

are there any news regarding this issue/idea? There is really a need for it.
I mark on my outlook calendar about radius certs expiration date-- kind of old fashion but works..
Charles Yang wrote:

I mark on my outlook calendar about radius certs expiration date-- kind of old fashion but works..

Just to be sarcastic: Yes you are right. Let's stop any effort for improvements. Because the world - how it is - works. 😉
Charles Yang wrote:

I mark on my outlook calendar about radius certs expiration date-- kind of old fashion but works..

Max, thank you for the smile, and I should clarify what I was trying to convey. I know exactly how you felt, and what I said I don't mean sarcastically. In my situation, not just for NAC, the same certificate expiration date and its re-issuing tasks are now part of corporate life for all other systems. When I said we put it in the calendar, we (IT as a whole) manage it as a corporate maintenance cycle, put it in the production calendar and ensure it is changed/upgraded when the time comes.
Yes, you are right about there is no alarming feature for certs expiration to date. However, our business side of IT operation continues-- utilizing a conventional method as a stop-gap to prevent future "inconvenience" in IT operation--until better technology can make my life easier...
I'd love to see the new feature if GTAC warms up to it. In the meantime, our IT business and its continuity comes first.

-cy
Userlevel 3
Charles Yang wrote:

I mark on my outlook calendar about radius certs expiration date-- kind of old fashion but works..

Hi Charles, you are right - maintaining the certificates in an Outlook calendar is a valid and convenient way. And from a customer point of view acceptable for webserver certificates etc. But to clarify something: NAC is an integral part of the NetSight management solution. And with that customers expect alarms if mission critical systems are about to impact their productivity. As I said, I understand and appreciate your comment as you want to give a hint how we can make our life a bit easier with certificates. By the way - this should not be too difficult to implement as openssl has the functionality built in (openssl x509 -in -checkend).

Best Regards
Userlevel 1
I would like to see this also.

I realise you can see the date in the "Manage Appliance Certificates" dialog, but there is nothing to show what format the date is in - is it US or UK format?

Something unambiguous showing "Days until RADIUS certificate expiry" or the date as "17 September 2014" would be useful. That way the expiry cannot be misinterpreted.

Or perhaps support for NAC to obtain / renew certificates automatically using SCEP?

Thanks,
Mark.
Userlevel 3
Hey folks,

any news from Product Management yet? Would be cool to hear if there is any progress

@ Mark: The SCEP feature would be extremely helpful.

Also, converting the certificate into PKCS8 format is not a big deal but very strange to customers who are not familiar with OpenSSL. An import of PKCS12 certificates would be much easier.

Best Regards
Michael
Userlevel 5
Hello folks,

do we have this function meanwhile?

Regards
Stephan
Userlevel 7
Yes, make sure it's enabled and some kind of notification like email is set...

-Ron
Userlevel 5
Hi Ron,

thank you for the fast answer,

Best regards,
Stephan
Userlevel 3
In addition to alarming, there are also two new columns within the end-system list that might be helpful for you:
Certificate Expiration, Certificate Issuer
Kurt
Userlevel 6
Wants to use certificate Expiring Notice.

But it is currently unknown how many days before the notice will be triggered and how to adjust this value to customer demand.

GTAC Case running ...
Userlevel 6
M.Nees wrote:

Wants to use certificate Expiring Notice.

But it is currently unknown how many days before the notice will be triggered and how to adjust this value to customer demand.

GTAC Case running ...

There are fixed dates which can (currently) not be adjusted:

The first warning is logged as a “minor” alarm 30 days from expiration.
The second warning is logged as a “major” alarm at 7 days from expiration.
It also logs "critical" alarms in these two cases: "Invalid not before" and "Invalid not after" (the dates in the cert are what "after" and "before" refer to).
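As an added example (not code from this thread or from Extreme Networks), the script below reproduces the check described in the two posts above: it uses the `openssl x509 -checkend` test mentioned earlier in the thread to classify a RADIUS server certificate as ok, minor (within 30 days of expiry), major (within 7 days) or critical (the "not after" date has passed). The thresholds are the ones quoted above; the variable names, function names and the self-signed test certificates are assumptions of this example, and the "not before" case is not covered.

```shell
#!/bin/sh
# Added example, not code from the thread or from Extreme Networks.
# Classifies a RADIUS server certificate the way the thread describes the
# appliance alarms: "minor" 30 days before expiry, "major" 7 days before,
# "critical" once the "not after" date has passed. Relies on
# `openssl x509 -checkend`; the "not before" case is not checked here.
# Variable and function names are assumptions of this example.

MINOR_DAYS=${MINOR_DAYS:-30}   # first warning threshold (days)
MAJOR_DAYS=${MAJOR_DAYS:-7}    # second warning threshold (days)

# expires_within CERT SECONDS: succeeds when CERT's notAfter falls within
# SECONDS from now (openssl -checkend exits non-zero in that case, hence the
# negation)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_expiry_level CERT: prints ok|minor|major|critical, or prints invalid
# and returns 1 when the file is not a parsable PEM certificate
cert_expiry_level() {
    cert=$1
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo invalid
        return 1
    fi
    if expires_within "$cert" 0; then
        echo critical
    elif expires_within "$cert" $((MAJOR_DAYS * 86400)); then
        echo major
    elif expires_within "$cert" $((MINOR_DAYS * 86400)); then
        echo minor
    else
        echo ok
    fi
}

# make_test_cert OUT DAYS: constructed self-signed certificate valid for DAYS,
# used only so the check has something to run against offline
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=nac-radius-test" \
        -keyout "${1%.pem}.key" -out "$1" -days "$2" >/dev/null 2>&1
}

# Stand-alone demo: three constructed certs, one per alarm level
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    for spec in ok:365 minor:15 major:1; do
        make_test_cert "$tmp/${spec%%:*}.pem" "${spec##*:}"
        printf '%s cert -> %s\n' "${spec%%:*}" \
            "$(cert_expiry_level "$tmp/${spec%%:*}.pem")"
    done
    rm -rf "$tmp"
fi
```

Pointing `cert_expiry_level` at the appliance's exported RADIUS server certificate from a cron job, and mapping the printed level to whatever notification Alarm Manager is not yet sending, gives the same 30/7 day staging the appliance alarm uses; the `MINOR_DAYS` and `MAJOR_DAYS` variables can be changed to match a customer's own maintenance window.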
Userlevel 6
M.Nees wrote:

Wants to use certificate Expiring Notice.

But it is currently unknown how many days before the notice will be triggered and how to adjust this value to customer demand.

GTAC Case running ...

Alarm can be configured via (hidden) appliance attributes:
CERT_EXPIRE_WARNING_DAYS=number-of-days
CERT_EXPIRE_NOTICE_DAYS=number-of-days