WAP-Enterprise 802.11x Certificate Revoked but device can still Auth

2025-11-27 10:38:24 - last edited 12 hours ago
Tags: #radius
Model: EAP620 HD  
Hardware Version: V2
Firmware Version: 1.4.4 Build 20250718

We have freeRadius running and working with TLS certificate auth. When we revoke the certificate, the client can still access the network, even after rebooting freeRadius.

Rebooting the access point resolves this and clients get rejected due to certificate revoked.

We have all caching disabled in freeRadius and have been informed that if freeRadius reboots then the AP is doing the caching.

How can we resolve this?

Research shows the AP is holding on to some sort of PMKSA cache.

1 Accepted Solution
Re:WAP-Enterprise 802.11x Certificate Revoked but device can still Auth-Solution
3 weeks ago - last edited 12 hours ago

Hi @SHA2

Thanks for posting here.

Is the 802.11r (Fast BSS Transition) feature enabled?

If your AP has 802.11r enabled, terminals may skip the full EAP authentication process with the FreeRADIUS server during reassociation and instead use cached PMKSA keys to establish a quick connection.
Protocol Mechanism:
The normal EAP-TLS authentication process includes steps such as Auth, Assoc, RADIUS interaction, and EAPOL key negotiation. However, when 802.11r is enabled, terminals only need to complete Auth and Assoc to quickly connect, bypassing reauthentication with the RADIUS server. As a result, even if the certificate is revoked, the AP may still allow terminal access using cached PMKSA keys.
If 802.11r is not enabled, please let us know.

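As an added illustration of the mechanism described above (not code from the thread or from TP-Link): a toy access point with a PMKSA cache that only consults RADIUS on a full EAP-TLS exchange. The client and certificate names, the revoked set and the 12-hour PMK lifetime are constructed assumptions.

```python
"""Toy model of the PMKSA-cache bypass described in the accepted answer."""
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    """Stand-in for FreeRADIUS: no caching, just a revocation check."""
    revoked: set = field(default_factory=set)   # constructed CRL

    def eap_tls(self, client_cert: str) -> bool:
        # Full EAP-TLS exchange: Access-Accept unless the cert is revoked.
        return client_cert not in self.revoked


@dataclass
class AccessPoint:
    radius: RadiusServer
    pmk_lifetime: int = 43200                   # assumed 12 h, in seconds
    pmksa: dict = field(default_factory=dict)   # client -> cache expiry

    def associate(self, client: str, cert: str, now: int) -> str:
        expiry = self.pmksa.get(client)
        if expiry is not None and now < expiry:
            # 802.11r / PMKSA path: Auth + Assoc only, RADIUS is never asked,
            # so a revoked certificate is not noticed here.
            return "accepted (cached PMKSA)"
        if self.radius.eap_tls(cert):
            self.pmksa[client] = now + self.pmk_lifetime
            return "accepted (full EAP-TLS)"
        self.pmksa.pop(client, None)
        return "rejected (certificate revoked)"

    def flush_pmksa(self) -> None:
        """What rebooting the AP did in the thread: drop all cached PMKs."""
        self.pmksa.clear()


def scenario(flush_after_revoke: bool) -> list:
    """Revoke after first login, then reassociate; optionally flush the cache."""
    radius = RadiusServer()
    ap = AccessPoint(radius)
    log = [ap.associate("laptop", "cert-A", now=0)]
    radius.revoked.add("cert-A")                # revoke on the RADIUS side
    log.append(ap.associate("laptop", "cert-A", now=600))
    if flush_after_revoke:
        ap.flush_pmksa()
    log.append(ap.associate("laptop", "cert-A", now=700))
    log.append(ap.associate("laptop", "cert-A", now=ap.pmk_lifetime + 1))
    return log
```

Without a cache flush the revoked client stays accepted until the cached PMK expires; flushing (what the AP reboot did) sends the next association back through FreeRADIUS, where the revocation is enforced.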
Re:WAP-Enterprise 802.11x Certificate Revoked but device can still Auth
2 weeks ago

@Vincent-TP

There is no option to disable 802.11r.

Re:WAP-Enterprise 802.11x Certificate Revoked but device can still Auth
2 weeks ago

Hi @SHA2

It's under Advanced Settings for the SSID.
