Cloudpath (CP) - Client Certificates Unexpectedly Revoked
Summary
Users who were previously able to connect to wireless SSIDs suddenly fail to authenticate on the following day. Investigation shows that certificates were marked as revoked despite being valid and not meeting OCSP monitoring thresholds. This article explains the root cause of this issue, associated symptoms, affected versions, and recommended mitigation and resolution steps.
Question
Why are valid client certificates unexpectedly revoked in RUCKUS Cloudpath, causing users to be unable to connect to the wireless network?
Customer Environment
- RUCKUS Cloudpath (CP)
- EAP-TLS authentication with client certificates
- OCSP Monitoring enabled in certificate templates
- Affected versions: CP5.9, CP5.1.2R7, CP6.0R3, CP6.0R4, CP6.0R5, CP6.0R6
- Issue found in: CP6.0R5, CP6.0R6
Symptoms
- Users successfully connected on Day 1 but fail on Day 2
- Authentication failures with valid (non-expired) certificates that are shown as revoked with the reason 'unused'
Example Logs:
User was connected on Day 1
ts=20260615 053047.000, source=RADIUS, authType=Access-Accept, server=port14689, macAddress=18:93:41:24:4E:E7, [email protected], [email protected], serial=12709cc4cac569a3e57492e0e3f79a3918b218c4, ssid=TEST, registration=, lookupType=CERTIFICATE, certPk=21720, certTemplatePk=6, [email protected], policyPk=25, policy=policy1, vlan=177
The same user certificate was revoked on Day 2
ts=20260616 051401.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, server=port14689, macAddress=18:93:41:24:4E:E7, [email protected], ssid=TEST, nasId=00:E6:3A:9C:DE:70, list=, registration=, certPk=, certTemplatePk=, reason=eap_tls: ocsp: Cert status: revoked
The certificates were marked as revoked despite being valid and not meeting OCSP monitoring thresholds.
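To confirm the Day 1 accept / Day 2 revoked pattern across many clients, the following added example (not Cloudpath or RUCKUS code) parses log lines in the key=value layout shown above and lists clients that were accepted and later rejected with the OCSP revoked reason. The sample lines and MAC addresses are constructed; the function names are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines using the field layout of the logs above (MACs are made up).
SAMPLE_LOG = """\
ts=20260615 053047.000, source=RADIUS, authType=Access-Accept, server=port14689, macAddress=02:00:00:00:00:01, ssid=TEST, lookupType=CERTIFICATE, certPk=101, certTemplatePk=6
ts=20260615 061210.000, source=RADIUS, authType=Access-Accept, server=port14689, macAddress=02:00:00:00:00:02, ssid=TEST, lookupType=CERTIFICATE, certPk=102, certTemplatePk=6
ts=20260616 051401.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, server=port14689, macAddress=02:00:00:00:00:01, ssid=TEST, certPk=, certTemplatePk=, reason=eap_tls: ocsp: Cert status: revoked
ts=20260616 051655.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, server=port14689, macAddress=02:00:00:00:00:02, ssid=TEST, certPk=, certTemplatePk=, reason=eap_tls: ocsp: Cert status: revoked
ts=20260616 052000.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, server=port14689, macAddress=02:00:00:00:00:03, ssid=TEST, certPk=, certTemplatePk=, reason=eap_tls: ocsp: Cert status: revoked
"""

REVOKED = "ocsp: Cert status: revoked"  # reason text from the Day 2 log line

def parse_line(line):
    """Split a 'key=value, key=value' record; tokens without '=' are skipped."""
    fields = {}
    for token in line.strip().split(", "):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def find_accept_then_revoked(log_text):
    """Return {mac: (last_accept, first_revoked_reject)} for previously accepted clients."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    records = [r for r in records if "ts" in r and "macAddress" in r]
    records.sort(key=lambda r: r["ts"])  # fixed-width timestamps sort as strings
    last_accept, hits = {}, {}
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y%m%d %H%M%S.%f")
        mac = r["macAddress"].upper()
        if r.get("authType") == "Access-Accept":
            last_accept[mac] = ts
        elif r.get("authType") == "Access-Reject" and REVOKED in r.get("reason", ""):
            if mac in last_accept and mac not in hits:
                hits[mac] = (last_accept[mac], ts)
    return hits

def revocations_per_day(hits):
    """Count affected clients per rejection date; a spike suggests bulk revocation."""
    counts = defaultdict(int)
    for _accepted, rejected in hits.values():
        counts[rejected.date().isoformat()] += 1
    return dict(counts)

if __name__ == "__main__":
    found = find_accept_then_revoked(SAMPLE_LOG)
    print(sorted(found), revocations_per_day(found))
```

Clients with no earlier Access-Accept in the supplied log (the third MAC in the sample) are not reported, so the window of logs fed in should include the previous day.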
Root Cause
A software defect in RUCKUS Cloudpath affects the OCSP Monitoring feature due to incorrect handling of cached OCSP responses. The defect caused a sudden bulk revocation of certificates. As a result, OCSP Monitoring-based revocation is unreliable in affected versions.
Workaround
- Disable OCSP Monitoring in the certificate template to prevent additional certificates from entering this inconsistent state
- Avoid relying on automated OCSP-based revocation for critical use cases
- Perform manual/external certificate revocation where required
Resolution
CP6.0R7 or later
Article Number:
000015444
Updated:
July 01, 2026 11:33 PM
Tags:
Performance, Known Issues and Workarounds, Cloudpath