
Cloudpath (CP) - Client Certificates Unexpectedly Revoked

Summary

Users who were previously able to connect to wireless SSIDs suddenly fail to authenticate on the following day. Investigation shows certificates were marked as revoked despite being valid and not meeting OCSP monitoring thresholds. This article explains the root cause of this issue, associated symptoms, affected versions, and recommended mitigation and resolution steps.

Question

Why are valid client certificates unexpectedly revoked in RUCKUS Cloudpath, causing users to be unable to connect to the wireless network?

Customer Environment

  • RUCKUS Cloudpath (CP)
  • EAP-TLS authentication with client certificates
  • OCSP Monitoring enabled in certificate templates
  • Affected versions: CP5.9, CP5.1.2R7, CP6.0R3, CP6.0R4, CP6.0R5, CP6.0R6
  • Issue found in: CP6.0R5, CP6.0R6

Symptoms

  • Users successfully connected on Day 1 but fail on Day 2
  • Authentication fails for clients with valid (non-expired) certificates, which show as revoked with the reason 'unused'

Example Logs:

User was connected on Day 1

ts=20260615 053047.000, source=RADIUS, authType=Access-Accept, server=port14689, macAddress=18:93:41:24:4E:E7, [email protected], [email protected], serial=12709cc4cac569a3e57492e0e3f79a3918b218c4, ssid=TEST, registration=, lookupType=CERTIFICATE, certPk=21720, certTemplatePk=6, [email protected], policyPk=25, policy=policy1, vlan=177


The same user certificate was revoked on Day 2

ts=20260616 051401.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, server=port14689, macAddress=18:93:41:24:4E:E7, [email protected], ssid=TEST, nasId=00:E6:3A:9C:DE:70, list=, registration=, certPk=, certTemplatePk=, reason=eap_tls: ocsp: Cert status: revoked




The certificates were marked as revoked despite being valid and not meeting OCSP monitoring thresholds.
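
To scope the impact, the Day 1 / Day 2 pattern above can be searched for in exported RADIUS logs. The following is an added example, not RUCKUS code: it assumes the comma-separated `key=value` layout shown in the sample logs, and the sample lines and the function names are constructed for illustration.

```python
from datetime import datetime

REVOKED_MARKER = "ocsp: Cert status: revoked"  # reason text from the Day 2 log

# Constructed sample lines in the article's log layout (values are made up).
SAMPLE_LOG = [
    "ts=20260616 051401.000, source=RADIUS, type=UNKNOWN, authType=Access-Reject, "
    "macAddress=02:00:00:00:00:01, ssid=TEST, certPk=, reason=eap_tls: ocsp: Cert status: revoked",
    "ts=20260615 053047.000, source=RADIUS, authType=Access-Accept, "
    "macAddress=02:00:00:00:00:01, serial=aa01, ssid=TEST, registration=, lookupType=CERTIFICATE",
    "ts=20260616 060000.000, source=RADIUS, authType=Access-Reject, "
    "macAddress=02:00:00:00:00:02, ssid=TEST, reason=eap_tls: ocsp: Cert status: revoked",
    "ts=20260616 070000.000, source=RADIUS, authType=Access-Accept, "
    "macAddress=02:00:00:00:00:03, serial=aa03, ssid=TEST, lookupType=CERTIFICATE",
]

def parse_line(line):
    """Split one 'key=value, key=value' line into a dict; skip keyless fragments."""
    fields = {}
    for part in line.strip().split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def find_accept_then_revoked(lines):
    """Clients accepted by certificate lookup, then rejected as OCSP-revoked later."""
    events = []
    for line in lines:
        f = parse_line(line)
        try:
            ts = datetime.strptime(f["ts"], "%Y%m%d %H%M%S.%f")
            events.append((ts, f["macAddress"].upper(), f))
        except (KeyError, ValueError):
            continue  # not an auth line in the expected layout
    last_accept, hits = {}, {}
    for ts, mac, f in sorted(events, key=lambda e: e[0]):  # input order may be mixed
        if f.get("authType") == "Access-Accept" and f.get("lookupType") == "CERTIFICATE":
            last_accept[mac] = (ts, f.get("serial", ""))
        elif (f.get("authType") == "Access-Reject" and mac in last_accept
              and REVOKED_MARKER in f.get("reason", "")):
            accepted, serial = last_accept[mac]
            hits.setdefault(mac, {"serial": serial, "accepted": accepted, "rejected": ts})
    return hits

if __name__ == "__main__":
    for mac, hit in find_accept_then_revoked(SAMPLE_LOG).items():
        print(mac, hit["serial"], hit["accepted"].date(), "->", hit["rejected"].date())
```

The same sequence also appears for certificates that an administrator revoked on purpose, so compare the reported serials against revocations that were actually intended.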

Root Cause

A software defect in RUCKUS Cloudpath affects the OCSP Monitoring feature due to incorrect handling of cached OCSP responses. The defect caused a sudden bulk revocation of certificates. As a result, OCSP Monitoring-based revocation is unreliable in affected versions.

Workaround

  • Disable OCSP Monitoring in the certificate template to prevent additional certificates from entering this inconsistent state
  • Avoid relying on automated OCSP-based revocation for critical use cases
  • Perform manual/external certificate revocation where required

Resolution

CP6.0R7 or later

Article Number: 000015444

Updated: July 01, 2026 11:33 PM

Tags: Performance, Known Issues and Workarounds, Cloudpath
