
EAP-TLS with OCSP check fails with error "OCSP response status: unauthorized"

Environment Information- In enterprise deployments there is a growing trend toward certificate-based authentication. EAP-TLS is a robust, secure and effective authentication method.
While implementing EAP-TLS with an OCSP check on ClearPass (6.4.x and prior versions), authentication fails under a certain circumstance. The OCSP check is performed to verify the validity (revocation status) of the client certificate.

This article is specifically for EAP-TLS client certificates, issued by a Microsoft Windows Server certificate authority with Online Certificate Status Protocol (OCSP) enabled.


Symptoms- While implementing EAP-TLS with an OCSP check on ClearPass, authentication fails under a certain circumstance and the logs report the following:

[Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius -  Error: OCSP response status: unauthorized
[Th 16 Req 1397 SessId R00000180-03-52976528] DEBUG RadiusServer.Radius - Request Policy Evaluation Status: 0, Request Status: 0
[Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
[Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - OCSP checks have failed 

Cause- The error appears because the nonce extension is not enabled on the respective domain controller. On the domain controller, "Enable NONCE extension" is disabled by default; it has to be enabled in the "Signature" section of the OCSP responder properties.

The following Microsoft article describes the same option:

https://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx


Resolution- Enable the "Allow Nonce requests" option. This option instructs the Online Responder to inspect and process an OCSP request nonce extension. If a nonce extension is included in the OCSP request and this option is selected, the Online Responder will ignore any cached OCSP response and will create a new response that includes the nonce provided in the request. If this option is disabled and a request that includes a nonce extension is received, the Online Responder will reject the request with an "unauthorized" error.

Once Nonce was enabled on the domain controller, EAP-TLS authentications succeeded.

In CPPM 6.5, a new RADIUS service parameter ("Include Nonce in OCSP request") has been added to control whether the OCSP request carries a nonce. If the OCSP server does not support the nonce, set this parameter to FALSE to avoid the EAP-TLS authentication failure. Note that without a nonce ClearPass cannot distinguish a fresh response from a cached or replayed one, so enabling nonce support on the responder is the preferable fix where it is available.

Answer- Successful authentication log after Nonce was enabled on the responder:

[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - --> Starting OCSP Request
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Parsing the OCSP URLs in the certificate
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Authority Information Access entries 3
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Idx 0, OBJ Id 179
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Idx 1, OBJ Id 179
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Idx 2, OBJ Id 178
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Location Type 6
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - OCSP URL http://lab-server.arubanetworks.com/ocsp
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Parsing the OCSP URL http://lab-server.arubanetworks.com/ocsp in the certificate succeeded
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> Responder URL = http://lab-server.arubanetworks.com:80/ocsp
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> retry true
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> sending OCSP request
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> Response status: successful
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Nonce value in OCSP request and response equal - 1
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - OCSP response - This Update: Feb 22 13:49:15 2015 PST, Next Update: Feb 24 01:09:15 2015 PST
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [oscp] --> Cert status: good
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> Certificate is valid!
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] INFO RadiusServer.Radius - chain-depth=0,
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] INFO RadiusServer.Radius - error=0
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] INFO RadiusServer.Radius - --> User-Name = Aj@lab-server.arubanetworks.com
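As an added example (not part of the original article or of ClearPass itself), a small Python triage script over the two log excerpts above: it pulls out the OCSP response status, the nonce-match flag, the responder URL, the certificate status and the response validity window, and maps an "unauthorized" status back to the nonce cause described in this article. The log text is constructed from the lines quoted above; the diagnosis wording and the optional `now` parameter are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed excerpts of the ClearPass log sections quoted in this article:
# the failing request, then the successful one after nonce was allowed.
FAILED_LOG = """\
[Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius -  Error: OCSP response status: unauthorized
[Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - OCSP checks have failed
"""
OK_LOG = """\
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> Responder URL = http://lab-server.arubanetworks.com:80/ocsp
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [ocsp] --> Response status: successful
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - Nonce value in OCSP request and response equal - 1
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - OCSP response - This Update: Feb 22 13:49:15 2015 PST, Next Update: Feb 24 01:09:15 2015 PST
[Th 21 Req 1428 SessId R00000347-04-6322b0a4] DEBUG RadiusServer.Radius - [oscp] --> Cert status: good
"""
_PATTERNS = {  # one regex per field ClearPass prints during the OCSP check
    "status": re.compile(r"response status: (\w+)", re.I),
    "nonce": re.compile(r"Nonce value in OCSP request and response equal - (\d)"),
    "responder_url": re.compile(r"Responder URL = (\S+)"),
    "cert_status": re.compile(r"Cert status: (\w+)"),
    "updates": re.compile(r"This Update: (.+?), Next Update: (.+?)\s*$", re.M),
}

def _ocsp_time(text):
    # ClearPass prints e.g. "Feb 22 13:49:15 2015 PST"; drop the zone token for strptime
    return datetime.strptime(text.rsplit(" ", 1)[0], "%b %d %H:%M:%S %Y")

def triage_ocsp(log, now=None):
    """Summarise one OCSP check from a ClearPass log excerpt and suggest a cause.
    `now` is a timestamp in the log's own format (hypothetical; defaults to the clock)."""
    m = {k: p.search(log) for k, p in _PATTERNS.items()}
    r = {
        "status": m["status"].group(1).lower() if m["status"] else None,
        "nonce_matched": m["nonce"].group(1) == "1" if m["nonce"] else None,
        "responder_url": m["responder_url"].group(1) if m["responder_url"] else None,
        "cert_status": m["cert_status"].group(1) if m["cert_status"] else None,
        "stale": None,
    }
    if m["updates"]:  # a response is only trustworthy until its Next Update
        current = _ocsp_time(now) if now else datetime.now()
        r["stale"] = current > _ocsp_time(m["updates"].group(2))
    if r["status"] == "unauthorized":
        r["diagnosis"] = ("Responder rejected the request. If it carried a nonce, enable "
                          "'Allow Nonce requests' on the Online Responder or set 'Include "
                          "Nonce in OCSP request' to FALSE (CPPM 6.5+).")
    elif r["nonce_matched"] is False:
        r["diagnosis"] = "Nonce mismatch: response is not fresh for this request; treat as failed."
    elif r["stale"]:
        r["diagnosis"] = "Next Update has passed; the responder is serving stale data."
    else:
        r["diagnosis"] = "OCSP check succeeded; certificate status: %s" % r["cert_status"]
    return r
```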

Version history: Revision 1 of 1, last updated 04-05-2015 10:50 PM