EAP-TLS with OCSP check is not working on CPPM

by on 07-11-2014 09:03 AM

When I enable "Verify Certificate - Required" in the Auth Method, the auth fails with unknown CA. I have checked the certs on CPPM and even regenerated a new one, but it did not help.

Note that I have also changed the "Reject if OCSP response does not have Nonce" setting in the RADIUS server parameters to see if that was the issue.

Environment Information: This article applies to CPPM 6.2.

In the debug logs we see the following:

2013-11-28 15:45:44,393 [Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - Error: OCSP response status: unauthorized

2013-11-28 15:45:44,393 [Th 16 Req 1397 SessId R00000180-03-52976528] DEBUG RadiusServer.Radius - Request Policy Evaluation Status: 0, Request Status: 0

2013-11-28 15:45:44,393 [Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!

2013-11-28 15:45:44,393 [Th 16 Req 1397 SessId R00000180-03-52976528] ERROR RadiusServer.Radius - OCSP checks have failed

This issue occurs because the "Allow Nonce requests" option is disabled on the Microsoft Online Responder (the AD CS OCSP service). CPPM includes a nonce extension in its OCSP request, and a responder with this option turned off rejects any request that carries a nonce with the "unauthorized" status seen in the log above; the "Certificate has expired/been revoked!" line is CPPM's generic failure message, not a verdict on the certificate, because an unauthorized reply contains no certificate status at all.


Allow Nonce requests: This option instructs the Online Responder to inspect and process an OCSP request nonce extension. If a nonce extension is included in the OCSP request and this option is selected, the Online Responder will ignore any cached OCSP response and will create a new response that includes the nonce provided in the request. If this option is disabled and a request that includes a nonce extension is received, the Online Responder will reject the request with an "unauthorized" error.


The Microsoft article below describes the Online Responder's OCSP nonce option:


http://technet.microsoft.com/en-us/library/cc770413



The issue is resolved once the "Allow Nonce requests" option is enabled on the Online Responder. Changing CPPM's "Reject if OCSP response does not have Nonce" parameter does not help here, because the responder rejects the request itself rather than returning a response without a nonce. Keeping nonces enabled on both sides is also the safer configuration: a nonce ties each response to the request that triggered it, whereas a nonce-less (cached) response can be replayed until its validity window ends.
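As an added example, not taken from the original article and not ClearPass or Microsoft code: a small Python 3 checker (standard library only) that decodes the top-level OCSPResponse status from RFC 6960, and for a "successful" response walks tbsResponseData to find the nonce extension (OID 1.3.6.1.5.5.7.48.1.2) and applies a "reject if no nonce" policy like the CPPM parameter mentioned above. The sample responses it builds are constructed for the demo (unsigned, with an empty CertID) and are not real responder output; signature verification, certStatus and thisUpdate/nextUpdate checks are deliberately out of scope. All function names are hypothetical.

```python
"""Decode an OCSPResponse's status and nonce echo (RFC 6960 structures).

Added example; not ClearPass or Microsoft code. Standard library only, with
a minimal DER walker. Sample responses are CONSTRUCTED for the demo (unsigned,
empty CertID) and are not real responder output. Signature verification,
certStatus and thisUpdate/nextUpdate checks are not covered.
"""

# RFC 6960 OCSPResponseStatus values (4 is unused).
OCSP_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
               3: "tryLater", 5: "sigRequired", 6: "unauthorized"}
NONCE_OID = bytes.fromhex("2b0601050507300102")   # id-pkix-ocsp-nonce 1.3.6.1.5.5.7.48.1.2


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the single-byte-tag DER TLV at buf[pos:]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _tlv(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def parse_ocsp_response(der):
    """Return {'status': str, 'nonce': bytes|None} from a DER-encoded OCSPResponse."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    fields = list(_children(body))
    code = fields[0][1][0]                              # responseStatus ENUMERATED
    result = {"status": OCSP_STATUS.get(code, f"unknown({code})"), "nonce": None}
    if code != 0 or len(fields) < 2:
        return result                                   # no responseBytes: the responder gave no verdict
    _, response_bytes = next(_children(fields[1][1]))   # [0] EXPLICIT ResponseBytes SEQUENCE
    basic_der = list(_children(response_bytes))[1][1]   # response OCTET STRING = BasicOCSPResponse
    _, basic = next(_children(basic_der))
    _, tbs = next(_children(basic))                     # tbsResponseData
    tbs_fields = list(_children(tbs))
    # Layout: [version] responderID producedAt(0x18) responses [1] responseExtensions.
    # responderID byName is also tagged [1], so locate extensions relative to producedAt.
    produced_at = next(i for i, (t, _) in enumerate(tbs_fields) if t == 0x18)
    if len(tbs_fields) > produced_at + 2 and tbs_fields[produced_at + 2][0] == 0xA1:
        _, extensions = next(_children(tbs_fields[produced_at + 2][1]))
        for _, ext in _children(extensions):            # each Extension SEQUENCE
            ext_fields = list(_children(ext))
            if ext_fields[0] == (0x06, NONCE_OID):
                result["nonce"] = ext_fields[-1][1]      # extnValue OCTET STRING contents
    return result


def evaluate(der, request_nonce, reject_if_no_nonce=True):
    """Apply a nonce policy like CPPM's 'Reject if OCSP response does not have Nonce'."""
    r = parse_ocsp_response(der)
    if r["status"] != "successful":
        return f"reject: responder status {r['status']} (no certificate verdict was returned)"
    if r["nonce"] is None:
        if reject_if_no_nonce:
            return "reject: response has no nonce"
        return "accept: nonce absent, policy allows cached responses (replayable until nextUpdate)"
    if r["nonce"] != request_nonce:
        return "reject: nonce mismatch (stale or replayed response)"
    return "accept: nonce matches request"


def build_sample_response(nonce=None):
    """CONSTRUCTED sample: an unsigned 'successful' response, optionally echoing a nonce."""
    time = _tlv(0x18, b"20131128154544Z")
    single = _tlv(0x30, _tlv(0x30, b"") + b"\x80\x00" + time)      # empty CertID, certStatus good, thisUpdate
    tbs = _tlv(0xA2, _tlv(0x04, bytes(20))) + time + _tlv(0x30, single)   # byKey responderID, producedAt, responses
    if nonce is not None:
        nonce_ext = _tlv(0x30, _tlv(0x06, NONCE_OID) + _tlv(0x04, nonce))
        tbs += _tlv(0xA1, _tlv(0x30, nonce_ext))                    # responseExtensions [1]
    basic = _tlv(0x30, _tlv(0x30, tbs)
                 + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
                 + _tlv(0x03, b"\x00"))                                         # empty BIT STRING: no signature
    response_bytes = _tlv(0x30, _tlv(0x06, bytes.fromhex("2b0601050507300101"))   # id-pkix-ocsp-basic
                         + _tlv(0x04, basic))
    return _tlv(0x30, _tlv(0x0A, b"\x00") + _tlv(0xA0, response_bytes))


# What a responder returns when it refuses a request: SEQUENCE { ENUMERATED 6 } and nothing else.
UNAUTHORIZED_RESPONSE = bytes.fromhex("30030a0106")

if __name__ == "__main__":
    nonce = bytes(range(16))
    print(evaluate(UNAUTHORIZED_RESPONSE, nonce))
    print(evaluate(build_sample_response(nonce), nonce))
    print(evaluate(build_sample_response(None), nonce))
    print(evaluate(build_sample_response(None), nonce, reject_if_no_nonce=False))
```

The five-byte unauthorized response is the whole point of the failure above: it carries no responseBytes, so there is nothing to say "good" or "revoked", and a client configured to require a nonce has nothing to verify. The checker compares the raw extnValue bytes against what was sent; RFC 8954 additionally wraps the nonce in one more OCTET STRING, which a production checker would unwrap before comparing.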
