
How to enable signing for OCSP requests?
Requirement:

Some certificate providers/OCSP responders only accept signed requests, so the ClearPass server needs to sign OCSP requests before it forwards them to the OCSP responder URL.



Solution:

Starting with ClearPass version 6.5, a new RADIUS service parameter (Enable signing for OCSP Request) controls whether CPPM signs the OCSP request with the RADIUS server certificate. The default value of this parameter is FALSE, which disables signing.



Configuration:

To enable OCSP request signing, navigate to Administration > Server Manager > Server Configuration, click the server name, go to the Service Parameters tab, and select RADIUS server in the Select Service drop-down list. Scroll down to the Enable signing for OCSP Request row and set the value to TRUE.

Note: Service Parameters are not a global configuration, so any change to them must be made on every node in the cluster.

 



Verification

The Access Tracker log snippet below shows the OCSP request process with signing enabled.

 

[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - --> Starting OCSP Request
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - Including nonce in OCSP request
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - Signing the OCSP request
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - Parsing the configured OCSP URL http://localhost/guest/mdps_ocsp.php/1
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - ocsp] --> Responder URL = http://localhost:80/guest/mdps_ocsp.php/1
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - ocsp] --> retry true
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - ocsp] --> sending OCSP request
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - ocsp] --> Response status: successful
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - Nonce value in OCSP request and response equal - 1
[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - OCSP response - This Update: June 11 18:30:04 2015 GMT, Next Update: June 11 19:30:04 2015 GMT

[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - oscp] --> Cert status: good
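
The same verification can be scripted over exported log text. The following is an added example, not Aruba's code: it groups the debug lines by session ID and reports which of the steps shown above (nonce sent, request signed, response successful, nonce matched, certificate good) are missing. The function names and the second sample session are assumptions made for illustration.

```python
import re

# Session R00000003-... is copied from the log above (abridged). Session
# R00000004-... is constructed for contrast: same message formats, but with the
# "Signing" line and everything after "sending OCSP request" left out.
P3 = "[Th 37 Req 26 SessId R00000003-01-54653790] DEBUG RadiusServer.Radius - "
P4 = "[Th 12 Req 41 SessId R00000004-01-00000000] DEBUG RadiusServer.Radius - "
SAMPLE_LOG = "\n".join([
    P3 + "--> Starting OCSP Request",
    P3 + "Including nonce in OCSP request",
    P3 + "Signing the OCSP request",
    P4 + "--> Starting OCSP Request",
    P4 + "Including nonce in OCSP request",
    P3 + "ocsp] --> Responder URL = http://localhost:80/guest/mdps_ocsp.php/1",
    P4 + "ocsp] --> Responder URL = http://localhost:80/guest/mdps_ocsp.php/1",
    P3 + "ocsp] --> sending OCSP request",
    P4 + "ocsp] --> sending OCSP request",
    P3 + "ocsp] --> Response status: successful",
    P3 + "Nonce value in OCSP request and response equal - 1",
    P3 + "oscp] --> Cert status: good",
])

LINE = re.compile(r"^\[Th \d+ Req \d+ SessId (\S+)\] \w+ \S+ - (.*)$")
# Check name -> substring that must appear in the session's OCSP messages.
# Reading "equal - 1" as "nonces match" is an assumption about the log format.
CHECKS = {
    "nonce_sent": "Including nonce in OCSP request",
    "signed": "Signing the OCSP request",
    "response_ok": "Response status: successful",
    "nonce_match": "Nonce value in OCSP request and response equal - 1",
    "cert_good": "Cert status: good",
}

def audit_ocsp(log_text):
    """Return {session_id: {check: bool}} for each session that started OCSP."""
    sessions = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or a line in another format
        sess, msg = m.groups()
        if "Starting OCSP Request" in msg:
            sessions[sess] = dict.fromkeys(CHECKS, False)
        elif sess in sessions:
            for name, needle in CHECKS.items():
                sessions[sess][name] = sessions[sess][name] or needle in msg
    return sessions

def failing_sessions(log_text):
    """Map each session that missed a check to the sorted list of missed checks."""
    return {s: sorted(k for k, ok in c.items() if not ok)
            for s, c in audit_ocsp(log_text).items() if not all(c.values())}
```

Because the service parameter is set per node, run the check against logs from every node in the cluster; a node where the parameter is still FALSE shows up as sessions missing the `signed` step.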

Version History
Revision #: 2 of 2
Last update: 07-31-2015 02:01 AM