If the OCSP check is enabled on ClearPass:

a) CPPM always sends a nonce in the OCSP request.

b) If a nonce is present in the OCSP response, it must match the nonce in the OCSP request. If it does not, certificate verification fails and the request is rejected.

c) If no nonce is present in the OCSP response, whether certificate verification fails or succeeds depends on the value of the RADIUS service parameter “Reject if OCSP response does not have nonce”. If the parameter is true, certificate verification fails; if it is false, certificate verification succeeds.

d) The default value of the parameter is true.

e) The parameter is located at: Administration » Server Manager » Server Configuration » Select server » Click on "Service Parameters" tab » Select Service "Radius Server" » Main (Reject if OCSP response does not have Nonce).

Sample dashboard logs with RADIUS Debug enabled for a failed request where the nonce is not present in the OCSP response and “Reject if OCSP response does not have nonce” is set to True:

--> Starting OCSP Request
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - Parsing the configured OCSP URL http://ocsp.digicert.com
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Responder URL =http://ocsp.digicert.com:80/
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Response status: successful
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - Error: OCSP response has wrong nonce value
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - OCSP checks have failed
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] INFO RadiusServer.Radius - chain-depth=0,

This parameter is available in CPPM 6.0.1 and above. For CPPM 5.0.2, cumulative update patch 2 has to be installed.
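The nonce decision described in a) through d), written out as an added Python example; this is not ClearPass code. It assumes the verifier receives the response's extensions as a dict mapping extension OID to the extnValue contents, and uses the id-pkix-ocsp-nonce OID from RFC 6960, whose value is a DER OCTET STRING.

```python
import hmac
import os
from typing import Dict, Optional, Tuple

# id-pkix-ocsp-nonce (RFC 6960 / RFC 8954)
OCSP_NONCE_OID = "1.3.6.1.5.5.7.48.1.2"


def new_nonce(length: int = 16) -> bytes:
    """Fresh random nonce for every OCSP request (the server always sends one)."""
    return os.urandom(length)


def encode_der_octet_string(payload: bytes) -> bytes:
    """DER-encode an OCTET STRING; short-form length suffices for nonces (<= 32 bytes)."""
    if len(payload) >= 128:
        raise ValueError("payload too long for short-form length")
    return bytes([0x04, len(payload)]) + payload


def decode_der_octet_string(data: bytes) -> bytes:
    """Minimal DER OCTET STRING decoder: tag 0x04, short- or long-form length."""
    if len(data) < 2 or data[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    length, offset = data[1], 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    if offset + length != len(data):
        raise ValueError("OCTET STRING length does not match data")
    return data[offset:offset + length]


def extract_response_nonce(extensions: Dict[str, bytes]) -> Optional[bytes]:
    """Nonce carried in the response, or None when the responder omitted it.
    `extensions` maps OID -> extnValue contents (an assumed, parser-independent shape)."""
    ext_value = extensions.get(OCSP_NONCE_OID)
    if ext_value is None:
        return None
    return decode_der_octet_string(ext_value)  # extnValue wraps the Nonce OCTET STRING


def check_ocsp_nonce(request_nonce: bytes, response_extensions: Dict[str, bytes],
                     reject_if_missing: bool = True) -> Tuple[bool, str]:
    """Apply the policy: missing nonce -> service parameter decides; present -> must match."""
    response_nonce = extract_response_nonce(response_extensions)
    if response_nonce is None:
        if reject_if_missing:  # default setting: treat a nonce-less response as unverified
            return False, "OCSP response has no nonce; rejected by service parameter"
        return True, "OCSP response has no nonce; accepted by service parameter"
    if not hmac.compare_digest(request_nonce, response_nonce):
        return False, "OCSP response has wrong nonce value"
    return True, "OCSP response nonce matches request"
```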
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.