AAA, NAC, Guest Access & BYOD

What does the "Reject if OCSP response does not have Nonce" parameter in CPPM do in OCSP checking?

Jun 30, 2014 02:05 AM

If the OCSP check is enabled on Clearpass:
 
a) CPPM always sends nonce in OCSP request.
 
b) If nonce is present in OCSP response, it should match the nonce in OCSP request. If it does not, the certificate verification will fail and the request will be rejected.
 
c) If the nonce is not present in the OCSP response, whether the certificate verification fails or succeeds depends on the value of the RADIUS service parameter “Reject if OCSP response does not have nonce”.
 
If the value of the parameter is true, certificate verification will fail.
 
If the value of the parameter is false, certificate verification will succeed.
 
d) Default value of the parameter is true.
 
e) This parameter is found at the following location:
Administration » Server Manager » Server Configuration » Select server » Click on "Service Parameters" tab » Select Service "Radius Server" » Main (Reject if OCSP response does not have Nonce).
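The decision rules (a) to (d) above, written out as a small Python model. This is an added example, not CPPM code; OcspResponse is a constructed stand-in for a parsed OCSP response, and the nonce and status values are made up.

```python
"""Model of the CPPM OCSP nonce rules described above (constructed example)."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class OcspResponse:
    """Constructed stand-in for a parsed OCSP response (not a real DER parser)."""
    cert_status: str               # "good", "revoked" or "unknown"
    nonce: Optional[bytes] = None  # None models a responder that omits the nonce extension


def new_request_nonce() -> bytes:
    """Rule (a): the requester always sends a nonce; 16 random bytes here."""
    return secrets.token_bytes(16)


def check_nonce(request_nonce: bytes, response_nonce: Optional[bytes],
                reject_if_no_nonce: bool = True) -> Tuple[bool, str]:
    """Freshness check only. reject_if_no_nonce mirrors the service parameter,
    whose default is True (rule d)."""
    if response_nonce is None:
        # Rule (c): a missing nonce is decided by the service parameter.
        if reject_if_no_nonce:
            return False, "OCSP response has no nonce and policy rejects it"
        # Accepting a nonce-less response means a replayed old "good"
        # response can no longer be told apart from a fresh one.
        return True, "OCSP response has no nonce; accepted by policy"
    # Rule (b): nonce present, so it must match the request byte for byte.
    if not hmac.compare_digest(request_nonce, response_nonce):
        return False, "OCSP response has wrong nonce value"
    return True, "nonce matches"


def verify_ocsp(request_nonce: bytes, response: OcspResponse,
                reject_if_no_nonce: bool = True) -> Tuple[bool, str]:
    """Full decision: the status is only acted on once the nonce check passes."""
    fresh, reason = check_nonce(request_nonce, response.nonce, reject_if_no_nonce)
    if not fresh:
        return False, reason
    if response.cert_status == "good":
        return True, "certificate is good"
    return False, f"certificate status is {response.cert_status}"


if __name__ == "__main__":
    n = new_request_nonce()
    print(verify_ocsp(n, OcspResponse("good", n)))            # accepted
    print(verify_ocsp(n, OcspResponse("good", None)))         # rejected, default policy
    print(verify_ocsp(n, OcspResponse("good", None), False))  # accepted, policy relaxed
```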
 
 
Sample dashboard logs, with RADIUS debug enabled, for a failed request where the nonce is not present in the OCSP response and “Reject if OCSP response does not have nonce” is set to True:
 
--> Starting OCSP Request
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - Parsing the configured OCSP URLhttp://ocsp.digicert.com
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Responder URL =http://ocsp.digicert.com:80/
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Response status: successful
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - Error: OCSP response has wrong nonce value
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - OCSP checks have failed
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] INFO RadiusServer.Radius - chain-depth=0,
 
 
This parameter is available in CPPM 6.0.1 and above. For CPPM 5.0.2, cumulative update patch 2 has to be installed.