AAA, NAC, Guest Access & BYOD

What does the "Reject if OCSP response does not have Nonce" parameter in CPPM do in OCSP checking?

Aruba Employee

If OCSP check is enabled on Clearpass:
 
a) CPPM always sends nonce in OCSP request.
 
b) If nonce is present in OCSP response, it should match the nonce in OCSP request. If it does not, the certificate verification will fail and the request will be rejected.
 
c) If the nonce is not present in the OCSP response, whether the certificate verification fails or succeeds depends on the value of the RADIUS service parameter "Reject if OCSP response does not have nonce".
 
If the value of the parameter is true, certificate verification will fail.
 
If the value of the parameter is false, certificate verification will succeed.
 
d) Default value of the parameter is true.
 
e) This parameter is present at the below location:
Administration » Server Manager » Server Configuration » Select server » Click on "Service Parameters" tab » Select Service "Radius Server" » Main (Reject if OCSP response does not have Nonce).
 
 
Sample dashboard logs, with RADIUS Debug enabled, for a failed request where the nonce is not present in the OCSP response and "Reject if OCSP response does not have nonce" is set to True:
 
--> Starting OCSP Request
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - Parsing the configured OCSP URLhttp://ocsp.digicert.com
2012-08-20 14:57:48,262 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Responder URL =http://ocsp.digicert.com:80/
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] DEBUG RadiusServer.Radius - ocsp] --> Response status: successful
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - Error: OCSP response has wrong nonce value
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] ERROR RadiusServer.Radius - OCSP checks have failed
2012-08-20 14:57:48,345 [Th 5 Req 334 SessId R00000032-01-503288ac] INFO RadiusServer.Radius - chain-depth=0,
 
 
This parameter is available in CPPM 6.0.1 and above. For CPPM 5.0.2, cumulative update patch 2 has to be installed.
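An added example, not code from the post or from ClearPass itself, that reproduces the three nonce cases described above with Python's `cryptography` library: a constructed throwaway CA and client certificate, a request that always carries a nonce, a simulated responder that either echoes the nonce, returns a different one, or omits the extension, and a `nonce_check_passes` function whose `reject_if_no_nonce` flag plays the role of the RADIUS service parameter (all names and the simulated responder are assumptions).

```python
import os
import datetime as dt
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

def _cert(subject, issuer, pub, signer, ca):
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer, hashes.SHA256()))

# Constructed test PKI (assumption): a throwaway CA and one EAP-TLS style client certificate.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
CA_CERT = _cert(CA_NAME, CA_NAME, CA_KEY.public_key(), CA_KEY, True)
LEAF_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "client.example.test")])
LEAF_CERT = _cert(LEAF_NAME, CA_NAME, ec.generate_private_key(ec.SECP256R1()).public_key(), CA_KEY, False)

def build_request():
    """Like CPPM, always attach a fresh nonce (RFC 6960 id-pkix-ocsp-nonce) to the request."""
    nonce = os.urandom(16)
    req = (ocsp.OCSPRequestBuilder().add_certificate(LEAF_CERT, CA_CERT, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    return req, nonce

def responder(nonce=None):
    """Simulated responder: 'good' status; echoes the given nonce, or omits the extension when None."""
    now = dt.datetime.now(dt.timezone.utc)
    b = ocsp.OCSPResponseBuilder().add_response(
        cert=LEAF_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + dt.timedelta(hours=1), revocation_time=None,
        revocation_reason=None).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
    if nonce is not None:
        b = b.add_extension(x509.OCSPNonce(nonce), critical=False)
    return b.sign(CA_KEY, hashes.SHA256())

def nonce_check_passes(resp, sent_nonce, reject_if_no_nonce=True):
    """The rules from the post: a present nonce must match; an absent nonce is governed by the parameter."""
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return False
    try:
        got = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
    except x509.ExtensionNotFound:
        return not reject_if_no_nonce   # True (the default) rejects, False accepts
    return got == sent_nonce
```

A mismatched nonce fails regardless of the parameter, which is the "OCSP response has wrong nonce value" outcome in the log above; only the missing-nonce case is switchable.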

Version history
Revision #:
1 of 1
Last update:
06-29-2014 11:05 PM