Security

MVP
Posts: 1,111
Registered: ‎10-11-2011

Cisco ASA Use OCSP URL from ClearPass Onboard CA

I'm testing Cisco AnyConnect on an iPad that's been onboarded with the ClearPass CA.  AnyConnect is set to use the Onboard certificate for authentication.  The ASA is performing authentication, validating the certificate against the CA chain and doing an OCSP check.  For some reason, the OCSP check fails.  In a packet capture from ClearPass, I see the OCSP request from the ASA and the response from ClearPass, but can't make heads or tails of the response to figure out why it's failing.  Will ClearPass accept OCSP checks from external devices, such as the ASA?  I'm using the OCSP URL specified in the Onboard settings.


The alternative would be to pass the authentication and authorization to ClearPass and keep the ASA from doing the authentication and OCSP check, but we can't figure out how to get that working.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
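To make sense of an OCSP response pulled out of a capture like the one above, it helps to rebuild the exchange offline and decode it field by field. The following is an added example, not code from the thread, from ClearPass or from Cisco: it constructs a throwaway CA and device certificate (standing in for the Onboard CA and the iPad), builds the OCSP request a VPN headend sends, answers it as a responder that signs with the CA key, and then decodes the DER response and checks the three things a headend checks: response status, certificate status for the requested serial, and whether the signature verifies against the trusted issuer. The `wrong_trust_anchor` option is an assumption added to show the failure mode where the response is `good` but the verifier does not trust the signer.

```python
"""Decode and check an OCSP exchange offline (constructed example; not ClearPass or ASA code)."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID


def _cert(subject, issuer, pubkey, signer_key, days, is_ca):
    """Issue a minimal X.509 certificate for the constructed PKI."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(pubkey)
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=days))
    )
    if is_ca:
        builder = builder.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return builder.sign(signer_key, hashes.SHA256())


def build_pki(ca_cn="Constructed Onboard CA"):
    """Constructed CA plus one device certificate (stand-ins for the Onboard CA and an onboarded iPad)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, ca_cn)])
    ca_cert = _cert(ca_name, ca_name, ca_key.public_key(), ca_key, 365, True)
    dev_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    dev_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "ipad-user")])
    dev_cert = _cert(dev_name, ca_name, dev_key.public_key(), ca_key, 30, False)
    return ca_key, ca_cert, dev_cert


def build_request_der(dev_cert, ca_cert):
    """The OCSP request a headend sends: a CertID (issuer name/key hashes + serial), DER encoded."""
    req = ocsp.OCSPRequestBuilder().add_certificate(dev_cert, ca_cert, hashes.SHA1()).build()
    return req.public_bytes(serialization.Encoding.DER)


def build_response_der(dev_cert, ca_cert, ca_key, revoked=False):
    """Act as the responder: answer the CertID with a status, signed directly by the CA key."""
    now = datetime.datetime.now(datetime.timezone.utc)
    status = ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=dev_cert,
        issuer=ca_cert,
        algorithm=hashes.SHA1(),
        cert_status=status,
        this_update=now,
        next_update=now + datetime.timedelta(hours=1),
        revocation_time=now if revoked else None,
        revocation_reason=x509.ReasonFlags.key_compromise if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.NAME, ca_cert)
    return builder.sign(ca_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def decode_response(der, trusted_signer_cert, expected_serial):
    """Decode a DER OCSP response (e.g. saved from a capture) and check what a headend checks."""
    resp = ocsp.load_der_ocsp_response(der)
    result = {"response_status": resp.response_status.name}
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return result  # e.g. MALFORMED_REQUEST or UNAUTHORIZED: no status and no signature to check
    try:
        trusted_signer_cert.public_key().verify(
            resp.signature, resp.tbs_response_bytes, padding.PKCS1v15(), resp.signature_hash_algorithm
        )
        sig_ok = True
    except InvalidSignature:
        sig_ok = False
    result.update({
        "cert_status": resp.certificate_status.name,
        "serial_matches": resp.serial_number == expected_serial,
        "signature_valid": sig_ok,
        "responder": resp.responder_name.rfc4514_string() if resp.responder_name else None,
    })
    return result


def run_demo(revoked=False, wrong_trust_anchor=False):
    """Full request/response round trip; returns the decoded verdict as a dict."""
    ca_key, ca_cert, dev_cert = build_pki()
    req = ocsp.load_der_ocsp_request(build_request_der(dev_cert, ca_cert))
    if req.serial_number != dev_cert.serial_number:
        raise RuntimeError("request does not carry the device serial")
    resp_der = build_response_der(dev_cert, ca_cert, ca_key, revoked=revoked)
    # A verifier configured with an unrelated CA sees a 'good' answer it must not trust.
    anchor = build_pki("Unrelated CA")[1] if wrong_trust_anchor else ca_cert
    return decode_response(resp_der, anchor, dev_cert.serial_number)


if __name__ == "__main__":
    print(run_demo())
    print(run_demo(wrong_trust_anchor=True))
```

When reading a real capture, the case to look for is the last one: the responder says `good`, but the headend rejects the response because it is signed by a key it does not trust for this responder. RFC 6960 allows the response to be signed by the issuing CA itself or by a delegated responder certificate carrying the OCSP signing EKU; the verifier has to trust whichever one the responder actually uses.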
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Cisco ASA Use OCSP URL from ClearPass Onboard CA

What do you have configured in the EAP-TLS authentication method?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Cisco ASA Use OCSP URL from ClearPass Onboard CA

Here's a dumb question... do I need to have a service configured that just allows for the OCSP check?  We don't have anything set up in ClearPass, just telling the ASA to do the OCSP check.

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.
Aruba
Posts: 1,377
Registered: ‎12-12-2011

Re: Cisco ASA Use OCSP URL from ClearPass Onboard CA

I see... OK.  So, in ClearPass Guest, what do you see in Administration --> Support --> Application Log?

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
MVP
Posts: 1,111
Registered: ‎10-11-2011

Re: Cisco ASA Use OCSP URL from ClearPass Onboard CA

Duh!  Forgot OCSP responses were logged there.  Thanks for the reminder!


Response = good... dang, must have a different problem then?

=======================================
If a reply adequately addresses your issue, please click on the "Accept as Solution" and "Give Kudos" button so this information can benefit other users.