Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass OCSP warnings

  • 1.  ClearPass OCSP warnings

    Posted Feb 13, 2017 03:23 PM

    Hello,

    In deploying EAP-TLS with OCSP checking with ClearPass as the RADIUS server in our enterprise, we see the following warnings in our logs:

    WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_TRUSTOTHER flag
    WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOCHECKS flag
    WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOVERIFY

    INFO RadiusServer.Radius - chain-depth=0,
    INFO RadiusServer.Radius - error=3
    INFO RadiusServer.Radius - --> User-Name = tim.haynie
    INFO RadiusServer.Radius - --> subject = /CN=tim.haynie
    INFO RadiusServer.Radius - --> issuer = /DC=com/DC=<redacted>
    INFO RadiusServer.Radius - --> verify return:1

    Based on "verify return:1" it appears to still be checking our OCSP server and getting back a response on returning whether or not the cert is valid, but we want to understand the meaning of the warnings in the log. Any insight is appreciated.

    ClearPass is NOT the CA, neither root nor intermediate, for the user certs.

    Thanks,

    Tim


  • 2.  RE: ClearPass OCSP warnings

    EMPLOYEE
    Posted Feb 14, 2017 12:07 PM

    Are you leveraging OCSP stapling in your environment?



  • 3.  RE: ClearPass OCSP warnings

    Posted Feb 14, 2017 02:15 PM

    We are checking to make sure, but we are 99% confident that we are doing OCSP stapling since it is on by default on Windows Server 2008 onward (we are on 2012 R2).



  • 4.  RE: ClearPass OCSP warnings

    Posted Feb 15, 2017 09:52 PM

    Any more insight?

    I found this article on openssl, and I think it could be related: 

    https://www.openssl.org/docs/man1.0.1/apps/ocsp.html

    However, if we are doing the -no_cert_checks and -noverify parameters, isn't this defeating the purpose of OCSP? Why can't those options be turned off?



  • 5.  RE: ClearPass OCSP warnings

    EMPLOYEE
    Posted Feb 17, 2017 11:13 PM

    So there are two things I can think of:

    1) The OCSP response does not have a nonce.

    2) The OCSP signing certificate is not in the ClearPass trust store.

    You shouldn't really need to worry about it for a network authentication scenario.
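Added example, not ClearPass code and not from anyone in this thread: the script below uses only the openssl CLI (1.1.1 or 3.x) to rebuild, against a throwaway PKI it constructs itself, the same verification ladder the ClearPass log in post 1 shows and the two causes reply 5 lists. The flag names in the log are OpenSSL's: OCSP_TRUSTOTHER accepts a responder certificate that was supplied explicitly (openssl's -VAfile) without building a chain to it; OCSP_NOCHECKS (-no_cert_checks) skips the check that the signer is either the issuing CA or a delegated responder with the OCSPSigning EKU; OCSP_NOVERIFY (-noverify) skips verifying the signer certificate altogether, so the signature is only checked against whatever certificate the response itself carried. Everything here is constructed: the names lab-ca, lab-other, lab-ocsp and lab-client, the serials 0x1001 and 0x2001, and the files under a mktemp directory; "lab-other" is a second, unrelated root used as a trust store that does not contain the issuing CA, which is the reply 5, point 2 situation.

```shell
#!/bin/sh
# Added example (not ClearPass/Aruba code): reproduce OpenSSL's OCSP verification ladder
# (default chain check -> OCSP_TRUSTOTHER -> OCSP_NOVERIFY) and the missing-nonce warning
# against a constructed, throwaway PKI. Needs only the openssl CLI.
set -e

W=$(mktemp -d)                 # every constructed artefact lives here
q() { "$@" >/dev/null 2>&1; }  # run a setup step quietly; set -e still aborts on failure

# --- Constructed PKI: root CA, an unrelated root, a delegated OCSP responder, one client cert
setup_pki() {
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$W/req.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign,digitalSignature\nsubjectKeyIdentifier=hash\n' > "$W/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > "$W/ocsp.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' > "$W/client.ext"

  for name in ca other ocsp client; do
    q openssl req -new -config "$W/req.cnf" -newkey rsa:2048 -nodes \
      -keyout "$W/$name.key" -subj "/CN=lab-$name" -out "$W/$name.csr"
  done
  # Two self-signed roots: "ca" issues everything below; "other" is a trust store that lacks "ca"
  q openssl x509 -req -in "$W/ca.csr"    -signkey "$W/ca.key"    -days 30 -extfile "$W/ca.ext" -out "$W/ca.pem"
  q openssl x509 -req -in "$W/other.csr" -signkey "$W/other.key" -days 30 -extfile "$W/ca.ext" -out "$W/other.pem"
  # Delegated responder (id-kp-OCSPSigning EKU) and an EAP-TLS style client cert, both issued by "ca"
  q openssl x509 -req -in "$W/ocsp.csr"   -CA "$W/ca.pem" -CAkey "$W/ca.key" -set_serial 0x1001 -days 30 -extfile "$W/ocsp.ext"   -out "$W/ocsp.pem"
  q openssl x509 -req -in "$W/client.csr" -CA "$W/ca.pem" -CAkey "$W/ca.key" -set_serial 0x2001 -days 30 -extfile "$W/client.ext" -out "$W/client.pem"
  # CA database the responder answers from: one "V" (valid) row keyed by the client serial
  serial=$(openssl x509 -noout -serial -in "$W/client.pem" | cut -d= -f2)
  printf 'V\t491231235959Z\t\t%s\tunknown\t/CN=lab-client\n' "$serial" > "$W/index.txt"
}

# --- Produce one signed OCSP response offline (no network responder needed)
build_response() {
  # Request without a nonce, so the response carries none either (reply 5, point 1)
  q openssl ocsp -issuer "$W/ca.pem" -cert "$W/client.pem" -no_nonce -reqout "$W/req.der"
  # openssl in responder mode: looks the serial up in index.txt, signs with the delegated cert
  # and embeds that cert in the response; -noverify stops it re-verifying its own answer.
  q openssl ocsp -index "$W/index.txt" -CA "$W/ca.pem" -rsigner "$W/ocsp.pem" -rkey "$W/ocsp.key" \
    -no_nonce -noverify -reqin "$W/req.der" -respout "$W/resp.der"
}

# --- Client-side verification: prints combined stdout+stderr and never aborts the script
verify_case() {
  openssl ocsp -issuer "$W/ca.pem" -cert "$W/client.pem" -respin "$W/resp.der" "$@" 2>&1 || true
}
case_trusted()    { verify_case -CAfile "$W/ca.pem"    -no_nonce; }                       # chain verifies
case_untrusted()  { verify_case -CAfile "$W/other.pem" -no_nonce; }                       # reply 5, point 2
case_trustother() { verify_case -CAfile "$W/other.pem" -VAfile "$W/ocsp.pem" -no_nonce; } # OCSP_TRUSTOTHER
case_noverify()   { verify_case -CAfile "$W/other.pem" -noverify -no_nonce; }             # OCSP_NOVERIFY
case_nonce_warn() { verify_case -CAfile "$W/ca.pem"; }                                    # nonce sent, none returned

# substring test used below and in the checks
contains() { case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac; }

setup_pki
build_response
for c in case_trusted case_untrusted case_trustother case_noverify case_nonce_warn; do
  printf '== %s ==\n%s\n\n' "$c" "$("$c")"
done
```

Reading the five outputs side by side: with the issuing CA in the trust store the client prints "Response verify OK" and "client.pem: good"; with a trust store that lacks that CA the same response gives "Response Verify Failure", which is the point at which ClearPass's log shows it falling back through the flags; -VAfile (OCSP_TRUSTOTHER) rescues it only because the responder certificate is handed over explicitly; -noverify (OCSP_NOVERIFY) prints "good" with no verification line at all, which is why reply 4 is right to be uneasy about that fallback being the one that eventually succeeds; and a nonce-bearing request checked against the nonceless response produces only "WARNING: no nonce in response" and then verifies normally. The mitigation that removes the warnings, rather than the fallback that hides them, is the one reply 5 points at: put the OCSP signing certificate (or the CA that issued it) into the RADIUS server's trust store so the first, unflagged verification passes.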