Contributor II
Posts: 61
Registered: ‎07-01-2013

ClearPass OCSP warnings

Hello,

In deploying EAP-TLS with OCSP checking with ClearPass as the RADIUS server in our enterprise, we see the following warnings in our logs:

WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_TRUSTOTHER flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOCHECKS flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOVERIFY

INFO RadiusServer.Radius - chain-depth=0,
INFO RadiusServer.Radius - error=3
INFO RadiusServer.Radius - --> User-Name = tim.haynie
INFO RadiusServer.Radius - --> subject = /CN=tim.haynie
INFO RadiusServer.Radius - --> issuer = /DC=com/DC=<redacted>
INFO RadiusServer.Radius - --> verify return:1

Based on "verify return:1" it appears to still be checking our OCSP server and getting back a response saying whether or not the cert is valid, but we want to understand the meaning of the warnings in the log. Any insight is appreciated.

ClearPass is NOT the CA, neither root nor intermediate, for the user certs.

Thanks,

Tim

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: ClearPass OCSP warnings

Are you leveraging OCSP stapling in your environment?


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor II
Posts: 61
Registered: ‎07-01-2013

Re: ClearPass OCSP warnings

We are checking to make sure, but we are 99% confident that we are doing OCSP stapling since it is on by default on Windows Server 2008 onward (we are on 2012 R2).

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Contributor II
Posts: 61
Registered: ‎07-01-2013

Re: ClearPass OCSP warnings

Any more insight?

I found this article on openssl, and I think it could be related:

https://www.openssl.org/docs/man1.0.1/apps/ocsp.html

However, if we are doing the -no_cert_checks and -noverify parameters, isn't this defeating the purpose of OCSP? Why can't those options be turned off?

Tim Haynie, ACMX #508, ACDX #384, ACCP, CWSP, CWAP, CWDP, CCNP R/S, CCNP Wireless, CCNA Security, CCDA
Guru Elite
Posts: 8,460
Registered: ‎09-08-2010

Re: ClearPass OCSP warnings

So there are two things I can think of:

1) The OCSP response does not have a nonce.

2) The OCSP signing certificate is not in the ClearPass trust store.

You shouldn't really need to worry about it for a network authentication scenario.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
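To make the escalation in the quoted log concrete, here is an added example (not from the thread, from ClearPass or from Aruba) that parses those warning lines and reports which OpenSSL OCSP_basic_verify() checks had been switched off by the time the response was accepted. The sample log text is constructed from the lines quoted above; the mapping of flags to skipped checks follows OpenSSL's documented flag semantics.

```python
import re

# Constructed sample input: the warning/info lines quoted in the thread.
SAMPLE_LOG = """\
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_TRUSTOTHER flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOCHECKS flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOVERIFY
INFO RadiusServer.Radius - --> User-Name = tim.haynie
INFO RadiusServer.Radius - --> verify return:1
"""

# OpenSSL OCSP_basic_verify() flags in the order the server escalates through
# them; each step relaxes verification further than the one before it.
FLAG_LADDER = [
    ("OCSP_TRUSTOTHER", "a responder cert supplied with the response is trusted as-is, "
                        "without building a chain to the CA trust store"),
    ("OCSP_NOCHECKS",   "no check that the signer is the issuing CA or a delegated "
                        "OCSP signer (id-kp-OCSPSigning EKU issued by that CA)"),
    ("OCSP_NOVERIFY",   "no chain validation of the signer at all; only the raw "
                        "signature over the response is still checked"),
]
RANK = {name: i for i, (name, _) in enumerate(FLAG_LADDER)}

FALLBACK_RE = re.compile(
    r"Couldn't verify OCSP basic response, status (\d+), trying with (OCSP_[A-Z]+)")
VERIFY_RE = re.compile(r"verify return:(\d)")


def analyze_ocsp_log(text):
    """Return the weakest verification level reached and what it skipped."""
    weakest, verify_return = None, None
    for line in text.splitlines():
        m = FALLBACK_RE.search(line)
        if m and m.group(2) in RANK and (weakest is None or RANK[m.group(2)] > RANK[weakest]):
            weakest = m.group(2)
        v = VERIFY_RE.search(line)
        if v:
            verify_return = int(v.group(1))
    skipped = [desc for name, desc in FLAG_LADDER[: RANK[weakest] + 1]] if weakest else []
    # Mitigation matches the thread's point 2: once the responder's signing cert
    # (or its issuing CA) is in the ClearPass trust store, the first attempt
    # succeeds and none of these fallbacks are logged.
    return {"fallback": weakest, "skipped": skipped, "verify_return": verify_return,
            "signature_still_checked": True,
            "fix": "add the OCSP signing certificate or its CA to the trust store"}
```

Running it on the sample reports OCSP_NOVERIFY as the final level, i.e. the response signature was checked but the signer was never chained to a trusted CA or checked for OCSP-signing authorization.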