02-13-2017 12:23 PM - edited 02-13-2017 12:33 PM
In deploying EAP-TLS with OCSP checking with ClearPass as the RADIUS server in our enterprise, we see the following warnings in our logs:
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_TRUSTOTHER flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOCHECKS flag
WARN RadiusServer.Radius - Error: Couldn't verify OCSP basic response, status 0, trying with OCSP_NOVERIFY
INFO RadiusServer.Radius - chain-depth=0,
INFO RadiusServer.Radius - error=3
INFO RadiusServer.Radius - --> User-Name = tim.haynie
INFO RadiusServer.Radius - --> subject = /CN=tim.haynie
INFO RadiusServer.Radius - --> issuer = /DC=com/DC=<redacted>
INFO RadiusServer.Radius - --> verify return:1
Based on "verify return:1" it appears to still be checking our OCSP server and getting back a response on returning whether or not the cert is valid, but we want to understand the meaning of the warnings in the log. Any insight is appreciated.
ClearPass is NOT the CA, neither root nor intermediate, for the user certs.
02-14-2017 11:15 AM
We are checking to make sure, but we are 99% confident that we are doing OCSP stapling since it is on by default on Windows Server 2008 onward (we are on 2012 r2).
02-15-2017 06:52 PM
Any more insight?
I found this article on openssl, and I think it could be related:
However, if we are doing the -no_cert_checks and -noverify parameters, isn't this defeating the purpose of OCSP? Why can't those options be turned off?
02-17-2017 08:12 PM - edited 02-17-2017 08:13 PM
So there are two things I can think of:
1) The OCSP response does not have a nonce.
2) The OCSP signing certificate is not in the ClearPass trust store.
You shouldn't really need to worry about it for a network authentication scenario.
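The two causes listed in the reply above, and the -no_cert_checks / -noverify question earlier in the thread, can be reproduced offline with openssl's file-based OCSP responder; this is an added example, not code from the thread, Aruba or ClearPass. It assumes a POSIX shell with openssl 1.1.1 or 3.x on PATH and builds a throwaway PKI in a temp directory (the user name tim.haynie is reused from the log above, every other name and value is constructed).

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the two failure modes named above with a
# throwaway PKI and show which openssl verification flag makes each one pass.
set -e
WORK=$(mktemp -d); cd "$WORK"
q() { "$@" >/dev/null 2>&1; }    # run quietly; set -e still aborts on failure

# Constructed lab PKI: CA, EAP-TLS user cert, a delegated OCSP signer issued by the CA
# with the OCSPSigning EKU, and an unrelated self-signed OCSP signer.
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=LabCA -keyout ca.key -out ca.pem
q openssl req -newkey rsa:2048 -nodes -subj /CN=tim.haynie -keyout user.key -out user.csr
q openssl x509 -req -in user.csr -CA ca.pem -CAkey ca.key -set_serial 4097 -days 1 -out user.pem
q openssl req -newkey rsa:2048 -nodes -subj /CN=LabOCSP -keyout ocsp.key -out ocsp.csr
echo extendedKeyUsage=OCSPSigning > ocsp.ext
q openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -set_serial 2 -days 1 \
    -extfile ocsp.ext -out ocsp.pem
q openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=OtherOCSP -keyout other.key -out other.pem
# Responder database for the file-based openssl responder: serial 4097 (hex 1001) is valid.
printf 'V\t991231235959Z\t\t1001\tunknown\t/CN=tim.haynie\n' > index.txt

# mkreq OUTFILE [-no_nonce]: OCSP request for the user cert (a nonce is added by default).
mkreq() { f=$1; shift; openssl ocsp -issuer ca.pem -cert user.pem -reqout "$f" "$@" >/dev/null 2>&1 || true; [ -s "$f" ]; }
mkreq req_nonce.der
mkreq req_plain.der -no_nonce
# respond SIGNER REQUEST OUTFILE: answer a request from the index (nonce copied from the request).
respond() { q openssl ocsp -index index.txt -CA ca.pem -rsigner "$1.pem" -rkey "$1.key" -no_nonce -reqin "$2" -respout "$3"; }
respond ocsp  req_nonce.der good.der     # trusted delegated signer, nonce echoed
respond ocsp  req_plain.der nononce.der  # same signer, no nonce (like a cached/pre-produced response)
respond other req_nonce.der other.der    # signer the trust store has never seen

# check REQUEST RESPONSE [openssl ocsp flags]: verify the response as a RADIUS server would.
# Returns OK, NONONCE (signature verified, but the response carries no nonce) or FAIL.
check() {
    req=$1; resp=$2; shift 2
    out=$(openssl ocsp -reqin "$req" -respin "$resp" -CAfile ca.pem -no_nonce "$@" 2>&1 || true)
    case "$out" in
        *"no nonce in response"*) echo NONONCE ;;
        *"Response verify OK"*)   echo OK ;;
        *)                        echo FAIL ;;
    esac
}

for r in good nononce other; do echo "$r.der: $(check req_nonce.der "$r.der")"; done
# The fallbacks in the ClearPass log, in openssl terms: -VAfile is OCSP_TRUSTOTHER (explicitly
# trusted responder cert), -no_cert_verify is OCSP_NOVERIFY (any signer whose cert is attached passes).
echo "other.der + -VAfile other.pem: $(check req_nonce.der other.der -VAfile other.pem)"
echo "other.der + -no_cert_verify:   $(check req_nonce.der other.der -no_cert_verify)"
```

The last line is the reason the -noverify style fallbacks defeat the purpose: the unknown signer is accepted once certificate verification is switched off, whereas adding the responder's certificate to the trust store (the -VAfile case) keeps the check meaningful.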