Security

does anyone have experience with enabling OCSP checking in their EAP TLS profile ("Verify Certificate using OCSP:") on ClearPass with Microsoft AD as CA / OCSP server (Online reponder)?

when I enable it and can see the client certificate contains the information ClearPass still says there is no OCSP link to be found in the certificate.

This must be configured on a Microsoft CA:  http://technet.microsoft.com/en-us/library/cc732526.aspx

and it is, i have been through several of those tech documents from microsoft and with the microsoft tool i can confirm OCSP is working, but ClearPass reports the certificate doesn't contain the OCSP url.

Duplicate the EAP-TLS authentication method and instead of getting it from the certificate, put in the URL manually and see if that works.

What version of ClearPass?

yeah that would be next step, hopefully i have some time for that thursday.

tried with version 6.0.1 and 5.2.

boneyard,

Please forward us the logs from the Access Tracker when you do your testing so we can figure this out.

Thanks.

the good news is that i can get it working with the "Override OCSP URL from Client" option, it appears that you have to enable to NONCE extension on the microsoft 2008 CA for that, see screenshot ms-ca-online-reponder-config-signing-nonce.png. might be a good idea to make this configurable on ClearPass, or at least mention it is used.

i got the hint for this via a blog [1] were someone is checking OCSP via openssl and mentioned the no_nonce flag.

the bad news is that using the OCSP url from the certificate doesnt work, the other settings are identical, so require OCSP check but no overwrite OCSP URL. so my conclusion is that clearpass cant read the OCSP URL from the certificate correctly. the same blog [1] as above does mention something about this, assuming that ClearPass uses the openssl libraries.

below is part of the access tracker output, i attached the full version also and a screenshot from the certificate proving the OCSP URL info is in there (ms-ca-certificate-aruba.png):

2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=1,
2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:1
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Version value 3
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Serial-Number value 19:28:58:07:00:00:00:00:00:10
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DN value CN=aruba networks,CN=Users,DC=hnk,DC=loc
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value loc
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value hnk
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value Users
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value aruba networks
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DN value CN=hnk-TDC-hnk-01-CA,DC=hnk,DC=loc
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value loc
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value hnk
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-CN value hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-AltName-msUPN value aruba@hnk.loc
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - --> Starting OCSP Request
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Parsing the OCSP URLs in the certificate
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - Certificate does not contain OCSP URL. OCSP check required.
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - OCSP checks have failed
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=0,
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=Users/CN=aruba networks
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:0
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.0 Alert length 0002], fatal certificate_unknown
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - TLS Alert write:fatal:certificate unknown
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate B
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: tls_handshake_recv failed
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - eaptls_process returned 4
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Handler failed in EAP/tls
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: SSL ex data at index 0 - (nil)
2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Failed in EAP select
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcallauthenticate]: module "svc_3011_eap" returns invalid for request 223
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: leaving group svc_3011_eap (returns invalid) for request 223
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - auth: Failed to validate the user.
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Found Post-Auth-Type
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Processing the post-auth section of radiusd.conf
2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 223

any clue someone or should i open a TAC case for this one?

using cppm version 5.2.0.43003 btw, but i dont believe that the version will matter much, perhaps the openssl version used, is that visible somewhere?

[1] http://www.carbonwind.net/blog/post/Quickly-probing-with-OpenSSL-for-the-status-of-a-certificate-using-OCSP.aspx

Attachment(s)

access-tracker-ocsp-cert-fail.txt   88 KB 1 version

Whether request should be rejected if OCSP responder does not include NONCE or not is now

configurable in CPPM. This is controlled by Reject if OCSP response does not have Nonce parameter

of Radius server on Service Parameters tab of Administration » Server Manager » Server Configuration >> <cppm>

screen. This parameter is availalbe in CPPM 6.0.1. For CPPM 5.0.2, cumulative update patch 2 has to be installed.

From the logs it looks like CPPM is not able to parse the OCSP URL in the certificate. Please open

a TAC case for this. If possible, please also provide us the client certificate you are using to authenticate.

thank you pattaluri, should have checked there first anyway, so many settings :)

i created a TAC case and also provided client and CA cert, ID 1370523.

for anyone else that is going to attempt this check the link cjospeh provided, it helped out a lot while initially setting this up.

in the end it turned out to be a bug, with the latest patches CPPM 5.x is able to read the URL from the certificate. latest 6.x should also be fine, didn't test that myself.

Thanks for the update on this Boneyard. Hate those loose ends ;)