Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
iOS devices can connect after certificate has been revoked

  • 1.  iOS devices can connect after certificate has been revoked

    Posted Jan 22, 2013 09:51 AM

    Hi all,

    I tested Onboard with an iOS device, which works fine, but after the certificate has been revoked the iOS device can still connect using EAP-TLS.

    What did I miss?

    Please advise.



  • 2.  RE: iOS devices can connect after certificate has been revoked

    EMPLOYEE
    Posted Jan 22, 2013 10:01 AM

    Did you configure an OCSP URL in the EAP-TLS authentication method?


  • 3.  RE: iOS devices can connect after certificate has been revoked

    Posted Jan 22, 2013 10:12 AM
    Hi Colin,

    I use the built-in default CA and I think it has OCSP by default. How can I check that?

    Regards,
    aakmit


  • 4.  RE: iOS devices can connect after certificate has been revoked
    Best Answer

    EMPLOYEE
    Posted Jan 22, 2013 10:23 AM

    In ClearPass Policy Manager, the EAP-TLS authentication method by default does not have an OCSP URL. You need to make a copy of it; the copy will allow you to enter an OCSP URL, look at the certificate for an OCSP URL, and enforce it.


  • 5.  RE: iOS devices can connect after certificate has been revoked

    Posted Jan 22, 2013 10:33 AM

    Hi Colin,

    Thanks for your help. Now it works.

    Regards,
    aakmit



  • 6.  RE: iOS devices can connect after certificate has been revoked

    Posted Aug 16, 2013 11:12 AM

    Oh wait, I think I just figured out how to do it... Sorry.

    Under your service we need to change the 'Authentication Methods' and select the EAP-TLS that we want to use...

    I am testing now.

    ------------------------------------------------------------

    Hey,

    CPPM Version: 6.1.3.54640

    I am trying to set up OCSP as well.

    I am looking under CPPM > Authentication > Methods.

    They have [EAP TLS] and [EAP TLS With OCSP Enabled].

    And I created one called [EAP TLS With OCSP] because I want to try it and not override the OCSP URL, because in my 'Certificate Authority Settings' I 'Specify an OCSP Responder URL' (perhaps this is not the same setting?).

    In the certificate generated for the client I see the correct URL for the OCSP check that I specified, so I am assuming that my client certificate contains the appropriate information to verify the certificate.

    Where I am a little confused is, since there are 3 EAP-TLS types defined, how does CPPM know which one to use?

    I thought that we might change this under: ClearPass Onboard > Configuration Profiles > Network Settings

    But you can basically only select EAP-TLS; how do we tell the system which EAP-TLS definition to use?

    Hopefully that makes sense.

    Thank you,

    Cheers



  • 7.  RE: iOS devices can connect after certificate has been revoked

    EMPLOYEE
    Posted Aug 16, 2013 12:08 PM

    I think I understand what you're looking for, but correct me if I'm wrong.

    If you go to the methods and select the service 'EAP TLS With OCSP Enabled', once it's open you can click Copy (which I believe you already did).

    eaptls.png

    In that method you have the option to select multiple options, and one of them is the check mark to override the OCSP URL from the client. What that does is give you the option to force OCSP to the location you designate. In a subscriber model you can tell the server where to check for the revocation: either itself, by using the default localhost, where the server will look at itself, or a specified address, which you can get by looking at the root CA in the certificate section.

    ocsp.png

    eaptls2.png

    Then you will need to specify the method in your service.

    eaptlsservice.png

     



  • 8.  RE: iOS devices can connect after certificate has been revoked

    Posted Aug 16, 2013 01:27 PM

    @tarnold

    Awesome once again!

    Thanks for the clarification.

    I had managed to figure out that in the service I needed to select my new EAP-TLS definition. That was the part that was missing for me.

    But the clarification definitely helps!

    The only difference is that under the 'Certificate Authority Settings' I took the option 'Authority Info Access - Specify an OCSP Responder URL' instead of overriding the OCSP URL in the EAP-TLS method. Not sure if the override is recommended versus specifying it in your 'Certificate Authority Settings'.

    Certificate_Authority_settings.png

    Authentication_Method_Custom_EAPTLS.png



  • 9.  RE: iOS devices can connect after certificate has been revoked

    Posted Aug 20, 2013 08:55 AM

    Not sure about recommended, but specifying it in your 'Certificate Authority Settings' is nicer in my opinion.



  • 10.  RE: iOS devices can connect after certificate has been revoked

    Posted Aug 20, 2013 09:30 AM

    That works for me.

    I sort of thought it was a toss-up between the two.

    It's nice to have options, though, in case for whatever reason the setting in the 'Certificate Authority Settings' doesn't work.

    Correct me if I am wrong, but the option to specify the OCSP URL didn't exist in the 'Certificate Authority Settings' in CPPM version 6.0.x?