Contributor I
Posts: 45
Registered: 09-11-2010

iOS devices can connect after certificate has been revoked

Hi all,

I tested Onboard with an iOS device, which works fine, but after the certificate has been revoked the iOS device can still connect using EAP-TLS.

Did I miss something?

Please advise.

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: iOS devices can connect after certificate has been revoked

Did you configure an OCSP URL in the EAP-TLS authentication method?

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 45
Registered: 09-11-2010

Re: iOS devices can connect after certificate has been revoked

Hi Colin,

I use the built-in default CA and I think it has OCSP by default. How can I check that?

Regards,
aakmit

Guru Elite
Posts: 20,585
Registered: 03-29-2007

Re: iOS devices can connect after certificate has been revoked

In ClearPass Policy Manager, the EAP-TLS authentication method by default does not have an OCSP URL. You need to make a copy of it; the copy will allow you to enter an OCSP URL, look at the certificate for an OCSP URL and enforce it.

Colin Joseph
Aruba Customer Engineering

Contributor I
Posts: 45
Registered: 09-11-2010

Re: iOS devices can connect after certificate has been revoked

Hi Colin,

Thanks for your help. Now it works.

Regards,

aakmit

Super Contributor II
Posts: 383
Registered: 09-05-2012

Re: iOS devices can connect after certificate has been revoked

Oh wait, I think I just figured out how to do it. Sorry.

Under your service we need to change the 'Authentication Methods' and select the EAP-TLS that we want to use...

I am testing now.

------------------------------------------------------------

Hey,

CPPM Version: 6.1.3.54640

I am trying to set up OCSP as well.

I am looking under CPPM > Authentication > Methods.

They have [EAP TLS] and [EAP TLS With OCSP Enabled].

And I created one called [EAP TLS With OCSP] because I want to try it and not override the OCSP URL, because in my 'Certificate Authority Settings' I 'Specify an OCSP Responder URL' (perhaps this is not the same setting?).

In the certificate generated for the client I see the correct URL for the OCSP check that I specified, so I am assuming that my client certificate contains the appropriate information to verify the certificate.

Where I am a little confused is: since there are 3 EAP-TLS types defined, how does CPPM know which one to use?

I thought that we might change this under: ClearPass Onboard > Configuration Profiles > Network Settings

But you can basically only select EAP-TLS there; how do we tell the system which EAP-TLS definition to use?

Hopefully that makes sense.

Thank you,

Cheers

Aruba
Posts: 1,537
Registered: 06-12-2012

Re: iOS devices can connect after certificate has been revoked

I think I understand what you're looking for, but correct me if I'm wrong.

If you go to the methods and select the service 'EAP-TLS with OCSP Enabled', once it's open you can click Copy (which I believe you already did).

[screenshot: eaptls.png]

In that method you have the option to select multiple options, and one of them is the check mark to override the OCSP URL from the client. What that does is give you the option to force OCSP to the location you designate. In a subscriber model you can tell the server where to check for the revocation: either itself, by using the default 'localhost', where the server will look at itself, or a specified address, which you can get by looking at the root CA in the certificate section.

[screenshot: ocsp.png]

[screenshot: eaptls2.png]

Then you will need to specify the method in your service.

[screenshot: eaptlsservice.png]

Thank You,
Troy
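
What the thread describes can be reproduced outside ClearPass with nothing but the openssl command-line tool. The script below is an added example (not from this thread and not Aruba's code): it builds a throwaway CA, issues a client certificate whose AIA extension carries an OCSP responder URL (the equivalent of the Onboard CA's 'Specify an OCSP Responder URL' setting), and then compares plain chain validation with an OCSP check before and after the certificate is revoked. The CA, the 'iOS device' certificate, the placeholder responder URL http://ocsp.example.test/ (never contacted; OpenSSL's responder is driven offline from an index file) and the revocation record are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from Aruba. Everything here is constructed:
# the CA, the "iOS device" client cert, the placeholder responder URL (never
# contacted) and the revocation record. Needs only the openssl CLI.
set -eu

WORK=$(mktemp -d)
OCSP_URL="http://ocsp.example.test/"   # stands in for the Onboard CA's 'Specify an OCSP Responder URL'

# Build the CA, issue a client cert that carries the OCSP URL in its AIA extension
# (what Onboard does when the responder URL is set on the CA), then write two
# index files in 'openssl ca' format: one with the cert valid, one with it revoked.
setup_pki() {
    cd "$WORK"
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout ca.key -out ca.pem -days 30 -subj "/CN=Demo Onboard CA" >/dev/null 2>&1
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
        -keyout client.key -out client.csr -subj "/CN=ios-device" >/dev/null 2>&1
    printf 'authorityInfoAccess = OCSP;URI:%s\nextendedKeyUsage = clientAuth\n' "$OCSP_URL" > client.ext
    openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -set_serial 4097 \
        -days 30 -extfile client.ext -out client.pem >/dev/null 2>&1
    serial=$(openssl x509 -noout -serial -in client.pem | cut -d= -f2)
    # index columns (tab-separated): status, expiry, revocation date[,reason], serial, file, subject
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=ios-device\n' "$serial" > index_valid.txt
    printf 'R\t300101000000Z\t240101000000Z,keyCompromise\t%s\tunknown\t/CN=ios-device\n' "$serial" > index_revoked.txt
}

# The responder URL a RADIUS server would read out of the client certificate's AIA.
ocsp_uri_of() { openssl x509 -noout -ocsp_uri -in "$1"; }

# Plain chain validation, i.e. EAP-TLS with no OCSP configured. Prints OK or the error.
chain_status() { openssl verify -CAfile ca.pem "$1" 2>/dev/null | sed -n "s|^$1: ||p"; }

# Revocation check: $1 = client cert, $2 = index file. Prints good, revoked or unknown.
ocsp_status() {
    # responder side, run offline: answer the request from the index, response signed by the CA
    openssl ocsp -index "$2" -CA ca.pem -rsigner ca.pem -rkey ca.key -CAfile ca.pem \
        -issuer ca.pem -cert "$1" -no_nonce -respout resp.der >/dev/null 2>&1
    # verifier side: check the responder's signature and read the status for our serial
    openssl ocsp -issuer ca.pem -cert "$1" -CAfile ca.pem -no_nonce -respin resp.der 2>/dev/null \
        | sed -n "s|^$1: ||p"
}

setup_pki
echo "OCSP responder in AIA:     $(ocsp_uri_of client.pem)"
echo "chain check, before revoke: $(chain_status client.pem)"
echo "OCSP check, before revoke:  $(ocsp_status client.pem index_valid.txt)"
echo "chain check, after revoke:  $(chain_status client.pem)"   # still OK: nothing asked the responder
echo "OCSP check, after revoke:   $(ocsp_status client.pem index_revoked.txt)"
```

Run it with sh. The last two lines are the thread's symptom and its fix: openssl verify still reports OK after the revocation, because chain validation alone never consults the responder, while the OCSP check returns revoked. In ClearPass terms, the stock EAP-TLS method is the chain check; the copied method with OCSP enabled is the second function, reading the URL from the certificate's AIA unless you tick the override and point it at a URL of your own.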
Super Contributor II
Posts: 383
Registered: 09-05-2012

Re: iOS devices can connect after certificate has been revoked

@tarnold

Awesome once again!

Thank you for the clarification.

I had managed to figure out that in the service I needed to select my new EAP-TLS definition. That was the part that was missing for me.

But the clarification definitely helps!

The only difference I did was that under the 'Certificate Authority Settings' I took the option 'Authority Info Access - Specify an OCSP Responder URL' instead of overriding the OCSP URL in the EAP-TLS method. Not sure if the override is recommended versus specifying it in your 'Certificate Authority Settings'.

[screenshot: Certificate_Authority_settings.png]

[screenshot: Authentication_Method_Custom_EAPTLS.png]

MVP
Posts: 1,407
Registered: 11-30-2011

Re: iOS devices can connect after certificate has been revoked

Not sure about recommended, but specifying it in your 'Certificate Authority Settings' is nicer in my opinion.

Super Contributor II
Posts: 383
Registered: 09-05-2012

Re: iOS devices can connect after certificate has been revoked

That works for me.

I sort of thought it was a toss-up between the two.

It's nice to have options, though, in case for whatever reason the setting in the 'Certificate Authority Settings' doesn't work.

Correct me if I am wrong, but the option to specify the OCSP URL didn't exist in the 'Certificate Authority Settings' in CPPM version 6.0.X?