Revoking clearpass onboard certificate fails

  • 1.  Revoking clearpass onboard certificate fails

    Posted Nov 18, 2013 11:20 PM

    Hello guys,

    We are using EAP-TLS certificates (after onboarding iOS devices) for authentication. Hopefully I should use [EAP TLS with OCSP enabled] as authentication method (not just 'EAP-TLS'). I'm trying to revoke a tls-client cert in ClearPass such that its client is denied access.

    I'm mentioning an OCSP URL in Authority Info Access in ClearPass Onboard CA settings also. But when I try to access the network, I'm getting "Could not verify OCSP response - EAP-TLS: fatal alert by server - certificate_unknown" error. Please see the attached images.

    Could you please guide?

    Thanks,
    Bharani..



  • 2.  RE: Revoking clearpass onboard certificate fails
    Best Answer

    Posted Nov 19, 2013 02:39 PM

    Is ClearPass the certificate authority or is it a subordinate CA?

    If it's the CA, view the details for [EAP TLS With OCSP Enabled]. Check this against the actual OCSP URL. To do this, switch over to ClearPass Guest, and navigate to: Onboard > Initial Setup > Certificate Authorities. The ClearPass CA is listed here along with the OCSP URL. Make sure it matches the URL in your EAP TLS method.



  • 3.  RE: Revoking clearpass onboard certificate fails

    Posted Nov 19, 2013 09:26 PM

    Hello MVP,

    Thank you for your reply. Probably that should be the mistake I guess. I'll go to the office and give it a try and get back to you.

    Regards,

    Bharani..



  • 4.  RE: Revoking clearpass onboard certificate fails
    Best Answer

    Posted Nov 21, 2013 09:43 PM

    Hi,

    It has worked! The OCSP URL should be the same on CPPM as well as in the CA settings on the CPPM Onboard page.

    Thank you.

    Regards,

    Bharani..
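
The check described in reply 2 and confirmed in reply 4 can also be run against an issued client certificate. The following is an added example, not part of the original thread and not ClearPass code: it pulls the OCSP responder URL out of the certificate's Authority Info Access extension and compares it with the URL configured in the EAP-TLS method. It scans the DER for the id-ad-ocsp access method rather than fully parsing ASN.1; the function names, the host and the URL paths are constructed placeholders.

```python
import base64
import re

# DER encoding of the id-ad-ocsp access method OID (1.3.6.1.5.5.7.48.1)
OCSP_OID = bytes.fromhex("06082b06010505073001")

def to_der(data):
    """Accept PEM or raw DER certificate bytes and return DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def read_len(buf, i):
    """Decode a DER length at buf[i]; return (length, offset of the value)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def ocsp_urls(der):
    """Return every OCSP responder URI found in Authority Info Access."""
    urls, pos = [], der.find(OCSP_OID)
    while pos != -1:
        i = pos + len(OCSP_OID)
        # accessLocation must be GeneralName [6] uniformResourceIdentifier
        if i + 1 < len(der) and der[i] == 0x86:
            length, start = read_len(der, i + 1)
            urls.append(der[start:start + length].decode("ascii", "replace"))
        pos = der.find(OCSP_OID, pos + 1)
    return urls

def check(cert_bytes, configured_url):
    """Compare the certificate's OCSP URL(s) with the configured one (exact match)."""
    found = ocsp_urls(to_der(cert_bytes))
    return {"cert_urls": found, "configured": configured_url,
            "match": configured_url.strip() in found}

def tlv(tag, body):
    """Build a short-form DER TLV (body under 128 bytes), for the sample only."""
    return bytes([tag, len(body)]) + body

# Constructed sample: only the AIA extension value, with a placeholder URL.
CONSTRUCTED_URL = "http://clearpass.example.com/ocsp-placeholder"
SAMPLE_AIA = tlv(0x30, tlv(0x30, OCSP_OID + tlv(0x86, CONSTRUCTED_URL.encode())))

if __name__ == "__main__":
    print(check(SAMPLE_AIA, CONSTRUCTED_URL))
    print(check(SAMPLE_AIA, "http://clearpass.example.com/other-placeholder"))
```

For a real check, pass the bytes of an exported client certificate (PEM or DER) to `check()` together with the OCSP URL shown in the authentication method.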