11-18-2013 08:19 PM
We are using EAP-TLS certificates (after onboarding iOS devices) for authentication. Hopefully I should use [EAP TLS with OCSP enabled] as authentication method (not just 'EAP-TLS'). I'm trying to revoke a tls-client cert in ClearPass such that its client is denied access.
I'm mentioning an OCSP URL in Authority Info Access in ClearPass Onboard CA settings also. But when I try to access the network, I'm getting "Could not verify OCSP response - EAP-TLS: fatal alert by server - certificate_unknown" error. Please see the attached images.
Could you please guide?
11-19-2013 11:38 AM - edited 11-19-2013 11:41 AM
Is ClearPass the certificate authority or is it a subordinate CA?
If it's the CA, view the details for [EAP TLS With OCSP Enabled]. Check this against the actual OCSP URL. To do this, switch over to ClearPass Guest, and navigate to: Onboard > Initial Setup > Certificate Authorities. The ClearPass CA is listed here along with the OCSP URL. Make sure it matches the URL in your EAP TLS method.
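The URL comparison described in the reply above can also be done from a shell. This is an added example, not part of the original thread or of ClearPass tooling: it reads the OCSP URL from a certificate's Authority Info Access extension with `openssl` and compares it to the URL configured in the EAP-TLS method. The certificate, file names and URLs are constructed samples, and the helper function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. Certificate, file names and URLs are constructed samples.

# Print the OCSP responder URL(s) from a PEM certificate's AIA extension.
cert_ocsp_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Lowercase scheme and host (case-insensitive parts) and drop a trailing slash.
normalize_url() {
    local url="${1%/}" scheme rest host path=""
    scheme="${url%%://*}"
    rest="${url#*://}"
    host="${rest%%/*}"
    case "$rest" in */*) path="/${rest#*/}" ;; esac
    printf '%s://%s%s\n' "$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')" \
        "$(printf '%s' "$host" | tr 'A-Z' 'a-z')" "$path"
}

# Exit status: 0 = certificate URL matches the configured one, 1 = mismatch,
# 2 = certificate carries no OCSP URL at all.
check_ocsp_url() {
    local cert="$1" want rc=2 url
    want="$(normalize_url "$2")"
    while IFS= read -r url; do
        [ -n "$url" ] || continue
        rc=1
        if [ "$(normalize_url "$url")" = "$want" ]; then return 0; fi
    done <<EOF
$(cert_ocsp_urls "$cert")
EOF
    return "$rc"
}

# Throwaway self-signed certificate with the given OCSP URL; it stands in for
# a client certificate exported from an onboarded device (needs OpenSSL 1.1.1+).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sample-client" \
        -keyout "$1.key" -out "$1" \
        -addext "authorityInfoAccess = OCSP;URI:$2" 2>/dev/null
}

tmp="$(mktemp -d)"
make_sample_cert "$tmp/client.pem" "http://ca.example.test/ocsp"
for configured in "http://CA.example.test/ocsp/" "http://old-ca.example.test/ocsp"; do
    if check_ocsp_url "$tmp/client.pem" "$configured"; then echo "OK: $configured"
    else echo "MISMATCH: $configured vs $(cert_ocsp_urls "$tmp/client.pem")"; fi
done
```
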