Security

last person joined: yesterday 

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

cppm dot1x with ocsp running on windows 2012 server

This thread has been viewed 0 times

  • 1.  cppm dot1x with ocsp running on windows 2012 server

    Posted Dec 15, 2013 04:02 PM

    I was asked to move my post - hope it saves you the headaches of having to go through the arguments I have with my security guys....

     

    Issue:

     

    Anyone had any issues with ocsp verification with Microsoft CA running on 2012? I have removed nonces as a requirement and validated ocsp with certutil from a windows workstation using the client certificate that i exported off the laptop and it checks out OK. Interestingly enough the ocsp check when done from a Linux machine (not cppm) fails and the ocsp call using openssl is totally different to the oscp call from certutil on windows (seems to reference a Microsoft cryptoAPI) I have a tac raised and will post the solution when we get one but wondered if anyone could give us a head start? BTW all roots and intermediates are present and eaptls works fine providing I disable ocsp verification within the authentication method under the configured service. Many thanks.

     

    The fix:

     

    Just in case anyone gets caught out on this who have done a recent installtion of PKI:

     

    http://technet.microsoft.com/en-us/library/cc770945.aspx

     

    By allowing "Enable NONCE extensions support" you allow an OCSP check to get processed properly.  Keep the nonce option enabled on 6.2 CPPM.

     

    Note now my linux systems can do a OCSP check successfully - I guess at CPPMs heart lies a linux server, as most of the stuff is nowadays.

     

    I have more detail I can post up if anyone wants me to, regarding the certutil OCSP validatoin check the MicrosoftCryptoAPI and the openssl method fi you want.

     

    Hope it saves you guys some time if you end up in the same boat.

     

    To be absolutely crystal clear - nonce support needs to be enabled on the Microsoft CA server

     



  • 2.  RE: cppm dot1x with ocsp running on windows 2012 server

    Posted Dec 15, 2013 04:06 PM

    BTW - in a futher twist on the end, two CRL servers contain revocation material in this deployment, these sit behind a load balancer.  The ocsp call was being arbitrarity divided (as you would want & expect) by the load balancer.  Trouble was that the cert revocation serials were not being syncronised properly causing the ocsp call to return bad info.... another argument ensued and well this sync frequency was upped as  opposed to publshing a specific oscp url within each signed certificate  - anyone got any opinions on this last point BTW?



  • 3.  RE: cppm dot1x with ocsp running on windows 2012 server

    EMPLOYEE
    Posted Dec 15, 2013 11:49 PM
    Thanks for the post and I'm sure there will be others in the future that will benefit from all the information that you can post.

    With the growing concern with security a lot more people out there starting to deploy certificates more and more people will have to learn about OCSP with Clearpass, other PKI infrastructures and what are the best practices.


  • 4.  RE: cppm dot1x with ocsp running on windows 2012 server

    Posted Apr 23, 2014 09:07 AM

    Hello,

    just been going through the same issue on the Aruba controller and using certificates for IKEv1 authentication instead of PSK. Running OCSP check from controller to Microsoft 2012 CA failed until the NONCE exemption support was enabled on the CA.