Wireless Access

Frequent Contributor II

cppm dot1x with ocsp running on windows 2012 server

Anyone had any issues with OCSP verification with Microsoft CA running on 2012? I have removed nonces as a requirement and validated OCSP with certutil from a Windows workstation using the client certificate that I exported off the laptop, and it checks out OK. Interestingly enough, the OCSP check when done from a Linux machine (not CPPM) fails, and the OCSP call using openssl is totally different to the OCSP call from certutil on Windows (seems to reference a Microsoft CryptoAPI). I have a TAC raised and will post the solution when we get one, but wondered if anyone could give us a head start? BTW all roots and intermediates are present and EAP-TLS works fine providing I disable OCSP verification within the authentication method under the configured service. Many thanks.
Frequent Contributor II

Re: cppm dot1x with ocsp running on windows 2012 server

The fix....

Just in case anyone gets caught out on this who has done a recent installation of PKI:

http://technet.microsoft.com/en-us/library/cc770945.aspx

By allowing "Enable NONCE extensions support" you allow an OCSP check to get processed properly.

Note now my Linux systems can do an OCSP check successfully - I guess at CPPM's heart lies a Linux server, as most of the stuff is nowadays.

I have more detail I can post up if anyone wants me to, regarding the certutil OCSP validation check, the Microsoft CryptoAPI and the openssl method if you want.

Hope it saves you guys some time if you end up in the same boat.

Frequent Contributor II

Re: cppm dot1x with ocsp running on windows 2012 server

Sorry, to be absolutely crystal clear - nonce support needs to be enabled on the Microsoft CA server.
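To make the two posts above concrete, here is an added example (not from the thread or from ClearPass) that simulates the exchange in Python with the `cryptography` package (assumed installed): the client puts a nonce in its OCSP request, as openssl does by default; a responder with nonce support disabled answers without echoing it, which a strict client rejects, while the same check passes once the responder echoes the nonce. The lab CA, client certificate and nonce values are constructed here, not real data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID, OCSPExtensionOID

def _make_cert(subject, issuer_name, key, signer_key, ca):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))

# Constructed lab PKI (not real data): one issuing CA and one EAP-TLS client cert.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Lab CA")])
CA_CERT = _make_cert(CA_NAME, CA_NAME, CA_KEY, CA_KEY, ca=True)
CLIENT_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
CLIENT_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "laptop01")])
CLIENT_CERT = _make_cert(CLIENT_NAME, CA_NAME, CLIENT_KEY, CA_KEY, ca=False)

def build_request(nonce):
    """Client side: like 'openssl ocsp' by default, send a nonce with the request."""
    return (ocsp.OCSPRequestBuilder().add_certificate(CLIENT_CERT, CA_CERT, hashes.SHA1())
            .add_extension(x509.OCSPNonce(nonce), critical=False).build())

def build_response(request, echo_nonce):
    """Responder side. echo_nonce=False mimics a responder with nonce support disabled."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=CLIENT_CERT, issuer=CA_CERT, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.GOOD, this_update=now,
        next_update=now + datetime.timedelta(hours=1),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
    if echo_nonce:  # copy the client's nonce into the response extensions
        nonce = request.extensions.get_extension_for_oid(OCSPExtensionOID.NONCE).value
        builder = builder.add_extension(nonce, critical=False)
    return builder.sign(CA_KEY, hashes.SHA256())

def nonce_check(request, response):
    """Strict client check: accept the response only if it echoes the nonce we sent."""
    sent = request.extensions.get_extension_for_oid(OCSPExtensionOID.NONCE).value.nonce
    try:
        got = response.extensions.get_extension_for_oid(OCSPExtensionOID.NONCE).value.nonce
    except x509.ExtensionNotFound:
        return "missing"  # the situation before nonce support was enabled on the CA
    return "ok" if got == sent else "mismatch"
```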

Aruba

Re: cppm dot1x with ocsp running on windows 2012 server

Thanks for the info soapdish. Can you post what you found on the AAA thread? I'm sure some of the other guys could benefit from your information.

http://community.arubanetworks.com/t5/AAA-NAC-Guest-Access-BYOD/bd-p/aaa-nac-guest-access-byod

Thank You,
Troy

--Give Kudos: found something helpful, important, or cool? Click Kudos Star in a post.

--Problem Solved? Click "Accepted Solution" in a post.