Security

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

"Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding."

Could you please provide an example configuration for this?  It is not immediately obvious how to configure the [EAP TLS] (or a copy of) Authentication Method to support fail open.  We have been asking this question for a while without a usable answer.

Thank you!

------------------------------
Ben Higgins
------------------------------

Original Message:
Sent: Jan 31, 2022 10:59 AM
From: Herman Robers
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

It configurable under the EAP-TLS auth method. You can edit your existing method and change the drop down "verify certificate using OCSP" to "Required (CRL Fallback)"


------------------------------
Mathew George
------------------------------

Original Message:
Sent: Feb 07, 2022 01:40 PM
From: Ben Higgins
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

"Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding."

Could you please provide an example configuration for this?  It is not immediately obvious how to configure the [EAP TLS] (or a copy of) Authentication Method to support fail open.  We have been asking this question for a while without a usable answer.

Thank you!

------------------------------
Ben Higgins

Original Message:
Sent: Jan 31, 2022 10:59 AM
From: Herman Robers
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

Apologies... while not the original poster, I want to know if "Verify Certificate using OCSP" => "Optional" is a fail-open status?  The original poster had problems when SecureW2 CRL wasn't available and their end stations fell off the network.  If using OCSP, I'm looking for a configuration where that would not happen...

if "Verify Certificate using OCSP" => "Optional" and if the OCSP server is unavailable, will the end station be allowed or denied?

Thank you!

------------------------------
Ben Higgins
------------------------------

Original Message:
Sent: Feb 07, 2022 02:07 PM
From: Mathew George
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

It configurable under the EAP-TLS auth method. You can edit your existing method and change the drop down "verify certificate using OCSP" to "Required (CRL Fallback)"


------------------------------
Mathew George

Original Message:
Sent: Feb 07, 2022 01:40 PM
From: Ben Higgins
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

"Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding."

Could you please provide an example configuration for this?  It is not immediately obvious how to configure the [EAP TLS] (or a copy of) Authentication Method to support fail open.  We have been asking this question for a while without a usable answer.

Thank you!

------------------------------
Ben Higgins

Original Message:
Sent: Jan 31, 2022 10:59 AM
From: Herman Robers
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

Hi Ben,

That's a good question - because according to this post - "optional will still allow authentication to pass if there is no OCSP URI in the certificate." - so I don't think that option would a fail-open at all. However, the post continues with "If you do not want to require OCSP, change it to None. Another option is to use OCSP with CRL fallback which will consult the CRL if the OCSP responder is not available." - which matches up with Matthew's response up above - 

------------------------------
Chris
------------------------------

Original Message:
Sent: Feb 07, 2022 02:26 PM
From: Ben Higgins
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

Apologies... while not the original poster, I want to know if "Verify Certificate using OCSP" => "Optional" is a fail-open status?  The original poster had problems when SecureW2 CRL wasn't available and their end stations fell off the network.  If using OCSP, I'm looking for a configuration where that would not happen...

if "Verify Certificate using OCSP" => "Optional" and if the OCSP server is unavailable, will the end station be allowed or denied?

Thank you!

------------------------------
Ben Higgins

Original Message:
Sent: Feb 07, 2022 02:07 PM
From: Mathew George
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

It configurable under the EAP-TLS auth method. You can edit your existing method and change the drop down "verify certificate using OCSP" to "Required (CRL Fallback)"


------------------------------
Mathew George

Original Message:
Sent: Feb 07, 2022 01:40 PM
From: Ben Higgins
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

"Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding."

Could you please provide an example configuration for this?  It is not immediately obvious how to configure the [EAP TLS] (or a copy of) Authentication Method to support fail open.  We have been asking this question for a while without a usable answer.

Thank you!

------------------------------
Ben Higgins

Original Message:
Sent: Jan 31, 2022 10:59 AM
From: Herman Robers
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------

Thank you Herman - that was our theory as well although didn't have lab setup available to test the theory. We consulted with TAC - although weren't entirely confident in their initial recommendation which was to "Uncheck Authorization Required" AND "Remove the CRL" - because of some initial confusion.

What we did end up doing though was temporarily setting "Auto-Update" to "periodically update every 1 hour" to manually trigger an update - and then reverted back to "Update whenever CRL is update" - CRL Properties of CRL Last Update Time and CRL Next Update Time did update - but suspect due to our db issues - took about 15 minutes for the update to finally complete (based on it took 15 minutes for the Last Checked time) to update. This got us by for another week after we finally made progress on our database issue. Shall test in the future for behavior in lab and OSCP options.

In other note - we finally got our database issues taken care of. Issues were results of constant "db deadlocks" with errors showing up in System Event Details "Fdb: DB write service(fdb) unstable backlog" - cause was we had a ridiculous amount of  "failed logins" - that were constantly trying to update the database (removed this from deny enforcement profile - and worked with groups on campus to clean up their failing endpoints due to a certificate change).

Symptoms:

• Guest Operator Redirect Hanging
• Captive Portal Redirect Hanging
• Delayed Device and Guest Account Creations (sometimes 6 hours)
• Delayed CoA Triggering.
• Endpoint Database entries not being updated
  
  TAC also explained to us that when the CRL is checked - it gets loaded into the database and the radius config is restarted. So helped make a bit of sense on why the CRL expiration had occurred due to being unable to update it's database record for CRL.

------------------------------
Chris
------------------------------

Original Message:
Sent: Jan 31, 2022 10:59 AM
From: Herman Robers
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

My assumption would be that if you remove the CRL, that CRL checking is just disabled, and you can do that best before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.

Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.

Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Chris
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)

If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective or would it have to be done prior to CRL expiration - say in middle of an outage.

Not recommended I know, but background: the past 2 weeks our Clearpass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in middle of the night (resulting in outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind

---------------------------------
Chris
---------------------------------