Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

EAP-TLS Failure Due To Expired CRL (URL Download)

  • 1.  EAP-TLS Failure Due To Expired CRL (URL Download)

    Posted Jan 26, 2022 08:23 PM
    If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective, or would it have to be done prior to CRL expiration, say in the middle of an outage?

    Not recommended, I know, but background: for the past 2 weeks our ClearPass admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in the middle of the night (resulting in an outage for onboarded individuals). We're still in a holding pattern, and nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind.

    ---------------------------------
    Chris
    ---------------------------------


  • 2.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    EMPLOYEE
    Posted Jan 31, 2022 11:00 AM
    According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.

    My assumption would be that if you remove the CRL, CRL checking is just disabled, and you can best do that before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in a lab) by your Aruba partner or Aruba support.

    Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    Posted Feb 07, 2022 01:41 PM
    "Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding."

    Could you please provide an example configuration for this? It is not immediately obvious how to configure the [EAP TLS] Authentication Method (or a copy of it) to support fail-open. We have been asking this question for a while without a usable answer.

    Thank you!


    ------------------------------
    Ben Higgins
    ------------------------------



  • 4.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    EMPLOYEE
    Posted Feb 07, 2022 02:07 PM
    It is configurable under the EAP-TLS auth method. You can edit your existing method and change the drop-down "Verify Certificate using OCSP" to "Required (CRL Fallback)".


    ------------------------------
    Mathew George
    ------------------------------



  • 5.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    Posted Feb 07, 2022 02:26 PM

    Apologies... while not the original poster, I want to know if "Verify Certificate using OCSP" => "Optional" is a fail-open status. The original poster had problems when the SecureW2 CRL wasn't available and their end stations fell off the network. If using OCSP, I'm looking for a configuration where that would not happen...

    If "Verify Certificate using OCSP" => "Optional" and the OCSP server is unavailable, will the end station be allowed or denied?

    Thank you!



    ------------------------------
    Ben Higgins
    ------------------------------



  • 6.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    Posted Feb 07, 2022 03:06 PM

    Hi Ben,

    That's a good question, because according to this post, "optional will still allow authentication to pass if there is no OCSP URI in the certificate," so I don't think that option would be a fail-open at all. However, the post continues with "If you do not want to require OCSP, change it to None. Another option is to use OCSP with CRL fallback which will consult the CRL if the OCSP responder is not available," which matches up with Mathew's response up above.


    ------------------------------
    Chris
    ------------------------------



  • 7.  RE: EAP-TLS Failure Due To Expired CRL (URL Download)

    Posted Feb 07, 2022 02:55 PM

    Thank you, Herman. That was our theory as well, although we didn't have a lab setup available to test it. We consulted with TAC, although we weren't entirely confident in their initial recommendation, which was to "Uncheck Authorization Required" AND "Remove the CRL", because of some initial confusion.

    What we did end up doing was temporarily setting "Auto-Update" to "Periodically update every 1 hour" to manually trigger an update, and then reverting back to "Update whenever CRL is updated". The CRL properties CRL Last Update Time and CRL Next Update Time did update, but (we suspect due to our DB issues) it took about 15 minutes for the update to finally complete, based on the Last Checked time taking 15 minutes to update. This got us by for another week after we finally made progress on our database issue. We shall test the behavior and the OCSP options in a lab in the future.

    On another note, we finally got our database issues taken care of. The issues were the result of constant "db deadlocks", with errors showing up in System Event Details as "Fdb: DB write service(fdb) unstable backlog". The cause was that we had a ridiculous amount of "failed logins" that were constantly trying to update the database (we removed this from the deny enforcement profile and worked with groups on campus to clean up their failing endpoints due to a certificate change).

    Symptoms:

    • Guest Operator Redirect Hanging
    • Captive Portal Redirect Hanging
    • Delayed Device and Guest Account Creations (sometimes 6 hours)
    • Delayed CoA Triggering.
    • Endpoint Database entries not being updated

    TAC also explained to us that when the CRL is checked, it gets loaded into the database and the RADIUS config is restarted. So that helped make a bit of sense of why the CRL expiration had occurred, due to being unable to update its database record for the CRL.


    ------------------------------
    Chris
    ------------------------------
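
Added example, not from this thread, Aruba, or SecureW2: the failure mode discussed in posts 1, 2 and 7, reproduced with plain OpenSSL against a constructed throwaway PKI (an issuing CA, one EAP-TLS client certificate, one CRL valid for 24 hours; the file names, subjects and lifetimes are my own). It shows three things a practitioner would want confirmed before touching the CRL configuration mid-outage: a fresh CRL passes `-crl_check`; the same certificate is rejected with "CRL has expired" once the verifier's clock is moved three days ahead with `-attime`, regardless of whether anything was ever revoked; and the certificate passes again when no revocation check is performed at all, which is what the thread assumes removing the CRL URL amounts to (an assumption about ClearPass, not verified here). The last function reads the CRL's nextUpdate, the field ClearPass shows as CRL Next Update Time, so a cron job or monitor can alert hours before expiry instead of during the night. It assumes an OpenSSL CLI that supports `openssl verify -attime` and `-CRLfile`, GNU `date -d` for parsing the nextUpdate string, and `mktemp -d`.

```shell
#!/bin/sh
# Added example (not from the thread or Aruba): reproduce "expired CRL => every cert
# from that issuer fails revocation checking" with a throwaway CA, then show the
# checks worth scripting around it. Assumes OpenSSL CLI, GNU date, mktemp.
set -eu

setup_demo_pki() {
    # Constructed demo PKI in a temp dir: issuing CA, one client cert, one CRL valid 24h.
    WORK=$(mktemp -d)
    cat > "$WORK/ca.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_crl_days = 1
EOF
    : > "$WORK/index.txt"                       # empty CA database: nothing revoked
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Issuing CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=laptop01" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.pem" 2>/dev/null
    # CRL with nextUpdate = now + 1 day (the thread's CRL expired because this
    # point was passed before ClearPass managed to download a newer one).
    (cd "$WORK" && openssl ca -config ca.cnf -gencrl -crldays 1 -out crl.pem 2>/dev/null)
}

# verify_client MODE [EPOCH]: MODE "crl" = revocation check required against the CRL,
# "nocrl" = no revocation check at all. EPOCH moves the verifier's clock (-attime).
# Prints "OK" or the OpenSSL reason; always returns 0 so callers can compare output.
verify_client() {
    mode=$1; when=${2:-$(date +%s)}
    if [ "$mode" = crl ]; then
        out=$(openssl verify -attime "$when" -crl_check -CAfile "$WORK/ca.pem" \
              -CRLfile "$WORK/crl.pem" "$WORK/client.pem" 2>&1 || true)
    else
        out=$(openssl verify -attime "$when" -CAfile "$WORK/ca.pem" "$WORK/client.pem" 2>&1 || true)
    fi
    case $out in
        *": OK"*)             echo OK ;;
        *"CRL has expired"*)  echo "CRL has expired" ;;
        *)                    echo "$out" | tail -n 1 ;;
    esac
}

# crl_hours_left FILE: whole hours until the CRL's nextUpdate; negative means expired.
# Alert on this well before it reaches zero (GNU date -d assumed for parsing).
crl_hours_left() {
    next=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    echo $(( ( $(date -u -d "$next" +%s) - $(date +%s) ) / 3600 ))
}

setup_demo_pki
NOW=$(date +%s)
echo "now, CRL check required:        $(verify_client crl "$NOW")"
echo "+3 days, CRL check required:    $(verify_client crl $((NOW + 3*86400)))"
echo "+3 days, no revocation check:   $(verify_client nocrl $((NOW + 3*86400)))"
echo "hours until CRL nextUpdate:     $(crl_hours_left "$WORK/crl.pem")"
```

Note that the "+3 days" rejection happens with an empty CRL: the verifier is not saying the certificate is revoked, it is saying it cannot tell, and a standard X.509 verifier fails closed on that. Removing the check restores access for every certificate from the issuer, including any that were revoked, which is why the thread treats it as an emergency measure rather than a fix; the hours-left check is the cheap way to get ahead of the next one.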