Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

ClearPass EAP-TLS with (optional?) OCSP Authentication

  • 1.  ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted Oct 04, 2021 05:27 AM
    Hi all,

    I just configured the authentication method to combine ClearPass with our OCSP server to validate the device certificates using this default service:
    Authentication Method > [EAP-TLS With OCSP Enabled]

    I use this option to validate if the used certificate is not revoked by the CA.
    By setting the 'Verify Certificate using OCSP' to 'Optional' I was hoping that the certificate would be validated against our OCSP server IF the server is available. If the server is offline, I would like ClearPass to skip the OCSP validation and just continue on. This doesn't appear to be the case, as access is rejected when I set the OCSP URL to a random IP, not the OCSP server.



    Test with random server as OCSP (simulating an offline OCSP server):


    My question: How do I configure EAP-TLS With OCSP to skip the validation IF the OCSP server is not available? 
    Thanks in advance!

    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    MVP EXPERT
    Posted Oct 04, 2021 06:42 PM
    Clearpass OCSP Optional Setting | Security (arubanetworks.com)

    I don't believe you can soft fail.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted Oct 05, 2021 03:35 AM
    Hi timms,

    Thanks for your reply, I've read the post you mentioned yesterday. Concluding: there's no way to configure ClearPass to ignore the OCSP check if the server is unavailable? I've read about the CRL fallback, but in our case the CRL publication is located on the same server as the OCSP itself.

    I want to avoid clients not getting authenticated when the OCSP server is unreachable, but check certificates if the OCSP is online (as it is most of the time). Is there some sort of way to achieve this?

    ------------------------------
    Lex
    ------------------------------



  • 4.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    MVP EXPERT
    Posted Oct 05, 2021 08:56 AM
    I don't believe it's possible and would not be a good idea.







  • 5.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    EMPLOYEE
    Posted Oct 05, 2021 09:07 AM
    CRL is downloaded periodically, so there is a good chance that if you have an outage on your OCSP server, there still is a valid CRL available on ClearPass.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    EMPLOYEE
    Posted Oct 06, 2021 12:54 PM

    Hi Herman,

    That's right, CRL would be the rescuer in this scenario; however, it is only for a limited amount of time as each CRL file will have an expiry time set by the respective CRL server.

    So, the authentications would work, only until that point.

    After it reaches the expiry date/time, authentications will fail.



    ------------------------------
    Vignesh S
    ------------------------------
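As an added illustration of the behaviour discussed in this thread (a simulation written for this page, not ClearPass code), the following Python models the three outcomes the replies describe: OCSP answers, OCSP is unreachable but a periodically downloaded CRL is still within its nextUpdate window, and OCSP is unreachable after the cached CRL has expired. The responder functions, CRL contents, serial numbers and dates are constructed for the example.

```python
# Added example, not ClearPass code: models how a revocation check with no OCSP
# soft-fail behaves. OCSP is consulted first; an unreachable responder falls back
# to a cached CRL, and that fallback only holds until the CRL's nextUpdate passes.
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional, Set, Tuple

@dataclass
class CachedCRL:
    """The periodically downloaded CRL held locally (constructed sample)."""
    this_update: datetime
    next_update: datetime
    revoked_serials: Set[int] = field(default_factory=set)

class OCSPUnavailable(Exception):
    """Raised when the responder cannot be reached (the 'random IP' test above)."""

def check_revocation(serial: int, now: datetime,
                     ocsp_query: Callable[[int], str],
                     crl: Optional[CachedCRL]) -> Tuple[bool, str]:
    """Return (accept, reason). Hard-fails when neither source can answer."""
    try:
        status = ocsp_query(serial)            # "good" or "revoked"
        return status == "good", f"ocsp:{status}"
    except OCSPUnavailable:
        pass                                   # fall through to the cached CRL
    if crl is None:
        return False, "ocsp unreachable, no CRL cached"
    if now >= crl.next_update:                 # the limit Vignesh describes
        return False, "ocsp unreachable, cached CRL expired"
    if serial in crl.revoked_serials:
        return False, "crl:revoked"
    return True, "crl:good (valid only until CRL nextUpdate)"

# Constructed scenario: CRL published Oct 4 with a 7-day nextUpdate, serial 0x42 revoked.
T0 = datetime(2021, 10, 4, tzinfo=timezone.utc)
T_FRESH = T0 + timedelta(days=1)               # CRL still valid
T_EXPIRED = T0 + timedelta(days=8)             # past nextUpdate
CRL = CachedCRL(this_update=T0, next_update=T0 + timedelta(days=7), revoked_serials={0x42})

def responder_down(serial: int) -> str:        # simulated offline OCSP server
    raise OCSPUnavailable("connect timeout")

def responder_up(serial: int) -> str:          # simulated healthy OCSP server
    return "revoked" if serial == 0x42 else "good"

if __name__ == "__main__":
    for label, q, crl, t in [("ocsp up", responder_up, CRL, T0),
                             ("ocsp down, no crl", responder_down, None, T0),
                             ("ocsp down, crl fresh", responder_down, CRL, T_FRESH),
                             ("ocsp down, crl expired", responder_down, CRL, T_EXPIRED)]:
        print(f"{label:24} -> {check_revocation(0x10, t, q, crl)}")
```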