Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

ClearPass EAP-TLS with (optional?) OCSP Authentication

  • 1.  ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 22 days ago
    Hi all,

    I just configured the authentication method to combine ClearPass with our OCSP server to validate the device certificates using this default service:
    Authentication Method > [EAP-TLS With OCSP Enabled]

    I use this option to validate if the used certificate is not revoked by the CA.
    By setting 'Verify Certificate using OCSP' to 'Optional' I was hoping that the certificate would be validated against our OCSP server IF the server is available. If the server is offline, I would like ClearPass to skip the OCSP validation and just continue on. This doesn't appear to be the case, as access is rejected when I set the OCSP URL to a random IP, not the OCSP server.



    Test with random server as OCSP (simulating an offline OCSP server):


    My question: How do I configure EAP-TLS With OCSP to skip the validation IF the OCSP server is not available? 
    Thanks in advance!

    ------------------------------
    Lex
    ------------------------------


  • 2.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 22 days ago
    Clearpass OCSP Optional Setting | Security (arubanetworks.com)

    I don't believe you can soft fail.

    ------------------------------
    Tim C
    ------------------------------



  • 3.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 21 days ago
    Hi timms,

    Thanks for your reply, I've read the post you mentioned yesterday. Concluding: there's no way to configure ClearPass to ignore the OCSP check if the server is unavailable? I've read about the CRL fallback, but in our case the CRL publication is located on the same server as the OCSP itself.

    I want to avoid clients not getting authenticated when the OCSP server is unreachable, but check certificates if the OCSP is online (as it is most of the time). Is there some sort of way to achieve this?

    ------------------------------
    Lex
    ------------------------------



  • 4.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 21 days ago
    I don't believe it's possible and would not be a good idea.







  • 5.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 21 days ago
    CRL is downloaded periodically, so there is a good chance that if you have an outage on your OCSP server, there still is a valid CRL available on ClearPass.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: ClearPass EAP-TLS with (optional?) OCSP Authentication

    Posted 20 days ago

    Hi Herman,

    That's right, CRL would be the rescuer in this scenario; however, it is only for a limited amount of time, as each CRL file will have an expiry time set by the respective CRL server.

    So, the authentications would work, only until that point.

    After it reaches the expiry date/time, authentications will fail.



    ------------------------------
    Vignesh S
    ------------------------------
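The fallback chain Herman and Vignesh describe (OCSP first; a previously downloaded CRL only while it has not passed its expiry) can be modelled to see exactly how long an OCSP outage is survivable. The following is an added example that models that logic and computes the remaining fallback window; it is not ClearPass code, and the CRL metadata, serial numbers and timestamps are constructed samples.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CachedCrl:
    """Metadata of a CRL already downloaded by the NAC (constructed sample data)."""
    this_update: datetime
    next_update: datetime            # past this instant the CRL is stale and must not be trusted
    revoked_serials: frozenset       # serial numbers listed as revoked in the CRL


def revocation_decision(serial, now, ocsp_reachable, ocsp_says_revoked, crl):
    """Model of the behaviour discussed in the thread (assumption, not vendor code).

    Returns (accept, reason). OCSP is authoritative whenever it answers; if it is
    unreachable the cached CRL is consulted, but only until its nextUpdate time.
    """
    if ocsp_reachable:
        return (not ocsp_says_revoked, "ocsp")
    if crl is None:
        return (False, "ocsp-unreachable-no-crl")
    if now >= crl.next_update:
        return (False, "ocsp-unreachable-crl-expired")
    return (serial not in crl.revoked_serials, "crl-fallback")


def fallback_window_remaining(now, crl):
    """How long authentications keep working on the cached CRL if OCSP goes down now."""
    return max(crl.next_update - now, timedelta(0))


def should_alert(now, crl, minimum=timedelta(hours=24)):
    """Monitoring hook: warn when the CRL window is shorter than the outage you want to ride out."""
    return fallback_window_remaining(now, crl) < minimum


if __name__ == "__main__":
    crl = CachedCrl(
        this_update=datetime(2024, 1, 1, tzinfo=timezone.utc),
        next_update=datetime(2024, 1, 8, tzinfo=timezone.utc),   # 7-day CRL, constructed
        revoked_serials=frozenset({0x1A2B}),
    )
    day3 = datetime(2024, 1, 4, tzinfo=timezone.utc)
    print(revocation_decision(0x0001, day3, False, False, crl))  # accepted via CRL fallback
    print(fallback_window_remaining(day3, crl))                  # 4 days of window left
```

Feeding the real thisUpdate/nextUpdate of the CRL your CA publishes into `should_alert` tells you whether the CRL fallback covers the OCSP outages you actually expect.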