Hi,
Only ever used OCSP for cert validation. CRL lists seem painful, whereas OCSP to a system with a back-end DB gave you an instant, up-to-date response. (Not sure it's true, but someone mentioned the Windows OCSP was just a front end to CRL lists … so the only way to keep an up-to-date OCSP system was to schedule CRL list generation more frequently … but don't know if that's true or not, not a windoze person .. yetch!)
Ran the CloudPath onboarding solution for 5 years and had that set up so people could install client certs and ClearPass just did cert validation via OCSP .. no AD involved. In fact took it one step further: given the only provider for certs on the site eduroam Wi-Fi was the CloudPath system, I used the EAP-TLS method option to override the OCSP URL with a fixed one pointing to CloudPath. That way, if someone came on site with their own EAP-TLS client (think OCSP validation going off site to an unknown server as being "guest access" on a WPA2-Enterprise net), the only server used for OCSP validation would be CloudPath. If you weren't a locally configured device you didn't get connected using TLS.
This was only in "test mode", not production, but did run certs on Windows / Android / macOS / iOS / Chromebooks and it just worked. Even started looking at SCEP to drop certs on Apple devices and the VMware MDM solution. Think we had ~300-400 TLS clients in the end. The MDM stuff was cool: could fire up Android tablets that ran one app, no access to anything else, and EAP-TLS provided the "always on" connectivity.
It all worked and was pretty cool!
What didn't work was the systems people using the Windows PKI to generate certs with a realm in the CN so devices could use EAP-TLS on eduroam at remote sites. At the time they didn't want to use CloudPath as an intermediate CA bound to their root CA .. which would have been good. … That may have changed.
A
Original Message:
Sent: 6/16/2021 4:14:00 AM
From: pete2020
Subject: RE: clearpass EAP-TLS without AD source
Thanks again Alex,
I was just setting up a lab to get an EAP-TLS session going with no AD.
However, absolutely appreciate what you are saying with regard to OCSP.
I have never used OCSP.
I think we are going to see OCSP more and more.
Have you done many installs with EAP-TLS and OCSP?
CHEERS
Pete
------------------------------
Pete Elms
------------------------------
Original Message:
Sent: Jun 15, 2021 01:01 PM
From: Alex Sharaz
Subject: clearpass EAP-TLS without AD source
Yup, it's Alex.
'Course if you don't have OCSP or authorization, all you're checking is that the cert hasn't expired; you're not checking whether it's been revoked, so not really ideal
but it works
Rgds
A
Original Message:
Sent: 6/15/2021 12:06:00 PM
From: pete2020
Subject: RE: clearpass EAP-TLS without AD source
I'm assuming your name is Alex.
Thanks, Alex, for taking the time.
I've given you KUDOS for your answer.
Let me know if the KUDOS hasn't shown up.
cheers
pete
------------------------------
Pete Elms
Original Message:
Sent: Jun 15, 2021 12:03 PM
From: Pete Elms
Subject: clearpass EAP-TLS without AD source
Thank you so much, you were absolutely right.
Works a treat.
Have a great day
pete
------------------------------
Pete Elms
Original Message:
Sent: Jun 15, 2021 11:47 AM
From: Alex Sharaz
Subject: clearpass EAP-TLS without AD source
Create a copy of the EAP-TLS method and uncheck "authorisation required".
If his client cert has an OCSP URL then you could also enable OCSP.
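What the two settings above actually check, as an added example that is not from the thread or from Aruba: a shell script using only the openssl CLI (assumed installed) to reproduce offline the point made later in the thread, that with "authorisation required" off and no OCSP the server only confirms the cert chains to the trusted CA and has not expired, while a pinned OCSP responder also catches revocation. The CA, the client certificate, its AIA URL http://ocsp.example.invalid/ and the file-based responder answering from the CA's index file are all constructed for the demo; the responder stands in for the onboarding system's, and the CA key signs the responses directly rather than through a delegated responder certificate.

```shell
#!/bin/sh
# Added example (not from the thread): what an EAP-TLS RADIUS server learns
# about a client certificate with and without OCSP, reproduced offline with the
# openssl CLI. Everything is constructed for the demo: a throwaway CA, a client
# cert that is issued and then revoked, and a file-based OCSP responder standing
# in for the onboarding system's responder (the one you would pin).
set -eu

WORK=$(mktemp -d)
CA_CRT=$WORK/ca.crt
CA_KEY=$WORK/ca.key
CLIENT=$WORK/client.crt
INDEX=$WORK/index.txt   # CA database: the only revocation source we trust

# --- throwaway issuing CA (constructed) -------------------------------------
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Demo Onboarding CA" -keyout "$CA_KEY" -out "$CA_CRT" 2>/dev/null

# Minimal 'openssl ca' setup so issuing and revoking go through a real index.
mkdir "$WORK/newcerts"
: > "$INDEX"
echo 1001 > "$WORK/serial"
cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = cn_only
x509_extensions = client_ext
[ cn_only ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
# AIA is whatever the issuer put there. Assumed URL; never contacted here.
authorityInfoAccess = OCSP;URI:http://ocsp.example.invalid/
EOF

# --- one EAP-TLS client certificate (constructed) ---------------------------
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice@example.edu" \
  -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
openssl ca -batch -notext -config "$WORK/ca.cnf" \
  -in "$WORK/client.csr" -out "$CLIENT" 2>/dev/null

# Check 1: chain to the trusted CA plus validity period. This is all that is
# left when "authorisation required" is unchecked and OCSP is off.
chain_only_status() {
  if openssl verify -CAfile "$CA_CRT" -purpose sslclient "$1" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# The responder URL the client's *own* certificate advertises. A cert from
# any other CA can point this at any host, which is why the URL gets pinned.
aia_ocsp_uri() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Check 2: ask the pinned responder. Offline stand-in: build the request,
# answer it from our CA's index file, then verify the signed response.
# Prints good / revoked / unknown. (-issuer must precede -cert.)
pinned_ocsp_status() {
  openssl ocsp -issuer "$CA_CRT" -cert "$1" -no_nonce \
    -reqout "$WORK/req.der" >/dev/null 2>&1
  openssl ocsp -index "$INDEX" -CA "$CA_CRT" -rsigner "$CA_CRT" -rkey "$CA_KEY" \
    -ndays 1 -reqin "$WORK/req.der" -respout "$WORK/resp.der" >/dev/null 2>&1
  openssl ocsp -issuer "$CA_CRT" -cert "$1" -no_nonce -CAfile "$CA_CRT" \
    -respin "$WORK/resp.der" 2>/dev/null \
    | awk '/: (good|revoked|unknown)$/ { print $NF }'
}

# Access decision. Pass "ocsp" as $2 to add the pinned-responder check.
eap_tls_decision() {
  [ "$(chain_only_status "$1")" = OK ] || { echo REJECT; return 0; }
  if [ "${2:-}" = ocsp ] && [ "$(pinned_ocsp_status "$1")" != good ]; then
    echo REJECT; return 0
  fi
  echo ACCEPT
}

echo "AIA in client cert (not followed): $(aia_ocsp_uri "$CLIENT")"
echo "Before revocation: chain=$(chain_only_status "$CLIENT") ocsp=$(pinned_ocsp_status "$CLIENT")"

# The onboarding CA revokes the cert (say the laptop was stolen).
openssl ca -config "$WORK/ca.cnf" -revoke "$CLIENT" -crl_reason keyCompromise 2>/dev/null

echo "After revocation:  chain=$(chain_only_status "$CLIENT") ocsp=$(pinned_ocsp_status "$CLIENT")"
echo "Decision, chain+expiry only: $(eap_tls_decision "$CLIENT")"       # ACCEPT
echo "Decision, with pinned OCSP:  $(eap_tls_decision "$CLIENT" ocsp)"  # REJECT
```

The unexpired, revoked certificate still passes `chain_only_status`, which is the situation the thread describes as "it works, but not really ideal". The responder is fixed in `pinned_ocsp_status` and the AIA URL is only printed, which mirrors overriding the OCSP URL in the EAP-TLS method rather than letting a visiting client's certificate choose the responder.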
Original Message:
Sent: 6/15/2021 11:04:00 AM
From: pete2020
Subject: clearpass EAP-TLS without AD source
Hello Airheads,
How do you set up a ClearPass EAP-TLS service WITHOUT an authentication source (such as AD)?
I basically want to do EAP-TLS based on CA trusts.
The client has a personal certificate, and a copy of the CA that generated it is on ClearPass.
regards
Pete
------------------------------
Pete Elms
------------------------------