Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Back to discussions
Expand all | Collapse all

Clearpass OCSP Optional Setting

Jump to Best Answer
This thread has been viewed 14 times

  • 1.  Clearpass OCSP Optional Setting

    Posted Sep 26, 2018 09:37 AM

    I'm looking for clarification on what the EAP-TLS OCSP "optional" setting actually means/does. We leverage Cloudpath for EAP-TLS enrollment and Clearpass as the Radius server. We set "Verify Certificate using OCSP" setting to optional as a precautionary measure should the OCSP URL at our Cloudpath installation become unresponsive.

     

    That event occurred the last two evenings (OCSP responder was down on Cloudpath) and Clearpass started rejecting all incoming authentication requests. I'm not sure I understand what "optional" actually means in this scenario - can someone shed some light on the underlying architecture behind this setting? I assumed "optional" would allow clients to fail OCSP silently and continue to authenticate, but clearly that's not the case.

     

    Thank you!



  • 2.  RE: Clearpass OCSP Optional Setting

    EMPLOYEE
    Posted Sep 26, 2018 09:39 AM
    If an OCSP responder URI is in the certificate, a status check will be attempted. If there is not an OCSP responder URI in the certificate, a status check will not be attempted. OCSP should always be required.


  • 3.  RE: Clearpass OCSP Optional Setting

    Posted Sep 26, 2018 09:45 AM

    So what is the purpose of the "optional" setting? An OCSP URI is specified in the certificate and under normal circumstances an OCSP check is made. However, if the OCSP responder is unavailable, we had assumed the "optional" setting would ignore the check. This doesn't appear to be the case. So regardless of that setting in Clearpass, if an OCSP URI is specified in the certificate, a status check is made and if the OCSP response URI is not responding, authentication will fail?



  • 4.  RE: Clearpass OCSP Optional Setting
    Best Answer

    EMPLOYEE
    Posted Sep 26, 2018 09:50 AM
    As mentioned, optional will still allow authentication to pass if there is no OCSP URI in the certificate.

    If you do not want to require OCSP, change it to None. Another option is to use OCSP with CRL fallback which will consult the CRL if the OCSP responder is not available.


  • 5.  RE: Clearpass OCSP Optional Setting

    Posted Sep 26, 2018 09:59 AM

    Ok, thanks - that makes more sense. I was under the impression the "optional" bit was Clearpass making the decision to check OCSP, when in fact it is checking the incoming certificate for existence of an OCSP URI. All our EAP-TLS certificates have an OCSP URI set, so Clearpass will check that URL no matter what.