Security

last person joined: yesterday 

Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).
Expand all | Collapse all

IOS devices can connect after certificate has been revoke

Jump to Best Answer
  • 1.  IOS devices can connect after certificate has been revoke

    Posted Jan 22, 2013 09:51 AM

    Hi all,

     

    I tested onboard with IOS device which work fine but after certificated has been revoked IOS device can connect using EAP-TLS.

     

    what's i miss something?

    please advise



  • 2.  RE: IOS devices can connect after certificate has been revoke

    Posted Jan 22, 2013 10:01 AM

    Did you configure an OCSP URL in the EAP-TLS authentication method?

     



  • 3.  RE: IOS devices can connect after certificate has been revoke

    Posted Jan 22, 2013 10:12 AM
    Hi Colin, I use build in default CA and I think it have OCSP by default. how can i check that? regards, aakmit


  • 4.  RE: IOS devices can connect after certificate has been revoke
    Best Answer

    Posted Jan 22, 2013 10:23 AM

    In ClearPass policy manager, the EAP-TLS authentication method by default does not have an OCSP URL.  You need to make a copy of it and the copy will allow you to enter an OCSP URL, look at the certificate for an OCSP URL and enforce it.

     

     



  • 5.  RE: IOS devices can connect after certificate has been revoke

    Posted Jan 22, 2013 10:33 AM

    Hi Colin,

     

    Thanks for your help.Now it's work.

     

    regards,

    aakmit



  • 6.  RE: IOS devices can connect after certificate has been revoke

    Posted Aug 16, 2013 11:12 AM

    Oh wait I think I just figured out how to do it.. Sorry.

    Under your service we need to change the 'Authentication Methods' and select the EAP-TLS that we want to use...

     

    I am testing now

    ------------------------------------------------------------

    Hey,

     

    CPPM Version: 6.1.3.54640 

     

    I am trying to setup the OCSP as well.

     

    I am looking under the CPPM > Authentication > Methods

     

    They have [EAP TLS], and [EAP TLS With OCSP Enabled]

     

    And I created one called [EAP TLS With OCSP] because I want to try it and not override the OCSP URL because in my 'Certificate Authority Settings' I 'Specify an OCSP Reponder URL' (Perhaps this is not the same setting?).

     

    In the certificate generated for the client I see the correct URL for the OCSP check that I specified so I am assuming that my client certificate contains the appropriate information to verify the certificate.

     

    Where I am little confused is since there are 3 EAP-TLS types defined how does the the CPPM know which one to use?

    I thought that we might change this under: ClearPass Onboard > Configuration Profiles > Network Settings

    But you can only select EAP-TLS basically, how do we tell the system which EAL-TLS definition to use?

     

    Hopefully that makes sense.

     

    Thank you,

     

    Cheers



  • 7.  RE: IOS devices can connect after certificate has been revoke

    Posted Aug 16, 2013 12:08 PM

    I think I understand what your looking for but correct me if Im wrong.

     

    If you go to the methods and select the service eap-tls with ocsp enabled once its open you can click copy (which I believe you already did) 

     

    eaptls.png

     

    In that method you have the option to select multiple options and one of them is the check mark to override ocsp url from client. and what that does is give you the option to force ocsp to the location you designate. In a subscriber model you can tell the server where to check for the revocation. Either itself buy using the default Local host where the server will look at itself or a specified address which you can get by looking at the root CA in the certificate section.

     

    ocsp.png

     

     

    eaptls2.png

     

     

    Then you will need to specify the method in your service.

     

    eaptlsservice.png

     



  • 8.  RE: IOS devices can connect after certificate has been revoke

    Posted Aug 16, 2013 01:27 PM

    @tarnold

     

    Awesome once again!

    Thank for you the clarification.

     

    I had managed to figure out that in the service I needed to select my new EAP-TLS definition. That was the part that was missing for me.

     

    But the clarifiction definitely helps!

     

    The only difference I did was that under the 'Certificate Authority Settings' I took the option 'Authoriy Info Access - Specify an OCSP Responder URL' install of overriding the OCSP URL in the EAP-TLS method. Not sure if the override is recommended versus specifiying it on your 'Certificate Authority Settings'.

     

    Certificate_Authority_settings.png

    Authentication_Method_Custom_EAPTLS.png



  • 9.  RE: IOS devices can connect after certificate has been revoke

    Posted Aug 20, 2013 08:55 AM

    not sure about recommended, but specifiying it on your 'Certificate Authority Settings' is nicer in my opinion.



  • 10.  RE: IOS devices can connect after certificate has been revoke

    Posted Aug 20, 2013 09:30 AM

    That works for me.

    I sort of thought it was a toss up between the two. 

    It nice to have options though in case for whatever reason the setting in the 'Certificate Authority Settings' doesn't work.

     

    Correct me if I am wrong, but the option to specify the OCSP URL didn't exist in the 'Certificate Authority Settings' in CPPM version 6.0.X?