Apologies... while not the original poster, I want to know if "Verify Certificate using OCSP" => "Optional" is a fail-open status? The original poster had problems when the SecureW2 CRL wasn't available and their end stations fell off the network. If using OCSP, I'm looking for a configuration where that would not happen... if "Verify Certificate using OCSP" => "Optional" and the OCSP server is unavailable, will the end station be allowed or denied? Thank you!
That's a good question - because according to this post - "optional will still allow authentication to pass if there is no OCSP URI in the certificate." - so I don't think that option would be a fail-open at all. However, the post continues with "If you do not want to require OCSP, change it to None. Another option is to use OCSP with CRL fallback which will consult the CRL if the OCSP responder is not available." - which matches up with Matthew's response up above.
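To make the four mode behaviours discussed in this thread concrete, here is an added Python model (example code, not ClearPass or SecureW2 code) of a revocation-check policy engine. It assumes simplified certificate and CRL structures (a serial number, an optional OCSP URI from the AIA extension, a set of revoked serials with a Next Update time), an injectable OCSP responder that can be unreachable, and, as a modelling assumption, that a CRL past its Next Update is treated as unavailable and therefore denies, which is the outage the original poster described.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Optional, Set


class OcspMode(Enum):
    """Assumed names for the 'Verify Certificate using OCSP' choices in the thread."""
    NONE = "none"
    OPTIONAL = "optional"
    REQUIRED = "required"
    OCSP_WITH_CRL_FALLBACK = "ocsp_with_crl_fallback"


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class ResponderUnavailable(Exception):
    """Raised by the responder callable when the OCSP server cannot be reached."""


@dataclass
class Cert:
    serial: int
    ocsp_uri: Optional[str]  # None models a certificate with no OCSP URI in AIA


@dataclass
class Crl:
    revoked: Set[int]
    next_update: datetime

    def is_stale(self, now: datetime) -> bool:
        # Assumption: a CRL past Next Update is treated as unavailable.
        return now > self.next_update


@dataclass
class Decision:
    allowed: bool
    reason: str


Responder = Callable[[str, int], OcspStatus]


def _decide_from_crl(cert: Cert, crl: Optional[Crl], now: datetime) -> Decision:
    """CRL fallback: deny when the CRL is missing or stale (fail closed)."""
    if crl is None or crl.is_stale(now):
        return Decision(False, "CRL unavailable or stale; fail closed")
    if cert.serial in crl.revoked:
        return Decision(False, "certificate listed in CRL")
    return Decision(True, "CRL consulted, not revoked")


def _decide_from_ocsp(status: OcspStatus) -> Decision:
    if status is OcspStatus.GOOD:
        return Decision(True, "OCSP responder reports good")
    # Both 'revoked' and 'unknown' deny; unknown is not a pass.
    return Decision(False, f"OCSP responder reports {status.value}")


def evaluate(cert: Cert, mode: OcspMode, responder: Responder,
             crl: Optional[Crl] = None, now: Optional[datetime] = None) -> Decision:
    """Apply the revocation policy as described in the thread and return a Decision."""
    now = now or datetime.now(timezone.utc)

    if mode is OcspMode.NONE:
        return Decision(True, "revocation not checked")

    if cert.ocsp_uri is None:
        if mode is OcspMode.OPTIONAL:
            return Decision(True, "no OCSP URI in certificate; optional mode passes")
        if mode is OcspMode.REQUIRED:
            return Decision(False, "no OCSP URI in certificate; required mode denies")
        return _decide_from_crl(cert, crl, now)

    try:
        status = responder(cert.ocsp_uri, cert.serial)
    except ResponderUnavailable:
        if mode is OcspMode.OCSP_WITH_CRL_FALLBACK:
            return _decide_from_crl(cert, crl, now)
        # OPTIONAL and REQUIRED both deny when a present URI cannot be queried.
        return Decision(False, "OCSP responder unreachable; fail closed")
    return _decide_from_ocsp(status)


# Constructed helpers for a stand-alone run.
def responder_good(uri: str, serial: int) -> OcspStatus:
    return OcspStatus.GOOD


def responder_down(uri: str, serial: int) -> OcspStatus:
    raise ResponderUnavailable(uri)


if __name__ == "__main__":
    now = datetime(2021, 6, 1, tzinfo=timezone.utc)
    fresh = Crl(revoked={42}, next_update=now + timedelta(days=1))
    with_uri = Cert(serial=7, ocsp_uri="http://ocsp.example.invalid")  # constructed
    for mode in OcspMode:
        print(mode.value, evaluate(with_uri, mode, responder_down, fresh, now))
```

The two cases worth remembering from the matrix: in Optional mode a certificate without an OCSP URI passes, but a certificate with one whose responder is down is denied; only the CRL-fallback mode survives a responder outage, and even that denies once the CRL itself is missing or stale.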
Thank you Herman - that was our theory as well although didn't have lab setup available to test the theory. We consulted with TAC - although weren't entirely confident in their initial recommendation which was to "Uncheck Authorization Required" AND "Remove the CRL" - because of some initial confusion.
What we did end up doing though was temporarily setting "Auto-Update" to "periodically update every 1 hour" to manually trigger an update - and then reverted back to "Update whenever CRL is update" - CRL Properties of CRL Last Update Time and CRL Next Update Time did update - but suspect due to our db issues - it took about 15 minutes for the update to finally complete (based on the Last Checked time taking 15 minutes to update). This got us by for another week after we finally made progress on our database issue. Shall test in the future for behavior in lab and OCSP options.
On another note - we finally got our database issues taken care of. Issues were the result of constant "db deadlocks" with errors showing up in System Event Details "Fdb: DB write service(fdb) unstable backlog" - the cause was we had a ridiculous amount of "failed logins" - that were constantly trying to update the database (removed this from the deny enforcement profile - and worked with groups on campus to clean up their failing endpoints due to a certificate change).