
EAP TLS with OCSP checking against microsoft AD CA

  • 1.  EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 24, 2012 08:49 AM

    Does anyone have experience with enabling OCSP checking in their EAP TLS profile ("Verify Certificate using OCSP:") on ClearPass with Microsoft AD as CA / OCSP server (Online Responder)?

    When I enable it, and I can see that the client certificate contains the information, ClearPass still says there is no OCSP link to be found in the certificate.



  • 2.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 24, 2012 09:17 AM

    This must be configured on a Microsoft CA:  http://technet.microsoft.com/en-us/library/cc732526.aspx




  • 3.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 24, 2012 09:54 AM

    And it is; I have been through several of those tech documents from Microsoft, and with the Microsoft tool I can confirm OCSP is working, but ClearPass reports the certificate doesn't contain the OCSP URL.



  • 4.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 24, 2012 09:57 AM

    Duplicate the EAP-TLS authentication method and instead of getting it from the certificate, put in the URL manually and see if that works.

    What version of ClearPass?



  • 5.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 25, 2012 09:55 AM

    Yeah, that would be the next step; hopefully I have some time for that on Thursday.

    Tried with versions 6.0.1 and 5.2.



  • 6.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 25, 2012 01:41 PM

    boneyard,

    Please forward us the logs from the Access Tracker when you do your testing so we can figure this out.

    Thanks.



  • 7.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 27, 2012 10:23 AM

    The good news is that I can get it working with the "Override OCSP URL from Client" option; it appears that you have to enable the NONCE extension on the Microsoft 2008 CA for that, see screenshot ms-ca-online-reponder-config-signing-nonce.png. Might be a good idea to make this configurable on ClearPass, or at least mention that it is used.

    I got the hint for this via a blog [1] where someone is checking OCSP via OpenSSL and mentions the no_nonce flag.

    The bad news is that using the OCSP URL from the certificate doesn't work; the other settings are identical, so require OCSP check but no override OCSP URL. So my conclusion is that ClearPass can't read the OCSP URL from the certificate correctly. The same blog [1] as above does mention something about this, assuming that ClearPass uses the OpenSSL libraries.

    Below is part of the Access Tracker output; I also attached the full version and a screenshot of the certificate proving the OCSP URL info is in there (ms-ca-certificate-aruba.png):

    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=1,
    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
    2012-12-27 15:25:38,168     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:1
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Version value 3
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Serial-Number value 19:28:58:07:00:00:00:00:00:10
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DN value CN=aruba networks,CN=Users,DC=hnk,DC=loc
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value loc
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-DC value hnk
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value Users
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-CN value aruba networks
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DN value CN=hnk-TDC-hnk-01-CA,DC=hnk,DC=loc
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value loc
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-DC value hnk
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Issuer-CN value hnk-TDC-hnk-01-CA
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: Adding certificate attribute Subject-AltName-msUPN value aruba@hnk.loc
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - --> Starting OCSP Request
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Parsing the OCSP URLs in the certificate
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - Certificate does not contain OCSP URL. OCSP check required.
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - ocsp] --> Certificate has expired/been revoked!
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - OCSP checks have failed
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - chain-depth=0,
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - error=0
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> User-Name = aruba
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> subject = /DC=loc/DC=hnk/CN=Users/CN=aruba networks
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> issuer = /DC=loc/DC=hnk/CN=hnk-TDC-hnk-01-CA
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - --> verify return:0
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: >>> TLS 1.0 Alert length 0002], fatal certificate_unknown
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - TLS Alert write:fatal:certificate unknown
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] INFO RadiusServer.Radius - TLS_accept:error in SSLv3 read client certificate B
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] ERROR RadiusServer.Radius - rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails. error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: tls_handshake_recv failed
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - eaptls_process returned 4
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Handler failed in EAP/tls
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap_tls: SSL ex data at index 0 - (nil)
    2012-12-27 15:25:38,169     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - rlm_eap: Failed in EAP select
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcallauthenticate]: module "svc_3011_eap" returns invalid for request 223
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: leaving group svc_3011_eap (returns invalid) for request 223
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - auth: Failed to validate the user.
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Found Post-Auth-Type
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - Processing the post-auth section of radiusd.conf
    2012-12-27 15:25:38,170     [Th 4 Req 223 SessId R0000002a-03-50dc5a62] DEBUG RadiusServer.Radius - modcall: entering group REJECT for request 223

    Any clue, someone, or should I open a TAC case for this one?

    Using CPPM version 5.2.0.43003 btw, but I don't believe that the version will matter much; perhaps the OpenSSL version used. Is that visible somewhere?

    [1] http://www.carbonwind.net/blog/post/Quickly-probing-with-OpenSSL-for-the-status-of-a-certificate-using-OCSP.aspx




  • 8.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 27, 2012 02:22 PM

    Whether a request should be rejected if the OCSP responder does not include a NONCE or not is now configurable in CPPM. This is controlled by the "Reject if OCSP response does not have Nonce" parameter of the Radius server on the Service Parameters tab of the Administration » Server Manager » Server Configuration >> <cppm> screen. This parameter is available in CPPM 6.0.1. For CPPM 5.0.2, cumulative update patch 2 has to be installed.

    From the logs it looks like CPPM is not able to parse the OCSP URL in the certificate. Please open a TAC case for this. If possible, please also provide us the client certificate you are using to authenticate.

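    The two points posts 7 and 8 turn on can be reproduced offline with OpenSSL. The script below is an added example, not from this thread or from ClearPass: it builds a throwaway CA, a client certificate whose AIA extension carries an OCSP URL and one without, then checks whether the OCSP URL is readable from the certificate (what the Access Tracker said it could not find) and whether the OCSP request the client builds carries the nonce extension that the Microsoft Online Responder had to be configured to sign. The responder URL and all names are constructed placeholders.

```shell
# Added example, not from this thread or from ClearPass: a throwaway CA and client cert whose AIA
# carries an OCSP URL, then the two checks the thread turns on: is the OCSP URL readable from the
# certificate, and does the OCSP request carry the nonce extension.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
OCSP_URL="http://ocsp.example.test/ocsp"   # constructed placeholder, not the thread's responder
cat > "$WORK/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = aruba networks
[client]
authorityInfoAccess = OCSP;URI:$OCSP_URL
[bare]
basicConstraints = CA:FALSE
EOF
# Throwaway CA, one CSR, and two client certs from it: with the AIA extension ([client]) and
# without it ([bare]) to reproduce the "no OCSP URL" failure case.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ext.cnf" -subj /CN=test-ca \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ext.cnf" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
for sect in client bare; do
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -extensions "$sect" \
        -out "$WORK/$sect.pem" 2>/dev/null
done

# ocsp_uri_of CERT: print the OCSP responder URL from the AIA extension, or return 1 when there
# is none, the condition the Access Tracker logged as "Certificate does not contain OCSP URL".
ocsp_uri_of() {
    uri=$(openssl x509 -in "$1" -noout -ocsp_uri)
    [ -n "$uri" ] || return 1
    printf '%s\n' "$uri"
}

# request_has_nonce CERT ISSUER [-no_nonce]: build the OCSP request offline (-reqout, no
# responder contacted) and report whether it carries the nonce extension. OpenSSL adds one by
# default; a responder that does not sign it back makes a nonce-checking client reject the reply.
request_has_nonce() {
    if openssl ocsp -issuer "$2" -cert "$1" -reqout "$WORK/req.der" -text ${3:-} 2>/dev/null \
        | grep -q 'OCSP Nonce'; then echo yes; else echo no; fi
}

echo "OCSP URL in client cert: $(ocsp_uri_of "$WORK/client.pem")"
ocsp_uri_of "$WORK/bare.pem" || echo "bare cert: no OCSP URL in AIA"
echo "nonce in default request: $(request_has_nonce "$WORK/client.pem" "$WORK/ca.pem")"
echo "nonce with -no_nonce: $(request_has_nonce "$WORK/client.pem" "$WORK/ca.pem" -no_nonce)"
```

    Running the same `openssl x509 -noout -ocsp_uri` check against the real client certificate is a quick way to confirm the AIA extension is present before blaming the RADIUS server's parser.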


  • 9.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Dec 28, 2012 06:28 AM

    Thank you pattaluri, should have checked there first anyway, so many settings :)

    I created a TAC case and also provided the client and CA cert, ID 1370523.

    For anyone else that is going to attempt this, check the link cjoseph provided; it helped out a lot while initially setting this up.



  • 10.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Mar 01, 2013 04:15 AM

    In the end it turned out to be a bug; with the latest patches CPPM 5.x is able to read the URL from the certificate. The latest 6.x should also be fine, didn't test that myself.



  • 11.  RE: EAP TLS with OCSP checking against microsoft AD CA

    Posted Mar 01, 2013 05:18 AM

    Thanks for the update on this Boneyard. Hate those loose ends ;)