Security

Reply
Occasional Contributor I

Activating OCSP check after client onboard the device

Hi Guys,

 

I'm currently using the EAP-TLS authentication method and ClearPass is acting as the CA server. I noticed that after I revoke the client certificate from the onboard module, the client still able to connect to the network.

After done searching the solution that I need to enable OCSP feature on the CA configuration and change the authentication method with EAP-TLS with OCSP enable with the URL referring to the configuration URL inside the CA.

 

My question is, do I need to re-onboard all the client devices to make it work?

 

Thanks guys

Erik

Guru Elite

Re: Activating OCSP check after client onboard the device


eriksetiadi wrote:

Hi Guys,

 

I'm currently using the EAP-TLS authentication method and ClearPass is acting as the CA server. I noticed that after I revoke the client certificate from the onboard module, the client still able to connect to the network.

After done searching the solution that I need to enable OCSP feature on the CA configuration and change the authentication method with EAP-TLS with OCSP enable with the URL referring to the configuration URL inside the CA.

 

My question is, do I need to re-onboard all the client devices to make it work?

 

Thanks guys

Erik


So, if you did not enable it initially in the CA, it will not be in certificates that have already been issued, so CPPM cannot read it.  You would have to enable "Override from Client" and enter the OCSP URL manually.

 

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Occasional Contributor I

Re: Activating OCSP check after client onboard the device

So your saying is, if I'm enabling the URL override inside the EAP-TLS authentication method configuration below and put the same URL that ClearPass CA page generate that I don't have to re-onboard all the end devices?

 

Override OCSP URL.png

 

 

Guru Elite

Re: Activating OCSP check after client onboard the device

Correct.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
ArubaOS 8.3 User Guide
InstantOS 8.3 User Guide
Airheads Knowledgebase
Airheads Learning Videos
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: