Hi all.
I have a setup consisting of CPPM validating clients through EAP-TLS. The Root CA is trusted by CPPM and validation works fine without revocation checking ("Verify Certificate using OCSP:" set to "None" in the EAP-TLS authentication method). Our organization has no OCSP, but it does have CRL verification. The CRL URL is included in the client certificates, but when we configure "Required (CRL fallback)" as the certificate verification method, clients stop validating. This is the output of the authentication failure:
Error Code: 215
Error Category: Authentication failure
Error Message: TLS session error
Alerts for this Request
RADIUS Certificate does not contain OCSP URL
EAP-TLS: fatal alert by server - unknown_ca
TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
eap-tls: Error in establishing TLS session
The "Certificate does not contain OCSP URL" message was expected, as the certificate has no OCSP URL in it, but it's puzzling to find "unknown_ca" as the RADIUS response. We have included the CRL in "Administration » Certificates » Revocation Lists". It seems that the auth method is not doing "CRL fallback" at all. Any idea what's wrong with the setup?
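An added example (not from the original post or from ClearPass) that reproduces offline what a CRL-based revocation check has to succeed at, using only openssl: the CRL's issuer must be the trusted CA, the CRL must be current, and the chain plus CRL signature must verify. It assumes the same three inputs CPPM has (root CA, uploaded CRL, client certificate) and builds a constructed demo PKI, including a client cert with a CRL distribution point, to exercise the check.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduce offline what a
# "Required (CRL fallback)" check has to succeed at, with plain openssl.
# Assumed inputs are the three artefacts the RADIUS server holds: the trusted
# root CA, the CRL uploaded under Revocation Lists, and the client certificate.
check_crl_fallback() {  # $1 root CA PEM, $2 CRL PEM, $3 client cert PEM
  # A CRL is only usable if its issuer DN equals the DN of a trusted CA;
  # otherwise the revocation status cannot be determined at all.
  ca_subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[a-z]*=//')
  crl_iss=$(openssl crl -in "$2" -noout -issuer | sed 's/^[a-z]*=//')
  [ "$ca_subj" = "$crl_iss" ] || { echo "CRL issuer != trusted CA"; return 1; }
  # Show the validity window; an expired CRL fails the verify step below.
  openssl crl -in "$2" -noout -lastupdate -nextupdate
  # Chain build plus revocation check, CRL signature included.
  openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3"
}

# Constructed demo PKI (not real data): root CA, a client cert carrying a
# CRL distribution point like the one in the post, and a CRL from that CA.
make_demo_pki() {  # $1 empty work directory
  ( cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
      -subj /CN=DemoRoot -keyout ca.key -out ca.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=client1 \
      -keyout client.key -out client.csr 2>/dev/null
    echo 'crlDistributionPoints=URI:http://crl.example.invalid/root.crl' > ext.cnf
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 1 -sha256 -extfile ext.cnf -out client.crt 2>/dev/null
    : > index.txt   # openssl ca database; empty means nothing revoked yet
    printf '%s\n' '[ca]' 'default_ca=demo' '[demo]' 'database=index.txt' \
      'new_certs_dir=.' 'certificate=ca.crt' 'private_key=ca.key' \
      'default_md=sha256' 'default_crl_days=1' > ca.cnf
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

# Revoke the client cert and reissue the CRL, so the check must now fail.
revoke_client() {  # $1 work directory from make_demo_pki
  ( cd "$1" && openssl ca -config ca.cnf -revoke client.crt 2>/dev/null &&
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null )
}

if [ "${1:-}" = demo ]; then
  d=$(mktemp -d)
  make_demo_pki "$d" && check_crl_fallback "$d/ca.crt" "$d/ca.crl" "$d/client.crt"
  revoke_client "$d" && check_crl_fallback "$d/ca.crt" "$d/ca.crl" "$d/client.crt"
fi
```

Run with `sh crl_check.sh demo` to see the first check pass and the second fail with "certificate revoked"; point `check_crl_fallback` at the real CA, CRL and client certificate to confirm they validate together outside CPPM.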