Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

CPPM and EAP-TLS with CRL fallback

  • 1.  CPPM and EAP-TLS with CRL fallback

    Posted Nov 14, 2019 12:14 PM

    Hi all.


    I have a setup consisting of CPPM validating clients through EAP-TLS. The Root CA is trusted by CPPM and validation is working fine without revocation checking ("Verify Certificate using OCSP:" set to "None" in the EAP-TLS authentication method). Our organization has no OCSP but it has CRL verification. The CRL URL is included in the client certificates, but when we configure "Required (CRL fallback)" as the certificate verification method, clients stop validating. This is the output of the authentication failure:


    Error Code: 215
    Error Category: Authentication failure
    Error Message: TLS session error

    Alerts for this Request

    RADIUS Certificate does not contain OCSP URL
    EAP-TLS: fatal alert by server - unknown_ca
    TLS Handshake failed in SSL_read with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed
    eap-tls: Error in establishing TLS session


    The "Certificate does not contain OCSP URL" was expected, as the certificate has no OCSP URL in it, but it's puzzling to find "unknown_ca" as the RADIUS response. We have included the CRL in "Administration » Certificates » Revocation Lists". It seems that the auth method is not doing "CRL fallback" at all. Any idea what's wrong with the setup?



  • 2.  RE: CPPM and EAP-TLS with CRL fallback

    EMPLOYEE
    Posted Nov 18, 2019 03:00 AM

    Does the CRL's last check show a recent time, and is its status successful?

    I think working with Aruba Support is the best option at this moment, as OCSP is recommended and the most widely deployed verification method.




  • 3.  RE: CPPM and EAP-TLS with CRL fallback

    Posted Nov 18, 2019 04:10 AM

    Well, this is puzzling... after asking our sysadmin to revoke the certificate of the laptop we are using to test EAP-TLS, the authentication fails with the message "EAP-TLS: fatal alert by server - certificate_revoked" with "Verify Certificate using OCSP" set to None, so I guess I'm not understanding the whole point of having some kind of certificate verification if CPPM seems to do the checking anyway. I think I will open a case with the TAC. Thanks!



  • 4.  RE: CPPM and EAP-TLS with CRL fallback

    EMPLOYEE
    Posted Nov 18, 2019 10:18 AM

    CRL is always evaluated.



  • 5.  RE: CPPM and EAP-TLS with CRL fallback

    Posted Nov 18, 2019 11:19 AM

    It's good to know that. But then what's the point of having a "CRL fallback" option in the EAP-TLS method in CPPM?
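The checks this thread is about, reproduced as an added example that is not part of the thread or of ClearPass: a shell script (openssl CLI, 1.1.1 or later) builds a throwaway CA, a client certificate that carries a CRL distribution point but no OCSP URL, and a CRL that revokes it, then shows what a verifier gets in each case: an empty OCSP lookup (the source of "Certificate does not contain OCSP URL"), a successful CRL check, "certificate revoked" once the CRL lists the cert, and the failure when CRL checking is required but no CRL is available. All names, keys and the CRL URL are constructed placeholders.

```shell
#!/bin/sh
# Constructed lab, not the poster's environment: a throwaway CA, one client cert that
# carries a CRL distribution point but no OCSP URL (as in the thread), and two CRLs.
# Requires the openssl CLI (1.1.1 or later for the -ext option). Works in a temp dir.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Throwaway root CA with the extensions a verifier needs to accept it as a CA/CRL issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab Root CA (constructed)" \
  -keyout ca.key -out ca.csr >/dev/null 2>&1
openssl x509 -req -in ca.csr -signkey ca.key -days 2 -extfile ca.ext -out ca.pem >/dev/null 2>&1

# Client certificate: CRL DP present, no authorityInfoAccess/OCSP. The URL is a placeholder.
printf 'extendedKeyUsage=clientAuth\ncrlDistributionPoints=URI:http://pki.example.test/lab.crl\n' > client.ext
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=laptop01.example.test" \
  -keyout client.key -out client.csr >/dev/null 2>&1
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
  -extfile client.ext -out client.pem >/dev/null 2>&1

# Minimal 'openssl ca' database so the CA can revoke the cert and publish CRLs.
touch index.txt; echo 01 > crlnumber
printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=index.txt\ncrlnumber=crlnumber\ndefault_md=sha256\ndefault_crl_days=1\n' > ca.cnf
CA="openssl ca -config ca.cnf -cert ca.pem -keyfile ca.key"
$CA -gencrl -out crl_clean.pem   2>/dev/null   # CRL published before the revocation
$CA -revoke client.pem           2>/dev/null   # the sysadmin revokes the laptop's cert
$CA -gencrl -out crl_revoked.pem 2>/dev/null   # CRL published after the revocation

# What a RADIUS server sees when it inspects the client cert for revocation endpoints.
ocsp_url() { openssl x509 -in "$1" -noout -ocsp_uri; }   # empty output = no OCSP URL in cert
crl_dp()   { openssl x509 -in "$1" -noout -ext crlDistributionPoints | grep -o 'URI:.*'; }

# Chain verification with CRL checking enabled. Prints OK, revoked, or "failed: <reason>".
verify_with_crl() {   # $1 = cert, $2 = CRL file ("" = verifier has no CRL at all)
  crlopt=""; if [ -n "$2" ]; then crlopt="-CRLfile $2"; fi
  if out=$(openssl verify -CAfile ca.pem -crl_check $crlopt "$1" 2>&1); then
    echo OK
  else
    case "$out" in *revoked*) echo revoked ;; *) echo "failed: $out" ;; esac
  fi
}

echo "OCSP URL: '$(ocsp_url client.pem)'  CRL DP: $(crl_dp client.pem)"
echo "clean CRL:   $(verify_with_crl client.pem crl_clean.pem)"
echo "revoked CRL: $(verify_with_crl client.pem crl_revoked.pem)"
echo "no CRL:      $(verify_with_crl client.pem "")"
```

The last line is the case to watch for when a CRL-only PKI is configured: with CRL checking required, a certificate whose CRL cannot be fetched or found is rejected outright rather than accepted, so a stale or unreachable CRL looks like a CA trust failure from the client's side.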