Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Cisco ASA Use OCSP URL from ClearPass Onboard CA

  • 1.  Cisco ASA Use OCSP URL from ClearPass Onboard CA

    Posted Aug 06, 2015 04:34 PM

    I'm testing Cisco AnyConnect on an iPad that's been onboarded with the ClearPass CA.  AnyConnect is set to use the Onboard certificate for authentication.  The ASA is performing authentication, validating the certificate against the CA chain and doing an OCSP check.  For some reason, the OCSP check fails.  In a packet capture from ClearPass, I see the OCSP request from the ASA and the response from ClearPass, but can't make heads or tails of the response to figure out why it's failing.  Will ClearPass accept OCSP checks from external devices, such as the ASA?  I'm using the OCSP URL specified in the Onboard settings.


    The alternative would be to pass the authentication and authorization to ClearPass and keep the ASA from doing the authentication and OCSP check, but we can't figure out how to get that working.
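Decoding a captured OCSP response the way the relying party (the ASA) has to judge it, added here as an example; this is not code from the thread, from ClearPass or from Cisco. It builds a constructed test CA, device certificate and "good" request/response pair with the `cryptography` library so it runs offline, and assumes the responder signs with the CA key directly rather than with a delegated responder certificate.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID
NOW = datetime.datetime.now(datetime.timezone.utc)  # one clock for the constructed certs and response

def _make_cert(cn, issuer_name, key, signing_key):
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])  # constructed test PKI
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(subject if issuer_name is None else issuer_name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW - datetime.timedelta(days=1))
            .not_valid_after(NOW + datetime.timedelta(days=365))
            .sign(signing_key, hashes.SHA256()))

def build_sample_exchange():
    """Constructed CA, device cert, and a 'good' OCSP request/response pair as DER."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_cert = _make_cert("Constructed Onboard CA", None, ca_key, ca_key)
    dev_key = ec.generate_private_key(ec.SECP256R1())
    dev_cert = _make_cert("constructed-ipad", ca_cert.subject, dev_key, ca_key)
    request = ocsp.OCSPRequestBuilder().add_certificate(dev_cert, ca_cert, hashes.SHA1()).build()
    response = (ocsp.OCSPResponseBuilder()
                .add_response(cert=dev_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                              cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                              next_update=NOW + datetime.timedelta(hours=1),
                              revocation_time=None, revocation_reason=None)
                .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert)
                .sign(ca_key, hashes.SHA256()))
    return ca_cert, request.public_bytes(Encoding.DER), response.public_bytes(Encoding.DER)

def decode_response(resp_der, req_der, issuer_cert):
    """Judge a captured OCSP response as the relying party must: status, serial and signature."""
    resp = ocsp.load_der_ocsp_response(resp_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return {"response_status": resp.response_status.name}  # e.g. UNAUTHORIZED: CA not served
    req_serial = ocsp.load_der_ocsp_request(req_der).serial_number
    try:  # assumption: the responder signs with the CA key itself, not a delegated cert
        issuer_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                        ec.ECDSA(resp.signature_hash_algorithm))
        signature_valid = True
    except InvalidSignature:
        signature_valid = False
    return {"response_status": "SUCCESSFUL", "signature_valid": signature_valid,
            "cert_status": resp.certificate_status.name,  # GOOD, REVOKED or UNKNOWN
            "serial_matches_request": resp.serial_number == req_serial}
```

A response that decodes as GOOD but fails the signature check against the CA the ASA trusts is one case where the responder log shows "good" while the relying party still rejects the client.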



  • 2.  RE: Cisco ASA Use OCSP URL from ClearPass Onboard CA

    EMPLOYEE
    Posted Aug 06, 2015 04:42 PM

    What do you have configured in the EAP-TLS authentication method?



  • 3.  RE: Cisco ASA Use OCSP URL from ClearPass Onboard CA

    Posted Aug 06, 2015 04:44 PM

    Here's a dumb question... do I need to have a service configured that just allows for the OCSP check?  We don't have anything set up in ClearPass, just telling the ASA to do the OCSP check.



  • 4.  RE: Cisco ASA Use OCSP URL from ClearPass Onboard CA

    EMPLOYEE
    Posted Aug 06, 2015 04:47 PM

    I see...OK.  So, in ClearPass Guest, what do you see in Administration --> Support --> Application Log?



  • 5.  RE: Cisco ASA Use OCSP URL from ClearPass Onboard CA

    Posted Aug 06, 2015 04:49 PM

    Duh!  Forgot OCSP responses were logged there.  Thanks for the reminder!


    Response = good.... dang, must have a different problem then?