I'm testing Cisco AnyConnect on an iPad that's been onboarded with the ClearPass CA. AnyConnect is set to use the onboard certificate for authentication. The ASA is performing authentication, validating the certificate against the CA chain and doing an OCSP check. For some reason, the OCSP check fails. In a packet capture from ClearPass, I see the OCSP request from the ASA and the response from ClearPass, but can't make heads or tails of the response to figure out why it's failing. Will ClearPass accept OCSP checks from external devices, such as the ASA? I'm using the OCSP specified in the onboard settings.
The alternative would be to pass the authentication and authorization to ClearPass and keep the ASA from doing the authentication and OCSP check, but we can't figure out how to get that working.