We're deploying a wired EAP-TLS implementation that will use machine auth only. So far the idea is to check for three things about the client certificate before granting access to a machine:
1. Must be issued by our ADCS
2. Must not be expired
3. Must not be revoked
From the documentation, it seems we have to set up an OCSP responder to verify #3. Since we're not using user auth, we have deselected "Authorization Required" in the Authentication Method.
To check for #2, in the enforcement policy, I have something like "Certificate:Not-Valid-After GREATER_THAN 2018-06-05 11:51:12", but that uses a fixed date! How do we check if the certificate has expired?
Also, I'm looking for more info about the 'certificate comparison' feature in the auth method. What does this do?
Any suggestions on more details to check besides the 3 listed?
Thanks in advance!
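As an added example (not from the original post or any vendor documentation), the three checks listed above carried out with the openssl command line against a constructed throw-away PKI: the expiry check is measured against the current clock rather than a hard-coded date, and revocation is checked against the CA's CRL, the offline counterpart of an OCSP lookup. Test-Issuing-CA stands in for the ADCS issuing CA, Rogue-CA for any other issuer, and the host names are made up.

```shell
#!/bin/sh
# Added example (not from the post): issuer, expiry and revocation checks with the openssl CLI
# against a constructed throw-away PKI. Test-Issuing-CA stands in for the ADCS issuing CA,
# Rogue-CA for any other issuer; host names are made up.
set -eu
WORK=$(mktemp -d); cd "$WORK"

mkca() {  # $1 = file prefix, $2 = CN -> self-signed $1.crt / $1.key
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
issue() {  # $1 = CA prefix, $2 = cert prefix, $3 = CN, $4 = validity in days -> $2.crt
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days "$4" -out "$2.crt" 2>/dev/null
}
mkca ca "Test-Issuing-CA"; issue ca host01 host01.corp.example 1; issue ca host02 host02.corp.example 1
mkca rogue "Rogue-CA";     issue rogue rogue01 host01.corp.example 1   # same CN, wrong issuer

# Minimal 'openssl ca' config so the test CA can revoke host01 and publish a CRL.
printf '[ca]\ndefault_ca=d\n[d]\ndatabase=index.txt\ncrlnumber=crlnumber\ncertificate=ca.crt\n' > ca.cnf
printf 'private_key=ca.key\ndefault_md=sha256\ndefault_crl_days=1\n' >> ca.cnf
touch index.txt; echo 01 > crlnumber
openssl ca -config ca.cnf -revoke host01.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
cat ca.crt ca.crl > ca-with-crl.pem   # trust anchor plus its current CRL, as one file

# Check 1: the certificate chains to OUR issuing CA.   $1 = trust file, $2 = client cert
issued_by_our_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }
# Check 2: expiry against the current clock, not a hard-coded date.   $1 = cert, $2 = seconds
#   of look-ahead: 0 means "already expired", 604800 means "expires within the next 7 days".
#   An unreadable certificate counts as expired (fail closed).
expires_within() { ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; }
# Check 3: revocation, via the CRL in the trust file (OCSP is the online equivalent).
#   Only meaningful for a certificate that is ours in the first place.
revoked() { issued_by_our_ca "$1" "$2" && ! openssl verify -crl_check -CAfile "$1" "$2" >/dev/null 2>&1; }

# All three together: admit only an unexpired, unrevoked certificate issued by our CA.
admit_machine() { issued_by_our_ca "$1" "$2" && ! expires_within "$2" 0 && ! revoked "$1" "$2"; }

for c in host01 host02 rogue01; do
  if admit_machine ca-with-crl.pem "$c.crt"; then echo "$c: admit"; else echo "$c: reject"; fi
done
```

Running it prints host01 rejected (revoked), host02 admitted and rogue01 rejected (not issued by our CA); the look-ahead argument of expires_within is the piece that replaces the fixed-date comparison in the question.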