Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

EAP-TLS policy enforcement - what to check for?

  • 1.  EAP-TLS policy enforcement - what to check for?

    Posted Jun 05, 2018 12:39 PM

    We're deploying a wired EAP-TLS implementation that will use machine auth only.  So far the idea is to check for three things about the client certificate before granting access to a machine:

     

    1. Must be issued by our ADCS

    2. Must not be expired

    3. Must not be revoked

     

    From the documentation, it seems we have to set up an OCSP responder to verify #3.  Since we're not using user auth, we have deselected "Authorization Required" in the Authentication Method. 

     

    To check for #2, in the enforcement policy, I have something like "Certificate:Not-Valid-After  GREATER_THAN  2018-06-05 11:51:12", but that uses a fixed date!  How do we check if the certificate has expired?

     

    Also, I'm looking for more info about the 'certificate comparison' feature in the auth method.  What does this do?

     

    Any suggestions on more details to check besides the 3 listed?

     

    Thanks in advance!  



  • 2.  RE: EAP-TLS policy enforcement - what to check for?

    Posted Jun 06, 2018 02:03 PM

    Hmmm... perhaps I asked too many questions at once.  Any feedback on any part of this question would be thoroughly appreciated.



  • 3.  RE: EAP-TLS policy enforcement - what to check for?
    Best Answer

    EMPLOYEE
    Posted Jun 07, 2018 06:26 AM

    1) This can be done in policy by checking the Issuer CN or DN

    2) This is automatically checked. An expired certificate will fail

    3) CRL can also be used and is enabled by default in ADCS environments
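
The three conditions from the answer above, reproduced with the openssl CLI so you can see what a certificate validator does with each case before you build the enforcement policy. This is an added example, not part of the thread and not ClearPass or ADCS code: it builds a throwaway PKI on the fly (the constructed "Example-Issuing-CA" stands in for the ADCS issuing CA, "Rogue-CA" for an issuer you do not trust, host1 to host4 for domain-joined machines) and then runs check_cert, a hypothetical helper, against a valid, a wrongly issued, an expired and a revoked certificate. It goes one step beyond the three listed checks by also requiring the clientAuth EKU (-purpose sslclient), which is the kind of extra condition the original poster asked about.

```shell
#!/bin/sh
# Added example, not from the thread: run the three client-certificate checks
# (issuer, expiry, revocation) with the openssl CLI against a throwaway PKI.
# All names below are constructed; "Example-Issuing-CA" stands in for the ADCS
# issuing CA and the hostN certificates for domain-joined machines.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal config: a CA section for 'openssl ca' (database, serial, CRL) and
# extension profiles for the CA and for machine (client-auth) certificates.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = issuing_ca
[ issuing_ca ]
dir              = .
database         = $dir/index.txt
serial           = $dir/serial
crlnumber        = $dir/crlnumber
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_crl_days = 7
policy           = policy_any
x509_extensions  = machine_cert
[ policy_any ]
commonName = supplied
[ machine_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
touch index.txt; echo 01 > serial; echo 01 > crlnumber

newca()  { openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 365 \
             -keyout "$1.key" -out "$1.crt" -subj "$2" 2>/dev/null; }
newcsr() { openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
             -keyout "$1.key" -out "$1.csr" -subj "/CN=$1.example.com" 2>/dev/null; }

newca ca    "/DC=com/DC=example/CN=Example-Issuing-CA"   # the trusted issuer (stand-in for ADCS)
newca rogue "/CN=Rogue-CA"                                # a CA the policy must not accept
for h in host1 host2 host3 host4; do newcsr "$h"; done

openssl ca -batch -config ca.cnf -notext -days 30 -in host1.csr -out host1.crt 2>/dev/null
openssl ca -batch -config ca.cnf -notext -days 30 -in host2.csr -out host2.crt 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in host3.csr -out expired.crt \
  -startdate 20180101000000Z -enddate 20180601000000Z 2>/dev/null      # validity already over
openssl x509 -req -sha256 -days 30 -in host4.csr -CA rogue.crt -CAkey rogue.key \
  -CAcreateserial -out rogue-issued.crt 2>/dev/null                      # wrong issuer
openssl ca -batch -config ca.cnf -revoke host2.crt -crl_reason keyCompromise 2>/dev/null
openssl ca -batch -config ca.cnf -gencrl -out ca.crl 2>/dev/null
cat ca.crt ca.crl > trust.pem   # what the validator holds: the issuing CA plus its current CRL

# The issuer string the policy would be configured with; taken from the CA cert
# here so the DN formatting matches what the issuer check below prints.
ISSUER_DN=$(openssl x509 -in ca.crt -noout -subject -nameopt RFC2253 | sed 's/^subject=[[:space:]]*//')

# check_cert CERT EXPECTED_ISSUER_DN  (hypothetical helper)
# Return: 0 pass, 1 wrong issuer, 2 expired, 3 revoked / chain does not validate.
check_cert() {
  cert=$1; want=$2
  issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[[:space:]]*//')
  if [ "$issuer" != "$want" ]; then
    echo "$cert: FAIL issuer '$issuer' != '$want'"; return 1
  fi
  # -checkend 0 exits non-zero once notAfter is in the past: no fixed date needed
  if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo "$cert: FAIL expired ($(openssl x509 -in "$cert" -noout -enddate))"; return 2
  fi
  # -crl_check fails closed: a missing or stale CRL in trust.pem is a failure, not a pass
  out=$(openssl verify -crl_check -purpose sslclient -CAfile trust.pem "$cert" 2>&1) || true
  case "$out" in
    *": OK") echo "$cert: PASS"; return 0 ;;
    *)       echo "$cert: FAIL $(echo "$out" | head -n 1)"; return 3 ;;
  esac
}

for c in host1.crt rogue-issued.crt expired.crt host2.crt; do
  check_cert "$c" "$ISSUER_DN" || true
done
```

Run it with sh: each certificate prints PASS or FAIL with the reason, and check_cert returns 0, 1, 2 or 3 so it can be scripted. Two points worth carrying over to the real deployment: the expiry test needs no hard-coded date, because the validator compares notAfter with the current time, and the openssl CRL check fails closed, so if the CRL (or OCSP responder) is unreachable or out of date the valid machine fails along with the revoked one. Test what your NAC does in that situation and monitor CRL freshness rather than discovering it during an outage.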



  • 4.  RE: EAP-TLS policy enforcement - what to check for?

    Posted Jun 07, 2018 09:38 AM

    That's great.  Thanks again Tim!