Hi Team,

Another day, another issue with our lab that we cannot get to the bottom of with the logging and a bit of tracing.
We have a fully functioning EAP-TLS solution working without having OCSP enabled. When we enable the OCSP checking, the RADIUS returns a reject. This is because we have not enabled softfail in the OCSP profile and there is an error happening.

RADIUS logging shows the following:

Starting OCSP Request
Debug: eap_tls: ocsp: Using responder URL http://pki-2020.corporateroot.net:80/ocsp
ERROR: eap_tls: ocsp: Couldn't verify OCSP basic response
ERROR: eap_tls: (TLS) ocsp: Certificate has been expired/revoked
ERROR: eap_tls: (TLS) Alert write:fatal:internal error
ERROR: eap_tls: (TLS) Server : Error in error
ERROR: eap_tls: (TLS) Failed reading from OpenSSL
ERROR: eap_tls: (TLS) error:27069065:OCSP routines:OCSP_basic_verify:certificate verify error
ERROR: eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed
ERROR: eap_tls: (TLS) System call (I/O) error (-1)
ERROR: eap_tls: (TLS) EAP Receive handshake failed during operation
ERROR: eap_tls: [eaptls process] = fail

We are using a MS PKI and are aware that we have not enabled NONCE, but in the OCSP profile we have also made sure we do not have it enabled.

[screenshot]

We have also made sure the RADIUS server has a valid certificate, just to be sure (Let's Encrypt).

This is what is presented in the audit:

[screenshot]

Matches the logging. Any clues where we need to be?
Kind Regards,
Simon

Simon Sutcliffe
IT Architect, Workplace Solutions
HaskoningDHV UK Ltd., a company of Royal HaskoningDHV
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
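The "Couldn't verify OCSP basic response" line paired with OCSP_basic_verify:certificate verify error is OpenSSL reporting that it could not build a trusted chain for the certificate that signed the OCSP response, which for a Microsoft Online Responder is normally a delegated OCSP signing certificate rather than the CA itself, so the CA file handed to the RADIUS server has to be able to validate that signer. The script below is an added example, not code from the post or from the PacketFence/FreeRADIUS project: it builds a throw-away lab PKI with the openssl command line (the CA names, file names and the unrelated "OtherCA" are the example's own) and reproduces both outcomes offline, with nonces disabled on both sides to mirror the no-NONCE setup described above.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the OCSP_basic_verify
# "certificate verify error" offline with a throw-away lab PKI, comparing the
# case where the responder's delegated signing certificate chains to a trusted
# CA (verify OK) with the case where it does not (the failure in the eap_tls log).
set -e
W=$(mktemp -d); cd "$W"
K="-newkey rsa:2048 -nodes"   # key generation options shared by every request

# Lab CA, a delegated OCSP signer (OCSPSigning EKU, the shape a Microsoft CA
# issues for its Online Responder) and a client (supplicant) certificate.
openssl req -x509 $K -days 1 -subj /CN=LabCA -keyout ca.key -out ca.pem 2>/dev/null
openssl req $K -subj /CN=ocsp -keyout ocsp.key -out ocsp.csr 2>/dev/null
printf 'extendedKeyUsage=OCSPSigning\n' > ocsp.ext
openssl x509 -req -in ocsp.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
  -extfile ocsp.ext -out ocsp.pem 2>/dev/null
openssl req $K -subj /CN=client -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 1 \
  -out client.pem 2>/dev/null
# An unrelated CA, standing in for a RADIUS CA file that lacks the issuing CA.
openssl req -x509 $K -days 1 -subj /CN=OtherCA -keyout other.key -out other.pem 2>/dev/null

# Minimal "openssl ca" index (six tab-separated fields) marking the client cert valid.
SERIAL=$(openssl x509 -in client.pem -noout -serial | cut -d= -f2)
printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=client\n' "$SERIAL" > index.txt

# Responder side: answer a nonce-less request for client.pem with a response
# signed by the delegated signer; its certificate is embedded in the response,
# as a real responder does.
openssl ocsp -index index.txt -CA ca.pem -rsigner ocsp.pem -rkey ocsp.key -rmd sha256 \
  -issuer ca.pem -cert client.pem -no_nonce -respout resp.der -noverify >/dev/null 2>&1

# Client side, what FreeRADIUS does after fetching the response: validate it
# against one trust file. Prints "ok" or "fail"; the failing case carries the
# same "OCSP_basic_verify:certificate verify error" as the log in the post.
check_ocsp() {
  if openssl ocsp -issuer ca.pem -cert client.pem -no_nonce -respin resp.der \
       -CAfile "$1" 2>&1 | grep -q 'Response verify OK'; then echo ok; else echo fail; fi
}
echo "trust file ca.pem:    $(check_ocsp ca.pem)"     # ok
echo "trust file other.pem: $(check_ocsp other.pem)"  # fail
```

To see the exact OpenSSL error text for the failing case, run the openssl ocsp command inside check_ocsp by hand with -CAfile other.pem and drop the grep.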