Good Afternoon, I'm hoping someone can chime in on setting up OCSP. We have successfully implemented EAP-TLS machine authentication, working with our Active Directory-managed Windows machines and our JAMF-managed macOS devices. Our current goal is to extend this setup to include a few (<50) BYOD devices by generating machine auth certificates for them. However, we are facing challenges with OCSP.
Despite revoking a test certificate issued from the PacketFence PKI for a BYOD device, the certificate remains valid for login, indicating that OCSP is not functioning as expected. Moreover, when OCSP is enabled, it appears to disrupt the connection for our Windows devices authenticated through valid certificates, specifically when attempting to connect to RADIUS. Here is the error we encounter in the RADIUS logs for the Windows devices when this issue occurs:

Module-Failure-Message = "eap_tls: ocsp: Couldn't get OCSP response"
Module-Failure-Message = "eap_tls: (TLS) ocsp: Unable to check certificate failing"
Module-Failure-Message = "eap_tls: (TLS) Alert write:fatal:internal error"
Module-Failure-Message = "eap_tls: (TLS) Server : Error in error"
Module-Failure-Message = "eap_tls: (TLS) Failed reading from OpenSSL"
Module-Failure-Message = "eap_tls: (TLS) error:27076072:OCSP routines:parse_http_line1:server response error"
Module-Failure-Message = "eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed"
Module-Failure-Message = "eap_tls: (TLS) System call (I/O) error (-1)"
Module-Failure-Message = "eap_tls: (TLS) EAP Receive handshake failed during operation"
Module-Failure-Message = "eap_tls: [eaptls process] = fail"
Module-Failure-Message = "eap: Failed continuing EAP TLS (13) session. EAP sub-module failed"

Here are the things I am hoping to get some insight on:

1. How to correctly configure OCSP for the specific template used for BYOD devices, ensuring that revoked certificates are recognized as invalid and deny the connection.
2. Why my Windows devices are throwing errors about being unable to get an OCSP response when the macOS devices don't have that issue.

I'm hoping there is just a setting I am missing here, but please let me know if I can answer any additional questions.
Thanks, Reese Herber Systems Integration Analyst Department of Learning and Innovation Phone: 253-530-3715 "The fusion of technology and education is the canvas on which we paint the masterpiece of our collective future, one pixel at a time."
_______________________________________________ PacketFence-users mailing list PacketFence-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/packetfence-users
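An added example, not from the original post and not PacketFence or FreeRADIUS code: the script below builds a throwaway CA with the openssl CLI, issues one client certificate whose AIA extension names a responder on 127.0.0.1, runs OpenSSL's own responder against the CA index, and reproduces the three outcomes behind the messages quoted above: "good" before revocation, "revoked" after "openssl ca -revoke", and a transport failure when no responder answers (the case FreeRADIUS logs as "Couldn't get OCSP response"). It ends by showing how FreeRADIUS's ocsp { softfail = ... } setting maps each outcome to accept or reject. The LAB directory, the port 18080 and the subject "byod-laptop" are arbitrary choices for this example; it assumes openssl is on PATH with a default openssl.cnf installed and that the loopback port is free.

```shell
#!/bin/sh
# Added example (not PacketFence or FreeRADIUS code): an offline OCSP lab that
# reproduces the outcomes an EAP-TLS OCSP check can produce, using only the
# openssl CLI. Assumptions: openssl on PATH, a default openssl.cnf installed,
# and loopback port $PORT free.
set -eu

LAB="${LAB:-$(mktemp -d)}"        # scratch directory for the throwaway CA
PORT="${OCSP_PORT:-18080}"        # assumed-free loopback port for the responder

# Build a throwaway CA and issue one BYOD-style client certificate whose AIA
# extension points at the lab responder (the URL FreeRADIUS follows when it is
# not configured to override the certificate's own OCSP URL).
make_lab() (
    cd "$LAB"
    mkdir -p newcerts && : > index.txt && echo 1000 > serial
    cat > ca.cnf <<EOF
[ ca ]
default_ca = lab
[ lab ]
dir = $LAB
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 30
policy = any
[ any ]
commonName = supplied
[ leaf ]
extendedKeyUsage = clientAuth
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$PORT/
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/CN=Lab CA" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "/CN=byod-laptop" 2>/dev/null
    openssl ca -batch -notext -config ca.cnf -extensions leaf -in leaf.csr \
        -out leaf.pem 2>/dev/null
)

# Print the OCSP responder URL carried in a certificate's AIA extension.
aia_url() { openssl x509 -in "$1" -noout -ocsp_uri; }

# Ask the responder named in the leaf's AIA about the leaf; print everything
# openssl says and never fail, so the caller can classify the outcome.
ocsp_query() (
    cd "$LAB"
    openssl ocsp -issuer ca.pem -cert leaf.pem -CAfile ca.pem \
        -url "$(aia_url leaf.pem)" 2>&1 || true
)

# Reduce openssl's output to the outcomes FreeRADIUS distinguishes.
classify() {
    case "$1" in
        *"leaf.pem: good"*)    echo good ;;
        *"leaf.pem: revoked"*) echo revoked ;;
        *"leaf.pem: unknown"*) echo unknown ;;
        *)                     echo error ;;   # unreachable, non-200 reply, or garbage
    esac
}

# Serve exactly one request from the lab index (signed with the CA key), query
# it, and classify the answer.
ocsp_status_with_responder() (
    cd "$LAB"
    openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
        -port "$PORT" -nrequest 1 >/dev/null 2>&1 &
    srv=$!
    out=""; tries=0
    while [ "$tries" -lt 10 ]; do        # give the responder time to bind
        sleep 1
        out=$(ocsp_query)
        case "$out" in *"leaf.pem:"*) break ;; esac
        tries=$((tries + 1))
    done
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    classify "$out"
)

# What EAP-TLS does with the outcome, modelled on FreeRADIUS's ocsp { softfail }
# setting: good is accepted, revoked and unknown are rejected, and failing to
# obtain a usable response is accepted only when softfail = yes.
eap_decision() {
    status="$1"; softfail="$2"
    case "$status" in
        good)            echo accept ;;
        revoked|unknown) echo reject ;;
        *) [ "$softfail" = yes ] && echo accept || echo reject ;;
    esac
}

run_demo() {
    make_lab
    AIA_URL=$(aia_url "$LAB/leaf.pem")
    BEFORE_REVOKE=$(ocsp_status_with_responder)          # good
    openssl ca -config "$LAB/ca.cnf" -revoke "$LAB/leaf.pem" 2>/dev/null
    AFTER_REVOKE=$(ocsp_status_with_responder)           # revoked
    NO_RESPONDER=$(classify "$(ocsp_query)")             # error: nothing listening
    echo "AIA URL:           $AIA_URL"
    echo "before revocation: $BEFORE_REVOKE -> $(eap_decision "$BEFORE_REVOKE" no)"
    echo "after revocation:  $AFTER_REVOKE -> $(eap_decision "$AFTER_REVOKE" no)"
    echo "responder down:    $NO_RESPONDER -> softfail=no: $(eap_decision "$NO_RESPONDER" no), softfail=yes: $(eap_decision "$NO_RESPONDER" yes)"
}
run_demo
```

Two facts behind the quoted log lines, for reference. OpenSSL raises "parse_http_line1:server response error" when the responder is reached but answers with an HTTP status other than 200, so the Windows failures are a responder that replied with something that was not an OCSP response; in FreeRADIUS's eap module, with softfail = no in the tls ocsp section, that is fatal for the session, which is the "Unable to check certificate failing" line. Separately, unless override_cert_url = yes is set together with a url = "..." in that ocsp section, FreeRADIUS follows the AIA URL inside each client certificate, so certificates from the Active Directory CA and certificates from the PacketFence PKI may be checked against different responders; running the aia_url check above ("openssl x509 -noout -ocsp_uri") on one Windows certificate and one BYOD certificate shows whether that is what separates the two populations. That explanation is an inference from the logs, not something the post establishes.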