Hello Reese,

If I understand correctly, you are using the PacketFence PKI and you want to use the built-in OCSP in PacketFence to reject any revoked certificates, correct?

Which PacketFence version are you running? What's the OCSP URL that you have configured? Is EAP-TLS working on a regular non-revoked cert?

Thanks,

Ludovic Zammit
Product Support Engineer Principal Lead
Cell: +1.613.670.8432
Akamai Technologies - Inverse
145 Broadway
Cambridge, MA 02142

> On Feb 15, 2024, at 7:30 PM, Herber, Reese via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
>
> Good Afternoon,
>
> I'm hoping someone can chime in on setting up OCSP. We have successfully implemented EAP-TLS machine authentication, working with our Active Directory-managed Windows machines and our JAMF-managed MacOS devices. Our current goal is to extend this setup to include a few (<50) BYOD devices by generating machine auth certificates for them. However, we are facing challenges with the OCSP.
>
> Despite revoking a test certificate issued from the PacketFence PKI for a BYOD device, the certificate remains valid for login, indicating that OCSP is not functioning as expected. Moreover, when OCSP is enabled, it appears to disrupt the connection for our Windows devices authenticated through valid certificates, specifically when attempting to connect to RADIUS.
>
> Here is the error we encounter in the radius logs for the Windows devices when this issue occurs:
>
> Module-Failure-Message = "eap_tls: ocsp: Couldn't get OCSP response",
> Module-Failure-Message = "eap_tls: (TLS) ocsp: Unable to check certificate failing",
> Module-Failure-Message = "eap_tls: (TLS) Alert write:fatal:internal error",
> Module-Failure-Message = "eap_tls: (TLS) Server : Error in error",
> Module-Failure-Message = "eap_tls: (TLS) Failed reading from OpenSSL",
> Module-Failure-Message = "eap_tls: (TLS) error:27076072:OCSP routines:parse_http_line1:server response error",
> Module-Failure-Message = "eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed",
> Module-Failure-Message = "eap_tls: (TLS) System call (I/O) error (-1)",
> Module-Failure-Message = "eap_tls: (TLS) EAP Receive handshake failed during operation",
> Module-Failure-Message = "eap_tls: [eaptls process] = fail",
> Module-Failure-Message = "eap: Failed continuing EAP TLS (13) session. EAP sub-module failed"
>
> Here are the things I am hoping to get some insight on:
>
> How to correctly configure OCSP for the specific template used for BYOD devices, ensuring that revoked certificates are recognized as invalid and deny the connection.
> Why my Windows devices are throwing errors about being unable to get an OCSP response when the MacOS devices don't have that issue.
>
> I'm hoping there is just a setting I am missing here, but please let me know if I can answer any additional questions.
>
> Thanks,
>
> Reese Herber
> Systems Integration Analyst
> Department of Learning and Innovation
>
> Phone: 253-530-3715
>
> "The fusion of technology and education is the canvas on which we paint the masterpiece of our collective future, one pixel at a time."
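The Module-Failure-Message lines quoted in the post look alike whether the OCSP responder is unreachable, answers with something other than an OCSP response, or actually reports the certificate revoked. As an added example (not code from the thread, PacketFence or FreeRADIUS), this Python triage parses those lines, decodes the OpenSSL `error:<code>:<library>:<function>:<reason>` strings and names the case: the `parse_http_line1:server response error` entry is OpenSSL's OCSP HTTP client rejecting a non-200 status line, so the configured URL answered, but not with an OCSP response. The `revoked` wording the classifier looks for is an assumption, not taken from the post.

```python
import re

# Module-Failure-Message lines quoted in the post, reassembled one per line.
RADIUS_LOG = '''
Module-Failure-Message = "eap_tls: ocsp: Couldn't get OCSP response",
Module-Failure-Message = "eap_tls: (TLS) ocsp: Unable to check certificate failing",
Module-Failure-Message = "eap_tls: (TLS) error:27076072:OCSP routines:parse_http_line1:server response error",
Module-Failure-Message = "eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed",
'''.strip().splitlines()

MSG_RE = re.compile(r'Module-Failure-Message = "(?P<module>\w+): (?P<text>.*)"')
# OpenSSL 1.1-style error string: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(r'error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)')


def parse_failures(lines):
    """Return (module, text) for every Module-Failure-Message line."""
    found = (MSG_RE.search(line) for line in lines)
    return [(m.group('module'), m.group('text')) for m in found if m]


def openssl_errors(failures):
    """Extract structured OpenSSL error records (code, lib, func, reason)."""
    found = (OSSL_RE.search(text) for _, text in failures)
    return [m.groupdict() for m in found if m]


def triage_ocsp(lines):
    """Classify why eap_tls rejected the client certificate."""
    failures = parse_failures(lines)
    texts = [t for _, t in failures]
    for err in openssl_errors(failures):
        if err['lib'] == 'OCSP routines' and err['func'] == 'parse_http_line1':
            # OpenSSL's OCSP HTTP client received a status line other than 200:
            # the URL answered, but not with an OCSP response (wrong path/port,
            # a web server or proxy in front of the responder, ...).
            return 'responder_http_error'
    if any("Couldn't get OCSP response" in t for t in texts):
        return 'responder_unreachable'   # no usable answer from the responder at all
    if any('revoked' in t.lower() for t in texts):
        return 'revoked'                 # OCSP working as intended (wording assumed)
    if any('certificate verify failed' in t for t in texts):
        return 'verify_failed'           # chain/trust problem, not OCSP transport
    return 'unknown'


if __name__ == '__main__':
    print(triage_ocsp(RADIUS_LOG))       # responder_http_error
```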
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users