OCSP stapling for RADIUS could open a big can of worms.  I know support is 
growing rapidly on web servers and web browsers, but I'm much less sure about 
RADIUS servers.  As for the client devices, I don't even know if OCSP would 
need to be supported by the OS, the supplicant, or both.  If anybody knows, I'd 
be interested in learning more about how OCSP may relate to 802.1X.  If 
operating systems start to expect OCSP it could affect the way many of us use 
organizationally issued certs for auth.  It seems to me that one of the 
perceived virtues of that approach is not worrying about revocation.

I'm somewhat reassured by the fact that MS says this is a bug and not a 
feature, but things change - and quickly too.

Thanks,

Chuck

-----Original Message-----
From: The EDUCAUSE Wireless Issues Community Group Listserv 
<WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU> On Behalf Of Jonathan Waldrep
Sent: Wednesday, April 14, 2021 10:33 AM
To: WIRELESS-LAN@LISTSERV.EDUCAUSE.EDU
Subject: Re: [WIRELESS-LAN] Microsoft Windows 10 CRL Check on 802.1x 
Authentication

On 2021-04-13 21:20:32+0000, Pratik Mehta wrote:
> [...]
> The problem is that Windows attempts to perform a CRL check on the 
> RADIUS server certificate during the TLS handshake and before 802.1x 
> authentication is complete. This causes the EAP session to timeout and 
> wireless connectivity to take a long time to be established (more than
> 25 seconds). It does not make sense for the supplicant to perform a 
> CRL check before wireless connectivity is established.
> [...]

 I can't speak to the specifics of the situation, but in general, the solution 
is to use OCSP stapling instead of a CRL check.

The gist of OCSP stapling is that the server contacts the CA/OCSP server to get 
a token that asserts the cert has not been revoked, and sends that with the cert 
to the client. This allows the client to verify the server's cert hasn't been 
revoked without having to connect to another network resource. I've probably got 
the details there wrong, but that is the _idea_ of what is happening.

 Implementing OCSP stapling on your authentication servers may bypass the bug.

 Full disclosure: we haven't gotten around to implementing this ourselves yet, 
so there may well be dragons ahead that I am completely unaware of.

--
Jonathan Waldrep
Network Engineer
Network Infrastructure and Services
Virginia Tech

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community 
list. If you want to reply only to the person who sent the message, copy and 
paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community
