topic Re: OCSP - response signature verification failed in Network Access Control

OCSP - response signature verification failed

Jagermeister — Fri, 17 Jan 2025 12:32:06 GMT

Hi all,

I have configured my ISE setup to validate certificates against a external OCSP responder but I do not get it to work.

The 802.1X certificates that my supplicants are using are issued by the external CA and my ISE setup has this certificate chain imported as trusted certificates. I've configured a OCSP profile that is using the OCSP URLs that are specified in the AIA of the cert. As i wish, the validation of the response certificate is enabled.

Now, in my live log i'm seeing the following:


0	Take OCSP servers list from AIA extension of client certificate - certificate for <cert name>
12989	Sent an OCSP request to the next OCSP server in the list - External OCSP Server	0
12567	OCSP server response signature verification failed - certificate for <cert name>	261
12552	Conversation with OCSP server ended with failure - certificate for <cert name>	0

Looking into the prrt-server.log isn't revealing much either;

,0x7f787ae98700,NIL-CONTEXT,Crypto::Result=0, Crypto.OcspClient::performRequest - Response signature verification failed, result 0, error error:27069076:OCSP routines:OCSP_b

I've tried to validate the same cert on another device against the external OCSP responder and then the response is accepted, so it seems that only my ISE setup is not able to validate the response signature for some reason. Decided to make a TCP dump on the PSN and in OCSP response it says the cert status is good.

How can I find more detailed information about why ISE thinks the response signature is invalid?

Re: OCSP - response signature verification failed

MHM Cisco World — Fri, 17 Jan 2025 12:52:04 GMT

how you config these options?

MHM

Re: OCSP - response signature verification failed

Jagermeister — Fri, 17 Jan 2025 13:11:31 GMT

Nothing special, I try to validate it against my OCSP profile that is looking at the OCSP URL from the AIA in the certificate. Also tried to set the server manually but doesn't make a difference.

OCSP profile:

Re: OCSP - response signature verification failed

Aref Alsouqi — Sat, 18 Jan 2025 13:59:16 GMT

Could you please try to unckeck the "Validate Response Signature" tick box and see if that makes any difference? from the logs you shared it does seem that ISE can't validate the OCSP response from the server. I know you mentioned that you already imported the OCSP certificates chain, but I would double check this and also I would make sure that those certs are not expired. Alternatively it could be something else in the OCSP response that ISE can't validate for some reason. What version of ISE are you running?

Re: OCSP - response signature verification failed

MHM Cisco World — Sat, 18 Jan 2025 14:32:22 GMT

disable Nonce only

that it

MHM

Re: OCSP - response signature verification failed

Marcelo Morais — Sun, 19 Jan 2025 23:23:34 GMT

Hi @Jagermeister

in ISE, the Components that are responsible to add info to the prrt-server.log file are:

runtime-AAA
runtime-config
runtime-GRPC
runtime-logging

The default Log Level of ALL these Components are WARN.

Try to increase the Log Level to get more info about your issue:

In Operations > Troubleshoot > Debug Wizard > Debug Log Configuration > select the Node :

Hope this helps !!!

Re: OCSP - response signature verification failed

Marcelo Morais — Mon, 20 Jan 2025 00:05:48 GMT

Hi @Jagermeister ,

also take a look at:

CSCwj32472 Internal OCSP responder could not work with default configuration

CSCwi51182 ISE as OCSP client Needs More Tolerable for Current Time Differences from those of OCSP responders

Hope this helps !!!

Re: OCSP - response signature verification failed

JPavonM — Tue, 04 Feb 2025 12:33:37 GMT

As @Aref Alsouqi said, try to disable "Validate Response Signature" as that worked for me. In my case, Sectigo enterprise OCSP repsponder does not include the cert in the payload and that's why ISE keeps returning "Unknown", but if you check the cert by using a Linux box and command line, you will see the real response from the OCSP responder.

It has non sense why Cisco ISE keeps enabling that by default when including the Certificate in the payload is an optional feature in the RFC.