ISE 2.3 with OCSP - Authentication and Authorization

paul46 (Level 1)

Hi Folks,

I have successfully authenticated a machine using a certificate (EAP-TLS) and am having an interesting issue. I have configured an OCSP server (external CA) and tested the same machine with an expired certificate. Not sure why it's successfully authenticating? Also, I used the CERTIFICATE:Is Expired=True authorization condition but it would not trigger. It's bypassing this condition, going further and executing the one which provides full corporate access!

I would expect a failed authentication if the certificate is not valid, so why is it even going to the authorization phase?

I have ensured that the firewall is not an issue between ISE and the OCSP server.

Has anyone had a similar experience before? Not sure if it requires any configuration at the OCSP server end. I have asked the external CA to confirm this. Meanwhile, I just thought to put it here for further discussion.



15 Replies

Hi all,

Important to clarify that I am not suggesting to revoke the intermediate cert in production, because that would affect all the devices with a cert signed by that intermediate CA. I was referring to a lab environment, so you can test revoking the intermediate LAB CA and check the ISE logs. In addition to that, I agree with Octavian: you should revoke the end-user machine cert in the lab to simulate a stolen or lost device and see what the logs on ISE look like as well.

In my case, we have CRL instead of OCSP and that is the one we use to revoke machine certs. I see your OCSP failed and the end-user machine cert "revoked" is still valid. Let's investigate.

Regards
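A lab exercise along the lines of the reply above, added here as a constructed example and not part of the thread: a throwaway OpenSSL CA (all names made up) issues a client cert, the cert is revoked, and the CRL check flips from good to revoked while the expiry check stays a separate test, since CRL/OCSP report revocation status, not the validity window.

```shell
#!/bin/sh
# Constructed lab demo: build a throwaway CA, issue a client cert, revoke it,
# and show that revocation (CRL) and expiry are two independent checks.
set -eu
WORK="$(mktemp -d)"; cd "$WORK"

# Minimal openssl ca config so `openssl ca` can sign, revoke and publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = lab
[ lab ]
dir = .
database = index.txt
new_certs_dir = .
certificate = ca.crt
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
EOF
touch index.txt; echo 01 > serial

openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=Lab Root CA" -days 3650 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout host.key -out host.csr \
  -subj "/CN=lab-host01" 2>/dev/null
openssl ca -batch -config ca.cnf -in host.csr -out host.crt -notext 2>/dev/null

# Revocation check: a fresh CRL answers "is it revoked?", never "is it expired?".
revocation_status() {   # $1 = cert; prints "good" or "revoked"
  openssl ca -config ca.cnf -gencrl -out lab.crl 2>/dev/null
  cat ca.crt lab.crl > chain.pem
  if openssl verify -crl_check -CAfile chain.pem "$1" >/dev/null 2>&1; then echo good; else echo revoked; fi
}
# Expiry check: the validity window is tested separately from CRL/OCSP status.
expires_within() {      # $1 = cert, $2 = seconds; prints "valid" or "expiring"
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then echo valid; else echo expiring; fi
}

echo "before revoke: $(revocation_status host.crt) / $(expires_within host.crt 0)"
openssl ca -batch -config ca.cnf -revoke host.crt 2>/dev/null
echo "after revoke:  $(revocation_status host.crt) / $(expires_within host.crt 0)"
```

Run it in a scratch directory; the CRL line should read "revoked" after the revoke step while the expiry line still reads "valid", which is the same split ISE has to make between its OCSP/CRL lookup and its certificate validity-period check.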