ISE 3.1 OCSP Response for Condition Studio

russell.sage
Level 1

My customer has asked us to authenticate based on whether the device is a corporate device. Corporate Devices will be issued a certificate via MS Intune. Access to network to be determined purely on the device having a valid certificate, checked via an OCSP request to their OCSP responder. Access to applications will be controlled via MS Azure conditional access.

I have connectivity to their OCSP responder but can't see from within the condition studio how to pickup the OCSP response.

Is a valid response somehow inferred?

1 Accepted Solution

Accepted Solutions

Arne Bier
VIP

Hello @russell.sage 

That's right - you're relying on ISE to perform a revocation check each time it sees a cert signed by the Intune CA. In ISE you create an OCSP Profile in which ISE is either told which are the primary and secondary OCSP servers to check, or you can tell ISE to look in the AIA of the client cert for the OCSP responder. The thing about the URL in the AIA is that you only get one OCSP - if this is not a load balancer then you might have a redundancy issue. It might be safer to manually configure a primary and secondary responder in the OCSP profile. But both options do the same thing. If the OCSP responder returns a negative result (i.e. client cert is revoked) then ISE will reject that authentication.

The ISE Authorization will be a simple case of "If authentication passed then return Access-Accept etc....." - the OCSP takes care of Authentication success/failure logic.


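The mechanics the answer describes (ISE reads the OCSP responder URL from the client certificate's AIA, sends a request keyed on the certificate's serial, and lets the responder's answer decide whether the authentication passes) can be walked through offline. The following is an added example, not code from the thread, from Cisco ISE, or from Intune; it uses the Python `cryptography` library and constructs its own throw-away issuing CA, a device certificate with a placeholder OCSP URL (`http://ocsp.example.invalid/`), and a simulated responder, so every name here is an assumption for illustration. The decision logic models the fail-closed behaviour a RADIUS server should have: only a signed, fresh, GOOD answer about the presented certificate yields Access-Accept, while revoked or an unreachable responder (the redundancy concern raised above) yields Access-Reject.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import Encoding
from cryptography.x509 import ocsp
from cryptography.x509.oid import AuthorityInformationAccessOID, NameOID

# Constructed placeholder URL; a real deployment carries the responder URL in the
# client certificate's AIA extension or has it configured in the ISE OCSP profile.
OCSP_URL = "http://ocsp.example.invalid/"


def _validity():
    now = datetime.now(timezone.utc)
    return now - timedelta(minutes=5), now + timedelta(days=365)


def make_ca(common_name="Example Intune Issuing CA"):
    """Stand-in for the Intune-side issuing CA (constructed for this example)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    nvb, nva = _validity()
    cert = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_device_cert(ca_key, ca_cert, device_name, ocsp_url=OCSP_URL):
    """Issue a device certificate whose AIA extension names the OCSP responder."""
    key = ec.generate_private_key(ec.SECP256R1())
    nvb, nva = _validity()
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(ocsp_url))])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, device_name)]))
            .issuer_name(ca_cert.subject).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(nvb).not_valid_after(nva)
            .add_extension(aia, critical=False)
            .sign(ca_key, hashes.SHA256()))


def ocsp_urls_from_aia(cert):
    """The URL(s) found when the OCSP profile says 'use the AIA of the client cert'."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP]


def build_ocsp_request(cert, issuer_cert):
    """What the RADIUS server sends: a CertID (issuer hashes + serial) for the presented cert."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer_cert, hashes.SHA1()).build()


def simulate_responder(cert, issuer_cert, issuer_key, status):
    """Responder stand-in: 'good', 'revoked', or 'down' (an unsuccessful tryLater reply)."""
    if status == "down":
        return ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.TRY_LATER)
    now = datetime.now(timezone.utc)
    revoked = status == "revoked"
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer_cert, algorithm=hashes.SHA1(),
        cert_status=ocsp.OCSPCertStatus.REVOKED if revoked else ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + timedelta(hours=1),
        revocation_time=now - timedelta(days=1) if revoked else None,
        revocation_reason=x509.ReasonFlags.cessation_of_operation if revoked else None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, issuer_cert)
    return builder.sign(issuer_key, hashes.SHA256())  # here the CA signs its own responses


def _next_update(resp):
    nu = getattr(resp, "next_update_utc", None)  # newer cryptography releases
    if nu is None:
        nu = resp.next_update
        if nu is not None and nu.tzinfo is None:
            nu = nu.replace(tzinfo=timezone.utc)
    return nu


def decide_access(response_der, cert, responder_cert, now=None):
    """Access-Accept only for a verified, fresh GOOD answer about this certificate."""
    now = now or datetime.now(timezone.utc)
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "Access-Reject"  # responder unreachable or erroring: fail closed
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           ec.ECDSA(resp.signature_hash_algorithm))
    except InvalidSignature:
        return "Access-Reject"  # not signed by the trusted responder
    if resp.serial_number != cert.serial_number:
        return "Access-Reject"  # answer concerns a different certificate
    nu = _next_update(resp)
    if nu is not None and nu < now:
        return "Access-Reject"  # stale answer
    return "Access-Accept" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "Access-Reject"


def run_demo():
    ca_key, ca_cert = make_ca()
    device = issue_device_cert(ca_key, ca_cert, "corp-laptop-0001")
    req = build_ocsp_request(device, ca_cert)
    outcomes = {}
    for status in ("good", "revoked", "down"):
        resp = simulate_responder(device, ca_cert, ca_key, status)
        outcomes[status] = decide_access(resp.public_bytes(Encoding.DER), device, ca_cert)
    return {"aia_urls": ocsp_urls_from_aia(device), "request_serial": req.serial_number,
            "device_serial": device.serial_number, "outcomes": outcomes}


if __name__ == "__main__":
    print(run_demo())
```

The "down" case is the one to keep in mind when choosing between the AIA URL and a manually configured primary/secondary pair: a responder that cannot be reached produces no GOOD answer, so the authentication fails closed and devices lose network access until the responder is back.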