ISE errors for OCSP after migrating PKI servers from MS 2012 to 2019

Hi all,

Our older PKI servers were running on the 2012 OS. We built 2019 OS VMs and then migrated the PKI services/information from the old to the new, keeping hostnames and IP addresses as they were.

Following this, users were not able to authenticate, and the errors below were seen in ISE.

2550   Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server
12563  OCSP server returned an error - certificate for
12552  Conversation with OCSP server ended with failure - certificate for
12558  Performed fallback to secondary OCSP server - certificate for
12551  Sent an OCSP request to the secondary OCSP server for the CA - External OCSP Server
12563  OCSP server returned an error - certificate for
12552  Conversation with OCSP server ended with failure - certificate for
12572  OCSP response not cached - certificate for

To remediate the issue we turned off the option to "reject the request if OCSP returns UNKNOWN" within the ISE trusted cert.

What I am trying to figure out is how we can enable this feature again, and if there is something within Server 2019 that would have caused this?

Thanks


Arne Bier
VIP

Hi @NetworkMonkey101 

The OCSP checks are performed by the PSN nodes handling the 802.1X transaction. Have you checked that the relevant PSNs can communicate with all of the OCSP servers specified in the OCSP Client Profile on TCP/80?

Sometimes a tcpdump reveals a good deal of information. I would ensure that the TCP comms is at least bi-directional.

Do you use static URLs in ISE for the OCSP responder location, or do you use the AIA in the client certificate?

As far as setting up the OCSP Response in Windows 2019 is concerned, I am not too sure about that. Might have to search for some Windows articles to ensure it's set up correctly.
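To make the moving parts of the reply concrete (where the responder URL comes from, what the PSN actually sends, and what the "reject the request if OCSP returns UNKNOWN" setting does with the answer), here is an added example that is not from this thread, from Cisco, or from Microsoft. It uses the Python `cryptography` library, generates its own lab CA, OCSP responder certificate and client certificate so it runs offline, and simulates the responder locally with `OCSPResponseBuilder` instead of talking to a real Windows responder; the responder URL `http://ocsp.example.test/ocsp` and the certificate names are constructed placeholders.

```python
"""Added example: AIA lookup, OCSP request, simulated responder, and the
GOOD / REVOKED / UNKNOWN decision that the ISE 'reject if UNKNOWN' option
controls. Requires the 'cryptography' package; everything else is local."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)

# Constructed placeholder for the responder URL carried in the client cert's AIA.
OCSP_URL = "http://ocsp.example.test/ocsp"


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, pubkey, signing_key, *, ca=False, aia=None, eku=None):
    """Issue a certificate; AIA and EKU extensions are added only when requested."""
    now = _now()
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if aia:
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.OCSP, x509.UniformResourceIdentifier(aia))]),
            critical=False)
    if eku:
        b = b.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return b.sign(signing_key, hashes.SHA256())


def ocsp_url_from_aia(cert):
    """Responder URL from the AIA extension, or None. This is what ISE uses when the
    OCSP client profile is set to take the URL from the client certificate."""
    try:
        aia = cert.extensions.get_extension_for_class(x509.AuthorityInformationAccess).value
    except x509.ExtensionNotFound:
        return None
    for desc in aia:
        if desc.access_method == AuthorityInformationAccessOID.OCSP:
            return desc.access_location.value
    return None


def build_request(cert, issuer):
    """The OCSP request a PSN would send (HTTP POST, TCP/80) for this certificate."""
    return ocsp.OCSPRequestBuilder().add_certificate(cert, issuer, hashes.SHA1()).build()


def simulated_response(cert, issuer, responder_cert, responder_key, status):
    """Stand-in for the Windows responder: one signed single-certificate answer."""
    now = _now()
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=status,
        this_update=now, next_update=now + datetime.timedelta(hours=1),
        revocation_time=None, revocation_reason=None,
    ).responder_id(ocsp.OCSPResponderEncoding.HASH, responder_cert)
    return builder.sign(responder_key, hashes.SHA256())


def signature_ok(resp, responder_cert):
    """Verify the response signature with the responder certificate. In a real
    check that cert must also chain to a trusted CA and carry the OCSP Signing EKU."""
    try:
        responder_cert.public_key().verify(resp.signature, resp.tbs_response_bytes,
                                           padding.PKCS1v15(), resp.signature_hash_algorithm)
        return True
    except Exception:
        return False


def evaluate(resp, responder_cert, reject_unknown):
    """Map the OCSP answer to an authentication decision. reject_unknown mirrors the
    ISE trusted-certificate option 'reject the request if OCSP returns UNKNOWN'."""
    if (resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL
            or not signature_ok(resp, responder_cert)):
        return "fail"                     # responder error or bad signature
    status = resp.certificate_status
    if status == ocsp.OCSPCertStatus.GOOD:
        return "accept"
    if status == ocsp.OCSPCertStatus.REVOKED:
        return "reject"
    return "reject" if reject_unknown else "accept"   # UNKNOWN


def run_demo():
    """Build the lab PKI, issue one request, and evaluate GOOD and UNKNOWN answers."""
    ca_key, resp_key, client_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca = _cert(_name("Lab Issuing CA"), _name("Lab Issuing CA"), ca_key.public_key(), ca_key, ca=True)
    responder = _cert(_name("Lab OCSP Responder"), ca.subject, resp_key.public_key(), ca_key,
                      eku=[ExtendedKeyUsageOID.OCSP_SIGNING])
    client = _cert(_name("user1"), ca.subject, client_key.public_key(), ca_key,
                   aia=OCSP_URL, eku=[ExtendedKeyUsageOID.CLIENT_AUTH])
    req = build_request(client, ca)
    good = simulated_response(client, ca, responder, resp_key, ocsp.OCSPCertStatus.GOOD)
    unknown = simulated_response(client, ca, responder, resp_key, ocsp.OCSPCertStatus.UNKNOWN)
    return {
        "aia_url": ocsp_url_from_aia(client),
        "request_serial_matches": req.serial_number == client.serial_number,
        "good": evaluate(good, responder, reject_unknown=True),
        "unknown_reject": evaluate(unknown, responder, reject_unknown=True),
        "unknown_fallback": evaluate(unknown, responder, reject_unknown=False),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two UNKNOWN lines are the point: unchecking the ISE option changes the decision for an UNKNOWN answer, not the answer itself. If a responder that used to say GOOD now says UNKNOWN for the same serials, the question is why the new responder no longer recognises the CA's issued certificates (revocation configuration, CA key/serial data, or the responder's signing certificate after the migration) rather than whether ISE should tolerate it.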