Troubleshooting EAP-TLS with External Certificates

A.L.M.Buxey
Sat Sep 10 12:02:08 CEST 2016


> I don't like OCSP checks in RADIUS.  It creates another opportunity to slow down the authentication process, and unless you tell it to fail open, if the responder is down, then no one can authenticate (at least I think that is so).  With that said, if you are supporting a commercial entity and not something academic, then you may have to go the extra mile.  If we need to block a user, we block the MAC address or username with NAC.  Not foolproof.  But it also takes the burden away from RADIUS, which can be pummeled with a lot of extra work.

we do OCSP on ours with no performance issue - we have the configuration set to fail open
in case there is an issue....but we're investigating using a CRL check if the OCSP does
fail (which it hasn't so far - that's with 2 years of operation with this setup, around 20k
concurrent wireless users) in the academic space.
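The two settings the thread contrasts, as an added example rather than either poster's configuration: a FreeRADIUS 3.0.x `tls-config` fragment (mods-available/eap) with the hard-fail OCSP block commented out above the fail-open variant plus an independent CRL check. The certificate paths and responder URL are placeholders.

```conf
# Added example, not from the original posts. Goes inside
# "tls-config tls-common { ... }" in mods-available/eap (FreeRADIUS 3.0.x).
# Only one ocsp {} block may be present; the weak one is left commented out.

    # --- Hard-fail variant (default softfail = no) ---
    # If the responder is unreachable, every EAP-TLS authentication is
    # rejected: the outage the quoted message is worried about.
    # ocsp {
    #     enable   = yes
    #     softfail = no
    # }

    # --- Fail-open variant, as in the reply, plus a CRL check ---
    ca_file   = /etc/raddb/certs/ca.pem     # placeholder path
    ca_path   = /etc/raddb/certs/crl/       # placeholder; hashed CRL files here
    # The CRL check runs in the OpenSSL verify step, independently of OCSP,
    # so a revoked cert is still caught when OCSP soft-fails, provided the
    # CRL in ca_path is current (re-run c_rehash after each refresh).
    check_crl = yes

    ocsp {
        enable = yes
        # Take the responder URL from the client certificate's AIA extension.
        override_cert_url = no
        # url = "http://ocsp.example.invalid/"   # only with override_cert_url = yes
        use_nonce = yes    # reject a replayed, previously captured "good" response
        timeout   = 2      # seconds; bounds the added authentication latency
        # softfail only applies when the check could not complete (responder
        # down, malformed reply). A definitive "revoked" answer still rejects
        # the certificate regardless of this setting.
        softfail = yes
    }
```

FreeRADIUS 3.0.x records the outcome in the `TLS-OCSP-Cert-Valid` attribute, so a post-auth policy can log which sessions were admitted without a completed OCSP check and the fail-open path does not go unnoticed.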
