Issue with OCSP check
Alan DeKok
aland at deployingradius.com
Mon Aug 5 15:15:24 CEST 2019
On Aug 5, 2019, at 9:01 AM, Antoine JOUBERT via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>
> I had setup and got OCSP working with Freeradius in early 2016. However, I've recently noticed that it's not working anymore, as users with a revoked certificate are still able to connect to the network due to softfail being enabled.
That's largely what softfail means.
> I'm using the Debian Stretch package of Freeradius:
>
> freeradius -v
> radiusd: FreeRADIUS Version 3.0.12, for host x86_64-pc-linux-gnu, built on Aug 10 2017 at 07:05:06
> FreeRADIUS Version 3.0.12
Arg. You may want to update to 3.0.19 using the packages on http://packages.networkradius.com
> Our company is using its own PKI, managed with EasyRSA. Every user certificate is signed directly with our CA certificate.
> ...
> (7) eap_tls: Starting OCSP Request
> *(7) eap_tls: ERROR: Couldn't get issuer_cert for user*
The EAP-TLS session doesn't contain the issuer certificate. Why? It's not clear. TLS and user supplicants are magic. :(
Update to 3.0.19. It will then set "request:TLS-OCSP-Cert-Valid = 2" if the OCSP checks were skipped. You can check for that in policies.
Alan DeKok.
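As an added illustration of the policy check mentioned above (not from the thread or the FreeRADIUS project itself), the fragment below rejects a session whose OCSP check was skipped rather than relying on softfail. It assumes FreeRADIUS 3.0.19 or later, and that the post-auth section of the virtual server handling the EAP-TLS request is where the attribute is evaluated.

```unlang
#  Added example: sites-enabled/default (or whichever virtual server
#  terminates the EAP-TLS session), post-auth section.
#
#  Per the thread, 3.0.19+ sets request:TLS-OCSP-Cert-Valid = 2 when the
#  OCSP check was skipped (e.g. the issuer certificate could not be found).
#  With softfail enabled, such a session would otherwise be accepted, so the
#  policy turns "skipped" into an explicit reject.
post-auth {
	if (&request:TLS-OCSP-Cert-Valid == 2) {
		update reply {
			&Reply-Message := "Certificate revocation status could not be verified"
		}
		reject
	}

	#  ... existing post-auth configuration continues here
}
```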