Correct. We are running 13.1. For the OCSP URL I tried using http://<ServerDNS>:22225/api/v1/pki/ocsp, but that gives me a "connection timed out" error. When I switch to <serverDNS>/ocsp I end up at "Not Implemented: GET not supported for current URL".

Searching through the documentation shows a lot of information regarding the OCSP settings for Microsoft PKI and very little for the PacketFence PKI. EAP-TLS works great for our SCEP-created certificates (using the PacketFence PKI) and for the Windows ADCS certificates.

Thanks,

Reese Herber
Systems Integration Analyst
Department of Learning and Innovation
Phone: 253-530-3715
"The fusion of technology and education is the canvas on which we paint the masterpiece of our collective future, one pixel at a time."

On Fri, Feb 16, 2024 at 1:32 PM Zammit, Ludovic <[email protected]> wrote:

> Hello Reese,
>
> If I understand correctly, you are using PacketFence PKI and you want to use the builtin OCSP in PacketFence to reject any revoked certificates, correct?
>
> Which PacketFence version are you running?
>
> What's the OCSP URL that you have configured?
>
> Is the EAP-TLS working on a regular non-revoked cert?
>
> Thanks,
>
> Ludovic Zammit
> Product Support Engineer Principal Lead
> Cell: +1.613.670.8432
> Akamai Technologies - Inverse
> 145 Broadway
> Cambridge, MA 02142
> Connect with Us: <https://community.akamai.com> <http://blogs.akamai.com> <https://twitter.com/akamai> <http://www.facebook.com/AkamaiTechnologies> <http://www.linkedin.com/company/akamai-technologies> <http://www.youtube.com/user/akamaitechnologies?feature=results_main>
>
> On Feb 15, 2024, at 7:30 PM, Herber, Reese via PacketFence-users <[email protected]> wrote:
>
> Good Afternoon,
>
> I'm hoping someone can chime in on setting up OCSP. We have successfully implemented EAP-TLS machine authentication, working with our Active Directory-managed Windows machines and our JAMF-managed MacOS devices. Our current goal is to extend this setup to include a few (<50) BYOD devices by generating machine auth certificates for them. However, we are facing challenges with the OCSP.
>
> Despite revoking a test certificate issued from the PacketFence PKI for a BYOD device, the certificate remains valid for login, indicating that OCSP is not functioning as expected. Moreover, when OCSP is enabled, it appears to disrupt the connection for our Windows devices authenticated through valid certificates, specifically when attempting to connect to RADIUS.
>
> Here is the error we encounter in the radius logs for the Windows devices when this issue occurs:
>
> Module-Failure-Message = "eap_tls: ocsp: Couldn't get OCSP response",
> Module-Failure-Message = "eap_tls: (TLS) ocsp: Unable to check certificate failing",
> Module-Failure-Message = "eap_tls: (TLS) Alert write:fatal:internal error",
> Module-Failure-Message = "eap_tls: (TLS) Server : Error in error",
> Module-Failure-Message = "eap_tls: (TLS) Failed reading from OpenSSL",
> Module-Failure-Message = "eap_tls: (TLS) error:27076072:OCSP routines:parse_http_line1:server response error",
> Module-Failure-Message = "eap_tls: (TLS) error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed",
> Module-Failure-Message = "eap_tls: (TLS) System call (I/O) error (-1)",
> Module-Failure-Message = "eap_tls: (TLS) EAP Receive handshake failed during operation",
> Module-Failure-Message = "eap_tls: [eaptls process] = fail",
> Module-Failure-Message = "eap: Failed continuing EAP TLS (13) session. EAP sub-module failed"
>
> Here are the things I am hoping to get some insight on:
>
> 1. How to correctly configure OCSP for the specific template used for BYOD devices, ensuring that revoked certificates are recognized as invalid and deny the connection.
> 2. Why my Windows devices are throwing errors about being unable to get an OCSP response when the MacOS devices don't have that issue.
>
> I'm hoping there is just a setting I am missing here, but please let me know if I can answer any additional questions.
>
> Thanks,
>
> Reese Herber
> Systems Integration Analyst
> Department of Learning and Innovation
> Phone: 253-530-3715
> "The fusion of technology and education is the canvas on which we paint the masterpiece of our collective future, one pixel at a time."
>
> _______________________________________________
> PacketFence-users mailing list
> [email protected]
> https://urldefense.com/v3/__https://lists.sourceforge.net/lists/listinfo/packetfence-users__;!!GjvTz_vk!TQWBmmEvfY8qqz6OUjxpkc3eVuLwTqMx63A40XDoFtQxGp4O9BGn6nySE_sr-PHVCoAhplhN8lBswCSdF0ZDtspac0XBM7Yiwigr1Q$
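The thread above is about a RADIUS server that cannot get a usable OCSP answer and about a revoked certificate that keeps authenticating. The script below is an added example, not code from PacketFence, FreeRADIUS or anyone in the thread: it reproduces the whole OCSP round trip offline with the `openssl` command-line tool (throwaway CA, two client certificates, one of them revoked in an OpenSSL `ca`-style `index.txt`, a file-based responder, and the client-side verification an EAP-TLS server performs). Every name, serial and date in it is a constructed placeholder. It is useful as a baseline: once you know what a correct responder must return for a good and for a revoked certificate, you can point the same client command at the real responder URL and compare.

```shell
#!/bin/sh
# Added example, not PacketFence's or FreeRADIUS's code: an offline OCSP
# round trip with the openssl CLI. Builds a throwaway CA, issues two client
# certificates, revokes one in an OpenSSL "ca"-style index file, answers an
# OCSP request from that index, and verifies the answer the way an EAP-TLS
# server does. All names, serials and dates are constructed placeholders.
set -eu

# Prints one "<name> <status>" line per certificate, e.g. "byod-revoked revoked".
# Runs in a subshell so the temporary directory and the cd do not leak out.
ocsp_demo() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    cd "$work"

    # 1. Throwaway issuing CA (P-256 key, self-signed, valid for 2 days).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout ca.key -out ca.pem -subj /CN=Demo-OCSP-CA -days 2 >/dev/null 2>&1

    # 2. Two client certificates issued by that CA.
    for name in byod-good byod-revoked; do
        openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
            -out "$name.pem" -days 2 >/dev/null 2>&1
    done

    # 3. Revocation database in the tab-separated index.txt format the
    #    openssl ocsp responder reads: status, expiry, revocation time,
    #    serial (hex), file name, subject. "R" marks a revoked certificate.
    #    The expiry and revocation timestamps below are placeholders.
    good_serial=$(openssl x509 -in byod-good.pem -noout -serial | cut -d= -f2)
    bad_serial=$(openssl x509 -in byod-revoked.pem -noout -serial | cut -d= -f2)
    printf 'V\t300101000000Z\t\t%s\tunknown\t/CN=byod-good\n' "$good_serial" > index.txt
    printf 'R\t300101000000Z\t240216000000Z\t%s\tunknown\t/CN=byod-revoked\n' "$bad_serial" >> index.txt

    for name in byod-good byod-revoked; do
        # 4. Client side: build the DER OCSP request for this certificate
        #    (this is the body the RADIUS server POSTs to the responder URL).
        openssl ocsp -issuer ca.pem -cert "$name.pem" -no_nonce \
            -reqout "$name.req" >/dev/null 2>&1
        # 5. Responder side: answer the request from index.txt and sign the
        #    response with the CA key (no network involved).
        openssl ocsp -index index.txt -CA ca.pem -rsigner ca.pem -rkey ca.key \
            -noverify -reqin "$name.req" -respout "$name.resp" >/dev/null 2>&1
        # 6. Client side again: check the response signature against the
        #    trusted CA and read the status for this certificate's serial.
        result=$(openssl ocsp -issuer ca.pem -cert "$name.pem" -no_nonce \
            -CAfile ca.pem -respin "$name.resp" 2>&1)
        echo "$result" | grep -q '^Response verify OK' || {
            echo "$name verify-failed"; continue; }
        echo "$name $(echo "$result" | grep "^$name.pem:" | cut -d' ' -f2)"
    done
)

ocsp_demo
```

Expected output is `byod-good good` followed by `byod-revoked revoked`. To test a live responder instead of the file-based one, replace step 6 with `openssl ocsp -issuer <issuing-CA.pem> -cert <client.pem> -url http://<host>/<path> -CAfile <trust.pem> -resp_text`: `openssl ocsp` sends the request as an HTTP POST, which is also how the RADIUS server talks to the responder, so a browser visit that answers "GET not supported" is not by itself evidence that the URL is wrong, whereas the `parse_http_line1:server response error` line in the radius log above means the responder replied to the POST with something other than an HTTP 200 status line. If the response verifies but the revoked certificate comes back `good` or `unknown`, the responder is either not reading the revocation you made or is being asked about a different issuer than the one that signed the certificate (the `-issuer` file must be the CA that actually issued the client certificate).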
