Help
FortiNAC
NOTE: FortiNAC is now named FortiNAC-F. For post-9.4 articles, see FortiNAC-F. FortiNAC is a zero-trust network access solution that provides users with enhanced visibility into the Internet of Things (IoT) devices on their enterprise networks.
ndumaj
Staff
Staff

Created on ‎11-13-2023 02:50 AM Edited on ‎11-13-2023 02:59 AM By Community Manager

Article Id 283945

Technical Tip: How to enable OCSP support and OSCP responder errors on FortiNAC

Description This article is an OCSP introduction and configuration in FortiNAC, follow this document for a description:

OCSP for X.509 certificate revocation checking 


This protocol specifies the data that needs to be exchanged between an application checking the status of one or more certificates and the server providing the corresponding status.

This specification defines the following definitive response indicators for use in the certificate status value:

  • good: The 'good' state indicates a positive response to the status inquiry.
  • revoked: The 'revoked' state indicates that the certificate has been revoked, either temporarily (the revocation reason is certificateHold) or permanently.
  • unknown: The 'unknown' state indicates that the responder does not know about the certificate being requested, usually because the request indicates an unrecognized issuer that is not served by this responder.
Scope FortiNAC legacy, FortiNAC-F.
Solution

Enable Online Certificate Status Protocol (OCSP) support in FortiNAC.
Go into FortiNAC -> Network -> RADIUS -> Local RADIUS configuration Details and enable OCSP.


OCSP.png

 

If enabled, EAP-TLS client certificates will have OCSP verification performed, using the URL embedded in the client certificate.
Important: Certificates must contain the OCSP URL. Otherwise, client authentication will fail.

Enable radius debug and Troubleshooting:


OCSP1.png

 

Error: OCSP: Response Status: unauthorized  <---- This means that OCSP Service Nonces is not enabled on the Server.


OCSP2.png

 


Microsoft implementation of OCSP is compliant with RFC 5019 The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments, which is a simplified version of RFC 2560 X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.

It is possible to force the Microsoft OCSP service to accept those signed requests and reply with the correct signed response. Navigate to Revocation Configuration -> RevocationConfiguration1 -> Edit Properties, and select the option to Enable NONCE extension support.


OCSP3.png

 
Related documents:
Section 2, RFC 6960
Microsoft OCSP handshake issue
835
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.