OCSP and Live Logs

russell.sage (Level 1)

I have a customer who has laptops with a VPN client and a certificate issued via SCEPMAN. The VPN client connects to Netmotion, which in turn sends a RADIUS request to the ISE for the client certificate to be checked against SCEPMAN, and the result is passed back to Netmotion to accept or reject the connection request from the user. This works. The strange thing is I see nothing in the Live Logs on the ISE box. A TCP dump shows the entire exchange. A valid certificate returns a RADIUS access-accept and a revoked certificate an access-reject.

Secondly this doesn't seem to hit any policy set. Does the enabling of OCSP override policy sets?

Is there some setting in ISE that needs to be turned on to see this activity in the live logs?

I can find no policy set library or dictionary for handling OCSP activity.

Accepted Solution

When enabled on the Trusted Certificate, OCSP (and CRL) checks for certificate revocation are something that happens as part of the Authentication Process. There are no dictionaries for manipulating those checks.

In ISE, the MAC address is the essential key to how a RADIUS session is created and tracked. My guess would be that Netmotion is not providing a MAC address as part of the RADIUS request and so ISE does not have a way to insert the session into the live logs or other normal processes.

You would likely need to do a TCPdump on ISE to capture the RADIUS traffic from Netmotion to see how it is constructing that. This is certainly not a use case I've ever heard of ISE being used for before.


7 Replies

I don't think ISE is evaluating the certificate in this scenario. If this is like ASA/FTD, the certificate validation occurs on the headend and "Authorize-only" is configured for ISE. Not sure if that same concept exists in Netmotion.

Do all live logs not work?  Or only this one scenario? https://www.adamhollifield.com/2022/09/fix-cisco-ise-messaging-service.html

Hi, I don't expect ISE to evaluate the certificate; I would expect ISE to make an OCSP request to SCEPMAN, and that does appear to be happening. So are you saying that if ISE doesn't evaluate the certificate then nothing should be seen in the Live Logs, even though ISE is receiving RADIUS requests?

Maybe I'm not following here. What is being sent via RADIUS to ISE? The certificate? Username? Something else?

It's probably me. Netmotion makes a RADIUS request to ISE for access by requesting that ISE conduct a certificate revocation check with SCEPMAN. If the customer uses a revoked certificate, ISE sends back a RADIUS access-reject message; if the certificate is valid, it returns a RADIUS access-accept message. My question is I don't see how you build that into a policy set. There is no library or dictionary for OCSP. Under Authentication policy I can do a check for Network Access-EapAuthentication equals EAP-TLS, but that seems a bit pointless. So at present I am authenticating using the default, with the option to reject if Auth fails. I don't see how Authorisation comes into play at all.

RADIUS live logs show nothing at all. 

Right, that's exactly what's not making sense to me. What type of RADIUS request is this? Is it EAP? How exactly is the certificate flowing from Netmotion to ISE? Is it the entire certificate or just the common name? Why is Netmotion using ISE at all and not just talking to SCEPMAN directly for OCSP?

Do you have any other Live Logs in this deployment? Or is this the only thing ISE is being used for?


Greg, many thanks. A TCP dump of the RADIUS traffic coming from Netmotion doesn't include a Called-Station-Id with a MAC address, just a NAS-Identifier. I will feed back to the Netmotion team.
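The check the thread ends on (does the NAS's Access-Request carry an endpoint MAC that ISE can key a session on?) can be scripted against the bytes pulled from a tcpdump capture. This is an added example, not code from the thread or from Cisco/Netmotion; the two Access-Requests are constructed here with a zeroed authenticator and no Message-Authenticator, and the MAC is looked for in Calling-Station-Id (type 31), which is the attribute ISE normally reads the endpoint MAC from.

```python
import re
import struct

# RADIUS attribute types (RFC 2865) relevant to this thread.
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 30: "Called-Station-Id",
              31: "Calling-Station-Id", 32: "NAS-Identifier", 79: "EAP-Message"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def parse_radius(pkt: bytes):
    """Decode a RADIUS packet into (code, identifier, [(type, value), ...])."""
    if len(pkt) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length > len(pkt) or length < 20:
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, pkt[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def endpoint_mac(attrs):
    """Return the MAC carried in Calling-Station-Id (31), normalised, else None."""
    for atype, value in attrs:
        if atype == 31:
            text = value.decode("ascii", "replace")
            if MAC_RE.match(text):
                return text.upper().replace("-", ":")
    return None

def build_access_request(attrs):
    """Constructed Access-Request (code 1) with a zeroed authenticator; sample data only."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed samples: what the thread describes (NAS-Identifier only)
# versus a request that also carries the endpoint MAC.
NETMOTION_LIKE = build_access_request([(1, b"alice"), (32, b"netmotion-gw")])
WITH_MAC = build_access_request([(1, b"alice"), (32, b"netmotion-gw"),
                                 (31, b"00-11-22-AA-BB-CC")])

if __name__ == "__main__":
    for name, pkt in (("netmotion-like", NETMOTION_LIKE), ("with-mac", WITH_MAC)):
        code, ident, attrs = parse_radius(pkt)
        print(name, [ATTR_NAMES.get(t, t) for t, _ in attrs], "MAC:", endpoint_mac(attrs))
```

To run it against real traffic, feed `parse_radius` the UDP payload of each Access-Request from the capture; a `None` result from `endpoint_mac` is the condition Greg describes.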