External OCSP Checking for Mobile Devices

Question

  • Hi

    I'm currently designing a Windows AD CS PKI solution for my company and I'm a little confused about whether I need to make the OCSP responder externally available.

    We use AirWatch SaaS MDM to manage company owned iPhones and this is going to be leveraged with its onprem cloud connector to issue certificates to the mobile devices for connecting to the corporate WiFi.  

    The goal is to be able to use device authentication to our Cisco Wireless AP's to prevent BYOD from connecting.

    What I'm not certain about is whether, during the authentication process of the phones to the AP, the devices will try to perform an OCSP check on the certificates issued to the NPS/RADIUS server and, if so, whether there is some kind of pre-auth that will allow the phones to connect to an internal OCSP responder or, if not, whether the phones revert to the mobile network and try to verify over the internet. Or does it just fail completely? Is it possible to disable the OCSP check?

    Essentially I want to know whether I need to make OCSP externally accessible, because all other clients that will have certificates will be connected to the domain and on the corporate network either directly or via VPN, so aside from this scenario with the phones, I don't believe I need an external OCSP.


    • Edited by slinkoff Thursday, October 13, 2016 12:53 PM
    Friday, September 30, 2016 12:38 PM

Answers

  • In this case, the clients will NOT check revocation of the RADIUS server for the reason you stated - it is assumed there is no network connection. The most they can do if configured properly is determine if the RADIUS server certificate is trusted - but even that is optional.

    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. He is also co-founder of Revocent (revocent.com) and its CertAccord product that offers Linux certificate enrollment from a Microsoft CA. Connect with Mark at https://www.pkisolutions.com

    • Proposed as answer by Amy Wang_ Wednesday, October 19, 2016 5:07 AM
    • Marked as answer by Amy Wang_ Saturday, October 22, 2016 6:20 AM
    Tuesday, October 18, 2016 6:36 PM
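    The following shell script is an added example, not code from the thread or from any of the posters. It builds a throwaway CA and an NPS/RADIUS server certificate with constructed AIA (OCSP) and CDP URLs, then shows the two points the thread turns on: which hostnames a validating party would need to resolve (hence Brian's advice to use one URL inside and outside, served by split DNS), and why a client with no network yet can complete a trust-only check but not a revocation check, which is the case Mark's answer and the quoted TechNet passage describe. All subjects, hostnames and paths (`pki.example.com`, `nps.corp.example.com`, the `.crl` and `.crt` paths) are constructed placeholders, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed CA, server cert and URLs;
# requires the openssl CLI. Everything is written to a temp directory.
set -e
WORK=$(mktemp -d)

build_chain() {
  # Minimal req config so the script does not depend on the system openssl.cnf.
  cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # Constructed issuing CA (self-signed, 30 days).
  openssl req -x509 -new -config "$WORK/req.cnf" -extensions v3_ca \
    -newkey rsa:2048 -nodes -days 30 -subj "/CN=Corp Issuing CA (constructed)" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

  # CSR for the NPS/RADIUS host (constructed name).
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=nps.corp.example.com" \
    -keyout "$WORK/nps.key" -out "$WORK/nps.csr" >/dev/null 2>&1

  # Extensions the CA stamps into the server cert. One hostname is used for
  # OCSP, AIA and CDP so a single split-DNS name can serve inside and outside.
  cat > "$WORK/ext.cnf" <<'EOF'
extendedKeyUsage = serverAuth
subjectAltName = DNS:nps.corp.example.com
authorityInfoAccess = OCSP;URI:http://pki.example.com/ocsp, caIssuers;URI:http://pki.example.com/aia/corp-ca.crt
crlDistributionPoints = URI:http://pki.example.com/crl/corp-ca.crl
EOF

  openssl x509 -req -in "$WORK/nps.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" \
    -out "$WORK/nps.pem" >/dev/null 2>&1
}

# OCSP responder URL from the AIA extension (what a validating client would query).
ocsp_url() { openssl x509 -in "$WORK/nps.pem" -noout -ocsp_uri; }

# CRL distribution point URL(s) from the CDP extension.
cdp_urls() {
  openssl x509 -in "$WORK/nps.pem" -noout -text \
    | sed -n 's/^[[:space:]]*URI:\(.*\.crl\)[[:space:]]*$/\1/p'
}

# Hostnames that must resolve wherever the certificate is validated.
pki_hosts() {
  { ocsp_url; cdp_urls; } | sed 's#^[a-z]*://##; s#/.*##' | sort -u
}

# Trust-only validation: chain to a trusted root, no revocation lookup at all.
# This is the most a wireless client can do before it has a network connection.
trust_only_verify() {
  openssl verify -CAfile "$WORK/ca.pem" "$WORK/nps.pem" >/dev/null 2>&1
}

# Same chain, but CRL checking is required and no CRL is reachable: verification
# fails ("unable to get certificate CRL"). This is the chicken-and-egg case.
revocation_verify_offline() {
  openssl verify -CAfile "$WORK/ca.pem" -crl_check "$WORK/nps.pem" >/dev/null 2>&1
}

build_chain
echo "OCSP URL: $(ocsp_url)"
echo "CDP URL : $(cdp_urls)"
echo "Hosts needing internal and external resolution: $(pki_hosts | tr '\n' ' ')"
if trust_only_verify; then echo "trust-only verify: OK"; fi
if revocation_verify_offline; then echo "crl_check: OK"; else echo "crl_check with no CRL reachable: fails (expected)"; fi
```

Run it as-is; the last two lines show a certificate that passes a pure trust check and fails a revocation check when the CRL cannot be fetched, and `pki_hosts` lists the names a split-DNS zone would need to carry if the same URLs are to work from both sides of the firewall.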

All replies

  • You need to have both the OCSP responder and the Web server hosting the CDP and AIA extensions available both internally and externally. Ideally, the same URL is used both internally and externally.
    Brian
    • Proposed as answer by Todd Heron Friday, September 30, 2016 4:13 PM
    • Marked as answer by Amy Wang_ Tuesday, October 11, 2016 2:57 PM
    • Unmarked as answer by slinkoff Monday, October 17, 2016 9:15 AM
    • Unproposed as answer by slinkoff Monday, October 17, 2016 9:15 AM
    Friday, September 30, 2016 1:24 PM
  • Hi,

    I am checking to see how things are going there on this issue.

    Please feel free to let us know if further assistance is required.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 3, 2016 7:18 AM
  • Thanks Brian, yes in general for external clients an externally resolvable OCSP/CDP/AIA is desirable and I am designing HTTP locations with split DNS in readiness for this, but there is a bit of config to do with regards to DMZ servers, file copies to the DMZ location etc. and I am trying to see if I can avoid actually doing that at this stage if the phones don't actually require it.

    The certs will get on the phones via an MDM profile payload and the MDM has a connector into on-prem AD and will have the CEP template given to it so it can act as an RA and mediate the certificates for the devices. It can then install the certs OTA.

    With this in mind, I'm not sure whether at any point in the process the phones will be doing any kind of cert validation that would require a connection to an externally facing OCSP responder/CDP.   How would it work if the phones didn't have a mobile network connection to get to the OCSP, i.e., they only had Wi-Fi capability?  How would they ever authenticate if they needed a wifi connection to get to anything?  Seems chicken and egg.

    I guess I'm unclear on where the certs are used.  The RADIUS/NPS server would validate the cert on the device against the internal OCSP/CDP but what about the phone?

    Thanks

    Thursday, October 13, 2016 8:48 AM
  • During the authentication, the RADIUS/NPS server presents its own certificate to the mobile device. The mobile phone would need to validate this certificate and access OCSP/CDP to do so.

    It is a mutual authentication.

    Mobile device (Client Authentication certificate) <-> RADIUS Server (Server Authentication certificate)

    As stated previously, you need to have both the OCSP responder and the Web server hosting the CDP and AIA extensions available both internally and externally. Ideally, the same URL is used both internally and externally.

    Brian

    Thursday, October 13, 2016 10:11 AM
  • I get what you are saying but this is what doesn't make sense.  How can the mobile device reach the OCSP/CDP if it doesn't have a network connection yet?!

    Since posting I've found this, which seems to confirm that the mobile device doesn't actually do a check:

    https://technet.microsoft.com/en-gb/library/bb457017.aspx

    Quote:

    Notice that the wireless client does not perform certificate revocation checking for the certificates in the certificate chain of the IAS server's computer certificate. The assumption is that the wireless client does not yet have a physical connection to the network, and therefore cannot access a Web page or other resource in order to check for certificate revocation.


    • Edited by slinkoff Thursday, October 13, 2016 1:00 PM working link
    Thursday, October 13, 2016 12:57 PM
  • Hi,

    I am trying to involve someone familiar with this topic. There might be some time delay. Appreciate your patience.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Amy Wang_ Tuesday, October 18, 2016 1:43 PM
    Tuesday, October 18, 2016 1:42 PM