Cisco Support Community
ASA 8.2(1) - DoD PKI CA Certs & OCSP

Hello all ... I am successful in getting my ASA to create SSL VPNs with AnyConnect (v2.4.1012) using DoD Common Access Cards (Smartcards). I cannot however successfully query the OCSP servers. I keep getting the same error:

OCSP status check failed. Reason: Failed to verify OCSP response.

OCSP status check failed. Reason: Signature could not be validated.

I have followed the guidelines offered by DoD and Cisco:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/product_implementation_design_guide0900aecd805fc1d0.html

I have checked 'Consider certificate valid if revocation information cannot be retrieved', applied a filter to only allow DoD Issued Certs access & tied login to AAA (LDAP - Active Directory) ... I still perform two-phase authentication by validating DoD issued certs and bounce the login credentials against our OU ... But I have no way of checking certificate revocation.

Any ideas?
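The two errors above ("Failed to verify OCSP response" / "Signature could not be validated") are the relying party refusing the response before it even looks at the revocation status. The following is an added illustration, not code from the original post or from Cisco: it builds a constructed, hypothetical test PKI with the Python `cryptography` library (assumed installed) and runs the same two checks a client performs, the signature over the response bytes and whether the responder's own certificate was issued by the CA of the certificate being checked. A responder whose certificate chains elsewhere fails the second check even though its signature is perfectly well-formed, which is the situation the ASA is reporting.

```python
import datetime
from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature
NOW = datetime.datetime.utcnow()  # naive UTC, which the builders accept

def make_cert(cn, issuer, issuer_key, key):
    # Constructed test certificate (hypothetical PKI); issuer=None means a self-signed root.
    name = x509.Name([x509.NameAttribute(x509.NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(NOW).not_valid_after(NOW + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

def signed_by(pubkey, sig, data, algo):  # RSA PKCS#1 v1.5, as this test PKI uses
    try:
        pubkey.verify(sig, data, padding.PKCS1v15(), algo)
        return True
    except InvalidSignature:
        return False

def verify_ocsp(resp, trusted_ca):
    # Relying-party checks: returns "good" or the name of the first check that fails.
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL or not resp.certificates:
        return "unusable-response"
    signer = resp.certificates[0]  # certificate of whoever signed this response
    if not signed_by(signer.public_key(), resp.signature, resp.tbs_response_bytes,
                     resp.signature_hash_algorithm):
        return "bad-response-signature"
    # The signer must itself be issued by the CA of the certificate under check.
    if signer.issuer != trusted_ca.subject or not signed_by(trusted_ca.public_key(),
            signer.signature, signer.tbs_certificate_bytes, signer.signature_hash_algorithm):
        return "signer-not-issued-by-trusted-ca"
    return "good" if resp.certificate_status == ocsp.OCSPCertStatus.GOOD else "revoked"

def sign_response(user, ca, responder, responder_key):
    # GOOD response for `user`, signed by `responder`, with the responder cert attached.
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=user, issuer=ca, algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                          next_update=None, revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.NAME, responder)
            .certificates([responder]).sign(responder_key, hashes.SHA256()))

def demo():
    ca_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(2))
    ca = make_cert("Test CA", None, ca_key, ca_key)
    user = make_cert("user", ca, ca_key, leaf_key)
    trusted = make_cert("OCSP", ca, ca_key, leaf_key)   # responder issued by the user's CA
    rogue = make_cert("OCSP", None, leaf_key, leaf_key)  # same key, but not issued by that CA
    return {name: verify_ocsp(sign_response(user, ca, r, leaf_key), ca)
            for name, r in (("trusted_responder", trusted), ("rogue_responder", rogue))}
```

Running `demo()` yields `good` for the responder issued by the user's CA and `signer-not-issued-by-trusted-ca` for the other, so the thing to confirm on the firewall side is that the certificate the DoD responder signs with actually chains to a CA the ASA trusts.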
