Cisco ISE and the Case for the "Unauthorized" Response from the Microsoft OCSP Online Responder


Nowadays the Online Certificate Status Protocol (OCSP) is preferred over CRL checking, and the Microsoft implementation (the Online Responder role) is the most commonly deployed responder.

If you add a new ISE OCSP Client Profile with the default options, you will unfortunately find that the integration between ISE and the Microsoft OCSP Online Responder does not work. In that case, even a client presenting a revoked certificate can connect to the network without any problems!

If you are sure the configuration on the Online Responder side is correct, one useful troubleshooting step is to capture the traffic between ISE and the Online Responder to see what is actually happening on the wire.

If you capture that traffic, you may see the Online Responder answering ISE's request with an "unauthorized" responseStatus:

According to Microsoft, the only situation in which the Online Responder answers with an "unauthorized" responseStatus is when the OCSP client includes a nonce extension (id-pkix-ocsp-nonce) in its OCSP request and the Online Responder does not support that functionality. As the first image shows, the "Enable NONCE Extension Support" option in the ISE OCSP Client Profile is enabled by default. But what is the nonce extension?

You can configure a nonce to be sent as part of the OCSP request. The nonce is a pseudo-random number included in the request; the responder copies it into its response, and the client verifies on receipt that the number in the response matches the one it sent. This helps prevent replay attacks, because an old response cannot be reused to answer a new request.

Now, on the responder side:

As you can see above, the "Enable NONCE extension support" option is disabled by default on the Online Responder. After enabling it, the responder answered with the expected response:
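The following is an added example, not code from the article, from Cisco or from Microsoft. It models the exchange described above with the third-party `cryptography` package: the client builds an OCSP request carrying the id-pkix-ocsp-nonce extension (what the ISE profile sends with "Enable NONCE Extension Support" on), and then judges the responder's answer the way a NAC client has to, so that a bare "unauthorized" responseStatus, a missing nonce or a nonce that does not match the request all count as failures rather than as a pass. The issuing CA, the endpoint certificate, the responses and the function names (`make_test_pki`, `build_request`, `build_response`, `evaluate_response`, `run_scenarios`) are all constructed for the example, so it runs offline without touching a real Online Responder.

```python
"""Added example: an OCSP client that sends the nonce extension and evaluates
the responder's answer fail-closed. Constructed test PKI, no network access."""
import datetime
import os

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

DER = serialization.Encoding.DER
NOW = datetime.datetime.now(datetime.timezone.utc)


def _cert(subject, issuer_name, public_key, signing_key, is_ca):
    """Constructed test certificate; only the fields OCSP needs are set."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject)]))
         .issuer_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, issuer_name)]))
         .public_key(public_key)
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW - datetime.timedelta(days=1))
         .not_valid_after(NOW + datetime.timedelta(days=30)))
    if is_ca:
        b = b.add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
    return b.sign(signing_key, hashes.SHA256())


def make_test_pki():
    """Self-signed issuing CA plus one endpoint certificate (constructed)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca_cert = _cert("Test Issuing CA", "Test Issuing CA", ca_key.public_key(), ca_key, True)
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    leaf_cert = _cert("endpoint01", "Test Issuing CA", leaf_key.public_key(), ca_key, False)
    return ca_key, ca_cert, leaf_cert


def build_request(leaf_cert, issuer_cert, use_nonce=True):
    """OCSP request for leaf_cert, optionally with id-pkix-ocsp-nonce."""
    builder = ocsp.OCSPRequestBuilder().add_certificate(leaf_cert, issuer_cert, hashes.SHA1())
    nonce = None
    if use_nonce:
        nonce = os.urandom(16)  # fresh pseudo-random value per request
        builder = builder.add_extension(x509.OCSPNonce(nonce), critical=False)
    return builder.build(), nonce


def build_response(ca_key, ca_cert, leaf_cert, status, echo_nonce=None):
    """Signed BasicOCSPResponse from the CA key; echo_nonce is what a responder
    with nonce support enabled copies back into its answer."""
    revoked = status == ocsp.OCSPCertStatus.REVOKED
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=leaf_cert, issuer=ca_cert, algorithm=hashes.SHA1(),
                             cert_status=status, this_update=NOW,
                             next_update=NOW + datetime.timedelta(hours=1),
                             revocation_time=NOW - datetime.timedelta(hours=2) if revoked else None,
                             revocation_reason=x509.ReasonFlags.key_compromise if revoked else None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, ca_cert))
    if echo_nonce is not None:
        builder = builder.add_extension(x509.OCSPNonce(echo_nonce), critical=False)
    return builder.sign(ca_key, hashes.SHA256())


def evaluate_response(response_der, sent_nonce, responder_public_key):
    """Client-side verdict: 'good' | 'revoked' | 'unknown' for a usable answer,
    otherwise the failure reason. Anything but 'good' must deny the endpoint."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return resp.response_status.name.lower()  # e.g. 'unauthorized': carries no status
    try:
        responder_public_key.verify(resp.signature, resp.tbs_response_bytes,
                                    padding.PKCS1v15(), resp.signature_hash_algorithm)
    except InvalidSignature:
        return "bad-signature"
    if sent_nonce is not None:
        try:
            echoed = resp.extensions.get_extension_for_class(x509.OCSPNonce).value.nonce
        except x509.ExtensionNotFound:
            return "nonce-missing"  # fail closed; accepting this is a policy choice
        if echoed != sent_nonce:
            return "nonce-mismatch"  # stale or replayed response
    return resp.certificate_status.name.lower()


def run_scenarios():
    """The exchanges worth comparing; returns scenario -> verdict."""
    ca_key, ca_cert, leaf_cert = make_test_pki()
    pub = ca_key.public_key()
    _, nonce = build_request(leaf_cert, ca_cert, use_nonce=True)
    # Responder with nonce support disabled: bare 'unauthorized', no certificate status inside.
    unauthorized = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
    # Nonce support enabled: the revoked status comes back with the nonce echoed.
    revoked_ok = build_response(ca_key, ca_cert, leaf_cert, ocsp.OCSPCertStatus.REVOKED, nonce)
    # A 'good' answer carrying some other nonce, i.e. a replayed earlier response.
    replayed = build_response(ca_key, ca_cert, leaf_cert, ocsp.OCSPCertStatus.GOOD, os.urandom(16))
    # Client profile with nonce support off: no nonce sent, so none is expected back.
    plain_good = build_response(ca_key, ca_cert, leaf_cert, ocsp.OCSPCertStatus.GOOD)
    return {
        "nonce_sent_responder_unsupported": evaluate_response(unauthorized.public_bytes(DER), nonce, pub),
        "nonce_sent_and_echoed": evaluate_response(revoked_ok.public_bytes(DER), nonce, pub),
        "nonce_sent_replay": evaluate_response(replayed.public_bytes(DER), nonce, pub),
        "no_nonce": evaluate_response(plain_good.public_bytes(DER), None, pub),
    }
```

Run `run_scenarios()` and the first entry is the situation from the capture: with the nonce sent and the responder's nonce support off, the verdict is "unauthorized", which is not a certificate status at all, so the endpoint must be denied. Once the nonce is echoed, the revoked status is visible and signed, and a response carrying a different nonce is rejected as a replay. Whether a client accepts a signed response that omits the nonce is a policy choice; this example fails closed.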
