Automatización de la revocación de certificados con OCSP y CRL en un entorno NAC

Esta guía de referencia técnica proporciona a los gerentes de TI y arquitectos de red un desglose completo de la automatización de la revocación de certificados en un entorno de Control de Acceso a la Red (NAC). Explora las compensaciones arquitectónicas entre OCSP y CRL, ofrece orientación de implementación neutral respecto al proveedor y describe el impacto empresarial de la aplicación de políticas en tiempo real.

📖 6 min read📝 1,437 words🔧 2 worked examples❓ 3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript

Automating Certificate Revocation with OCSP and CRL in a NAC Environment
A Purple Technical Briefing — Approximately 10 Minutes

---

INTRODUCTION AND CONTEXT — approximately 1 minute

Welcome to the Purple Technical Briefing series. I'm your host, and today we're getting into the mechanics of automating certificate revocation — specifically how OCSP and CRL work inside a Network Access Control environment, and why getting this right is one of the most overlooked security decisions in enterprise WiFi deployments.

If you're running a hotel chain, a retail estate, a stadium, or a public-sector network with hundreds or thousands of connected devices, certificate lifecycle management is not a nice-to-have. It is the difference between a network that enforces policy in real time and one that's quietly harbouring revoked credentials from devices that should have been cut off weeks ago.

We'll cover the technical architecture, walk through two real deployment scenarios, and finish with the questions your team should be asking before you go anywhere near a production rollout.

Let's get into it.

---

TECHNICAL DEEP-DIVE — approximately 5 minutes

First, let's establish the problem we're solving. In any IEEE 802.1X-authenticated network — which is the standard underpinning enterprise WiFi, wired NAC, and most modern guest access architectures — devices authenticate using either credentials or certificates. Certificates are preferable because they don't rely on shared secrets, they're device-bound, and they integrate cleanly with MDM platforms through protocols like SCEP. But certificates have a lifecycle. They expire, they get compromised, and devices get decommissioned. When any of those things happen, you need a mechanism to tell your network infrastructure: this certificate is no longer valid, stop trusting it.

That mechanism comes in two flavours: CRL, which stands for Certificate Revocation List, and OCSP, which stands for Online Certificate Status Protocol.

Let's start with CRL. A Certificate Revocation List is exactly what it sounds like — a signed list, published by your Certificate Authority, of every certificate serial number that has been revoked. Your NAC infrastructure — typically a RADIUS server like FreeRADIUS, Cisco ISE, or Aruba ClearPass — downloads this list periodically from a CRL Distribution Point, which is just an HTTP or LDAP endpoint. The RADIUS server caches the list locally and checks incoming certificate serial numbers against it during the EAP-TLS handshake.

The operational advantage of CRL is simplicity and offline resilience. Once the list is downloaded, revocation checking works even if your CA is unreachable. The disadvantage is latency. If you revoke a certificate at 9am and your CRL refresh interval is 24 hours, that device could still authenticate until the next scheduled download. In a high-security environment — a hospital, a financial services back office, a government network — that window is unacceptable.

OCSP solves the latency problem. Instead of maintaining a local cached list, your RADIUS server sends a real-time query to an OCSP Responder — a service that sits in front of your CA — for each certificate it needs to validate. The responder returns one of three answers: Good, Revoked, or Unknown. The entire exchange happens inline, during the EAP-TLS handshake, typically in under 100 milliseconds on a well-provisioned infrastructure.

The tradeoff with OCSP is availability dependency. If your OCSP Responder goes down, or if your RADIUS server can't reach it due to a network partition, you have a policy decision to make: do you fail open — allowing authentication to proceed — or fail closed — denying access until the responder is reachable? Fail open maintains uptime but creates a security gap. Fail closed maintains security posture but can lock out legitimate users during an infrastructure incident.

There's a third option worth knowing about: OCSP Stapling. In this model, the certificate holder — the client device — periodically fetches a signed OCSP response from the responder and attaches it to the TLS handshake. The RADIUS server validates the stapled response rather than making its own OCSP query. This reduces load on the OCSP Responder, eliminates the privacy concern of exposing certificate serials to an external service, and improves resilience. The downside is that not all EAP supplicants support stapling, so you need to verify client compatibility before relying on it.

Now, how does this fit into a NAC architecture? Your NAC policy engine — whether that's Cisco ISE, Aruba ClearPass, Juniper Mist, or an open-source stack built around FreeRADIUS and PacketFence — sits between the supplicant and the network. When a device attempts to connect, the RADIUS server receives the Access-Request, performs EAP-TLS negotiation, validates the client certificate chain, checks revocation status via OCSP or CRL, and then either issues an Access-Accept with a VLAN assignment or an Access-Reject.

The automation piece comes in at two levels. First, at the certificate issuance layer: your MDM platform — Jamf, Intune, Workspace ONE — uses SCEP to automatically provision certificates to managed devices. When a device is unenrolled or decommissioned, the MDM triggers a revocation call to the CA, which updates the CRL and notifies the OCSP Responder. Second, at the NAC enforcement layer: your RADIUS server is configured to query OCSP or refresh its CRL cache on a defined schedule, ensuring that revocation decisions propagate to access policy without manual intervention.

The critical integration point here is the CA-to-NAC communication pipeline. In a well-designed deployment, revocation is a fully automated chain: MDM decommissions device, triggers CA revocation, CA updates OCSP Responder and publishes new CRL, RADIUS server picks up the change — either immediately via OCSP or within the next CRL refresh window — and the device is denied access on its next authentication attempt.

---

IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes

Let me give you the practical guidance that saves deployments from going sideways.

First: define your revocation latency tolerance before you choose your mechanism. If you're running a hotel guest WiFi network where the primary risk is a decommissioned staff device, a 4-hour CRL refresh interval is probably fine. If you're running a healthcare network where a compromised device could access patient data, you want OCSP with fail-closed policy and a highly available responder cluster.

Second: do not run a single OCSP Responder in production. Deploy at minimum two, behind a load balancer, with health monitoring. An OCSP Responder outage that causes fail-closed behaviour will generate support tickets faster than almost any other infrastructure failure.

Third: watch your CRL size. In large deployments — we're talking tens of thousands of certificates — CRL files can grow to several megabytes. A RADIUS server downloading a 5MB CRL every hour across a WAN link is a throughput problem waiting to happen. Consider delta CRLs, which only contain changes since the last full CRL, or migrate to OCSP for high-volume environments.

Fourth: test your revocation pipeline regularly. It's not enough to configure OCSP and assume it works. Automate a monthly test: issue a certificate, revoke it, attempt authentication, verify rejection. If your monitoring doesn't catch a broken OCSP Responder, your revocation mechanism is theatre.

Fifth: align your certificate validity periods with your revocation strategy. Short-lived certificates — 24 to 72 hours — reduce the window of exposure for compromised credentials and can reduce your dependency on revocation infrastructure entirely. This is the direction the industry is moving, and it's worth evaluating for new deployments.

---

RAPID-FIRE Q AND A — approximately 1 minute

Question: Can I use both OCSP and CRL simultaneously?

Yes. Most RADIUS implementations support a fallback chain: try OCSP first, fall back to CRL if the responder is unreachable. This gives you real-time checking under normal conditions and offline resilience during outages.

Question: Does Purple's guest WiFi platform integrate with certificate-based NAC?

Purple's platform operates at the guest access layer, handling captive portal authentication, data capture, and analytics. For enterprise staff networks running 802.1X with certificate authentication, Purple integrates with the underlying network infrastructure — the access points, controllers, and RADIUS servers — rather than replacing the certificate management stack. The guest and staff networks are typically segmented, with different authentication mechanisms appropriate to each.

Question: What's the compliance angle?

PCI DSS 4.0 requires that access to cardholder data environments uses strong authentication. GDPR requires appropriate technical measures to protect personal data. Both frameworks are satisfied by certificate-based 802.1X with automated revocation — provided you can demonstrate that revocation is timely and tested. Your audit trail needs to show when certificates were revoked and when that revocation propagated to network enforcement.

---

SUMMARY AND NEXT STEPS — approximately 1 minute

To bring this together: automating certificate revocation in a NAC environment is a three-layer problem. You need a CA that supports automated revocation triggers, an OCSP Responder or CRL Distribution Point that's highly available and properly sized, and a RADIUS server configured to enforce revocation status as part of its access policy.

The choice between OCSP and CRL is not binary — it's a risk-tolerance decision that should be made in the context of your environment's security requirements, network topology, and operational maturity.

If you're building or reviewing a NAC deployment and want to understand how Purple's guest WiFi and analytics platform fits into the broader network architecture, the links in the show notes will take you to the relevant technical guides.

Thanks for listening. We'll see you in the next briefing.

---
END OF SCRIPT

Key Takeaways

✓Certificate revocation is essential for 802.1X networks to prevent compromised or decommissioned devices from maintaining access.
✓CRL (Certificate Revocation List) provides offline resilience but introduces latency between revocation and enforcement.
✓OCSP (Online Certificate Status Protocol) enables real-time revocation checking but requires highly available responder infrastructure.
✓Automation requires integrating your MDM platform to trigger revocation API calls to the Certificate Authority upon device decommissioning.
✓Enterprise deployments should use a hybrid approach: OCSP for real-time primary checks, with a cached CRL as a resilient fallback.
✓The decision to 'Fail Open' or 'Fail Closed' during an infrastructure outage is a critical business risk decision, not just an IT configuration.
✓Robust corporate NAC architectures complement public-facing guest WiFi platforms, ensuring comprehensive security across all network segments.

Resumen Ejecutivo

Para los directores de TI empresariales y arquitectos de red que gestionan entornos de alta densidad —como establecimientos de Hostelería , propiedades Minoristas y despliegues en el sector público— la gestión del ciclo de vida de los certificados es una frontera de seguridad crítica. Si bien IEEE 802.1X proporciona una autenticación robusta para dispositivos corporativos y BYOD, el mecanismo por el cual se revoca la confianza a menudo se pasa por alto hasta que ocurre una brecha.

La automatización de la revocación de certificados con el Protocolo de Estado de Certificado en Línea (OCSP) y las Listas de Revocación de Certificados (CRL) dentro de un entorno de Control de Acceso a la Red (NAC) cierra la brecha entre la deshabilitación de puntos finales y la aplicación de políticas de red. Esta guía explora la mecánica arquitectónica de la revocación automatizada, comparando las capacidades en tiempo real de OCSP con la resiliencia sin conexión de CRL.

Al integrar su plataforma de Gestión de Dispositivos Móviles (MDM), Autoridad de Certificación (CA) y motor de políticas NAC, las organizaciones pueden lograr un acceso a la red de confianza cero donde los dispositivos comprometidos o deshabilitados son denegados instantáneamente. Esta referencia técnica proporciona orientación de despliegue accionable, estrategias de mitigación de riesgos y explora cómo esta postura de seguridad orientada al personal complementa la infraestructura de cara al público como las plataformas Guest WiFi y WiFi Analytics de Purple.

Análisis Técnico Detallado

En cualquier red empresarial que utilice IEEE 802.1X con EAP-TLS, los dispositivos se autentican utilizando certificados digitales en lugar de credenciales compartidas. Este enfoque es fundamental para las arquitecturas de seguridad modernas, proporcionando una identidad vinculada al dispositivo que se integra sin problemas con las plataformas MDM a través de protocolos como SCEP (para más información, consulte El papel de SCEP y NAC en la infraestructura MDM moderna ). Sin embargo, los certificados tienen un ciclo de vida definido. Cuando un dispositivo se pierde, un usuario es despedido o una clave privada se ve comprometida, la infraestructura de red debe ser instruida explícitamente para dejar de confiar en ese certificado.

Esta instrucción de revocación se entrega a través de dos mecanismos principales: CRL y OCSP.

Arquitectura de la Lista de Revocación de Certificados (CRL)

Una CRL es un archivo firmado digitalmente publicado por la Autoridad de Certificación que contiene los números de serie de todos los certificados revocados que aún no han caducado. El motor de políticas NAC (actuando como servidor RADIUS) descarga periódicamente esta lista desde un Punto de Distribución de CRL (CDP) a través de HTTP o LDAP.

Durante el handshake EAP-TLS, el servidor RADIUS verifica el número de serie del certificado de cliente entrante contra su CRL almacenada localmente. Si el número de serie está presente, la autenticación es rechazada.

Características Arquitectónicas:

Resiliencia sin conexión: Debido a que el servidor RADIUS almacena en caché la CRL, la verificación de revocación continúa incluso si la CA o el CDP se vuelven inalcanzables.
Latencia: El principal inconveniente es la latencia entre la revocación y la aplicación. Si un certificado se revoca a las 09:00 y el intervalo de actualización de la CRL es de 24 horas, el dispositivo comprometido mantiene el acceso a la red hasta la siguiente descarga.
Sobrecarga de rendimiento: En entornos con decenas de miles de certificados, los archivos CRL pueden crecer hasta varios megabytes, creando una tensión en el ancho de banda durante los ciclos de actualización.

Arquitectura del Protocolo de Estado de Certificado en Línea (OCSP)

OCSP aborda las limitaciones de latencia de CRL al permitir la verificación de revocación en tiempo real. En lugar de descargar una lista completa, el servidor RADIUS envía una consulta dirigida que contiene el número de serie del certificado a un respondedor OCSP. El respondedor devuelve un estado firmado: Bueno, Revocado o Desconocido.

Características Arquitectónicas:

Aplicación en tiempo real: Las decisiones de revocación se propagan instantáneamente. Una vez que la CA actualiza el respondedor OCSP, el siguiente intento de autenticación por parte del dispositivo comprometido fallará.
Dependencia de disponibilidad: El motor de políticas NAC depende de que el respondedor OCSP tenga una alta disponibilidad. Si el respondedor es inalcanzable, el administrador de red debe definir una política de fallo: "fallo abierto" (permitir el acceso, comprometiendo la seguridad) o "fallo cerrado" (denegar el acceso, comprometiendo la disponibilidad).
OCSP Stapling: Para mitigar la carga y las preocupaciones de privacidad, OCSP Stapling permite al dispositivo cliente obtener la respuesta OCSP firmada y adjuntarla al handshake TLS, aunque el soporte del suplicante varía.

Integración con plataformas de invitados y análisis

Mientras que OCSP y CRL gestionan los rigurosos requisitos de seguridad de los dispositivos del personal y corporativos, las redes de cara al público requieren arquitecturas diferentes. Para los espacios públicos, integrar un NAC robusto para el personal con una plataforma pública dedicada como Purple garantiza una cobertura completa. La plataforma de Purple gestiona la autenticación del Captive Portal, la aceptación de los términos de servicio y la captura de datos para el segmento público, mientras que la infraestructura de red subyacente (a menudo los mismos puntos de acceso físicos y switches) aplica 802.1X y OCSP para los SSID corporativos. Comprender el entorno de radio es crucial para ambos segmentos; consulte Frecuencias Wi-Fi: Una guía de frecuencias Wi-Fi en 2026 para la planificación del espectro.

Guía de Implementación

El despliegue de la revocación automatizada de certificados requiere coordinación entre los dominios PKI, MDM y NAC. Siga estos pasos de implementación neutrales respecto al proveedor para establecer un pipeline de revocación resiliente.

Paso 1: Definir el Disparador de Revocación

La automatización comienza en la capa de gestión de puntos finales. Configure su plataforma MDM (por ejemplo, Microsoft Intune, Jamf Pro) para activar una llamada a la API de revocación a su Autoridad de Certificación cuando se cumplan condiciones específicas:

Dispositivo dado de baja del MDM
Dispositivo marcado como no conforme
Cuenta de usuario deshabilitada en el servicio de directorio

Paso 2: Configurar la infraestructura de revocación

Para implementaciones de CRL:

Configure la CA para publicar la CRL en un CDP de alta disponibilidad (por ejemplo, un servidor web interno con balanceo de carga).
Establezca el intervalo de publicación de la CRL en función de su tolerancia al riesgo (por ejemplo, cada 4 horas).
Configure el servidor RADIUS para obtener la CRL en un intervalo ligeramente más corto que el intervalo de publicación para asegurar que la caché esté siempre actualizada.

Para implementaciones de OCSP:

Implemente al menos dos respondedores OCSP detrás de un balanceador de carga para asegurar una alta disponibilidad.
Configure la CA para enviar actualizaciones de revocación a los respondedores OCSP de inmediato.
Configure el servidor RADIUS para consultar la IP virtual OCSP con balanceo de carga durante la autenticación EAP-TLS.

Paso 3: Establecer la política de respaldo

No dependa de un solo mecanismo. Configure su servidor RADIUS para usar OCSP como verificación de revocación principal, con un respaldo a una CRL almacenada en caché localmente si el respondedor OCSP no es accesible. Esto proporciona una aplicación en tiempo real en condiciones normales y resiliencia sin conexión durante interrupciones de infraestructura.

Paso 4: Definir el comportamiento ante fallos

Si tanto OCSP como la CRL en caché no están disponibles, el servidor RADIUS debe decidir cómo manejar la solicitud de autenticación.

Entornos de alta seguridad (por ejemplo, Sanidad ): Configure "fail closed". Deniegue el acceso para evitar que se conecten dispositivos potencialmente comprometidos.
Entornos estándar (por ejemplo, centros de Transporte ): Configure "fail open" con alertas. Permita el acceso para mantener la continuidad operativa, pero genere una alerta de alta prioridad para el SOC.

Mejores prácticas

Implementar CRLs Delta: Si depende de CRLs en un entorno grande, implemente CRLs Delta. Estos archivos contienen solo los cambios de revocación desde la publicación de la última CRL Base completa, lo que reduce significativamente el tamaño de descarga y el consumo de ancho de banda.
Monitorizar la latencia de OCSP: Las consultas OCSP se producen en línea durante el handshake EAP-TLS. Si el respondedor OCSP tarda 500 ms en responder, la autenticación se retrasa 500 ms. Monitorice la latencia del respondedor y escale horizontalmente si los tiempos de respuesta se degradan.
Certificados de corta duración: Considere reducir los períodos de validez de los certificados (por ejemplo, de 1 año a 7 días) mediante la renovación automatizada SCEP/EST. Los certificados de corta duración caducan rápidamente de forma natural, lo que reduce la dependencia de una infraestructura de revocación robusta.
Alinear con la estrategia de red más amplia: Asegúrese de que su implementación de NAC se alinee con su arquitectura de red de área amplia. Para obtener información sobre el diseño WAN moderno, consulte SD WAN vs MPLS: La guía de red empresarial de 2026 .

Solución de problemas y mitigación de riesgos

El modo de fallo más común en la revocación automatizada es una interrupción en la tubería CA-a-NAC que resulta en un evento de "fail closed" que bloquea a los usuarios legítimos.

Riesgo: Interrupción del respondedor OCSP Mitigación: Implemente respondedores en un clúster activo-activo a través de múltiples dominios de fallo. Implemente comprobaciones de estado exhaustivas en el balanceador de carga que verifiquen la capacidad del respondedor para consultar la base de datos de la CA, no solo la disponibilidad del puerto TCP 80.

Riesgo: Caché CRL obsoleta Mitigación: Los servidores RADIUS pueden fallar al descargar la última CRL debido a particiones de red o interrupciones de CDP. Implemente una monitorización que alerte si la CRL almacenada en caché localmente es más antigua que el intervalo de publicación definido.

Riesgo: Revocación MDM incompleta Mitigación: Si el MDM no logra activar la llamada de revocación a la CA, el certificado sigue siendo válido. Implemente un script de conciliación que compare periódicamente la lista de dispositivos activos del MDM con la lista de certificados válidos de la CA, revocando automáticamente cualquier discrepancia.

ROI e impacto empresarial

La automatización de la revocación de certificados transforma la seguridad de un proceso reactivo y manual en un mecanismo de defensa proactivo y automatizado.

Reducción de riesgos: Al eliminar la ventana de exposición entre el compromiso del dispositivo y el aislamiento de la red, las organizaciones reducen significativamente el riesgo de movimiento lateral y exfiltración de datos. Esto es crucial para mantener el cumplimiento con marcos como PCI DSS y GDPR.
Eficiencia operativa: La automatización de la tubería de revocación elimina la necesidad de que el personal de soporte actualice manualmente las configuraciones RADIUS o las bases de datos de la CA cuando un empleado se marcha, ahorrando cientos de horas anualmente en grandes empresas.
Estrategia de acceso unificado: Un entorno NAC robusto para dispositivos corporativos permite a los equipos de TI implementar con confianza servicios paralelos, como el guest WiFi basado en análisis de Purple o los servicios basados en ubicación (consulte BLE Low Energy Explained for Enterprise ), sabiendo que la infraestructura central es segura.

Escuche nuestro informe técnico sobre este tema a continuación:

Key Definitions

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

The most secure standard for 802.1X network authentication, requiring both the client and the server to present digital certificates to prove their identity.

IT teams deploy EAP-TLS to eliminate the risks associated with password-based authentication, ensuring only managed, certificate-bearing devices can connect to the corporate network.

OCSP (Online Certificate Status Protocol)

An internet protocol used for obtaining the revocation status of an X.509 digital certificate in real-time.

Crucial for environments requiring immediate enforcement of access policies, such as when an employee is terminated and their device must be instantly disconnected.

CRL (Certificate Revocation List)

A periodically published, digitally signed list of certificate serial numbers that have been revoked by the issuing Certificate Authority.

Used as a primary revocation mechanism in offline or air-gapped networks, or as a highly resilient fallback mechanism for OCSP.

OCSP Stapling

A mechanism where the client device fetches its own OCSP response and 'staples' it to the TLS handshake, presenting it to the RADIUS server.

Reduces the load on the RADIUS server and OCSP Responder, and improves privacy by preventing the CA from seeing exactly when and where a device is authenticating.

Delta CRL

A smaller revocation list containing only the certificates revoked since the last full Base CRL was published.

Essential for large deployments to prevent network congestion, as full CRLs can become massive and consume significant bandwidth during refresh cycles.

CDP (CRL Distribution Point)

The location, typically an HTTP or LDAP URL, where the Certificate Authority publishes the CRL for clients and RADIUS servers to download.

IT teams must ensure the CDP is highly available and reachable from all NAC policy engines; if the CDP goes down, the RADIUS servers cannot update their caches.

Fail Open / Fail Closed

The policy decision dictating what happens when the revocation infrastructure (OCSP or CDP) is unreachable. Fail Open allows access; Fail Closed denies access.

A critical business decision balancing security posture against operational uptime. Requires sign-off from both IT operations and the CISO.

SCEP (Simple Certificate Enrollment Protocol)

A protocol used by MDM platforms to automate the issuance of digital certificates to managed devices without user intervention.

The starting point of the automated lifecycle. SCEP issues the certificate, and the MDM later triggers the CA to revoke it when the device is retired.

Worked Examples

A 500-bed hospital network is migrating from credential-based 802.1X to certificate-based EAP-TLS for all medical IoT devices and staff laptops. The CISO mandates that if a device is reported stolen, its network access must be terminated within 5 minutes. The network team is concerned about the RADIUS server load if it has to constantly query external services. How should the revocation architecture be designed?

The hospital must deploy OCSP to meet the 5-minute revocation SLA, as CRL refresh intervals cannot reliably meet this target without causing severe network overhead. To address the network team's load concerns, the architecture should implement OCSP Responders locally within the hospital's data centre, positioned close to the RADIUS servers to minimise latency. The RADIUS servers should be configured to query the local OCSP VIP. To ensure resilience, the RADIUS servers must be configured with a fallback to a locally cached CRL, updated hourly. The failure policy must be set to 'fail closed' due to the healthcare environment's strict compliance requirements.

Examiner's Commentary: This approach correctly balances the strict security requirement (5-minute SLA) with operational stability. By localising the OCSP Responders, the design mitigates latency and WAN dependency. The inclusion of a CRL fallback demonstrates a mature understanding of high-availability design, ensuring that a temporary OCSP outage does not immediately trigger the 'fail closed' policy and disrupt clinical operations.

A global retail chain with 1,200 stores uses SCEP to provision certificates to point-of-sale (POS) tablets. The stores have limited WAN bandwidth. The IT director wants to implement certificate revocation but is concerned that downloading large CRL files across 1,200 branch RADIUS servers will saturate the WAN links. What is the optimal deployment strategy?

The retail chain should implement a hybrid approach utilising Delta CRLs and OCSP Stapling. First, the CA should be configured to publish a Base CRL weekly and a Delta CRL (containing only recent revocations) every 4 hours. The branch RADIUS servers will only download the small Delta CRLs during the day, minimising WAN impact. Alternatively, if the POS tablets' EAP supplicants support it, OCSP Stapling should be enabled. This shifts the burden of fetching the OCSP response from the branch RADIUS server to the tablet itself, which can fetch the response directly from the central CA over standard HTTPS, bypassing the RADIUS server's processing overhead entirely.

Examiner's Commentary: This solution effectively addresses the specific constraint: WAN bandwidth at the edge. Recommending Delta CRLs is the standard industry practice for this scenario. The secondary recommendation of OCSP Stapling shows advanced knowledge of EAP-TLS mechanics, though the caveat regarding supplicant support is crucial, as many legacy IoT or POS devices do not support stapling.

Practice Questions

Q1. Your organisation is deploying 802.1X across 50 remote branch offices. The WAN links to the central data centre are highly congested and frequently drop packets. You need to implement certificate revocation for the branch corporate laptops. Which architecture should you choose?

Hint: Consider the impact of packet loss on real-time protocols versus the resilience of cached data.

View model answer

You should implement a CRL-based architecture, specifically using Base and Delta CRLs. Because the WAN links are congested and unreliable, real-time OCSP queries will frequently time out, causing authentication delays or failures. By configuring the branch RADIUS servers to download and cache Delta CRLs during off-peak hours, the local RADIUS server can perform revocation checks instantly against its cache, even if the WAN link drops entirely during the authentication attempt.

Q2. A security audit reveals that when your primary OCSP Responder goes offline for maintenance, all corporate users are completely locked out of the WiFi network. The business demands that maintenance should not impact user connectivity, but the CISO refuses to change the policy to 'Fail Open'. How do you resolve this?

Hint: If you cannot change the failure policy, you must change the availability of the service.

View model answer

You must implement high availability for the OCSP service. Deploy at least one additional OCSP Responder and place both behind a load balancer. Configure the RADIUS server to query the load balancer's Virtual IP (VIP). During maintenance, you can drain connections from the primary responder, take it offline, and the load balancer will seamlessly route all OCSP queries to the secondary responder, satisfying both the business uptime requirement and the CISO's 'Fail Closed' mandate.

Q3. You have configured your MDM to automatically revoke certificates when a device is marked as 'lost'. You test the system by marking a test iPad as lost. The MDM confirms the revocation, but 10 minutes later, the iPad successfully connects to the corporate WiFi. The RADIUS server is configured to use a CRL published every 24 hours. What is the root cause and how do you fix it?

Hint: Trace the timeline of the revocation data from the CA to the RADIUS server's enforcement engine.

View model answer

The root cause is latency in the CRL publication and refresh cycle. While the MDM successfully told the CA to revoke the certificate, the CA will not publish that updated status to the CRL Distribution Point until the next 24-hour cycle, and the RADIUS server will not download it until its own cache expires. To fix this, you must either migrate to OCSP for real-time checking, or drastically reduce the CRL publication and download intervals (e.g., to 1 hour) to meet your required enforcement timeline.