NAC वातावरण में OCSP और CRL के साथ प्रमाणपत्र निरस्तीकरण को स्वचालित करना

Automating Certificate Revocation with OCSP and CRL in a NAC Environment A Purple Technical Briefing — Approximately 10 Minutes --- INTRODUCTION AND CONTEXT — approximately 1 minute Welcome to the Purple Technical Briefing series. I'm your host, and today we're getting into the mechanics of automating certificate revocation — specifically how OCSP and CRL work inside a Network Access Control environment, and why getting this right is one of the most overlooked security decisions in enterprise WiFi deployments. If you're running a hotel chain, a retail estate, a stadium, or a public-sector network with hundreds or thousands of connected devices, certificate lifecycle management is not a nice-to-have. It is the difference between a network that enforces policy in real time and one that's quietly harbouring revoked credentials from devices that should have been cut off weeks ago. We'll cover the technical architecture, walk through two real deployment scenarios, and finish with the questions your team should be asking before you go anywhere near a production rollout. Let's get into it. --- TECHNICAL DEEP-DIVE — approximately 5 minutes First, let's establish the problem we're solving. In any IEEE 802.1X-authenticated network — which is the standard underpinning enterprise WiFi, wired NAC, and most modern guest access architectures — devices authenticate using either credentials or certificates. Certificates are preferable because they don't rely on shared secrets, they're device-bound, and they integrate cleanly with MDM platforms through protocols like SCEP. But certificates have a lifecycle. They expire, they get compromised, and devices get decommissioned. When any of those things happen, you need a mechanism to tell your network infrastructure: this certificate is no longer valid, stop trusting it. That mechanism comes in two flavours: CRL, which stands for Certificate Revocation List, and OCSP, which stands for Online Certificate Status Protocol. Let's start with CRL. A Certificate Revocation List is exactly what it sounds like — a signed list, published by your Certificate Authority, of every certificate serial number that has been revoked. Your NAC infrastructure — typically a RADIUS server like FreeRADIUS, Cisco ISE, or Aruba ClearPass — downloads this list periodically from a CRL Distribution Point, which is just an HTTP or LDAP endpoint. The RADIUS server caches the list locally and checks incoming certificate serial numbers against it during the EAP-TLS handshake. The operational advantage of CRL is simplicity and offline resilience. Once the list is downloaded, revocation checking works even if your CA is unreachable. The disadvantage is latency. If you revoke a certificate at 9am and your CRL refresh interval is 24 hours, that device could still authenticate until the next scheduled download. In a high-security environment — a hospital, a financial services back office, a government network — that window is unacceptable. OCSP solves the latency problem. Instead of maintaining a local cached list, your RADIUS server sends a real-time query to an OCSP Responder — a service that sits in front of your CA — for each certificate it needs to validate. The responder returns one of three answers: Good, Revoked, or Unknown. The entire exchange happens inline, during the EAP-TLS handshake, typically in under 100 milliseconds on a well-provisioned infrastructure. The tradeoff with OCSP is availability dependency. If your OCSP Responder goes down, or if your RADIUS server can't reach it due to a network partition, you have a policy decision to make: do you fail open — allowing authentication to proceed — or fail closed — denying access until the responder is reachable? Fail open maintains uptime but creates a security gap. Fail closed maintains security posture but can lock out legitimate users during an infrastructure incident. There's a third option worth knowing about: OCSP Stapling. In this model, the certificate holder — the client device — periodically fetches a signed OCSP response from the responder and attaches it to the TLS handshake. The RADIUS server validates the stapled response rather than making its own OCSP query. This reduces load on the OCSP Responder, eliminates the privacy concern of exposing certificate serials to an external service, and improves resilience. The downside is that not all EAP supplicants support stapling, so you need to verify client compatibility before relying on it. Now, how does this fit into a NAC architecture? Your NAC policy engine — whether that's Cisco ISE, Aruba ClearPass, Juniper Mist, or an open-source stack built around FreeRADIUS and PacketFence — sits between the supplicant and the network. When a device attempts to connect, the RADIUS server receives the Access-Request, performs EAP-TLS negotiation, validates the client certificate chain, checks revocation status via OCSP or CRL, and then either issues an Access-Accept with a VLAN assignment or an Access-Reject. The automation piece comes in at two levels. First, at the certificate issuance layer: your MDM platform — Jamf, Intune, Workspace ONE — uses SCEP to automatically provision certificates to managed devices. When a device is unenrolled or decommissioned, the MDM triggers a revocation call to the CA, which updates the CRL and notifies the OCSP Responder. Second, at the NAC enforcement layer: your RADIUS server is configured to query OCSP or refresh its CRL cache on a defined schedule, ensuring that revocation decisions propagate to access policy without manual intervention. The critical integration point here is the CA-to-NAC communication pipeline. In a well-designed deployment, revocation is a fully automated chain: MDM decommissions device, triggers CA revocation, CA updates OCSP Responder and publishes new CRL, RADIUS server picks up the change — either immediately via OCSP or within the next CRL refresh window — and the device is denied access on its next authentication attempt. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes Let me give you the practical guidance that saves deployments from going sideways. First: define your revocation latency tolerance before you choose your mechanism. If you're running a hotel guest WiFi network where the primary risk is a decommissioned staff device, a 4-hour CRL refresh interval is probably fine. If you're running a healthcare network where a compromised device could access patient data, you want OCSP with fail-closed policy and a highly available responder cluster. Second: do not run a single OCSP Responder in production. Deploy at minimum two, behind a load balancer, with health monitoring. An OCSP Responder outage that causes fail-closed behaviour will generate support tickets faster than almost any other infrastructure failure. Third: watch your CRL size. In large deployments — we're talking tens of thousands of certificates — CRL files can grow to several megabytes. A RADIUS server downloading a 5MB CRL every hour across a WAN link is a throughput problem waiting to happen. Consider delta CRLs, which only contain changes since the last full CRL, or migrate to OCSP for high-volume environments. Fourth: test your revocation pipeline regularly. It's not enough to configure OCSP and assume it works. Automate a monthly test: issue a certificate, revoke it, attempt authentication, verify rejection. If your monitoring doesn't catch a broken OCSP Responder, your revocation mechanism is theatre. Fifth: align your certificate validity periods with your revocation strategy. Short-lived certificates — 24 to 72 hours — reduce the window of exposure for compromised credentials and can reduce your dependency on revocation infrastructure entirely. This is the direction the industry is moving, and it's worth evaluating for new deployments. --- RAPID-FIRE Q AND A — approximately 1 minute Question: Can I use both OCSP and CRL simultaneously? Yes. Most RADIUS implementations support a fallback chain: try OCSP first, fall back to CRL if the responder is unreachable. This gives you real-time checking under normal conditions and offline resilience during outages. Question: Does Purple's guest WiFi platform integrate with certificate-based NAC? Purple's platform operates at the guest access layer, handling captive portal authentication, data capture, and analytics. For enterprise staff networks running 802.1X with certificate authentication, Purple integrates with the underlying network infrastructure — the access points, controllers, and RADIUS servers — rather than replacing the certificate management stack. The guest and staff networks are typically segmented, with different authentication mechanisms appropriate to each. Question: What's the compliance angle? PCI DSS 4.0 requires that access to cardholder data environments uses strong authentication. GDPR requires appropriate technical measures to protect personal data. Both frameworks are satisfied by certificate-based 802.1X with automated revocation — provided you can demonstrate that revocation is timely and tested. Your audit trail needs to show when certificates were revoked and when that revocation propagated to network enforcement. --- SUMMARY AND NEXT STEPS — approximately 1 minute To bring this together: automating certificate revocation in a NAC environment is a three-layer problem. You need a CA that supports automated revocation triggers, an OCSP Responder or CRL Distribution Point that's highly available and properly sized, and a RADIUS server configured to enforce revocation status as part of its access policy. The choice between OCSP and CRL is not binary — it's a risk-tolerance decision that should be made in the context of your environment's security requirements, network topology, and operational maturity. If you're building or reviewing a NAC deployment and want to understand how Purple's guest WiFi and analytics platform fits into the broader network architecture, the links in the show notes will take you to the relevant technical guides. Thanks for listening. We'll see you in the next briefing. --- END OF SCRIPT