Skip to main content
Português
Preços

Automatizar a Revogação de Certificados com OCSP e CRL num Ambiente NAC

Este guia de referência técnica fornece a gestores de TI e arquitetos de rede uma análise abrangente da automatização da revogação de certificados num ambiente de Network Access Control (NAC). Explora as compensações arquitetónicas entre OCSP e CRL, oferece orientação de implementação neutra em relação a fornecedores e descreve o impacto comercial da aplicação de políticas em tempo real.

📖 6 min read📝 1,437 words🔧 2 worked examples3 practice questions📚 8 key definitions

Listen to this guide

View podcast transcript
Automating Certificate Revocation with OCSP and CRL in a NAC Environment A Purple Technical Briefing — Approximately 10 Minutes --- INTRODUCTION AND CONTEXT — approximately 1 minute Welcome to the Purple Technical Briefing series. I'm your host, and today we're getting into the mechanics of automating certificate revocation — specifically how OCSP and CRL work inside a Network Access Control environment, and why getting this right is one of the most overlooked security decisions in enterprise WiFi deployments. If you're running a hotel chain, a retail estate, a stadium, or a public-sector network with hundreds or thousands of connected devices, certificate lifecycle management is not a nice-to-have. It is the difference between a network that enforces policy in real time and one that's quietly harbouring revoked credentials from devices that should have been cut off weeks ago. We'll cover the technical architecture, walk through two real deployment scenarios, and finish with the questions your team should be asking before you go anywhere near a production rollout. Let's get into it. --- TECHNICAL DEEP-DIVE — approximately 5 minutes First, let's establish the problem we're solving. In any IEEE 802.1X-authenticated network — which is the standard underpinning enterprise WiFi, wired NAC, and most modern guest access architectures — devices authenticate using either credentials or certificates. Certificates are preferable because they don't rely on shared secrets, they're device-bound, and they integrate cleanly with MDM platforms through protocols like SCEP. But certificates have a lifecycle. They expire, they get compromised, and devices get decommissioned. When any of those things happen, you need a mechanism to tell your network infrastructure: this certificate is no longer valid, stop trusting it. That mechanism comes in two flavours: CRL, which stands for Certificate Revocation List, and OCSP, which stands for Online Certificate Status Protocol. Let's start with CRL. A Certificate Revocation List is exactly what it sounds like — a signed list, published by your Certificate Authority, of every certificate serial number that has been revoked. Your NAC infrastructure — typically a RADIUS server like FreeRADIUS, Cisco ISE, or Aruba ClearPass — downloads this list periodically from a CRL Distribution Point, which is just an HTTP or LDAP endpoint. The RADIUS server caches the list locally and checks incoming certificate serial numbers against it during the EAP-TLS handshake. The operational advantage of CRL is simplicity and offline resilience. Once the list is downloaded, revocation checking works even if your CA is unreachable. The disadvantage is latency. If you revoke a certificate at 9am and your CRL refresh interval is 24 hours, that device could still authenticate until the next scheduled download. In a high-security environment — a hospital, a financial services back office, a government network — that window is unacceptable. OCSP solves the latency problem. Instead of maintaining a local cached list, your RADIUS server sends a real-time query to an OCSP Responder — a service that sits in front of your CA — for each certificate it needs to validate. The responder returns one of three answers: Good, Revoked, or Unknown. The entire exchange happens inline, during the EAP-TLS handshake, typically in under 100 milliseconds on a well-provisioned infrastructure. The tradeoff with OCSP is availability dependency. If your OCSP Responder goes down, or if your RADIUS server can't reach it due to a network partition, you have a policy decision to make: do you fail open — allowing authentication to proceed — or fail closed — denying access until the responder is reachable? Fail open maintains uptime but creates a security gap. Fail closed maintains security posture but can lock out legitimate users during an infrastructure incident. There's a third option worth knowing about: OCSP Stapling. In this model, the certificate holder — the client device — periodically fetches a signed OCSP response from the responder and attaches it to the TLS handshake. The RADIUS server validates the stapled response rather than making its own OCSP query. This reduces load on the OCSP Responder, eliminates the privacy concern of exposing certificate serials to an external service, and improves resilience. The downside is that not all EAP supplicants support stapling, so you need to verify client compatibility before relying on it. Now, how does this fit into a NAC architecture? Your NAC policy engine — whether that's Cisco ISE, Aruba ClearPass, Juniper Mist, or an open-source stack built around FreeRADIUS and PacketFence — sits between the supplicant and the network. When a device attempts to connect, the RADIUS server receives the Access-Request, performs EAP-TLS negotiation, validates the client certificate chain, checks revocation status via OCSP or CRL, and then either issues an Access-Accept with a VLAN assignment or an Access-Reject. The automation piece comes in at two levels. First, at the certificate issuance layer: your MDM platform — Jamf, Intune, Workspace ONE — uses SCEP to automatically provision certificates to managed devices. When a device is unenrolled or decommissioned, the MDM triggers a revocation call to the CA, which updates the CRL and notifies the OCSP Responder. Second, at the NAC enforcement layer: your RADIUS server is configured to query OCSP or refresh its CRL cache on a defined schedule, ensuring that revocation decisions propagate to access policy without manual intervention. The critical integration point here is the CA-to-NAC communication pipeline. In a well-designed deployment, revocation is a fully automated chain: MDM decommissions device, triggers CA revocation, CA updates OCSP Responder and publishes new CRL, RADIUS server picks up the change — either immediately via OCSP or within the next CRL refresh window — and the device is denied access on its next authentication attempt. --- IMPLEMENTATION RECOMMENDATIONS AND PITFALLS — approximately 2 minutes Let me give you the practical guidance that saves deployments from going sideways. First: define your revocation latency tolerance before you choose your mechanism. If you're running a hotel guest WiFi network where the primary risk is a decommissioned staff device, a 4-hour CRL refresh interval is probably fine. If you're running a healthcare network where a compromised device could access patient data, you want OCSP with fail-closed policy and a highly available responder cluster. Second: do not run a single OCSP Responder in production. Deploy at minimum two, behind a load balancer, with health monitoring. An OCSP Responder outage that causes fail-closed behaviour will generate support tickets faster than almost any other infrastructure failure. Third: watch your CRL size. In large deployments — we're talking tens of thousands of certificates — CRL files can grow to several megabytes. A RADIUS server downloading a 5MB CRL every hour across a WAN link is a throughput problem waiting to happen. Consider delta CRLs, which only contain changes since the last full CRL, or migrate to OCSP for high-volume environments. Fourth: test your revocation pipeline regularly. It's not enough to configure OCSP and assume it works. Automate a monthly test: issue a certificate, revoke it, attempt authentication, verify rejection. If your monitoring doesn't catch a broken OCSP Responder, your revocation mechanism is theatre. Fifth: align your certificate validity periods with your revocation strategy. Short-lived certificates — 24 to 72 hours — reduce the window of exposure for compromised credentials and can reduce your dependency on revocation infrastructure entirely. This is the direction the industry is moving, and it's worth evaluating for new deployments. --- RAPID-FIRE Q AND A — approximately 1 minute Question: Can I use both OCSP and CRL simultaneously? Yes. Most RADIUS implementations support a fallback chain: try OCSP first, fall back to CRL if the responder is unreachable. This gives you real-time checking under normal conditions and offline resilience during outages. Question: Does Purple's guest WiFi platform integrate with certificate-based NAC? Purple's platform operates at the guest access layer, handling captive portal authentication, data capture, and analytics. For enterprise staff networks running 802.1X with certificate authentication, Purple integrates with the underlying network infrastructure — the access points, controllers, and RADIUS servers — rather than replacing the certificate management stack. The guest and staff networks are typically segmented, with different authentication mechanisms appropriate to each. Question: What's the compliance angle? PCI DSS 4.0 requires that access to cardholder data environments uses strong authentication. GDPR requires appropriate technical measures to protect personal data. Both frameworks are satisfied by certificate-based 802.1X with automated revocation — provided you can demonstrate that revocation is timely and tested. Your audit trail needs to show when certificates were revoked and when that revocation propagated to network enforcement. --- SUMMARY AND NEXT STEPS — approximately 1 minute To bring this together: automating certificate revocation in a NAC environment is a three-layer problem. You need a CA that supports automated revocation triggers, an OCSP Responder or CRL Distribution Point that's highly available and properly sized, and a RADIUS server configured to enforce revocation status as part of its access policy. The choice between OCSP and CRL is not binary — it's a risk-tolerance decision that should be made in the context of your environment's security requirements, network topology, and operational maturity. If you're building or reviewing a NAC deployment and want to understand how Purple's guest WiFi and analytics platform fits into the broader network architecture, the links in the show notes will take you to the relevant technical guides. Thanks for listening. We'll see you in the next briefing. --- END OF SCRIPT

header_image.png

Resumo Executivo

Para diretores de TI empresariais e arquitetos de rede que gerem ambientes de alta densidade — como locais de Hotelaria , propriedades de Retalho e implementações no setor público — a gestão do ciclo de vida dos certificados é uma fronteira de segurança crítica. Embora o IEEE 802.1X forneça autenticação robusta para dispositivos corporativos e BYOD, o mecanismo pelo qual a confiança é revogada é frequentemente negligenciado até que ocorra uma violação.

A automatização da revogação de certificados com o Online Certificate Status Protocol (OCSP) e as Certificate Revocation Lists (CRL) num ambiente de Network Access Control (NAC) preenche a lacuna entre a desativação de endpoints e a aplicação de políticas de rede. Este guia explora a mecânica arquitetónica da revogação automatizada, comparando as capacidades em tempo real do OCSP com a resiliência offline do CRL.

Ao integrar a sua plataforma de Mobile Device Management (MDM), Certificate Authority (CA) e motor de políticas NAC, as organizações podem alcançar acesso à rede de confiança zero, onde dispositivos comprometidos ou desativados são instantaneamente impedidos de entrar. Esta referência técnica fornece orientação de implementação acionável, estratégias de mitigação de riscos e explora como esta postura de segurança para funcionários complementa a infraestrutura pública, como as plataformas Guest WiFi e WiFi Analytics da Purple.

Análise Técnica Detalhada

Em qualquer rede empresarial que utilize IEEE 802.1X com EAP-TLS, os dispositivos autenticam-se usando certificados digitais em vez de credenciais partilhadas. Esta abordagem é fundamental para as arquiteturas de segurança modernas, fornecendo identidade vinculada ao dispositivo que se integra perfeitamente com plataformas MDM através de protocolos como SCEP (para leitura adicional, consulte The Role of SCEP and NAC in Modern MDM Infrastructure ). No entanto, os certificados têm um ciclo de vida definido. Quando um dispositivo é perdido, um utilizador é terminado ou uma chave privada é comprometida, a infraestrutura de rede deve ser explicitamente instruída a parar de confiar nesse certificado.

Esta instrução de revogação é entregue através de dois mecanismos principais: CRL e OCSP.

Arquitetura da Lista de Revogação de Certificados (CRL)

Uma CRL é um ficheiro assinado digitalmente publicado pela Certificate Authority que contém os números de série de todos os certificados revogados que ainda não expiraram. O motor de políticas NAC (atuando como servidor RADIUS) descarrega periodicamente esta lista de um CRL Distribution Point (CDP) via HTTP ou LDAP.

Durante o handshake EAP-TLS, o servidor RADIUS verifica o número de série do certificado do cliente recebido em relação à sua CRL armazenada localmente. Se o número de série estiver presente, a autenticação é rejeitada.

Características Arquitetónicas:

  • Resiliência Offline: Como o servidor RADIUS armazena a CRL em cache, a verificação de revogação continua mesmo que a CA ou o CDP se tornem inalcançáveis.
  • Latência: A principal desvantagem é a latência entre a revogação e a aplicação. Se um certificado for revogado às 09:00 e o intervalo de atualização da CRL for de 24 horas, o dispositivo comprometido mantém o acesso à rede até ao próximo download.
  • Sobrecarga de Débito: Em ambientes com dezenas de milhares de certificados, os ficheiros CRL podem atingir vários megabytes, criando uma sobrecarga de largura de banda durante os ciclos de atualização.

Arquitetura do Online Certificate Status Protocol (OCSP)

O OCSP aborda as limitações de latência da CRL, permitindo a verificação de revogação em tempo real. Em vez de descarregar uma lista completa, o servidor RADIUS envia uma consulta direcionada contendo o número de série do certificado para um OCSP Responder. O respondedor devolve um estado assinado: Good, Revoked ou Unknown.

Características Arquitetónicas:

  • Aplicação em Tempo Real: As decisões de revogação propagam-se instantaneamente. Assim que a CA atualiza o OCSP Responder, a próxima tentativa de autenticação pelo dispositivo comprometido falhará.
  • Dependência de Disponibilidade: O motor de políticas NAC depende de o OCSP Responder estar altamente disponível. Se o respondedor estiver inalcançável, o administrador de rede deve definir uma política de falha: "fail open" (permitir acesso, comprometendo a segurança) ou "fail closed" (negar acesso, comprometendo a disponibilidade).
  • OCSP Stapling: Para mitigar a carga e as preocupações com a privacidade, o OCSP Stapling permite que o dispositivo cliente obtenha a resposta OCSP assinada e a anexe ao handshake TLS, embora o suporte do suplicante varie.

ocsp_crl_architecture_overview.png

Integração com Plataformas de Convidados e Análise

Enquanto o OCSP e a CRL lidam com os rigorosos requisitos de segurança de funcionários e dispositivos corporativos, as redes públicas exigem arquiteturas diferentes. Para locais públicos, integrar um NAC robusto para funcionários com uma plataforma pública dedicada como a Purple garante uma cobertura abrangente. A plataforma da Purple gere a autenticação do captive portal, a aceitação dos termos de serviço e a captura de dados para o segmento público, enquanto a infraestrutura de rede subjacente (muitas vezes os mesmos pontos de acesso físicos e switches) aplica 802.1X e OCSP para SSIDs corporativos. Compreender o ambiente de rádio é crucial para ambos os segmentos; consulte Wi Fi Frequencies: A Guide to Wi-Fi Frequencies in 2026 para o planeamento do espectro.

Guia de Implementação

A implementação da revogação automatizada de certificados requer coordenação entre os domínios PKI, MDM e NAC. Siga estes passos de implementação neutros em relação a fornecedores para estabelecer um pipeline de revogação resiliente.

Passo 1: Definir o Gatilho de Revogação

A automação começa na camada de gestão de endpoints. Configure a sua plataforma MDM (por exemplo, Microsoft Intune, Jamf Pro) para acionar uma chamada API de revogação para a sua Autoridade de Certificação quando condições específicas são cumpridas:

  • Dispositivo desregistado do MDM
  • Dispositivo marcado como não conforme
  • Conta de utilizador desativada no serviço de diretório

Passo 2: Configurar a Infraestrutura de Revogação

Para Implementações de CRL:

  1. Configure a CA para publicar a CRL num CDP de alta disponibilidade (por exemplo, um servidor web interno com balanceamento de carga).
  2. Defina o intervalo de publicação da CRL com base na sua tolerância ao risco (por exemplo, a cada 4 horas).
  3. Configure o servidor RADIUS para obter a CRL num intervalo ligeiramente mais curto do que o intervalo de publicação para garantir que a cache está sempre atualizada.

Para Implementações de OCSP:

  1. Implemente pelo menos dois Respondedores OCSP atrás de um balanceador de carga para garantir alta disponibilidade.
  2. Configure a CA para enviar atualizações de revogação para os Respondedores OCSP imediatamente.
  3. Configure o servidor RADIUS para consultar o IP virtual OCSP com balanceamento de carga durante a autenticação EAP-TLS.

Passo 3: Estabelecer a Política de Contingência

Não dependa de um único mecanismo. Configure o seu servidor RADIUS para usar OCSP como a verificação de revogação primária, com uma contingência para uma CRL em cache local se o Respondedor OCSP estiver inacessível. Isto proporciona aplicação em tempo real em condições normais e resiliência offline durante interrupções de infraestrutura.

Passo 4: Definir o Comportamento em Caso de Falha

Se tanto o OCSP quanto a CRL em cache estiverem indisponíveis, o servidor RADIUS deve decidir como lidar com o pedido de autenticação.

  • Ambientes de Alta Segurança (por exemplo, Saúde ): Configure "fail closed". Negue o acesso para evitar que dispositivos potencialmente comprometidos se conectem.
  • Ambientes Padrão (por exemplo, centros de Transporte ): Configure "fail open" com alerta. Permita o acesso para manter a continuidade operacional, mas gere um alerta de alta prioridade para o SOC.

ocsp_vs_crl_comparison_chart.png

Melhores Práticas

  1. Implementar CRLs Delta: Se depender de CRLs num ambiente grande, implemente CRLs Delta. Estes ficheiros contêm apenas as alterações de revogação desde que a última CRL Base completa foi publicada, reduzindo significativamente o tamanho do download e o consumo de largura de banda.
  2. Monitorizar a Latência do OCSP: As consultas OCSP ocorrem em linha durante o handshake EAP-TLS. Se o Respondedor OCSP demorar 500ms a responder, a autenticação é atrasada em 500ms. Monitorize a latência do respondedor e escale horizontalmente se os tempos de resposta se degradarem.
  3. Certificados de Curta Duração: Considere reduzir os períodos de validade dos certificados (por exemplo, de 1 ano para 7 dias) através da renovação automatizada SCEP/EST. Certificados de curta duração expiram naturalmente rápido, reduzindo a dependência de uma infraestrutura de revogação robusta.
  4. Alinhar com a Estratégia de Rede Mais Ampla: Garanta que a sua implementação NAC se alinha com a sua arquitetura de rede de área alargada. Para informações sobre o design moderno de WAN, consulte SD WAN vs MPLS: O Guia de Rede Empresarial 2026 .

Resolução de Problemas e Mitigação de Riscos

O modo de falha mais comum na revogação automatizada é um pipeline CA-para-NAC quebrado, resultando num evento "fail closed" que bloqueia utilizadores legítimos.

Risco: Indisponibilidade do Respondedor OCSP Mitigação: Implemente respondedores num cluster ativo-ativo em múltiplos domínios de falha. Implemente verificações de saúde abrangentes no balanceador de carga que verifiquem a capacidade do respondedor de consultar a base de dados da CA, não apenas a disponibilidade da porta TCP 80.

Risco: Cache CRL Desatualizada Mitigação: Os servidores RADIUS podem falhar ao descarregar a CRL mais recente devido a partições de rede ou interrupções de CDP. Implemente monitorização que alerte se a CRL em cache local for mais antiga do que o intervalo de publicação definido.

Risco: Revogação MDM Incompleta Mitigação: Se o MDM falhar ao acionar a chamada de revogação para a CA, o certificado permanece válido. Implemente um script de reconciliação que compare periodicamente a lista de dispositivos ativos do MDM com a lista de certificados válidos da CA, revogando automaticamente quaisquer discrepâncias.

ROI e Impacto no Negócio

A automatização da revogação de certificados transforma a segurança de um processo reativo e manual num mecanismo de defesa proativo e automatizado.

  • Redução de Risco: Ao eliminar a janela de exposição entre o comprometimento do dispositivo e o isolamento da rede, as organizações reduzem significativamente o risco de movimento lateral e exfiltração de dados. Isto é crucial para manter a conformidade com frameworks como PCI DSS e GDPR.
  • Eficiência Operacional: A automatização do pipeline de revogação elimina a necessidade de a equipa de suporte técnico atualizar manualmente as configurações RADIUS ou as bases de dados da CA quando um funcionário sai, poupando centenas de horas anualmente em grandes empresas.
  • Estratégia de Acesso Unificada: Um ambiente NAC robusto para dispositivos corporativos permite que as equipas de TI implementem com confiança serviços paralelos, como o guest WiFi baseado em análises da Purple ou serviços baseados em localização (ver BLE Low Energy Explained for Enterprise ), sabendo que a infraestrutura central é segura.

Ouça o nosso briefing técnico sobre este tópico abaixo:

Key Definitions

EAP-TLS (Extensible Authentication Protocol - Transport Layer Security)

The most secure standard for 802.1X network authentication, requiring both the client and the server to present digital certificates to prove their identity.

IT teams deploy EAP-TLS to eliminate the risks associated with password-based authentication, ensuring only managed, certificate-bearing devices can connect to the corporate network.

OCSP (Online Certificate Status Protocol)

An internet protocol used for obtaining the revocation status of an X.509 digital certificate in real-time.

Crucial for environments requiring immediate enforcement of access policies, such as when an employee is terminated and their device must be instantly disconnected.

CRL (Certificate Revocation List)

A periodically published, digitally signed list of certificate serial numbers that have been revoked by the issuing Certificate Authority.

Used as a primary revocation mechanism in offline or air-gapped networks, or as a highly resilient fallback mechanism for OCSP.

OCSP Stapling

A mechanism where the client device fetches its own OCSP response and 'staples' it to the TLS handshake, presenting it to the RADIUS server.

Reduces the load on the RADIUS server and OCSP Responder, and improves privacy by preventing the CA from seeing exactly when and where a device is authenticating.

Delta CRL

A smaller revocation list containing only the certificates revoked since the last full Base CRL was published.

Essential for large deployments to prevent network congestion, as full CRLs can become massive and consume significant bandwidth during refresh cycles.

CDP (CRL Distribution Point)

The location, typically an HTTP or LDAP URL, where the Certificate Authority publishes the CRL for clients and RADIUS servers to download.

IT teams must ensure the CDP is highly available and reachable from all NAC policy engines; if the CDP goes down, the RADIUS servers cannot update their caches.

Fail Open / Fail Closed

The policy decision dictating what happens when the revocation infrastructure (OCSP or CDP) is unreachable. Fail Open allows access; Fail Closed denies access.

A critical business decision balancing security posture against operational uptime. Requires sign-off from both IT operations and the CISO.

SCEP (Simple Certificate Enrollment Protocol)

A protocol used by MDM platforms to automate the issuance of digital certificates to managed devices without user intervention.

The starting point of the automated lifecycle. SCEP issues the certificate, and the MDM later triggers the CA to revoke it when the device is retired.

Worked Examples

A 500-bed hospital network is migrating from credential-based 802.1X to certificate-based EAP-TLS for all medical IoT devices and staff laptops. The CISO mandates that if a device is reported stolen, its network access must be terminated within 5 minutes. The network team is concerned about the RADIUS server load if it has to constantly query external services. How should the revocation architecture be designed?

The hospital must deploy OCSP to meet the 5-minute revocation SLA, as CRL refresh intervals cannot reliably meet this target without causing severe network overhead. To address the network team's load concerns, the architecture should implement OCSP Responders locally within the hospital's data centre, positioned close to the RADIUS servers to minimise latency. The RADIUS servers should be configured to query the local OCSP VIP. To ensure resilience, the RADIUS servers must be configured with a fallback to a locally cached CRL, updated hourly. The failure policy must be set to 'fail closed' due to the healthcare environment's strict compliance requirements.

Examiner's Commentary: This approach correctly balances the strict security requirement (5-minute SLA) with operational stability. By localising the OCSP Responders, the design mitigates latency and WAN dependency. The inclusion of a CRL fallback demonstrates a mature understanding of high-availability design, ensuring that a temporary OCSP outage does not immediately trigger the 'fail closed' policy and disrupt clinical operations.

A global retail chain with 1,200 stores uses SCEP to provision certificates to point-of-sale (POS) tablets. The stores have limited WAN bandwidth. The IT director wants to implement certificate revocation but is concerned that downloading large CRL files across 1,200 branch RADIUS servers will saturate the WAN links. What is the optimal deployment strategy?

The retail chain should implement a hybrid approach utilising Delta CRLs and OCSP Stapling. First, the CA should be configured to publish a Base CRL weekly and a Delta CRL (containing only recent revocations) every 4 hours. The branch RADIUS servers will only download the small Delta CRLs during the day, minimising WAN impact. Alternatively, if the POS tablets' EAP supplicants support it, OCSP Stapling should be enabled. This shifts the burden of fetching the OCSP response from the branch RADIUS server to the tablet itself, which can fetch the response directly from the central CA over standard HTTPS, bypassing the RADIUS server's processing overhead entirely.

Examiner's Commentary: This solution effectively addresses the specific constraint: WAN bandwidth at the edge. Recommending Delta CRLs is the standard industry practice for this scenario. The secondary recommendation of OCSP Stapling shows advanced knowledge of EAP-TLS mechanics, though the caveat regarding supplicant support is crucial, as many legacy IoT or POS devices do not support stapling.

Practice Questions

Q1. Your organisation is deploying 802.1X across 50 remote branch offices. The WAN links to the central data centre are highly congested and frequently drop packets. You need to implement certificate revocation for the branch corporate laptops. Which architecture should you choose?

Hint: Consider the impact of packet loss on real-time protocols versus the resilience of cached data.

View model answer

You should implement a CRL-based architecture, specifically using Base and Delta CRLs. Because the WAN links are congested and unreliable, real-time OCSP queries will frequently time out, causing authentication delays or failures. By configuring the branch RADIUS servers to download and cache Delta CRLs during off-peak hours, the local RADIUS server can perform revocation checks instantly against its cache, even if the WAN link drops entirely during the authentication attempt.

Q2. A security audit reveals that when your primary OCSP Responder goes offline for maintenance, all corporate users are completely locked out of the WiFi network. The business demands that maintenance should not impact user connectivity, but the CISO refuses to change the policy to 'Fail Open'. How do you resolve this?

Hint: If you cannot change the failure policy, you must change the availability of the service.

View model answer

You must implement high availability for the OCSP service. Deploy at least one additional OCSP Responder and place both behind a load balancer. Configure the RADIUS server to query the load balancer's Virtual IP (VIP). During maintenance, you can drain connections from the primary responder, take it offline, and the load balancer will seamlessly route all OCSP queries to the secondary responder, satisfying both the business uptime requirement and the CISO's 'Fail Closed' mandate.

Q3. You have configured your MDM to automatically revoke certificates when a device is marked as 'lost'. You test the system by marking a test iPad as lost. The MDM confirms the revocation, but 10 minutes later, the iPad successfully connects to the corporate WiFi. The RADIUS server is configured to use a CRL published every 24 hours. What is the root cause and how do you fix it?

Hint: Trace the timeline of the revocation data from the CA to the RADIUS server's enforcement engine.

View model answer

The root cause is latency in the CRL publication and refresh cycle. While the MDM successfully told the CA to revoke the certificate, the CA will not publish that updated status to the CRL Distribution Point until the next 24-hour cycle, and the RADIUS server will not download it until its own cache expires. To fix this, you must either migrate to OCSP for real-time checking, or drastically reduce the CRL publication and download intervals (e.g., to 1 hour) to meet your required enforcement timeline.