Cisco Systems CSACS3415K9 Computer Accessories User Manual


 
7-23
User Guide for Cisco Secure Access Control System 5.4
OL-26225-01
Chapter 7 Managing Network Resources
Working with OCSP Services
Table 7-8 OCSP Servers Page

Option / Description

Failback To Primary Server
  Enable this option to use the secondary server for the given amount of time when the primary is
  completely down. The time range is 1 to 999 minutes.

Primary Server

URL
  Enter the URL or the IP address of the primary server.

Enable Nonce Extension Support
  Check this check box to use a nonce in the OCSP request.
  This option includes a random number in the OCSP request. When you select this option, ACS compares
  the number that is received in the response with the number that was included in the request. This
  method ensures that old responses cannot be replayed.
  You can configure a nonce in Windows 2008 servers. If the nonce from the ACS server does not match
  the one on the Windows server, Windows returns an unauthorized response. As a result, ACS fails the
  request and considers the certificate status to be unknown.

Validate Response Signature
  Check this check box to instruct the OCSP responder to include one of the following signatures in the
  response:
  - The CA certificate
  - A different certificate from the CA certificate
  ACS validates the response certificate based on the OCSP response signature. If there is no OCSP
  response signature, ACS fails the response, and the status of the certificate cannot be determined.

Network Timeout
  Enter the number of seconds that ACS should wait for a response from the primary OCSP server. The
  default is 5 seconds. Valid values are from 1 to 999 seconds.

Secondary Server

URL
  Enter the URL or the IP address of the secondary server.

Enable Nonce Extension Support
  Check this check box to use a nonce in the OCSP request.
  This option includes a random number in the OCSP request. When you select this option, ACS compares
  the number that is received in the response with the number that was included in the request. This
  method ensures that old responses cannot be replayed.
  You can configure a nonce in Windows 2008 servers. If the nonce from the ACS server does not match
  the one on the Windows server, Windows returns an unauthorized response. As a result, ACS fails the
  request and considers the certificate status to be unknown.

Validate Response Signature
  Check this check box to instruct the OCSP responder to include one of the following signatures in the
  response:
  - The CA certificate
  - A different certificate from the CA certificate
  ACS validates the response certificate based on the OCSP response signature. If there is no OCSP
  response signature, ACS fails the response, and the status of the certificate cannot be determined.

Network Timeout
  Enter the number of seconds that ACS should wait for a response from the secondary OCSP server. The
  default is 5 seconds. Valid values are from 1 to 999 seconds.

Response Cache
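The options above describe three client-side behaviours: a nonce that ties each response to the request that produced it, a mandatory response signature, and a failback window during which the secondary responder is used after the primary stops answering. The following Python is an added illustration of that decision logic, written for this page; it is not Cisco ACS code and does not reproduce the ACS implementation. It assumes a caller-supplied `send` function that performs the HTTP exchange and returns `None` on timeout, and it models the responder's answer with a small `OcspResponse` record instead of parsing real DER. The only wire-format piece it builds is the id-pkix-ocsp-nonce extension itself (RFC 6960, with the double OCTET STRING wrapping clarified by RFC 8954), so that the "random number in the OCSP request" is concrete; server names in the demo are constructed.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

ID_PKIX_OCSP_NONCE = "1.3.6.1.5.5.7.48.1.2"  # RFC 6960 section 4.4.1


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_oid(dotted: str) -> bytes:
    """Encode a dotted OID; arcs >= 128 use base-128 continuation bytes."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, extnValue OCTET STRING }.
    For the nonce extension, extnValue wraps a second OCTET STRING holding
    the random bytes (RFC 8954)."""
    return _der(0x30, _der_oid(ID_PKIX_OCSP_NONCE) + _der(0x04, _der(0x04, nonce)))


def new_nonce(length: int = 16) -> bytes:
    return secrets.token_bytes(length)


@dataclass
class OcspServer:
    url: str
    enable_nonce: bool = True        # "Enable Nonce Extension Support"
    validate_signature: bool = True  # "Validate Response Signature"
    network_timeout_s: int = 5       # "Network Timeout", 1..999 seconds

    def __post_init__(self) -> None:
        if not 1 <= self.network_timeout_s <= 999:
            raise ValueError("Network Timeout must be 1..999 seconds")


@dataclass
class OcspResponse:
    """Constructed stand-in for a parsed OCSP response (not real DER)."""
    cert_status: str                # "good", "revoked" or "unknown"
    nonce: Optional[bytes] = None   # nonce echoed by the responder, if any
    signature_valid: bool = True    # False when no valid signature is present


def evaluate_response(server: OcspServer, request_nonce: bytes, resp: OcspResponse) -> str:
    """Apply the table's checks; any failure collapses the status to 'unknown'."""
    if server.validate_signature and not resp.signature_valid:
        return "unknown"  # no usable signature: status cannot be determined
    if server.enable_nonce:
        # A missing or mismatched nonce means the response may be a replay.
        if resp.nonce is None or not hmac.compare_digest(resp.nonce, request_nonce):
            return "unknown"
    return resp.cert_status


SendFn = Callable[[OcspServer, bytes, int], Optional[OcspResponse]]


class OcspService:
    """Primary/secondary selection with the 'Failback To Primary Server' window."""

    def __init__(self, primary: OcspServer, secondary: Optional[OcspServer] = None,
                 failback_minutes: Optional[int] = None,
                 clock: Callable[[], float] = time.monotonic) -> None:
        if failback_minutes is not None and not 1 <= failback_minutes <= 999:
            raise ValueError("Failback To Primary Server must be 1..999 minutes")
        self.primary, self.secondary = primary, secondary
        self.failback_s = (failback_minutes or 0) * 60
        self.clock = clock
        self.primary_down_until = 0.0  # while clock() < this, go straight to secondary

    def check(self, send: SendFn) -> str:
        """send(server, nonce_extension_der, timeout_s) -> response, or None on timeout."""
        now = self.clock()
        servers = []
        if now >= self.primary_down_until or self.secondary is None:
            servers.append(self.primary)
        if self.secondary is not None:
            servers.append(self.secondary)
        for server in servers:
            nonce = new_nonce() if server.enable_nonce else b""
            ext = encode_nonce_extension(nonce) if server.enable_nonce else b""
            resp = send(server, ext, server.network_timeout_s)
            if resp is None:
                if server is self.primary and self.failback_s:
                    self.primary_down_until = now + self.failback_s
                continue
            return evaluate_response(server, nonce, resp)
        return "unknown"
```

In a real deployment `send` would POST the DER-encoded OCSPRequest (with this extension in `requestExtensions`) to each server's URL and parse the BasicOCSPResponse; the evaluation order shown is the one the table implies: a signature failure or nonce mismatch is reported as an unknown certificate, never as "good".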