In addition to checking the server certificate‘s validity (signatures, expiration date, uses), the switch also checks the revocation status of each certificate in the chain using the Online Certificate Status Protocol (OCSP).
The following rules are enforced:
Beginning with ExtremeXOS 31.6, you can configure RADIUS over TLS OCSP attributes (nonce, override, and ocsp-nocheck, respectively) using the following commands:
OCSP nonce cryptographically binds an OCSP request and an OCSP response with an id-pkix-ocsp-nonce extension to prevent replay attacks.
OCSP override configures one HTTP Online Certificate Status Protocol (OSCP) override URL for a RADIUS TLS server.
When OCSP-nocheck is done for a peer certificate, ExtremeXOS sends the OCSP request to the OCSP server. The OCSP response is signed by the OCSP responder/signer. The response also comes along with the certificate of the OCSP signer. When ExtremeXOS receives the response, it only checks whether the status of the peer certificate is not revoked.