https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300950#M107423 <HTML><HEAD></HEAD><BODY><P>ISE&nbsp;&nbsp;&nbsp; supports two ways of checking the revocation status of a client&nbsp; or&nbsp; server&nbsp;&nbsp; certificate that is issued by a particular CA. The first is&nbsp; to&nbsp; validate the&nbsp;&nbsp; certificate using the Online Certificate Status&nbsp; Protocol&nbsp; (OCSP), which makes&nbsp;&nbsp; a request to an OCSP service maintained&nbsp; by the CA.&nbsp; The second is to validate&nbsp;&nbsp; the certificate against a&nbsp; Certificate&nbsp; Revocation List (CRL) which is&nbsp;&nbsp; downloaded from the CA&nbsp; into ISE. Both&nbsp; of these methods can be enabled, in&nbsp;&nbsp; which case OCSP is&nbsp; used first, and&nbsp; only if a status determination cannot be&nbsp;&nbsp; made then&nbsp; the CRL is used.</P><P></P><DIV> </DIV><DIV><STRONG>Please check the below links&nbsp; which can be helpful in configurations:</STRONG></DIV><P></P><P></P><P>Link-1</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html" rel="nofollow">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html</A></P></BODY></HTML> Mon, 23 Sep 2013 16:26:42 GMT aqjaved 2013-09-23T16:26:42Z https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300949#M107386 <P>Hello,</P><P>Quick one this time...</P><P></P><P>What box is requesting the CRL? the ADM or the PSN?</P><P>am right to assum that the port 80 need to be open on the FW&nbsp; from ADM or PSN&nbsp; to the CRL location</P><P></P><P>Thx</P> Mon, 11 Mar 2019 03:53:38 GMT https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300949#M107386 eric.lessard 2019-03-11T03:53:38Z https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300950#M107423 <HTML><HEAD></HEAD><BODY><P>ISE&nbsp;&nbsp;&nbsp; supports two ways of checking the revocation status of a client&nbsp; or&nbsp; server&nbsp;&nbsp; certificate that is issued by a particular CA. The first is&nbsp; to&nbsp; validate the&nbsp;&nbsp; certificate using the Online Certificate Status&nbsp; Protocol&nbsp; (OCSP), which makes&nbsp;&nbsp; a request to an OCSP service maintained&nbsp; by the CA.&nbsp; The second is to validate&nbsp;&nbsp; the certificate against a&nbsp; Certificate&nbsp; Revocation List (CRL) which is&nbsp;&nbsp; downloaded from the CA&nbsp; into ISE. Both&nbsp; of these methods can be enabled, in&nbsp;&nbsp; which case OCSP is&nbsp; used first, and&nbsp; only if a status determination cannot be&nbsp;&nbsp; made then&nbsp; the CRL is used.</P><P></P><DIV> </DIV><DIV><STRONG>Please check the below links&nbsp; which can be helpful in configurations:</STRONG></DIV><P></P><P></P><P>Link-1</P><P></P><P><A href="http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html" rel="nofollow">http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html</A></P></BODY></HTML> Mon, 23 Sep 2013 16:26:42 GMT https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300950#M107423 aqjaved 2013-09-23T16:26:42Z https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300951#M107473 <HTML><HEAD></HEAD><BODY><P>Thx Ageel,</P><P></P><P>After testing, all the box need to be able to acess the CRL, not only the PSN</P><P>second fact is that the HTTPS protocol needs to be binded to the CA root Cert in order to Download the CRL.</P><P>If your https is binded to a self sign, the Admin node wont be able to DL it</P><P></P><P>Thx</P></BODY></HTML> Mon, 23 Sep 2013 16:31:55 GMT https://community.cisco.com/t5/network-access-control/ise-1-2-crl/m-p/2300951#M107473 eric.lessard 2013-09-23T16:31:55Z