topic Cannot download CRL to my ISE in Network Access Control

Cannot download CRL to my ISE

Imran Ahmad — Mon, 11 Mar 2019 03:58:10 GMT

Hello,

I have ise 1.2, i have configured everything normally and i can browse to my CRL from any windows pc that is ok, but still my ise cannot download the CRL, i get the following error on my ISE. please help me im totally stuck in this. i have standalone CA

ise error msg>>>

Alarms: CRL Retrieval Failed

Description:
Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.

Suggested Actions:
Please ensure that the download url is correct and is available for the service

Could not download Certificate Revocation List for certificate with CN=TrustedCA

Cannot download CRL to my ISE

aqjaved — Mon, 07 Oct 2013 16:03:24 GMT

Certificate Revocation List Configuration area, do the following:

a. Check the Download CRL check box for the Cisco ISE to download a CRL.

b. Enter the URL to download the CRL from a CA in the URL Distribution text box. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http" or "https."

The CRL can be downloaded automatically or periodically.

c. You can configure the time interval between downloads in minutes, hours, days, or weeks if you want the CRL to be downloaded automatically before the previous CRL update expires.

d. Configure the time interval in minutes, hours, days, or weeks to wait before the Cisco ISE tries to download the CRL again.

e. If you uncheck the Bypass CRL Verification if CRL is not Received check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file. If you check this check box, the client requests will be accepted before the CRL is received.

f. If you uncheck the Ignore CRL that is not yet valid or expired check box, Cisco ISE checks the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected. If you check this check box, Cisco ISE ignores the start date and expiration date and continues to use the not yet active or expired CRL and permits or rejects the EAP-TLS authentications based on the contents of the CRL.

For complete configuration, please check the below link.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

Cannot download CRL to my ISE

Muhammad Munir — Tue, 08 Oct 2013 05:13:36 GMT

Hi Imran,

Check to make sure that the CA services are up and running on the CA server.
Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.
Check if the configuration change is expected.
Ensure that the download URL is correct and is available for the service.

For more information, please visit the given link:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mnt.html

Cannot download CRL to my ISE

blenka — Thu, 10 Oct 2013 20:17:18 GMT

CRL Retrieval Failed ---- Unable to retrieve CRL from the server. This could occur if the specified CRL is unavailable.--------- Ensure that the download URL is correct and is available for the service.

Cannot download CRL to my ISE

networks.comms — Wed, 27 Nov 2013 11:54:56 GMT

We have the same issue and believe it is due to the ISE using the system proxy settings. According to the documentation, it should be possible to add exceptions, but I don't see these fields (ISE 1.2 patch 4)

Step 1 Choose Administration > System > Settings > Proxy.

Step 2 Enter the proxy IP address or DNS-resolvable host name in Proxy Address, and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy Port.

Step 3 Enter the IP Address or Address range of hosts or domains to be bypassed in Bypass Proxy Settings for these Hosts & Domain.

Step 4 Enter the username and password used to authenticate to the proxy servers in the corresponding fields.

Step 5 Click Save.

Cannot download CRL to my ISE

Karel Navratil — Thu, 28 Nov 2013 15:59:59 GMT

I have the same problem, my CRL URL contained spaces and looks like ISE has problem with that. OCSP is workaround