https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106136#M146641 <HTML><HEAD></HEAD><BODY><P>A few questions:&nbsp;&nbsp;&nbsp; </P><UL><LI>Are you using the same CA for each ISE?&nbsp; </LI><LI>MS Enterprise CA?</LI><LI>I presume these are all part of the same deployment?&nbsp; </LI><LI>You allow the Admin node to communicate with the DMZ nodes?</LI></UL><P></P><P></P><P>I hope you find this information useful, if it was satisfactory&nbsp; for you, please mark the question as Answered. <BR /> <BR />Please rate post you consider useful. <BR />-James</P><DIV id="nuan_ria_plugin"><OBJECT height="0" id="plugin0" style="position: absolute; z-index: 1000;" type="application/x-dgnria" width="0"><PARAM name="tabId" /><PARAM name="counter" /></OBJECT></DIV></BODY></HTML> Thu, 06 Dec 2012 01:40:11 GMT jw.sl9 2012-12-06T01:40:11Z https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106135#M146607 <P>Hi All,</P><P></P><P>I've got a split domain setup, with 8 ISE nodes on the inside network, and 2 nodes on a DMZ in a different DNS domain.</P><P>When we first set this up a few months ago, it turned out that there was a bug that didn't allow multiple domains, and we tested a workaround at the time, so I'm guessing it's not too common yet (recent code releases (patch 4 and 1.1.2) fixed this issue, but.....</P><P>I've configured a CRL for the CA certs from the internal domain.</P><P>The ISE's on the DMZ have nothing to do with the internal domain, so I wouldn't have expected them to be interested in the CRL which is associated with a certificate (and chain) used on internal ISE's only.</P><P>Unfortunately though the DMZ ISE's are also trying to get to the CRL URL which is not accessible from the DMZ, so flagging up masses of errors. Any way of stopping individual PSN's from trying to do this?</P><P></P><P>Incidentally, even though the timeout to retry the download is hours, the external nodes seem to be retrying every 2-4 minutes.</P><P></P><P>I had to delete 18000 alarms today, so wasn't too pleased to find that you can only delete alarms 100 at a time???????????????</P><P></P><P></P><P>Cheers</P> Mon, 11 Mar 2019 02:51:50 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106135#M146607 bikespace 2019-03-11T02:51:50Z https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106136#M146641 <HTML><HEAD></HEAD><BODY><P>A few questions:&nbsp;&nbsp;&nbsp; </P><UL><LI>Are you using the same CA for each ISE?&nbsp; </LI><LI>MS Enterprise CA?</LI><LI>I presume these are all part of the same deployment?&nbsp; </LI><LI>You allow the Admin node to communicate with the DMZ nodes?</LI></UL><P></P><P></P><P>I hope you find this information useful, if it was satisfactory&nbsp; for you, please mark the question as Answered. <BR /> <BR />Please rate post you consider useful. <BR />-James</P><DIV id="nuan_ria_plugin"><OBJECT height="0" id="plugin0" style="position: absolute; z-index: 1000;" type="application/x-dgnria" width="0"><PARAM name="tabId" /><PARAM name="counter" /></OBJECT></DIV></BODY></HTML> Thu, 06 Dec 2012 01:40:11 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106136#M146641 jw.sl9 2012-12-06T01:40:11Z https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106137#M146668 <HTML><HEAD></HEAD><BODY><P>The internal nodes all use the same CA. The problem seems to be that even though the DMZ nodes have no need for the certificate in question, they still attempt download of the CRL.<BR />The DMZ nodes use an external CA for which no CRL is currently set up.<BR />All one deployment, split domain.<BR />Admin talking to PSN through firewall. That communication is fine, but no way will DMZ node be able to talk to the internal CA.<BR /><BR />Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Mon, 17 Dec 2012 00:29:03 GMT https://community.cisco.com/t5/network-access-control/ise-certificate-revocation-list/m-p/2106137#M146668 bikespace 2012-12-17T00:29:03Z