topic CRL Validation fails on ACS 5.2.0.26.3 in Network Access Control

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 11 Mar 2019 01:18:20 GMT

Hi,

We are using ACS v5.2.0.26.3 in 802.1X certificate based authentication. Now, when we added CRL functionality into ACS it fails in CRL validation and gives following error message:

LastErrorMessage=CRL PKI verification failed

Certificate Revocation list Url=http://crl.download.net/XXXX/deviceCA.crl

We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.

Question is, which certificate is used when validating downloaded CRL file - one used for EAP-TLS or one used for management interface?

How I can check which certificate ACS server is using for CRL validation?

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

Tarik Admani — Sat, 13 Aug 2011 03:57:34 GMT

The crl is used for the eap interface, because crl checking is a necessity to determine which users are still valid and which are revoked. So crl for the management doesnt apply because the management interface authenticates the user via the local admin database.

With regards to your crl url that you added, can you use the ip address that resolves to crl.download.net and try that instead?

Also if you go the ipbased url see if you can type in your browser and see if the crl file actually downloads.

Thanks,

Tarik

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 15 Aug 2011 05:44:31 GMT

Tarik,

I think that there is small misunderstanding now.

ACS can download CRL without any problems, but it fails when it tries to validate contents of CRL using PKI. My question was (and still is), which certificates PKI is used for CRL content validation: one used for EAP-TLS or one used management (https)???

I tried to debug this process, but only error message which is related to this problem, is one from SSL informing about PKI failure.

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 15 Aug 2011 12:23:48 GMT

Another question:

As ACS is using openssl for CRL validation, do ACS also expect that CRL file is in PEM format (which is default for openssl)??? In my case CA is publishing CRL in DER format, which can cause this problem.

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 15 Aug 2011 12:29:40 GMT

P.S. This is actual error message from openssl:

Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, Crypto.SSL.verifyCRL - CRL verification failed - Alleged Issuer CN=XXX Root CA, CRL-CN=XXX Device CA,SSL.cpp:829

Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, CryptoLib.CSSL.addCRL - verification failed.,SSL.cpp:360

CRL Validation fails on ACS 5.2.0.26.3

Tarik Admani — Tue, 16 Aug 2011 04:39:04 GMT

I am sure we need this file in pem format since openssl is what the ACS uses. Please make the changes to the file and try again.

Thanks,

Tarik

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Tue, 16 Aug 2011 06:01:04 GMT

Hi,

Converted DER formatted CRL file to PEM - still same error message about PKI Validation failure.

Is there a way to check which CA certificate is used for CRL signature validation??

I'm afraid that ACS is using self-signed certificate, tagged to use with management connection for CRL signature validation, but I need to verify that first before ordering real certificates for all ACS servers.

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Tue, 08 Nov 2011 08:52:20 GMT

Answering to my own question:

1. CRL is validated against management certificate.

2. CRL must be in PEM format.

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

ajay pandey — Wed, 04 Apr 2012 11:23:59 GMT

Hi,

Did you get this problem fixed. I am also facing same situation at moment and serching for solution ta moment.

Regards

Ajay

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Thu, 05 Apr 2012 05:44:00 GMT

Hi Ajay,

Yes. As ACS has two certificates, one used for web gui and one for authentication (eap-tls), I noticed that management certificate is used for CRL validation, not that one, which is used for EAP-TLS.

This is very poorly documented in ACS manuals and I hope that Cisco improved documentation quality in ISE.

So make sure that management certificate is granted from CA generating CRLs, then it works without problems (EKU has to contain both server and client authentication key usage).

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

ajay pandey — Thu, 05 Apr 2012 08:45:21 GMT

But do we have to configure somewhere CRL url's or it should work automatically.

I am using same certificate for mgmt & EAP-TLS purpose. I hope it should not cause any problems.

Regards

Ajay

CRL Validation fails on ACS 5.2.0.26.3

ajay pandey — Fri, 06 Apr 2012 18:47:24 GMT

Hi Mikko,

How could we verify that ACS 5.3 checking the CRL list while authenticating the clients. Is there any way to check which CRL is present in ACS 5.3 and does it is being used while authenticating the list.

Anyone if using CRL must be checkign this. Please suggest asap on this.

Regards

Ajay

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Tue, 10 Apr 2012 07:40:10 GMT

Hi Ajay,

Answer to your both questions:

1. CRL is defined in "Users and Identity Stores"->"Certificate Authorities". As far as I have tested ACS does not read CRL information from certificate.

2. You will see message in ACS log files if CRL download/processing fails.

3. I tested CRL processing with dummy test certificate, which I installed to test PC and tried to access network.

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

Karsten Jaschultowski — Mon, 16 Apr 2012 05:43:06 GMT

Hello Mikko,

one question regarding

"So make sure that management certificate is granted from CA generating CRLs"

Does this mean, that CRL checking should be enabled for the management certificate/CA? (where i cannot see the reason why)

/Karsten

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 16 Apr 2012 05:59:09 GMT

No, I think that I put it in wrong way.

When ACS has downloaded CRL from CA (or its frontend), it uses management certificate chain to check validity of downloaded CRL file. So if management certificate and CRL does not share same certificate chain, CRL is ignored and not processed.

CRL checking is needed only defined to CA/certificate used for EAP-TLS authentication (but unfortunately it does not use that information for CRL processing. I hope that this functionality is changed in ISE).

/Mikko

Re: CRL Validation fails on ACS 5.2.0.26.3

Karsten Jaschultowski — Mon, 16 Apr 2012 06:35:49 GMT

Hello Mikko,

thanks for clearing this.

Mit freundlichen Grüßen

Karsten Jaschultowski

Dipl.-Ing.

Teamleiter

Security Network Services

Tel.: +49 251 7133 2402

Fax.: +49 251 7133 92402

Mobil: +49 172 2623879

E-Mail: karsten.jaschultowski@vrnetze.de

VR Netze GmbH

Weseler Straße 480

48163 Münster

www.vrnetze.de

Geschäftsführer: Winfried Richert, Martin Schauer

Sitz: Münster/Westf., Registergericht: AG Münster, HRB 10235

Von: mjarvela

An: Karsten Jaschultowski

Datum: 16.04.2012 07:59

Betreff: - Re: CRL Validation fails on ACS

5.2.0.26.3

CRL Validation fails on ACS 5.2.0.26.3

ajay pandey — Sat, 21 Apr 2012 13:15:44 GMT

It actually works in ASC 5.3 and I had verified also that it works, In ACS actually CRL is downloaded based on time we specified in CRL download option time and it chekes the client certificate from CRL list, if client certificate is revoked and ACS downloaded the CRL after that it will not fail authetication of that client.

This is basic functionality of CRL and oit should always work

Regards

Ajay

CRL Validation fails on ACS 5.2.0.26.3

sez sharp — Mon, 18 Feb 2013 08:47:25 GMT

Hi Mikko,

Did you have to change the format of the CRL to get it to work with ACS? - or was the issue the CA chain used?

(the CRL %20 URL problem is another trip up point - on ACS the %20 entries in a http CRL path must be converted to whitespace character)

I'm using Microsoft PKI and trying to figure if I have to do 'something' to the format of the CRL to get ACS to be able to read it properly

Are you using Microsoft PKI and if so how/what did you change with respect to the CRL format?

thanks,

Sez

CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA — Mon, 18 Feb 2013 09:37:29 GMT

Hi Sez,

I solved this problem by converting CRL file into .PEM format with openssl and I'm using this method in two cases; one where we are using Microsoft PKI and other where CA is unix based.

We didn't notice any problems with %20 conversion as I took care that there is no spaces in CRL URL.

So to summarize, conversion from .DER to .PEM is necessary (and this applies also to ISE installations).

/Mikko

CRL Validation fails on ACS 5.2.0.26.3

sez sharp — Mon, 18 Feb 2013 09:49:12 GMT

Thanks Mikko

But can't help groaning - would think that after all this time this would be taken care of under the hood of ACS (and definitley ISE!)

So to have a timely mechanism for CRL propogation for EAP/TLS we have to look at;

Set the Microsoft PKI to publish new CRL file (not a delta) on say daily basis and

Set a timed batch job to run oppenssl after that to do PEM conversion and

Set ACS to retrieve CRL after all that

Pity there not an app for that... 😞

ciao,

Sez