topic Hi Johannes- in Network Access Control

ISE 1.4 CRL download verification

Johannes Luther — Mon, 11 Mar 2019 06:36:36 GMT

Hi ISE professionals,

today I have a very simple question and hopefully someone will enlighten me 🙂

Let's assume I configured a trusted CA certificate with a CRL distribution URL and I download the CRL some time before it expires.

How can I verify if this actually worked? Of course when CRL download fails I assume I get a Error Message. But what I want is a log message somewhere to verify that it worked.

Has anybody an idea if there is a log file or report where I can verify the download?

Hi Johannes-

nspasov — Thu, 24 Mar 2016 03:19:09 GMT

Hi Johannes-

Let me start by saying that you should look into configuring OCSP (Online Certificate Status Protocol) instead of CRL (Certificate Revocation List). There are many benefits to it. I am not a PKI expert so I will let you google it and consult the a PKI/Cryptography expert but below is a good link about it:

https://www.fir3net.com/Security/Concepts-and-Terminology/certificate-revocation.html

One of the benefits of OCSP is the Diagnostic Report in ISE located under Operations > Reports > Diagnostics > OSCP Monitoring. You can schedule that report and run it let's say every morning and have ISE send you a copy 🙂

You can configure ISE to automatically check sessions against the CRL/OCSP list by going to:

Administration > System > Certificates > Certificate Management >Certificate Periodic Check Settings

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,

Johannes Luther — Thu, 24 Mar 2016 06:43:41 GMT

Hello Neno,

good point - I forgot to mention, that I'm using OCSP as well. Perhaps I explain the use case for CRLs in the combination with OCSP.

Assume a PSN node in a remote office. The OCSP server is only available in the central site and not in every remote office.

If the WAN connection towards the office fails, there is no connection to the OCSP server. Also I don't want to accept EAP-TLS client sessions if the OSCP server in unavailable and skip certificate checking.

This is when CRLs come into place. If the OSCP server is unavailable the downloaded CRL is checked. Assuming a CRL lifetime of one week and an overlap of CRL creation of ~three days, I have ~ three days to fix the WAN connectivity.

So thanks for the hint. But in my opinion there are valid use cases to use both mechanisms in combination.

Ahh best of both worlds! :)

nspasov — Thu, 24 Mar 2016 07:51:14 GMT

Ahh best of both worlds! 🙂 Thank you for the explanation on the CRL + OCSP. That makes a lot of sense! (+5 from me!)

Back to your question:

1. For OCSP: I would recommend you check the report that I referenced above and see if that gives your the information needed

2. For CRL: I am afraid I am not aware of a way to confirm that things have worked 🙂 And yes, you are correct that you will can be notified when a retrieval fails. That is done via an alarm called "CRL Retrieval Failed" and it is located at: Administration > System > Settings > Alarm Settings. You need to make sure that the alarm is enabled and that you have an e-mail configured for the notifications to work.

So with that being said, I guess you will have to assume that if you are not getting notifications about the alarm then everything is working fine 🙂

Thank you for rating helpful posts!

Hi Neno,

Johannes Luther — Thu, 24 Mar 2016 08:22:31 GMT

Hi Neno,

thanks for your answer. Regardless of the Alarm settings, the CRL download failed event is always logged.

Example Syslog:

Category Name: RADIUS Diagnostics

Message Class: CRL

Message Code: 12831

Message Text: Unable to download CRL

There are much more notifications with different conditions, which can be reviewed under:

Administration > System > Logging > Message Catalog

Just type in "CRL" as the filter for the "Message Text" column.

Back to my original request.

I was just wondering of a successful CRL download is in some log file. If I login to ADE-OS there are tons of different log files if I issue a "show logging ..." on the command line. I just don't know where to search.

Another potential location would be in the GUI under "Operations > Troubleshoot > Download Logs"

There are all debug log files (also tons of them) for each ISE node in the deployment. There must be a CRL download indication in one of these files.

Perhaps a TAC engineer of Cisco is reading this and exactly knows where to search for it 🙂

Yes, perhaps someone from

nspasov — Thu, 24 Mar 2016 17:59:10 GMT

Yes, perhaps someone from Cisco and/or someone that knows about this can chime in 🙂