<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ISE CRL Distribution URL using LDAP Path in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4031299#M453868</link>
    <description>&lt;P&gt;Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default, ISE looks into the CDP (CRL Distribution Point) and picks out the LDAP URL and tries to bind to it. It fails of course because there is no setup for this option. I don't know if this is still the case in ISE 2.6. The manual option is to specify an HTTP URL and I don't see any options to bind to an LDAP repository.&lt;/P&gt;</description>
    <pubDate>Tue, 18 Feb 2020 02:11:09 GMT</pubDate>
    <dc:creator>Arne Bier</dc:creator>
    <dc:date>2020-02-18T02:11:09Z</dc:date>
    <item>
      <title>ISE CRL Distribution URL using LDAP Path</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4031047#M453867</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;&lt;P&gt;Does anyone know if ISE supports CRL checking from an LDAP path as opposed to an HTTP path? I have looked through the documentation and I can't see this mentioned anywhere.&lt;/P&gt;&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Mon, 17 Feb 2020 16:51:17 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4031047#M453867</guid>
      <dc:creator>dm2020</dc:creator>
      <dc:date>2020-02-17T16:51:17Z</dc:date>
    </item>
    <item>
      <title>Re: ISE CRL Distribution URL using LDAP Path</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4031299#M453868</link>
      <description>&lt;P&gt;Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default, ISE looks into the CDP (CRL Distribution Point) and picks out the LDAP URL and tries to bind to it. It fails of course because there is no setup for this option. I don't know if this is still the case in ISE 2.6. The manual option is to specify an HTTP URL and I don't see any options to bind to an LDAP repository.&lt;/P&gt;</description>
      <pubDate>Tue, 18 Feb 2020 02:11:09 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4031299#M453868</guid>
      <dc:creator>Arne Bier</dc:creator>
      <dc:date>2020-02-18T02:11:09Z</dc:date>
    </item>
    <item>
      <title>Re: ISE CRL Distribution URL using LDAP Path</title>
      <link>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4033926#M558227</link>
      <description>&lt;P&gt;ISE validates CRLs for two purposes, and each is done its own way.&lt;/P&gt;
&lt;P&gt;1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked, and the URL can be an LDAP URL, but only anonymous binding works.&lt;/P&gt;
&lt;P&gt;2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL Distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works, if using an LDAP URL.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 21:43:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/ise-crl-distribution-url-using-ldap-path/m-p/4033926#M558227</guid>
      <dc:creator>hslai</dc:creator>
      <dc:date>2020-02-21T21:43:05Z</dc:date>
    </item>
  </channel>
</rss>

