topic Re: When does ISE need to download CRL from http server or LdAP server? in Network Access Control

When does ISE need to download CRL from http server or LdAP server?

Herman2018 — Mon, 03 Aug 2020 12:44:55 GMT

Hi , anyone can please advise which scenarios ISE need to download CRL from the server? What is the purpose of CRL? Thanks in advance.

Re: When does ISE need to download CRL from http server or LdAP server?

Mike.Cifelli — Mon, 03 Aug 2020 13:06:00 GMT

Hi , anyone can please advise which scenarios ISE need to download CRL from the server?
-ISE can/should use CRLs to determine validity of certificate status. An example would be a certificate used in eap-tls for authentication purposes. You would want to verify that the cert is trusted and valid.
What is the purpose of CRL?
-Provides a downloadable list of revoked certificates. This list contains certs that the issuing CA has revoked before the scheduled expiration date and should no longer be trusted.
Lastly, AFAIK keep in mind that ISE cannot use delta CRLs.
HTH!

Re: When does ISE need to download CRL from http server or LdAP server?

Herman2018 — Tue, 04 Aug 2020 09:24:20 GMT

Thanks. @Mike.Cifelli . If don't use CRL, change certificate manually, is it also ok, right?

Re: When does ISE need to download CRL from http server or LdAP server?

Mike.Cifelli — Tue, 04 Aug 2020 12:54:06 GMT

I am not sure I follow your question. In your ISE trust store you can configure whether or not to use an OCSP profile or CRL download for the respective certificates.