https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4565127#M573261 <P>Do you have a syslog server that you export logs to?</P> <P>You should be seeing log messages about whether or not the CRL was added or failed:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/145514iD52E9AD91E1B4410/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Mon, 07 Mar 2022 04:32:09 GMT thomas 2022-03-07T04:32:09Z https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4557133#M572913 <P>Hi team,</P><P>How can I verify that the CRL is actually downloaded in ISE, and it's being used.</P><P>I don't have the option to test with an endpoint that it's computer certificate is revoked.</P><P>&nbsp;</P><P>Thank you,</P><P>M.G.</P> Tue, 22 Feb 2022 10:44:58 GMT https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4557133#M572913 M.G. 2022-02-22T10:44:58Z https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4557322#M572917 <P><SPAN>How can I verify that the CRL is actually downloaded in ISE, and it's being used.</SPAN></P> <P><SPAN>-A couple of quick options to verify:</SPAN></P> <P><SPAN>--The radius detailed live log should contain crl information in Steps data for an authenticated session.&nbsp; Same goes for OCSP if using that.&nbsp;</SPAN></P> <P><SPAN>--Run a tcpdump from one of the PSNs, download pcap, search for http.</SPAN></P> Tue, 22 Feb 2022 13:57:08 GMT https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4557322#M572917 Mike.Cifelli 2022-02-22T13:57:08Z https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4565127#M573261 <P>Do you have a syslog server that you export logs to?</P> <P>You should be seeing log messages about whether or not the CRL was added or failed:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 999px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/145514iD52E9AD91E1B4410/image-size/large?v=v2&amp;px=999" role="button" title="image.png" alt="image.png" /></span></P> Mon, 07 Mar 2022 04:32:09 GMT https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4565127#M573261 thomas 2022-03-07T04:32:09Z https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4565130#M573264 <P>Thank you Mike and Thomas,</P><P>I noticed that if CRL download is not successful you will get an alert in the Dashboard. In addition in the RADIUS live logs (depending on your config for the specific trusted certificate) , after "ISE will continue to CRL verification..." you will see "CRL verification Bypassed" in case CRL download was not successful.</P><P>The Syslog server messages clearly showed the addition of the CRL.&nbsp;&nbsp;</P><P>Thanks again for your assistance.</P><P>&nbsp;</P><P>M.G.</P> Mon, 07 Mar 2022 04:49:22 GMT https://community.cisco.com/t5/network-access-control/ise-and-crl-verification/m-p/4565130#M573264 M.G. 2022-03-07T04:49:22Z