https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5072495#M588830 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/255804">@KatoNakatomi</a>&nbsp;- where is the OCSP server located? Normally the web proxy is used to allow ISE to access web resources outside of the company intranet. But if the client certs are issued by the company PKI, then should be no need to go via a proxy. But interesting to note, that there is no mention of OCSP in the ISE web proxy setup.&nbsp; Probably something you could test in the lab (run a tcpdump on the ISE node).</P> <P>&nbsp;</P> Thu, 18 Apr 2024 02:18:30 GMT Arne Bier 2024-04-18T02:18:30Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071886#M588811 <P>We have implemented 802.1x with machine certificate authentication.</P><P>The certificate validation is via OCSP and the question is does Cisco ISE support connection to OSCP via a Web Proxy? The assumption is that the connection would be using the system proxy settings</P><P>However, OCSP is no listed in the notes as one affected by the Proxy Setting</P><P><SPAN class=""><SPAN class="">Notes:&nbsp;</SPAN><SPAN class="">The following functionalities are impacted by the proxy settings</SPAN></SPAN></P><UL><LI>Partner Mobile Management</LI><LI>Endpoint Profiler Feed Service Update</LI><LI>Endpoint Posture Update</LI><LI>Endpoint Posture Agent Resources Download</LI><LI>CRL (Certificate Revocation List) Download</LI><LI>SMS Message Transmission</LI><LI>Social Login</LI><LI>Rest Auth Service - Azure AD</LI><LI>pxGrid Cloud</LI><LI>TrustSec Integration for Meraki</LI><LI>pxGrid Direct</LI></UL><P>&nbsp;</P> Wed, 17 Apr 2024 12:55:05 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071886#M588811 KatoNakatomi 2024-04-17T12:55:05Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071926#M588813 <P>OCSP does not require any download and it is not using the traditional CRL method, so I don't believe there will be any problem with OCSP. The list you provided refers explicitly to the CRL method, not OCSP.</P> Wed, 17 Apr 2024 13:14:37 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071926#M588813 Aref Alsouqi 2024-04-17T13:14:37Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071964#M588814 <P>The challenge is we need the ISE connection to the OCSP server go through a Web Proxy? Is this supported?</P><P>&nbsp;</P> Wed, 17 Apr 2024 13:38:21 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071964#M588814 KatoNakatomi 2024-04-17T13:38:21Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071987#M588815 <P>I can't see why not.</P> Wed, 17 Apr 2024 13:45:13 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5071987#M588815 Aref Alsouqi 2024-04-17T13:45:13Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5072495#M588830 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/255804">@KatoNakatomi</a>&nbsp;- where is the OCSP server located? Normally the web proxy is used to allow ISE to access web resources outside of the company intranet. But if the client certs are issued by the company PKI, then should be no need to go via a proxy. But interesting to note, that there is no mention of OCSP in the ISE web proxy setup.&nbsp; Probably something you could test in the lab (run a tcpdump on the ISE node).</P> <P>&nbsp;</P> Thu, 18 Apr 2024 02:18:30 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5072495#M588830 Arne Bier 2024-04-18T02:18:30Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5072613#M588834 <P>The OCSP server is an externally hosted outside the organisation, thus requiring the web traffic to traverse a web proxy. We will try the tcpdump on ISE nodes or have the team check the DNS servers if there is any record of the ISE node trying to resolve the external OCSP domain.</P> Thu, 18 Apr 2024 07:04:24 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5072613#M588834 KatoNakatomi 2024-04-18T07:04:24Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5075838#M588917 <P>Cisco TAC has advised OCSP connections through a web proxy is not supported by Cisco ISE.</P> Tue, 23 Apr 2024 07:50:53 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5075838#M588917 KatoNakatomi 2024-04-23T07:50:53Z https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5075955#M588921 <P>Thanks for sharing this info. Did they provide any documentation link that you can share for that?</P> Tue, 23 Apr 2024 09:13:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-3-2-0-542-external-identity-store-cert-auth-via-proxy/m-p/5075955#M588921 Aref Alsouqi 2024-04-23T09:13:28Z