Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1410
Views
5
Helpful
3
Replies

Cisco ISE CRL check not working after certificate change.

Go to solution
Niels Marien
Level 1
Level 1

‎03-11-2019 04:05 AM

Dear,

Something strange is happening with EAP-TLS and ISE CRL.

It's not something very common scenario our client has 2 CA as temporary solution to migrate to the new CA.

ISE is authenticating bot client certificate without any problem.

Now we are running into this strange behavior:

  1. The clients authenticate with the old CA certificate. (green report authentication success)
  2. The new certificate is pushed, and the old certificate is deleted. (the repeat counters goes up, even if we hit a different authorization policy => this is normal default behavior if result is the same )
  3. On the new CA we revoke the certificate that was received. (CRL is retrieved every 10 minute)
  4. The client stays connected even removal from wlc, session terminations, reauthentications, … waited 30 min… (repeat counter increases)
  5. Now here is the funny part if you disable the repeats successful authentication under admin => protocols =>radius. The client is directly disconnected.

We did the same test if the client started with the new certificated and that is working correctly.

It seems to me that ISE is taking a shortcut and not really checking the authentication when doing a repeated authentication.

I’m still looking into this maybe it can even be used as an exploit.

Kr

Niels

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
howon
Cisco Employee
Cisco Employee

‎03-13-2019 03:41 PM

Can you check whether ISE is enabled with session resume:

- Administration > System > Settings > Protocols > EAP-TLS > Enable EAP TLS Session Resume

- Policy > Policy Elements > Authentication > Allowed Protocols > Default Network Access (Or ones being used) > Allow EAP-TLS > Enable Stateless Session resume

View solution in original post

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Niels Marien

‎06-29-2019 09:55 AM

Correct. That is one of the feature characteristics:

When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

 

View solution in original post

3 Replies 3

Go to solution
howon
Cisco Employee
Cisco Employee

‎03-13-2019 03:41 PM

Can you check whether ISE is enabled with session resume:

- Administration > System > Settings > Protocols > EAP-TLS > Enable EAP TLS Session Resume

- Policy > Policy Elements > Authentication > Allowed Protocols > Default Network Access (Or ones being used) > Allow EAP-TLS > Enable Stateless Session resume

0 Helpful

Go to solution
Niels Marien
Level 1
Level 1
In response to howon

‎06-19-2019 04:38 AM

Dear,

 

Thanks for your responds it's indeed enabled.

 

Does this mean we have to disconnect long enough before reconnecting in order to let de CRL work correctly?

 

Kr

 

Niels

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Niels Marien

‎06-29-2019 09:55 AM

Correct. That is one of the feature characteristics:

When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

 

Customers Also Viewed These Support Documents