Beginner

Cisco ISE CRL check not working after certificate change.

Dear,

Something strange is happening with EAP-TLS and ISE CRL.

It's not a very common scenario: our client has 2 CAs as a temporary solution to migrate to the new CA.

ISE is authenticating both client certificates without any problem.

Now we are running into this strange behavior:

  1. The clients authenticate with the old CA certificate. (green report authentication success)
  2. The new certificate is pushed, and the old certificate is deleted. (The repeat counter goes up, even if we hit a different authorization policy => this is normal default behavior if the result is the same.)
  3. On the new CA we revoke the certificate that was received. (The CRL is retrieved every 10 minutes.)
  4. The client stays connected even after removal from the WLC, session terminations, reauthentications, … waited 30 min… (repeat counter increases)
  5. Now here is the funny part: if you disable the repeated successful authentications under Admin => Protocols => RADIUS, the client is directly disconnected.

We did the same test where the client started with the new certificate, and that is working correctly.

It seems to me that ISE is taking a shortcut and not really checking the authentication when doing a repeated authentication.

I'm still looking into this; maybe it can even be used as an exploit.

Kr

Niels

3 Replies
Cisco Employee

Re: Cisco ISE CRL check not working after certificate change.

Can you check whether ISE is enabled with session resume:

- Administration > System > Settings > Protocols > EAP-TLS > Enable EAP TLS Session Resume

- Policy > Policy Elements > Authentication > Allowed Protocols > Default Network Access (Or ones being used) > Allow EAP-TLS > Enable Stateless Session resume

Beginner

Re: Cisco ISE CRL check not working after certificate change.

Dear,

Thanks for your response, it's indeed enabled.

Does this mean we have to disconnect long enough before reconnecting in order to let the CRL work correctly?

Kr

Niels

Cisco Employee

Re: Cisco ISE CRL check not working after certificate change.

Correct. That is one of the feature characteristics:

When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.
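The following is an added illustration of the behaviour described in the reply above. It is a constructed Python model, not ISE code or any Cisco implementation: an EAP-TLS server that caches TLS sessions and, on a resumed session, accepts the abbreviated handshake without ever looking at a certificate, so revocation only takes effect at the next full handshake. The session timeout, certificate serials and CA names are constructed sample values; `replay_thread` walks through the thread's steps (old certificate, switch to the new certificate, revocation on the new CA, repeated reauthentications, and finally the session timeout) with session resume enabled and disabled.

```python
"""Constructed model of an EAP-TLS authenticator with TLS session resume.

Not Cisco ISE code. It reproduces the effect described in the thread: a
resumed session is accepted on the TLS handshake alone, so a certificate
revoked after the session was created keeps working until the cached
session times out or session resume is switched off.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: str   # constructed sample serial number
    issuer: str   # constructed sample CA name


class EapTlsServer:
    def __init__(self, session_timeout, session_resume=True):
        self.session_timeout = session_timeout  # seconds, constructed value
        self.session_resume = session_resume    # models the "Enable EAP TLS Session Resume" knob
        self.crl = set()                        # revoked serials as taken from the CA's CRL
        self.sessions = {}                      # session_id -> (cert seen at full handshake, created_at)

    def load_crl(self, revoked_serials):
        # Models the periodic CRL download; revocation is only visible after this runs.
        self.crl = set(revoked_serials)

    def _full_handshake(self, now, session_id, cert):
        # Full handshake: the presented certificate is checked against the CRL.
        if cert.serial in self.crl:
            self.sessions.pop(session_id, None)
            return "reject:revoked"
        self.sessions[session_id] = (cert, now)
        return "accept:full-handshake"

    def authenticate(self, now, session_id, cert):
        cached = self.sessions.get(session_id)
        if self.session_resume and cached is not None:
            _, created_at = cached
            if now - created_at < self.session_timeout:
                # Resume path: abbreviated handshake, no certificate check.
                # The client's current certificate is not even presented here.
                return "accept:resumed"
            del self.sessions[session_id]   # expired: fall through to a full handshake
        return self._full_handshake(now, session_id, cert)


def replay_thread(session_resume, session_timeout=7200):
    """Replay the thread's sequence of events and return the decision at each step."""
    old_cert = Cert(serial="0A01", issuer="Old-CA")   # constructed
    new_cert = Cert(serial="0B01", issuer="New-CA")   # constructed
    server = EapTlsServer(session_timeout, session_resume=session_resume)
    session_id = "sess-1"                             # constructed TLS session id
    results = []

    # t=0: client authenticates with the old CA certificate (full handshake, session cached).
    results.append(server.authenticate(0, session_id, old_cert))
    # t=600: new certificate pushed, old one deleted, client reauthenticates.
    results.append(server.authenticate(600, session_id, new_cert))
    # t=900: the new certificate is revoked on the new CA and the CRL is fetched.
    server.load_crl([new_cert.serial])
    # t=1200 and t=1800 (the "waited 30 min" of the post): repeated reauthentications.
    results.append(server.authenticate(1200, session_id, new_cert))
    results.append(server.authenticate(1800, session_id, new_cert))
    # After the cached session expires, the next reauthentication is a full handshake.
    results.append(server.authenticate(session_timeout + 1, session_id, new_cert))
    return results


if __name__ == "__main__":
    print("resume enabled :", replay_thread(session_resume=True))
    print("resume disabled:", replay_thread(session_resume=False))
```

With resume enabled the revoked certificate is accepted at every reauthentication inside the timeout, which matches the behaviour in the original post; the only events that force the CRL to matter are the session expiring or resume being disabled, which is why step 5 of the post disconnected the client immediately. The practical reading for a defender is that the exposure window after a revocation is bounded by the session timeout plus the CRL refresh interval, so that timeout should be chosen with revocation latency in mind, and resume should be off where prompt revocation matters more than handshake cost.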