cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

154
Views
0
Helpful
5
Replies
Highlighted
Beginner

ISE 2.4 always using OCSP cache during certificate status check

I’m currently running ISE 2.4 patch 10 and using OCSP in combination with ISE in order to check the certificate status before a user is granted access to the network.

So when the certificate is revoked, the user shouldn't be able to login via it's certificate.

The issue I'm having is that when a certificate is revoked and a client sets up a new connection to the network, the ISE keeps checking its cache in order to verify the certificate instead of polling the PKI server.

When I manually clear the cache on the ISE and a user tries to login, the ISE directly checks the PKI server for its validity.

I have tried setting the Cache Entry Time To Live under the Response Cache settings to 1 minute and since that didn't work to 0 minutes, but even with 0 minutes its keeps checking in its cache.

 

Example with the Cache Entry TTL set to 0 minutes.

When a new connection is made from an existing user:

12568 Lookup user certificate status in OCSP cache - certificate for *Laptop*

12570 Lookup user certificate status in OCSP cache succeeded - certificate for *Laptop*

12554 OCSP status of user certificate is good - certificate for *Laptop*

 

When the cache is manually cleared, and the user reconnects and only then the ISE will check its PKI server.

12568  Lookup user certificate status in OCSP cache - certificate for *Laptop*

12569  User certificate status was not found in OCSP cache - certificate for *Laptop*

12988  Take OCSP servers list from OCSP service configuration - certificate for *Laptop*

12550  Sent an OCSP request to the primary OCSP server for the CA - External OCSP Server

12553  Received OCSP response - certificate for *Laptop*

12554  OCSP status of user certificate is good - certificate for *Laptop*

 

Is there anyone who has encountered this issue before or has an idea how to get the ISE to always check the PKI servers instead of its cache without manually clearing it?

Everyone's tags (2)
5 REPLIES 5
VIP Rising star

Re: ISE 2.4 always using OCSP cache during certificate status check

How do you have your Certificate Periodic Check Settings configured? You have the ability to enable checking ongoing sessions against auto retrieved CRL & setup periodic cert checks every hour. Under trust certs, your trusted chain, you can enable retrieving CRL every <> minutes/hours/days/weeks. Decreasing the timers should help your situation.
Cisco Employee

Re: ISE 2.4 always using OCSP cache during certificate status check

Besides what Mike.Cifelli said, An OCSP profile has a configurable TTL:

Screen Shot 2020-01-16 at 6.18.58 PM.png

Beginner

Re: ISE 2.4 always using OCSP cache during certificate status check

Hi hslai,

 

 

Thank you for your response. This is the setting that should work for us. We already have this configured to the value "0" which means that ISE should not cache the OCSP response according to Cisco documentation:

"Enter the time in minutes after which the cache entry expires.

Each response from the OCSP server holds a nextUpdate value. This value shows when the status of the certificate will be updated next on the server. When the OCSP response is cached, the two values (one from the configuration and another from response) are compared, and the response is cached for the period of time that is the lowest value of these two. If the nextUpdate value is 0, the response is not cached at all.

Cisco ISE will cache OCSP responses for the configured time. The cache is not replicated or persistent, so when Cisco ISE restarts, the cache is cleared.

The OCSP cache is used in order to maintain the OCSP responses and for the following reasons:

  • To reduce network traffic and load from the OCSP servers on an already-known certificate

  • To increase the performance of Cisco ISE by caching already-known certificate statuses

By default, the cache is set to 2 minutes for the internal CA OCSP client profile. If an endpoint authenticates a second time within 2 minutes of the first authentication, the OCSP cache is used and the OCSP responder is not queried. If the endpoint certificate has been revoked within the cache period, the previous OCSP status of Good will be used and the authentication succeeds. Setting the cache to 0 minutes prevents any responses from being cached. This option improves security, but decreases authentication performance."


Unfortunately ISE still uses OCSP cache after setting the value to 0:

cache entry ttl.PNG

Cisco Employee

Re: ISE 2.4 always using OCSP cache during certificate status check

Have you confirmed that the OCSP Responder is configured for your Trusted Root CA cert?

Screen Shot 2020-01-18 at 11.09.57 am.png

Cheers,

Greg

Cisco Employee

Re: ISE 2.4 always using OCSP cache during certificate status check

I would also suggest you to verify on the PKI server side itself. I used the OCSP service on Microsoft CA a while ago and it took a while to show a certificate as revoked.

Perhaps, you may use some other means to block the devices; e.g. putting them in a black-list group.