ACS and 802.1x

We're running ACS 3.3.2 and testing 802.1x using PEAP-MSChap (server-side only cert). We have 3rd party certs installed on ACS that include a CDP (CRL Distribution Point). Is there any risk that if we lose Internet connectivity, ACS will not allow an 802.1x authentication to occur? In other words, does ACS ever validate its own cert, including comparison against the CRL, or is it a moot point?

1 REPLY 1
Cisco Employee

Re: ACS and 802.1x

Losing Internet connectivity won't affect your authentication. The ACS cert is valid for a specific time and that is defined in the cert when it's installed; you can see how long it's valid for by going under System Config - ACS Certificate Setup - Install ACS Certificate. ACS will continue to validate connections against this cert regardless of whether it has connectivity to the CA server.

It may validate itself against the CRL, but your CRL should never contain the ACS cert anyway; if that happens, then you have serious issues to discuss with your CA vendor. It certainly won't automatically get included just because you lose connectivity or anything like that.