david.tran
Enthusiast

Cisco ISE 1.1.2 and Certificate Revocation List (CRL) checking

All,

I have 4 ISE appliances version 1.1.2 running in my network called nodeA, nodeB, nodeC and nodeD.

- NodeA is Primary Admin and Secondary Monitoring,
- NodeB is Secondary Admin and Primary Monitoring,
- NodeC is Policy node,
- NodeD is Policy node.

The ISE environment is tightly integrated with the company Microsoft Active Directory Windows 2008R2. We import the company-issued cert into the ISE for PEAP and CRL checking.

Question: How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?

I also have an ACS environment that is also tightly integrated with Microsoft AD. How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?

What will happen to the ISE and ACS environment if the CA Server becomes unavailable?

I can't seem to find this question answered in either the ISE or ACS documentation anywhere.

Thank you.

1 REPLY
Max Wooks
Beginner

How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?

ISE checks the CRL based on how you configure it. Admin > Certificates > Cert Store. Select your CA. From there you'll be able to edit the cert info. The last option is the CRL Configuration. You can set the download frequency.

How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?

System Config > ACS Cert Setup > CRL. From there you'll be able to see/edit it.

What will happen to the ISE and ACS environment if the CA Server becomes unavailable?

Most likely the end of the world, but to be honest I'm not really sure. My assumption is that if both the client and the ISE/ACS server already have their respective certs, they should still be able to work. Just no new certs or CRLs would be issued.

Documentation Sources:

ACS: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html

ISE: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

HTH
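The third question (what happens when the CA is unreachable) comes down to how long the last downloaded CRL stays usable and whether the server fails open or closed once it expires. The following is an added model of that behaviour, not code from the thread or from Cisco; the `CrlPolicy` knobs (download interval, bypass-if-not-received, ignore-expired) are assumptions standing in for whatever the cert store exposes, and the CRL contents are constructed.

```python
"""Model of cached-CRL revocation checking while the CA is unreachable (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, Optional, Tuple

@dataclass(frozen=True)
class CachedCrl:
    this_update: datetime          # CRL thisUpdate field
    next_update: datetime          # CRL nextUpdate field: after this the CRL is stale
    revoked: FrozenSet[int]        # serial numbers the CA has revoked

@dataclass(frozen=True)
class CrlPolicy:
    download_every: timedelta      # assumed: the download frequency set in the cert store
    bypass_if_not_received: bool   # assumed: accept certs when no CRL is on hand (fail-open)
    ignore_expired: bool           # assumed: keep trusting a CRL past its nextUpdate

def check_revocation(serial: int, crl: Optional[CachedCrl], policy: CrlPolicy,
                     now: datetime) -> Tuple[bool, str]:
    """Return (accepted, reason) for one client certificate against the cached CRL."""
    if crl is None:
        return policy.bypass_if_not_received, "no CRL has been downloaded"
    if now < crl.this_update and not policy.ignore_expired:
        return False, "cached CRL is not yet valid"
    if now > crl.next_update and not policy.ignore_expired:
        return False, "cached CRL expired and CA unreachable: fail-closed"
    if serial in crl.revoked:
        return False, "certificate is revoked"
    return True, "certificate not on CRL"

def outage_budget(crl: CachedCrl, policy: CrlPolicy, ca_down_since: datetime) -> Tuple[timedelta, int]:
    """How long the cache still covers authentications after the CA goes down,
    and how many scheduled downloads fall inside that window (each one will fail)."""
    remaining = max(crl.next_update - ca_down_since, timedelta(0))
    missed_downloads = int(remaining // policy.download_every)
    return remaining, missed_downloads

if __name__ == "__main__":
    # Constructed CRL: issued 1 Jan, valid 7 days, one revoked serial; downloads set to daily.
    crl = CachedCrl(datetime(2023, 1, 1, tzinfo=timezone.utc),
                    datetime(2023, 1, 8, tzinfo=timezone.utc), frozenset({42}))
    strict = CrlPolicy(timedelta(days=1), bypass_if_not_received=False, ignore_expired=False)
    print(check_revocation(7, crl, strict, datetime(2023, 1, 3, tzinfo=timezone.utc)))
    print(check_revocation(7, crl, strict, datetime(2023, 1, 9, tzinfo=timezone.utc)))
    print(outage_budget(crl, strict, datetime(2023, 1, 3, 12, tzinfo=timezone.utc)))
```

The point to take from running it: with a fail-closed policy, existing clients keep authenticating only until the cached CRL's nextUpdate passes, so the CRL validity period, not the download frequency, is the real outage budget.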
