04-17-2024 05:55 AM
We have implemented 802.1x with machine certificate authentication.
The certificate validation is via OCSP and the question is: does Cisco ISE support connection to OCSP via a Web Proxy? The assumption is that the connection would be using the system proxy settings.
However, OCSP is not listed in the notes as one affected by the Proxy Setting.
Notes: The following functionalities are impacted by the proxy settings
04-17-2024 06:14 AM
OCSP does not require any download and it is not using the traditional CRL method, so I don't believe there will be any problem with OCSP. The list you provided refers explicitly to the CRL method, not OCSP.
04-17-2024 06:38 AM
The challenge is that we need the ISE connection to the OCSP server to go through a Web Proxy. Is this supported?
04-17-2024 06:45 AM
I can't see why not.
04-17-2024 07:18 PM
@KatoNakatomi - where is the OCSP server located? Normally the web proxy is used to allow ISE to access web resources outside of the company intranet. But if the client certs are issued by the company PKI, then there should be no need to go via a proxy. But it is interesting to note that there is no mention of OCSP in the ISE web proxy setup. Probably something you could test in the lab (run a tcpdump on the ISE node).
04-18-2024 12:04 AM
The OCSP server is externally hosted outside the organisation, thus requiring the web traffic to traverse a web proxy. We will try the tcpdump on the ISE nodes or have the team check the DNS servers for any record of the ISE node trying to resolve the external OCSP domain.
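The lab test suggested above (tcpdump on the ISE node) comes down to one question: did the node open the OCSP session to the responder itself, or to the proxy? The script below is an added example, not code from this thread or from Cisco ISE. It classifies HTTP request heads the way you would see them in `tcpdump -A` output, using two facts from the HTTP and OCSP RFCs: a client talking to a forward proxy sends the request-target in absolute form (`POST http://responder/ HTTP/1.1`) or a `CONNECT host:port`, while a direct connection uses origin form (`POST / HTTP/1.1`); and POST-form OCSP requests carry `Content-Type: application/ocsp-request`. The sample flows, the responder hostname `ocsp.example.test`, the proxy address `10.20.30.40:3128` and the base64 path in the GET-form request are all constructed placeholders.

```python
"""Classify captured OCSP lookups as direct-to-responder or via a forward web proxy.

Added example, not Cisco ISE code. Each record stands in for one TCP session
from a `tcpdump -A` capture on the ISE node: (src_ip, dst_ip, dst_port, request head).
"""
import re
from collections import Counter
from typing import Optional

# RFC 6960 media type for POST-form OCSP requests
OCSP_REQUEST_CT = "application/ocsp-request"
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

# Constructed sample sessions (hostnames, addresses and the base64 path are placeholders).
SAMPLE_FLOWS = [
    # 1. Direct to the responder: origin-form target, destination is the responder.
    ("10.10.10.5", "203.0.113.20", 80,
     "POST / HTTP/1.1\r\nHost: ocsp.example.test\r\n"
     "Content-Type: application/ocsp-request\r\nContent-Length: 83\r\n\r\n"),
    # 2. Through a forward proxy: absolute-form target, destination is the proxy.
    ("10.10.10.5", "10.20.30.40", 3128,
     "POST http://ocsp.example.test/ HTTP/1.1\r\nHost: ocsp.example.test\r\n"
     "Content-Type: application/ocsp-request\r\nContent-Length: 83\r\n\r\n"),
    # 3. GET-form OCSP (request encoded in the path), direct; identified by the Host header.
    ("10.10.10.5", "203.0.113.20", 80,
     "GET /MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQ HTTP/1.1\r\nHost: ocsp.example.test\r\n\r\n"),
    # 4. Unrelated proxied traffic (a CRL download); must be ignored.
    ("10.10.10.5", "10.20.30.40", 3128,
     "GET http://www.example.test/crl/ca.crl HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
]


def parse_http_head(head: str):
    """Split a raw HTTP request head into (method, request-target, headers dict)."""
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line:            # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers


def classify_flow(head: str, responder_host: str) -> Optional[str]:
    """Return 'direct', 'via-proxy', or None when the session is not an OCSP lookup."""
    parsed = parse_http_head(head)
    if parsed is None:
        return None
    method, target, headers = parsed
    responder = responder_host.lower()
    host = headers.get("host", "").split(":")[0].lower()
    if method == "CONNECT":
        # CONNECT is only ever sent to a proxy; it is OCSP if the tunnel target is the responder.
        return "via-proxy" if target.split(":")[0].lower() == responder else None
    is_ocsp = headers.get("content-type", "").lower() == OCSP_REQUEST_CT or host == responder
    if not is_ocsp:
        return None
    if re.match(r"^https?://", target, re.IGNORECASE):
        return "via-proxy"      # absolute-form request-target: client addressed a proxy
    return "direct"             # origin-form request-target: client spoke to the responder


def summarize(flows, responder_host: str) -> Counter:
    """Count OCSP lookups per (verdict, destination socket) so the destinations
    can be compared against the configured proxy and the responder's address."""
    counts = Counter()
    for _src, dst, port, head in flows:
        verdict = classify_flow(head, responder_host)
        if verdict:
            counts[(verdict, f"{dst}:{port}")] += 1
    return counts


if __name__ == "__main__":
    for (verdict, dest), n in sorted(summarize(SAMPLE_FLOWS, "ocsp.example.test").items()):
        print(f"{verdict:10s} {dest:22s} {n} session(s)")
```

In a real capture you would feed the request heads of each session to `classify_flow` with your responder's hostname; any `direct` verdict whose destination is the public responder address means the node bypassed the proxy, which is what the TAC answer later in this thread would predict.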
04-23-2024 12:50 AM
Cisco TAC has advised that OCSP connections through a web proxy are not supported by Cisco ISE.
04-23-2024 02:13 AM
Thanks for sharing this info. Did they provide any documentation link that you can share for that?