cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1650
Views
5
Helpful
3
Replies

Cisco ISE CRL check not working after certificate change.

Niels Marien
Level 1
Level 1

Dear,

Something strange is happening with EAP-TLS and ISE CRL.

It's not something very common scenario our client has 2 CA as temporary solution to migrate to the new CA.

ISE is authenticating bot client certificate without any problem.

Now we are running into this strange behavior:

  1. The clients authenticate with the old CA certificate. (green report authentication success)
  2. The new certificate is pushed, and the old certificate is deleted. (the repeat counters goes up, even if we hit a different authorization policy => this is normal default behavior if result is the same )
  3. On the new CA we revoke the certificate that was received. (CRL is retrieved every 10 minute)
  4. The client stays connected even removal from wlc, session terminations, reauthentications, … waited 30 min… (repeat counter increases)
  5. Now here is the funny part if you disable the repeats successful authentication under admin => protocols =>radius. The client is directly disconnected.

We did the same test if the client started with the new certificated and that is working correctly.

It seems to me that ISE is taking a shortcut and not really checking the authentication when doing a repeated authentication.

I’m still looking into this maybe it can even be used as an exploit.

Kr

Niels

2 Accepted Solutions

Accepted Solutions

howon
Cisco Employee
Cisco Employee

Can you check whether ISE is enabled with session resume:

- Administration > System > Settings > Protocols > EAP-TLS > Enable EAP TLS Session Resume

- Policy > Policy Elements > Authentication > Allowed Protocols > Default Network Access (Or ones being used) > Allow EAP-TLS > Enable Stateless Session resume

View solution in original post

Correct. That is one of the feature characteristics:

When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.

 

View solution in original post

3 Replies 3

howon
Cisco Employee
Cisco Employee

Can you check whether ISE is enabled with session resume:

- Administration > System > Settings > Protocols > EAP-TLS > Enable EAP TLS Session Resume

- Policy > Policy Elements > Authentication > Allowed Protocols > Default Network Access (Or ones being used) > Allow EAP-TLS > Enable Stateless Session resume

Dear,

 

Thanks for your responds it's indeed enabled.

 

Does this mean we have to disconnect long enough before reconnecting in order to let de CRL work correctly?

 

Kr

 

Niels

Correct. That is one of the feature characteristics:

When a user reconnects within the configured EAP-TLS session timeout period, ISE resumes the EAP-TLS session and reauthenticates the user with TLS handshake only, without a certificate check.