Dear,
Something strange is happening with EAP-TLS and ISE CRL.
It's not a very common scenario: our client has 2 CAs as a temporary solution to migrate to the new CA.
ISE is authenticating both client certificates without any problem.
Now we are running into this strange behavior:
- The clients authenticate with the old CA certificate. (green report: authentication success)
- The new certificate is pushed, and the old certificate is deleted. (the repeat counter goes up, even if we hit a different authorization policy => this is the normal default behavior if the result is the same)
- On the new CA we revoke the certificate that was received. (the CRL is retrieved every 10 minutes)
- The client stays connected even after removal from the WLC, session terminations, reauthentications, … we waited 30 min… (the repeat counter increases)
- Now here is the funny part: if you disable the repeated successful authentications under admin => protocols => radius, the client is directly disconnected.
We did the same test with the client starting with the new certificate, and that is working correctly.
It seems to me that ISE is taking a shortcut and not really checking the authentication when doing a repeated authentication.
I’m still looking into this maybe it can even be used as an exploit.
Kr
Niels
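Added lab example (not part of the post above, and not Cisco ISE code): it rebuilds the certificate side of the test in plain OpenSSL so the two outcomes can be seen next to each other. A throwaway CA stands in for the "new CA", a client certificate is issued and then revoked, a CRL is published, and the same certificate is verified once without and once with the CRL. A verifier that only walks the chain still reports success; a verifier that consults the CRL must answer "certificate revoked". The last function is the check worth running against the CRL that ISE actually downloaded: confirm the revoked serial is really listed in it. The CA name, subject names, serial number and scratch paths are made up for the lab; only the openssl CLI (1.1.1 or 3.x) is assumed.

```shell
#!/bin/sh
# Added lab example (not from the original post, not Cisco ISE code).
# Builds a throwaway CA, issues a client certificate, revokes it, publishes
# a CRL, and shows what a CRL-aware verifier must return for that cert.
# Assumes only the openssl CLI (1.1.1 or 3.x); names and paths are made up.
set -eu

LAB=${LAB:-$(mktemp -d)}   # scratch directory for the constructed lab

write_ca_config() {
    # Minimal openssl.cnf: just enough for `openssl ca` to issue, revoke, gencrl.
    cat > "$LAB/ca.cnf" <<'EOF'
[ ca ]
default_ca         = lab_ca
[ lab_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir
serial             = $dir/serial
crlnumber          = $dir/crlnumber
certificate        = $dir/ca.pem
private_key        = $dir/ca.key
default_md         = sha256
default_days       = 30
default_crl_days   = 1
policy             = lab_policy
[ lab_policy ]
commonName         = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
EOF
}

build_lab() {
    write_ca_config
    (
        cd "$LAB"
        : > index.txt
        echo 1000 > serial        # made-up starting serial for the lab CA
        echo 01 > crlnumber
        # The lab CA stands in for the "new CA"; the client cert is what the
        # supplicant would present in EAP-TLS.
        openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 30 \
            -keyout ca.key -out ca.pem -subj /CN=LabCA >/dev/null 2>&1
        openssl req -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout client.key -out client.csr -subj /CN=client >/dev/null 2>&1
        openssl ca -batch -config ca.cnf -in client.csr -out client.pem >/dev/null 2>&1
        # Revoke it and publish the CRL the RADIUS server is supposed to fetch.
        openssl ca -config ca.cnf -revoke client.pem >/dev/null 2>&1
        openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
    )
}

chain_valid() {
    # Chain check only, no CRL: the cert still chains to the CA. This is the
    # result a verifier that skips revocation sees ("green" success).
    openssl verify -CAfile "$LAB/ca.pem" "$LAB/client.pem" >/dev/null 2>&1
}

rejected_as_revoked() {
    # Same cert, but the verifier is told to consult the CRL. Returns 0 only
    # when openssl refuses the cert with "certificate revoked".
    if out=$(openssl verify -crl_check -CAfile "$LAB/ca.pem" \
             -CRLfile "$LAB/crl.pem" "$LAB/client.pem" 2>&1); then
        return 1
    fi
    case "$out" in
        *"certificate revoked"*) return 0 ;;
        *) return 1 ;;
    esac
}

serial_listed_in_crl() {
    # Independent check to run against the CRL a RADIUS server actually
    # downloaded: is the leaf's serial number in it at all?
    serial=$(openssl x509 -in "$LAB/client.pem" -noout -serial | cut -d= -f2)
    openssl crl -in "$LAB/crl.pem" -noout -text | grep -q "Serial Number: $serial"
}

build_lab
if chain_valid; then echo "no CRL consulted : chain valid (success)"; fi
if rejected_as_revoked; then echo "CRL consulted    : certificate revoked"; fi
if serial_listed_in_crl; then echo "CRL lists serial : yes"; fi
```

To apply the last check to a real deployment, replace `$LAB/crl.pem` with the CRL file downloaded from the new CA's distribution point and `$LAB/client.pem` with the certificate the supplicant presents; if the serial is listed there but the session still re-authenticates successfully, the verifier is not consulting the CRL for that authentication.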