Cisco Employee

How does ISE 2.4 treat a certificate in an 'on-hold' state?

How does ISE handle a certificate presented for endpoint authentication where the certificate is in an 'on-hold' state? Will this be treated the same as if the certificate was expired?

 

Thanks,

Joe

Collaborator

Re: How does ISE 2.4 treat a certificate in an 'on-hold' state?

Hi,

By "on-hold" you mean you go to your CA and revoke the certificate with "hold" reason? If so, the certificate is still revoked by the CA and published in CRL or advertised via OCSP; the difference is that you can unrevoke it at a later point in time. What happens is that unless you delete the certificate from the user's store, and it is still valid, it will still be used by his 802.1x profile and presented to ISE. If you have ISE configured to download the CRL or use OCSP, it will see the certificate is revoked and disallow access. ISE doesn't care about the reason of the revocation.

Never tested this exact setup, with "hold" reason, but this is the way it should work.

 

Regards,

Cristian Matei.
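
The CRL side of the reply above, as an added example that is not part of the original thread and is not ISE code: a certificate revoked with reason `certificateHold` is listed on the CRL like any other revoked serial, and a checker that decides on presence alone rejects it until the CA issues a CRL without that entry. It assumes the Python `cryptography` package; the CA name, serial numbers and dates are constructed, and `build_crl`, `revocation_status` and `demo` are hypothetical helper names.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1)  # constructed timestamp
ISSUER = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])

def build_crl(ca_key, entries):
    """Sign a CRL; entries is a list of (serial, x509.ReasonFlags)."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(ISSUER)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=7)))
    for serial, reason in entries:
        revoked = (x509.RevokedCertificateBuilder()
                   .serial_number(serial)
                   .revocation_date(NOW)
                   .add_extension(x509.CRLReason(reason), critical=False)
                   .build())
        builder = builder.add_revoked_certificate(revoked)
    return builder.sign(ca_key, hashes.SHA256())

def revocation_status(crl, serial):
    """Return (revoked, reason). The access decision uses `revoked` only;
    the reason code is reported for logging, not consulted."""
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return (False, None)
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return (True, reason.value)

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    held, compromised = 0x1001, 0x1002  # constructed serial numbers
    # First CRL: one certificate on hold, one revoked for key compromise.
    crl_hold = build_crl(ca_key, [(held, x509.ReasonFlags.certificate_hold),
                                  (compromised, x509.ReasonFlags.key_compromise)])
    # Later CRL: the CA has released the hold by dropping that entry.
    crl_released = build_crl(ca_key, [(compromised, x509.ReasonFlags.key_compromise)])
    return {
        "held_while_on_hold": revocation_status(crl_hold, held),
        "compromised": revocation_status(crl_hold, compromised),
        "held_after_release": revocation_status(crl_released, held),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(name, status)
```

A relying party only sees the release once it has fetched the newer CRL, so a cached CRL keeps the held certificate rejected until it is refreshed.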