How does ISE 2.4 treat a certificate in an 'on-hold' state?

joonder
Cisco Employee

How does ISE handle a certificate presented for endpoint authentication where the certificate is in an 'on-hold' state? Will this be treated the same as if the certificate was expired?

 

Thanks,

Joe

1 Reply

Cristian Matei
VIP Alumni

Hi,

   

By "on-hold" you mean you go to your CA and revoke the certificate with "hold" reason? If so, the certificate is still revoked by the CA and published in CRL or advertised via OCSP, the difference is that you can unrevoke it at a later point in time. What happens is that unless you delete the certificate from the user's store, and it is still valid, it will still be used by his 802.1x profile and presented to ISE. If you have ISE configured to download the CRL or use OCSP, it will see the certificate is revoked and disallow access. ISE doesn't care about the reason of the revocation.

   Never tested this exact setup, with "hold" reason, but this is the way it should work.

 

Regards,

Cristian Matei.
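
The behaviour described in the reply above, as an added example that is not part of the original thread and is not ISE's own code: a generic relying party that checks a signed CRL and denies any listed serial, whatever the reason code, and allows the serial again once the CA releases the hold and it is absent from the next full CRL. It assumes Python's `cryptography` package; the test CA, the serial numbers and the `issue_crl` and `check` helpers are constructed for this illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed test CA; the key, name and serial numbers are made up for this example.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
T0 = dt.datetime(2024, 1, 1)
HELD, KEY_COMPROMISED, GOOD = 0x1001, 0x1002, 0x1003


def issue_crl(revoked, this_update):
    """Sign a full CRL; `revoked` maps serial number -> x509.ReasonFlags."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(this_update)
               .next_update(this_update + dt.timedelta(days=1)))
    for serial, reason in revoked.items():
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(this_update)
                 .add_extension(x509.CRLReason(reason), critical=False)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(CA_KEY, hashes.SHA256())


def check(crl, serial, ca_public_key):
    """Relying-party decision: (allowed, reason code name or None)."""
    if not crl.is_signature_valid(ca_public_key):
        return False, "untrusted-crl"
    entry = crl.get_revoked_certificate_by_serial_number(serial)
    if entry is None:
        return True, None
    # Reason is read for logging only (every constructed entry here carries one);
    # being listed in the CRL is what denies access.
    reason = entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    return False, reason.name


R = x509.ReasonFlags
crl_hold = issue_crl({HELD: R.certificate_hold, KEY_COMPROMISED: R.key_compromise}, T0)
# Hold released by the CA: the serial is simply absent from the next full CRL.
crl_released = issue_crl({KEY_COMPROMISED: R.key_compromise}, T0 + dt.timedelta(days=1))

if __name__ == "__main__":
    for name, crl in (("hold", crl_hold), ("released", crl_released)):
        print(name, [check(crl, s, CA_KEY.public_key()) for s in (HELD, KEY_COMPROMISED, GOOD)])
```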