10335 Views · 0 Helpful · 4 Replies

How to Configure CRL URL in ISE 2.4 or Above

pcno
Level 1

Hi,
I am using a cloud Issuing and Root CA for a client Auth certificate. The Cloud CA issues the certificate to the local machine personal store, and ISE validates the common name with AD and gives access based on the Authorisation profile. But ISE is not checking the CRL list: if I revoke a certificate in the Cloud CA, the same certificate still works for the WIFI profile.

I have the BASE & DELTA CRL URLs, and I have configured the DELTA URL in the OCSP client profile, but I am not able to see an option where I can specify that ISE should check this CRL list before client authentication.

Please help me with step-by-step instructions on how to configure this CRL URL in ISE 2.4+ and a policy set which checks the CRL list before it gives access to the client.


4 Replies

Greg Gibbs
Cisco Employee

To have ISE perform certificate validation during authentication, you must configure the OCSP/CRL settings in the Root CA certificate used by the clients.

[Screenshot attached: Screen Shot 2020-06-15 at 9.27.44 am.png, showing the OCSP/CRL settings of the CA certificate in the ISE trusted store]

Just to add here, delta CRLs are not supported on ISE, so you need to use the base CRL.

Thank you Greg Gibbs & Poongarg,

I have configured the base CRL in the Trusted store of ISE. Can you please answer my doubt: if a client certificate chain has 1 issuing CA and 1 root CA, do I need to configure the CRL URL in both certs inside the trusted store of ISE, or only in the Root Certificate?

One more thing: I got a cert from the cloud CA (Computer cert), and in the cert chain I can only see the Issuing CA name, nothing else. So I only need to configure the issuing CA with the CRL, right? Check the attachment.

Thanks.

poongarg
Cisco Employee
(Accepted Solution)
The client certificate has just the issuing CA cert in the cert chain, so ISE should have this issuing CA cert with the CRL configuration.
If the cert chain has 2 certs in the chain, then add the CRL check on the CA server cert (root/issuing CA) which issued that CRL.
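The two replies above (configure the CRL settings on the CA certificate in the ISE trusted store; pick the CA certificate that actually issued the CRL, which for a one-certificate chain is the issuing CA) can be checked outside ISE with openssl before touching the trusted store. The script below is an added example, not code from the thread or from Cisco: it builds a throwaway issuing CA, a second unrelated root, a machine certificate that is then revoked, and a base CRL (ISE does not use delta CRLs, as noted above), then shows which trusted-store certificate matches the CRL issuer and how the client certificate passes without revocation checking but fails with it. All names, the CRL URL and the directory layout are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): throwaway PKI with openssl to show
# (1) which trusted-store certificate is the CRL issuer, i.e. the one that needs
#     the CRL configured in ISE, and (2) chain validation with and without the CRL.
# Every name and URL below is constructed for the demo.
set -e

build_demo_pki() {
    dir=$1
    # minimal openssl ca config; the CRL distribution point URL is a constructed stand-in
    # for the cloud CA's published base CRL
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = issuing
[ issuing ]
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/issuing.crt
private_key      = $dir/issuing.key
serial           = $dir/serial
crlnumber        = $dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = pol
x509_extensions  = client_ext
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
crlDistributionPoints = URI:http://crl.example.test/issuing.crl
EOF
    touch "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    # self-signed issuing CA: in the thread the client chain contains only this cert
    openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/issuing.key" -out "$dir/issuing.crt" -subj "/CN=Example Issuing CA" -days 365 2>/dev/null
    # an unrelated trusted root, so the CRL issuer match is visible as a real decision
    openssl req -x509 -config "$dir/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$dir/other.key" -out "$dir/other.crt" -subj "/CN=Unrelated Root CA" -days 365 2>/dev/null
    # machine (client auth) certificate issued by the issuing CA
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" -subj "/CN=host01.example.test" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/client.csr" -out "$dir/client.crt" 2>/dev/null
    # revoke it and publish the base CRL signed by the issuing CA
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client.crt" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/issuing.crl" 2>/dev/null
}

# DN helpers: strip the "subject=" / "issuer=" prefix so the values compare directly
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject=[ ]*//'; }
crl_issuer()   { openssl crl  -in "$1" -noout -issuer  | sed 's/^issuer=[ ]*//'; }

# Print the trusted-store file whose subject equals the CRL issuer: that certificate,
# not simply "the root", is where the CRL check belongs. Returns 1 if none matches.
crl_signer_in_store() {
    crl=$1; shift
    want=$(crl_issuer "$crl")
    for f in "$@"; do
        [ "$(cert_subject "$f")" = "$want" ] && { echo "$f"; return 0; }
    done
    return 1
}

# chain validation without revocation checking (what ISE does with no CRL configured)
chain_ok() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }
# chain validation with the CRL applied to the client certificate
crl_ok()   { openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1; }

DEMO=$(mktemp -d)
build_demo_pki "$DEMO"
echo "CRL issuer:       $(crl_issuer "$DEMO/issuing.crl")"
echo "configure CRL on: $(crl_signer_in_store "$DEMO/issuing.crl" "$DEMO/other.crt" "$DEMO/issuing.crt")"
if chain_ok "$DEMO/client.crt" "$DEMO/issuing.crt"; then echo "without CRL check: revoked client cert is accepted"; fi
if crl_ok "$DEMO/client.crt" "$DEMO/issuing.crt" "$DEMO/issuing.crl"; then
    echo "with CRL check: accepted"
else
    echo "with CRL check: rejected (certificate revoked)"
fi
```

For a two-certificate chain (root plus issuing CA), run `crl_signer_in_store` with the real CRL and the certificates from the trusted store; the file it prints is the one whose CRL settings need to be filled in, which is the point of the accepted answer.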