ISE 1.2 CRL

eric.lessard
Level 1

Hello,

Quick one this time...

Which box is requesting the CRL, the ADM or the PSN?

Am I right to assume that port 80 needs to be open on the FW from the ADM or PSN to the CRL location?

Thx

Accepted Solution

aqjaved
Level 3

ISE supports two ways of checking the revocation status of a client or server certificate that is issued by a particular CA. The first is to validate the certificate using the Online Certificate Status Protocol (OCSP), which makes a request to an OCSP service maintained by the CA. The second is to validate the certificate against a Certificate Revocation List (CRL) which is downloaded from the CA into ISE. Both of these methods can be enabled, in which case OCSP is used first, and only if a status determination cannot be made then the CRL is used.

Please check the link below, which can be helpful for the configuration:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html
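The OCSP-first, CRL-fallback order described in the answer above, as an added example in Python (not ISE's own code): the lookup callables, the serial numbers and the CrlUnavailable error are constructed for illustration, and the CRL-download failure models the untrusted-HTTPS case reported later in this thread.

```python
"""Revocation-check order: OCSP first, CRL only when OCSP cannot decide.
Added example, not ISE code; lookups and serials below are constructed."""
from typing import Callable, Iterable, Optional

# An OCSP lookup returns "good", "revoked", or None for "no determination"
# (responder unreachable, 'unknown' response, bad signature, ...).
OcspLookup = Callable[[int], Optional[str]]
# A CRL fetch returns the revoked serial numbers, or raises CrlUnavailable.
CrlFetch = Callable[[], Iterable[int]]


class CrlUnavailable(Exception):
    """CRL could not be downloaded or validated, e.g. the HTTPS endpoint
    presents a certificate that does not chain to a trusted CA."""


def revocation_status(serial: int, ocsp: Optional[OcspLookup],
                      crl: Optional[CrlFetch]) -> str:
    """Return "good", "revoked" or "undetermined" for a certificate serial.

    OCSP is consulted first when enabled; the CRL is used only when OCSP is
    disabled or gives no determination. "undetermined" is what a fail-closed
    caller should treat as a rejected certificate.
    """
    if ocsp is not None:
        status = ocsp(serial)
        if status in ("good", "revoked"):
            return status  # OCSP decided; the CRL is not consulted
    if crl is not None:
        try:
            return "revoked" if serial in set(crl()) else "good"
        except CrlUnavailable:
            pass  # no usable CRL either: fall through
    return "undetermined"


# Constructed inputs: a CRL listing two serials, and an OCSP responder that
# only has an answer for serial 0x1001.
CONSTRUCTED_CRL = {0x2002, 0x3003}

def demo_ocsp(serial: int) -> Optional[str]:
    return {0x1001: "good"}.get(serial)  # any other serial: no determination

def demo_crl() -> Iterable[int]:
    return CONSTRUCTED_CRL

def demo_crl_untrusted_https() -> Iterable[int]:
    raise CrlUnavailable("CRL server certificate not issued by a trusted CA")


if __name__ == "__main__":
    print(revocation_status(0x1001, demo_ocsp, demo_crl))  # good (from OCSP)
    print(revocation_status(0x2002, demo_ocsp, demo_crl))  # revoked (from CRL)
    print(revocation_status(0x2002, demo_ocsp, demo_crl_untrusted_https))  # undetermined
```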


2 Replies


Thx Aqeel,

After testing, all the boxes need to be able to access the CRL, not only the PSN.

The second fact is that the HTTPS protocol needs to be bound to the CA root cert in order to download the CRL.

If your HTTPS is bound to a self-signed cert, the Admin node won't be able to download it.

Thx