ISE 1.3 failover to CRL in the event of an OCSP failure

sfm
Level 1

Hello,

We are running 1.3.0.876 of ISE. We are doing EAP-TLS for wireless authentication. We are using a third party for certificate authentication. We have had three instances in the past six months where OCSP replies from this third party have failed. During these OCSP failures, wireless authentications have failed.

We have both OCSP and CRL configured in the certificate under Certificate Status Validation. Within this section, the statement "To verify certificates, enable the methods below. If both are enabled, OCSP will always be tried first" leads me to believe that in the case of an OCSP failure, CRL will be used.

This has not seemed to be the case in any of our failures. In all our outages, the fix was to disable OCSP verification by clicking the "Validate against OCSP Service" radio button. We have verified that CRL is working without issue.

Am I incorrect in believing that the ISE should fail over to CRL if it does not receive an OCSP response? If so, how is this controlled? I don't see any configuration for timeout duration or number of failures before switching over to CRL.


Thanks in advance
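The behaviour the post expects ("OCSP is tried first; if it fails, CRL is used") is easier to reason about as an explicit policy. The following is an added example written for this thread, not Cisco ISE code and not the poster's configuration: it models the OCSP-then-CRL decision as a small Python function, with the responder and CRL distribution point passed in as callables so it runs offline against constructed data. The serial numbers, timestamps, the 5 s timeout message and the fail-closed default are all assumptions made for the example. It distinguishes the cases that matter operationally: an OCSP transport failure or an "unknown" answer triggers the CRL fallback, a definitive OCSP "revoked" never does, and a stale or unreachable CRL is decided by policy rather than silently treated as "not revoked".

```python
# Added example, not Cisco ISE code: a reference model of the "OCSP first,
# CRL on failure" validation policy the post expects.  Responders are passed
# in as callables so the module runs offline against constructed data.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Set


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder answered but has no record of the serial


class OcspError(Exception):
    """Responder unreachable, timed out, or sent an unverifiable reply."""


@dataclass
class Crl:
    revoked_serials: Set[int]
    this_update: datetime
    next_update: datetime

    def is_fresh(self, now: datetime) -> bool:
        return self.this_update <= now < self.next_update


@dataclass
class Verdict:
    accepted: bool
    source: str   # "ocsp", "crl", or "policy" when neither method could decide
    reason: str


def validate(serial: int,
             ocsp_query: Callable[[int], OcspStatus],
             crl_fetch: Callable[[], Crl],
             now: datetime,
             fail_closed: bool = True) -> Verdict:
    """Try OCSP first; on transport failure or UNKNOWN, fall back to the CRL."""
    # Step 1: OCSP.  A definitive GOOD/REVOKED answer ends the check.
    try:
        status = ocsp_query(serial)
    except OcspError as exc:
        ocsp_note = f"OCSP failed ({exc})"
    else:
        if status is OcspStatus.GOOD:
            return Verdict(True, "ocsp", "responder reports good")
        if status is OcspStatus.REVOKED:
            return Verdict(False, "ocsp", "responder reports revoked")
        ocsp_note = "OCSP responder reports unknown"

    # Step 2: CRL fallback.  Only a fresh CRL may decide; a stale or missing
    # CRL leaves the outcome to the fail-closed/fail-open policy (assumed).
    try:
        crl = crl_fetch()
    except OSError as exc:
        return Verdict(not fail_closed, "policy",
                       f"{ocsp_note}; CRL fetch failed ({exc})")
    if not crl.is_fresh(now):
        return Verdict(not fail_closed, "policy", f"{ocsp_note}; CRL not fresh")
    if serial in crl.revoked_serials:
        return Verdict(False, "crl", f"{ocsp_note}; serial listed in CRL")
    return Verdict(True, "crl", f"{ocsp_note}; serial not in fresh CRL")


# --- constructed test doubles (not real responders or CRLs) ----------------
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
REVOKED_SERIAL = 0x1234
GOOD_SERIAL = 0x5678


def ocsp_up(serial: int) -> OcspStatus:
    return OcspStatus.REVOKED if serial == REVOKED_SERIAL else OcspStatus.GOOD


def ocsp_timeout(serial: int) -> OcspStatus:
    raise OcspError("no response within 5 s")


def ocsp_unknown(serial: int) -> OcspStatus:
    return OcspStatus.UNKNOWN


def fresh_crl() -> Crl:
    return Crl({REVOKED_SERIAL}, NOW - timedelta(hours=1), NOW + timedelta(days=6))


def stale_crl() -> Crl:
    return Crl({REVOKED_SERIAL}, NOW - timedelta(days=30), NOW - timedelta(days=23))


def crl_unreachable() -> Crl:
    raise OSError("CDP unreachable")


if __name__ == "__main__":
    for label, ocsp, crl in [("ocsp up", ocsp_up, fresh_crl),
                             ("ocsp timeout, fresh crl", ocsp_timeout, fresh_crl),
                             ("ocsp timeout, stale crl", ocsp_timeout, stale_crl),
                             ("ocsp unknown, crl down", ocsp_unknown, crl_unreachable)]:
        v = validate(GOOD_SERIAL, ocsp, crl, NOW)
        print(f"{label:26s} -> accepted={v.accepted} via {v.source}: {v.reason}")
```

The `source` field is what you would want in an authentication log when investigating an outage like the one described: it shows whether each EAP-TLS decision came from OCSP, from the CRL fallback, or from policy because neither method could answer. In the poster's outages, the useful question is which of those three paths the failing authentications took.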
