ISE 1.4 CRL download verification

Johannes Luther
Level 4

Hi ISE professionals,

today I have a very simple question and hopefully someone will enlighten me :)

Let's assume I configured a trusted CA certificate with a CRL distribution URL and I download the CRL some time before it expires.

How can I verify if this actually worked? Of course, when the CRL download fails I assume I get an error message. But what I want is a log message somewhere to verify that it worked.

Does anybody have an idea if there is a log file or report where I can verify the download?

5 Replies

nspasov
Cisco Employee

Hi Johannes-

Let me start by saying that you should look into configuring OCSP (Online Certificate Status Protocol) instead of CRL (Certificate Revocation List). There are many benefits to it. I am not a PKI expert so I will let you google it and consult a PKI/Cryptography expert, but below is a good link about it:

https://www.fir3net.com/Security/Concepts-and-Terminology/certificate-revocation.html

One of the benefits of OCSP is the Diagnostic Report in ISE located under Operations > Reports > Diagnostics > OCSP Monitoring. You can schedule that report and run it, let's say, every morning and have ISE send you a copy :)

You can configure ISE to automatically check sessions against the CRL/OCSP list by going to:

Administration > System > Certificates > Certificate Management > Certificate Periodic Check Settings

I hope this helps!

Thank you for rating helpful posts!

Hello Neno,

good point - I forgot to mention that I'm using OCSP as well. Perhaps I should explain the use case for CRLs in combination with OCSP.

Assume a PSN node in a remote office. The OCSP server is only available in the central site and not in every remote office.

If the WAN connection towards the office fails, there is no connection to the OCSP server. Also, I don't want to accept EAP-TLS client sessions and skip certificate checking if the OCSP server is unavailable.

This is when CRLs come into play. If the OCSP server is unavailable, the downloaded CRL is checked. Assuming a CRL lifetime of one week and an overlap of CRL creation of ~three days, I have ~three days to fix the WAN connectivity.

So thanks for the hint. But in my opinion there are valid use cases to use both mechanisms in combination.

Ahh best of both worlds! :) Thank you for the explanation on the CRL + OCSP. That makes a lot of sense! (+5 from me!)

Back to your question:

1. For OCSP: I would recommend you check the report that I referenced above and see if that gives you the information needed.

2. For CRL: I am afraid I am not aware of a way to confirm that things have worked :) And yes, you are correct that you can be notified when a retrieval fails. That is done via an alarm called "CRL Retrieval Failed" and it is located at: Administration > System > Settings > Alarm Settings. You need to make sure that the alarm is enabled and that you have an e-mail configured for the notifications to work.

So with that being said, I guess you will have to assume that if you are not getting notifications about the alarm then everything is working fine :)

Thank you for rating helpful posts!

Hi Neno,

thanks for your answer. Regardless of the Alarm settings, the CRL download failed event is always logged.

Example Syslog:

Category Name: RADIUS Diagnostics
Message Class: CRL
Message Code: 12831
Message Text: Unable to download CRL

There are much more notifications with different conditions, which can be reviewed under:

Administration > System > Logging > Message Catalog

Just type in "CRL" as the filter for the "Message Text" column.

Back to my original request.

I was just wondering if a successful CRL download is in some log file. If I log in to ADE-OS there are tons of different log files if I issue a "show logging ..." on the command line. I just don't know where to search.

Another potential location would be in the GUI under "Operations > Troubleshoot > Download Logs"

There are all debug log files (also tons of them) for each ISE node in the deployment. There must be a CRL download indication in one of these files.

Perhaps a TAC engineer of Cisco is reading this and exactly knows where to search for it :)
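Added example, not from this thread or from Cisco: a small Python checker that parses log records in the key/value layout quoted above, picks out "Unable to download CRL" (code 12831) events, and reports how long the CRL already cached on the PSN stays usable, which is the grace window discussed earlier in the thread. The ISO-8601 timestamp line before each record, the sample log itself, and the NextUpdate value passed in are constructed assumptions; ISE's real syslog prefix differs.

```python
import re
from datetime import datetime, timedelta

CRL_DOWNLOAD_FAILED = "12831"   # "Unable to download CRL", the code quoted in the thread
FIELD_RE = re.compile(r"^(Category Name|Message Class|Message Code|Message Text):\s*(.*)$")

# Constructed sample in the layout quoted above; the ISO-8601 line before the
# record is an assumed timestamp (ISE's real syslog prefix differs).
SAMPLE_LOG = """\
2016-03-07T08:00:00
Category Name: RADIUS Diagnostics
Message Class: CRL
Message Code: 12831
Message Text: Unable to download CRL
"""

def parse_records(text):
    """A 'Category Name' line opens a record; a preceding bare line is its timestamp."""
    records, current, pending_ts = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FIELD_RE.match(line)
        if m is None:  # assumed timestamp line (constructed format)
            pending_ts = datetime.fromisoformat(line)
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Category Name":
            current = {"timestamp": pending_ts}
            records.append(current)
            pending_ts = None
        if current is not None:
            current[key] = value
    return records

def crl_download_failures(records):
    """Records carrying the CRL message class and the 'Unable to download CRL' code."""
    return [r for r in records if r.get("Message Class") == "CRL"
            and r.get("Message Code") == CRL_DOWNLOAD_FAILED]

def crl_status(records, crl_next_update, now):
    """Return ('ok'|'degraded'|'expired', hours left until the cached CRL's NextUpdate).
    crl_next_update is read from the CRL file already on the PSN; both args are ISO strings."""
    hours_left = max(0.0, (datetime.fromisoformat(crl_next_update)
                           - datetime.fromisoformat(now)) / timedelta(hours=1))
    if hours_left == 0.0:
        return "expired", hours_left
    return ("degraded" if crl_download_failures(records) else "ok"), hours_left
```

No failure record and a CRL still inside its validity period yields "ok", which matches the advice above that silence from the "CRL Retrieval Failed" alarm is the only positive signal available; a logged failure turns it into "degraded" together with the remaining hours to repair connectivity.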

Yes, perhaps someone from Cisco and/or someone that knows about this can chime in :)