ISE 2.0 CRL Verification with LDAP Path

Hi community,

I currently have the problem that my customer wants to enable CRL verification. The CRL is only published into Active Directory.

According to the ISE documentation, LDAP is supported as a CRL path.

Unfortunately the CRL is not retrieved:

ldap://CN=User%20CA,CN=pki,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=AD,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint

I also tried:

ldap://CN=User%20CA,CN=pki,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=AD,DC=local

Has anyone tried LDAP as a CRL path in ISE before, or has any idea how to troubleshoot this?

Best Regards

Michael


Joseph Johnson
Level 1

A couple of things to check:

1. Do you have access to another machine with either a machine/user certificate or a secure internal web page with a certificate from the internal CA? You can double check the path for the CRL by examining the certificate extension. You should be able to copy the URI directly from there and drop it into ISE.

2. Is the ISE node joined to the domain where the CRL resides? It must have read access to the path. That's why it is sometimes easier to publish the CRL to IIS because you can allow anonymous access without worrying about domain membership or tweaking AD permissions.
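As an added example (not from the original thread or from Cisco), the following Python script carries out the first check from the reply offline: it splits an LDAP CRL path into its RFC 4516 parts (host, DN, attributes, scope, filter) so the URI configured in ISE can be compared field by field with the one copied from the certificate's CRL Distribution Points extension. The host name dc01.ad.local is a made-up example; the two URIs from the question are used as-is.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# RFC 4516 layout: scheme://[host[:port]][/dn[?attrs[?scope[?filter[?extensions]]]]]
_LDAP_URL = re.compile(r"^(ldaps?)://([^/?]*)(?:/([^?]*))?(?:\?(.*))?$", re.IGNORECASE)
CRL_ATTR = "certificateRevocationList"

@dataclass
class LdapUrl:
    scheme: str
    host: str
    dn: str                     # percent-decoded distinguished name
    attributes: list
    scope: str
    search_filter: str
    problems: list = field(default_factory=list)

def parse_ldap_url(url: str) -> LdapUrl:
    """Split an LDAP CRL URL into its RFC 4516 parts and flag common CRL-path mistakes."""
    m = _LDAP_URL.match(url.strip())
    if not m:
        raise ValueError(f"not an LDAP URL: {url!r}")
    scheme, host, dn, rest = m.groups()
    fields = (rest or "").split("?")
    fields += [""] * (3 - len(fields))          # pad to attrs, scope, filter
    attrs = [a for a in fields[0].split(",") if a]
    scope = fields[1].lower() or "base"         # RFC 4516 default scope is base
    u = LdapUrl(scheme.lower(), host, unquote(dn or ""), attrs, scope, unquote(fields[2]))
    # Two slashes put the DN where the host belongs: ldap://CN=...  vs  ldap://host/CN=...
    if not u.dn and "=" in host:
        u.problems.append("DN sits in the host position; write ldap://<server>/<DN> "
                          "(or ldap:///<DN> to leave the host empty)")
        u.host, u.dn = "", unquote(host)        # reinterpret so the intended DN is shown
    elif not host:
        u.problems.append("no host: the verifier must pick a directory server itself")
    if CRL_ATTR not in u.attributes:
        u.problems.append(f"attribute list does not request {CRL_ATTR}")
    if scope != "base":
        u.problems.append("a CRL lookup addresses one object; scope should be 'base'")
    return u

if __name__ == "__main__":
    POSTED = ("ldap://CN=User%20CA,CN=pki,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
              "CN=Configuration,DC=AD,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint")
    # dc01.ad.local is a made-up domain controller name for the corrected form
    for candidate in (POSTED, POSTED.replace("ldap://", "ldap://dc01.ad.local/", 1)):
        r = parse_ldap_url(candidate)
        print(r.host or "<no host>", "|", r.dn, "|", r.problems or "no findings")
```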