ISE 2.4 CRLs: Using LDAP to fetch CRLs for AD-joined ISE servers

Nadav
Level 7

Hi everyone,

I have a distributed deployment of ISE with AD-joined ISE nodes. At present I've been using HTTP to fetch CRLs, which was trivial, but I've been asked to see if this can be done via LDAP.

The CA side of things has been configured to add the LDAP path as the CDP for certificates. I'm interested in the ISE side.

So far I haven't had to use LDAP at all for ISE since the nodes are AD-joined.

Can you list all the steps required to fetch CRLs via LDAP? For example: do I need to create an external identity source towards the LDAP servers before configuring CRL retrieval via LDAP?

Thanks!

Accepted Solution

hslai
Cisco Employee

It should work if the CRL is accessible at a URI with anonymous LDAP access.

4 Replies

Nadav
Level 7

Any ideas? I honestly can't find an example of this online.

hslai
Cisco Employee

It should work if the CRL is accessible at a URI with anonymous LDAP access.

Nadav
Level 7

Thanks. So it's not supported without anonymous LDAP binding?

Hi @Nadav

ISE has no config method to allow you to specify the LDAP bind information for CRL retrieval. ISE supports LDAP binding for authentication to LDAP servers only.

I ran into this some years ago - ISE tries to bind anonymously to the LDAP URI in the CDP - but by default I don't think most (or any) CAs (e.g. Microsoft CA) allow anonymous LDAP binding. The result is that the ISE logs get spammed with all these messages.

I seem to remember that if you hard-code the CRL into the ISE trusted certificate, then ISE will dutifully fetch the CRL at the configured interval. But I don't remember if that stops the LDAP binding attempts ...

If your CA publishes the CRL in other formats (e.g. via HTTP), then tell ISE to manually download the CRL. Even if you put the HTTP URL into the CDP of the certificate, ISE doesn't care about it - it only seems to care about the LDAP URI.

Disclaimer: last time I looked into this was ISE 2.3
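The condition in the accepted answer ("accessible at a URI with anonymous LDAP access") and the anonymous-bind behaviour described in the last reply can both be checked from any Linux host before touching ISE. The script below is an added example, not code from the thread, from Cisco or from Microsoft: it parses an LDAP CDP of the kind a Microsoft CA writes (an RFC 4516 `ldap://` URL), builds the ldapsearch that mirrors what ISE attempts (simple bind, no credentials, i.e. anonymous), fetches the DER CRL and prints its validity window with openssl. The sample CDP, the CA name `CORP-CA`, the domain `corp.example` and the DC `dc01.corp.example` are constructed for illustration; the ldapsearch and openssl options are real OpenLDAP/OpenSSL flags. It assumes OpenLDAP's `ldapsearch`, `base64` and `openssl` are installed.

```shell
#!/bin/sh
# Added example (not from the thread, Cisco or Microsoft): test whether a
# certificate's LDAP CDP can be read the way ISE reads it, with an anonymous
# bind. Needs OpenLDAP ldapsearch, base64 and openssl. All names are made up.

# CDP in the shape a Microsoft CA publishes (constructed sample). Note the
# empty host in "ldap:///": the client has to choose a DC itself.
SAMPLE_CDP='ldap:///CN=CORP-CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=corp,DC=example?certificateRevocationList?base?objectClass=cRLDistributionPoint'

# Decode %XX escapes (RFC 4516 URLs percent-encode the spaces in the DN).
url_decode() {
  printf '%s' "$1" | awk '
    BEGIN { hex = "0123456789abcdef" }
    {
      s = $0; out = ""
      while ((i = index(s, "%")) > 0 && length(s) >= i + 2) {
        hi = index(hex, tolower(substr(s, i + 1, 1))) - 1
        lo = index(hex, tolower(substr(s, i + 2, 1))) - 1
        if (hi >= 0 && lo >= 0) {
          out = out substr(s, 1, i - 1) sprintf("%c", hi * 16 + lo)
          s = substr(s, i + 3)
        } else {
          out = out substr(s, 1, i)
          s = substr(s, i + 1)
        }
      }
      printf "%s%s", out, s
    }'
}

# Split ldap://host/dn?attrs?scope?filter and print five lines:
# host, base DN, attributes, scope, filter (with CRL-lookup defaults).
cdp_parse_ldap_url() {
  url=$1
  case $url in
    ldap://*) ;;
    *) echo "not an ldap:// URL: $url" >&2; return 1 ;;
  esac
  rest=${url#ldap://}
  case $rest in
    */*) host=${rest%%/*}; rest=${rest#*/} ;;
    *)   host=$rest;       rest="" ;;
  esac
  dn=${rest%%\?*};    rest=${rest#"$dn"};    rest=${rest#\?}
  attrs=${rest%%\?*}; rest=${rest#"$attrs"}; rest=${rest#\?}
  scope=${rest%%\?*}; rest=${rest#"$scope"}; rest=${rest#\?}
  filter=${rest%%\?*}
  dn=$(url_decode "$dn")
  filter=$(url_decode "$filter")
  [ -n "$attrs" ]  || attrs=certificateRevocationList
  [ -n "$scope" ]  || scope=base
  [ -n "$filter" ] || filter='(objectClass=*)'
  # Microsoft CDPs omit the outer parentheses that an LDAP filter needs.
  case $filter in
    "("*) ;;
    *) filter="($filter)" ;;
  esac
  printf '%s\n' "$host" "$dn" "$attrs" "$scope" "$filter"
}

# Field n (1..5) of the parsed URL.
cdp_field() { cdp_parse_ldap_url "$1" | sed -n "${2}p"; }

# Set host/base/attrs/scope/filter from a CDP; an optional second argument
# names the DC to use when the CDP has no host part.
cdp_resolve() {
  parsed=$(cdp_parse_ldap_url "$1") || return 1
  host=$(printf '%s\n' "$parsed" | sed -n 1p)
  base=$(printf '%s\n' "$parsed" | sed -n 2p)
  attrs=$(printf '%s\n' "$parsed" | sed -n 3p)
  scope=$(printf '%s\n' "$parsed" | sed -n 4p)
  filter=$(printf '%s\n' "$parsed" | sed -n 5p)
  if [ -n "${2:-}" ]; then host=$2; fi
  if [ -z "$host" ]; then
    echo "CDP has no host part (ldap:///...): pass a DC as the second argument" >&2
    return 1
  fi
}

# The ldapsearch that mirrors ISE: -x is a simple bind and, with no -D/-w,
# an anonymous one. -LLL/-o ldif-wrap=no give one clean base64 line per value.
cdp_ldapsearch_cmd() {
  cdp_resolve "$1" "${2:-}" || return 1
  printf 'ldapsearch -x -LLL -o ldif-wrap=no -H ldap://%s -b "%s" -s %s "%s" %s\n' \
    "$host" "$base" "$scope" "$filter" "$attrs"
}

# Fetch anonymously, decode the DER CRL and show issuer and validity window.
# AD answers an anonymous non-rootDSE search with "Operations error (1)" when
# anonymous operations are disabled (the default); that yields no value, and
# the -s test below turns it into a clear failure instead of an empty file.
cdp_fetch_crl() {
  out=$3
  cdp_resolve "$1" "$2" || return 1
  ldapsearch -x -LLL -o ldif-wrap=no -H "ldap://$host" -b "$base" -s "$scope" "$filter" "$attrs" \
    | sed -n 's/^certificateRevocationList\(;binary\)\{0,1\}:: //p' \
    | base64 -d > "$out"
  if [ ! -s "$out" ]; then
    echo "no CRL returned: anonymous read refused, or DN/filter wrong" >&2
    return 1
  fi
  openssl crl -inform DER -in "$out" -noout -issuer -lastupdate -nextupdate
}

# Usage: sh cdp_check.sh "$CDP_URL" dc01.corp.example crl.der
if [ $# -eq 3 ]; then cdp_fetch_crl "$1" "$2" "$3"; fi
```

If the fetch fails with `Operations error (1)`, the DC is refusing anonymous reads, which is AD's default; allowing them (the seventh character of `dSHeuristics` set to `2`, plus a read ACE for ANONYMOUS LOGON on the CDP container) is a forest-wide change that deserves its own risk review, so publishing the CRL over HTTP as the last reply suggests is normally the smaller change. The CRL's integrity rests on the CA's signature rather than on the transport, which is why anonymous read is the conventional access model for a CDP in the first place.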