
12-17-2020 12:34 AM
Hi everyone,
I have a distributed deployment of ISE with AD-joined ISE nodes. At present I've been using http to fetch CRLs, which was trivial, but I've been asked to see if this can be done via LDAP.
The CA-side of things has been configured to add the LDAP path as the CDP for certificates. I'm interested in the ISE side.
So far I haven't had to use LDAP at all for ISE since they are AD-joined.
Can you list all the steps required to fetch CRL via LDAP? For example: Do I need to create an external identity source towards LDAP servers before configuring CRL via LDAP?
Thanks!
Labels: AAA, Identity Services Engine (ISE)
Accepted Solutions
12-22-2020 05:56 PM
It should work if the CRL is accessible at a URI with anonymous LDAP access.

12-22-2020 02:33 AM
Any ideas? I honestly can't find an example of this online.
12-29-2020 11:38 AM
Thanks. So it's not supported without anonymous LDAP binding?
01-05-2021 01:50 PM
Hi @Nadav
ISE has no config method to allow you to specify the LDAP bind information for CRL retrieval. ISE supports LDAP binding for authentication to LDAP servers only.
I ran into this some years ago - ISE tries to bind anonymously to the LDAP URI in the CDP - but by default I don't think most (or any) CAs (e.g. Microsoft CA) allow anonymous LDAP binding. The result is that the ISE logs get spammed with all these messages.
I seem to remember that if you hard code the CRL into the ISE trusted certificate, then ISE will dutifully fetch the CRL at the configured interval. But I don't remember if that stops the LDAP binding attempts ...
If your CA publishes the CRL in other formats (e.g. via http) then tell ISE to manually download the CRL. Even if you put the http URL into the CDP of the certificate, ISE doesn't care about it - it only seems to care about the LDAP URI.
Disclaimer: last time I looked into this was ISE 2.3
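The thread turns on what a certificate's CDP actually points at: an LDAP URI that ISE can only reach with an anonymous bind, versus an HTTP URL that can be configured as a manual CRL download on the trusted certificate. The following script is an added example, not code from the thread or from Cisco: it parses each CDP URI (LDAP URLs per RFC 4516, which is the shape a Microsoft CA publishes), records whether ISE would need an anonymous LDAP bind to use it, and reports the HTTP alternative when one exists. The sample URIs, hostnames and DNs are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed sample CDP URIs in the two shapes the thread contrasts: an
# Active Directory style LDAP CDP (serverless "ldap:///" form, as a
# Microsoft CA publishes it) and an HTTP CDP. All names are placeholders.
SAMPLE_CDP_URIS = [
    "ldap:///CN=Example%20Issuing%20CA,CN=ca01,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=example,DC=local"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://pki.example.local/CertEnroll/Example%20Issuing%20CA.crl",
]


@dataclass
class CdpEntry:
    uri: str
    scheme: str
    host: Optional[str]                 # None for a serverless ldap:/// URL
    dn: Optional[str] = None            # LDAP only: object that holds the CRL
    attributes: List[str] = field(default_factory=list)
    scope: Optional[str] = None
    filter: Optional[str] = None
    needs_anonymous_bind: bool = False  # True when only an unauthenticated bind is possible


def parse_ldap_url(uri: str) -> CdpEntry:
    """Split an RFC 4516 LDAP URL, ldap://host/dn?attrs?scope?filter,
    into its components, decoding percent-encoding in each field."""
    parts = urlsplit(uri)
    # urlsplit keeps the DN in .path (with a leading '/') and everything
    # after the first '?' in .query, so the remaining '?'-separated LDAP
    # fields (attributes, scope, filter) are still intact there.
    dn = unquote(parts.path.lstrip("/")) or None
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))  # pad missing attrs/scope/filter
    attrs = [a for a in unquote(fields[0]).split(",") if a]
    return CdpEntry(
        uri=uri,
        scheme=parts.scheme.lower(),
        host=parts.hostname,
        dn=dn,
        attributes=attrs,
        scope=unquote(fields[1]) or None,
        filter=unquote(fields[2]) or None,
        # Per the thread, ISE offers no place to configure LDAP bind
        # credentials for CRL retrieval, so only an anonymous bind can work.
        needs_anonymous_bind=True,
    )


def classify_cdp(uri: str) -> CdpEntry:
    """Build a CdpEntry for any CDP URI; only LDAP entries need a bind."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme in ("ldap", "ldaps"):
        return parse_ldap_url(uri)
    return CdpEntry(uri=uri, scheme=scheme, host=parts.hostname)


def review_cdps(uris: List[str]) -> Tuple[List[CdpEntry], List[str]]:
    """Return the parsed entries and one finding per LDAP CDP, naming an
    HTTP CDP from the same certificate as the manual download URL to use."""
    entries = [classify_cdp(u) for u in uris]
    http_alternatives = [e.uri for e in entries if e.scheme in ("http", "https")]
    findings = []
    for e in entries:
        if not e.needs_anonymous_bind:
            continue
        msg = f"LDAP CDP {e.uri!r}: ISE can only attempt an anonymous bind here"
        if e.host is None:
            # RFC 4516: with no host given, the client must already know
            # which directory server to contact.
            msg += "; the URL names no server, so the client must locate one itself"
        if http_alternatives:
            msg += (f"; configure {http_alternatives[0]} as the CRL download URL "
                    "on the trusted certificate in ISE instead")
        findings.append(msg)
    return entries, findings


if __name__ == "__main__":
    parsed, notes = review_cdps(SAMPLE_CDP_URIS)
    for entry in parsed:
        print(entry)
    for note in notes:
        print(note)
```

Feed it the CDP URIs read out of a real certificate (for example from `openssl x509 -noout -ext crlDistributionPoints`) to see at a glance whether the CA publishes only an LDAP distribution point, in which case the manual HTTP download the last reply describes is the practical way forward.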
