My ISE 2.4 deployment is entirely distributed with dedicated nodes.
I have an intermediate CA's CRL distribution point (CDP) monitored in order to deny access to any authentication attempts by revoked certificates. That works just fine; however, for some reason, since configuring this CRL check all the ISE nodes in my deployment try to reach this CDP periodically.
According to the Installation Guide Port Reference, only PSN nodes are meant to check CDPs.
Can someone explain why each persona needs to check with the CRL distribution point?
I have not checked recently but I was also annoyed with ISE's automatic CDP interrogation. It would try to retrieve the CRL using LDAP (if that was published in the CDP). But this will never work because ISE doesn't bind to those LDAP servers. It should go for the HTTP URLs instead.
It would also be nice to see what the CRL download state is for each cert - or to have some mechanism to see when ISE will next attempt a download.
Or just give up and use OCSP instead. :-) But that is not without its challenges either. Unless ISE supports OCSP stapling, I'd say that OCSP can become very network intensive.
Why would PAN or MnT nodes need to check the CRL distribution point?
It seems that if I block PSN traffic to the CDP, CRL validation isn't enforced, yet if I were to block PAN and MnT traffic to the CDP then CRL validation works just fine.
Also, the MnT never opens a session with the CDP; it just sends TCP SYNs all the time.
Any chance there is an official answer regarding which personas need to reach out to the CDP?
After a few days in the lab, it is now evident why all nodes should have access to the CRL distribution point.
Whenever TLS is needed, whether it is for EAP or for creating a secure syslog flow, if you configured a CDP for a trusted cert then that CDP will be checked before the handshake can be completed.
For PSN nodes towards supplicants for 802.1x that means PSNs need to check the CDP to know whether or not the supplicants can authenticate.
For the other ISE nodes, if you are sending secure syslog to your MnT nodes then the CDP is also checked. If you don't have access to your CDP, and you didn't enable "Bypass CRL Verification", then the handshake will fail between the MnT node (syslog server) and the syslog client.
Essentially this means that if you want to have secure syslog from your servers to your MnT nodes, all ISE nodes should have access to your CDP.
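The decision described in this thread (only the HTTP CDP URIs are usable, and an unreachable CDP fails the handshake unless "Bypass CRL Verification" is enabled) as an added, stand-alone example that is not ISE's code and not part of the original thread. It assumes the `cryptography` library is installed and builds a constructed lab PKI inline; the CDP URIs, serial numbers and clock are made-up values.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID, ExtensionOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 1, 1)  # constructed fixed clock (naive UTC) for reproducibility

def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def build_pki():
    """Constructed lab PKI: a CA, one leaf whose CDP lists an LDAP and an HTTP URI,
    and a CRL issued by that CA that revokes the leaf."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca = (x509.CertificateBuilder().subject_name(_name("Lab Sub CA"))
          .issuer_name(_name("Lab Sub CA")).public_key(ca_key.public_key())
          .serial_number(1).not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier("ldap://pki.example.test/CN=Lab%20Sub%20CA"),
                   x509.UniformResourceIdentifier("http://pki.example.test/subca.crl")],
        relative_name=None, reasons=None, crl_issuer=None)])
    leaf = (x509.CertificateBuilder().subject_name(_name("syslog-client"))
            .issuer_name(ca.subject).public_key(leaf_key.public_key()).serial_number(4242)
            .not_valid_before(NOW).not_valid_after(NOW + dt.timedelta(days=30))
            .add_extension(cdp, critical=False).sign(ca_key, hashes.SHA256()))
    crl = (x509.CertificateRevocationListBuilder().issuer_name(ca.subject)
           .last_update(NOW).next_update(NOW + dt.timedelta(days=7))
           .add_revoked_certificate(x509.RevokedCertificateBuilder().serial_number(4242)
                                    .revocation_date(NOW).build())
           .sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl

def cdp_http_urls(cert):
    """Only the http(s) URIs in the CDP extension are worth fetching; the LDAP ones
    cannot be used without a bind, which is the point made earlier in the thread."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS).value
    return [n.value for dp in ext for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier) and n.value.startswith("http")]

def revocation_decision(cert, ca, crl, now=NOW, bypass_on_failure=False):
    """Model of the check a TLS endpoint runs before completing the handshake.
    crl=None models a CDP that could not be reached (e.g. blocked by a firewall)."""
    if crl is None or not crl.is_signature_valid(ca.public_key()) or crl.next_update < now:
        return "accept" if bypass_on_failure else "reject: CRL unavailable"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "reject: revoked"
    return "accept"
```

Run `revocation_decision(leaf, ca, None)` against a node that cannot reach the CDP to see the handshake-level failure the thread describes, and the same call with `bypass_on_failure=True` for the "Bypass CRL Verification" behaviour.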