Solved: ISE 2.4 P4: Why do all nodes try to reach the CRL distribution point?

Nadav · ‎11-19-2018

Hi everyone,

My ISE 2.4 deployment is entirely distributed with dedicated nodes.

I have an intermediate CA's CRL distribution point (CDP) monitored in order to deny access to any authentication attempts by revoked certificates. That works just fine, however for some reason as of configuring this CRL check all the ISE nodes in my deployment try to reach this CDP periodically.

According to the Installation Guide Port Reference, only PSN nodes are meant to check CDPs.

https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg

Can someone explain why each persona needs to check with the CRL distribution point?

Thanks!

hslai · ‎11-19-2018

This is expected.

Such certificate validations are added for Common Criteria since ISE 2.0.

View solution in original post

paul · ‎11-19-2018

What use cases do you have set for the certificate you have installed into ISE from the CA? Do you have just the EAP Authentication use case?

Nadav · ‎11-19-2018

At present I'm trying out a multi-use certificate for all the nodes so that they are both EAP and Admin.

Arne Bier · ‎11-19-2018

I have not checked recently but I was also annoyed with ISE's automatic CDP interrogation. It would try to retrieve the CRL using LDAP (if that was published in the CDP). But this will never work because ISE doesn't bind to those LDAP servers. it should go for the http URL's instead.

It would also be nice to see what the CRL download state is for each cert - or to have some mechanism to see when ISE will next attempt a download.

Or just give up and use OCSP instead. :-) But that is not without its challenges either. Unless ISE supports OCSP stapling, I'd say that OCSP can become very network intensive.

paul · ‎11-19-2018

You will get alarms with the CRL download fails. I guess I really haven't put too much thought into this since CRL download are so insignificant to the performance of the ISE system and the performance of the server hosting the CRLs. It is a file fetch every few minutes/hours/whatever you have the CRL fetch set for.

hslai · ‎11-19-2018

This is expected.

Such certificate validations are added for Common Criteria since ISE 2.0.

Nadav · ‎11-19-2018

Why would PAN or MnT nodes require to check the CRL distribution point?

It seems that if I block PSN traffic to the CDP, CRL validation isn't enforced, yet if I were to block PAN and MnT traffic to the CDP then CRL validation works just fine.

Also the MnT never opens a session with the CDP, it just sends TCP SYN all the time.

Any chance there is an official answer regarding which personas require to reach out to the CDP?

Nadav · ‎11-23-2018

Any ideas?

Nadav · ‎12-02-2018

Hi everyone,

After a few days in the lab, it is now evident why all nodes should have access to the CRL distribution point.

Whenever TLS is needed, whether it is for EAP or for creating a secure syslog flow, if you configured a CDP for a trusted cert then that CDP will be checked before the handshake can be completed.

For PSN nodes towards supplicants for 802.1x that means PSNs need to check the CDP to know whether or not the supplicants can authenticate.

For the other ISE nodes, if you are sending secure syslog to your MnT nodes then the CDP is also checked. If you don't have access to your CDP, and you didn't enable "Bypass CRL Verification", then the handshake will fail between the MnT node (syslog server) and the syslog client.

Essentially this means that if you want to have secure syslog between your servers to your MnT nodes, all ISE nodes should have access to your CDP.