11-19-2018 08:04 AM
Hi everyone,
My ISE 2.4 deployment is entirely distributed with dedicated nodes.
I have an intermediate CA's CRL distribution point (CDP) monitored in order to deny access to any authentication attempts by revoked certificates. That works just fine; however, for some reason, since configuring this CRL check all the ISE nodes in my deployment try to reach this CDP periodically.
According to the Installation Guide Port Reference, only PSN nodes are meant to check CDPs.
https://www.cisco.com/c/dam/en/us/td/i/400001-500000/420001-430000/425001-426000/425863.jpg
Can someone explain why each persona needs to check with the CRL distribution point?
Thanks!
11-19-2018 09:28 PM
This is expected.
Such certificate validations have been added for Common Criteria since ISE 2.0.
11-19-2018 12:06 PM
What use cases do you have set for the certificate you have installed into ISE from the CA? Do you have just the EAP Authentication use case?
11-19-2018 11:52 PM
At present I'm trying out a multi-use certificate for all the nodes so that they are both EAP and Admin.
11-19-2018 03:26 PM
I have not checked recently, but I was also annoyed with ISE's automatic CDP interrogation. It would try to retrieve the CRL using LDAP (if that was published in the CDP). But this will never work because ISE doesn't bind to those LDAP servers. It should go for the HTTP URLs instead.
It would also be nice to see what the CRL download state is for each cert - or to have some mechanism to see when ISE will next attempt a download.
Or just give up and use OCSP instead. :-) But that is not without its challenges either. Unless ISE supports OCSP stapling, I'd say that OCSP can become very network intensive.
11-19-2018 11:52 PM
Why would PAN or MnT nodes need to check the CRL distribution point?
It seems that if I block PSN traffic to the CDP, CRL validation isn't enforced, yet if I were to block PAN and MnT traffic to the CDP then CRL validation works just fine.
Also the MnT never opens a session with the CDP, it just sends TCP SYN all the time.
Any chance there is an official answer regarding which personas need to reach out to the CDP?
12-02-2018 07:44 AM
Hi everyone,
After a few days in the lab, it is now evident why all nodes should have access to the CRL distribution point.
Whenever TLS is needed, whether it is for EAP or for creating a secure syslog flow, if you configured a CDP for a trusted cert then that CDP will be checked before the handshake can be completed.
For PSN nodes towards supplicants for 802.1X, that means PSNs need to check the CDP to know whether or not the supplicants can authenticate.
For the other ISE nodes, if you are sending secure syslog to your MnT nodes then the CDP is also checked. If you don't have access to your CDP, and you didn't enable "Bypass CRL Verification", then the handshake will fail between the MnT node (syslog server) and the syslog client.
Essentially this means that if you want to have secure syslog from your servers to your MnT nodes, all ISE nodes should have access to your CDP.
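The decision described in this thread (CDP checked before the handshake completes, handshake failing when the CDP is unreachable unless bypass is enabled), as an added example that is not part of the thread and not Cisco ISE code. It is a standard-library Go program that builds a constructed lab CA, one valid and one revoked certificate, and the CA's CRL, then runs the same pre-handshake revocation decision a secure-syslog receiver or EAP authenticator would make under each combination of CDP reachability and the bypass setting. The CDP URL, the names, the verdict strings, the `fetch` function standing in for the node's HTTP download, and the exact semantics of "Bypass CRL Verification" (a failed or unusable download is ignored) are assumptions for illustration. It goes slightly beyond the thread by also treating a CRL that is past its NextUpdate, or not signed by the trusted CA, as "no usable CRL".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Assumed CDP URL of the constructed lab CA (the trust entry points here for its CRL).
const labCDP = "http://crl.example.test/lab-ca.crl"

// Verdicts of the pre-handshake revocation check.
const (
	Allowed, AllowedBypass     = "allowed", "allowed (no usable CRL, bypass enabled)"
	DeniedRevoked, DeniedNoCRL = "denied (certificate revoked)", "denied (no usable CRL, bypass disabled)"
	DeniedBadChain             = "denied (not issued by the trusted CA)"
)

// checkPeerCert is the decision a TLS server (such as a secure-syslog receiver) or an EAP
// authenticator makes before completing the handshake with peer: ca is the trust-store entry the
// peer chains to, crlURL the CDP configured on it, and fetch the node's download from that CDP.
func checkPeerCert(peer, ca *x509.Certificate, crlURL string, bypassOnFailure bool,
	fetch func(string) ([]byte, error), now time.Time) string {
	if peer.CheckSignatureFrom(ca) != nil {
		return DeniedBadChain
	}
	crl := fetchCRL(ca, crlURL, fetch, now)
	switch {
	case crl == nil && bypassOnFailure:
		return AllowedBypass // fail open: a revoked certificate passes here too
	case crl == nil:
		return DeniedNoCRL // fail closed: the broken-handshake case described in the thread
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return DeniedRevoked
		}
	}
	return Allowed
}

// fetchCRL returns the CRL at url if it downloads, is signed by ca and is not past NextUpdate.
func fetchCRL(ca *x509.Certificate, url string, fetch func(string) ([]byte, error), now time.Time) *x509.RevocationList {
	der, err := fetch(url)
	if err != nil {
		return nil // unreachable: the CDP is filtered on the path or down
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return nil // unparsable, not signed by the CA, or stale: no better than no CRL at all
	}
	return crl
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // inputs below are fixed, so a failure is a bug in the example itself
	}
	return v
}

// newLabPKI builds a constructed CA, one valid and one revoked certificate, and the CA's DER CRL.
func newLabPKI(now time.Time) (ca, good, revoked *x509.Certificate, crlDER []byte) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	mint := func(cn string, serial int64, parent *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), CRLDistributionPoints: []string{labCDP}}
		if parent == nil { // self-signed CA; CRLSign is required for it to sign the CRL below
			t.IsCA, t.BasicConstraintsValid, t.KeyUsage, parent = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, caKey))))
	}
	ca = mint("Lab CA", 1, nil, caKey)
	good = mint("syslog-client", 1001, ca, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	revoked = mint("revoked-supplicant", 1002, ca, must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)))
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-30 * time.Minute)}},
	}, ca, caKey))
	return ca, good, revoked, crlDER
}

// runScenarios evaluates the verdict a node reaches for each combination of CDP reachability
// (open vs. filtered on the path) and the bypass setting on the trust entry.
func runScenarios(now time.Time) map[string]string {
	ca, good, revoked, crlDER := newLabPKI(now)
	reachable := func(string) ([]byte, error) { return crlDER, nil }
	blocked := func(string) ([]byte, error) { return nil, errors.New("connect timeout") }
	return map[string]string{
		"good cert, CDP reachable":          checkPeerCert(good, ca, labCDP, false, reachable, now),
		"revoked cert, CDP reachable":       checkPeerCert(revoked, ca, labCDP, false, reachable, now),
		"good cert, CDP blocked, no bypass": checkPeerCert(good, ca, labCDP, false, blocked, now),
		"good cert, CDP blocked, bypass":    checkPeerCert(good, ca, labCDP, true, blocked, now),
		"revoked cert, CDP blocked, bypass": checkPeerCert(revoked, ca, labCDP, true, blocked, now),
		"good cert, CRL past NextUpdate":    checkPeerCert(good, ca, labCDP, false, reachable, now.Add(48*time.Hour)),
	}
}
```

The two "CDP blocked" rows are the ones to weigh before filtering CDP traffic or enabling the bypass: with the CDP unreachable and bypass off, even a good client certificate is refused, which is the failed syslog handshake from the thread; with bypass on, the handshake succeeds, but so does a revoked certificate, because there is no CRL to say otherwise. Any node that terminates or initiates TLS against a trust entry with a CRL configured, whether a PSN facing supplicants or an MnT receiving secure syslog, therefore needs a path to the CDP, and a CRL that has gone stale is treated the same as one that never arrived.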