ISE and CRL Verification

M.G.
Level 1

Hi team,

How can I verify that the CRL is actually downloaded in ISE, and that it's being used?

I don't have the option to test with an endpoint whose computer certificate is revoked.

Thank you,

M.G.

3 Accepted Solutions

Mike.Cifelli
VIP Alumni

How can I verify that the CRL is actually downloaded in ISE, and that it's being used?

-A couple of quick options to verify:

--The RADIUS detailed live log should contain CRL information in the Steps data for an authenticated session. Same goes for OCSP if using that.

--Run a tcpdump from one of the PSNs, download the pcap, and search for http.

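The tcpdump check above, worked through as an added example (this is editor-supplied code, not part of Mike's reply and not an ISE or Cisco tool): it walks a classic pcap with only the Python standard library, pulls out every HTTP request whose URI looks like a CRL and every HTTP response typed as a CRL, and reports which client address fetched it and what status and size came back. The source address of the GET should be the PSN's own interface, and a 200 with a sensible Content-Length is the evidence that the download actually succeeded rather than only being attempted. The three-packet capture built by build_sample_pcap() is constructed: 10.0.0.5 stands in for the PSN, 10.0.0.20 and pki.example.com for the CA web server, and the CRL body is a placeholder, not a real CRL. One caveat the thread does not state: this only sees http:// distribution points; if the CDP on the trusted certificate is an ldap:// URL, filter the capture for LDAP (TCP 389/636) instead of HTTP.

```python
"""Scan a pcap (e.g. a tcpdump taken on an ISE PSN) for HTTP CRL fetches.

Added example, stdlib only. Addresses, hostnames and the CRL body in the
sample capture are constructed for illustration.
"""
import socket
import struct
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
CRL_CONTENT_TYPES = {"application/pkix-crl", "application/x-pkcs7-crl"}


def _tcp_payloads(pcap: bytes):
    """Yield (src_ip, dst_ip, dst_port, payload) for every TCP segment in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    link_type, = struct.unpack_from(endian + "I", pcap, 20)
    if link_type != 1:  # Ethernet only; enough for a capture taken on a PSN interface
        raise ValueError("unsupported link type %d" % link_type)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, 16)[0]
        if frame[23] != IPPROTO_TCP:
            continue
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        tcp = 14 + ihl
        dport = struct.unpack_from("!H", frame, tcp + 2)[0]
        doff = (frame[tcp + 12] >> 4) * 4
        payload = frame[tcp + doff:14 + total_len]
        if payload:
            yield src, dst, dport, payload


def _headers(payload: bytes) -> Dict[str, str]:
    """Split an HTTP message head into its start line and lower-cased header names."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    hdrs = {"_start": lines[0]}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs


def find_crl_fetches(pcap: bytes) -> List[Dict[str, str]]:
    """Return one record per HTTP request for a CRL and per CRL-typed HTTP response."""
    hits = []
    for src, dst, dport, payload in _tcp_payloads(pcap):
        h = _headers(payload)
        start = h["_start"].split(" ")
        if len(start) >= 3 and start[0] in ("GET", "POST") and start[2].startswith("HTTP/"):
            uri = start[1]
            # Heuristic: CDP URLs normally end in .crl or live under a /crl path.
            if uri.lower().endswith(".crl") or "crl" in uri.lower():
                hits.append({"kind": "request", "client": src, "server": dst,
                             "url": "http://%s%s" % (h.get("host", dst), uri)})
        elif start[0].startswith("HTTP/") and len(start) >= 2:
            ctype = h.get("content-type", "").split(";")[0].strip().lower()
            if ctype in CRL_CONTENT_TYPES:
                hits.append({"kind": "response", "server": src, "client": dst,
                             "status": start[1], "content_type": ctype,
                             "length": h.get("content-length", "?")})
    return hits


def _frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build one Ethernet/IPv4/TCP frame carrying payload (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000,
                     64, IPPROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    """Constructed capture: PSN 10.0.0.5 fetching a CRL from CA web server 10.0.0.20."""
    req = (b"GET /CertEnroll/Corp%20Issuing%20CA.crl HTTP/1.1\r\n"
           b"Host: pki.example.com\r\n\r\n")
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/pkix-crl\r\n"
            b"Content-Length: 4\r\n\r\n0\x82\x00\x00")  # body is a placeholder, not a real CRL
    noise = b"GET /index.html HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
    frames = [_frame("10.0.0.5", "10.0.0.20", 51000, 80, req),
              _frame("10.0.0.20", "10.0.0.5", 80, 51000, resp),
              _frame("10.0.0.5", "10.0.0.30", 51001, 80, noise)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in find_crl_fetches(build_sample_pcap()):
        print(hit)
```

For a real capture, pass `open("psn.pcap", "rb").read()` to find_crl_fetches() instead of the constructed sample; a request with no matching CRL-typed response, or a response with a 4xx/5xx status, is the capture-side counterpart of the CRL download failure discussed later in this thread.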

thomas
Cisco Employee

Do you have a syslog server that you export logs to?

You should be seeing log messages about whether or not the CRL was added or failed:

[attachment: image.png]


M.G.
Level 1

Thank you Mike and Thomas,

I noticed that if the CRL download is not successful you will get an alert in the Dashboard. In addition, in the RADIUS live logs (depending on your config for the specific trusted certificate), after "ISE will continue to CRL verification..." you will see "CRL verification Bypassed" in case the CRL download was not successful.

The syslog server messages clearly showed the addition of the CRL.

Thanks again for your assistance.

 

M.G.

