02-22-2022 02:44 AM
Hi team,
How can I verify that the CRL is actually downloaded in ISE and that it is being used?
I don't have the option to test with an endpoint whose computer certificate is revoked.
Thank you,
M.G.
02-22-2022 05:57 AM
How can I verify that the CRL is actually downloaded in ISE, and it's being used.
-A couple of quick options to verify:
--The RADIUS detailed live log should contain CRL information in the Steps data for an authenticated session. The same goes for OCSP if you are using that.
--Run a tcpdump from one of the PSNs, download the pcap, and search for http.
03-06-2022 08:32 PM
Do you have a syslog server that you export logs to?
You should be seeing log messages about whether or not the CRL was added or failed:
03-06-2022 08:49 PM
Thank you Mike and Thomas,
I noticed that if the CRL download is not successful you will get an alert in the Dashboard. In addition, in the RADIUS live logs (depending on your config for the specific trusted certificate), after "ISE will continue to CRL verification..." you will see "CRL verification Bypassed" in case the CRL download was not successful.
The Syslog server messages clearly showed the addition of the CRL.
Thanks again for your assistance.
M.G.
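As an added example (not code from any post in this thread), the following Python script scans an exported ISE syslog or live-log text for the two phrases quoted above and flags sessions where the CRL check was bypassed. The log line layout and the SessionID field are constructed assumptions, not the real ISE message format; the sample lines are constructed as well.

```python
import re

# Phrases quoted in the thread: the first marks that ISE reached the CRL step,
# the second that it authenticated without a usable CRL (download had failed).
CONTINUE_MARKER = "ISE will continue to CRL verification"
BYPASS_MARKER = "CRL verification Bypassed"

# Assumed field name for correlating step lines of one session (constructed).
SESSION_RE = re.compile(r"SessionID=(\S+)")

# Constructed sample export; hostnames, timestamps and session ids are made up.
SAMPLE_LOG = """\
2022-02-22T09:01:12Z ise-psn1 SessionID=0A000001 Extracted EAP-TLS client certificate
2022-02-22T09:01:12Z ise-psn1 SessionID=0A000001 ISE will continue to CRL verification...
2022-02-22T09:01:12Z ise-psn1 SessionID=0A000001 Authentication succeeded
2022-02-22T09:03:40Z ise-psn1 SessionID=0A000002 ISE will continue to CRL verification...
2022-02-22T09:03:40Z ise-psn1 SessionID=0A000002 CRL verification Bypassed
2022-02-22T09:05:02Z ise-psn2 SessionID=0A000003 ISE will continue to CRL verification...
2022-02-22T09:05:02Z ise-psn2 SessionID=0A000003 CRL verification Bypassed
"""


def audit_crl_verification(log_text):
    """Group step lines by SessionID and report which sessions reached the CRL
    step and which of those were bypassed because no current CRL was available."""
    reached = set()
    bypassed = set()
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if not m:
            continue  # not a per-session step line
        sid = m.group(1)
        if CONTINUE_MARKER in line:
            reached.add(sid)
        if BYPASS_MARKER in line:
            bypassed.add(sid)
    return {
        "reached_crl_step": sorted(reached),
        # Reached the step with no bypass message: the CRL was actually consulted.
        "crl_checked": sorted(reached - bypassed),
        "crl_bypassed": sorted(bypassed),
        # Any bypass means a certificate was accepted without a revocation check;
        # treat it as an alert condition alongside the Dashboard download alarm.
        "alert": bool(bypassed),
    }


if __name__ == "__main__":
    for key, value in audit_crl_verification(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```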