cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1439
Views
0
Helpful
1
Replies

ISE and CRL

rmeans
Level 3
Level 3

I am in the process of implementing 802.1x for our wired infrastructure.  Laptops are using certificates from a local CA for authentication.  I am at the point of implementing CRL.  I successfully added the CRL settings but I am finding there are some details that could be adjusted to improve security.

 

My CA server has two CRL: a long term CRL and a delta.  The delta is set to update twice a day.  The long term CRL updates weekly.  Can ISE point to both?  If so, how?  If not, which CRL is recommended?

 

My ISE server is set to check for a new CRL every 2 hours.  In addition, I have ISE check ongoing sessions against the CRL set for every 2 hours.

 

I feel like the time settings on my ISE server are reasonable.  I think the CA's CRL updates should be more frequent.  I don't see the value in the delta CRL.  Any recommendations on the frequency?

 

I have asked my CA administrator about OCSP.  They haven't implemented OCSP at this point.

 

 

1 Accepted Solution

Accepted Solutions

Aileron88
Level 1
Level 1

Hi,

 

As far as I’m aware ISE does not support Delta CRLs. 

Thanks

View solution in original post

1 Reply 1

Aileron88
Level 1
Level 1

Hi,

 

As far as I’m aware ISE does not support Delta CRLs. 

Thanks