ISE and CRL

rmeans
Level 3

I am in the process of implementing 802.1x for our wired infrastructure. Laptops are using certificates from a local CA for authentication. I am at the point of implementing CRL. I successfully added the CRL settings but I am finding there are some details that could be adjusted to improve security.

My CA server has two CRLs: a long term CRL and a delta. The delta is set to update twice a day. The long term CRL updates weekly. Can ISE point to both? If so, how? If not, which CRL is recommended?

My ISE server is set to check for a new CRL every 2 hours. In addition, I have ISE check ongoing sessions against the CRL set for every 2 hours.

I feel like the time settings on my ISE server are reasonable. I think the CA's CRL updates should be more frequent. I don't see the value in the delta CRL. Any recommendations on the frequency?

I have asked my CA administrator about OCSP. They haven't implemented OCSP at this point.

Accepted Solution

Aileron88
Level 1

Hi,

As far as I’m aware ISE does not support Delta CRLs.

Thanks
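If ISE cannot consume delta CRLs, as the reply above says, it helps to confirm which of the CA's two published files is the base CRL and how long each one is valid. The following is an added example, not part of the original thread and not Cisco or CA vendor code: it looks for the Delta CRL Indicator extension (OID 2.5.29.27, RFC 5280) and reads thisUpdate/nextUpdate, using constructed sample CRLs whose issuer name, dates and dummy signature are assumptions chosen to mirror the weekly and twice-daily schedule in the question.

```python
# Added example: classify a DER CRL as base or delta (RFC 5280) and read its
# validity window. Structure-only parsing; the signature is NOT verified.
from datetime import datetime, timezone

DELTA_CRL_INDICATOR = bytes.fromhex("551d1b")  # OID 2.5.29.27

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):  # 0x17 = UTCTime, 0x18 = GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_info(der):
    tbs = children(children(read_tlv(der, 0)[1])[0][1])  # fields of TBSCertList
    times = [parse_time(t, v) for t, v in tbs if t in (0x17, 0x18)]
    exts = [v for t, v in tbs if t == 0xA0]  # crlExtensions [0] EXPLICIT
    oids = [children(e)[0][1] for _, e in children(children(exts[0])[0][1])] if exts else []
    return {"delta": DELTA_CRL_INDICATOR in oids, "this_update": times[0],
            "next_update": times[1] if len(times) > 1 else None}

def tlv(tag, body):  # encoder for the constructed sample only (bodies < 128 bytes)
    return bytes([tag, len(body)]) + body

def sample_crl(delta):  # constructed sample; issuer, dates and signature are made up
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0C, b"Lab CA"))))
    exts = tlv(0x30, tlv(0x06, bytes.fromhex("551d14")) + tlv(0x04, tlv(0x02, b"\x07")))  # cRLNumber
    if delta:  # critical deltaCRLIndicator naming base CRL number 5
        exts += tlv(0x30, tlv(0x06, DELTA_CRL_INDICATOR) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x02, b"\x05")))
    nxt = b"240101120000Z" if delta else b"240108000000Z"
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + name + tlv(0x17, b"240101000000Z")
              + tlv(0x17, nxt) + tlv(0xA0, tlv(0x30, exts)))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00\x00"))
```

To run `crl_info` on a real CRL, pass it the DER bytes of the file (convert from PEM first if the CA publishes PEM); a result with `delta` set to true identifies the file that should not be the one configured in ISE.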
