05-28-2020 06:41 AM
I am in the process of implementing 802.1x for our wired infrastructure. Laptops are using certificates from a local CA for authentication. I am at the point of implementing CRL. I successfully added the CRL settings but I am finding there are some details that could be adjusted to improve security.
My CA server has two CRLs: a long term CRL and a delta. The delta is set to update twice a day. The long term CRL updates weekly. Can ISE point to both? If so, how? If not, which CRL is recommended?
My ISE server is set to check for a new CRL every 2 hours. In addition, I have ISE check ongoing sessions against the CRL set for every 2 hours.
I feel like the time settings on my ISE server are reasonable. I think the CA's CRL updates should be more frequent. I don't see the value in the delta CRL. Any recommendations on the frequency?
I have asked my CA administrator about OCSP. They haven't implemented OCSP at this point.
05-28-2020 03:40 PM
Hi,
As far as I’m aware, ISE does not support Delta CRLs.
Thanks