cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

926
Views
0
Helpful
2
Replies
bikespace
Beginner

ISE Certificate Revocation List

Hi All,

I've got a split domain setup, with 8 ISE nodes on the inside network, and 2 nodes on a DMZ in a different DNS domain.

When we first set this up a few months ago, it turned out that there was a bug that didn't allow multiple domains, and we tested a workaround at the time, so I'm guessing it's not too common yet (recent code releases (patch 4 and 1.1.2) fixed this issue, but.....

I've configured a CRL for the CA certs from the internal domain.

The ISE's on the DMZ have nothing to do with the internal domain, so I wouldn't have expected them to be interested in the CRL which is associated with a certificate (and chain) used on internal ISE's only.

Unfortunately though the DMZ ISE's are also trying to get to the CRL URL which is not accessible from the DMZ, so flagging up masses of errors. Any way of stopping individual PSN's from trying to do this?

Incidentally, even though the timeout to retry the download is hours, the external nodes seem to be retrying every 2-4 minutes.

I had to delete 18000 alarms today, so wasn't too pleased to find that you can only delete alarms 100 at a time???????????????

Cheers

2 REPLIES 2
jw.sl9
Beginner

A few questions:   

  • Are you using the same CA for each ISE? 
  • MS Enterprise CA?
  • I presume these are all part of the same deployment? 
  • You allow the Admin node to communicate with the DMZ nodes?

I hope you find this information useful, if it was satisfactory  for you, please mark the question as Answered.

Please rate post you consider useful.
-James


I hope you find this information useful, if it was satisfactory for you, please mark the question as Answered. Please rate post you consider useful. -James
bikespace
Beginner

The internal nodes all use the same CA. The problem seems to be that even though the DMZ nodes have no need for the certificate in question, they still attempt download of the CRL.
The DMZ nodes use an external CA for which no CRL is currently set up.
All one deployment, split domain.
Admin talking to PSN through firewall. That communication is fine, but no way will DMZ node be able to talk to the internal CA.

Sent from Cisco Technical Support iPhone App

Content for Community-Ad