ISE Certificate Revocation List

bikespace
Level 1

Hi All,

I've got a split domain setup, with 8 ISE nodes on the inside network, and 2 nodes on a DMZ in a different DNS domain.

When we first set this up a few months ago, it turned out that there was a bug that didn't allow multiple domains, and we tested a workaround at the time, so I'm guessing it's not too common yet (recent code releases (patch 4 and 1.1.2) fixed this issue, but...).

I've configured a CRL for the CA certs from the internal domain.

The ISEs on the DMZ have nothing to do with the internal domain, so I wouldn't have expected them to be interested in the CRL, which is associated with a certificate (and chain) used on internal ISEs only.

Unfortunately, though, the DMZ ISEs are also trying to get to the CRL URL, which is not accessible from the DMZ, so they are flagging up masses of errors. Is there any way of stopping individual PSNs from trying to do this?

Incidentally, even though the timeout to retry the download is hours, the external nodes seem to be retrying every 2-4 minutes.

I had to delete 18000 alarms today, so I wasn't too pleased to find that you can only delete alarms 100 at a time?

Cheers
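The two symptoms in the post (DMZ nodes retrying an unreachable CRL URL every few minutes, and an alarm flood too large to inspect by hand) can be checked from the alarm export rather than from the GUI. The following Python script is an added example, not part of the original thread and not Cisco's code; it uses a constructed, hypothetical alarm line format and a constructed sample, and assumes a configured CRL retry interval of 4 hours. It groups CRL download failures by node and CRL URL, measures the observed interval between retries, and flags every node/URL pair that is retrying far more often than the configured interval, which is exactly what identifies the DMZ nodes that should never have been checking that CRL.

```python
"""Aggregate CRL-download-failure alarms per node/URL and compare the observed
retry interval with the configured one.  Added example; alarm format is
hypothetical and the sample data is constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumption: the CRL download retry interval configured on the PSNs is 4 hours.
CONFIGURED_RETRY_SECONDS = 4 * 3600

# Constructed CRL URL for the internal issuing CA (not a real host).
CRL_URL = "http://ca.corp.example/crl/issuing.crl"

# Constructed sample alarm export, hypothetical layout:
#   "<date> <time> <node> <message>"
# Two DMZ nodes retry every 2-4 minutes; one internal node logs a single failure;
# one unrelated alarm is present to show that it is filtered out.
SAMPLE_ALARMS = f"""\
2013-03-04 08:00:00 ise-dmz-1 CRL download failed: {CRL_URL}
2013-03-04 08:01:00 ise-dmz-2 CRL download failed: {CRL_URL}
2013-03-04 08:02:00 ise-int-1 CRL download failed: {CRL_URL}
2013-03-04 08:02:30 ise-int-1 Replication completed
2013-03-04 08:03:00 ise-dmz-1 CRL download failed: {CRL_URL}
2013-03-04 08:05:00 ise-dmz-2 CRL download failed: {CRL_URL}
2013-03-04 08:06:00 ise-dmz-1 CRL download failed: {CRL_URL}
2013-03-04 08:07:00 ise-dmz-2 CRL download failed: {CRL_URL}
2013-03-04 08:10:00 ise-dmz-1 CRL download failed: {CRL_URL}
2013-03-04 08:13:00 ise-dmz-1 CRL download failed: {CRL_URL}
"""

MARKER = "CRL download failed: "


def parse_alarms(text):
    """Return {(node, crl_url): [timestamps...]} for CRL failure alarms only."""
    events = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            date, time, node, message = line.split(" ", 3)
        except ValueError:
            continue  # malformed line, ignore it
        if MARKER not in message:
            continue  # not a CRL failure alarm
        url = message.split(MARKER, 1)[1].strip()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events[(node, url)].append(ts)
    return dict(events)


def observed_intervals(timestamps):
    """Seconds between consecutive failures for one node/URL pair."""
    ordered = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]


def summarize(events, configured_retry_seconds=CONFIGURED_RETRY_SECONDS):
    """Per node/URL: failure count, median retry gap, and whether the node is
    retrying faster than the configured interval (the symptom in the post)."""
    summary = {}
    for key, timestamps in events.items():
        gaps = observed_intervals(timestamps)
        med = median(gaps) if gaps else None  # a single failure has no gap
        summary[key] = {
            "count": len(timestamps),
            "median_gap_s": med,
            "retrying_too_fast": med is not None and med < configured_retry_seconds,
        }
    return summary


def nodes_to_review(summary):
    """Nodes whose CRL retries are both failing and far too frequent."""
    return sorted({node for (node, _url), s in summary.items() if s["retrying_too_fast"]})


if __name__ == "__main__":
    result = summarize(parse_alarms(SAMPLE_ALARMS))
    for (node, url), s in sorted(result.items()):
        print(f"{node:10} {s['count']:3} failures  median gap {s['median_gap_s']}s  "
              f"too fast: {s['retrying_too_fast']}  ({url})")
    print("review CRL settings for:", ", ".join(nodes_to_review(result)))
```

Against the constructed sample the two DMZ nodes show a median gap of 180 seconds against a configured 14400, while the internal node has a single failure and no gap, so only ise-dmz-1 and ise-dmz-2 are reported for review. On a real export, replace the sample text with the file contents and adjust the parser to the actual alarm layout.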

2 Replies

jw.sl9
Level 1

A few questions:

  • Are you using the same CA for each ISE?
  • MS Enterprise CA?
  • I presume these are all part of the same deployment?
  • You allow the Admin node to communicate with the DMZ nodes?

I hope you find this information useful; if it was satisfactory for you, please mark the question as Answered.

Please rate posts you consider useful.
-James


bikespace
Level 1

The internal nodes all use the same CA. The problem seems to be that even though the DMZ nodes have no need for the certificate in question, they still attempt to download the CRL.
The DMZ nodes use an external CA for which no CRL is currently set up.
All one deployment, split domain.
Admin talking to PSN through the firewall. That communication is fine, but there is no way the DMZ nodes will be able to talk to the internal CA.

Sent from Cisco Technical Support iPhone App