
ISE CRL Distribution URL using LDAP Path

dm2020
Level 1

Hi All,

Does anyone know if ISE supports CRL checking from an LDAP path as opposed to an HTTP path? I have looked through the documentation and I can't see this mentioned anywhere.

Thank you

Accepted Solution

hslai
Cisco Employee

ISE validates CRLs for two purposes, and each is done in its own way.

1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked; the URL can be an LDAP URL, but only anonymous binding works.

2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL Distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works if using an LDAP URL.

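A defender-side check that follows from the point above that ISE only uses anonymous LDAP binds. The Python below is an added example, not code from the thread or from Cisco; it uses only the standard library, the CDP URIs are constructed placeholders, and it goes one step beyond the thread by also flagging the host-less `ldap:///` form that Active Directory CAs commonly write into certificates, which an anonymous-only client cannot bind to at all.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample CDP URIs shaped like those a Windows enterprise CA writes into
# issued certificates (hostnames and DNs are placeholders): HTTP, LDAP with a host, and host-less LDAP.
AD_DN = ("CN=Corp-CA,CN=dc1,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
         "CN=Configuration,DC=example,DC=com")
AD_TAIL = "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
SAMPLE_CDPS = [
    "http://pki.example.com/CertEnroll/Corp-CA.crl",
    "ldap://dc1.example.com/" + AD_DN + AD_TAIL,
    "ldap:///" + AD_DN + AD_TAIL,
]

CRL_ATTR = "certificateRevocationList"  # directory attribute holding the CRL blob


def parse_ldap_url(uri):
    """Split an RFC 4516 LDAP URL into what an anonymous CRL fetch needs."""
    p = urlsplit(uri)
    # After the DN the URL is '?'-separated: attributes?scope?filter
    fields = p.query.split("?") if p.query else []
    attrs = fields[0].split(",") if fields and fields[0] else []
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    return {"host": p.hostname or "",
            "port": p.port or (636 if p.scheme.lower() == "ldaps" else 389),
            "base_dn": unquote(p.path.lstrip("/")),
            "attributes": attrs, "scope": scope}


def assess_cdp(uris):
    """One verdict per CDP URI: can a client with no LDAP credentials use it?"""
    verdicts = []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme in ("http", "https"):
            verdicts.append({"uri": uri, "kind": "http", "usable": True,
                             "reason": "plain HTTP(S) download, no bind needed"})
            continue
        if scheme not in ("ldap", "ldaps"):
            raise ValueError("unsupported CDP scheme: " + uri)
        v = {"uri": uri, "kind": "ldap", **parse_ldap_url(uri)}
        if not v["host"]:
            # RFC 4516 leaves server choice to the client when the host is empty,
            # so a checker that only has the URL has nowhere to bind.
            v.update(usable=False, reason="host-less LDAP URL, no server to bind to")
        elif CRL_ATTR not in v["attributes"]:
            v.update(usable=False, reason="URL does not request " + CRL_ATTR)
        else:
            v.update(usable=True, reason=f"needs anonymous read of {CRL_ATTR} on {v['host']}:{v['port']}")
        verdicts.append(v)
    return verdicts
```

Run `assess_cdp` over the CDP URIs pulled from a CA's issued certificates to see, before enabling CRL checking, which ones an anonymous-only client can actually fetch and which directory servers must permit anonymous reads of the CRL attribute.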

2 Replies

Arne Bier
VIP

Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default, ISE looks into the CDP (CRL Distribution Point) and picks out the LDAP URL and tries to bind to it. It fails of course because there is no setup for this option. I don't know if this is still the case in ISE 2.6. The manual option is to specify an HTTP URL and I don't see any options to bind to an LDAP repository.
