02-17-2020 08:51 AM
Hi All,
Does anyone know if ISE supports CRL checking from an LDAP path as opposed to an HTTP path? I have looked through the documentation and I can't see this mentioned anywhere.
Thank you
02-21-2020 01:43 PM
ISE validates CRLs for two purposes, and each is done its own way.
1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked, and the URL can be an LDAP URL, but only anonymous binding works.
2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL Distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works if using an LDAP URL.
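As an added illustration (not from this thread or from Cisco): since ISE only binds anonymously to an LDAP CRL distribution point, a useful pre-check before configuring one is to parse the LDAP URL taken from the certificate's CDP extension and confirm the directory accepts an LDAPv3 anonymous simple bind. The code below uses only the Python standard library and hand-built BER; the hostname and DN in the comments are constructed examples.

```python
import socket
from urllib.parse import unquote, urlsplit

def parse_ldap_cdp(url):
    """Split an RFC 4516 LDAP URL (the form found in a certificate's CRL
    Distribution Points extension) into host, port, base DN, attrs, scope."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %s" % url)
    fields = parts.query.split("?") if parts.query else []
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme.lower() == "ldaps" else 389),
        "base_dn": unquote(parts.path.lstrip("/")),  # DN follows the first '/'
        "attrs": fields[0].split(",") if fields and fields[0] else [],
        "scope": fields[1] if len(fields) > 1 and fields[1] else "base",
    }

def _ber(tag, payload):
    """Encode one BER TLV; short-form length is enough for a bind request."""
    return bytes([tag, len(payload)]) + payload

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at pos (long-form length ok)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_bind_result(resp):
    """Return resultCode from LDAPMessage{ msgID, BindResponse{ ENUM code, ... } }."""
    _, p, _ = _tlv(resp, 0)                      # outer SEQUENCE
    _, _, p = _tlv(resp, p)                      # skip messageID
    tag, p, _ = _tlv(resp, p)
    if tag != 0x61:                              # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % tag)
    _, p, end = _tlv(resp, p)                    # resultCode ENUMERATED
    return int.from_bytes(resp[p:end], "big")

def anonymous_bind_result(host, port=389, timeout=5):
    """LDAPv3 simple bind with empty DN and empty password (anonymous). 0 means
    the server accepts it, the only bind ISE attempts against an LDAP CDP."""
    bind = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, b"") + _ber(0x80, b""))
    msg = _ber(0x30, _ber(0x02, b"\x01") + bind)  # messageID 1 + BindRequest
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(msg)
        return parse_bind_result(s.recv(4096))
```

Run `anonymous_bind_result(info["host"], info["port"])` on the parsed URL; any non-zero resultCode (for example 49, invalidCredentials) means ISE's anonymous-only CRL fetch from that CDP would also fail.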
02-17-2020 06:11 PM
Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default, ISE looks into the CDP (CRL Distribution Point) and picks out the LDAP URL and tries to bind to it. It fails of course because there is no setup for this option. I don't know if this is still the case in ISE 2.6. The manual option is to specify an HTTP URL and I don't see any options to bind to an LDAP repository.