cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1208
Views
5
Helpful
2
Replies

ISE CRL Distribution URL using LDAP Path

dm2020
Level 1
Level 1

Hi All,

 

Does anyone know if ISE supports CRL checking from an LDAP path as opposed to a http path? I have looked through the documentation and I cant see this mentioned anywhere.

 

Thank you

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

ISE validates CRLs for two purposes and each done its own way.

1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked and the URL can be of LDAP but only anonymous binding works.

2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works, if using LDAP URL.

 

View solution in original post

2 Replies 2

Arne Bier
VIP
VIP

Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default, ISE looks into the CDP (CRL Distribution Point) and picks out the LDAP URL and tries to bind to it. It fails of course because there is no setup for this option. I don't know if this is still the case in ISE 2.6.  The manual option is to specify a http URL and I don't see any options to bind to an LDAP repository.

hslai
Cisco Employee
Cisco Employee

ISE validates CRLs for two purposes and each done its own way.

1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked and the URL can be of LDAP but only anonymous binding works.

2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works, if using LDAP URL.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: