dm2020
Beginner

ISE CRL Distribution URL using LDAP Path

Hi All,

Does anyone know if ISE supports CRL checking from an LDAP path as opposed to an HTTP path? I have looked through the documentation and I can't see this mentioned anywhere.

Thank you

Accepted Solution
hslai
Cisco Employee

ISE validates CRLs for two purposes, and each is done in its own way.

1. A CRL configured with a trusted root CA. This is to validate the end-entity certificates issued by this CA chain for EAP-TLS or other cert-based authentications, etc. For this, only the configured CRL is checked, and the URL can be LDAP, but only anonymous binding works.

2. Auto-validation of ISE server certificates used for inter-ISE-node communications. For this, ISE extracts the CRL Distribution Point (CDP) from the server certificates and attempts to validate. Again, only anonymous binding works if using an LDAP URL.


2 Replies
Arne Bier
VIP Advisor

Ages ago I looked into the logs to figure out how CRL works in ISE, and I noticed that by default ISE looks into the CDP (CRL Distribution Point), picks out the LDAP URL and tries to bind to it. It fails, of course, because there is no setup for this option. I don't know if this is still the case in ISE 2.6. The manual option is to specify an HTTP URL, and I don't see any options to bind to an LDAP repository.
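Both the accepted solution and the reply above come down to the same mechanics: ISE takes the LDAP URL out of the certificate's CDP extension (or out of the trusted-CA CRL configuration) and can only bind anonymously. The following is an added example, not code from the original thread or from Cisco. It parses an RFC 4516 LDAP URL into the pieces a CRL fetcher needs, flags the two things that defeat an anonymous fetch (credentials embedded in the URL, which RFC 4516 has no syntax for, and a host-less `ldap:///` URL of the kind AD CS emits by default, which leaves the client to guess the directory server), and builds the equivalent anonymous `ldapsearch -x` command so you can confirm from another host that the directory serves `certificateRevocationList` without a bind DN. The sample URL, host names and DNs are constructed for the example.

```python
"""Parse an LDAP CRL Distribution Point (CDP) URL the way a CRL fetcher
must, and build the anonymous ldapsearch command that checks whether the
directory really hands out the CRL without a bind DN."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# RFC 4516 scope keywords; an empty scope field means "base".
SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


@dataclass
class LdapCdp:
    scheme: str
    host: Optional[str]        # None for "ldap:///..." URLs with no host part
    port: int
    base_dn: str
    attributes: List[str]
    scope: str
    filter: str
    warnings: List[str] = field(default_factory=list)


def parse_ldap_cdp(url: str) -> LdapCdp:
    """Split an RFC 4516 URL: scheme://host:port/dn?attrs?scope?filter?exts."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url}")
    warnings: List[str] = []

    # RFC 4516 carries no credentials; anything in userinfo is non-standard
    # and a fetcher that binds anonymously (as ISE does) will not use it.
    if parts.username is not None or parts.password is not None:
        warnings.append("credentials embedded in URL are ignored: "
                        "CRL retrieval uses an anonymous bind")
    host = parts.hostname
    if not host:
        warnings.append("URL has no host part (ldap:///): the client must "
                        "already know which directory server to query")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)

    base_dn = unquote(parts.path.lstrip("/"))

    # The query holds up to four '?'-separated fields, each optional.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs_raw, scope_raw, filter_raw = fields[0], fields[1], fields[2]

    attributes = [unquote(a) for a in attrs_raw.split(",") if a]
    if not attributes:
        warnings.append("no attribute requested; a CDP URL normally names "
                        "certificateRevocationList")
    elif not any(a.split(";")[0] == "certificateRevocationList" for a in attributes):
        warnings.append("requested attribute is not certificateRevocationList")

    if scope_raw not in SCOPES:
        raise ValueError(f"invalid scope {scope_raw!r}")
    scope = SCOPES[scope_raw]

    # Filters in CDP URLs are often written without the outer parentheses.
    flt = unquote(filter_raw) or "(objectClass=*)"
    if not flt.startswith("("):
        flt = f"({flt})"

    return LdapCdp(parts.scheme, host, port, base_dn, attributes, scope, flt, warnings)


def ldapsearch_command(cdp: LdapCdp, fallback_host: Optional[str] = None) -> str:
    """Equivalent anonymous query: -x with no -D/-w is a simple anonymous bind."""
    host = cdp.host or fallback_host
    if host is None:
        raise ValueError("URL has no host and no fallback_host was given")
    attrs = " ".join(shlex.quote(a) for a in cdp.attributes)
    cmd = (f"ldapsearch -x -LLL -H {cdp.scheme}://{host}:{cdp.port} "
           f"-b {shlex.quote(cdp.base_dn)} -s {cdp.scope} {shlex.quote(cdp.filter)}")
    return f"{cmd} {attrs}" if attrs else cmd


if __name__ == "__main__":
    # Constructed sample in the shape of an AD CS default LDAP CDP (no host).
    sample = ("ldap:///CN=Example%20Issuing%20CA,CN=ca01,CN=CDP,"
              "CN=Public%20Key%20Services,CN=Services,CN=Configuration,"
              "DC=example,DC=com?certificateRevocationList?base"
              "?objectClass=cRLDistributionPoint")
    cdp = parse_ldap_cdp(sample)
    for w in cdp.warnings:
        print("warning:", w)
    print(ldapsearch_command(cdp, fallback_host="dc1.example.com"))
```

If the printed `ldapsearch` command returns the `certificateRevocationList` attribute when run from a host outside the domain, the directory allows the anonymous read that an LDAP CRL URL in ISE depends on; if it comes back with `Operations error` or `Insufficient access` until you add `-D`/`-w`, the directory requires an authenticated bind and ISE's check will fail the same way.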

