Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
726
Views
0
Helpful
2
Replies

Multiple CRLs

Go to solution
obrigg
Cisco Employee
Cisco Employee

‎09-02-2019 11:50 AM

Dear ISE team,

A customer has two CRL servers for redundancy reasons.

Is it possible to direct ISE to two different URLs to download the CRL from?

 

Regards,

Oren.

 

Screen Shot 2019-09-02 at 21.48.43.png

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎09-02-2019 12:02 PM

With OCSP, you can have a primary and secondary.  Not with CRL.  I would recommend using OCSP if at all possible.  It is more efficient and doesn't require ISE to download an entire CRL on an ongoing basis.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎09-02-2019 12:02 PM

With OCSP, you can have a primary and secondary.  Not with CRL.  I would recommend using OCSP if at all possible.  It is more efficient and doesn't require ISE to download an entire CRL on an ongoing basis.

0 Helpful

Go to solution
Arne Bier
VIP
VIP

‎09-02-2019 02:51 PM

If you're lucky enough to have a load balancer, then put up a VIP and have the load balancer farm out the CRL download requests to the servers. Perhaps you could even play some tricks with your DNS - use a CNAME that points to both of your servers. That would ensure that in the event of the first A record not responding, the second one would be used.  Works quite well in other use cases where we need to use a single FQDN for a system with multiple backend hosts.

 

 

0 Helpful
Customers Also Viewed These Support Documents