Proactive alarm for CRL expiration

giosif
Cisco Employee

Hello,

Can someone please confirm whether ISE currently raises a proactive alarm when the latest CRL downloaded is getting near its expiration date?

Basically, I am looking for the same behaviour as the "Certificate Expiration" alarm for certs, but applied to CRLs.

My initial investigation indicates such an alarm doesn't currently exist.

Given that, in the situation where ISE downloads the CRL and it has expired, the default behaviour of ISE is to reject all authentications related to the CA which issued the CRL, I think this kind of proactive alarming would be very useful.

I am aware that, strictly speaking, CRL maintenance is not ISE's role and I also know of the "


2 Replies

hslai
Cisco Employee

ISE downloads the CRL based on the CRL configuration of the trusted certificate, and the download can be either based on minutes before expiration or at a set interval. Also, ISE has an alarm on CRL download failures. There are also alarms on "Secure LDAP connection reconnect due to CRL found revoked certificate" and on "Secure syslog connection reconnect due to CRL found revoked certificate". The complete list is at ISE admin > Administration > System > Settings > Alarm Settings.

If none of the above is sufficient to cover your use case, please open an enhancement bug.

giosif
Cisco Employee

Accepted solution

Thank you for the response!

I think I understand the functionalities you mention above but, in my view, they are all reactive - i.e. after the CRL is downloaded and found expired (or, for the alarms you mention, the CRL was valid but it contained one or more of the certificates used for secure LDAP / Syslog), an alarm is raised.

Also, ISE downloading the CRL minutes before expiration still doesn't proactively alarm on the CRL expiring until it has actually expired.

And, by that time, endpoints are already being denied access to the network.

I will go ahead and raise an enhancement bug.

Thanks again!

UPDATE: For reference, the bug ID for the enhancement is CSCvi09036.
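The proactive CRL check the thread asks for, as an added example that is not part of the original posts or of ISE: it parses the lastUpdate/nextUpdate lines that `openssl crl -noout -lastupdate -nextupdate` prints (the sample output is constructed), raises a warning ahead of nextUpdate instead of after it, and also warns when the next scheduled download would only happen after nextUpdate, the interval-based case hslai's reply describes. The threshold `warn_before` and the `check` helper are assumptions of this example.

```python
"""Proactive CRL nextUpdate check, modelled on the "Certificate Expiration" alarm the
thread asks for. Added example, not code from Cisco ISE. Input is the text printed by
`openssl crl -in <crl.pem> -noout -lastupdate -nextupdate`; the sample is constructed."""
from datetime import datetime, timedelta, timezone

# Constructed sample in the format `openssl crl` prints (not a real CRL).
SAMPLE_OPENSSL_OUTPUT = """\
lastUpdate=Mar 10 08:00:00 2024 GMT
nextUpdate=Mar 17 08:00:00 2024 GMT
"""
OPENSSL_TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_crl_times(openssl_text):
    """Return (thisUpdate, nextUpdate) as aware UTC datetimes.
    nextUpdate is OPTIONAL in RFC 5280, so it may come back as None."""
    fields = {}
    for line in openssl_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("lastUpdate", "nextUpdate"):
            stamp = " ".join(value.split())  # openssl space-pads single-digit days
            fields[key.strip()] = datetime.strptime(stamp, OPENSSL_TIME_FMT).replace(tzinfo=timezone.utc)
    return fields.get("lastUpdate"), fields.get("nextUpdate")

def crl_alarm(next_update, now, next_download=None, warn_before=timedelta(days=1)):
    """Classify the CRL state the way a proactive alarm would.
    EXPIRED        nextUpdate has passed: the state in which ISE rejects every
                   authentication chained to the issuing CA.
    WARNING        nextUpdate is within warn_before, or the next scheduled CRL
                   download would only happen after nextUpdate.
    NO_NEXT_UPDATE the CRL carries no nextUpdate, so there is nothing to expire.
    OK             otherwise."""
    if next_update is None:
        return "NO_NEXT_UPDATE"
    if now >= next_update:
        return "EXPIRED"
    if now + warn_before >= next_update:
        return "WARNING"
    if next_download is not None and next_download >= next_update:
        return "WARNING"
    return "OK"

def check(now_iso, openssl_text=SAMPLE_OPENSSL_OUTPUT, next_download_iso=None):
    """Run the pipeline at a UTC time given as ISO 8601 text; return the state."""
    def utc(iso):
        return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)
    _this_update, next_update = parse_crl_times(openssl_text)
    next_download = utc(next_download_iso) if next_download_iso else None
    return crl_alarm(next_update, utc(now_iso), next_download)
```

Feeding the real `openssl crl` output of the CRL ISE last downloaded into `check` from a cron job gives the warning before the point at which endpoints start being denied.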
