cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Question on logic behind ISE CRL validation (v1.4)

tlenzenh
Cisco Employee
Cisco Employee

Hi Team,

In the current design for my customer we are planning to use Certificate Status Validation for their trusted CA (under Certificates/Trusted Certificates). The customer claims that most CA servers implement the CRL checking in a way that authentications are still processed as long as the current cached CRL is valid and not expired. They don’t understand why ISE stops authenticating/authorising certificate based clients as soon as ISE fails to download the CRL from the CA server.

I explained them the 2 checkbox options for bypass CRL checks or ignore the invalid/expired option but that’s not exactly what they are after. They would think that as long as the locally cached copy of the last CRL download is still valid then we should continue to authenticate/authorise clients.

So they wanted to have someone from the BU providing an explanation for the logic behind that cause they think this is not in favour of running a highly available network.

Thanks in advance

Thomas

3 REPLIES 3

hslai
Cisco Employee
Cisco Employee

Hi Thomas,

What your customer asking looks reasonable to me. Even for a successfully downloaded CRL, ISE will verify the CRL file is signed correctly. Only if the signature verification passes, ISE will replace the previous CRL file issued by the same CA.

Please note that the CRL files do not persist and need re-download when ISE restarts. Perhaps, this is what your customer is seeing.

Regards.

Thanks a lot for the quick reply,

so if that is the case, then the next question the customer had was if what my testing revealed is normal and as per design or a bug...

Basically in my testing, if the CRL download fails then ISE would not authenticate any new clients with certificates. If I enable the bypass option then it will authenticate new clients even if CRL download failed. I believe that is as per design as it works like documented in the 1.4 administrator guide (page 696, table 50).

I guess what they are asking is to have clients still authenticated successfully even if that download fails and the bypass option NOT enabled/ticked. Does ISE cache the last downloaded CRL somewhere until a new download is made?

Specifically the customer said this:

  1. Do they (the BU) agree with our testing that it works the way we found (confirm our test results)
  2. Do they agree that the behaviour is less than optimal ?
  3. Was there a reason or rationale behind this behaviour?
  4. Is it in the roadmap to change?



Thanks again

Thomas


If you have a document or the like detailing how the tests are done (steps, etc.), please unicast me a copy to my Cisco email.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: