Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1418
Views
0
Helpful
3
Replies

Question on logic behind ISE CRL validation (v1.4)

tlenzenh
Cisco Employee
Cisco Employee

‎01-31-2016 08:36 PM

Hi Team,

In the current design for my customer we are planning to use Certificate Status Validation for their trusted CA (under Certificates/Trusted Certificates). The customer claims that most CA servers implement the CRL checking in a way that authentications are still processed as long as the current cached CRL is valid and not expired. They don’t understand why ISE stops authenticating/authorising certificate based clients as soon as ISE fails to download the CRL from the CA server.

I explained them the 2 checkbox options for bypass CRL checks or ignore the invalid/expired option but that’s not exactly what they are after. They would think that as long as the locally cached copy of the last CRL download is still valid then we should continue to authenticate/authorise clients.

So they wanted to have someone from the BU providing an explanation for the logic behind that cause they think this is not in favour of running a highly available network.

Thanks in advance

Thomas

0 Helpful
3 Replies 3

hslai
Cisco Employee
Cisco Employee

‎01-31-2016 10:42 PM

Hi Thomas,

What your customer asking looks reasonable to me. Even for a successfully downloaded CRL, ISE will verify the CRL file is signed correctly. Only if the signature verification passes, ISE will replace the previous CRL file issued by the same CA.

Please note that the CRL files do not persist and need re-download when ISE restarts. Perhaps, this is what your customer is seeing.

Regards.

0 Helpful

tlenzenh
Cisco Employee
Cisco Employee
In response to hslai

‎01-31-2016 11:02 PM

Thanks a lot for the quick reply,

so if that is the case, then the next question the customer had was if what my testing revealed is normal and as per design or a bug...

Basically in my testing, if the CRL download fails then ISE would not authenticate any new clients with certificates. If I enable the bypass option then it will authenticate new clients even if CRL download failed. I believe that is as per design as it works like documented in the 1.4 administrator guide (page 696, table 50).

I guess what they are asking is to have clients still authenticated successfully even if that download fails and the bypass option NOT enabled/ticked. Does ISE cache the last downloaded CRL somewhere until a new download is made?

Specifically the customer said this:

  1. Do they (the BU) agree with our testing that it works the way we found (confirm our test results)
  2. Do they agree that the behaviour is less than optimal ?
  3. Was there a reason or rationale behind this behaviour?
  4. Is it in the roadmap to change?



Thanks again

Thomas


0 Helpful

hslai
Cisco Employee
Cisco Employee
In response to tlenzenh

‎01-31-2016 11:13 PM

If you have a document or the like detailing how the tests are done (steps, etc.), please unicast me a copy to my Cisco email.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents