PIX 501 & certificate revocation list (crl) from microsoft ca

mkalat
Level 1

I have a test environment where I use smartcards with certificates issued by a Microsoft (W2K) CA and Cisco VPN Client 3.5.1 to log on to my network (Active Directory W2K). Everything works fine. However, when I revoke certificates on my CA the client can still log on to the network through the VPN gateway (PIX 501). So the PIX doesn't get the CRL? Or can't handle the CRL? Does anybody know how to configure the PIX 501 so that it obtains the Microsoft CRL?

I use the line:

ca configure acsserver ra 1 20 crloptional

in my config. When I remove crloptional the client can't log on to the network because the PIX 501 rejects the client.

3 Replies

cjacinto
Cisco Employee

Look at the client certificate and see if the certificate revocation point is the same as you have set it up on the MS CA server. The PIX would normally query the CA server for the CRL via LDAP, so you have to make sure the CRL is configured for LDAP publication on the MS CA server.

7pautore
Level 1

Did you declare a CA with the ca identity command? Also make sure that the :ca_script_location has the right path to your CA (verify your certificates and see where they are pointing to).

maha
Level 1

Hi,

I am facing the same problem. I would appreciate the help if you have found any solution for this.

Regards,

maha
