Cannot download CRL to my ISE

Imran Ahmad
Level 2

Hello,

I have ISE 1.2. I have configured everything normally and I can browse to my CRL from any Windows PC, that is OK, but still my ISE cannot download the CRL. I get the following error on my ISE. Please help me, I'm totally stuck on this. I have a standalone CA.

ISE error message:

Alarms: CRL Retrieval Failed

Description:
Unable to retrieve CRL from the server. This could occur if the specified URL is unavailable.

Suggested Actions:
Please ensure that the download URL is correct and is available for the service.

Could not download Certificate Revocation List for certificate with CN=TrustedCA

5 Replies

aqjaved
Level 3
In the Certificate Revocation List Configuration area, do the following:

a. Check the Download CRL check box for the Cisco ISE to download a CRL.

b. Enter the URL to download the CRL from a CA in the URL Distribution text box. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http" or "https."

The CRL can be downloaded automatically or periodically.

c. You can configure the time interval between downloads in minutes, hours, days, or weeks if you want the CRL to be downloaded automatically before the previous CRL update expires.

d. Configure the time interval in minutes, hours, days, or weeks to wait before the Cisco ISE tries to download the CRL again.

e. If you uncheck the Bypass CRL Verification if CRL is not Received check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file. If you check this check box, the client requests will be accepted before the CRL is received.

f. If you uncheck the Ignore CRL that is not yet valid or expired check box, Cisco ISE checks the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected. If you check this check box, Cisco ISE ignores the start date and expiration date and continues to use the not yet active or expired CRL and permits or rejects the EAP-TLS authentications based on the contents of the CRL.

For complete configuration, please check the below link.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

Muhammad Munir
Level 5

Hi Imran,

  • Check to make sure that the CA services are up and running on the CA server.
  • Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.
  • Check if the configuration change is expected.
  • Ensure that the download URL is correct and is available for the service.

For more information, please visit the given link:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mnt.html

blenka
Level 3

CRL Retrieval Failed: Unable to retrieve CRL from the server. This could occur if the specified CRL is unavailable. Ensure that the download URL is correct and is available for the service.

networks.comms
Level 1

We have the same issue and believe it is due to the ISE using the system proxy settings. According to the documentation, it should be possible to add exceptions, but I don't see these fields (ISE 1.2 patch 4).

Step 1 Choose Administration > System > Settings > Proxy.

Step 2 Enter the proxy IP address or DNS-resolvable host name in Proxy Address, and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy Port.

Step 3 Enter the IP Address or Address range of hosts or domains to be bypassed in Bypass Proxy Settings for these Hosts & Domain.

Step 4 Enter the username and password used to authenticate to the proxy servers in the corresponding fields.

Step 5 Click Save.

Karel Navratil
Level 1

I have the same problem: my CRL URL contained spaces, and it looks like ISE has a problem with that. OCSP is a workaround.
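As an added example (not from this thread or from Cisco), a small Python helper for checking offline the three causes raised above before touching the ISE configuration: a distribution URL with spaces (Karel's post), a download that is sent through the system proxy instead of matching the bypass list (networks.comms' post), and a CRL outside its Effective Date / Next Update window (step f in aqjaved's reply). The hostnames, bypass list and dates used are constructed, and the proxy-bypass matching is an approximation of how such a list is usually interpreted, not ISE's own logic.

```python
"""Offline checks for the CRL-retrieval failures discussed in this thread:
a distribution URL ISE rejects (wrong scheme, embedded spaces), a fetch sent
via the system proxy instead of directly to the CA, and a CRL whose Effective
Date / Next Update window excludes 'now'. Written for this page; not ISE code."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit, quote
import urllib.request


def normalize_crl_url(url):
    """Return (ok, url_or_reason); spaces are percent-encoded, scheme checked."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return False, "URL must begin with http or https"
    path, query = quote(parts.path, safe="/%"), quote(parts.query, safe="=&%")
    return True, urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def bypass_proxy(host, exceptions):
    """Is `host` covered by a bypass list of hosts, domain suffixes or CIDRs?
    (Assumed matching rule, constructed for this example.)"""
    host = host.lower()
    for entry in (e.strip().lower() for e in exceptions if e.strip()):
        try:
            if ip_address(host) in ip_network(entry, strict=False):
                return True
        except ValueError:
            pass  # one side is not an IP/CIDR; fall through to the name match
        if host == entry or host.endswith("." + entry.lstrip(".")):
            return True
    return False


def crl_window_status(this_update, next_update, now=None):
    """The same test 'Ignore CRL that is not yet valid or expired' controls."""
    now = now or datetime.now(timezone.utc)
    if now < this_update:
        return "not_yet_valid"
    if next_update is not None and now > next_update:
        return "expired"
    return "valid"


def fetch_crl(url, proxy=None, exceptions=()):
    """Download the CRL honouring the proxy and bypass list; returns DER bytes
    (inspect them with `openssl crl -inform DER -noout -text`)."""
    ok, result = normalize_crl_url(url)
    if not ok:
        raise ValueError(result)
    direct = proxy is None or bypass_proxy(urlsplit(result).hostname, exceptions)
    proxies = {} if direct else {"http": proxy, "https": proxy}  # {} = no proxy
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(result, timeout=10) as resp:
        return resp.read()
```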
