Cisco ISE 1.1.2 and Certification Revocation List (CRL) checking

david.tran
Level 4

All,

I have 4 ISE appliances version 1.1.2 running in my network called nodeA, nodeB, nodeC and nodeD.

- NodeA is Primary Admin and Secondary Monitoring,

- NodeB is Secondary Admin and Primary Monitoring,

- NodeC is Policy node,

- NodeD is Policy node,

The ISE environment is tightly integrated with the company Microsoft Active Directory Windows 2008R2. We import the company-issued cert into the ISE for PEAP and CRL checking.

Question: How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?

I also have an ACS environment that is also tightly integrated with Microsoft AD. How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?

What will happen to the ISE and ACS environment if the CA Server becomes unavailable?

I can't seem to find this question in either ISE or ACS documentation anywhere. 

Thank you.

1 Reply

Max Wooks
Level 1

 

How often does the ISE perform CRL checking with the Certificate Authority (CA) Server?

ISE checks CRL based on how you configure it. Admin > Certificates > Cert Store: select your CA. From there you'll be able to edit the cert info. The last option is the CRL Configuration. You can set the download frequency.

How often does the ACS perform CRL checking with the Certificate Authority (CA) Server?

System Config > ACS Cert Setup > CRL. From there you'll be able to see/edit.

What will happen to the ISE and ACS environment if the CA Server becomes unavailable?

Most likely the end of the world, but to be honest I'm not really sure. My assumption is that if both the client and the ISE/ACS server already have their respective certs, they should still be able to work. Just no new certs or CRLs would be issued.

 

Documentation Sources:

ACS: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/sau.html

ISE: http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

 

HTH