CRL Validation fails on ACS 5.2.0.26.3

MIKKO JARVELA
Level 1

Hi,

We are using ACS v5.2.0.26.3 for 802.1X certificate-based authentication. Now, when we added CRL functionality to ACS, it fails in CRL validation and gives the following error message:

LastErrorMessage=CRL PKI verification failed

Certificate Revocation list Url=http://crl.download.net/XXXX/deviceCA.crl

We have installed root, device and server certificates from CA, but for management we are still using self-signed certificate.

The question is: which certificate is used when validating the downloaded CRL file, the one used for EAP-TLS or the one used for the management interface?

How can I check which certificate the ACS server is using for CRL validation?

/Mikko

19 Replies

Tarik Admani
VIP Alumni

The CRL is used for the EAP interface, because CRL checking is a necessity to determine which users are still valid and which are revoked. So a CRL for the management interface doesn't apply, because the management interface authenticates the user via the local admin database.

With regard to the CRL URL that you added, can you use the IP address that crl.download.net resolves to and try that instead?

Also, if you go with the IP-based URL, see if you can type it into your browser and whether the CRL file actually downloads.

Thanks,

Tarik

Tarik,

I think that there is a small misunderstanding now.

ACS can download the CRL without any problems, but it fails when it tries to validate the contents of the CRL using PKI. My question was (and still is): which certificate's PKI is used for CRL content validation, the one used for EAP-TLS or the one used for management (https)???

I tried to debug this process, but the only error message related to this problem is the one from SSL informing about the PKI failure.

/Mikko

Another question:

As ACS is using openssl for CRL validation, does ACS also expect the CRL file to be in PEM format (which is the default for openssl)??? In my case the CA is publishing the CRL in DER format, which could cause this problem.

/Mikko

P.S. This is the actual error message from openssl:

Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, Crypto.SSL.verifyCRL - CRL verification failed - Alleged Issuer CN=XXX Root CA, CRL-CN=XXX Device CA,SSL.cpp:829

Crypto,12/08/2011,13:28:11:523,ERROR,3006782368,NIL-CONTEXT,Crypto::Result=48, CryptoLib.CSSL.addCRL - verification failed.,SSL.cpp:360

I am sure we need this file in PEM format, since openssl is what the ACS uses. Please make the changes to the file and try again.

Thanks,

Tarik

Hi,

Converted the DER-formatted CRL file to PEM; still the same error message about the PKI validation failure.

Is there a way to check which CA certificate is used for CRL signature validation??

I'm afraid that ACS is using the self-signed certificate tagged for use with the management connection for CRL signature validation, but I need to verify that first before ordering real certificates for all ACS servers.

/Mikko

Answering to my own question:

1. The CRL is validated against the management certificate.

2. The CRL must be in PEM format.

/Mikko

ajay pandey
Level 1

Hi,

Did you get this problem fixed? I am also facing the same situation at the moment and searching for a solution.

Regards

Ajay

Hi Ajay,

Yes. As ACS has two certificates, one used for the web GUI and one for authentication (EAP-TLS), I noticed that the management certificate is used for CRL validation, not the one used for EAP-TLS.

This is very poorly documented in the ACS manuals, and I hope that Cisco improved the documentation quality in ISE.

So make sure that the management certificate is issued by the CA generating the CRLs; then it works without problems (the EKU has to contain both server and client authentication key usage).

/Mikko

But do we have to configure the CRL URLs somewhere, or should it work automatically?

I am using the same certificate for mgmt & EAP-TLS purposes. I hope it does not cause any problems.

Regards

Ajay

Hi Mikko,

How could we verify that ACS 5.3 is checking the CRL while authenticating the clients? Is there any way to check which CRL is present in ACS 5.3 and whether it is being used while authenticating?

Anyone using CRLs must be checking this. Please suggest asap on this.

Regards

Ajay

Hi Ajay,

Answers to both your questions:

1. The CRL is defined in "Users and Identity Stores"->"Certificate Authorities". As far as I have tested, ACS does not read CRL information from the certificate.

2. You will see a message in the ACS log files if the CRL download/processing fails.

3. I tested CRL processing with a dummy test certificate, which I installed on a test PC, and tried to access the network.

/Mikko

Hello Mikko,

One question regarding

"So make sure that management certificate is granted from CA generating CRLs"

Does this mean that CRL checking should be enabled for the management certificate/CA? (I cannot see the reason why.)

/Karsten

No, I think that I put it the wrong way.

When ACS has downloaded the CRL from the CA (or its frontend), it uses the management certificate chain to check the validity of the downloaded CRL file. So if the management certificate and the CRL do not share the same certificate chain, the CRL is ignored and not processed.

CRL checking only needs to be defined for the CA/certificate used for EAP-TLS authentication (but unfortunately it does not use that information for CRL processing; I hope that this functionality is changed in ISE).

/Mikko
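The two findings of this thread (the CRL must be PEM, and it only validates against a chain that contains the CRL issuer's certificate) can be reproduced outside ACS with openssl. The script below is an added example, not from this thread or from ACS: it builds a throw-away Root CA, a Device CA that publishes a DER CRL, and a self-signed management-style certificate (all names, files and the temp directory are constructed), converts the CRL to PEM and checks which bundle verifies its signature.

```shell
#!/bin/sh
# Added example (not from this thread or ACS): a throw-away PKI that mirrors the thread.
# Root CA -> Device CA (publishes a DER CRL); mgmt.crt is an unrelated self-signed cert.
# All names and files below are constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ caext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = devca
[ devca ]
database = index.txt
certificate = device.crt
private_key = device.key
default_md = sha256
default_crl_days = 7
EOF
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 -extensions caext \
  -subj "/CN=Test Root CA" -keyout root.key -out root.crt 2>/dev/null
openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
  -subj "/CN=Test Device CA" -keyout device.key -out device.csr 2>/dev/null
openssl x509 -req -in device.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.cnf -extensions caext -out device.crt 2>/dev/null
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=acs-mgmt" -keyout mgmt.key -out mgmt.crt 2>/dev/null
cat root.crt device.crt > chain.pem
touch index.txt
# The Device CA publishes its (empty) CRL in DER, as the CA in the thread does.
openssl ca -config ca.cnf -gencrl -out device.crl.pem 2>/dev/null
openssl crl -in device.crl.pem -outform DER -out deviceCA.crl
# DER -> PEM: the conversion the thread ends up needing.
crl_to_pem() { openssl crl -inform DER -in "$1" -outform PEM -out "$2"; }
# Print the CRL issuer DN (compare with "Alleged Issuer" / "CRL-CN" in the ACS log).
crl_issuer() { openssl crl -in "$1" -noout -issuer; }
# Return 0 only if bundle $2 holds the CRL issuer's cert and its key verifies the signature.
crl_verify_ok() { openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; }
crl_to_pem deviceCA.crl deviceCA.pem
crl_issuer deviceCA.pem
crl_verify_ok deviceCA.pem chain.pem && echo "chain.pem (root+device CA): verify OK"
crl_verify_ok deviceCA.pem mgmt.crt  || echo "mgmt.crt (self-signed mgmt cert): FAIL"
crl_verify_ok deviceCA.pem root.crt  || echo "root.crt alone: FAIL (issuer is the Device CA)"
```

The three verify calls show the symptom from the thread: the CRL validates only against a bundle that contains the CRL issuer's certificate, not against the root alone and not against an unrelated self-signed management certificate.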
