Re: CRL Validation fails on ACS 5.2.0.26.3

Hello Mikko,

thanks for clearing this.

Kind regards

Karsten Jaschultowski

--

Dipl.-Ing.

Team Lead

Security Network Services

Tel.: +49 251 7133 2402

Fax: +49 251 7133 92402

Mobile: +49 172 2623879

E-Mail: karsten.jaschultowski@vrnetze.de

VR Netze GmbH

Weseler Straße 480

48163 Münster

www.vrnetze.de

Managing Directors: Winfried Richert, Martin Schauer

Registered office: Münster/Westf., register court: AG Münster, HRB 10235

From: mjarvela

To: Karsten Jaschultowski

Date: 16.04.2012 07:59

Subject: Re: CRL Validation fails on ACS 5.2.0.26.3


CRL Validation fails on ACS 5.2.0.26.3

It actually works in ACS 5.3, and I had verified that it works. In ACS the CRL is downloaded based on the time we specified in the CRL download option, and it checks the client certificate against the CRL list; if the client certificate is revoked and ACS downloaded the CRL after that, it will not fail authentication of that client.

This is basic functionality of CRL and it should always work.

Regards

Ajay


CRL Validation fails on ACS 5.2.0.26.3

Hi Mikko,

Did you have to change the format of the CRL to get it to work with ACS, or was the issue the CA chain used?

(The CRL %20 URL problem is another trip-up point: on ACS the %20 entries in an HTTP CRL path must be converted to whitespace characters.)

I'm using Microsoft PKI and trying to figure out if I have to do 'something' to the format of the CRL to get ACS to be able to read it properly.

Are you using Microsoft PKI and if so how/what did you change with respect to the CRL format?

thanks,

Sez


CRL Validation fails on ACS 5.2.0.26.3

Hi Sez,

I solved this problem by converting the CRL file into .PEM format with openssl, and I'm using this method in two cases: one where we are using Microsoft PKI and another where the CA is Unix based.

We didn't notice any problems with %20 conversion, as I took care that there are no spaces in the CRL URL.

So to summarize, conversion from .DER to .PEM is necessary (and this applies also to ISE installations).

/Mikko


CRL Validation fails on ACS 5.2.0.26.3

Thanks Mikko

But I can't help groaning; you would think that after all this time this would be taken care of under the hood of ACS (and definitely ISE!).

So to have a timely mechanism for CRL propagation for EAP-TLS we have to look at:

Set the Microsoft PKI to publish a new CRL file (not a delta) on, say, a daily basis, and

Set a timed batch job to run openssl after that to do the PEM conversion, and

Set ACS to retrieve the CRL after all that.

Pity there's not an app for that... :-(

ciao,

Sez
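The "timed batch job" Sez sketches above, and the DER-to-PEM conversion Mikko describes, as one added example. This is not code from the thread, from Cisco, or from either poster; it assumes openssl(1) and curl(1) on the host that runs the job, and the CA file, URL and publish path are placeholders you would replace. The script converts a CRL published by the CA (DER as Microsoft PKI writes it, or PEM) to PEM, verifies the CRL signature against the issuing CA before anything is published, and swaps the file into the path ACS/ISE polls atomically so a poll never sees a half-written file. Run with no arguments it builds a throwaway CA and an empty CRL (constructed fixture) and runs the pipeline on it; with three arguments (CRL URL, CA bundle, publish path) it runs the real job.

```shell
#!/bin/sh
# Added example, not from the thread: CRL fetch -> PEM -> verify -> publish job.
# Assumes openssl(1) and curl(1). Paths and URLs are placeholders.
set -eu

# Convert CRL $1 (DER or PEM) to PEM in $2. Fails on anything that is not a CRL.
crl_to_pem() {
    src=$1; dst=$2
    if openssl crl -inform PEM -in "$src" -outform PEM -out "$dst" >/dev/null 2>&1; then
        return 0                      # already PEM; re-emitted in canonical form
    fi
    openssl crl -inform DER -in "$src" -outform PEM -out "$dst" >/dev/null 2>&1
}

# Verify that PEM CRL $1 is signed by a CA in $2, then print its validity window.
# Some openssl releases exit 0 after printing "verify failure", so the message is
# checked as well as the exit status.
check_crl() {
    crl=$1; cafile=$2
    out=$(openssl crl -in "$crl" -noout -verify -CAfile "$cafile" 2>&1) || return 1
    case $out in *"verify OK"*) ;; *) return 1 ;; esac
    openssl crl -in "$crl" -noout -lastupdate -nextupdate
}

# Replace $2 with $1 via rename, so a reader never observes a partial file.
publish_crl() {
    tmp=$(mktemp "$(dirname "$2")/.crl.XXXXXX")
    cp "$1" "$tmp" && chmod 0644 "$tmp" && mv -f "$tmp" "$2"
}

# The thread reports that ACS wants literal spaces where the CDP URL has %20.
acs_crl_url() { printf '%s\n' "$1" | sed 's/%20/ /g'; }

# Fetch $1 (URL exactly as the CA publishes it) into $2. Not used by the demo.
fetch_crl() { curl --fail --silent --show-error --location -o "$2" "$1"; }

# Whole job: source file -> PEM -> verified -> published. Nonzero on any failure.
run_pipeline() {
    src=$1; cafile=$2; dest=$3
    work=$(mktemp)
    if crl_to_pem "$src" "$work" && check_crl "$work" "$cafile" && publish_crl "$work" "$dest"; then
        rm -f "$work"; return 0
    fi
    rm -f "$work"; return 1
}

# Constructed offline fixture: a throwaway CA plus an empty CRL in PEM and DER.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/CN=Example Test CA" -days 30 >/dev/null 2>&1
    printf '[ ca ]\ndefault_ca = t\n[ t ]\ndatabase = %s/index.txt\ndefault_md = sha256\n' "$d" > "$d/ca.cnf"
    : > "$d/index.txt"
    openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" -cert "$d/ca.pem" \
        -crldays 1 -md sha256 -out "$d/crl.pem" >/dev/null 2>&1
    openssl crl -in "$d/crl.pem" -outform DER -out "$d/crl.der"
}

main() {
    if [ $# -eq 3 ]; then               # production: CRL URL, CA bundle, publish path
        raw=$(mktemp)
        fetch_crl "$1" "$raw" && run_pipeline "$raw" "$2" "$3"
        rc=$?; rm -f "$raw"; return $rc
    fi
    d=$(mktemp -d); make_fixture "$d"   # demo on the constructed fixture
    run_pipeline "$d/crl.der" "$d/ca.pem" "$d/published.crl"
    echo "published PEM CRL to $d/published.crl"
}
main "$@"
```

Schedule the job to run shortly after the CA's CRL publication time and set the ACS/ISE CRL download interval shorter than the gap between lastUpdate and nextUpdate that check_crl prints; otherwise the appliance keeps serving an expired CRL, or fails authentications outright, until the next poll.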