Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Create a new article
1479
Views
0
Helpful
0
Comments

Cisco Secure ACS unable to retrieve Certificate Revocation List for an Intermediate certificate authority

TCC_2
Level 10
Level 10

‎06-17-2009 10:12 PM - edited ‎02-21-2020 09:54 PM

Core issue

This issue is due to presence of Cisco bug ID CSCeg20752.

In this issue, ACS passes authentication for EAP-TLS users, even though their certificate is revoked. Normal authentication of users works fine, but the Certificate Revocation List (CRL) is not downloaded or parsed.

This issue is typically observed in multi-tiered CA environment where the certificates are issued and revoked on intermediate CAs that are subordinate to the root CA. In this setup, it is not possible to add the intermediate CA into the Certificate Trust List. This makes it not trust CRLs created by the intermediate CA.

Resolution

Workaround for this issue is to design CA infrastructure as standalone CA or do nor use CRLs.

In order to resolve this issue, upgrade Cisco Secure ACS to software version 3.3(3.11) or later. In order to download the suggested software version, visit Cisco Downloads.


Features & Tasks

Certificate Revocation List (CRL)

Protocol / Ports

EAP-TLS

Labels:
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents