Cisco Community
English
Register
Great changes are coming to Cisco Community in July. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco Secure ACS unable to retrieve Certificate Revocation List for an Intermediate certificate authority

Labels:
1302
Views
0
Helpful
0
Comments
TCC_2
Advocate
‎06-17-2009 10:12 PM
edited on: ‎02-21-2020 ‎09:54 PM

Core issue

This issue is due to presence of Cisco bug ID CSCeg20752.

In this issue, ACS passes authentication for EAP-TLS users, even though their certificate is revoked. Normal authentication of users works fine, but the Certificate Revocation List (CRL) is not downloaded or parsed.

This issue is typically observed in multi-tiered CA environment where the certificates are issued and revoked on intermediate CAs that are subordinate to the root CA. In this setup, it is not possible to add the intermediate CA into the Certificate Trust List. This makes it not trust CRLs created by the intermediate CA.

Resolution

Workaround for this issue is to design CA infrastructure as standalone CA or do nor use CRLs.

In order to resolve this issue, upgrade Cisco Secure ACS to software version 3.3(3.11) or later. In order to download the suggested software version, visit Cisco Downloads.


Features & Tasks

Certificate Revocation List (CRL)

Protocol / Ports

EAP-TLS

0 Helpful
Latest Contents
Firepower 2110 FXOS GUI
Created by derebake on 06-24-2022 07:11 PM
0
0
0
0
Hello. I have a FPR2110-NGFW-K9 that is running cisco-asa-fp2k.9.16.2.14.SPA however I have not yet installed the ASA application. The box is currently just running the fxos lfbff:   I am trying to access the Firepower Chassis Manager GUI. I hav... view more
Changing cipher for ssh access
Created by zshowip on 06-24-2022 01:36 PM
6
5
6
5
Hi We have cisco switch. In order to access these switch (it may be old switch or old CRT)  via ssh, some cipher need to change. Can we change these cipher via the command below to add or delete any of there cipher? the command is like below. I tried... view more
Cisco FDM RA VPN No Internet Access
Created by AhmadZ on 06-24-2022 01:17 PM
10
0
10
0
Hi All, I have configured RA VPN with anyconnect on my Cisco FDM. Whenever I connect to VPN, I have no internet access. What is missing?I also have another question. How can I relate a user to a specific group policy. for example I want user A to hav... view more
User Monitoring with AD on Firepower
Created by 00u18jg7x27DHjRMh5d7 on 06-24-2022 01:00 PM
4
0
4
0
I have been attempting to set up user monitoring on our Cisco Firepower device so we can see usernames instead of IP addresses under monitoring. It works with the VPN connection but not for internal traffic. What could I be overlooking or does this requir... view more
Cisco SSL FIPS mode in ISE 3.1 patch-3
Created by adamscottmaster2013 on 06-24-2022 10:57 AM
0
0
0
0
My SNS-3615 is running ISE 3.1 patch-3 with FIPs mode DISABLED; --> Administration --> System  --> Settings --> FIPs mode disabled. However, from the ISE 3.1 patch-3 server, whenever I ssh into my external CentOS-7 Linux server, that... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Content for Community-Ad