04-03-2020 01:58 PM
Customer using certificate authentication for ASA AnyConnect VPN clients. They have also attempted to enable cert revocation either via CRL (revocation-check crl) or OCSP (revocation-check ocsp). Regardless of how they enable it, clients can still authenticate with revoked certs. The ASDM log shows the following --> "certificate chain was successfully validated with warning revocation status was not checked." MS is the CA. ASA version is 9.6(3)1.
It seems the ASA thinks that it is NOT configured to check for cert revocation.
Any thoughts on what might be misconfigured? Thanks for any help.
04-04-2020 12:59 AM - edited 04-04-2020 01:03 AM
Hi,
Have you checked which CRL method (ldap/http) is enabled and what the certificate says about where the CRL is published?
I had some cases where there were access right problems on the CRL server. There was an IIS configuration that says you must authenticate if you want to read the CRL, and when the ASA tries to get the CRL, IIS gives access denied.
Also I suggest that you try to debug; the command is (if I remember right) crypto ca crl request <Trustpoint>
Here is a nice article on how to configure CRL checking: http://www.securesenses.net/2013/04/cisco-asa-certificate-revocation.html
Br,
Ville
04-04-2020 03:20 AM - edited 04-04-2020 03:21 AM
Hi,
Either you're hitting a bug, or there is something misconfigured. Validate your OCSP/CRL configuration; check this document for reference. Post the output of the following debugs, first for a user with a valid certificate, second for a user with a revoked certificate.
debug crypto ca transactions 7
debug crypto ca messages 7
Regards,
Cristian Matei.
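As an added example (not posted by anyone in this thread), here is an ASA trustpoint fragment placing the permissive form of revocation-check beside the strict form, since the permissive form can produce exactly the "revocation status was not checked" warning while still admitting the client; the trustpoint name and CRL URL are constructed placeholders.

```cisco
! --- permissive: "none" is a fallback method. If the CRL cannot be
! --- fetched (e.g. IIS returns access denied), the ASA skips the check,
! --- logs a warning and still accepts the certificate.
crypto ca trustpoint EXAMPLE-MS-CA
 enrollment terminal
 revocation-check crl none
 crl configure
  policy cdp
  protocol http

! --- strict: no fallback. If the CRL (or OCSP responder) is unreachable
! --- the certificate is rejected, so a revoked cert can never slip in.
crypto ca trustpoint EXAMPLE-MS-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy both
  protocol http
  url 1 http://crl.example.internal/CertEnroll/EXAMPLE-MS-CA.crl
```

After changing the trustpoint, confirm the ASA can actually retrieve the CRL with `crypto ca crl request EXAMPLE-MS-CA` (the command Ville mentions above) before testing with a revoked client certificate.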