Cisco Secure ACS unable to retrieve Certificate Revocation List for an Intermediate certificate authority

Document

Wed, 07/22/2009 - 19:26
Jun 17th, 2009

Core issue

This issue is caused by Cisco bug ID CSCeg20752.

With this bug, ACS passes EAP-TLS authentication for users whose certificates have been revoked. Chain validation itself works, but the Certificate Revocation List (CRL) is never downloaded or parsed, so revocation status is never checked.

This issue is typically observed in a multi-tiered CA environment, where certificates are issued and revoked by intermediate CAs that are subordinate to the root CA. In this setup the intermediate CA cannot be added to the Certificate Trust List, so ACS does not trust CRLs issued by the intermediate CA and ignores them.
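The following script is an added example and is not part of the Cisco document or of any ACS code. It reproduces the two-tier setup described above with the openssl command line tool: a root CA, an intermediate CA that issues and revokes an EAP-TLS client certificate, and a verifier that trusts only the root (as the ACS Certificate Trust List does) and receives the intermediate as chain material. The client certificate is then verified twice: once with the intermediate's CRL consulted, which is what a correct server should do, and once with CRLs ignored, which is the behaviour this bug produces. All names (Example Root CA, Example Issuing CA, alice), file names and the temporary directory layout are assumptions made for the example; it requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the Cisco document): build a root -> intermediate -> client
# PKI, revoke the client certificate on the intermediate, and compare a CRL-aware
# verification with one that ignores CRLs. All names and paths are constructed here.
set -eu

PKI_DIR=$(mktemp -d)

# Minimal openssl config: [req] for key/CSR generation, [v3_ca] for CA extensions
# (cRLSign is what lets a verifier accept a CRL signed by the intermediate), and
# [int_ca] so `openssl ca` can keep the intermediate's index and publish its CRL.
write_config() {
    cat > "$PKI_DIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = int_ca
[ int_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/intermediate.crt
private_key      = $dir/intermediate.key
default_md       = sha256
default_crl_days = 7
policy           = any_policy
[ any_policy ]
commonName = supplied
EOF
}

build_pki() (
    cd "$PKI_DIR"
    mkdir -p newcerts
    touch index.txt
    echo 1000 > serial
    echo 01 > crlnumber
    write_config

    # Root CA: self-signed; the only certificate the verifier trusts directly.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config ca.cnf -extensions v3_ca \
        -subj "/CN=Example Root CA" -keyout root.key -out root.crt 2>/dev/null

    # Intermediate CA, signed by the root; this is the tier that issues and revokes.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=Example Issuing CA" -keyout intermediate.key -out intermediate.csr 2>/dev/null
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -sha256 -extfile ca.cnf -extensions v3_ca -out intermediate.crt 2>/dev/null

    # EAP-TLS client certificate for a constructed user, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
        -subj "/CN=alice" -keyout client.key -out client.csr 2>/dev/null
    openssl x509 -req -in client.csr -CA intermediate.crt -CAkey intermediate.key \
        -CAcreateserial -days 365 -sha256 -out client.crt 2>/dev/null
)

# Record the revocation in the intermediate's database and publish the intermediate's CRL.
revoke_client() (
    cd "$PKI_DIR"
    openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out intermediate.crl 2>/dev/null
)

# Correct behaviour: trust only the root, pass the intermediate as untrusted chain
# material, and check the client certificate against its issuer's CRL. Returns 0 if accepted.
verify_with_crl() (
    cd "$PKI_DIR"
    openssl verify -crl_check -CAfile root.crt -untrusted intermediate.crt \
        -CRLfile intermediate.crl client.crt >/dev/null 2>&1
)

# Behaviour described for the affected ACS release: chain validated, CRL never consulted.
verify_without_crl() (
    cd "$PKI_DIR"
    openssl verify -CAfile root.crt -untrusted intermediate.crt client.crt >/dev/null 2>&1
)

build_pki
revoke_client
if verify_without_crl; then
    echo "CRL ignored:   revoked client certificate ACCEPTED (the CSCeg20752 outcome)"
fi
if verify_with_crl; then
    echo "CRL consulted: client certificate accepted"
else
    echo "CRL consulted: revoked client certificate REJECTED"
fi
```

The second verify call is the one to run against any server that is supposed to enforce revocation: if a certificate that appears in the intermediate's CRL still authenticates, the server is not checking the intermediate's CRL, whatever its logs say about chain validation.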


Resolution

The workaround for this issue is to design the CA infrastructure as a standalone CA (so that certificates are issued and revoked by a CA that can be placed in the Certificate Trust List), or not to use CRLs. Note that the second option leaves revoked certificates accepted, which is the same outcome as the bug itself; only the standalone CA design restores revocation checking.

In order to resolve this issue, upgrade Cisco Secure ACS to software version 3.3(3.11) or later. In order to download the suggested software version, visit Cisco Downloads.


Features & Tasks

Certificate Revocation List (CRL)


Protocol / Ports

EAP-TLS
