Cisco Support Community

New Member

Cannot download CRL to my ISE

Hello,

I have ISE 1.2. I have configured everything normally and I can browse to my CRL from any Windows PC, so that is OK, but still my ISE cannot download the CRL; I get the following error on my ISE. Please help me, I'm totally stuck on this. I have a standalone CA.

ISE error message:

Alarms: CRL Retrieval Failed

Description:
Unable to retrieve CRL from the server. This could occur if the specified url is unavailable.

Suggested Actions:
Please ensure that the download url is correct and is available for the service

Could not download Certificate Revocation List for certificate with CN=TrustedCA

5 REPLIES
Bronze

In the Certificate Revocation List Configuration area, do the following:

a. Check the Download CRL check box for the Cisco ISE to download a CRL.

b. Enter the URL to download the CRL from a CA in the URL Distribution text box. This field will be automatically populated if it is specified in the certificate authority certificate. The URL must begin with "http" or "https."

The CRL can be downloaded automatically or periodically.

c. You can configure the time interval between downloads in minutes, hours, days, or weeks if you want the CRL to be downloaded automatically before the previous CRL update expires.

d. Configure the time interval in minutes, hours, days, or weeks to wait before the Cisco ISE tries to download the CRL again.

e. If you uncheck the Bypass CRL Verification if CRL is not Received check box, all client requests that use certificates signed by the selected CA will be rejected until Cisco ISE receives the CRL file. If you check this check box, the client requests will be accepted before the CRL is received.

f. If you uncheck the Ignore CRL that is not yet valid or expired check box, Cisco ISE checks the CRL file for the start date in the Effective Date field and the expiration date in the Next Update field. If the CRL is not yet active or has expired, all authentications that use certificates signed by this CA are rejected. If you check this check box, Cisco ISE ignores the start date and expiration date and continues to use the not yet active or expired CRL and permits or rejects the EAP-TLS authentications based on the contents of the CRL.

For complete configuration, please check the below link.

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

Cisco Employee

Hi Imran,

  • Check to make sure that the CA services are up and running on the CA server.
  • Replace the certificate. For a trust certificate, contact the issuing Certificate Authority (CA). For a CA-signed local certificate, generate a CSR and have the CA create a new certificate. For a self-signed local certificate, use Cisco ISE to extend the expiration date. You can delete the certificate if it is no longer used.
  • Check if the configuration change is expected.
  • Ensure that the download URL is correct and is available for the service.

For more information, please visit the given link:

http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_mnt.html

New Member

CRL Retrieval Failed: Unable to retrieve CRL from the server. This could occur if the specified CRL is unavailable. Ensure that the download URL is correct and is available for the service.

New Member

We have the same issue and believe it is due to the ISE using the system proxy settings. According to the documentation, it should be possible to add exceptions, but I don't see these fields (ISE 1.2 patch 4)

Step 1 Choose Administration > System > Settings > Proxy.

Step 2 Enter the proxy IP address or DNS-resolvable host name in Proxy Address, and specify the port through which proxy traffic travels to and from Cisco ISE in Proxy Port.

Step 3 Enter the IP Address or Address range of hosts or domains to be bypassed in Bypass Proxy Settings for these Hosts & Domain.

Step 4 Enter the username and password used to authenticate to the proxy servers in the corresponding fields.

Step 5 Click Save.

New Member

I have the same problem; my CRL URL contained spaces and it looks like ISE has a problem with that. OCSP is a workaround.
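The replies above point at three separate things: the CRL configuration options quoted from the Cisco guide (items e and f, which decide what happens when no CRL has arrived or the one on hand is outside its Effective Date / Next Update window), the system proxy and its bypass list, and a CRL URL containing spaces. The following Python block is an added example, not Cisco code and not from any of the posters, that models those three decisions so they can be checked with constructed inputs: it percent-encodes a CDP URL with spaces, matches a CA host against a proxy bypass list, and applies the two check-box settings to an EAP-TLS authentication. Hostnames, serial numbers, dates and the exact bypass-list matching rules are assumptions.

```python
"""Constructed model of the CRL-handling decisions discussed in this thread.

Not Cisco code. It models (1) percent-encoding a CRL distribution point URL that
contains spaces, (2) matching the CA host against the 'Bypass Proxy Settings for
these Hosts & Domain' list, and (3) the effect of 'Bypass CRL Verification if CRL
is not Received' and 'Ignore CRL that is not yet valid or expired' on an EAP-TLS
authentication. Hostnames, serials and dates below are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import ipaddress
from typing import Iterable, Optional, Set, Tuple
from urllib.parse import quote, urlsplit, urlunsplit


def normalise_cdp_url(url: str) -> str:
    """Return the URL with spaces (and other unsafe path characters) percent-encoded.

    A CDP copied from a Windows CA certificate often carries the CA display name
    with spaces in the file name ("Trusted CA.crl"). A browser encodes the space
    silently; a fetcher that sends the raw space produces a malformed request line.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        raise ValueError("CRL URL must begin with http or https: %r" % url)
    # '%' stays safe so an already-encoded URL is not double-encoded.
    path = quote(parts.path, safe="/%")
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, parts.fragment))


def bypass_proxy(host: str, bypass_entries: Iterable[str]) -> bool:
    """True if the CA host should skip the system proxy.

    Entries may be an exact host name, a parent domain (with or without a leading
    '*.'), a single IP address or a CIDR range. The matching rules are an
    assumption made for this example, not ISE's documented behaviour.
    """
    host = host.strip().lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    for raw in bypass_entries:
        entry = raw.strip().lower().rstrip(".")
        if not entry:
            continue
        if addr is not None:
            try:
                if addr in ipaddress.ip_network(entry, strict=False):
                    return True
            except ValueError:
                pass  # a name entry cannot match an IP host
            continue
        domain = entry.lstrip("*.")
        if host == domain or host.endswith("." + domain):
            return True
    return False


@dataclass
class Crl:
    this_update: datetime                    # shown as "Effective Date" in ISE
    next_update: datetime                    # shown as "Next Update" in ISE
    revoked_serials: Set[int] = field(default_factory=set)


@dataclass
class CrlPolicy:
    bypass_if_not_received: bool = False     # "Bypass CRL Verification if CRL is not Received"
    ignore_validity_window: bool = False     # "Ignore CRL that is not yet valid or expired"


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper for building UTC timestamps in the demo and tests."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def evaluate_client_cert(serial: int, crl: Optional[Crl], policy: CrlPolicy,
                         now: datetime) -> Tuple[bool, str]:
    """Accept/reject decision for a client certificate issued by the CA owning `crl`."""
    if crl is None:
        if policy.bypass_if_not_received:
            return True, "no CRL received yet; accepted because bypass is enabled"
        return False, "no CRL received yet; rejected until a CRL is retrieved"
    in_window = crl.this_update <= now < crl.next_update
    if not in_window and not policy.ignore_validity_window:
        return False, "CRL not yet valid or expired; rejected"
    if serial in crl.revoked_serials:
        return False, "serial is listed in the CRL; rejected"
    note = "" if in_window else " (stale CRL used because ignore-validity is enabled)"
    return True, "serial not in CRL; accepted" + note


if __name__ == "__main__":
    print(normalise_cdp_url("http://ca.corp.example/CertEnroll/Trusted CA.crl"))
    print(bypass_proxy("ca.corp.example", ["10.0.0.0/8", "corp.example"]))
    crl = Crl(utc(2014, 5, 31), utc(2014, 6, 7), {0x1001})
    stale = utc(2014, 6, 10)                 # after Next Update
    print(evaluate_client_cert(0x1002, crl, CrlPolicy(), stale))
    print(evaluate_client_cert(0x1002, crl, CrlPolicy(ignore_validity_window=True), stale))
```

Running the block prints the encoded URL (`Trusted%20CA.crl`), `True` for the internal CA host against the bypass list, a rejection for the expired CRL under the default settings, and an acceptance once the ignore-validity box is modelled as checked. The last two lines are the practical trade-off behind items e and f: leaving both boxes unchecked fails closed while the CRL cannot be fetched, which is exactly the outage the original poster sees.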
