Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE 1.2 CRL

Hello,

Quick one this time...

What box is requesting the CRL? the ADM or the PSN?

am right to assum that the port 80 need to be open on the FW  from ADM or PSN  to the CRL location

Thx

1 ACCEPTED SOLUTION

Accepted Solutions
Bronze

Re: ISE 1.2 CRL

ISE    supports two ways of checking the revocation status of a client  or  server   certificate that is issued by a particular CA. The first is  to  validate the   certificate using the Online Certificate Status  Protocol  (OCSP), which makes   a request to an OCSP service maintained  by the CA.  The second is to validate   the certificate against a  Certificate  Revocation List (CRL) which is   downloaded from the CA  into ISE. Both  of these methods can be enabled, in   which case OCSP is  used first, and  only if a status determination cannot be   made then  the CRL is used.

Please check the below links  which can be helpful in configurations:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

2 REPLIES
Bronze

Re: ISE 1.2 CRL

ISE    supports two ways of checking the revocation status of a client  or  server   certificate that is issued by a particular CA. The first is  to  validate the   certificate using the Online Certificate Status  Protocol  (OCSP), which makes   a request to an OCSP service maintained  by the CA.  The second is to validate   the certificate against a  Certificate  Revocation List (CRL) which is   downloaded from the CA  into ISE. Both  of these methods can be enabled, in   which case OCSP is  used first, and  only if a status determination cannot be   made then  the CRL is used.

Please check the below links  which can be helpful in configurations:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_man_cert.html

New Member

ISE 1.2 CRL

Thx Ageel,

After testing, all the box need to be able to acess the CRL, not only the PSN

second fact is that the HTTPS protocol needs to be binded to the CA root Cert in order to Download the CRL.

If your https is binded to a self sign, the Admin node wont be able to DL it

Thx

316
Views
0
Helpful
2
Replies
CreatePlease to create content