
New Member

PIX 501 & certificate revocation list (CRL) from Microsoft CA

I have a test environment where I use smartcards with certificates issued by a Microsoft (W2K) CA and the Cisco VPN Client 3.5.1 to log on to my network (Active Directory, W2K). Everything works fine. However, when I revoke certificates on my CA, the client can still log on to the network through the VPN gateway (PIX 501). So does the PIX not get the CRL? Or can it not handle the CRL? Does anybody know how to configure the PIX 501 so that it obtains the Microsoft CRL?

I use the line:

ca configure acsserver ra 1 20 crloptional

in my config. When I remove crloptional, the client can't log on to the network because the PIX 501 rejects the client.

3 REPLIES
Cisco Employee

Re: PIX 501 & certificate revocation list (crl) from microsoft c

Look at the client certificate and see if the certification revocation point is the same as you have set it up on the MS CA server. The PIX would normally query the CA server for the CRL via LDAP, so you have to make sure the CRL is configured for LDAP publication on the MS CA server.
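The two situations discussed in the question and in the reply above (a revoked smartcard certificate that still authenticates while `crloptional` is set, and every client being rejected once it is removed) both come down to the gateway not being able to obtain the CRL. The script below is an added example, not Cisco PIX code and not taken from this thread: it models that decision and parses a CRL in the text form that `openssl crl -text -noout` prints. The sample CRL, the issuer name `acsserver-CA`, the `example.local` domain and the serial numbers are constructed for the example; treating an expired CRL the same as a missing one is an assumption of the model.

```python
"""Added example: a model of a VPN gateway's certificate-revocation decision.

Not Cisco PIX code.  It models the behaviour the question describes: with
``crloptional`` configured, the gateway still accepts a certificate when it
cannot obtain a CRL, so a revoked smartcard certificate keeps working;
without ``crloptional`` the same failure makes the gateway reject every
client.  The CRL format parsed here mimics ``openssl crl -text -noout``.
"""
import re
from datetime import datetime, timezone

# Constructed sample CRL, shaped like `openssl crl -text -noout` output.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=acsserver-CA, DC=example, DC=local
        Last Update: Jan 10 08:00:00 2003 GMT
        Next Update: Jan 17 08:00:00 2003 GMT
Revoked Certificates:
    Serial Number: 1A2B3C
        Revocation Date: Jan 9 12:30:00 2003 GMT
    Serial Number: 00D4E5F6
        Revocation Date: Jan 10 07:55:00 2003 GMT
"""

TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_crl_text(text):
    """Return (next_update, revoked_serials) from openssl-style CRL text.

    Serials are normalised to integers so that "00D4E5F6" and "D4E5F6"
    (the same serial with and without a leading zero byte) compare equal.
    """
    match = re.search(r"Next Update:\s*(.+)", text)
    if match is None:
        raise ValueError("CRL text has no 'Next Update' field")
    next_update = datetime.strptime(match.group(1).strip(), TIME_FORMAT)
    next_update = next_update.replace(tzinfo=timezone.utc)
    revoked = {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", text)}
    return next_update, revoked


def authorize(serial_hex, crl_text, now, crl_optional):
    """Decide whether a peer certificate passes the revocation check.

    crl_text is None when the gateway could not retrieve a CRL at all
    (wrong distribution point in the certificate, CRL not published where
    the gateway looks, LDAP unreachable).  An expired CRL is treated the
    same way; that equivalence is an assumption of this model.
    Returns (accepted, reason).
    """
    if crl_text is None:
        if crl_optional:
            return True, "crl-unavailable-accepted"  # the symptom in the question
        return False, "crl-unavailable-rejected"     # what happens without crloptional
    next_update, revoked = parse_crl_text(crl_text)
    if now > next_update:
        if crl_optional:
            return True, "crl-stale-accepted"
        return False, "crl-stale-rejected"
    if int(serial_hex, 16) in revoked:
        return False, "revoked"
    return True, "valid"


def thread_scenarios():
    """The four outcomes the thread turns on, keyed by (crl_reachable, crl_optional)."""
    now = datetime(2003, 1, 12, 9, 0, tzinfo=timezone.utc)
    revoked_serial = "1A2B3C"  # constructed: a serial the sample CRL lists as revoked
    return {
        (True, True): authorize(revoked_serial, SAMPLE_CRL_TEXT, now, True),
        (True, False): authorize(revoked_serial, SAMPLE_CRL_TEXT, now, False),
        (False, True): authorize(revoked_serial, None, now, True),
        (False, False): authorize(revoked_serial, None, now, False),
    }


if __name__ == "__main__":
    for (reachable, optional), (accepted, reason) in thread_scenarios().items():
        print(f"CRL reachable={reachable!s:5} crloptional={optional!s:5} -> "
              f"{'ACCEPT' if accepted else 'REJECT'} ({reason})")
```

Running it shows that a revoked serial is only ever rejected when the CRL is actually obtained; when it is not, `crloptional` decides between "accept everyone" and "reject everyone", which is exactly the pair of symptoms in the question. To do the check the reply suggests, `openssl x509 -in client.cer -noout -text` (add `-inform DER` if the export is binary) prints the "X509v3 CRL Distribution Points" extension of the client certificate, and `openssl crl -in issued.crl -inform DER -text -noout` prints a published CRL in the format this parser reads, so the location in the certificate can be compared with where the CA really publishes.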

New Member

Re: PIX 501 & certificate revocation list (crl) from microsoft c

Did you declare a CA with the ca identity command? Also make sure that the :ca_script_location has the right path to your CA (verify your certificates and see where they are pointing to).

New Member

Re: PIX 501 & certificate revocation list (crl) from microsoft c

Hi,

I am facing the same problem. I would appreciate the help if you have found any solution for this.

Regards,

maha
