Working with Certificate Revocation Lists and Cisco ISE
Throughout my time working with Cisco ISE, I’ve come across a few different errors when configuring ISE to perform Certificate Revocation Lists (CRL) lookups using Microsoft’s Public Key Infrastructure (PKI). In this article I would like to show you how we can avoid CRL download issues that could ultimately stop an endpoint from authenticating onto a network when configured for Network Authentication Control (NAC). CRL checking is useful for checking of expired certificates and when an environment has Cisco Identity Services Engine deployed for secure network access, this can be useful for ensuring revoked digital certificates are not reused when they’ve been revoked. CRL lookups can be costly to your network because of the lookups that are performed and Online Certificate Status Protocol (OCSP) can be used as a more efficient way to check revoked certificates. However for the purpose of this article we will focus only on Certificate Revocation Lists. In this article I will demonstrate