Working with Certificate Revocation Lists and Cisco ISE

-

Throughout my time working with Cisco ISE, I’ve come across a few different errors when configuring ISE to perform Certificate Revocation Lists (CRL) lookups using Microsoft’s Public Key Infrastructure (PKI). In this article I would like to show you how we can avoid CRL download issues that could ultimately stop an endpoint from authenticating onto a network when configured for Network Authentication Control (NAC).


CRL checking is useful for checking of expired certificates and when an environment has Cisco Identity Services Engine deployed for secure network access, this can be useful for ensuring revoked digital certificates are not reused when they’ve been revoked.
CRL lookups can be costly to your network because of the lookups that are performed and Online Certificate Status Protocol (OCSP) can be used as a more efficient way to check revoked certificates. However for the purpose of this article we will focus only on Certificate Revocation Lists.

In this article I will demonstrate how to configure Microsoft PKI and Internet Information Services (IIS) so that Cisco ISE can perform successful lookups when a user or machine authenticates to the network. As bugs sometimes affect the way services sometimes work, I have decided to list the software versions I’ll so that you can rule out any potential errors you may be seeing on your deployment of Cisco ISE.
  1. Cisco ISE 2.4 Patch 6
  2. Microsoft Server 2012 R2
Note: This article assumes that your environment is already configured to issue digital certificates.

Microsoft PKI

When ISE is configured to perform CRL lookups against a domain, a valid Certificate Revocation List Distribution Point URL (CRLDP) needs to be configured. The CRLDP should generally be configured for Issuing Certificate Authorities (CA) and this can either be in the form of an LDAP, HTTP or file share path. With that said, this demonstration attempts to keep configuration tasks simple by using the CA on the Domain Controller (DC).

When configured the PKI will publish revoked certificates to the Certificate Distribution Point (CDP). The CDP is in essence a file share that is configured to allow IIS communication with the CA for issuing CRL’s.

To configure a CDP for the CA follow these steps:
  1. On the server that is running your CA, navigate to Server Manager > Tools > Certification Authority

In the details pane click, right click on the name of the CA and select Properties
Select the Extensions tab and click Add to add a new location. In the Location field enter the following: http://crl.domain.co.uk/crlist/ (where <domain.co.uk> it is your domain).
On the same page under the Variable section insert the following variables:
  1. <CaName>
  2. <CRLNameSuffix>
  3. (Optional) <DeltaCRLAllowed>
Once inserted into your location path, finish off by entering .crl and press OK.
Select the URL that you just created and tick the following buttons:
  1. Include in CRLs. Clients use this to find Delta CRL Locations.
  2. Include in the CDP extension of issued certificates
Once selected, click Apply & Click No when asked if you want to restart certificate services.
Now we will configure the file share where the CRL’s will be shared. For the purpose of this demonstration, this is a file share location on the C: drive. Your file share location may be different.

On the same page click Add and enter the folder location of where the file share is located. We also want to add the following variables to the location too:
  1. <CaName>
  2. <CRLNameSuffix>
  3. (Optional) <DeltaCRLAllowed>
Once inserted into your location path, finish off by entering .crl and press OK.
Select the file share that you just created and tick the following buttons:
  1. Publish CRLs to this location
  2. Publish Delta CRLs to this location
Once selected, click Apply & Click Yes when asked if you want to restart certificate services.
If the file share that your referenced doesn’t yet exist, go ahead and create that before continuing.

Now we’ve created a new URL, we need to create a DNS record so that it can be resolved.
Head over to Server Manger > Tools > DNS
Under your domain create a New Host (A or AAAA)… and enter the URL you created earlier: http://crl.domain.co.uk and add the IP address of the CA server.
Close the DNS Manager, we don’t need to do anything else in this section.
Now we need to create the HTTP CRL Distribution to the file share we referenced earlier. To do this we need to make sure that the IIS role is installed. If the IIS role is not yet installed, please proceed to install it by following the instructions on the following link before continuing: https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/installing-iis-8-on-windows-server-2012

Once the IIS role is installed, navigate to Server Manager > Tools > Internet Information Services (IIS) Manager
For the purpose of this demonstration we will used the default web site however if your requirements are different it might be worth creating a new site.

Navigate to your domain > Sites > Default Web Site and right-click Add Virtual Directory. Give your virtual directory an alias and then specify the physical path of your file share.
In the middle pane double-click Directory Browsing and click Enable
In the left pane highlight the Alias folder that you just created and double-click Configuration Editor.

Navigate to system.webServer\security\requestFiltering and change allowDoubleEscaping from False to True.
Click Apply and we are done with IIS.

We now need to enable sharing of the file share. To do this navigate to your file share. For demonstration purposes I will use a folder on the C: drive.

Once on the folder, enter the Properties of the folder and click Sharing > Advanced Sharing and select Share this folder.
Click Permissions > Add > Object Types and select Computers, Groups and Users. Enter the object name for your server and press OK. Under Groups or User names, highlight your server and change the permissions to allow Full Control.
Click Apply and OK and again in Advanced Sharing. Click on the Security tab and click Edit > Object Types and select Computers, Groups and Users. Enter the object name for your server and press OK. Under Groups or User names, highlight your server and change the permissions to allow Full Control.
Click Apply and OK and exit out of the folder properties.
We are pretty much done with the server configurations now but we need to make sure that CRL’s are published to the file share that we’ve configured before moving onto ISE.
To do this navigate to Server Manger > Tools > Certification Authority
Navigate to your domain and right-click on Revoked Certificates > All Tasks > Publish. When prompt to select which type of CRL you would like to publish, select New CRL and press OK.

Now if you head over to the shared folder you should be able to see the revoked certificates. Bare in mind that if your environment doesn’t have any revoked certificates you won’t have anything in your folder. Below is an example of the folder populated with the CRL.

Configuring Cisco ISE for CRL Lookups

When configuring ISE for EAP-TLS the endpoint must trust the ISE certificate and the likewise, the server much trust the client. It is best practice to ensure that the domain Root CA and any intermediate CA’s are stored within the ISE trust store and the ISE full trust chain is trusted by the domain.

With that being said ensure that your ISE PAN has the server Root CA any Issuing CA’s stored in the trust store. You can check this by navigating to Administration > Certificates > Trusted Certificates and comparing certificate serial numbers. If the relevant CA’s are not in the ISE trust store go ahead and import them by clicking Import. You can navigate to the relevant certificates and import them one by one.

When using certificate authentication select the following usage options:
  1. Trust for authentication within ISE
  2. Trust for client authentication and Syslog
Our final step before testing is to enable Certificate Status Validation for the certificate/s that we should run the CRL check against.

Under Certificate Revocation List Configuration select Download CRL and enter the CRL Distribution List URL that was configured earlier when creating the URL. If you’re not familiar with the extensions that were used above, the <CaName> is the name of your Certificate Authority and the other two are not that important in this case. With that being said the URL should be something like the following: http://crl.domain.crld/CaName.crl – You can enter this into your server browser and you should be able to download the CRL.

If you have a preference as to when ISE should retrieve the CRL and how long it should wait if retrieval has failed, make the relevant changes or leave the settings as is.

If you are performing this on a live environment and you encounter issues with the CRL retrieval, machines and users will fail to authenticate to the network if being checked against the distribution URL. You can view any issues in the RADIUS live logs and bypass CRL verification until troubleshooting has been carried out. To bypass CRL verification for a specific certificate, select Bypass CRL Verification if CRL is not Received.

When you are happy with the settings for your trusted certificate, click Save and you are done.

Notable Observations Made

  1. If you decide to use port 443/HTTPS for the CRL URL and you want to issue a certificate ensure it is SHA-256. I’ve seen issues where SHA-1 certs don’t work properly with ISE (Probably a good thing as these are less secure).
  2. Ensure that the domain, URL is bypassed if you employ a proxy in your network.

Testing


To ensure that the CRL verification is working authenticate a machine or user to the network. If successful and CRL bypass is not selected, the machine or user should be able to successfully authenticate (dependent on configured policies). The screenshot below shows a successful user authentication using EAP-TLS with CRL verification on the CA.
As an additional test we can also revoke the user certificate and see what happens when the user needs to re-authenticate. The expected result is that when the CRL is queried, the user should be denied access because the certificate is revoked. This is shown in the screenshot below. 
ACCESS-SW1#show auth sessions int g0/23 details 
            Interface:  GigabitEthernet0/23
          MAC Address:  output omitted
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  user@wizkid.co.uk
               Status:  Unauthorized
               Domain:  UNKNOWN
       Oper host mode:  multi-auth
     Oper control dir:  in
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  AC1000090000001901CC2DAD
      Acct Session ID:  Unknown
               Handle:  0xBD00000D
       Current Policy:  POLICY_Gi0/23

Method status list: 
       Method           State 

       mab              Stopped
       dot1x            Stopped
After running through this setup, it is possible that a lot of issues stem from the Microsoft server. If the full URL path isn’t specified then ISE won’t be able to verify the CRL. Another big issue could be the fact that the folder in which the CRL’s are sent to are not shared. I’ve yet to do more testing to find out how we could encounter more issues but if you’ve run into issues that you’ve fixed please comment below, I’d love to hear them.
Thank you for reading and I hope you find this useful.

#Cisco #MicrosoftPKI #CertificateRevocationListCiscoISE #networkwiizkiids #CiscoISE #MicrosoftServer2012R2PKI #Server2012R2 #MicrosoftPKIwithISE #Server12PKI #CertificateRevocationList #networkwizkid #ISECRLDistributionList #PKI #NetworkSecurity #CiscoISECRL #Server2012 #CertificateRevocationListISE #CRLwithISE #Security #TroubleshootISECertificateRevocation #TroubleshootISECRL #windows
Kelvin Charles - Network and Cyber Security Professional.

Popular Posts

Capturing EAPOL and RADIUS Using Wireshark

-
Image
In this article we are going to take a look at how to capture Extensible Authentication Protocol Over LAN (EAPOL) and Remote Authentication Dial-In User Service (RADIUS) packets using Wireshark. This article can be useful for troubleshooting 802.1x within your environment and can also be used for learning purposes. The following topology has been used to gather the required output for this article. Note: This article will only cover the switch configurations that are required to gather EAPOL and RADIUS configuration. Overview of the Topology The supplicant is configured to perform 802.1x using EAP-TLS as the authentication method The user certificate on the supplicant will be used for authentication The supplicant has Wireshark installed Cisco ISE is used for authentication and authorisation The supplicant is assigned to VLAN 10 upon authentication and all other endpoint ports are assigned to VLAN 99 Sniffer device is running Wireshark in order to capture RADIUS flows via SPAN 802.1x
Read more

Configuring Cisco Smart License Software

-
In this article, I would like to demonstrate how to configure Cisco Smart Licensing on the virtual Cisco Adaptive Security Appliance (ASAv). This post assumes that readers already have access to there own Smart Account and would like to know the process of applying licenses. Step 1: Generate ID Token Sign into your Cisco Software Portal: software.cisco.com and navigate to “Smart Software Licensing” You will now need to create an ID token for your device, this is required for communication between the device and the licensing authority. Follow the steps below to create a new token. Click Inventory >>> General >>> New Token and select your preferred options and enter a description for your token. Once you are happy with your token settings click Create Token . You should now have a token created which can be copied over to the device you wish to license. All commands and output from this point will be related to the ASA so please seek out further advice if you wish
Read more

Kali Linux :: CAM Table Overflow Attack Demonstration

-
Image
As part of my on-going studying for the CCNA Security 210 – 260 certification I have been exploring different types of network attacks, one of which is CAM table overflow attacks. In this article I would like to share what I have learnt and provide a demonstration of the attack carried out in a lab environment. To understand my demonstration, you first need to understand how a CAM table overflow attack works and what happens as a result of the attack.   Switches build Content Addressable Memory (CAM) tables based on mac-addresses and port numbers. When a switch receives a frame it checks the table to see if the source mac-address is already known, if the source mac-address is unknown the switch will add the mac-address to the table along with the port number. The switch then checks the destination layer two frame and if no entry exists the switch broadcasts the frame out of all ports except the port in which the frame was received. Presuming the destination mac-address wants to respond
Read more

Cisco :: FXOS Authentication Using TACACS

-
In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+. At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me. Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized. Requirements A ‘Device Administration’ license is required in order to use TACACS+ with
Read more

Configuring Remote Access VPN on Firepower

-
Image
In this article we are going to take a look at how to configure remote access VPN's on Firepower devices. This demonstration is based on the following lab environment: Cisco Virtual Firepower Management Center Cisco Virtual Firepower Threat Defense Cisco ISE 2.6 Windows host with AnyConnect VPN Windows Server 2019 (CA Server) All Firepower devices are running version 6.5 Note: ISE is used for authentication and authorization in the following lab however the configuration elements of ISE are out of scope for this demonstration. Generate a CSR for Remote Access VPN's Those accessing your network remotely need to trust the service you're running. Without the correct trust users could face issues connecting via VPN. With access to the FMC navigate to Objects > Object Management > PKI > Cert Enrollment Assuming you are opting for manual enrollment, select 'Manual' in Enrollment Type and copy the CA Certificate BASE-64 into the field. Now select the 'Certifi
Read more