-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Kyle Torkelson
Sent: Wednesday, January 27, 2010 3:30 PM
To: [email protected]
Subject: Re: IPSCA Certificate Revocation

Yep, I have new certificates from IPSCA and I have followed the Preferred Method #1:

    Step 1 (Preferred): When using a CA-signed CAS SSL certificate, check the "CRL Distribution Points" field of the certificate (including intermediate or root CA), and add the URL hosts to the allowed Host Policy of the Unauthenticated/Temporary/Quarantine Roles. This will allow the Agent to fetch the CRLs when logging in.

I'm wondering if the rule I have set up isn't correct... I stated in my email earlier that I am using ".ipsca.com" and "ends" in my host traffic control policies. If anyone is using something different (since when you check the CRL distribution point of the cert), I see the following:

For CAS & CAM cert:
  http://level101.ipsca.com/crl/ipsca2002CLASEA1.crl
  http://level102.ipsca.com/crl/ipscalevel1.crl

For IPSCA Level 1 CA:
  http://level101.ipsca.com/crl/ipscalevel1.crl

For IPSCA Global CA Root:
  http://crlglobal01.ipsca.com/crl/crlglobal01.crl

I have verified that I can type each of these addresses into IE before logging in and I can download the CRL...

Anyone with insights or using IPSCA, let me know...

Thanks,
Kyle Torkelson
Senior Network Administrator

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Mike Diggins
Sent: Wednesday, January 27, 2010 11:45 AM
To: [email protected]
Subject: Re: IPSCA Certificate Revocation

Have you looked at this?
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp606982

-Mike

On 27/01/2010 12:28 PM, Kyle Torkelson wrote:
> I agree... All of a sudden a bunch of laptops that were working this month are
> failing the Certificate Revocation... I have added and enabled ".ipsca.com"
> and "ends" to the Unauthenticated/Temporary/Quarantine roles per the release
> notes and config docs for 4.7.1, but it seems like this week I've had to turn
> off the revocation checking on each client...
>
> Perhaps the IPSCA CRL site is experiencing problems?? Or is this a Cisco
> issue??
>
> Kyle
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators
> [mailto:[email protected]] On Behalf Of Mike Diggins
> Sent: Tuesday, January 26, 2010 5:50 PM
> To: [email protected]
> Subject: Re: IPSCA Certificate Revocation
>
> I see this periodically with our Verisign certificates on CCA 4.1.10
> (Agent), but there doesn't seem to be any pattern to it. A computer
> that is working fine will suddenly start getting Certificate
> Revocation Check failures. Then it will start working again and all is fine.
>
> In 4.7.1 they allow you to turn off the CRL check, which I plan to do,
> if we ever get there!
>
> -Mike
>
> On Tue, 26 Jan 2010, Kyle Torkelson wrote:
>
>> Are any other schools getting the Certificate Revocation error when
>> using IPSCA certificates? I thought that if I added the CRL
>> distribution point as a host under Traffic Control for all of my User Roles
>> to connect to, that would allow XP, Vista, and Windows 7 to connect to
>> and check. However, I've had to start doing the "uncheck check for server
>> and publisher cert revocation" as a temporary workaround.
>>
>> Any suggestions???
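Added example, not part of the thread or of Cisco's documentation: a pure-Python helper that pulls the CRL Distribution Point URIs out of the DER value of a certificate's CRLDistributionPoints extension (the field Step 1 says to check) and reports whether each host would be covered by a ".ipsca.com" / "ends" host-policy entry like the one described above. The extension value is constructed inline from the four URLs quoted in the thread, and the function names (`tlv`, `walk`, `crl_uris`, `host_policy_check`) are this example's own.

```python
# Added example: parse the CRLDistributionPoints extension value (OID 2.5.29.31)
# with a minimal DER walker, then check each CDP host against a suffix rule.
# The sample extension is constructed here from the thread's four URLs.
from urllib.parse import urlparse

def tlv(tag: int, body: bytes) -> bytes:
    """Tag + DER length (short form below 128, long form otherwise) + body."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def crl_dp_extension(urls) -> bytes:
    """SEQUENCE OF DistributionPoint { [0] { [0] fullName { [6] URI } } }."""
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, u.encode())))) for u in urls))

def walk(data: bytes):
    """Yield (tag, value) for each top-level TLV in a DER byte string."""
    i = 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length >= 0x80:                 # long form: low 7 bits = byte count
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def crl_uris(ext_value: bytes) -> list:
    """Every [6] URI GeneralName, descending into SEQUENCE / [0] containers."""
    found = []
    for tag, value in walk(ext_value):
        if tag == 0x86:
            found.append(value.decode())
        elif tag in (0x30, 0xA0):
            found.extend(crl_uris(value))
    return found

def host_policy_check(ext_value: bytes, suffix: str) -> dict:
    """Map each CDP host to whether an 'ends' rule on `suffix` would allow it."""
    return {h: h.endswith(suffix)
            for h in sorted({urlparse(u).hostname for u in crl_uris(ext_value)})}

# Constructed sample: the four CDP URLs quoted in the thread.
SAMPLE_URLS = ["http://level101.ipsca.com/crl/ipsca2002CLASEA1.crl",
               "http://level102.ipsca.com/crl/ipscalevel1.crl",
               "http://level101.ipsca.com/crl/ipscalevel1.crl",
               "http://crlglobal01.ipsca.com/crl/crlglobal01.crl"]
SAMPLE_EXT = crl_dp_extension(SAMPLE_URLS)
```

Run `host_policy_check(SAMPLE_EXT, ".ipsca.com")` to see that all three CDP hosts fall under the ".ipsca.com"/"ends" entry; the same check against the extension pulled from a real chain shows immediately whether any CDP host is missing from the allowed-host policy.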
