After a couple hours on the phone with TAC, we were able to resolve our ongoing issue with the "revocation" pop-up box and IPSCA certificates. As some of you know, IPSCA had their root CA expire on December 29, 2009 and started to issue new certs signed by a new root CA around December 15. These first newly signed certs had the incorrect CRL URL in the CRL Distribution Points field. After opening a support case with IPSCA, they admitted that the first certs signed were wrong and then asked me to create a new request.
I've now upgraded to 4.7.2 and after importing these newly signed certs that have the correct CRL URL in the CRL Distribution Points field, I no longer am getting the "revocation" pop-up. I believe we were seeing an issue that was fixed in 4.7.2 (Cisco BugID CSCsy37405) that was erring out on the incorrect URL so I can't say that it was completely Cisco's or IPSCA's fault. It was the classic finger pointing game but the issue has now been resolved. I've now been able to turn on the checkboxes for server and publisher certificate revocation in all editions of Windows XP, Vista, and 7 and get uninterrupted Cisco NAC. Now, if only Firefox and Mac/Safari and any other 3rd party browsers would include IPSCA in their SSL keystores/keychains we'd be all set. Even though IPSCA is free, free does come at a cost! :) Hope this helps anyone else out there...
