CLEANACCESS Archives

January 2010

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Harmon, Brad" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 28 Jan 2010 10:28:44 -0500




-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Kyle Torkelson
Sent: Wednesday, January 27, 2010 3:30 PM
To: [log in to unmask]
Subject: Re: IPSCA Certificate Revocation



Yep, I have new certificates from IPSCA and I have followed the Preferred Method #1:



Step 1 (Preferred) When using a CA-signed CAS SSL certificate, check the "CRL Distribution Points" field of the certificate (including intermediate or root CA), and add the URL hosts to the allowed Host Policy of the Unauthenticated/Temporary/Quarantine Roles. This will allow the Agent to fetch the CRLs when logging in.



I'm wondering if the rule I have set up isn't correct....I stated in my email earlier that I am using ".ipsca.com" and "ends" in my host traffic control policies...



If anyone is using something different (since when you check the CRL distribution point of the cert) I see the following:



For CAS & CAM cert:
http://level101.ipsca.com/crl/ipsca2002CLASEA1.crl
http://level102.ipsca.com/crl/ipscalevel1.crl

For IPSCA Level 1 CA:
http://level101.ipsca.com/crl/ipscalevel1.crl

For IPSCA Global CA Root:
http://crlglobal01.ipsca.com/crl/crlglobal01.crl



I have verified that I can type each of these addresses into IE before logging in and I can download the CRL...



Anyone with insights or using IPSCA let me know...



Thanks



Kyle Torkelson

Senior Network Administrator









-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Mike Diggins
Sent: Wednesday, January 27, 2010 11:45 AM
To: [log in to unmask]
Subject: Re: IPSCA Certificate Revocation



Have you looked at this?



http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp606982



-Mike





On 27/01/2010 12:28 PM, Kyle Torkelson wrote:
> I agree...All of a sudden a bunch of laptops that were working this month are failing the Certificate Revocation...I have added and enabled ".ipsca.com" and "ends" to the Unauthenticated/Temporary/Quarantine roles per the release notes and config docs for 4.7.1 but it seems like this week I've had to turn off the revocation checking on each client...
>
> Perhaps, IPSCA CRL site is experiencing problems??  Or, is this a Cisco issue??
>
> Kyle
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Mike Diggins
> Sent: Tuesday, January 26, 2010 5:50 PM
> To: [log in to unmask]
> Subject: Re: IPSCA Certificate Revocation
>
> I see this periodically with our Verisign certificates on CCA 4.1.10 (Agent), but there doesn't seem to be any pattern to it. A computer that is working fine will suddenly start getting Certificate Revocation Check failures. Then it will start working again and all is fine.
>
> In 4.7.1 they allow you to turn off the CRL check, which I plan to do, if we ever get there!
>
> -Mike
>
> On Tue, 26 Jan 2010, Kyle Torkelson wrote:
>
>> Are any other schools getting the Certificate Revocation error when using IPSCA certificates?  I thought that if I added the CRL distribution point as a host under Traffic Control for all of my User Roles to connect to that that would allow XP, Vista, and Windows 7 to connect to and check.  However, I’ve had to start doing the “uncheck check for server and publisher cert revocation” as a temporary workaround.
>>
>> Any suggestions???
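
The Step 1 check quoted in the thread, as an added example (not part of any message above and not Cisco's code): it takes the CRL distribution point URLs listed in the thread and reports, per role, which CRL hosts no host-policy rule allows. The role table, the `equals` match type and the case-insensitive string matching are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# CRL distribution point URLs as listed in the thread, per certificate.
CRL_URLS = {
    "CAS & CAM cert": [
        "http://level101.ipsca.com/crl/ipsca2002CLASEA1.crl",
        "http://level102.ipsca.com/crl/ipscalevel1.crl",
    ],
    "IPSCA Level 1 CA": ["http://level101.ipsca.com/crl/ipscalevel1.crl"],
    "IPSCA Global CA Root": ["http://crlglobal01.ipsca.com/crl/crlglobal01.crl"],
}

# Constructed host-policy table: role -> list of (match type, value).
# Only the "ends" / ".ipsca.com" rule comes from the thread; the rest is sample data.
ROLE_RULES = {
    "Unauthenticated": [("ends", ".ipsca.com")],
    "Temporary": [("equals", "level101.ipsca.com")],
    "Quarantine": [],
}

def crl_hosts(urls_by_cert):
    """Return the set of lower-cased hostnames the Agent must reach for CRLs."""
    return {urlsplit(u).hostname for urls in urls_by_cert.values() for u in urls}

def rule_matches(rule, host):
    """Assumed semantics: case-insensitive string match on the hostname."""
    kind, value = rule[0], rule[1].lower()
    host = host.lower()
    if kind == "equals":
        return host == value
    if kind == "ends":
        return host.endswith(value)
    raise ValueError(f"unsupported match type: {kind}")

def uncovered(role_rules, urls_by_cert):
    """Map each role to the sorted CRL hosts that none of its rules allow."""
    hosts = crl_hosts(urls_by_cert)
    return {
        role: sorted(h for h in hosts if not any(rule_matches(r, h) for r in rules))
        for role, rules in role_rules.items()
    }

if __name__ == "__main__":
    for role, missing in uncovered(ROLE_RULES, CRL_URLS).items():
        print(f"{role}: {'all CRL hosts allowed' if not missing else 'blocked: ' + ', '.join(missing)}")
```

Under that assumed matching, the leading dot in ".ipsca.com" matters: a suffix rule written without it would also allow unrelated hostnames that merely end in the same string.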

