Wireless Access

New Contributor

Crl fail open

Hi,

We are looking to use the ClearPass CRL functionality with EAP-TLS. It is, however, a little unclear how it is set up internally. If the CRL file cannot be downloaded or is corrupt, will ClearPass then fail all connections?

In other words, does ClearPass fail open or closed if the CRL is not available?

Thanks,

T.
Contributor I

Re: Crl fail open

Hi,

A copy of the CRL is stored locally on the CPPM servers. A CRL contains an expiration date. After the expiration date the CRL is not valid and needs to be updated. It is important that the CRL is updated before the expiration date. If the CRL is expired, EAP-TLS authentication is rejected because the CRL is not valid. Make sure you set the CRL update interval correctly. The base CRL can be valid for a few weeks (or longer). You can publish a delta CRL. This will not affect the expiration date. If you set the update interval to 2 hours and the CRL cannot be downloaded, this is not a problem. There is only a problem when the CRL is expired.

Since CPPM 6.6.7 (I thought) ClearPass supports OCSP with fallback to CRL. OCSP is always a real-time lookup and is not stored locally like a CRL.

Willem
Willem Bargeman
ACMX#935 | ACCX #822
New Contributor

Re: Crl fail open

Hi,

Thanks, we are aware of how CRL works. My question is:

If the local CRL file expires and, due to network connectivity issues, the new CRL cannot be downloaded, will ClearPass deny or accept any incoming TLS connections?

For example, with NPS, Cisco ISE and other RADIUS servers you have the option to ignore a failed CRL and allow connections to proceed. This is also known as failing open.

T.
Contributor I

Re: Crl fail open

Hi,

If the local copy of the CRL is expired, authentications are rejected. There is no option to fail open when the CRL is expired.

Regards,
Willem
Willem Bargeman
ACMX#935 | ACCX #822
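Because ClearPass fails closed once the cached CRL passes its nextUpdate (as stated in the two answers above), the operational check a defender wants is whether the configured refresh interval leaves enough retries before expiry. The script below is an added example, not ClearPass or Aruba code: it reads nextUpdate from a CRL file with openssl, compares it with the refresh interval, and flags a CRL that would expire after a single missed download. It also builds a throwaway CA and CRL so it can be exercised offline; the CA name, directory layout and thresholds are constructed assumptions, and GNU date is assumed for parsing the timestamp.

```shell
#!/bin/sh
# Added example (not ClearPass code): report how much validity a cached CRL has
# left relative to the refresh interval a RADIUS server would use.
# Assumes openssl and GNU date on PATH. All names below are constructed.

# crl_next_update_epoch CRL_FILE -> prints nextUpdate as a Unix epoch.
crl_next_update_epoch() {
    nu=$(openssl crl -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//') || return 2
    date -u -d "$nu" +%s
}

# crl_check CRL_FILE REFRESH_SECONDS [MIN_ATTEMPTS]
# Prints OK, AT_RISK or EXPIRED and returns 0 only for OK.
# AT_RISK: fewer than MIN_ATTEMPTS (default 3) refresh cycles fit before
# nextUpdate, so a short outage of the CRL distribution point would leave the
# server with an expired CRL and every EAP-TLS authentication rejected.
crl_check() {
    next=$(crl_next_update_epoch "$1") || return 2
    min_attempts=${3:-3}
    now=$(date -u +%s)
    remaining=$((next - now))
    if [ "$remaining" -le 0 ]; then
        echo EXPIRED
        return 1
    elif [ "$remaining" -lt $((min_attempts * $2)) ]; then
        echo AT_RISK
        return 1
    fi
    echo OK
    return 0
}

# make_test_crl DIR OPENSSL_CA_VALIDITY_OPTS...
# Creates a throwaway CA in DIR and signs an empty CRL whose lifetime comes
# from the remaining arguments (e.g. -crldays 1); prints the CRL path.
make_test_crl() {
    dir=$1
    shift
    mkdir -p "$dir" && : > "$dir/index.txt" && echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = test_ca
[ test_ca ]
database    = $dir/index.txt
crlnumber   = $dir/crlnumber
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md  = sha256
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Constructed test CA" -days 30 >/dev/null 2>&1 || return 1
    openssl ca -config "$dir/ca.cnf" -gencrl "$@" \
        -out "$dir/crl.pem" >/dev/null 2>&1 || return 1
    echo "$dir/crl.pem"
}

# Usage: sh crl_margin.sh /path/to/cached/crl.pem 7200
if [ "$#" -ge 2 ]; then
    crl_check "$1" "$2"
fi
```

Run it against the CRL file the server actually caches, with the same interval you configured for the download job; an AT_RISK result means either shorten the interval or ask the CA operator for a longer base CRL lifetime.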
Contributor I

Re: Crl fail open

If the CRL is expired and you remove it from CPPM, authentication is possible again.

Willem
Willem Bargeman
ACMX#935 | ACCX #822
New Contributor

Re: Crl fail open

Willem,

Thanks for the info, much appreciated.

Is there a specific reason for not allowing this option, to fail open, or is it simply a use case that has not been considered?

T.
Contributor I

Re: Crl fail open

I don't know because I'm not an Aruba employee. I have never seen issues with this because the CRL lifetime can be a long period.

Willem
Willem Bargeman
ACMX#935 | ACCX #822