Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

Crl fail open

  • 1.  Crl fail open

    Posted Dec 28, 2017 05:48 AM

    We are looking to use the ClearPass CRL functionality with EAP-TLS. However, it is a little unclear how it is set up internally. If the CRL file cannot be downloaded or is corrupt, will ClearPass then fail all connections?

    In other words, does ClearPass fail open or closed if the CRL is not available?



  • 2.  RE: Crl fail open

    Posted Dec 28, 2017 08:12 AM

    A copy of the CRL is stored locally on the CPPM servers. A CRL contains an expiration date. After the expiration date the CRL is not valid and needs to be updated. It is important that the CRL is updated before the expiration date. If the CRL is expired, EAP-TLS authentication is rejected because the CRL is not valid. Make sure you set the CRL update interval correctly. The base CRL can be valid for a few weeks (or longer). You can publish a delta CRL. This will not affect the expiration date. If you set the update interval to 2 hours and the CRL cannot be downloaded, this is not a problem. There is only a problem when the CRL is expired.

    Since CPPM 6.6.7 (I thought), ClearPass supports OCSP with fallback to CRL. OCSP is always a real-time lookup and not stored locally like CRL.


  • 3.  RE: Crl fail open

    Posted Dec 28, 2017 11:44 AM

    Thanks, we are aware how CRL works. My question is:

    If the local CRL file expires and, due to network connectivity issues, the new CRL cannot be downloaded, will ClearPass deny or accept any incoming TLS connections?

    For example, with NPS, Cisco ISE and other RADIUS servers you have the option to ignore a failed CRL and allow connections to proceed. This is also known as failing open.


  • 4.  RE: Crl fail open

    Posted Dec 28, 2017 12:01 PM

    If the local copy of the CRL is expired, authentications are rejected. There is no option to fail open when the CRL is expired.


  • 5.  RE: Crl fail open

    Posted Dec 28, 2017 12:17 PM
    If the CRL is expired and you remove it from CPPM, authentication is possible again.


  • 6.  RE: Crl fail open

    Posted Dec 28, 2017 03:12 PM

    Thanks for the info, much appreciated.

    Is there a specific reason for not allowing this option, to fail open, or is it simply a use case that has not been considered?


  • 7.  RE: Crl fail open

    Posted Dec 28, 2017 03:54 PM
    I don’t know because I’m not an Aruba employee. I have never seen issues with this because the CRL lifetime can be a long period.
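
Because the replies above describe a fail-closed design (an expired local CRL rejects EAP-TLS authentications, while a failed download before expiry is harmless), the useful thing to monitor is how many refresh attempts remain before `nextUpdate`. The following is an added example, not part of the thread and not ClearPass code: it assumes you fetch the same CRL yourself and dump its dates with `openssl crl -noout -lastupdate -nextupdate`; the function names, the sample dates and the `min_retries` threshold are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Time format printed by `openssl crl -noout -lastupdate -nextupdate`
OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

# Constructed sample output (not taken from a real CA)
SAMPLE = """lastUpdate=Dec 14 06:00:00 2017 GMT
nextUpdate=Dec 28 06:00:00 2017 GMT
"""

def parse_crl_dates(openssl_output):
    """Return {'lastUpdate': datetime, 'nextUpdate': datetime or None} in UTC."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key not in ("lastUpdate", "nextUpdate"):
            continue
        value = value.strip()
        if value == "NONE":          # openssl prints NONE when the field is absent
            fields[key] = None
        else:
            parsed = datetime.strptime(value, OPENSSL_TIME)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    if fields.get("lastUpdate") is None:
        raise ValueError("no lastUpdate line found in openssl output")
    fields.setdefault("nextUpdate", None)
    return fields

def crl_health(openssl_output, now, refresh_interval, min_retries=12):
    """Classify a CRL by how many refresh attempts fit before it expires.

    refresh_interval is the configured CRL update interval (2 hours in the
    thread's example); min_retries is an assumed alerting threshold.
    """
    next_update = parse_crl_dates(openssl_output)["nextUpdate"]
    if next_update is None:
        return {"status": "NO_NEXT_UPDATE", "retries_left": None}
    if now >= next_update:
        # Per the replies above, this is the point where authentications fail.
        return {"status": "EXPIRED", "retries_left": 0}
    retries_left = (next_update - now) // refresh_interval
    status = "OK" if retries_left >= min_retries else "WARN"
    return {"status": status, "retries_left": retries_left}

if __name__ == "__main__":
    now = datetime(2017, 12, 27, 20, 0, tzinfo=timezone.utc)
    print(crl_health(SAMPLE, now, timedelta(hours=2)))
```

A `WARN` result means the download path has to be fixed, or a fresh CRL published, within the remaining attempts.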