Security

  • 1.  Check certificate in CRL

    Posted Apr 07, 2020 03:59 AM

    Hi,

    I have a little confusion with CRL checking.

    I have set up a wireless network with EAP-TLS authentication using personal certificates. There is a CRL URL in the certificate, and I also added this URL to ClearPass under Certificates -> Revocation Lists. ClearPass imported the CRL correctly.

    Users are authenticated and allowed to connect to the network. But when I check the log in Access Tracker, there is this line:

    INFO RadiusServer.Radius - --> verify error:num=3:unable to get certificate CRL - ignoring

    What does it mean? It seems like the user's certificate is not checked against the CRL, but the check is ignored and the user is authenticated. Right?

    Thanks

    Kamil




  • 2.  RE: Check certificate in CRL
    Best Answer

    Posted Apr 07, 2020 10:47 AM

    Hi,


    To verify a certificate chain, we require a CRL for each certificate in the chain, starting from the root.

    To do the CRL checks all the way up the chain, all CRLs of the chain should be uploaded, including the Root CRL.

    So please add the CRLs of all intermediate and Root CAs to ClearPass.




  • 3.  RE: Check certificate in CRL
    Best Answer

    Posted Apr 07, 2020 06:13 PM

    Hi,


    The ClearPass RADIUS server will run the CRL check for all the certificates (client cert + intermediate CA(s) + root) in the chain by default, based on the presence of the CRLs.

    The error means that ClearPass failed to get the CRL for one of the certificates in the chain (which could be the root or an intermediate CA).


    If you have the correct CRL configured for the user cert, then the below error is not for the user cert (meaning user cert auth will not succeed if it is revoked) and should be for an intermediate or the root CA. As Vikram suggested, you can configure the CRLs of all the certs in the chain to resolve this error.


    @KamiB wrote:

    Hi,


    INFO RadiusServer.Radius - --> verify error:num=3:unable to get certificate CRL - ignoring

    What does it mean? It seems like the user's certificate is not checked against the CRL, but the check is ignored and the user is authenticated. Right?

    Thanks

    Kamil



    Refer to the service parameter "Check the validity of all certificates in the chain against CRLs" at the link below:

    https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_serviceparamsradiusserver.htm
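A lab reproduction of the behaviour both answers describe, added here as an example; it is not ClearPass code and not something the posters supplied. All keys, certificates and CRLs are constructed on the fly in a scratch directory, and the CA and user names are invented. The script builds a Root CA, an intermediate CA and two user certificates, publishes a CRL for each CA, then runs OpenSSL chain verification with CRL checking for every certificate in the chain, which is the check behind the logged message (OpenSSL verify error 3 is "unable to get certificate CRL"). With only the issuing CA's CRL present the intermediate cannot be checked, with both CRLs the chain passes, and a revoked user certificate is rejected:

```shell
#!/bin/sh
# Added lab example (not ClearPass or Aruba code): Root CA -> Intermediate CA -> user cert,
# one CRL per CA, verified with `openssl verify -crl_check_all`. The error strings are the
# same OpenSSL strings that appear in the RADIUS log quoted in the thread.
set -eu

LAB="$(mktemp -d)"          # everything below is constructed in this scratch directory
cd "$LAB"

# Minimal req config so the script does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > req.cnf

# ca_init NAME : minimal `openssl ca` database for CA NAME (needed for revocation and CRLs)
ca_init() {
  printf '[ca]\ndefault_ca=lab\n[lab]\ndatabase=%s.idx\ndefault_md=sha256\n' "$1" > "$1.cnf"
  : > "$1.idx"
}

# sign NAME ISSUER CA_FLAG : key + CSR for NAME, signed by ISSUER (CA_FLAG TRUE = CA cert)
sign() {
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:%s\n' "$3" > "$1.ext"
  openssl x509 -req -sha256 -days 30 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -extfile "$1.ext" -out "$1.crt" >/dev/null 2>&1
}

# ca_revoke CA CERT : record CERT as revoked in CA's database
ca_revoke() {
  openssl ca -config "$1.cnf" -cert "$1.crt" -keyfile "$1.key" -revoke "$2.crt" >/dev/null 2>&1
}

# ca_gencrl CA : publish CA.crl listing whatever ca_revoke recorded (empty CRL otherwise)
ca_gencrl() {
  openssl ca -config "$1.cnf" -cert "$1.crt" -keyfile "$1.key" -gencrl -crldays 30 \
    -out "$1.crl" >/dev/null 2>&1
}

# verify_chain LEAF CRL... : validate LEAF.crt up to root.crt, checking every chain
# certificate against the supplied CRLs; prints ok / unable_to_get_crl / revoked
verify_chain() {
  leaf="$1"; shift
  : > bundle.crl
  for crl; do cat "$crl" >> bundle.crl; done
  out="$(openssl verify -crl_check_all -CAfile root.crt -CRLfile bundle.crl \
          -untrusted intermediate.crt "$leaf.crt" 2>&1 || true)"
  case "$out" in
    *"certificate revoked"*)           echo revoked ;;
    *"unable to get certificate CRL"*) echo unable_to_get_crl ;;
    *": OK"*)                          echo ok ;;
    *)                                 echo "other: $out" ;;
  esac
}

# Build the lab PKI: self-signed root, intermediate, one good and one revoked user cert.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Lab Root CA" -keyout root.key -out root.crt >/dev/null 2>&1
ca_init root
ca_init intermediate
sign intermediate root TRUE
sign user-ok intermediate FALSE
sign user-revoked intermediate FALSE
ca_revoke intermediate user-revoked
ca_gencrl root
ca_gencrl intermediate

echo "only the issuing CA's CRL:      $(verify_chain user-ok intermediate.crl)"
echo "root + intermediate CRLs:       $(verify_chain user-ok root.crl intermediate.crl)"
echo "revoked user, all CRLs present: $(verify_chain user-revoked root.crl intermediate.crl)"
```

The script needs the openssl command-line tool (1.1.1 or later) and leaves its files in the temporary directory. The intermediate's CRL is what vouches for the user certificate; the root's CRL is what vouches for the intermediate and for the root itself, so with only the user-level CRL loaded the check stops at depth 1 with exactly the "unable to get certificate CRL" error from the thread, which is why adding the Root CRL resolved it.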



  • 4.  RE: Check certificate in CRL

    Posted Apr 08, 2020 09:20 AM

    This works. After adding the CRL for the root certificate, there is no error in the log.

    Thank you both

    Kamil