Security

  • 1.  ClearPass CRL check

    Posted Nov 25, 2021 11:00 AM
    Edited by danger Nov 25, 2021 11:50 AM
    Hi,
    One of my clients has CPPM installed and authenticating users on the wired with EAP-TLS. They upload a CRL file/URL to administration > certificates > revocation list, this is from their internal PKI. This is valid for 30 days and at the moment they are looking at their internal PKI server to make it valid for more than 2 years. Anyway after the 30 days have gone past this entry is not valid anymore and every user is not able to connect. If we enable the option in CPPM revocation list: "Enable to Bypass proxy server" will this allow the users to connect if the CRL cert location is expired?

    In the Authentication method they have EAP TLS with the following options:
    Verify certificate using OCSP:  None
    Override OCSP URL from client: disabled
    I would have thought the above option would have bypassed the CRL check but it did not seem to make a difference. After 30 days the users were not able to connect.

    Thanks,


  • 2.  RE: ClearPass CRL check

    Posted Nov 25, 2021 11:50 AM
    Edited by Herman Robers Nov 25, 2021 11:51 AM
    If you have the option to use OCSP, go for that option.

    Otherwise, can't you download the CRL from the PKI? The preferred option (after OCSP) is to add the URL for the CRL in ClearPass, and ClearPass will automatically update it from that URL. Manually uploading a CRL file is probably not what you want.

    And the bypass proxy option is for the CRL/OCSP retrieval from ClearPass. By default, it will use an HTTP proxy if you configure that on system-level. With the bypass option you can have ClearPass get to the OCSP/CRL server directly, ignoring the proxy settings.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
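The outage in post 1 is the CRL passing its nextUpdate while the copy loaded into ClearPass is never refreshed. As an added example (not code from the thread, from Aruba or from ClearPass), the Python below parses thisUpdate/nextUpdate straight out of a DER CRL with a small TLV walker and reports it as ok, expiring or expired, so a monitoring job can warn a week before the lockout; the CRL it builds for itself is a constructed sample with a dummy signature, and `warn_days` and the status strings are my own naming.

```python
import datetime as dt

TIME_TAGS = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}  # UTCTime, GeneralizedTime

def der_len(n):
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def build_sample_crl(this_update, next_update):
    """Constructed minimal DER CRL with a dummy signature, for testing only."""
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
    issuer = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403")) + tlv(0x0c, b"Test CA"))))
    utc = lambda t: tlv(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = tlv(0x30, tlv(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))

def read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CRL; nextUpdate is None if absent."""
    _, crl, _ = read_tlv(der, 0)  # CertificateList
    _, tbs, _ = read_tlv(crl, 0)  # TBSCertList
    fields, pos = [], 0
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        fields.append((tag, body))
    if fields[0][0] == 0x02:  # optional version INTEGER
        fields = fields[1:]
    # remaining: signature AlgId, issuer Name, thisUpdate, [nextUpdate], [revokedCertificates], [extensions]
    parse = lambda f: dt.datetime.strptime(f[1].decode(), TIME_TAGS[f[0]]).replace(tzinfo=dt.timezone.utc)
    this_update = parse(fields[2])
    next_update = parse(fields[3]) if len(fields) > 3 and fields[3][0] in TIME_TAGS else None
    return this_update, next_update

def crl_status(der, now, warn_days=7):
    """'expired' once nextUpdate has passed (the lockout in the thread), 'expiring' within warn_days, else 'ok'."""
    _, next_update = crl_validity(der)
    if next_update is None:
        return "ok"  # no nextUpdate: the CRL does not go stale on its own
    days_left = (next_update - now).total_seconds() / 86400
    return "expired" if days_left < 0 else ("expiring" if days_left <= warn_days else "ok")
```

Point `crl_status` at the CRL fetched from the PKI's distribution URL (the same one ClearPass is configured to auto-refresh) and alert on anything other than "ok".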