According to this post, when the CRL expires, all authentications (I assume for the specific issuer) are rejected.
My assumption would be that if you remove the CRL, CRL checking is just disabled, and you can best do that before the CRL expires to prevent downtime. If you can't afford the risk, I would have this verified (tested in lab) by your Aruba partner or Aruba support.
Please be advised that OCSP would be preferred over CRL, and for OCSP there is an 'optional' setting that allows a fail-open if the OCSP stops responding.
------------------------------
Herman Robers
------------------------------
Original Message:
Sent: Jan 26, 2022 08:22 PM
From: Christopher Johnson
Subject: EAP-TLS Failure Due To Expired CRL (URL Download)
If we remove the CRL URL configuration (SecureW2 PKI), will this bypass the CRL check? And if so, will removing it after expiration be effective, or would it have to be done prior to CRL expiration, say in the middle of an outage?
Not recommended, I know, but background: the past 2 weeks our ClearPass Admin has been working with senior engineering on database issues that have affected random operator redirects, device registration delays (6 hours), endpoint updates, and most recently the CRL wasn't able to update for about 7 hours in the middle of the night (resulting in an outage for onboarded individuals). And we're still in a holding pattern, but nothing they've tried has resolved our issues. Yet the EAP-TLS auths are the biggest concern on our mind.
---------------------------------
Chris
---------------------------------