Sadly we are using CRLs to check for cert revocation and not OCSP. Currently we specify a single URL to pull down the CRL.
We have multiple URLs that can access different copies of the same CRL
With the current one-URL setup, if CPPM fails to download the CRL list, the default is to reject all TLS auths ... as we found out.
Can we specify multiple URLs for the same CRL list? What happens if one URL fails and the other succeeds?
I don't think you should have multiple URLs for a CRL. What may work is to have round-robin DNS (multiple A records for the same FQDN) pointing to different servers that host the (same) CRL, and ClearPass should try another A record. It also depends on how the CRL download fails, but CRL services should be rock-solid. And if the CRL server can't be reached, it takes some time (the validity time of the CRL) before authentications should be rejected.
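An added example, not from this thread or from ClearPass, of the behaviour the answer describes: one FQDN resolving to several A records, each tried in turn, with the cached CRL still used until its nextUpdate passes and authentications rejected only after that. CrlCache, the injected resolver/fetcher, the dict standing in for a parsed CRL and the RFC 5737 test addresses are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

class CrlUnavailable(Exception): """Fetch failed and the cached CRL is past its nextUpdate."""

class CrlCache:
    """Hypothetical fail-over CRL fetch. resolver(fqdn) -> list of A records; fetcher(addr, fqdn)
    -> CRL, here a constructed dict with an aware 'next_update' and a 'revoked' set of serials."""
    def __init__(self, resolver, fetcher):
        self.resolver, self.fetcher, self.cached = resolver, fetcher, None

    def refresh(self, fqdn, now):
        """Try each resolved address in turn; keep the first non-expired CRL."""
        for addr in self.resolver(fqdn):
            try:
                crl = self.fetcher(addr, fqdn)
            except OSError:
                continue  # unreachable host: fall through to the next A record
            if crl["next_update"] <= now:
                continue  # host is up but serves a stale CRL: not good enough
            self.cached = crl
            return True
        return False

    def is_revoked(self, serial, fqdn, now):
        """Fresh CRL if any host answers, else the cached CRL until its nextUpdate passes; only then fail closed."""
        if not self.refresh(fqdn, now):
            if self.cached is None or self.cached["next_update"] <= now:
                raise CrlUnavailable("no valid CRL; rejecting TLS authentications")
        return serial in self.cached["revoked"]

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # constructed clock for the sample
SAMPLE_CRL = {"next_update": NOW + timedelta(days=7), "revoked": {0x1A2B}}  # constructed CRL
DOWN = set()  # addresses simulated as unreachable
def resolver(fqdn): return ["198.51.100.10", "198.51.100.11"]  # two hosts behind one FQDN

def fetcher(addr, fqdn):
    if addr in DOWN:
        raise OSError(f"connect to {addr} ({fqdn}) timed out")
    return dict(SAMPLE_CRL)

def demo(fqdn="crl.example.com"):
    """First host down -> second answers; all down -> cache; cache expired -> reject."""
    DOWN.clear(); DOWN.add("198.51.100.10")
    cache = CrlCache(resolver, fetcher)
    first = cache.is_revoked(0x1A2B, fqdn, NOW)                       # True, via the 2nd host
    DOWN.add("198.51.100.11")
    cached = cache.is_revoked(0x9999, fqdn, NOW + timedelta(days=1))  # False, served from cache
    try:
        cache.is_revoked(0x9999, fqdn, NOW + timedelta(days=8))
        return first, cached, "allowed"
    except CrlUnavailable:
        return first, cached, "rejected"                               # cache expired: fail closed
```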
© Copyright 2023 Hewlett Packard Enterprise Development LP. All Rights Reserved.