I don't think you should have multiple URLs for a CRL. What may work is to have round-robin DNS (multiple A records for the same FQDN) pointing to different servers that host the (same) CRL, and ClearPass should try another A record. It also depends on how the CRL download fails, but CRL services should be rock-solid. And if the CRL server can't be reached, it takes some time (the validity time of the CRL) before authentications should be rejected.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
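The fallback behaviour described in the reply above, as an added example that is not ClearPass code and makes no claim about its internals: a client resolves one CRL FQDN to several A records, tries each replica in turn, and keeps answering revocation checks from the last good CRL until its nextUpdate passes, after which it fails closed. The `Crl` stand-in, the injected resolver and fetcher, and the 192.0.2.x replicas are constructed assumptions so the example runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

@dataclass(frozen=True)
class Crl:
    """Stand-in for a parsed CRL: only the fields the fallback policy needs."""
    issuer: str
    next_update: datetime          # CRL is usable for revocation checks until then
    revoked_serials: frozenset

class CrlClient:
    def __init__(self, fqdn: str, fetch: Callable[[str], Crl],
                 resolve: Callable[[str], list]):
        self.fqdn, self.fetch, self.resolve = fqdn, fetch, resolve
        self.cached: Optional[Crl] = None
        self.attempts: list = []   # (address, outcome) for logging/alerting
    def refresh(self) -> Optional[Crl]:
        # resolve() returns all A records (e.g. via socket.getaddrinfo); each is tried
        for addr in self.resolve(self.fqdn):
            try:
                crl = self.fetch(addr)
            except OSError as err:
                self.attempts.append((addr, f"failed: {err}"))
                continue
            self.attempts.append((addr, "ok"))
            self.cached = crl
            return crl
        return None                # every replica failed; keep the cached copy
    def is_revoked(self, serial: int, now: datetime) -> Optional[bool]:
        """True/False from a still-valid CRL; None once it has aged out."""
        if self.cached is None or now >= self.cached.next_update:
            return None            # no trustworthy answer: caller fails closed
        return serial in self.cached.revoked_serials

def demo() -> dict:
    """Constructed scenario: first replica down, second up, then the CRL ages out."""
    now = datetime(2023, 8, 25, 8, 8, tzinfo=timezone.utc)
    crl = Crl("CN=Example Issuing CA", now + timedelta(days=7), frozenset({0x1A2B}))
    replicas = {"192.0.2.10": OSError("connection refused"), "192.0.2.11": crl}
    def fetch(addr: str) -> Crl:
        if isinstance(replicas[addr], Exception):
            raise replicas[addr]
        return replicas[addr]
    client = CrlClient("crl.example.test", fetch, resolve=lambda _: list(replicas))
    client.refresh()
    return {"attempts": client.attempts,
            "fresh_revoked": client.is_revoked(0x1A2B, now),
            "fresh_ok": client.is_revoked(0x0001, now),
            "stale": client.is_revoked(0x0001, now + timedelta(days=8))}
```

The `attempts` list is what you would ship to a log or alert on: a replica that keeps failing is a problem to fix well before the cached CRL expires and authentications start being rejected.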
Original Message:
Sent: Aug 25, 2023 08:08 AM
From: alexs-nd
Subject: Multiple CRL URLS for single CRL list
Sadly, we are using CRLs to check for cert revocation and not OCSP. Currently we specify a single URL to pull down the CRL.
We have multiple URLs that can access different copies of the same CRL.
With the current single-URL setup, if CPPM fails to download the CRL list, the default is to reject any TLS auths ... as we found out.
Can we specify multiple URLs for the same CRL list? What happens if one URL fails and the other succeeds?
A