
CRL distribution to ClearPass subscribers

Hi


A customer with a ClearPass cluster with five nodes experienced some authentication issues due to a Publisher failure.

The problem was that during the failure of the Publisher one CRL from the internal PKI expired and the Subscribers didn't download a fresh CRL from the CRL distribution point.


Should the CRL be downloaded by each node in the cluster or the Publisher and then distributed to the Subscribers?

The CRL is configured to be downloaded every hour, but from what I have seen it's only downloaded when the CRL expires.

Shouldn't the option to download the CRL every hour force a download of the CRL regardless of whether it has changed or not?


In this case the CRL has a 14-day validity period and is issued once a week. But the new CRL isn't downloaded even though a new one is available.


The cluster is running ClearPass 6.6.8 on CP-HW-25K, and an upgrade to 6.7.x is in the pipeline.



Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP
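The cadence described in this post (weekly issuance, 14-day validity, an hourly refresh configured but a download only at expiry) can be modelled to see how much validity a node is left with when the Publisher goes down. This is an added example, not code from the thread or from ClearPass; the issuance start date, the two refresh policies and the assumption that the Publisher is the only path by which subscribers get CRL updates are constructed for the model.

```python
from datetime import datetime, timedelta

# Constructed model (assumptions, not ClearPass code): the internal PKI issues
# a CRL every ISSUE_EVERY, each valid for VALIDITY; a node refreshes its cached
# copy either only when that copy expires ("on_expiry") or on a fixed timer
# ("interval"), and gets no further updates once the Publisher is down.
ISSUE_EVERY = timedelta(days=7)
VALIDITY = timedelta(days=14)
PKI_START = datetime(2018, 1, 1)  # constructed: first CRL issued here


def latest_issued(now):
    """(thisUpdate, nextUpdate) of the newest CRL the CDP holds at `now`."""
    this_update = PKI_START + ((now - PKI_START) // ISSUE_EVERY) * ISSUE_EVERY
    return this_update, this_update + VALIDITY


def headroom_at_outage(policy, outage_start, refresh_every=timedelta(hours=1)):
    """Replay the node's refreshes from PKI_START and return how long its
    cached CRL stays valid after the Publisher goes down at `outage_start`."""
    cached_next = PKI_START + VALIDITY  # node starts with the first CRL
    t = PKI_START
    while True:
        # "on_expiry": next fetch happens when the cached copy expires;
        # "interval": next fetch happens on the timer (here hourly).
        t = cached_next if policy == "on_expiry" else t + refresh_every
        if t > outage_start:
            break  # this refresh would happen after the outage: no update
        _, cached_next = latest_issued(t)
    return cached_next - outage_start


def min_headroom(policy, span=timedelta(days=14), step=timedelta(hours=1)):
    """Worst-case headroom over every outage start in [PKI_START+VALIDITY, +span)."""
    first = PKI_START + VALIDITY
    return min(headroom_at_outage(policy, first + k * step)
               for k in range(span // step))


if __name__ == "__main__":
    for policy in ("on_expiry", "interval"):
        print(policy, "worst case:", min_headroom(policy))
```

With the thread's numbers, refreshing only at expiry leaves a node with as little as one hour of CRL validity when the Publisher fails, while an honoured hourly refresh always leaves at least a week.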

Re: CRL distribution to ClearPass subscribers

You should consider moving to OCSP, but if that is not possible then use a standby Publisher.

From the user guide:
https://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/Cluster%20Deployment/Standby_publisher.htm
Functions Lost When the Publisher Is Down

When the active Publisher goes out of service, the following ClearPass Policy Manager functions are temporarily lost:

* AirGroup and MACTrac enrollment
* Certificate creation and revocation
* Certificate revocation list updates
* ClearPass Exchange outbound enforcement
* General ClearPass Policy Manager and ClearPass Guest configuration changes
* ClearPass Guest account creation
* Mobile device management endpoint polling and ingestion
* Onboarding functionality



Not sure if this functionality exists in 6.6, but in 6.7 you can set the CRL to get updated in a certain period of time.


Thank you

Victor Fabian
Lead Mobility Architect @WEI
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA

Re: CRL distribution to ClearPass subscribers

Thank you for the information.


In this case there was a standby Publisher configured, but for some reason the failover failed.

Why this happened is something we will investigate further.



Best Regards
Jonas Hammarbäck | Aranya AB
Network Architect, ACMA, ACMP, ACCP