Hi
A customer with a ClearPass cluster with five nodes experienced some authentication issues due to a Publisher failure.
The problem was that during the failure of the Publisher, one CRL from the internal PKI expired and the Subscribers didn't download a fresh CRL from the CRL distribution point.
Should the CRL be downloaded by each node in the cluster, or by the Publisher and then distributed to the Subscribers?
The CRL is configured to be downloaded every hour, but from what I have seen it's only downloaded when the CRL expires.
Shouldn't the option to download the CRL every hour force a download of the CRL regardless of whether it has changed or not?
In this case the CRLs have a 14-day validity time and are issued once a week. But the new CRL isn't downloaded even though a new one is available.
The cluster is running ClearPass 6.6.8 on CP-HW-25K and an upgrade to 6.7.x is in the pipeline.