Security

Hi

 

A customer with a ClearPass cluster with five nodes experienced some authentication issues due to a Publisher failure.

The problem was that during the failure of the Publisher one CRL from the internal PKI expired and the Subscribers didn´t downloaded a fresh CRL from the CRL distribution point.

 

Should the CRL be downloaded by each node in the cluster or the Publisher and then distributed to the Subscribers?

The CRL is configured to be downloaded every hour, but from what I have seen it's only downloaded when the CRL expires.

Shouldn't the option to download the CRL every hour force a download of the CRL regardless if it has changed or not?

 

In this case the CRL have 14 days validity time and are issued one a week. But the new CRL isn't downloaded even though a new is available.

 

The cluster is running on ClearPass 6.6.8 on CP-HW-25K and upgrade to 6.7.x is in the pipeline.

 

 

You should consider moving to OCSP but if not possible then use a standby Publisher

>From the user guide :
https://www.arubanetworks.com/techdocs/ClearPass/Aruba_DeployGd_HTML/Content/Cluster%20Deployment/Standby_publisher.htm
Functions Lost When the Publisher Is Down

When the active Publisher goes out of service, the following ClearPass Policy Manager functions are temporarily lost:

*

AirGroup and MACTrac enrollment



*

Certificate creation and revocation



*

Certificate revocation list updates



*

ClearPass Exchange outbound enforcement



*

General ClearPass Policy Manager and ClearPass Guest configuration changes



*

ClearPass Guest account creation



*

Mobile device management endpoint polling and ingestion



*

Onboarding functionality



Not sure if this functionality exist in 6.6 but in 6.7 you can set the CRL to get updated in a certain of time


Sent from Mail for Windows 10

Thank you for the information.

 

In this case there was a standby Publisher configured but for some reason the failover failed.

Why this happend is something we will investigate further.