Check certificate in CRL

Hi,

I have a little confusion with CRL checking.

I have set up a wireless network with EAP-TLS authentication using personal certificates. There is a URL for the CRL in the certificate, and I also added this URL to ClearPass under Certificates -> Revocation lists. ClearPass imported the CRL correctly.

Users are authenticated and allowed to connect to the network. But when I check the log in Access Tracker, there is this line:

INFO RadiusServer.Radius - --> verify error:num=3:unable to get certificate CRL - ignoring

What does it mean? It seems like the user's certificate is not checked against the CRL, but the check is ignored and the user is authenticated. Right?

Thanks

Kamil

All Replies

Re: Check certificate in CRL

Hi,

 

To verify a certificate chain, we require a CRL for each certificate in the chain starting from the root.

To do the CRL checks all the way up the chain, all CRLs of the chain should be uploaded, including the root CRL.

So please add the CRLs of all intermediate and root CAs to ClearPass.

Vikram Sonawane | ACCP | @Vikram_Sonawane

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.


Re: Check certificate in CRL

Hi,

The ClearPass RADIUS server will run CRL checks for all the certificates (client cert + intermediate CA(s) + root) in the chain by default, based on the presence of the CRLs.

The error means that ClearPass failed to get the CRL for one of the certificates in the chain (which could be the root or an intermediate CA).

If you have the correct CRL configured for the user cert, then the below error is not for the user cert (meaning user cert auth will not succeed if it is revoked) and should be for an intermediate or the root CA. As Vikram suggested, you can configure the CRLs of all the certs in the chain to resolve this error.


@KamiB wrote:

Hi,

INFO RadiusServer.Radius - --> verify error:num=3:unable to get certificate CRL - ignoring

What does it mean? It seems like users certificate is not checked in CRL, but it is ignored and user is authenticated. Right?

Thanks

Kamil

Refer to the service parameter "Check the validity of all certificates in the chain against CRLs" at the link below:

https://www.arubanetworks.com/techdocs/ClearPass/6.8/PolicyManager/index.htm#CPPM_UserGuide/Admin/ServerConfig_serviceparamsradiusserver.htm


Thank you,
Saravanan

**Did something you read in the Community solve a problem for you? If so, click "Accept as Solution" in the post.
NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.

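As an added example that is not from this thread or from Aruba, the script below rebuilds the situation with a constructed throwaway PKI and plain OpenSSL: the text and number in the Access Tracker line match OpenSSL's X509_V_ERR_UNABLE_TO_GET_CRL (3), and OpenSSL's chain-wide CRL check (-crl_check_all) needs a CRL for every certificate in the chain, the self-signed root included. File names, subject names and the helper functions are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed throwaway PKI: root CA -> intermediate CA -> EAP-TLS user certificate.
# Everything is created in a temp directory; nothing here is a ClearPass artifact.
set -eu
cd "$(mktemp -d)"
q() { "$@" >/dev/null 2>&1; }   # run a command quietly; set -e still aborts on failure

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > user.ext
q openssl req -new -newkey rsa:2048 -nodes -keyout root.key  -out root.csr  -subj /CN=ExampleRoot
q openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr -subj /CN=ExampleIntermediate
q openssl req -new -newkey rsa:2048 -nodes -keyout user.key  -out user.csr  -subj /CN=kamil
q openssl x509 -req -in root.csr  -signkey root.key -days 2 -extfile ca.ext -out root.pem
q openssl x509 -req -in inter.csr -CA root.pem  -CAkey root.key  -CAcreateserial -days 2 -extfile ca.ext   -out inter.pem
q openssl x509 -req -in user.csr  -CA inter.pem -CAkey inter.key -CAcreateserial -days 2 -extfile user.ext -out user.pem

# Minimal 'openssl ca' config with just what -gencrl needs. An empty index means nothing is revoked.
printf '[ca]\ndefault_ca=crl\n[crl]\ndatabase=index.txt\ndefault_md=sha256\ndefault_crl_days=1\n' > ca.cnf
: > index.txt
gencrl() { q openssl ca -config ca.cnf -gencrl -keyfile "$1.key" -cert "$1.pem" -out "$1.crl"; }
gencrl inter   # covers the user cert: the CRL the question already had imported
gencrl root    # covers the intermediate and the root itself: the CRL that was missing

# Verify the user cert with CRL checking for every certificate in the chain (-crl_check_all,
# the OpenSSL equivalent of "Check the validity of all certificates in the chain against CRLs"),
# offering only the CRL files passed as arguments. Prints "OK" or OpenSSL's failure reason.
verify_with_crls() {
  cat "$@" > offered.crl
  openssl verify -crl_check_all -CAfile root.pem -untrusted inter.pem -CRLfile offered.crl user.pem 2>&1 \
    | grep -oE 'OK$|unable to get certificate CRL' | head -n 1
}

echo "intermediate CRL only  : $(verify_with_crls inter.crl)"
echo "intermediate + root CRL: $(verify_with_crls inter.crl root.crl)"
```

The first verification fails at depth 1 (the intermediate) because no CRL signed by the root was offered, which is the same condition the thread resolves by importing the root CA's CRL; ClearPass logs it as "ignoring" rather than rejecting the user, which is why the login still succeeded.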


Re: Check certificate in CRL

This works. After adding the CRL for the root certificate, there is no error in the log.

Thank you both

Kamil
