forced CRL refresh/update with EAP-TLS

Post by Paul » Thu, 12 Feb 2004 07:47:48


Short of waiting until W2K or W2K3 IAS has detected that
the CRL has expired - and therefore retrieved a new one,
how can the CRL stored by IAS be updated (or deleted to
force a read/refresh)?

Post by Xuemei Ba » Thu, 12 Feb 2004 09:20:22

IAS does not store the CRL. Each client certificate has a CRL distribution
point, which is a URL that publishes the CRL for that cert. IAS goes to
that site to check the client cert's revocation.

--
=========================================================
This post is provided AS IS with no warranties, and confer no rights
=========================================================

Post by Sam Salhi » Thu, 12 Feb 2004 09:39:53

There is no way to force the revocation process. You can modify the period
from the normal length to smaller periods.
This applies to the CRL and to the Delta CRL.

Depending on the CRL for user dial-in permission is NOT a good idea. If you want
to disable a person from VPN/DIALUP/Wireless, disable their dial-in
permissions, or delete/expire/disable the account.

Post by Paul » Thu, 12 Feb 2004 09:44:04

I am familiar with CRL DP...but many products have a way
to have some "control" on caching this so that CRL
retrieval does not become an authentication throttle due
to CRL retrieval - especially if the CRL DP has not changed.

The information at URL
http://www.yqcomputer.com/
url=/technet/prodtechnol/winxppro/deploy/ed80211.asp would
imply that IAS does indeed store a CRL (see the following).

"By default the IAS server uses the CRL distribution
points in the certificates. However, it is also possible
to store a local copy of the CRL on the IAS server. In
this case, the local CRL is used during certificate
revocation checking. If a new CRL is manually published to
the Active Directory, the local CRL on the IAS server is
not updated. The local CRL is updated when it expires.
This can create a situation wherein a certificate is
revoked, the CRL is manually published, but the IAS server
still allows the connection because the local CRL has not
yet been updated."

Which seems to imply both are possible.
Post by Sam Salhi » Fri, 13 Feb 2004 01:51:15

The storage of the local CRL has nothing to do with IAS.
IAS does NOT store anything; the PKI infrastructure does that. IAS is just a
consumer of that.

Post by anonymou » Sat, 21 Feb 2004 10:34:06

My understanding of CRL processing is that any application
calls CryptoAPI for CRL processing, and that the CA
software makes CRL information available for CRL
processing as applications so request.

The URL from the MSFT site I posted previously included
the words "it is also possible",
which would not seem consistent with your comment of IAS
not storing anything.

It does not make sense to me that IAS would store anything
either. It does however make sense that the CryptoAPI
processing that IAS does call could in fact store or cache
the CRL - much in the same way that IIS does. (see
http://support.microsoft.com/default.aspx?scid=kb;EN-
US;289749 for a discussion about CRL caching and IIS).

How can I force a flush or ensure that the CRL DP in the
cert. is "freshly" retrieved - as opposed to a potentially
stale one inside CryptoAPI - so that IAS will block
someone?

Thanks....

I suggest that IAS needs to make the correct sort of
CryptoAPI calls.
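
The situation the thread keeps circling (a verifier that reuses a downloaded CRL until its nextUpdate, so a manually republished CRL is not seen and a revoked certificate keeps authenticating) can be made concrete with a small model. The code below is an added example, not from the original posts and not Microsoft's CryptoAPI or IAS code: `CrlCache`, `DistributionPoint`, the CDP URL `http://ca.example.test/ca.crl`, the serial `0x1234` and the timeline are all constructed for illustration. It replays two runs of the same timeline, one where nobody flushes the cache and one where the cache entry is discarded after the CA republishes, and computes the exposure window that shortening the CRL lifetime (the only lever offered in the thread) actually bounds.

```python
"""Model of CRL caching versus a manually republished CRL (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class Crl:
    this_update: datetime
    next_update: datetime
    revoked: FrozenSet[int]        # serial numbers the CA lists as revoked


@dataclass
class DistributionPoint:
    """Constructed stand-in for the CRL a CA publishes at one CDP URL."""
    url: str
    current: Crl
    fetches: int = 0               # how often a verifier actually downloaded it

    def publish(self, now: datetime, revoked: Iterable[int], period: timedelta) -> None:
        # The CA (re)publishes: fresh thisUpdate/nextUpdate and revocation list.
        self.current = Crl(now, now + period, frozenset(revoked))

    def fetch(self) -> Crl:
        self.fetches += 1
        return self.current


class CrlCache:
    """Hypothetical time-based cache (a model, not CryptoAPI's real code):
    a fetched CRL is reused until its nextUpdate, regardless of what the CA
    has published since, unless an explicit flush discards it."""

    def __init__(self) -> None:
        self._by_url: Dict[str, Crl] = {}

    def lookup(self, dp: DistributionPoint, now: datetime) -> Crl:
        crl = self._by_url.get(dp.url)
        if crl is None or now >= crl.next_update:   # refetch only on expiry
            crl = dp.fetch()
            self._by_url[dp.url] = crl
        return crl

    def flush(self, url: Optional[str] = None) -> None:
        if url is None:
            self._by_url.clear()
        else:
            self._by_url.pop(url, None)


def is_revoked(cache: CrlCache, dp: DistributionPoint, serial: int, now: datetime) -> bool:
    """The check an EAP-TLS verifier makes against the (possibly cached) CRL."""
    return serial in cache.lookup(dp, now).revoked


def exposure_window(cached: Crl, revoked_at: datetime) -> timedelta:
    """Longest time a cert revoked at `revoked_at` keeps passing against `cached`."""
    return max(cached.next_update - revoked_at, timedelta(0))


def new_dp(t0: datetime, period: timedelta) -> DistributionPoint:
    # Constructed URL; the initial CRL lists nothing as revoked.
    return DistributionPoint("http://ca.example.test/ca.crl",
                             Crl(t0, t0 + period, frozenset()))


def simulate(period_days: int = 7) -> dict:
    """Replays the thread's scenario and returns what the verifier decided when."""
    period = timedelta(days=period_days)
    t0, serial = datetime(2004, 2, 12), 0x1234
    out = {}

    # A: no flush. The CRL cached at t0+1h hides a revocation published at
    # t0+2h until that CRL's nextUpdate passes.
    dp, cache = new_dp(t0, period), CrlCache()
    out["a_before_revoke"] = is_revoked(cache, dp, serial, t0 + timedelta(hours=1))
    cached = cache.lookup(dp, t0 + timedelta(hours=1))      # cache hit, no download
    dp.publish(t0 + timedelta(hours=2), {serial}, period)   # CA revokes and republishes
    out["a_after_publish"] = is_revoked(cache, dp, serial, t0 + timedelta(hours=3))
    out["a_at_next_update"] = is_revoked(cache, dp, serial, t0 + period)
    out["a_fetches"] = dp.fetches
    out["a_exposure_hours"] = exposure_window(cached, t0 + timedelta(hours=2)) / timedelta(hours=1)

    # B: same timeline, but the cache entry is flushed after the manual publish.
    dp, cache = new_dp(t0, period), CrlCache()
    is_revoked(cache, dp, serial, t0 + timedelta(hours=1))
    dp.publish(t0 + timedelta(hours=2), {serial}, period)
    cache.flush(dp.url)
    out["b_after_flush"] = is_revoked(cache, dp, serial, t0 + timedelta(hours=3))
    out["b_fetches"] = dp.fetches
    return out


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:>20}: {value}")
```

With a seven-day CRL the revoked certificate still authenticates for 166 hours after the CA republishes; with a one-day CRL the same run gives 22 hours. That is the bound Sam's advice about shorter CRL and delta CRL periods reduces, and it is why the thread's other recommendation, disabling the AD account or its dial-in permission, takes effect immediately instead of waiting on a cache.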
Post by Sam Salhi » Sun, 22 Feb 2004 04:48:28

IAS doesn't store the CRL, PKI does. This CRL is not flushable. Although,
the metadata in a specific certificate can be modified to point to a file
IAS uses the certificate to identify and validate the user credentials. It
doesn't use the certificate to authorize the user. It needs an account in AD
that the certificate maps to.
I will say it again: restricting access based on certificate revocation IS
NOT RECOMMENDED!
Disable/lock/expire/remove dial-in on the user account instead.