Procedure to quarantine devices based on a certificate revocation list.
By default, the certificate revocation list (CRL)-based quarantine feature is disabled.
Before you begin
-
From the Cisco SD-WAN Manager menu, choose . Select an option and choose enterprise mode to enable the CRL (certificate revocation list).
-
In the Controller Certificate Authorization field, choose Enterprise Root Certificate, or
-
In the Hardware WAN Edge Certificate Authorization field, choose Enterprise Certificate (signed by Enterprise CA), or
-
In the WAN Edge Cloud Certificate Authorization field, choose Manual (Enterprise CA - recommended).
-
-
Make a note of the URL of the CA CRL.
Procedure
| 1. | From the Cisco SD-WAN Manager menu, choose . |
|
| 2. | On the Administration Settings page, select Edit near Certificate Revocation List. |
|
| 3. | Select CRL-Based Quarantine. |
|
| 4. | In the CRL Server URL field, enter the URL of the CRL that you created on your secure server. |
|
| 5. | In the Retrieval Interval field, enter the interval, in hours, for retrieving the CRL. Possible values: 1 to 24 Default: 24 hours |
|
| 6. | Select VPN 0 or VPN 512. SD-WAN Manager connects to a server to retrieve the CRL through the VPN 0 or VPN 512 interface. |
|
| 7. | Select Save. At the configured interval, SD-WAN Manager polls the CRL server for the latest CRL. It uses this list to determine whether to quarantine devices. |
If the CRL is disabled in earlier releases, the CRL remains disabled after upgrading to the Cisco vManage Release 20.11.1. If the CRL was enabled in a release prior to Cisco vManage Release 20.11.1, then after upgrading to Cisco vManage Release 20.11.1, the certificate revocation option is enabled with VPN0 as the default.