Which statement about CRL configuration is correct?
A. CRL checking is enabled by default.
B. The Cisco ASA relies on HTTPS access to procure the CRL list.
C. The Cisco ASA relies on LDAP access to procure the CRL list.
D. The Cisco Secure ACS can be configured as the CRL server.
Correct Answer: C
Explanation/Reference:
ASA SSLVPN deployment guide:
The security appliance supports various authentication methods: RSA one-time passwords, RADIUS, Kerberos, LDAP, NT Domain, TACACS, Local/Internal, digital certificates, and a combination of both authentication and certificates.
LDAP
By default OCSP and CRL are disabled:
sh run all crypto ca trust
crypto ca trustpoint ASDM-Mgmt
revocation-check none
From link below
The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.
So I guess the question is about the way to get the CRL from the CA. So in this case answer C is correct.
I agree with A.
Hi,
from Cisco Book
Revocation Check
On the Revocation Check tab, you have the option to turn off certificate revocation
checking or leave it at the default of on. However, by default, no revocation-checking
methods are chosen, and the check box to consider a certificate valid if the CRL cannot
be retrieved is selected, meaning that all certificates, by default, are considered valid by
the CA.
For me the answer is more A.
It makes more sense to me because they can rely on HTTPS or LDAP, but it's not true that they rely on it by default.
What do you think?
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/cert_cfg.html
CRLs
CRLs provide the ASA with one way of determining whether a certificate that is within its valid time range has been revoked by the issuing CA. CRL configuration is part of configuration of a trustpoint.
You can configure the ASA to make CRL checks mandatory when authenticating a certificate by using the revocation-check crl command. You can also make the CRL check optional by using the revocation-check crl none command, which allows the certificate authentication to succeed when the CA is unavailable to provide updated CRL data.
The ASA can retrieve CRLs from CAs using HTTP, SCEP, or LDAP. CRLs retrieved for each trustpoint are cached for a configurable amount of time for each trustpoint.
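An added configuration example, not taken from the linked Cisco guide or from any comment above, contrasting the default trustpoint (where revocation-check none leaves CRL checking off, as the show run all output in the first comment illustrates) with a trustpoint that enforces CRL checks and retrieves the CRL over LDAP. The trustpoint names, LDAP host and directory DN are assumed placeholders; the command names follow the ASA 8.2 certificate configuration guide cited above.

```cisco
! Default state: no revocation checking, so a certificate the CA has
! already revoked is still accepted as long as it is within its validity
! period (weak setting, matches the "revocation-check none" default).
crypto ca trustpoint EXAMPLE-CA
 enrollment terminal
 revocation-check none
!
! Hardened trustpoint (assumed name EXAMPLE-CA-CRL): the CRL check is
! mandatory, so authentication fails if the CRL cannot be retrieved.
! Use "revocation-check crl none" instead if a CA outage should be
! tolerated (CRL checked when available, certificate accepted otherwise).
crypto ca trustpoint EXAMPLE-CA-CRL
 enrollment terminal
 revocation-check crl
 crl configure
  ! Fetch from the statically configured URL below rather than from the
  ! CRL distribution point embedded in the certificate.
  policy static
  ! Retrieve over LDAP (assumed directory ldap.example.com, port 389).
  protocol ldap
  ldap-defaults ldap.example.com 389
  url 1 ldap://ldap.example.com/CN=EXAMPLE-CA,OU=PKI,O=Example
  ! Keep the cached CRL for 60 minutes before refreshing it.
  cache-time 60
  ! Reject a CRL that carries no NextUpdate field.
  enforcenextupdate
```

After applying the hardened trustpoint, show crypto ca crls lists the cached CRL and its NextUpdate time, which is the quickest check that retrieval actually succeeded.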