In User Management -> User Roles -> Traffic Controls put the IP addresses of your Certificate Authorities in the Unauthenticated role (or your equivalent). Also a handy place for things like update.nai.com and ftp.nai.com for anti-virus updates.
-Tim --- Tim Cantin, Senior Network Engineer Wellesley College, IS/Technology Infrastructure Group 223 Simpson Hall East, 106 Central Street Wellesley, Massachusetts 02481-8203 http://www.wellesley.edu/~tcantin/ <BLOCKED::http://www.wellesley.edu/~tcantin/> phone: (781)283-3520 fax: (781)283-3682 From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Dale Harville Sent: Thursday, March 06, 2008 4:07 PM To: [email protected] Subject: Re: revocation list How do you open up the filters? Dale Harville Network Administrator Galveston College 4015 Ave Q. Galveston, TX 77550 409-944-1356 _____ From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Mike King Sent: Thursday, March 06, 2008 1:21 PM To: [email protected] Subject: Re: revocation list Hi Shane. Yes, you have to open up the filters to allow clients to contact your CA to get the CRL. But this is not a Cisco requirement. This is a Microsoft Internet Explorer requirement. CCAA uses IE to perform the http part of the session. So if your IE is configured to check for a CRL, then CCAA will need it. You can disable it in IE advanced options, and IE won't require it anymore. But the better answer is to just allow access to it. Mike
