NAC Certificates

Hello there. I have 2 CAMs with 2 CASs In-Band and 2 CASs Out-of-Band.
I have a problem with the certificates, so the clients are receiving this screen:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/413/cam/m_admin.html#wp1084190
I regenerated the certificates with the correct Service IP and all that stuff, but the issue remains.
Do you have any other troubleshooting tips regarding this issue?
Thanks and have a great one. :D

Thanks Faisal.
I have tried to access the links but I'm getting the below message from both URLs.
Forbidden File or Application
The file or application you are trying to access may require additional entitlement or you are trying to access a file with an invalid name. Additional entitlement levels are granted based on a user's relationship with Cisco on a per-application basis.
If you feel you have reached this page in error, please try one of the following methods to locate your document:
1. If you are manually entering the URL into your browser location bar, be sure to include the file name of the page you are trying to access (file names typically end in .htm, .html or .shtml).
2. Use the Search feature located in the upper right section of this page.
3. Return to the Cisco.com Home or select a primary site area from the top navigation bar.
4. Consult with your Cisco Account Manager to confirm you have the appropriate entitlement to access this page.
If you would like to contact someone about this problem, please click on the Contacts & Feedback link below.

Similar Messages

  • NAC Certificate Expired

    I saw this message in my CAM:
    Warning: Current and entity certificate has expired or is due to expire in less than 30 days
    I know this is because the SSL certificate is about to expire, but I want to know what happens if the certificate expires after the 30 days.
    Would the CAS fail to operate?
    Would the CAM fail to control the CAS?

    The CAS needs to communicate with the CAM to authenticate and posture assess unauthenticated users.
    Depending on how you have fallback configured on your CAS, when it loses connection with the CAM (due to the CAM's cert expiring), it will either allow all connections, no connections, or allow already authenticated connections (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1098561).  By default, it will allow access only for already authenticated connections.

  • NAC certificate

    Hi All,
    We ordered a certificate for the CAS only, based on the documentation. When connecting from the wired network, IE shows the CAS IP address, no warning page is displayed and everything works fine. But when connecting from wireless, it redirects to the CAM IP address and obviously there is no signed certificate for the CAM, so the warning page shows up. Do we need to order a certificate for the CAM as well?
    thanks
    Alex

    Hi,
    The clients will communicate with the CAM if they need to download the agent, for example, and yes, in these situations you also need to trust the CAM cert, otherwise the security warning will show up.
    It is good practice to have signed certs on the CAM and CAS, and usually from the same CA.
    So, in summary, I would say yes: if you do not want security warnings, then you should also install a cert on the CAM.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • Problem add CAS in CAM NAC 4.7 SSL certificate

    Hello,
    I have a problem with NAC 4.7: I can't add the CAS in the CAM. I imported the certificate of www.perfigo.com and it doesn't work; I rebooted the NAM and NAS and nothing.
    Any suggestions?
    Best Regards

    Hi,
    Do this.
    Go to the CAM GUI. Browse to CCA Manager -> SSL. Check the box marked CCA Manager Certificate and click on Export. Save this file as CAMCert.pem
    Go to the CAS admin page by going to https://IP_ADDRESS_OF_CAS/admin Click on SSL. Check the box marked CCA Server Certificate and click Export. Save this file as CASCert.pem
    On the CAS page, click on Trusted Certificate Authorities, click on Browse, and choose the CAMCert.pem. Click on Import
    On the CAM page, click on CCA Manager -> SSL -> Trusted Certificate Authorities, click on Browse, and choose the CASCert.pem. Click on Import.
    Now try to add one to the other.
    HTH,
    Faisal

  • NAC 4.7.2 (OOB VGW) Mac certificate validation slow

    We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.
    When a user enters their user ID and password they will sometimes get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.
    I did a packet capture of a machine that was experiencing the problem.
    The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
    If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.
    Has anybody else experienced this? Any ideas?

    Faisal,
    I reviewed my work, including where I performed my captures. The capture I did initially was between the CAS and the outside world, our routing core.
    I decided to span a port a Mac was connected to and performed another capture.
    Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address from the forward DNS lookup sent originally from the Mac.
    I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against host filter I built to allow the traffic.
    The filter was based on the forward lookup so it was something like "ends with crl.verisign.com"
    When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com" which of course did not match the filter I had created. Traffic blocked.
    I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
    Why only 95%?
    One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
    No problems now.
    Later!
    Bob
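    The matching behaviour Bob describes above, as an added illustration that is not part of the original thread and not the CAS's own code: a host-based allow rule evaluated against the name a reverse lookup returns for the destination IP, with an IP rule as the fallback for a server that has no PTR record. The PTR table and the 192.0.2.x/198.51.100.x addresses are constructed test data, and the rule tuples are an assumed representation of the "ends with" host filter and the IP filter Bob configured. It also shows the caveat a plain suffix match carries: "ends with verisign.com" also accepts a look-alike such as crl.notverisign.com, so a label-boundary variant is included.

```python
"""Model of a CAS host-based allow rule evaluated by reverse DNS (added illustration)."""
import ipaddress

# Constructed reverse-DNS answers using RFC 5737 test addresses; not Verisign's real data.
PTR_TABLE = {
    "192.0.2.10": "crl.indv10.verisign.com",
    "192.0.2.11": "crl.indv20.verisign.com",
    "192.0.2.12": "crl.verisign.com",
    "198.51.100.7": None,                   # the server with no PTR record
    "198.51.100.8": "crl.notverisign.com",  # look-alike name a loose suffix match accepts
}


def reverse_lookup(ip, table=PTR_TABLE):
    """PTR name for ip, or None when the lookup returns nothing."""
    return table.get(ip)


def name_matches(name, match, pattern):
    """One host-name rule. 'ends' is a plain suffix match like the filter Bob used;
    'ends_label' also requires the suffix to start at a label boundary."""
    name, pattern = name.lower().rstrip("."), pattern.lower().rstrip(".")
    if match == "equals":
        return name == pattern
    if match == "ends":
        return name.endswith(pattern)
    if match == "ends_label":
        return name == pattern or name.endswith("." + pattern)
    raise ValueError(f"unknown match type {match!r}")


def is_allowed(dst_ip, rules, table=PTR_TABLE):
    """Decide whether traffic to dst_ip passes. rules holds ('ip', cidr) entries,
    checked first and without DNS, and ('host', match, pattern) entries that only
    apply once a reverse lookup has produced a name. Returns (allowed, reason)."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule[0] == "ip" and addr in ipaddress.ip_network(rule[1], strict=False):
            return True, f"ip rule {rule[1]}"
    name = reverse_lookup(dst_ip, table)
    if name is None:
        return False, "no PTR record, so no host rule can match"
    for rule in rules:
        if rule[0] == "host" and name_matches(name, rule[1], rule[2]):
            return True, f"host rule {rule[1]} {rule[2]!r} matched {name}"
    return False, f"{name} matched no host rule"


# The rule sets from the thread, in the order Bob tried them; the IP rule is his last fix.
ORIGINAL = [("host", "ends", "crl.verisign.com")]
LOOSENED = [("host", "ends", "verisign.com")]
FIXED = [("host", "ends_label", "verisign.com"), ("ip", "198.51.100.7/32")]


def decisions(rules, table=PTR_TABLE):
    """Map every destination in the table to the allow/deny decision under `rules`."""
    return {ip: is_allowed(ip, rules, table)[0] for ip in table}


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("loosened", LOOSENED), ("fixed", FIXED)):
        print(label, decisions(rules))
```

    Run it directly to print the decision for every address under the three rule sets: the original set blocks crl.indv10.verisign.com exactly as Bob saw, the loosened set passes it but also passes the look-alike name, and the label-boundary set plus the IP rule covers the server without a PTR record.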

  • NAC SSL CERTIFICATE WARNING

    Hello there,
    I have implemented NAC on my network. I've deployed OOB Virtual Gateway. It used to work fine when I had version 4.6. My office relocated and everything changed, including the IP addresses we used on the LAN. During the relocation the SSL certificates also expired. Before activating NAC on the new site I decided to upgrade to the current version (4.8) and also installed new certificates (obtained from an internal Microsoft CA server). The problem is that I'm getting the security warning 'The certificate you are viewing does not match the name of the site you are trying to view'. I used the ETH0 IP of the CAS in the certificate request. Both ETH1 and ETH0 have the same IP. Any assistance please. I've tried to request the certificate again, import it and reboot the CAS, but the warning keeps on appearing to users.
    regards,
    Stanslaus.

    OK, it looks like your IE security settings are very tight.
    When the agent starts it will try to discover the CAS using the discovery host, sending HTTP to the discovery host IP address.
    What happens is that the CAS will spoof this communication and reply to the agent itself. It seems that this action is making your PC trigger this alarm.
    I guess this is annoying...
    This was first seen internally in version 4.6 and was supposed to be fixed in 4.7 and later versions.
    I would advise you to open a TAC case and we can follow up with you to check if there is anything to be done on the agent or PC to get rid of this.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

  • NAC CAM/CAS Temporary Certificate expired

    Hello Guys,
    I have a high availability pair of NAC (CAM/CAS). 3 months ago I generated a temporary certificate and now it has expired.
    Do I need to generate a new temporary certificate again and delete the old one? Is there any certificate that can give me a lifetime certificate?

    Hi,
    Yes, 4.8 has been out for a bit now. Download it here: http://bit.ly/dwaXlc
    Release notes, including the new features, the bug fixes and the upgrade instructions for 4.8 are here: http://bit.ly/9inkeW
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Ssl certificate for cisco NAC

    Hello All,
    Gurus out there, please help me understand how I update the SSL certificate on the Cisco NAC appliance (Clean Access Manager/Clean Access Server),
    and how to check when the certificate expires.
    thanks in advance.

    Please have a look at the following link:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_admin.html#wp1078189
    On the CAM interface, you can export the current certificate and see its validity:
    Administration > Clean Access Manager >> SSL > X509 Certificate >> Select Cert and hit 'Export'
    Please rate if you find the input helpful
    Regards
    Farrukh

  • NAC SSL Certificates

    Hello there,
    I installed NAC and cut over to the production environment without changing the Perfigo root certificate. This is because I had no CA server.
    Now I've got a Win 2003 standalone root CA server configured. What is the impact of requesting a certificate from this CA and installing it on the NAC Server and Manager?
    regards,
    Stanslaus.


  • NAC SSL certificate Issue

    I recently applied a signed certificate to both the CAM and CAS. Ever since then I have been having problems with the system. In the Perfigo logs on the CAM I receive a lot of messages with "Certificate chaining error" in them. My question is, what is the best way to roll back the signed certificates to the self-signed ones? Any other suggestions would be greatly appreciated.
    Thanks in advance.

    Hi Giles,
    Thanks for the update. The problem I am facing is: I have 2 SSL certificates on my ACE and I have also configured 2 server farms (farm1 and farm2), each associated with an SSL certificate. Now the problem I am facing is that when we access the farm2 server farm we are issued the certificate of farm1, whereas I need to be getting the certificate from farm2.
    Thanks in advance.
    Regards
    Sum

  • Urgent - NAC+ACS+Web-Auth in Wired environment - https redirection - Certificate Issue

    Hi everyone.
    I'm setting up an environment which uses Web-Auth for my wired and wireless networks. I have followed the exact same steps on this Cisco page to get it working:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/app_note_c27-577490.html
    I'm only testing the wired environment right now.
    I plug a PC into a port, and I try to access a random internet page (for example www.cisco.com). It is automatically redirected to the authentication page. I type the username and password, but when authentication passes it goes automatically to the https version of the page, which brings me to the problem. I have to add an exception ("continue to this webpage" option in IE) for that page in order to continue with the authentication and get access to the internet. I'm attaching the steps I have to perform.
    I think it is related to a certificate, but I'm not quite sure which or where. I'd like some advice from you to avoid this problem. I'm not planning to buy any certificates, so if I could skip the https that would be great.
    Thanks a bunch for your help
    Victor Alves

    You need a certificate that your client will trust.
    The easy way is to buy one from an official source. All PC browsers have a list of the major cert vendors, so that's automatically trusted.
    You could also issue the certificate yourself, for free:
    - Self-signed: the signing authority is the switch. That means you need all your PCs to trust all your switches. Manual operation...
    - You create an enterprise CA and create a certificate for all your switches: you just need your clients to trust your enterprise CA, so that's still a manual task but a simpler one.
    When laptops are joined to a domain, it's usually easier to create your CA on Windows Server and push the certificates to the clients automatically.

  • SSL VPN with machine certificate authentication

    Hi All,
    I've configured a VPN profile for an AnyConnect VPN connection in my test environment. I've enabled AAA (RSA) and certificate authentication, configured the RSA servers correctly and uploaded the root and issuing certificates. I managed to get this working with machine certificates using a Microsoft PKI. With crypto debugging enabled I can see the CERT API thread wake up and correctly authenticate the certificate. So far so good...
    Now I configured the same in our production environment and can't get it to work! The AnyConnect client shows an error: "certificate validation failure"
    The strange thing is that the crypto debugging doesn't give me one single line of output. It looks like the certificate doesn't even reach the ASA. My question is, what is stopping the "CERT API thread" I mentioned before from waking up and validating the certificate? Does someone have an explanation for that?
    BTW, we have other VPN configurations on the same production/live ASAs with certificate authentication that are working and show up in the debugging.
    Thanks in advance for your help
    Hardware is ASA5540, software version 8.2(5).
    Some pieces of the configuration below:
    group-policy VPN4TEST-Policy internal
    group-policy VPN4TEST-Policy attributes
     wins-server value xx.xx.xx.xx
     dns-server value xx.xx.xx.xx
     vpn-simultaneous-logins 1
     vpn-idle-timeout 60
     vpn-filter value VPN4TEST_allow_access
     vpn-tunnel-protocol IPSec svc webvpn
     group-lock none
     ipsec-udp enable
     ipsec-udp-port 10000
     split-tunnel-policy tunnelall
     default-domain value cs.ad.klmcorp.net
     vlan 44
     nac-settings none
     address-pools value VPN4TEST-xxx
     webvpn
      svc modules value vpngina
      svc profiles value KLM-SSL-VPN-VPN4TEST
    tunnel-group VPN4TEST-VPN type remote-access
    tunnel-group VPN4TEST-VPN general-attributes
     address-pool VPN4TEST-xxx
     authentication-server-group RSA-7-Authent
     default-group-policy VPN4TEST-Policy
    tunnel-group VPN4TEST-VPN webvpn-attributes
     authentication aaa certificate
     group-alias VPN4TEST-ANYCONNECT enable

    Forgot to mention, I'm using the same laptop in both situations (test and production). Tested with anyconnect versions 3.1.02.040 and 3.0.0.629.

  • NAC firmware upgrade from 4.1.3 to 4.7 or 4.8, anyone?

    I currently have 1 CAS 3310 Failover Bundle for Wireless user, and 1 CAM Lite Failover Bundle for management.
    CAS, CAM and Clean Access Agents are running 4.1.3. We are considering an upgrade, in particular because some end-user machines will soon be Windows 7. Our authentication for users is provided by AD SSO.
    I would like to know your experience when doing such a major jump (4.1.3 to 4.8.1). Looking for gotchas and known issues. Also what the incremental upgrade path looks like.
    I was thinking we can go 4.1.3 -> 4.6.1 -> 4.8.1. Any other way or recommendation? Cisco is highly recommending we go to 4.8.1 if at all possible.
    I am also aware that we need to create new root  certificates.
    Appreciate input.
    Thanks,
    Rosa

    Hi,
    Yes, that is the correct upgrade path: 4.1.3 -> 4.6.1 -> 4.8.1.
    I would recommend you go through the release notes for 4.6.1 and 4.8.1 for all the known gotchas and the detailed upgrade process.
    Gotchas/changes/upgrade process for 4.6.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/461/461rn.html#wp65900.
    Gotchas/changes/upgrade process for 4.8.1:http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/481rn.html#wp65900.
    Regarding the certificates, you should not use the self signed certs due to security reasons, and they should only be used for lab purposes.
    This means that it still works with the self signed, but you need to import the CAS cert into the CAM trusted certification authorities and vice-versa, so that the CAM trusts the CAS cert and vice-versa.
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
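    The checks behind several answers in this thread, as an added example that is not part of the thread and not Cisco's code: Tiago's point just above that a self-signed CAS cert must be imported into the CAM's Trusted Certificate Authorities and vice versa, Faisal's export/import steps under "Problem add CAS in CAM NAC 4.7 SSL certificate", Farrukh's advice under "Ssl certificate for cisco NAC" to export the certificate and read its validity, the CAM's 30-day expiry warning, and Stanslaus's "does not match the name of the site" warning. Using the third-party cryptography package, it builds a throwaway enterprise CA and two leaf certs (the 10.0.0.5 Service IP, the CA name and the lifetimes are assumed values), then runs over each exported PEM the three checks an admin would want before adding a CAS to a CAM: does it chain to the trust anchor, does it cover the Service IP (via an IP SAN, or only via the CN, which current browsers no longer accept), and is it within 30 days of expiry.

```python
"""Checks a NAC admin would run on an exported CAM/CAS certificate (added example)."""
import datetime as dt
import ipaddress

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

UTC = dt.timezone.utc
WARN_DAYS = 30  # the CAM warns when less than 30 days of validity remain


def make_cert(cn, days, san_ips=(), issuer=None, ca=False):
    """Build an RSA certificate. issuer=(key, cert) has that CA sign it; issuer=None
    self-signs it, which is what both an enterprise root CA and the appliance's own
    temporary certificate are. Returns (private_key, certificate)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    sign_key, issuer_name = (key, subject) if issuer is None else (issuer[0], issuer[1].subject)
    now = dt.datetime.now(UTC).replace(tzinfo=None)  # the builder takes naive UTC times
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(minutes=5))
        .not_valid_after(now + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
    )
    if san_ips:  # an IP SAN is what lets a cert for a Service IP name-match in a browser
        builder = builder.add_extension(
            x509.SubjectAlternativeName([x509.IPAddress(ipaddress.ip_address(i)) for i in san_ips]),
            critical=False,
        )
    return key, builder.sign(sign_key, hashes.SHA256())


def to_pem(cert):
    """The same bytes the SSL page's Export button writes to CAMCert.pem / CASCert.pem."""
    return cert.public_bytes(serialization.Encoding.PEM)


def days_until_expiry(cert, now=None):
    now = now or dt.datetime.now(UTC)
    not_after = getattr(cert, "not_valid_after_utc", None)  # present in cryptography >= 42
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=UTC)
    return (not_after - now).days


def chains_to(cert, anchor):
    """True when `anchor` issued `cert`: the issuer name matches and the signature verifies
    under the anchor's key. Importing the peer's cert into Trusted Certificate Authorities
    makes it an anchor for exactly this check."""
    if cert.issuer != anchor.subject:
        return False
    try:
        anchor.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm
        )
        return True
    except InvalidSignature:
        return False


def name_match(cert, service_ip):
    """'san' if the Service IP is in the IP SAN, 'cn-only' if it appears only as the CN
    (old IE accepted that; current browsers do not), None if neither."""
    addr = ipaddress.ip_address(service_ip)
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        if addr in san.get_values_for_type(x509.IPAddress):
            return "san"
    except x509.ExtensionNotFound:
        pass
    cn = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return "cn-only" if cn and cn[0].value == service_ip else None


def check_pem(cert_pem, anchor_pem, service_ip):
    """Findings for an exported certificate checked against an exported trust anchor."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    anchor = x509.load_pem_x509_certificate(anchor_pem)
    left = days_until_expiry(cert)
    return {
        "chains_to_anchor": chains_to(cert, anchor),
        "name_match": name_match(cert, service_ip),
        "days_left": left,
        "expiry_warning": left < WARN_DAYS,
    }


def demo():
    """Hypothetical deployment: an enterprise CA, a CA-issued CAS cert for Service IP 10.0.0.5,
    and a self-signed temporary cert with 20 days left (all values assumed, not from the thread)."""
    ca = make_cert("Example Enterprise Root CA", 3650, ca=True)
    _, cas_cert = make_cert("10.0.0.5", 365, san_ips=["10.0.0.5"], issuer=ca)
    _, temp_cert = make_cert("10.0.0.5", 20)
    ca_pem, cas_pem, temp_pem = to_pem(ca[1]), to_pem(cas_cert), to_pem(temp_cert)
    return {
        "cas_ok": check_pem(cas_pem, ca_pem, "10.0.0.5"),
        "cas_wrong_ip": check_pem(cas_pem, ca_pem, "10.0.0.6"),          # the name-mismatch warning
        "temp_untrusted": check_pem(temp_pem, ca_pem, "10.0.0.5"),       # self-signed; the CA never issued it
        "temp_self_trusted": check_pem(temp_pem, temp_pem, "10.0.0.5"),  # the peer's own cert imported as anchor
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings)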

  • Cisco NAC server hang issue

    Hi All Cisco NAC Experts,  I am currently experiencing a Cisco NAC NAC3315-SVR hang issue.
    The issue was already happened for few time on the same server and the symptom when NAC server hung includes no response to ICMP ping, no response to SSH request, no response for access request to CAS management page via https, HA pair was detected down from its HA neighbor and triggered failover to secondary CAS.
    The CAS server was recovered after manually power cycle the hardware. 
    After went through the attachment CAS logs, I found all the services and logging service were stopped when the issue happening but unfortunately there is no any suspicious activity was logged down before or during the issue happening.
    I have also tried to search on Cisco Bug Toolkit but no similar case was found, I believe it was not caused by software bug due to the software version 4.8.1 is running in my company for years and only one CAS server having the issue.
    That will be great if any one can help me out for the same.
    Thanks,
    Eric

    Hi Bro
    This could be a problem with the certificate in that Cisco NAC appliance itself. My suggestion is to redo the certificate generation between the CAS CAM and CA Server. If this still doesn’t work, it could also be due to overload/broadcast storm on the LAN portion. This can be verified via Wireshark.
    If all else fail, then a hardware swap would seem like the next best thing.

  • NAC Agent Login Dialog Not Appearing - ISE 1.1.1 issue ?

    Agent Fails to Initiate Posture Assessment
    The NAC agent is properly installed on a Windoes 7 , IE 9 machine, the certificates from ISE ADM PRI are installed in trustable certificate store in the client machine but is a selfsigned ISE certificate.
    The reports / USER / Profiling report says the Provisioning Agent has completed the assessment ok.
    The redirected URL is working fine (SEE Evidence)
    We are always prompted to install the NAC agent again or looking at the additional prompted information wait for the NAC agent to load and complete.
    The operations status remains with postering status pending forever and nothing else happens.
    Symptoms or Issue
    The agent login dialog box does not appear to the user following client provisioning.
    Conditions Cisco Says this issue can generally take place during the posture assessment phase of any user
    authentication session.
    Cisco Advises as Possible Causes There are multiple possible causes for this type of issue. See the following
    Resolution descriptions for details of what was already tested by us and please see the atached files for your switch configuration and evidences. .
    CISCO SUGGESTED POSSIBLE CAUSES AND RESOLUTIONS
    Resolution • Ensure that the agent is running on the client machine. ALL TESTED OK
    • Ensure that the Cisco IOS release on the switch is equal to or more recent than
    Cisco IOS Release 12.2.(53)SE. - OK
    • Ensure that the discovery host address on the Cisco NAC agent or Mac OS X
    agent is pointing to the Cisco ISE FQDN. (Right-click on the NAC agent icon,
    choose Properties, and check the discovery host.) - OK (See evidence)
    • Ensure that the access switch allows Swiss communication between Cisco ISE
    and the end client machine. Limited access ACL applied for the session should
    allow Swiss ports: ALL CONFIGURED as CISCO GUIDELINES OK (SEE EVIDENCE)
    • If the agent login dialog still does not appear, it could be a certificate issue.
    Ensure that the certificate that is used for Swiss communication on the end client
    is in the Cisco ISE certificate trusted list. (ALL CHECKED OK SEE EVIDENCE)
    • Ensure that the default gateway is reachable from the client machine. (TESTED OK)

    Hi.
    Can you paste all the ACLs on your switch especially the webauth redirect ACL which should deny traffic towards the PSN.
    regards
    Zubair

Maybe you are looking for