Thanks for that tip about the "Netscape Cert Type". I ran into that too. It turns out that the Entrust Standard SSL certificate only supports the "SSL Server" type. You have to buy their Advantage SSL certificate to get both the "SSL Server" and "SSL Client" functionality.

I also ran into another weird problem. I had a Verisign certificate, which uses an intermediate root CA certificate, on the NAS. I made sure I added the root and intermediate CA certificate onto the NAM. When I did the upgrade the NAS and NAM wouldn't talk. In the NAS and NAM logs there were complaints about invalid chaining certificate. I checked the Trusted Certificate Authority on the NAS and the NAM and made sure the intermediate and root CA Verisign certificate existed on both. I ended up solving the problem by re-inputting the private key and CA-Signed Certificate on the NAS. Once I did that and rebooted everything worked fine. I also saw in the 4.1.6 NAS config guide that the cacerts file can get corrupted. That may have been what happened during the upgrade. The config guide recommends the following:

   If you check nslookup and date from the CAS, and both the DNS and
   TIME settings on the CAS are correct, this can indicate that the
   cacerts file on the CAS is corrupted. In this case, Cisco recommends
   backing up the existing cacerts file from
   /usr/java/j2sdk1.4/lib/security/cacerts, overriding it with the file
   from /perfigo/common/conf/cacerts, then performing “service perfigo
   restart” on the CAS.


------------------------------------------------------
Rob Chee, CCIE #8188 (R&S and Security)
Senior Network Consultant
Chesapeake NetCraftsmen, LLC.
Company Website:  http://www.netcraftsmen.net
My Blog:  http://cnc-networksecurity.blogspot.com
Mobile:  571-437-2829
------------------------------------------------------

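The checks below are an added example, not code from this thread or from Cisco. They cover the two things this message and Chris Evans' note further down the thread say to verify before the 4.1.6 upgrade (that the certificate's "Netscape Cert Type" includes SSL Client, and that each box's certificate chains to the CA certificates the other box trusts), plus the cacerts backup-and-overwrite step the config guide quotes. The `openssl` invocations are standard; the certificate and CA bundle file names are placeholders, and the only real paths are the two cacerts locations named in the guide. The sample certificate text at the bottom is constructed so the text checks run without a certificate on hand.

```shell
#!/bin/sh
# Added example, not from the thread or Cisco: pre-upgrade checks for the
# CAS/CAM certificate relationship discussed above, plus the cacerts recovery
# step quoted from the 4.1.6 config guide. File paths passed as arguments are
# placeholders; the two default cacerts paths are the ones the guide names.

# Print the value line of the "Netscape Cert Type" extension from
# `openssl x509 -noout -text` output read on stdin (e.g. "SSL Server").
netscape_cert_type() {
    awk '/Netscape Cert Type:/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Classify certificate text read on stdin:
#   0 = Netscape Cert Type lists SSL Client (usable for CAS-CAM client auth)
#   1 = extension present but SSL Client missing (the "SSL Server only" case)
#   2 = extension absent (no Netscape-type restriction to check)
has_ssl_client() {
    text=$(cat)
    if ! printf '%s\n' "$text" | grep -q 'Netscape Cert Type:'; then
        return 2
    fi
    if printf '%s\n' "$text" | netscape_cert_type | grep -q 'SSL Client'; then
        return 0
    fi
    return 1
}

# Run the check on a PEM certificate file (needs openssl on the box).
check_cert_file() {
    openssl x509 -in "$1" -noout -text | has_ssl_client
}

# Confirm the certificate chains to the CA bundle the peer trusts: for 4.1.6
# the CAM must hold the CA (root and any intermediate) of the CAS certificate,
# and vice versa. Needs openssl; prints "<cert>: OK" on success.
verify_chain() {
    cert=$1        # certificate installed on one box (placeholder name)
    ca_bundle=$2   # PEM file with the root and intermediate CA certs the other box trusts
    openssl verify -CAfile "$ca_bundle" "$cert"
}

# cacerts recovery as the config guide describes: back up the live keystore,
# then overwrite it with the pristine copy. Prints the backup path. Run
# "service perfigo restart" on the CAS afterwards, as the guide says.
restore_cacerts() {
    live=${1:-/usr/java/j2sdk1.4/lib/security/cacerts}
    pristine=${2:-/perfigo/common/conf/cacerts}
    backup="$live.bak.$(date +%Y%m%d%H%M%S)"
    cp "$live" "$backup" && cp "$pristine" "$live" && printf '%s\n' "$backup"
}

# Constructed samples of the relevant lines of `openssl x509 -text` output,
# so the text checks can be exercised without a real certificate or openssl.
SAMPLE_SERVER_ONLY='        X509v3 extensions:
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
SAMPLE_CLIENT_AND_SERVER='            Netscape Cert Type:
                SSL Client, SSL Server'
SAMPLE_NO_EXTENSION='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'
```

On a real box, `check_cert_file cas.pem; echo $?` tells you whether the CAS certificate is the "SSL Server only" kind this thread warns about, and `verify_chain cas.pem cam-trusted-cas.pem` (run against a PEM bundle of what the CAM's Trusted Certificate Authority list holds) catches the "invalid chaining certificate" condition before the upgrade rather than after it. `restore_cacerts` with no arguments performs exactly the backup-then-overwrite the guide recommends, leaving the restart to you.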

Hall, Rand wrote:
Here's a 4.1.6 pre-install checklist item for you:

Make sure your certificates' "Netscape Cert Type" is not just "SSL Server". They need to support Client for the new CAS-CAM Authentication. We were making use of IPSCA's free edu certificates--which only support Server. As an aside, you get what you pay for. IPSCA support is virtually unreachable. I've been waiting 5 days. Comodo was very responsive to my credit card yesterday ;-)


Cheers,
Rand

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com

CONFIDENTIALITY:  This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited.  If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.


-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On 
Behalf Of Chris Evans
Sent: Thursday, August 07, 2008 10:07 AM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

You need to ensure that the CAM has the CA certificate corresponding to the certificate issued to the CAS (there are options in the GUI in 4.1.6 to allow you to upload that certificate).

The CAS and CAM do not have to have certificates issued by the same CA, but they both need to have the CA certificates for each other.

In code prior to 4.1.6, the CAS needed the CA certificate corresponding to the certificate issued on the CAM (but the CAM didn't need the CA certificate for the cert on the CAS). Most people used the self-generated cert on the CAM, so the CA cert for this was already "built in". In 4.1.6 code, the CAM likewise needs the CA certificate for the certificate issued to the CAS - this is a new requirement and is the limitation you'll likely run into.

Strictly speaking for it to function, you don't need to issue a new certificate to the CAM if you are using the "perfigo-based" certificates (but it needs the CA certificate corresponding to the certs on the CASes!), but as implied elsewhere in the alias, it's a good security practice to do so.

Hall, Rand wrote:
So, what are the ramifications for leaving the Perfigo certificate in place?

I have a "real" certificate installed on the CAS but not on the CAM. I'm scheduled to update tomorrow morning but am not looking forward to being dead in the water if the certificate is a deal-killer.


Cheers,
Rand



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On 
Behalf Of Muhammad Ismail
Sent: Wednesday, August 06, 2008 3:53 PM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

We have installed the version 4.1.6 on a test environment. Does not look too different from version 4.1.3.1. However, one thing you would notice right away is a message with red text asking you to make sure you have certificates for CAM and CAS. See the message in the screen shot.


Muhammad/.

Muhammad I. Ismail
Network Security Specialist
Western CT State University
(203) 837-8991 (O)
[EMAIL PROTECTED]



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On 
Behalf Of Eric Kenny
Sent: Wednesday, August 06, 2008 11:40 AM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

Yes.

Eric J. Kenny
Network Analyst
Marist College
3399 North Rd.
Poughkeepsie, NY 12601
845.575.3820

On Aug 6, 2008, at 10:35 AM, Walt Howd wrote:

Has the 4.1.6 agent been released for 4.1.3 installations? We have
auto update of the agent disabled.

Walt
