This is great, any chance we could get a flavor of this walking us through all precautionary measures to do with our certificates pre-upgrade?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cat Hoffman
Network Infrastructure & Security Engineer
Office of Information Technology
Valparaiso University
1700 Chapel Drive, B13 Kretzmann Hall
Valparaiso, IN, 46383
Phone: (219) 464-6101
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://photos.cathoffman.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

>>> From: Nevin Absher <[EMAIL PROTECTED]>
To: <[email protected]>
Date: 8/18/2008 4:37 PM
Subject: Re: 4.1.6 Software Posted

Hi Christopher,

I'm in the process of getting a document posted to cisco.com that will help fix the problems that some folks are seeing with certificates after upgrading to 4.1.6. I'm not sure exactly how long it will take to get published so I've put a copy of it on our shiny new support wiki. If you go to http://supportwiki.cisco.com and search for 'nac certificate' it should be the first entry in the list. It's not exactly pretty, but the content is there. Hopefully this will get you where you need to be.

Thanks,
Nevin

Christopher Chin wrote:
> I'm glad to hear that so many people have had success with
> this upgrade.
>
> Unfortunately, ours did not go so well.
>
> Our CAM is an HA-pair, each with its self-generated SSL
> cert (apparently signed by www.perfigo.com). We have two
> test standalone CASes, each with a similarly self-generated
> cert. Then we have a production CAS HA-pair, which share a
> Verisign chained cert for the pair's service FQDN.
>
> The root CA and chained combination *are* included in
> the CAM, as well as both units of the CAS HA-pair.
>
> Unfortunately, that didn't quite cut the mustard, and
> the upgrade broke the connection between the HA-CAM and
> the HA-CAS. After nearly five(!) hours of priority 1
> TAC handling, we finally got the connection back by
> regenerating the (now discouraged) self-generated
> www.perfigo.com-signed cert. We generated this on one
> unit of the HA-CAS for the service IP and then copied it
> to the other.
>
> Speaking of which, we often get the following message
> when trying to login to the /admin interface on our HA
> CAS boxes.
>
> We'll get the following error:
>
> The link that you requested is not present on this Clean
> Access System. If you reached this page by following a
> link from the user interface of the Clean Access Manager
> or Server, then please report this as a bug.
>
> This happens on the individual IP for each CAS, and
> sometimes on the service IP. It's inconsistent, and
> sometimes survives reboots, and sometimes survives
> browser clearing/restarting. Truly a new "feature" that
> we're not able to pin down yet. But... suffice it to
> say, it makes managing the boxes a bit difficult when
> you can't login to the darn things.
>
> Anyway, we'll try some of the suggestions made here.
>
> Want a laugh? One of the early suggestions made by TAC
> was that I should put official Verisign certs on all
> the devices. *sigh*
>
> Thank goodness for this list.
>
> - Christopher
>
> ======================
>
> On Sat, 16 Aug 2008 (13:57 -0400), Rob Chee wrote:
>
>> Date: Sat, 16 Aug 2008 13:57:33 -0400
>> From: Rob Chee <[EMAIL PROTECTED]>
>> Reply-To: Cisco Clean Access Users and Administrators
>> <[email protected]>
>> To: [email protected]
>> Subject: Re: [CLEANACCESS] 4.1.6 Software Posted
>>
>> Thanks for that tip about the "Netscape Cert Type". I ran into that too. It
>> turns out that the Entrust Standard SSL certificate only supports the "SSL
>> Server" type. You have to buy their Advantage SSL certificate to get both the
>> "SSL Server" and "SSL Client" functionality.
>>
>> I also ran into another weird problem. I had a Verisign certificate, which
>> uses an intermediate root CA certificate, on the NAS. I made sure I added the
>> root and intermediate CA certificate onto the NAM. When I did the upgrade the
>> NAS and NAM wouldn't talk. In the NAS and NAM logs there were complaints about
>> invalid chaining certificate. I checked the Trusted Certificate Authority on
>> the NAS and the NAM and made sure the intermediate and root CA Verisign
>> certificate existed on both. I ended up solving the problem by re-inputting
>> the private key and CA-Signed Certificate on the NAS. Once I did that and
>> rebooted everything worked fine. I also saw in the 4.1.6 NAS config guide that
>> the cacerts file can get corrupted. That may have been what happened during
>> the upgrade. The config guide recommends the following:
>>
>> If you check nslookup and date from the CAS, and both the DNS and
>> TIME settings on the CAS are correct, this can indicate that the
>> cacerts file on the CAS is corrupted. In this case, Cisco recommends
>> backing up the existing cacerts file from
>> /usr/java/j2sdk1.4/lib/security/cacerts, overriding it with the file
>> from /perfigo/common/conf/cacerts, then performing "service perfigo
>> restart" on the CAS.
>>
>> ------------------------------------------------------
>> Rob Chee, CCIE #8188 (R&S and Security)
>> Senior Network Consultant
>> Chesapeake NetCraftsmen, LLC.
>> Company Website: http://www.netcraftsmen.net
>> My Blog: http://cnc-networksecurity.blogspot.com
>> Mobile: 571-437-2829
>> ------------------------------------------------------
>>
>> Hall, Rand wrote:
>>
>>> Here's a 4.1.6 pre-install checklist item for you:
>>>
>>> Make sure your certificates' "Netscape Cert Type" is not just "SSL Server".
>>> They need to support Client for the new CAS-CAM Authentication. We were
>>> making use of IPSCA's free edu certificates--which only support Server. As
>>> an aside, you get what you pay for. IPSCA support is virtually unreachable.
>>> I've been waiting 5 days. Comodo was very responsive to my credit card
>>> yesterday ;-)
>>>
>>> Cheers,
>>> Rand
>>>
>>> --
>>> Rand P. Hall * Director, Network Services
>>> Merrimack College * SunGard Higher Education
>>> 315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
>>> Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com
>>>
>>> CONFIDENTIALITY: This e-mail (including any attachments) may contain
>>> confidential, proprietary and privileged information, and unauthorized
>>> disclosure or use is prohibited. If you received this e-mail in error,
>>> please notify the sender and delete this e-mail from your system.
>>>
>>> -----Original Message-----
>>> From: Cisco Clean Access Users and Administrators
>>> [mailto:[EMAIL PROTECTED] On Behalf Of Chris Evans
>>> Sent: Thursday, August 07, 2008 10:07 AM
>>> To: [email protected]
>>> Subject: Re: 4.1.6 Software Posted
>>>
>>> You need to ensure that the CAM has the CA certificate corresponding to the
>>> certificate issued to the CAS (there are options in the GUI in 4.1.6 to
>>> allow you to upload that certificate).
>>>
>>> The CAS and CAM do not have to have certificates issued by the same CA, but
>>> they both need to have the CA certificates for each other.
>>>
>>> In code prior to 4.1.6, the CAS needed the CA certificate corresponding to
>>> the certificate issued on the CAM (but the CAM didn't need the CA
>>> certificate for the cert on the CAS). Most people used the self-generated
>>> cert on the CAM, so the CA cert for this was already "built in". In 4.1.6
>>> code, the CAM likewise needs the CA certificate for the certificate issued
>>> to the CAS - this is a new requirement and is the limitation you'll likely
>>> run into.
>>>
>>> Strictly speaking for it to function, you don't need to issue a new
>>> certificate to the CAM if you are using the "perfigo-based" certificates
>>> (but it needs the CA certificate corresponding to the certs on the CASes!),
>>> but as implied elsewhere in the alias, it's a good security practice to do
>>> so.
>>>
>>> Hall, Rand wrote:
>>>
>>>> So, what are the ramifications for leaving the Perfigo certificate in
>>>> place?
>>>>
>>>> I have a "real" certificate installed on the CAS but not on the CAM. I'm
>>>> scheduled to update tomorrow morning but am not looking forward to being
>>>> dead in the water if the certificate is a deal-killer.
>>>>
>>>> Cheers,
>>>> Rand
>>>>
>>>> --
>>>> Rand P. Hall * Director, Network Services
>>>> Merrimack College * SunGard Higher Education
>>>> 315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
>>>> Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com
>>>>
>>>> -----Original Message-----
>>>> From: Cisco Clean Access Users and Administrators
>>>> [mailto:[EMAIL PROTECTED] On Behalf Of Muhammad Ismail
>>>> Sent: Wednesday, August 06, 2008 3:53 PM
>>>> To: [email protected]
>>>> Subject: Re: 4.1.6 Software Posted
>>>>
>>>> We have installed the version 4.1.6 on a test environment. Does not look
>>>> too different from version 4.1.3.1. However, one thing you would notice
>>>> right away is a message with red text asking you to make sure you have
>>>> certificates for CAM and CAS. See the message in screen shot.
>>>>
>>>> Muhammad/.
>>>>
>>>> Muhammad I. Ismail
>>>> Network Security Specialist
>>>> Western CT State University
>>>> (203) 837-8991 (O)
>>>> [EMAIL PROTECTED]
>>>>
>>>> -----Original Message-----
>>>> From: Cisco Clean Access Users and Administrators
>>>> [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kenny
>>>> Sent: Wednesday, August 06, 2008 11:40 AM
>>>> To: [email protected]
>>>> Subject: Re: 4.1.6 Software Posted
>>>>
>>>> Yes.
>>>>
>>>> Eric J. Kenny
>>>> Network Analyst
>>>> Marist College
>>>> 3399 North Rd.
>>>> Poughkeepsie, NY 12601
>>>> 845.575.3820
>>>>
>>>> On Aug 6, 2008, at 10:35 AM, Walt Howd wrote:
>>>>
>>>>> Has the 4.1.6 agent been released for 4.1.3 installations? We have
>>>>> auto update of the agent disabled.
>>>>>
>>>>> Walt
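The two pre-upgrade checks this thread converges on (does the CAS certificate's "Netscape Cert Type" include SSL Client, and does the CAS certificate chain to the CA certificates the CAM trusts, intermediate included) can be run from the command line before touching 4.1.6. The script below is an added example written for this page; it is not Cisco's code, not from the support wiki, and not from any of the posters. It assumes only that openssl is on PATH. It generates its own throwaway root / intermediate / leaf chain as constructed test data (the hostname cas.example.edu, the file names, and the "Test Root CA" / "Test Intermediate CA" subjects are all made up), so it runs offline; in real use you point the two check functions at your actual CAS certificate and the CA bundle uploaded to the CAM. The "absent" status (no Netscape Cert Type extension at all) is the script's own classification; the thread only says that a server-only value fails, so treat "absent" as something to confirm with your CA and Cisco rather than as a pass.

```shell
#!/bin/sh
# Added example, not Cisco's or the thread's code.
# Pre-upgrade checks for the 4.1.6 CAS/CAM certificate requirements:
#   1. does the CAS cert's "Netscape Cert Type" include SSL Client?
#   2. does the CAS cert chain to the CA certs the CAM trusts (root AND intermediate)?
# Assumes: openssl on PATH. All key/cert material below is throwaway test data
# generated at run time (constructed); point the check functions at your real files.
set -u
WORK="${WORK:-$(mktemp -d)}"

# issue_cert NAME SUBJECT EXTENSIONS [ISSUER]
# Creates $WORK/NAME.key and $WORK/NAME.crt. Without ISSUER the cert is
# self-signed (a root); otherwise it is signed by $WORK/ISSUER.{key,crt}.
issue_cert() {
  name=$1; subj=$2; exts=$3; issuer=${4:-}
  printf '%s\n' "$exts" > "$WORK/$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null || return 1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 2 -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" \
      -CAkey "$WORK/$issuer.key" -CAcreateserial -days 2 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# Constructed test data: root -> intermediate -> two CAS leaf certs, one
# "server only" (the Entrust Standard / IPSCA case) and one "server + client".
build_test_chain() {
  issue_cert root "/CN=Test Root CA" \
    "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
  issue_cert inter "/CN=Test Intermediate CA" \
    "basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign" root
  issue_cert cas-serveronly "/CN=cas.example.edu" \
    "basicConstraints=CA:FALSE
nsCertType=server
subjectAltName=DNS:cas.example.edu" inter
  issue_cert cas-both "/CN=cas.example.edu" \
    "basicConstraints=CA:FALSE
nsCertType=server,client
subjectAltName=DNS:cas.example.edu" inter
  # What the CAM's trusted CA list must contain for this CAS cert: root AND intermediate.
  cat "$WORK/root.crt" "$WORK/inter.crt" > "$WORK/trusted-full.pem"
}

# ns_cert_type_status CERT  -> prints one of:
#   client-ok    Netscape Cert Type lists SSL Client (what CAS-CAM auth needs)
#   server-only  extension present, SSL Client missing (the failing case)
#   absent       no Netscape Cert Type extension; confirm with your CA / Cisco
# Exit status is 0 only for client-ok.
ns_cert_type_status() {
  txt=$(openssl x509 -in "$1" -noout -text) || return 1
  case $txt in
    *"Netscape Cert Type"*) ;;
    *) echo absent; return 1 ;;
  esac
  # openssl prints the type list on the line after the extension name
  if printf '%s\n' "$txt" | sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Client'; then
    echo client-ok; return 0
  fi
  echo server-only; return 1
}

# chain_ok CERT TRUSTED_PEM -> 0 if CERT verifies against the trusted bundle.
# A bundle holding only the root (intermediate missing) reproduces the
# "invalid chaining certificate" situation from the thread.
chain_ok() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
  build_test_chain || { echo "could not build test chain"; return 1; }
  for c in cas-serveronly cas-both; do
    printf '%-15s nsCertType=%-12s ' "$c" "$(ns_cert_type_status "$WORK/$c.crt")"
    if chain_ok "$WORK/$c.crt" "$WORK/trusted-full.pem"; then
      echo "chain=ok (root+intermediate trusted)"
    else
      echo "chain=FAIL"
    fi
  done
  if chain_ok "$WORK/cas-both.crt" "$WORK/root.crt"; then
    echo "root only: ok"
  else
    echo "root only: FAIL -> upload the intermediate CA to the CAM (and CAS) trusted list"
  fi
}

demo
```

On a real box, run `ns_cert_type_status` against the PEM you are about to load on each CAS, and `chain_ok` against that PEM plus the exact CA bundle the CAM has under its trusted certificate authorities; the second check passing with root+intermediate and failing with root alone is the signature of the chaining problem Rob and Christopher hit. The script does not inspect the Java cacerts keystore the config guide mentions; that corruption case is a separate check (the nslookup/date test quoted above, then the file replacement) and is not automated here.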
