I resolved this yesterday after many hours of tinkering. Posting back to the list for future reference...

I assumed (wrongly) that using temporary certificates was sufficient when configuring authorization. I decided to sign new certs using our internal CA, added the CA to the Trusted CA list, and imported the signed certs back into each of the CAM/CAS HA pairs. Of course, since HA is also dependent upon having matching certs on each member of the HA pair, HA was broken until all certs were finally synchronized.

Temporary certs = OK for HA; Temporary certs = !OK for authorization.

Finally, it appears that authorization is *required*, not optional as discussed in the documentation? This will probably break again with the NAC client which, I believe, requires certs to be signed by a well-known 3rd-party CA. Else, I will have to distribute our internal CA to the 12,000 workstations that we manage. Yuck.

Hope this thread one day helps someone else...

-- Dave

On 11/17/09 1:01 PM, "David Stempien" <[email protected]> wrote:

> Hi all,
>
> After a year-plus hiatus in evaluating NAC, I've been told to dust off our
> rather large junkpile of 3350s and give another evaluation a go. Seems like
> the higher powers here are going to require NAC at some point, and we either
> eat our own dog food or someone else's. Personally, I like knowing where my
> Alpo comes from, so here I am.
>
> At last evaluation, we were using 4.1.8. At that time, the Active
> Directory/SSO integration was too painful to bear, forcing us to shutter
> this for a while. Of course, we subsequently removed all our NAC gear from
> maintenance to save a few jobs' worth of cash. You know, in these troubled
> economic times and all...
>
> In the last few days, I installed 4.7 fresh on a HA pair of CAMs and an
> HA pair of CASes. HA is working fine. However, when I try to add the HA
> CAS pair to the HA CAM, I get "Failed to add server: Could not connect to
> 10.145.143.3" <--- HA address of our CAS pair. Seems like I can ping it
> just fine from the CAM.
>
> I've tried using authorization and no-authorization techniques, made sure
> the SSL certs were common within each HA pair, copied/pasted the DNs into
> the authorization fields as suggested in Cisco's documentation, etc. I
> rebooted each of the CAMs and CASes multiple times. I re-ran the perfigo
> config script to ensure the master password was the same, and so on... Oh,
> and I did install a license in the CAM for the CAS I'm trying to import!
>
> I'm going to try to sneak a new service request into TAC. Maybe even pester
> our Cisco SE for some help if that doesn't work. In the meantime, does
> anyone recognize my problem or have any tricks to share? I'm guessing this
> new CAS/CAM association technique started around 4.5.
>
> I've been lurking in this mail list even though I myself haven't been active
> in quite a while. Seen lots of people leave for other solutions. Seen even
> fewer discussions around 4.5+ releases. Hoping that this list isn't quite
> dead yet!
>
> Thanks for any advice!
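As an added example, not part of Dave's post or of Cisco's own tooling: a POSIX shell script that runs the three checks his resolution implies against a pair of exported certificate files before they are imported into the CAM/CAS. It checks that both HA members present the same cert (the HA requirement he hit), that the cert is not a self-signed "temporary" cert (which he found HA accepts but authorization does not), and that it chains to the internal CA placed on the Trusted CA list, then prints the subject DN for the authorization field. It assumes the `openssl` command-line tool; the CA, the hostname `cas-ha.example.internal` and every certificate in it are constructed for the demonstration, and exporting the real cert from an appliance is not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the SSL certs of an HA
# pair before importing them into the CAM/CAS. Both members must present the
# same cert (HA requirement), the cert must not be the self-signed temporary
# cert (authorization requirement), and it must chain to the internal CA on
# the Trusted CA list. Assumes the openssl CLI is installed; the CA, hostname
# and certs below are constructed sample material, not real appliance certs.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# --- constructed sample material ---------------------------------------
# Throwaway "internal CA" standing in for the one Dave used.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=Example Internal CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

# Cert signed by the CA: $1 = file prefix, $2 = CN.
make_signed() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/$1.crt" >/dev/null 2>&1
}
# Self-signed cert, like the appliance's default temporary cert.
make_temp() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}
make_signed cas-signed "cas-ha.example.internal"   # assumed hostname
make_signed cas-other  "cas-ha.example.internal"   # same CN, different key
make_temp   cas-temp   "cas-ha.example.internal"

# --- checks ------------------------------------------------------------
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
subject_dn()  { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_dn()   { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }
# True when issuer == subject, i.e. a self-signed (temporary) cert.
is_self_signed() { [ "$(subject_dn "$1")" = "$(issuer_dn "$1")" ]; }
# True when cert $1 validates against the CA file $2.
chains_to_ca() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# check_ha_pair MEMBER1.crt MEMBER2.crt CA.crt
# Exit status: 0 ok, 1 members differ, 2 temporary cert, 3 not issued by CA.
check_ha_pair() {
  if [ "$(fingerprint "$1")" != "$(fingerprint "$2")" ]; then
    echo "MISMATCH: HA members present different certs; HA will not form"
    return 1
  fi
  if is_self_signed "$1"; then
    echo "TEMPORARY: self-signed cert; fine for HA, not accepted for authorization"
    return 2
  fi
  if ! chains_to_ca "$1" "$3"; then
    echo "UNTRUSTED: cert does not chain to the CA on the Trusted CA list"
    return 3
  fi
  echo "OK: DN to paste into the authorization field: $(subject_dn "$1")"
  return 0
}

# Demonstration on the constructed certs (|| true keeps set -e from aborting).
check_ha_pair "$WORK/cas-signed.crt" "$WORK/cas-signed.crt" "$WORK/ca.crt" || true
check_ha_pair "$WORK/cas-signed.crt" "$WORK/cas-other.crt"  "$WORK/ca.crt" || true
check_ha_pair "$WORK/cas-temp.crt"   "$WORK/cas-temp.crt"   "$WORK/ca.crt" || true
```

The DN is printed in RFC 2253 one-line form; tools differ in component order and spacing, so compare it with the DN as the appliance displays it before pasting, since a mismatched string in the authorization field fails the same way a wrong cert does.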
