You can use temp certs in (non-FIPS) Appliances. 

With 4.7, CAS and CAM don't trust each other's temporary certificates by default. 
You need to upload each other's certificates in the "Trusted Certificate 
Authorities" to establish a trust relationship between the Manager and Server.

Thanks,

Syed
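The trust relationship Syed describes (each appliance loads the other's temporary, self-signed certificate into its "Trusted Certificate Authorities" list), and the internal-CA alternative Dave arrives at further down the thread, modelled in Go with the standard library's crypto/x509 package. This is an added example written for this thread; it is not Cisco code and does not reproduce what the CAM/CAS appliances do internally. The hostnames, the "Internal Root CA" name and the certificate lifetimes are made up, and the "trusted list" is simply an x509.CertPool with nothing from the system root store in it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for cn. With parent == nil the
// certificate is self-signed (an appliance's temporary cert, or the internal
// root CA); otherwise it is an end-entity cert issued by parent.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	sn, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          sn,
		Subject:               pkix.Name{CommonName: cn}, // hypothetical names
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // usable as a trust anchor
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyPeer validates peer against a store holding only the certificates in
// trusted, i.e. a stand-in for the appliance's "Trusted Certificate
// Authorities" list. The system root store is not consulted.
func verifyPeer(peer *x509.Certificate, trusted ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool})
	return err
}

type Outcome struct {
	TempRejectedUntrusted   bool // peer's temp cert fails with an empty trusted list
	TempAcceptedCrossLoaded bool // ...and passes once each side trusts the other's cert
	CASignedAccepted        bool // CA-issued certs pass when only the internal CA is trusted
}

// RunScenarios walks through the 4.7 default behaviour and both fixes.
func RunScenarios() (Outcome, error) {
	var out Outcome
	var firstErr error
	mk := func(cn string, isCA bool, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
		c, k, err := issue(cn, isCA, parent, pk)
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	cam, _ := mk("cam.example.test", true, nil, nil) // temporary, self-signed
	cas, _ := mk("cas.example.test", true, nil, nil)
	ca, caKey := mk("Internal Root CA", true, nil, nil)
	camSigned, _ := mk("cam.example.test", false, ca, caKey)
	casSigned, _ := mk("cas.example.test", false, ca, caKey)
	if firstErr != nil {
		return out, firstErr
	}
	// Default: the trusted list is empty, so the peer's temporary cert is
	// rejected as coming from an unknown authority.
	var unknown x509.UnknownAuthorityError
	out.TempRejectedUntrusted = errors.As(verifyPeer(cas), &unknown)
	// Fix 1 (Syed): each side uploads the other's temporary cert as a trusted CA.
	out.TempAcceptedCrossLoaded = verifyPeer(cas, cas) == nil && verifyPeer(cam, cam) == nil
	// Fix 2 (Dave): re-issue both certs from an internal CA and trust only the CA.
	out.CASignedAccepted = verifyPeer(casSigned, ca) == nil && verifyPeer(camSigned, ca) == nil
	return out, nil
}

func main() {
	out, err := RunScenarios()
	fmt.Printf("%+v err=%v\n", out, err)
}
```

Running it prints all three fields as true. The difference between the two fixes is worth noting: loading a self-signed certificate as a trust anchor pins that exact certificate, so if either appliance regenerates its temporary certificate the peer stops trusting it until the new one is uploaded again, whereas trusting a CA survives re-issuing the appliance certificates (at the cost of the CA also having to be trusted wherever else the certificate is presented).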

-----Original Message-----
From: Cisco Clean Access Users and Administrators 
[mailto:[email protected]] On Behalf Of Dennis Xu
Sent: Wednesday, November 18, 2009 6:00 AM
To: [email protected]
Subject: Re: Fresh 4.7 install -- CAM says "no" to adding CAS

Is it still ok to use temporary certificate (Perfigo signed) on CAM HA pair in 
4.7?

Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
5198244120 x 56217

----- Original Message -----
From: "Dave Stempien" <[email protected]>
To: [email protected]
Sent: Wednesday, November 18, 2009 7:37:27 AM GMT -05:00 US/Canada Eastern
Subject: Re: Fresh 4.7 install -- CAM says "no" to adding CAS

I resolved this yesterday after many hours of tinkering.  Posting back to
the list for future reference...

I assumed (wrongly) that using temporary certificates was sufficient when
configuring authorization.  I decided to sign new certs using our internal
CA, added the CA to the Trusted CA list, and imported the signed certs back
into each of the CAM/CAS HA pairs.  Of course, since HA is also dependent
upon having matching certs on each member of the HA-pair, HA was broken
until all certs were finally synchronized.  Temporary certs = OK for HA;
Temporary certs = !OK for authorization.  Finally, it appears that
authorization is *required*, not optional as discussed in the documentation?

This will probably break again with the NAC client which, I believe,
requires certs to be signed by a well-known 3rd-party CA.  Else, I will have
to distribute our internal CA to the 12,000 workstations that we manage.
Yuck.

Hope this thread one day helps someone else...

-- Dave

On 11/17/09 1:01 PM, "David Stempien" <[email protected]>
wrote:

> Hi all,
> 
> After a year-plus hiatus in evaluating NAC, I've been told to dust off our
> rather large junkpile of 3350s and give another evaluation a go.  Seems like
> the higher powers here are going to require NAC at some point, and we either
> eat our own dog food or someone else's.  Personally, I like knowing where my
> Alpo comes from, so here I am.
> 
> At last evaluation, we were using 4.1.8.  At that time, the Active
> Directory/SSO integration was too painful to bear, forcing us to shutter
> this for awhile.  Of course, we subsequently removed all our NAC gear from
> maintenance to save a few jobs' worth of cash.  You know, in these troubled
> economic times and all...
> 
> In the last few days, I installed 4.7 fresh on a HA-pair of CAMs and an
> HA-pair of CASes.  HA is working fine.  However, when I try to add the HA
> CAS pair to the HA CAM, I get, "Failed to add server: Could not connect to
> 10.145.143.3" <--- HA address of our CAS-pair.  Seems like I can ping it
> just fine from the CAM.
> 
> I've tried using authorization and no-authorization techniques, made sure
> the SSL certs were common within each HA pair, copied/pasted the DNs into
> the authorization fields as suggested in Cisco's documentation, etc.  I
> rebooted each of the CAMs and CASes multiple times.  I re-ran the perfigo
> config script to ensure the master password was the same, and so on...  Oh,
> and I did install a license in the CAM for the CAS I'm trying to import!
> 
> I'm going to try to sneak a new service request into TAC.  Maybe even pester
> our Cisco SE for some help if that doesn't work.  In the meantime, does
> anyone recognize my problem or have any tricks to share?  I'm guessing this
> new CAS/CAM association technique started around 4.5.
> 
> I've been lurking in this mail list even though I myself haven't been active
> in quite awhile.  Seen lots of people leave for other solutions.  Seen even
> fewer discussions around 4.5+ releases.  Hoping that this list isn't quite
> dead yet!
> 
> Thanks for any advice!
