NAC CA agent SSL error

Answered Question
Jun 18th, 2009

Currently running

CAM: 4.5.0 lite

Current Windows Clean Access Agent Version: 4.5.0.0

Current Windows Clean Access Agent Patch Version: 4.5.0.0

Current Macintosh Clean Access Agent Version: 4.5.0.0

Current Cisco NAC Web Agent Version: 4.5.0

(The clean access windows agent installed on the host laptop (Vista Enterprise) is version 4.5.1.0)

CAS mode: L2 OOB virtual GW

The setup is in lab conditions for a proof of concept.

The following scenario happens every time a new authentication is attempted from a Vista host running the Clean Access Agent.

-------------

I plug the host into the NAC-controlled switch port.

I receive an IP address through my auth VLAN and DHCP pool.

Cisco Clean Access Agent pops up on screen as per normal.

I enter my user and pass and click login.

I get a "security alert" pop up stating "Revocation information for the security certificate for this site is not available. Do you want to proceed?"

There are 3 buttons to choose from: yes, no, view certificates

I click yes, but the error message does not disappear; no matter how many times you click yes, the error stays on the screen, preventing you from proceeding with the login.

So I click no

The Clean access agent then states "Network Error!, Detail: SSL certificate REV failed[12057]"

My only option is to click the 'close' button, so I do.

This closes down the Clean Access Agent, but the agent instantly pops back up on my screen requesting user and pass again.

I enter the correct user and pass and click login

I get a new security alert pop up that states "This page requires a secure connection which includes server authentication." "The certificate issuer for this site is untrusted or unknown. Do you wish to proceed?"

My options to click are yes, no, view certificate or more info.

I click yes, the security alert disappears and clean access now states that I have successfully logged into the network.

It refreshes my IP address and places me in the correct vlan based on the role for my username.

-------------

I have checked the event logs; all my access attempts are accepted (on the 2nd try, obviously), but there are no errors in the CAM about this SSL issue.

I do however get a red text warning on the summary page of the CAM that states the following, which I'm not sure has any impact on my issue.

'Warning: The end entity certificate issued by 'www.perfigo.com' is suited for lab environments only. You must import a third-party end entity certificate for your Clean Access Manager and Clean Access Server(s) before deploying Cisco NAC Appliance in a production environment. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages.

Warning: The current Trusted Certificate Authority 'www.perfigo.com' is suited for lab environments only. Cisco recommends importing a third-party Certificate Authority. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages.'

My questions are,

-Why won't the CAA accept the first authentication attempt?

-How do I remove the first security alert?

-How can I resolve the CCA so that I just log in once without having to click no and wait for CAA to pop up a 2nd time?

Thanks all


The basic problem is that the client cannot verify the root of the certificate for your CAS.

I'm guessing that since you still have the Perfigo warning, you have not installed a valid certificate on the CAS. If you did, you need to remove the Perfigo certificate. If you install a valid cert, you need to remove the Perfigo cert.

Once you have a valid cert installed, make sure that the client can access the root certificate server from the AUTH VLAN. That should get rid of both messages.

If you cannot provide access to the certificate server, then you cannot get rid of the second message, but you can get rid of the first message (the one that sticks you in a loop).

That message (the first one) is caused by the option to check for certificate revocation in IE being enabled. This option was disabled by default in XP but is enabled by default in Vista. The option is disabled in Internet Options > Advanced Tab > Check for server certificate revocation.

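As an added diagnostic that is not part of this thread or of the NAC Appliance product: run from a Windows host on the auth VLAN, this PowerShell script reports whether the IE "Check for server certificate revocation" option is on, pulls the CAS certificate, and builds the chain with and without online revocation checking, so you can see which of the two popups the client will hit before touching the agent. The CAS hostname and port are assumptions; replace them with your own.

```powershell
# Added diagnostic, not from the thread. Host/port are assumed values.
param(
    [string]$CasHost = "cas.lab.example",   # assumed CAS hostname or IP
    [int]$Port = 443
)

# 1. WinINet/IE setting behind the first (looping) popup on Vista:
#    CertificateRevocation = 1 means "Check for server certificate revocation" is on.
$ie = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
"Check for server certificate revocation enabled: $($ie.CertificateRevocation -eq 1)"

# 2. Fetch the server certificate without trusting anything yet
#    (the callback accepts any cert so we can inspect it ourselves).
$tcp = New-Object System.Net.Sockets.TcpClient($CasHost, $Port)
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($CasHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close(); $tcp.Close()
"Subject: $($cert.Subject)"
"Issuer:  $($cert.Issuer)"

# 3. Build the chain twice: Online = what Vista's IE does by default,
#    NoCheck = what XP did by default. Read the status flags as follows:
#    UntrustedRoot            -> second popup (lab/Perfigo issuer not trusted)
#    RevocationStatusUnknown /
#    OfflineRevocation        -> first popup / "SSL certificate REV failed[12057]"
#                                (CRL or OCSP server not reachable from this VLAN)
foreach ($mode in "Online", "NoCheck") {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::$mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    "RevocationMode=$mode -> chain valid=$ok status=[$status]"
}
```

A chain that is valid with NoCheck but reports RevocationStatusUnknown with Online confirms the answer above: the CRL/OCSP endpoint in the certificate is unreachable from the auth VLAN, so either open that path or install a certificate whose revocation endpoint the client can reach.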
