NAC v4.7.1 - Cannot add CAS to CAM - SSL error

Answered Question
Dec 28th, 2009

I have a freshly re-imaged CAM and CAS that was imaged with the v4.7.1 image.  Upon doing this, I am unable to add the CAS to the CAM.  So far, I've worked with TAC and they can't seem to figure out the issue either.

Stuff that was done after the install:

- Installed CAM and CAS licenses

- Ensured the Self-Generated SSL certificate DN points to the IP of the respective device (if the CAM, it points to the CAM's IP....)

- Under Trusted CA's, both CAM and CAS were missing the Perfigo entry.  Imported the Perfigo CA entry from a different CAS that had it already.

  [email protected], CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US

- Both CAM and CAS point to a DNS server which has the forward and reverse DNS entries setup for the CAM and CAS

- Verified that CAM can ping CAS by IP and by hostname and FQDN

- Verified that the time on the CAM and CAS are in Sync and are correct

- Verified the secret password matches on both CAM and CAS by looking at the /root/.perfigo/secret file (/root/.perfigo/master as well) and ensuring the strings match

The logs throw the following:

Could not connect to 10.1.2.19

SSLManager: server's certificate chain verification failed CN=10.1.2.19, OU=XXX, O=XXX, L=XXX, ST=XX, C=XX:No trusted certificate found

Any ideas???

Correct Answer by Parminder Sian about 7 years 1 month ago

Hey,

Cisco NAC Appliance Release 4.7(0) no longer contains the "www.perfigo.com" Certificate Authority in the .ISO or upgrade image. Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(0).

In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp826817

Regards,

Parminder Sian
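The check behind the failing log line, as an added example that is not from the thread or from Cisco: two self-signed appliance certificates (constructed; 10.1.2.19 is the poster's CAS address, 10.1.2.18 a made-up CAM address) verified with openssl against a PEM bundle standing in for the Trusted Certificate Authorities list, before and after the import the answer describes.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco: reproduce the CAM-side
# chain check with openssl. Each appliance has a self-signed certificate whose
# CN is its own IP; 10.1.2.19 is the poster's CAS, 10.1.2.18 is a constructed
# CAM address.
set -e
WORK="$(mktemp -d)"

# make_self_signed NAME IP: writes NAME.key / NAME.crt, standing in for the
# appliance's self-generated certificate whose DN points at its own IP.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/C=XX/ST=XX/L=XXX/O=XXX/OU=XXX/CN=$2" >/dev/null 2>&1
}

# verify_peer STORE CERT: prints "trusted" if CERT chains to a certificate in
# STORE (a PEM bundle standing in for the Trusted Certificate Authorities
# list), otherwise "untrusted".
verify_peer() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_self_signed cam 10.1.2.18
make_self_signed cas 10.1.2.19

# The CAM's store initially holds only its own root, so the CAS certificate
# chains to nothing it trusts: the same condition as the log line
# "server's certificate chain verification failed ... No trusted certificate found".
cp "$WORK/cam.crt" "$WORK/cam-trusted.pem"
BEFORE=$(verify_peer "$WORK/cam-trusted.pem" "$WORK/cas.crt")

# The fix from the accepted answer: import the CAS root into the CAM's trusted
# store (the CAM root goes into the CAS's store the same way).
cat "$WORK/cas.crt" >> "$WORK/cam-trusted.pem"
AFTER=$(verify_peer "$WORK/cam-trusted.pem" "$WORK/cas.crt")

echo "CAS cert seen from the CAM: before import=$BEFORE, after import=$AFTER"
# prints: CAS cert seen from the CAM: before import=untrusted, after import=trusted
```

The same `openssl verify` run against a copy of the appliance's trusted bundle is a quick way to confirm the import took before retrying the add.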


m.yost Tue, 12/29/2009 - 06:22

Yea, I figured it out about 10 minutes after I posted that.  I had seen some people post about adding the certs to the cert store on both sides, but wasn't sure how to do that.  Once I realized the people were referring to the cert store as the Trusted Certificate Authority link it all worked.

kysersosai Tue, 02/02/2010 - 05:29

Hello,

I don't understand the following from the 4.7.1 NAC Rel Notes

Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(x).

1. Which local machine?

2. Where on the local machine do I get the cert?

3. Do I need the perfigo root CA in the X509 store or just the Trusted?

4. If I have HA pairs, do I import the temp generated VIP cert or the appliance specific cert?

5. Do I import both CAS into each CAM and vice versa?

Sorry about all the questions but any help would be appreciated

Thank You Kindly

kysersosai Sat, 03/13/2010 - 16:30

Not sure if you are having the same issue but mine was the firewall. Everyone tells you about adding the certs to both the CAM and the CAS. But if you have your firewall setup for v4.5 where you only needed to allow DNS access for the CAM you'll run into problems. The CAS needs DNS access.

See my post in Network Mgmt

https://supportforums.cisco.com/thread/2003289?tstart=0

Cheers

Kyser

Faisal Sehbai Sat, 02/06/2010 - 21:39

Hello,

Not sure what local machine you're referring to, but if you want the perfigo root certificate with which the pre-4.7 certificates were signed, you can download it from here: http://www.employees.org/~basti/perfigoca.cer

If you plan to use certificates signed by perfigo on your CAS, then you will need to import the above mentioned certificate on your client machines connecting to that CAS so they don't get the warning messages.

Ping if you have more questions!

HTH,

Faisal

sathappan Tue, 04/13/2010 - 02:34

Hi,

We are also facing the same issue. Please share with us how you solved it.

with thanks

sathappan
