I have a freshly re-imaged CAM and CAS that were imaged with the v4.7.1 image. Upon doing this, I am unable to add the CAS to the CAM. So far, I've worked with TAC and they can't seem to figure out the issue either.
Stuff that was done after the install:
- Installed CAM and CAS licenses
- Ensured the self-generated SSL certificate DN points to the IP of the respective device (if the CAM, it points to the CAM's IP...)
- Under Trusted CAs, both CAM and CAS were missing the Perfigo entry. Imported the Perfigo CA entry from a different CAS that had it already.
- Both CAM and CAS point to a DNS server which has the forward and reverse DNS entries set up for the CAM and CAS
- Verified that CAM can ping CAS by IP and by hostname and FQDN
- Verified that the time on the CAM and CAS is in sync and is correct
- Verified the secret password matches on both CAM and CAS by looking at the /root/.perfigo/secret file (/root/.perfigo/master as well) and ensuring the strings match
The logs throw the following:
Could not connect to 10.1.2.19
SSLManager: server's certificate chain verification failed CN=10.1.2.19, OU=XXX, O=XXX, L=XXX, ST=XX, C=XX:No trusted certificate found
Cisco NAC Appliance Release 4.7(0) no longer contains the "www.perfigo.com" Certificate Authority in the .ISO or upgrade image. Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(0).
In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.
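The mutual-trust requirement above can be reproduced offline with the openssl CLI. This is an added example, not part of the original thread or Cisco's tooling: two throwaway self-signed certificates stand in for the CAM and CAS, plain PEM bundles stand in for their trusted stores, and the function names, file names and 192.0.2.x addresses are all constructed.

```shell
#!/usr/bin/env bash
# Constructed demo: PEM files in a temp dir model each appliance's certificate
# and trusted store. Nothing here talks to a real CAM or CAS.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed certificate, as a freshly imaged appliance would have.
new_appliance() {  # $1 = name, $2 = CN (the appliance IP)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
  cp "$WORK/$1.pem" "$WORK/$1.trust.pem"  # each box starts out trusting only itself
}

# Import the peer's root (for a self-signed cert, the cert itself) into a store.
import_root() {  # $1 = appliance doing the import, $2 = peer
  cat "$WORK/$2.pem" >> "$WORK/$1.trust.pem"
}

# Does appliance $1 accept the certificate presented by appliance $2?
accepts() {
  openssl verify -CAfile "$WORK/$1.trust.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# The CAM-CAS channel needs verification to succeed in both directions.
channel_state() {
  if accepts cam cas && accepts cas cam; then echo established
  elif accepts cam cas || accepts cas cam; then echo one-way-only
  else echo no-trust
  fi
}

new_appliance cam 192.0.2.10
new_appliance cas 192.0.2.19
echo "fresh install:            $(channel_state)"
import_root cam cas
echo "CAS root imported on CAM: $(channel_state)"
import_root cas cam
echo "roots imported both ways: $(channel_state)"
```

The middle state is the one to watch for: importing a certificate on only one appliance still leaves the other side rejecting its peer's chain, which surfaces as a "No trusted certificate found" style failure.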