NAC Certificate Expired

szekahungdanny
Level 1

I saw this message in my CAM:

Warning: Current and entity certificate has expired or is due to expire in less than 30 days

I know this is because the SSL certificate is about to expire, but I want to know what the result is if the certificate has expired after 30 days.

Would the CAS fail to operate?

Would the CAM fail to control the CAS?


Faisal Sehbai
Level 7

You're using temp certs more than likely. Move to signed certs to fix this. To answer your question, yes, the CAM will not be able to control the CAS if either party has an expired cert.

Posted from my mobile device.

How about the CAS? Would it immediately drop all connections?

Or could it function normally, with just the CAM failing to control the CAS?

The CAS needs to communicate with the CAM to authenticate and posture assess unauthenticated users.

Depending on how you have fallback configured on your CAS, when it loses connection with the CAM (due to the CAM's cert expiring), it will either allow all connections, no connections, or allow already authenticated connections (http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/412/cas/s_addSrvr.html#wp1098561).  By default, it will allow access only for already authenticated connections.
