NAC 4.7

Unanswered Question
Jun 10th, 2010

Hello friends,

When I logged in to NAC 4.7 I get these errors:

Warning: Current end entity certificate has expired or is due to expire in less than 30 days.

Can anybody help me with this?

adamgibs7 Thu, 06/10/2010 - 13:24

Hello Faisal,

I knew you would be the one who would answer this thread; you routed me to an excellent thread. But I have a simple question:

openssl genrsa 1024 > NewPrivateKey.key ----------> NewPrivateKey.key: is this a command or is this input from us? I mean to say, instead of NewPrivateKey.key can I write openssl genrsa 1024 > cisco.key?

I'm asking you because I'm not in front of the NAM; I'm writing from home, and all these commands belong to Linux or Unix, I think.

Thanks

Faisal Sehbai Thu, 06/10/2010 - 14:17

Hi,

NewPrivatekey.key is just a filename. You can call it cisco.key if you'd like.

HTH,

Faisal

adamgibs7 Fri, 06/11/2010 - 12:38

Hello Faisal,

In your previous mail you have written:

Now you can take this NewCert.crt file and install it on the NAC devices using the GUI. Use WinSCP to copy the file.

I didn't understand the above line. Can you explain the above line in simple language? I have read the book but I'm very new to NAC.

Which NAC devices???? I have only 1 NAM and 1 NAS. Are you speaking of copying to other NAC devices for high availability purposes, or do you mean the NAS server?

Faisal Sehbai Fri, 06/11/2010 - 20:02

Hi,

When I wrote NAC Devices, I meant for whichever device you were preparing that cert using openssl. Keep in mind that the whole procedure is completely unrelated to NAC. You can run those openssl commands on any linux/unix box or even Windows box and then take the certificate thus generated and import it on a NAC device. If you do this on another box, you have to do one additional step though, and that is to import the same certificate in the Trusted Certificate Authorities tab also.

Faisal

game123 Sat, 06/12/2010 - 20:06

Thanks for the reply, yet I wanted to confirm something more; please do reply to them:

1> According to the method you provided, finally we have a .crt file and not a .pem file? Right???

2> With this key embedded in the crt file, can I use the import feature of the CAS and CAM to import them from the GUI, or how? Since my problem, I think, is not related only to AD users; it is also associated with CAS-to-CAM intercommunication.

3> I tried to execute this step:

       openssl x509 -req -days 1000 -in NewCertRequest.csr -signkey NewKey.key -out NewCert.crt

but it gives me the error "no such file or directory". (Please see the attached. I COPY PASTED DITTO from your config on the forum.)

Please let me know, since in 24 hrs I have to execute the task. Thanks in advance!!! You are a life-saver!

waiting....

game123 Sat, 06/12/2010 - 11:19

Hi Faisal,

I am stuck with a situation at my client.... I was using the standard Perfigo cert and it gave me the same warning as this message post, of 30 days, blah blah!!!

Well, on the link and over the forum I found your suggested solution in "red" about openssl and the steps....

Well, I did it and got the following queries now???? Please help us and answer inline...!

a> I have 1 NAM and 1 NAS; the version is the latest, 4.7.2. Do I need to execute the OPENSSL steps you described on both the boxes? If both the boxes, then should the NAS be typed first, or what? Please explain; it will be helpful to all of us needy new NAC engineers.....

b> Second question: I tried to type in the commands you said, and while typing the openssl blah blah commands, it didn't accept the command in the line where you described name.csr???? I don't know why it said "no such command or directory"!!!!

c> Can you make a simple PDF document as a resource for all of us and upload it for reference on using OPENSSL for at least a 3-year certificate for NAC boxes... (I know most of us will prefer openssl, since the openssl module comes by default with NAC 4.7.2, and since a public CA will be a show stopper for most clients during the production phase.)

Waiting with crossed fingers!!!!

Kamran (A Netizen pursuing the CCIE Sec cert...)

Faisal Sehbai Sat, 06/12/2010 - 11:36

Kamran,

I thought I had it laid out pretty clearly. Please follow the example verbatim. Only replace the CAS's name with your CAS's name or IP address and it should give you the cert at the end. If this is too difficult, please use the GUI to generate the certs, though this way they will be only valid for 90 days.

Also you should do the same procedure on the CAM and CAS. The order doesn't matter. You can do CAS or CAM first.

HTH,

Faisal

Faisal Sehbai Sun, 06/13/2010 - 05:06

Kamran,

1) Yes. It doesn't matter much, but yes, you'll have a .crt file.

2) Yes, you can then import the NewCert.crt file from the CAM and CAS gui

3) Fixed the typo in the original thread. Try it again now. You had pinpointed the problem in the screencapture you took.

HTH,

Faisal

game123 Sat, 06/19/2010 - 08:45

Dear Faisal,

1. I have generated the cert from the posted method, first on the CAM, and then generated another certificate on the CAS, respectively.

2. Used WinSCP and downloaded the files to my local PC from the CAS and CAM separately...

3. Uploaded/imported from the CAM GUI the CAS-generated CRT file.

4. Uploaded/imported from the CAS GUI the CAM-generated CRT file.

5. Well, after this, rebooted the CAS.

6. Waited and logged on to the CAM to see the CCA Servers section. (Shows "not connected") ???

It is critical; could you please point out the mistake...

My CAM IP: 192.168.55.1

My CAS IP: 192.168.66.1

Note: As you said in the post, while generating the certificate via openssl on the CAM, I must use the CAS IP address as common name. I did!!!! And the same I did on the CAS: I used the CAM IP address as common name. The rest of the fields are the same and correct.

All relevant files are attached!!!!

Kamran..., anxiously waiting!

Faisal Sehbai Sat, 06/19/2010 - 15:49

Kamran,

Here's how the complete flow should be:

- Generate CAS cert on CAS

- Save it on your local machine and then install it on the CAS using the CAS admin GUI

- Reboot CAS

- Generate CAM cert on CAM

- Save it on your local machine and then install it on the CAM using the CAM admin GUI

- Reboot CAM

- Take the CAS cert and import it in the Trusted Certificate Store on the CAM. This is the second tab when you click on SSL in CAM GUI

- Take the CAM cert and import it in the Trusted Certificate Store on the CAS. This is the second tab when you click on SSL in CAS GUI

At this point the CAM and the CAS should be able to trust each other's certificates.

Now what have you done differently from the above procedure?

HTH,

Faisal

game123 Sun, 06/20/2010 - 00:08

I followed exactly the steps you mentioned, point by point, but following are screenshots... (I have even physically rebooted both the 3310 appliances). NAC version is 4.7.2.

Any guesses, or files that I can upload for you to see or find the error exactly?

* Please note that I have committed the following:

1. Generated the cert from the CLI via SSH to the box on both the CAS and CAM, the same way...

2. I used common name 192.168.66.1 (CAS IP) on the CAM box, and similarly used common name 192.168.55.1 (CAM IP) on the CAS box!

3. I imported the X.509 crt locally generated on the CAM to the CAM web GUI in the SSL section, and similarly imported the X.509 crt locally generated on the CAS to the CAS web GUI in the SSL section.

4. In the 2nd tab, Trusted Authority, I have imported the CRT of the CAS on the CAM (reverse method), and also the CRT of the CAM on the CAS box, respectively....

5. Physically rebooted both the appliances. Still NOT CONNECTED!!! Attached are screenshots.

Faisal Sehbai Sun, 06/20/2010 - 10:20

Kamran,

Confused about step 2 you listed. You used the CN of the CAS IP on the CAM, and the CN of the CAM IP on the CAS?

Faisal

game123 Sun, 06/20/2010 - 11:00

Yes, I did the same. Is it wrong? Is it not correct?

Well, you can see the proof with my attached 2 screenshots:

You will see exactly how I have generated the certs!!!! (I generated two certs, one on the CAS and one on the CAM, respectively.) Please see the screenshots attached. You can see in the screenshot I have used CN: 192.168.66.1, which is my CAS IP, on the CAM box via SSH; similarly I have used CN: 192.168.55.1, which is my CAM IP, on the CAS box via SSH access.

I have not used any email address or password and simply pressed enter.

Now, in the GUI, I launched the browser in two tabs in Internet Explorer 8.0 and did the following:

On CAM (192.168.55.1):
======================

In X.509 section:
-----------------
* Imported CAM-generated cert in this section.

In Certificate Authority (second tab):
--------------------------------------
* Imported CAS-generated cert in this section.

On CAS (192.168.66.1):
======================

In X.509 section:
-----------------
* Imported CAS-generated cert in this section.

In Certificate Authority (second tab):
--------------------------------------
* Imported CAM-generated cert in this section.

After all of the above, rebooted both the boxes physically; still SHOWS "NOT CONNECTED"..... !!!! I don't know where I went wrong...

Also my old certs are not removing or deleting; it says "in use"! Please see my previous post with the old screenshots in it.

Faisal Sehbai Sun, 06/20/2010 - 14:15

Kamran,

Try to generate the CAM cert on the CAM and the CAS cert on the CAS. I'm not sure why you're using the other box to generate the certs.

If this doesn't work for you, please get third party certs or use the GUI to generate certs.

Thanks,

Faisal

game123 Sun, 06/20/2010 - 20:18

Well, sir, I have only used the CAS and CAM so far. There is no other box involved. The screenshots of my post have a CAS screenshot and a CAM screenshot showing the certs I generated. I used the same names, since both appliances are unique, so I think naming won't affect it.

I will try to do the exercise again.

Just curious: "how can I disable the active certificate? It is not deleting and says it is in use," and time validity is yes!

????

Thanks.

Kamran!

Faisal Sehbai Sun, 06/20/2010 - 20:51

Kamran,

You don't delete the existing certificate. When you import a new one, it replaces the old one. This is true for the X509 tab.

For the Trusted Certificate Store, remove the old CAS certificate from the CAM Trusted Certificate Store, and then re-import the new CAS cert in the CAM store. Likewise, remove all the old CAM certs from the CAS Trusted Certificate Store, and then import the CAM cert in the CAS's Trusted Certificate Store.

If all of this fails, then stick with the GUI option, since I'm not sure what you're doing wrong, and TAC won't be able to help you since this is an unsupported procedure to begin with.

HTH,

Faisal

game123 Sun, 06/20/2010 - 21:54

Ok. then I will try the whole process again.

Thanks for being there for me ....

Kamran !

(update you after this , sir ! )

game123 Mon, 06/21/2010 - 02:21

Well, I have got success between the CAS and CAM, but now I have another issue:

I AM FACING "a new problem now"

1> I have to update the GPO for users to use the NewCert.crt file? Right? For the users to connect, right!!!!

2> Does this solve the AD users? Since, as you know, we have AD integration for users....?

Please let me know.. NAC (CAS to CAM) is showing connected now!

Waiting for reply,

Kamran....

game123 Mon, 06/21/2010 - 02:30

The agent is not downloading....... but the CAM and CAS show connected!!!

game123 Mon, 06/21/2010 - 02:33

I am facing AGENT downloading issues:

What happens is as follows:

When people open the browser, they go to 192.168.66.1, which is my CAS/NAS..... It gives me the option to wait or select myself to redirect; in both cases... it gives a page with nothing and reports an HTTP 500 error.....

Attaching a screenshot.

game123 Mon, 06/21/2010 - 04:42

I checked a few things and here is the error:

In the Windows title bar it says: HTTP 400 BAD REQUEST

In the URL window, the URL redirects automatically to: https://nam/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=http%3A%2F%2F192.168.66.1%2F

Please note that I have NAM: 192.168.55.1 and NAS: 192.168.66.1

Now the NAM and NAS are connected, but the agent software is not downloading....

All of the following are working fine:

IP Filter: Started
DHCP Forward: Started
Active Directory SSO: Started

game123 Mon, 06/21/2010 - 06:27

To add more info:

Here is what is happening:

1. CERT between the CAS and CAM shows "Connected".

2. I can access both the CAS and CAM through SSH and through the web.

Issues after the CERT:

3. Agent software is not downloading (this is 1 thing I observed)? I have no clue what I have to check or see for????? Since I only did the CERT thingy....

4. Those machines that already have the agent can go to the authentication page, but their username/password is not working with the local user database or with Active Directory????

What are the things I should look into???? Please, I know you are an expert and can let me know the quickies to look for.. sir!!!! (BTW, my cert error of 30 days is gone, thanks to you), but I ran into another issue?????

Anxiously waiting for you online...

kamran ~

game123 Mon, 06/21/2010 - 06:55

Sir,

I have rebooted both the appliances remotely via an SSH session..... twice today.

Moreover, the interesting thing is, when I locally go to the CAM/NAM and go to the Auth Servers section and take an auth test, for local users and for AD users, it goes "successful" in blue color... but for real end-users it is not working....????

I have just now rebooted again; let us see...

Any additional settings you want me to see or look for?

TWO QUERIES:
============

* Right now we have not put the cert on the end-users; just testing with the local user account "testuser".

* Is it important that, for all users to authenticate or download the agent, the certificate must be installed on the end-users' PCs???

Thanks, sir.. waiting.

Kamran.

Faisal Sehbai Mon, 06/21/2010 - 06:59

Kamran,

You're doing something wrong again. Why is the certificate named "NAM" on the CAS? Assuming that's just a mistake, can the end clients resolve NAM on their machines? When the redirect happens, it will try to resolve NAM and try to go to that page. So two things to confirm here:

- Can they resolve the name?

- Are they really supposed to be going to NAM?

Faisal

game123 Mon, 06/21/2010 - 07:43

Well, you pointed out the right thing. Well, on the DNS we have entries like 192.168.55.1 to nam and 192.168.66.1 to nas,

so end users can ping nam and nas respectively with names and with IP addresses also.

If my cert is wrong, then how can I have 192.168.55.1 (nam) and 192.168.66.1 (nas) connected!

I know something went wrong between the NAS and NAM connectivity, but even before, redirection was supposed to take place, right....

Yes, we still didn't put the NewCert.crt file (that was downloaded from the NAM) in the users' trusted root certificates... my friend has just done it, and we can only check tomorrow....

If you think we should not use the nam or nas names, then I will regenerate the certs and use IPs instead of names...

Can you please read all of my points above and correct where I am wrong, please! That would be very kind of you... sir...

Kamran.

* I have imported the NAM (192.168.55.1) details in a .rar file and also the NAS (192.168.66.1) details as well.

* Do I have to import to users only the NAM NewCert.crt file? Right!!!! It should be OK with this, right? Please confirm.

ahmed.gadi Sun, 06/12/2011 - 17:49

Faisal,

Can you please tell me what you mean by "install it on the CAS and then import it in the Trusted Certificate Store on the CAM"?

- Generate CAS cert on CAS

- Save it on your local machine and then install it on the CAS using the CAS admin GUI

- Reboot CAS

- Take the CAS cert and import it in the Trusted Certificate Store on the CAM. This is the second tab when you click on SSL in CAM GUI

Regards

Ahmed...

game123 Mon, 06/21/2010 - 07:47

Well, another query is: while I play with certificates, will my configuration of the NAM and NAS stay as it is, or will it be deleted!!! Can you please confirm? I am running 4.7.2.

game123 Mon, 06/21/2010 - 08:07

Well, following your idea, I tried to swap the name from nam to nas in the URL field, and the page of Salaah Methanol for authentication came before me..!!!!

I think this is good, right?

Well, but how to fix it?? I am too much perplexed since my cert has finally got "connected" and I tried the same procedure, then how come things went wrong???

Sir,

I have 1 NAM (192.168.55.1) appliance + 1 NAS (192.168.66.1) appliance.

I did the same steps of openssl that you defined on both the boxes, and even got connected.

How is this redirection giving an error? How to fix it, sir... even after this page, I am not proceeding.... so definitely something went wrong again in the certs.

Guide me please..... I know it is difficult for you to give 1 man so much time, but really, I value it and I am lucky to get assistance from you like this...

?????

Waiting... crossed fingers!

game123 Mon, 06/21/2010 - 08:19

Sir,

If you can point out any of the screenshots that is wrong, please let me know....

If you pinpoint some errors or changes to be made, let me know.... I have taken 3 screenshots of the SSL section of the NAM and 2 screenshots of the NAS.

I am sure if you can highlight the things that should look different or need change, I will be able to understand, since I have tried making openssl already, so there will be no problem in the commands, but I want to know the error... please see my attached pictures... they are the latest screenshots...!!!!

My MGR IP: 192.168.55.1

My SVR IP: 192.168.66.1

Kamran.....!

Faisal Sehbai Mon, 06/21/2010 - 11:24

Kamran,

So from the screenshots it seems that on the CAM you have a certificate with the CN of NAS, and on the CAS you have a certificate installed with the CN of NAM.

Key question is if on the client you do a nslookup NAS, what IP is returned? If it's the IP of the NAM, then this is wrong. If it returns the IP of the NAS and you're still not getting redirected, then problem lies somewhere else.

You're overly complicating this. The NAM cert should go on the NAM and in the Trusted Cert Store on the NAS. The NAS cert should go on the NAS, and the Trusted Cert Store on the NAM. NAS should resolve to NAS's IP, and NAM should resolve to NAM's IP. Currently you have it inverted.

Faisal
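
The complete flow Faisal lays out above (generate each appliance's cert on that appliance, install it in the X.509 tab, reboot, then cross-import into the peer's Trusted Certificate Store), the old-certificate cleanup he describes for the Trusted Certificate Store, and the inverted-CN mistake he diagnoses just above can all be checked offline with openssl before anything is uploaded to an appliance. The script below is an added example and is not code from this thread, from Faisal or from Cisco: the hostnames cam.example.test and cas.example.test, the 2048-bit key size (the thread uses 1024), the file names and the function names are all assumptions of mine. The three openssl steps are the same ones the thread uses (genrsa, req -new, x509 -req -signkey).

```shell
#!/bin/sh
# Added example (not from this thread or Cisco): the CAM/CAS self-signed
# certificate flow expressed as shell functions so each step can be checked.
# Assumptions: cam.example.test / cas.example.test are placeholder hostnames,
# 2048-bit keys instead of the thread's 1024, and openssl is on the PATH.
# Nothing here touches a NAC appliance; it only builds and checks files in a
# temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME CN DAYS: the thread's three steps (genrsa, req -new,
# x509 -req -signkey) with one consistent key filename, so -signkey finds the
# key. A mismatched key name gives exactly "no such file or directory".
make_self_signed() {
  name=$1; cn=$2; days=$3
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
    -subj "/O=NAC Lab/CN=$cn" 2>/dev/null
  openssl x509 -req -days "$days" -in "$WORK/$name.csr" \
    -signkey "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
}

# cert_cn FILE: print the subject CN, i.e. the name clients must resolve to
# this device's IP (Faisal's "nslookup NAS" check is done on the client).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/.*CN=\([^,]*\).*/\1/'
}

# peer_trusts CERT STORE_CERT: succeed if CERT verifies against a trust store
# holding only STORE_CERT. This is what the peer's Trusted Certificate Store
# tab does when the two appliances connect: with self-signed certs, only the
# exact certificate that was imported will verify.
peer_trusts() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# expires_within CERT SECONDS: succeed if CERT expires within SECONDS
# (the "due to expire in less than 30 days" warning that started the thread).
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# check_pair CAM_CRT CAS_CRT CAM_NAME CAS_NAME: the end state Faisal describes.
# Each cert must carry its own device's name (not the peer's, the inverted
# setup that broke the redirect above), and each device must verify the
# peer's cert from its own store.
check_pair() {
  cam_crt=$1; cas_crt=$2; cam_name=$3; cas_name=$4
  [ "$(cert_cn "$cam_crt")" = "$cam_name" ] ||
    { echo "CAM cert CN is '$(cert_cn "$cam_crt")', expected '$cam_name'"; return 1; }
  [ "$(cert_cn "$cas_crt")" = "$cas_name" ] ||
    { echo "CAS cert CN is '$(cert_cn "$cas_crt")', expected '$cas_name'"; return 1; }
  # CAM store holds cas.crt and is shown cas.crt; CAS store holds cam.crt
  # and is shown cam.crt.
  peer_trusts "$cas_crt" "$cas_crt" && peer_trusts "$cam_crt" "$cam_crt"
}

# Generate the certs the way the flow says: CAM cert named for the CAM, CAS
# cert named for the CAS, plus a constructed short-lived "old" CAS cert to
# show why a stale entry in the CAM's Trusted Certificate Store must be removed.
make_self_signed cam cam.example.test 1000
make_self_signed cas cas.example.test 1000
make_self_signed cas_old cas.example.test 10

check_pair "$WORK/cam.crt" "$WORK/cas.crt" cam.example.test cas.example.test &&
  echo "correct layout: CAM and CAS trust each other"
check_pair "$WORK/cas.crt" "$WORK/cam.crt" cam.example.test cas.example.test ||
  echo "inverted layout rejected (each cert carries the peer's name)"
peer_trusts "$WORK/cas.crt" "$WORK/cas_old.crt" ||
  echo "new CAS cert is not verified while only the old CAS cert is in the CAM store"
expires_within "$WORK/cas_old.crt" $((30 * 86400)) &&
  echo "cas_old.crt expires within 30 days: the warning from the first post"
```

Run it with `sh` on any Linux or Unix box with openssl installed; it needs no NAC appliance. Two points it makes concrete: the commands quoted earlier in the thread use two different key names (NewPrivateKey.key and NewKey.key), and a mismatch like that is one way to get the "no such file or directory" error reported above; and because the certs are self-signed, the peer's Trusted Certificate Store must hold the exact new certificate, which is why the old one has to be removed and the new one re-imported.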

game123 Mon, 06/21/2010 - 23:21

U rock !

LOOKS GREAT NOW ! CONFIGS ALSO STAYED........and even AGENT now downloading...I WILL CONTINUE TRYING FOR 1 MORE DAY AND UPDATE YOU .....

Faisal Sehbai Wed, 06/23/2010 - 12:05

Kamran,

The NAS cert, or in your case, whatever cert you have installed on your NAS (since you had a cert called NAM installed on the NAS)

HTH,

Faisal

game123 Sat, 06/26/2010 - 01:27

I have exported the x.509 cert chain.pem from the NAS and given it to Shoaib (customer administrator on site) to push it via 2008 AD GPO to users; he will let me know soon. Thanks for the tip!

Well, my CCIE lab exam is in Sept 2010..
