NAC 4.7.2 (OOB VGW) Mac certificate validation slow

Robert Slusar
Level 1

We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.

When a user enters their userid and password, they sometimes will get an SSL cert error. If the user clicks on login multiple times they will eventually certify and join the trusted network.

I did a packet capture of a machine that was experiencing the problem.

The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)

If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated and the user is placed into the trusted VLAN.

Has anybody else experienced this? Any ideas?

7 Replies

Faisal Sehbai
Level 7

Rob,

Can you verify whether the CRL sites for Verisign are allowed in the Host traffic policies in the Unauthenticated and Temporary Roles?

Faisal

Hi Faisal!

They are allowed. The behavior of the problem is that the Mac never attempts to connect to the Verisign servers. No packets are leaving the Mac(s) headed toward Verisign.

(Until we click on login several times.)

Bob Slusar

Sr. Network Engineer

Enterprise Networks

OfficeMax, Inc.

(630) 864-5558

Rob,

That's bizarre! Can you collect a debug log from the Mac in question and post it here.

Thanks,

Faisal

Hi Faisal, I'm one of Bob's co-workers at OfficeMax in the Macintosh Support group. Does the CCAAgent application have a debug mode or is there already a logfile being collected somewhere? Thanks!

Robb Gibson

Rob,

Instructions on collecting the debugs from a Mac:

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/473rn.html#wp926582

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

Attached is the event.log file from ~/Library/Application Support/Cisco Systems/CCAAgent folder. This Mac was unable to connect to the NAC server with repeated VeriSign certification errors. I was able to log into the NAC server through the web client.

Faisal,

I reviewed my work, including where I performed my captures. The capture I did initially was between the CAS and the outside world - our routing core.

I decided to span a port a Mac was connected to and performed another capture.

Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address from the forward DNS lookup sent originally from the Mac.

I thought about the process and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.

The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".

When I did a reverse lookup I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.

I changed the filter to just "ends with verisign.com" and it worked 95% of the time.

Why only 95%?

One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.

No problems now.

Later!

Bob
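The failure mode Bob describes above, modelled as a small Python script. This is an added example, not Cisco NAC code and not anything posted in the thread: the appliance's real matching logic is not shown on the page, so the script simply reproduces the observed behavior (destination IP is reverse-resolved, the PTR name is compared against "ends with" host filters, and a destination with no PTR record can only pass an IP-based rule). The PTR table and the 192.0.2.x addresses are constructed sample data standing in for the real Verisign CRL servers; label-boundary matching in `ends_with_domain` is my choice, since the page does not say whether the appliance checks label boundaries.

```python
"""Model of a reverse-lookup-based host traffic policy (constructed example).

Not Cisco NAC code.  Reproduces the behaviour described in the thread:
outbound traffic is allowed only if the destination IP reverse-resolves to
a name matching an "ends with" host filter, or if an IP rule covers it.
"""
import ipaddress
import socket

# Constructed PTR table standing in for real DNS answers (sample data, not
# Verisign's actual records).  The last entry has no PTR record, like the
# one CRL server Bob had to allow by IP address.
PTR_TABLE = {
    "192.0.2.10": "crl.verisign.com",
    "192.0.2.11": "crl.indv10.verisign.com",
    "192.0.2.12": "crl.indv11.verisign.com",
    "192.0.2.13": None,
}


def reverse_lookup(ip, ptr_table=PTR_TABLE):
    """Return the PTR name for ip from the table, or None when there is none."""
    return ptr_table.get(ip)


def live_reverse_lookup(ip):
    """Real PTR lookup for auditing a production filter (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def ends_with_domain(name, suffix):
    """'Ends with' match on whole DNS labels (my assumption, see lead-in).

    'crl.indv10.verisign.com' ends with 'verisign.com' but not with
    'crl.verisign.com'; 'evilverisign.com' does not end with 'verisign.com'.
    """
    name = name.lower().rstrip(".")
    suffix = suffix.lower().rstrip(".")
    return name == suffix or name.endswith("." + suffix)


def host_policy_allows(dst_ip, suffix_rules, ip_rules=(), ptr_table=PTR_TABLE):
    """Decide whether traffic to dst_ip passes the role's host traffic policy.

    Returns (allowed, reason).  IP rules are checked first because they need
    no DNS; host filters can only match when a PTR record exists.
    """
    addr = ipaddress.ip_address(dst_ip)
    for rule in ip_rules:
        if addr in ipaddress.ip_network(rule, strict=False):
            return True, f"ip rule {rule}"
    name = reverse_lookup(dst_ip, ptr_table)
    if name is None:
        return False, "no PTR record; host filters cannot match"
    for suffix in suffix_rules:
        if ends_with_domain(name, suffix):
            return True, f"{name} ends with {suffix}"
    return False, f"{name} matches no host filter"


def evaluate(suffix_rules, ip_rules=(), ptr_table=PTR_TABLE):
    """Run the policy over every CRL server address; returns {ip: allowed}."""
    return {ip: host_policy_allows(ip, suffix_rules, ip_rules, ptr_table)[0]
            for ip in ptr_table}


if __name__ == "__main__":
    scenarios = [
        ("original filter", ["crl.verisign.com"], []),
        ("widened filter", ["verisign.com"], []),
        ("widened filter + IP rule", ["verisign.com"], ["192.0.2.13/32"]),
    ]
    for label, suffixes, ips in scenarios:
        print(label)
        for ip in PTR_TABLE:
            ok, why = host_policy_allows(ip, suffixes, ips)
            print(f"  {ip:<12} {'ALLOW' if ok else 'BLOCK'}  {why}")
```

Running the script shows the three stages of the thread: the original "ends with crl.verisign.com" filter allows only the one server whose PTR is exactly crl.verisign.com, widening it to "verisign.com" picks up the crl.indvNN.verisign.com names, and the server without a PTR record still needs an explicit IP rule. To audit a real filter, resolve the CRL hostname forward, feed each returned address to `live_reverse_lookup` (or `dig -x`), and confirm every PTR name satisfies the suffix rule; any address with no PTR must be allowed by IP.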
