
CA problem with NAC

Hello there,

I'm using an internal CA (Microsoft Win 2003 CA) to provide SSL certificates to NAC. The problem is that end users are still getting warnings on login to the network, the same way as when I was using the Perfigo Certificate. I've tried to install the server certificate on clients, but the CA still seems to be untrusted. Does this mean that I have to buy certificates from trusted authorities like Verisign, or is there still something I can do to my CA? Please help.

regards,

Stanslaus.

9 REPLIES

Re: CA problem with NAC

Stanslaus,

You need to take the Root certificate and install that on the clients.

HTH,

Faisal

Re: CA problem with NAC

Hi Faisal,

Thanks for your reply. See the attachment. When on clients I click on "To trust certificates issued from this certification authority, install this CA certificate." I'm not very good at setting up PKI. How do I get and install the root certificate? My CA is a Standalone Root CA.

Thanks.

Stanslaus.

Re: CA problem with NAC

Stanslaus,

If you click on that link, does it tell you to download a cert?

If so, take that file to the client and double click on it. It should install in the correct store automatically.

HTH,

Faisal

Re: CA problem with NAC

Hi Faisal,

Happy New Year 2010!!

I was on leave and had no time to work on this.

Thanks for your assistance. I had two warnings: one was that "The Certificate was not from a trusted authority" (resolved by your last reply), and the other says that "The Certificate does not match the site you are viewing". This is still persisting. Please let me know if you know the reason.

regards,

Stanslaus.

Re: CA problem with NAC

Stanslaus,

The second problem will come up if you're trying to access the device in question with a name that is different than what the cert says the name should be. For example, if your CAS is named cas1.abc.com and you try to access it with a URL consisting of the IP address for that CAS, you will see that message. Ensure that the CN you have for the certificate is what you're using to access the CAS and you shouldn't see that problem.

HTH,

Faisal

Re: CA problem with NAC

Thanks Faisal,

At the beginning I created certificate requests using the FQDN of the appliances as CN. Although I could access the appliances using FQDNs, for some reason the CAS was redirecting using the IP address. I've recreated the certificates using IPs as CNs and now it is working fine. Thank you very much for your support.

regards,

Stanslaus.
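The name check Faisal describes, and why the certificates reissued with IPs as CNs stopped the warning, shown as an added example that is not part of the thread or of any Cisco code. It is a simplified Python model of client-side name matching; the dict layout, the function names and the address 192.0.2.10 are assumptions made for illustration.

```python
import ipaddress

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _dns_match(pattern, host):
    """Case-insensitive DNS match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def host_matches_cert(host, cert, cn_fallback=True):
    """True if the name used in the URL is one the certificate covers.

    cert is a dict with optional keys 'cn', 'san_dns', 'san_ip' (hypothetical layout).
    cn_fallback=False models clients that ignore the CN and read only subjectAltName.
    """
    san_dns, san_ip = cert.get("san_dns", []), cert.get("san_ip", [])
    if _is_ip(host):
        addr = ipaddress.ip_address(host)
        if any(ipaddress.ip_address(ip) == addr for ip in san_ip):
            return True
    elif any(_dns_match(name, host) for name in san_dns):
        return True
    # Simplification: the CN is consulted only when the certificate has no SAN at all.
    if cn_fallback and not san_dns and not san_ip:
        cn = cert.get("cn", "")
        if _is_ip(host):
            return _is_ip(cn) and ipaddress.ip_address(cn) == ipaddress.ip_address(host)
        return not _is_ip(cn) and _dns_match(cn, host)
    return False

# Constructed sample certificates (192.0.2.10 is a documentation address).
FQDN_CERT = {"cn": "cas1.abc.com"}   # first attempt in the thread
IP_CERT = {"cn": "192.0.2.10"}       # reissued with the IP as CN
BOTH_CERT = {"cn": "cas1.abc.com", "san_dns": ["cas1.abc.com"], "san_ip": ["192.0.2.10"]}

def report(cert):
    """Match result for each way a user might reach the CAS."""
    return {h: host_matches_cert(h, cert) for h in ("cas1.abc.com", "192.0.2.10")}
```

A certificate whose only identity is an IP in the CN matches nothing when `cn_fallback=False`, which is how current browsers behave; listing both the FQDN and the IP as subjectAltName entries covers the redirect and direct access by name.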

Re: CA problem with NAC

Hello. Could you help on how you managed to get the Microsoft CA to issue certificates for NAC. I'm having trouble installing them in NAC and am not sure that I am requesting them correctly.

Thanks

Victor

Re: CA problem with NAC

Hi Victor,

What error are you getting during the certificate import? You need to create an X509 Certification Request (for CAS and also for CAM) under the SSL certificate section. Export the request (remember to select the Private Key also during the export of the request).

Then follow the steps in the following link:

http://technet.microsoft.com/en-us/library/cc736590%28WS.10%29.aspx

After getting the certificate follow steps to import the certificate outlined in the NAC configuration Guide.

regards,

Stanslaus.

Re: CA problem with NAC

Hello

I have managed to solve the problem. I had to convert the certificates supplied by the Microsoft CA from DER to PEM.

Victor
