Failover NAC Server with CA cert - Help

Hi everybody.

I have worked on NAC projects, but recently, working with failover, I have some doubts.

In easy-to-understand terms, what exactly are the steps to configure failover with certificates generated by a CA?

1 - CA to be the domain?

Let's take an easy example:
I Have CAS01 (real ip) and CAS02 (real IP)

2 - On CAS01 I access the tab "X509 Certification Request" and generate a CSR with the information:

CN = CAS.domain; CAS = (ip service)

3 - I selected the private key + certificate request and clicked Export (save) = CSR.pem. The certificate request generated by CAS01 is imported to the CA, which will generate the certificate.cert (based on the CSR and the private key of CAS01).

4 - After the file certificate.cert in hand, I care for this CAS01 (X509 Certificate tab) + root.cert (CA = certificate of Trusted Certificate Authorities tab).

5 - I'll do the failover configurations in this tab to complete steps in CAS01.

------------------------------------------CAS02 ----------------------------------------

Now come the questions:

According to documentation, I use the same certificate+privatekey and care for the CAS02.
But when I do this, I get a message like "private key not found".

In other cases, when I exported the certificate + private key (CAS01 - X509 Certificate tab) and imported them to CAS02, CAS02 took the IP Service and both CAS01 and CAS02 were inaccessible. What is the correct way when using certificates generated by a CA?



Can you describe in detail the process on CAS02?
Is there anything incorrect on CAS01?

1 REPLY

Re: Failover NAC Server with CA cert - Help

Tiago,

Please review this document first: http://bit.ly/aGr7bw

In case of CA signed certificates, you would follow the same procedure. The only difference is that before you start installing the certificate, make sure that the root certificate from the CA is installed in the Trusted Certificate Authorities of both the CASs. Once that is in place, generate the cert from one CAS, and then install the pvk+cert on both.

HTH,

Faisal
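
One way to confirm, before importing on CAS02, that the exported private key is the one inside certificate.cert and that the certificate chains to root.cert (an added example, not part of the original thread or of Cisco's documentation). It assumes the exported files are PEM and are checked with the openssl CLI on an admin workstation; cas.key and other.key are hypothetical file names, and the CA and key pair are constructed test data.

```shell
#!/bin/sh
# Added example. cas.key, other.key and the CA are constructed test data.

fingerprint() {            # $1 = PEM public key text; fails if empty
    [ -n "$1" ] || return 1
    printf '%s\n' "$1" | openssl dgst -sha256 | awk '{print $NF}'
}
# SHA-256 over the public key held in a private key file / in a certificate.
key_fingerprint()  { fingerprint "$(openssl pkey -in "$1" -pubout 2>/dev/null)"; }
cert_fingerprint() { fingerprint "$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)"; }

key_matches_cert() {       # $1 = private key, $2 = certificate
    k=$(key_fingerprint "$1") || return 1
    c=$(cert_fingerprint "$2") || return 1
    [ "$k" = "$c" ]
}

chains_to_root() {         # $1 = root.cert, $2 = certificate.cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check_pair() {             # $1 = key, $2 = certificate, $3 = root
    key_matches_cert "$1" "$2" || { echo "MISMATCH: key is not the one in the certificate"; return 1; }
    chains_to_root "$3" "$2"   || { echo "UNTRUSTED: certificate does not chain to root"; return 1; }
    echo "OK"
}

make_sample() {            # $1 = work dir; builds a constructed CA and CAS pair
    ( cd "$1" &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out root.cert \
          -subj "/CN=Constructed Test CA" -days 1 &&
      openssl req -new -newkey rsa:2048 -nodes -keyout cas.key -out CSR.pem \
          -subj "/CN=CAS.domain" &&
      openssl x509 -req -in CSR.pem -CA root.cert -CAkey ca.key -CAcreateserial \
          -out certificate.cert -days 1 &&
      openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out other.key
    ) >/dev/null 2>&1
}

work=$(mktemp -d)
if make_sample "$work"; then
    check_pair "$work/cas.key"   "$work/certificate.cert" "$work/root.cert"
    check_pair "$work/other.key" "$work/certificate.cert" "$work/root.cert" || true
fi
rm -rf "$work"
```

The fingerprints are hashes of the public key only, so the values computed for the files on CAS01 and on CAS02 can be compared without moving the private key again.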
