NAC 4.7 CAS web login page url generation

tonymurphy30
Level 1

We have had third-party certs generated for the CAS and the CAM and these have installed OK, along with the relevant root and intermediate certificates, and the CAS/CAM are communicating fine.

However, when a user is redirected to the authentication page, the URL generated is using the CN from the certificate.

https://al-nac.sitename.local.companyname.co.uk/auth/perfigo.......etc.

However the machine cannot resolve the url.

We cannot add dns entries for this url, we only administer the sitename.local domain.

Is there a way for the CAS to request the user to access a URL via an IP address?

If I requested a new certificate, but use the IP address instead of the machine name, would the authentication page be referenced by this?

Regards

Tony

2 Accepted Solutions

Hi Tony,

Are these just for internal users? If so, you may be better off with something like an internally generated cert (like from Microsoft CA) rather than an external one. I don't believe they'll do IP address-based certs, either.

Thanks,

Lauren

Hi Tony,

Most third-party CAs will not issue certificates to IP addresses because they cannot verify that you own that IP address. Same with internal domain names like it seems you may be using. They can probably only verify the domain name of "company.co.uk" so they have to issue a cert to that name space.

If your clients can't resolve that full name, then you'll likely need to set up an internal CA to issue a certificate to either the local IP address or local hostname.

Thanks,
Nate

6 Replies

Faisal Sehbai
Level 7

Tony,

This is correct. The redirect will happen to whatever the CN is set to, so if you set the cert's CN to an IP address, the redirect will happen to that IP address.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

I'll give our certificate issuer a call this morning, however I'm sure they mentioned in the past they need a resolvable name to generate the certificate?

As when we asked for certificates for al-nam.sitename.local they have been unable to generate them, hence the CN=al-nac.sitename.local.company.co.uk

Is this the same for generating certificates against IP addresses?

Regards

Tony

Thanks for all the replies. I'm going to have to go down the route of an internal CA - another can of worms!

Many thanks

Tony

PS. Nate, this is one of your SR's

Tony,

Another data point which might or might not be helpful. I've had cases with customers before where DigiCert has given out certificates signed for IP addresses - so it does happen, not with all CAs though.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily
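
Added example, not part of the original thread: since the thread states the login redirect goes to whatever the certificate CN is, this check compares the host in the redirect URL with the names in the certificate the way a TLS client does (subjectAltName first; current browsers ignore the CN). The certificates are constructed samples in the dict layout of Python's `ssl.SSLSocket.getpeercert()`, `192.0.2.10` is a placeholder for the CAS address, and `check_redirect` is a hypothetical helper name.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificates in the dict layout of ssl.SSLSocket.getpeercert().
# 192.0.2.10 is a documentation address standing in for the CAS IP (assumption).
CN_HOST = {"subject": ((("commonName", "al-nac.sitename.local.companyname.co.uk"),),),
           "subjectAltName": (("DNS", "al-nac.sitename.local.companyname.co.uk"),)}
CN_IP_ONLY = {"subject": ((("commonName", "192.0.2.10"),),)}
CN_IP_WITH_SAN = {"subject": ((("commonName", "192.0.2.10"),),),
                  "subjectAltName": (("IP Address", "192.0.2.10"),)}

def _as_ip(text):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def _dns_match(pattern, host):
    """Case-insensitive label compare; '*' may stand for the leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def _name_match(value, host, host_ip):
    # IP hosts must match an address exactly; DNS hosts match label by label.
    if host_ip is not None:
        return _as_ip(value) == host_ip
    return _dns_match(value, host)

def check_redirect(url, cert):
    """Return 'san', 'cn-only' or 'mismatch' for the host in the redirect URL."""
    host = urlsplit(url).hostname
    if not host:
        return "mismatch"
    host_ip = _as_ip(host)
    wanted = "IP Address" if host_ip is not None else "DNS"
    for kind, value in cert.get("subjectAltName", ()):
        if kind == wanted and _name_match(value, host, host_ip):
            return "san"
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _name_match(value, host, host_ip):
                return "cn-only"   # accepted only by clients that still read the CN
    return "mismatch"
```

A `cn-only` result for an IP-based CN means the internal CA should also place the address in an IP subjectAltName entry, so the redirect target and the name clients validate stay the same.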
