topic Cisco NAC, CAM & CAS New certificate. agents needs to be updated in Network Access Control

Cisco NAC, CAM & CAS New certificate. agents needs to be updated.

syedaltaf.shah — Mon, 11 Mar 2019 02:32:33 GMT

Hello there.

we have installed new temporary certificate on our CAM & CAS, but now the clients (Agents) needs to be updated with the same certificate.

every time i restart PC it asks for certificate and i have to accept and install the new certificate on each PC, we have 4k PCs.

is there anyway to push this certificate on all agents from CAM ?

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Thu, 13 Sep 2012 14:28:29 GMT

Syed,

You can try to push a GPO in order to push the CAS temp certificate. Do you have an internal CA to issue the right cert?

Also depending on what version you are on, the self signed cert is only good for 90 days.

Thanks,

Tarik Admani
*Please rate helpful posts*

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 16 Sep 2012 04:35:46 GMT

Thanks Tarik,

i have generated this certificate from NAC Manager and imported on both of NAC Servers, But now clients asking for this certificate.

So i have to push this same certificate usgin GPO?

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Sun, 16 Sep 2012 07:15:09 GMT

Syed,

That is one way but it is not the best way since you are essentially pushing a self signed certificate and are making the design of PKI a lot more challenging than it should be. I assume you run active directory (by referring to GPO)? If so, why dont you add the certificate authority role to one of your domain controllers and use autoenrollment so that all your member machines are given a certificate. Not only does this help push the root certificate out to all your clients. It helps you have an internal pki where you can issue certs to your CAM and CAS and can use a root CA to manage the trusts between these applications.

Tarik Admani
*Please rate helpful posts*

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 16 Sep 2012 07:37:07 GMT

Dear Tariq,

we are using one of our AD as CA for our organization, i tried to import the CA issued by AD but it is not importing, the NAC server is giving me error No Private Key found etc.

Can you please guide me step by step how to do that?
i will replace all the Certificates on NAC Server & Manager. do i have to install new certificates issued by CA ?
If you can polease tell me step by step shall be very thankful

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 16 Sep 2012 08:26:25 GMT

Dear Tarik,

The guide http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/cam48ug.pdf
here is v much confusing. first it says export CSR and import the Certificate to Server then it says import PEM to CAM. ?
is it like this ?
1. Export CSR from both CAM & CAS ? get 2 seperate certificates fro both ???? and import the corresponding certificates to each other ?

or i have to export one certificate request from cas or CAM and import the certificate issued by CA to both of them ?

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Sun, 16 Sep 2012 13:37:20 GMT

Since these are two separate servers you will have to generate a csr for the manager and the server.

Then export both csr and submit them the ca for signing.

After this you will need to download the certificate in pem format.

Install the root certificate in the trusted certificate authority section on both the cas and cam.

Install the signed certificates on the cam and cas.

Please make sure if you created the csr using dns name that there it is the fqdn and that it is resolvable.

Let me know if this clears your confusion.

As always please remember to rate any posts that are helpful.

Tarik Admani

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Mon, 17 Sep 2012 05:28:11 GMT

thanks Tarik,

ok, the CA is windows server and there is no option to download PAM format.

2nd what do you mean by root certificate ?

This is what i have done so far.

Created CSR from CAS & CAM and sent to CA, after they have sent me both the certificates and installed both in CAS & CAM respectively with adding the Private Key (editing the cert file and pasting the private key after the cert)

Now NAC Servers connected to CAM & are on HA Also. but client agents are not doing any activity. it looks like NAC Agents are disconnected or disable or idle. ???

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Mon, 17 Sep 2012 06:40:08 GMT

dear tarik,

is there any clear documentation for installing the certificate on CAM & CAS?

just to make it correct. below the configuration which i did for creating CSR

CN: CAM IP ADDRESS

OU: NetworkSecurity

O: MOL

and in CAS i have give the CN: CAM IP Address aswel.

please correct me if any mistake.

thanks.

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Tue, 18 Sep 2012 21:44:51 GMT

Syed,

i though i responded a long time ago. Here are the guides:

CAM -

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_admin.html#wp1078189

CAS -

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/s_admin.html#wp1040111

Thanks,

Tarik Admani
*Please rate helpful posts*

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Wed, 19 Sep 2012 04:53:28 GMT

Dear Tarik,

i have followed the steps in the guide , still not working.

can you please explain how to create """

Construct a PEM-encoded X.509 certificate chain""" ????

Re: Cisco NAC, CAM & CAS New certificate. agents needs to be upd

Tarik Admani — Wed, 19 Sep 2012 05:08:05 GMT

Yes,

You will have to open your certificates with a notepad or word pad.

Starting with server cert you will copy and paste the intermediate and then the root cert and then save. Then upload to the device.

Thanks,

Sent from Cisco Technical Support iPad App

Re: Cisco NAC, CAM & CAS New certificate. agents needs to be upd

Tarik Admani — Wed, 19 Sep 2012 05:13:12 GMT

Syed here is a good write up n how to do this.

http://www.digicert.com/ssl-support/pem-ssl-creation.htm

Sent from Cisco Technical Support iPad App

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Wed, 19 Sep 2012 05:20:02 GMT

Thanks tarik,

to summarize it. i did the following.

1. Create CSR on both CAS & CAM.(in both CSR the Domain name or IP will be CAM IP Address)

2. Export only the CSR File (Selecting the first check box) not the key for sending to CA.

3. Send both the files to CA to get Certificates.

4. after receiving the Certs from CA, edit the Certificate file in text editor (Paste the Private Key & certificate of CA) and save the file. in this way there will be 3 things in this file (Certificate (generated from CSR by CA), CA Certificate & Private key). Repeate the same for CAS & CAM.

5. Import the Certificate chain files created to CAS & CAM Respectively (means import to CAS the CAS file & to CAM the CAM file created)

Please correct me if there is something i am missing?

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Wed, 19 Sep 2012 09:06:23 GMT

Hi tarik,

i followed the steps, imported the certificates successfully, CAM connected to CAS. and CAS are in HA also.

now i have 2 problems.

1. when Agent PC logins, it goes to authentication VLAN, and after some time the NAC login window popups, the domain user id and password not working, we have to put NAC Local username and password.

2. when i login to NAC Manager. there is one message ""WARNING! Closed connections to peer [192.168.0.253] database! Please restart peer node to bring databases in sync!! """"

any help please?

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 23 Sep 2012 04:54:27 GMT

Hello Tarik ??
Any update??

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Sun, 23 Sep 2012 06:01:50 GMT

Syed,

You should not have to paste the private key in the ceritifcate. All you need to do is import the root ceritifcate in the CAM and CAS trusted CA store.

You should be able to get the certificates installed after you import the root certificate.

Thanks,

Tarik Admani
*Please rate helpful posts*

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 23 Sep 2012 06:07:06 GMT

Thanks Tarik,
Now the CAS is connected to CAM and Both CAS are in HA working. but the only problem is users are not aunthenticating with AD, when the PC restarts the user goes to unauthenticated VLAN and the NAC Popups for username and Password, when i put NAC local user and password it works, but Domain user and Password is not working. in CAM Authentication screen i can see Active Directory SSO Server "Started"

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

Tarik Admani — Sun, 23 Sep 2012 06:13:49 GMT

When you generated the certificates did you use ip address (if so did you use the VIP) if hostname (did you use the hostname only).

Before ADSSO was working just fine but after you updated the certs ADSSO doesnt work?

If you can not logn with AD credentials then that is a seperate issue and you will have to add an LDAP auth provider in the CAM and configure the user login page to set the defautl auth provide as LDAP.

Check your unauthenticated role to make sure that there arent any DC that may have been missed.

Please make sure that the certs are in the right place and the dns resolves just fine.

Tarik Admani
*Please rate helpful posts*

Cisco NAC, CAM & CAS New certificate. agents needs to be updated

syedaltaf.shah — Sun, 23 Sep 2012 06:20:23 GMT

Tarik,

Thanks again for quick reply,

ADSSO Was working fine before Certificates expired. i have generated certificate request using IP addresses.

and yes it is VIP.

the Auth Servers configured as "Active Directory SSO".

there has been nothing changed beside certificate import & exports.
what else could be the issue ?