Cisco NAC, CAM & CAS new certificate: agents need to be updated.

syedaltaf.shah
Level 1

Hello there.

We have installed a new temporary certificate on our CAM & CAS, but now the clients (agents) need to be updated with the same certificate.

Every time I restart a PC it asks for the certificate and I have to accept and install the new certificate on each PC; we have 4k PCs.

Is there any way to push this certificate to all agents from the CAM?

37 Replies

Tarik Admani
VIP Alumni

Syed,

You can try to push a GPO in order to push the CAS temp certificate. Do you have an internal CA to issue the right cert?

Also, depending on what version you are on, the self-signed cert is only good for 90 days.

Thanks,

Tarik Admani
*Please rate helpful posts*

Thanks Tarik,

I have generated this certificate from the NAC Manager and imported it on both NAC Servers, but now the clients are asking for this certificate.

So I have to push this same certificate using GPO?

Syed,

That is one way, but it is not the best way, since you are essentially pushing a self-signed certificate and are making the design of PKI a lot more challenging than it should be. I assume you run Active Directory (by referring to GPO)? If so, why don't you add the certificate authority role to one of your domain controllers and use autoenrollment so that all your member machines are given a certificate. Not only does this help push the root certificate out to all your clients, it helps you have an internal PKI where you can issue certs to your CAM and CAS and can use a root CA to manage the trusts between these applications.

Tarik Admani
*Please rate helpful posts*

Dear Tarik,

We are using one of our AD servers as the CA for our organization. I tried to import the certificate issued by the AD CA but it is not importing; the NAC server is giving me the error "No Private Key found" etc.

Can you please guide me step by step how to do that?
I will replace all the certificates on the NAC Server & Manager. Do I have to install new certificates issued by the CA?
If you can please tell me step by step, I shall be very thankful.

Dear Tarik,

The guide http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/cam48ug.pdf
is very confusing here. First it says export the CSR and import the certificate to the server, then it says import the PEM to the CAM?
Is it like this?
1. Export a CSR from both CAM & CAS, get 2 separate certificates for both, and import the corresponding certificates to each of them?

Or do I have to export one certificate request from the CAS or CAM and import the certificate issued by the CA to both of them?

Since these are two separate servers, you will have to generate a CSR for the manager and the server.

Then export both CSRs and submit them to the CA for signing.

After this you will need to download the certificate in PEM format.

Install the root certificate in the trusted certificate authority section on both the CAS and CAM.

Install the signed certificates on the CAM and CAS.

Please make sure, if you created the CSR using a DNS name, that it is the FQDN and that it is resolvable.

Let me know if this clears your confusion.

As always please remember to rate any posts that are helpful.

Tarik Admani

Thanks Tarik,

OK, the CA is a Windows server and there is no option to download PEM format.

2nd, what do you mean by root certificate?

This is what I have done so far.

Created a CSR from the CAS & CAM and sent them to the CA; after they sent me both certificates, I installed both on the CAS & CAM respectively, adding the private key (editing the cert file and pasting the private key after the cert).

Now the NAC Servers are connected to the CAM & are in HA also, but the client agents are not doing any activity. It looks like the NAC Agents are disconnected, disabled or idle. ???

Dear Tarik,

Is there any clear documentation for installing the certificate on the CAM & CAS?

Just to make it correct, below is the configuration which I used for creating the CSR:

CN: CAM IP ADDRESS

OU: NetworkSecurity

O: MOL

and in the CAS I have given the CN: CAM IP Address as well.

Please correct me if there is any mistake.

thanks.

Dear Tarik,

I have followed the steps in the guide, still not working.

Can you please explain how to create "2. Construct a PEM-encoded X.509 certificate chain"????

Yes,

You will have to open your certificates with Notepad or WordPad.

Starting with the server cert, you will copy and paste the intermediate and then the root cert, and then save. Then upload to the device.

Thanks,

Sent from Cisco Technical Support iPad App

Syed, here is a good write-up on how to do this.

http://www.digicert.com/ssl-support/pem-ssl-creation.htm

Sent from Cisco Technical Support iPad App
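Assembling the chain Tarik describes (server cert, then intermediate, then root, plus the private key the CAM import asks for) in a text editor is easy to get slightly wrong. The following is an added example, not code from this thread or from Cisco: a dependency-free Python linter that splits a PEM bundle, checks each block's BEGIN/END labels and base64, and reports whether the blocks are laid out in that order. The sample bundle is constructed with tiny placeholder DER bodies, not real certificates, and the checker is structural only (it does not verify issuer/subject linkage).

```python
import base64
import re

# One PEM block; the label after BEGIN must be repeated after END.
_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL
)


def parse_pem_bundle(text):
    """Return [(label, der_bytes), ...] in file order. Raises ValueError on a
    BEGIN/END label mismatch, bad base64, or a body that is not a DER SEQUENCE."""
    blocks = []
    for begin, body, end in _PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} closed by END {end}")
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # every X.509 cert and key is a SEQUENCE
            raise ValueError(f"{begin}: body is not a DER SEQUENCE")
        blocks.append((begin, der))
    return blocks


def check_chain_layout(text, expect_key=False):
    """Structural check of the layout described in the thread: server cert first,
    issuer certs after it, and (for the CAM import) a private key block.
    Returns a list of problems; empty means OK. Issuer/subject linkage is not
    verified here; that needs an X.509 parser."""
    labels = [label for label, _ in parse_pem_bundle(text)]
    certs = [l for l in labels if l == "CERTIFICATE"]
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    problems = []
    if not labels or labels[0] != "CERTIFICATE":
        problems.append("bundle must start with the server CERTIFICATE block")
    if len(certs) < 2:
        problems.append("no issuer (intermediate/root) cert after the server cert")
    if expect_key and not keys:
        problems.append("no PRIVATE KEY block (CAM reports 'No Private Key found')")
    return problems


# Constructed sample: each body is a 5-byte DER SEQUENCE, not a real certificate,
# laid out server cert -> intermediate -> root -> private key.
_TINY_DER_B64 = "MAMCAQE="
SAMPLE_BUNDLE = "\n".join(
    ["-----BEGIN CERTIFICATE-----", _TINY_DER_B64, "-----END CERTIFICATE-----"] * 3
    + ["-----BEGIN RSA PRIVATE KEY-----", _TINY_DER_B64, "-----END RSA PRIVATE KEY-----"]
)
```

Run `check_chain_layout(open("chain.pem").read(), expect_key=True)` on the file you are about to upload; an empty list means the blocks are present and in the expected order.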

Hi Tarik,

I followed the steps, imported the certificates successfully, the CAM connected to the CAS, and the CASs are in HA also.

Now I have 2 problems.

1. When an Agent PC logs in, it goes to the authentication VLAN, and after some time the NAC login window pops up; the domain user ID and password are not working, we have to put in the NAC local username and password.

2. When I log in to the NAC Manager there is one message: "WARNING! Closed connections to peer [192.168.0.253] database! Please restart peer node to bring databases in sync!!"

Any help please?

Hello Tarik ??
Any update??