09-12-2012 10:50 PM - edited 03-10-2019 07:32 PM
Hello there.
We have installed a new temporary certificate on our CAM and CAS, but now the clients (Agents) need to be updated with the same certificate.
Every time I restart a PC it asks for the certificate and I have to accept and install the new certificate on each PC; we have 4k PCs.
Is there any way to push this certificate to all agents from the CAM?
09-13-2012 07:28 AM
Syed,
You can try to push a GPO in order to push the CAS temp certificate. Do you have an internal CA to issue the right cert?
Also, depending on what version you are on, the self-signed cert is only good for 90 days.
Thanks,
Tarik Admani
*Please rate helpful posts*
09-15-2012 09:35 PM
Thanks Tarik,
I have generated this certificate from the NAC Manager and imported it on both of the NAC Servers, but now the clients are asking for this certificate.
So I have to push this same certificate using GPO?
09-16-2012 12:15 AM
Syed,
That is one way, but it is not the best way, since you are essentially pushing a self-signed certificate and are making the design of the PKI a lot more challenging than it should be. I assume you run Active Directory (by referring to GPO)? If so, why don't you add the certificate authority role to one of your domain controllers and use autoenrollment so that all your member machines are given a certificate. Not only does this help push the root certificate out to all your clients, it helps you have an internal PKI where you can issue certs to your CAM and CAS and can use a root CA to manage the trust between these applications.
Tarik Admani
*Please rate helpful posts*
09-16-2012 12:37 AM
Dear Tarik,
We are using one of our AD servers as the CA for our organization. I tried to import the certificate issued by AD but it is not importing; the NAC server is giving me an error, "No Private Key found", etc.
Can you please guide me step by step on how to do that?
I will replace all the certificates on the NAC Server and Manager. Do I have to install new certificates issued by the CA?
If you can please tell me step by step, I shall be very thankful.
09-16-2012 01:26 AM
Dear Tarik,
The guide http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/cam48ug.pdf
is very confusing here. First it says to export a CSR and import the certificate to the server, then it says to import the PEM to the CAM?
Is it like this?
1. Export a CSR from both the CAM and the CAS, get 2 separate certificates for both, and import the corresponding certificate to each one?
Or do I have to export one certificate request from the CAS or the CAM and import the certificate issued by the CA to both of them?
09-16-2012 06:37 AM
Since these are two separate servers you will have to generate a CSR for the manager and the server.
Then export both CSRs and submit them to the CA for signing.
After this you will need to download the certificates in PEM format.
Install the root certificate in the trusted certificate authority section on both the CAS and CAM.
Install the signed certificates on the CAM and CAS.
Please make sure, if you created the CSR using a DNS name, that it is the FQDN and that it is resolvable.
Let me know if this clears your confusion.
As always please remember to rate any posts that are helpful.
Tarik Admani
09-16-2012 10:28 PM
thanks Tarik,
OK, the CA is a Windows server and there is no option to download PEM format.
2nd, what do you mean by root certificate?
This is what I have done so far.
Created CSRs from the CAS and CAM and sent them to the CA; after that they sent me both certificates and I installed them on the CAS and CAM respectively, adding the private key (editing the cert file and pasting the private key after the cert).
Now the NAC Servers are connected to the CAM and are in HA also, but the client agents are not doing any activity. It looks like the NAC Agents are disconnected, disabled or idle???
09-16-2012 11:40 PM
Dear Tarik,
Is there any clear documentation for installing the certificate on the CAM and CAS?
Just to make sure it is correct, below is the configuration I used for creating the CSR:
CN: CAM IP address
OU: NetworkSecurity
O: MOL
And in the CAS I gave the CN as the CAM IP address as well.
Please correct me if there is any mistake.
thanks.
09-18-2012 02:44 PM
Syed,
I thought I responded a long time ago. Here are the guides:
CAM -
CAS -
Thanks,
Tarik Admani
*Please rate helpful posts*
09-18-2012 09:53 PM
Dear Tarik,
I have followed the steps in the guide, still not working.
Can you please explain how to create "2. Construct a PEM-encoded X.509 certificate chain"?
09-18-2012 10:08 PM
Yes,
You will have to open your certificates with Notepad or WordPad.
Starting with the server cert, you copy and paste the intermediate and then the root cert, and then save. Then upload to the device.
Thanks,
Sent from Cisco Technical Support iPad App
09-18-2012 10:13 PM
Syed, here is a good write-up on how to do this.
http://www.digicert.com/ssl-support/pem-ssl-creation.htm
Sent from Cisco Technical Support iPad App
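The procedure Tarik lays out above (a CSR per appliance, signing by the CA, trusting the root, then building the PEM chain as server cert, intermediate, root) can be rehearsed and checked with openssl before anything is uploaded to the CAM or CAS. The script below is an added example written for this page; it is not from the thread, from Cisco's CAM/CAS guides or from the DigiCert write-up. It builds a throwaway two-tier lab CA in place of the Windows CA, issues a cert for each appliance, assembles the chain file, and runs three checks a practitioner would want: that the cert matches the private key it is uploaded with (the usual cause of a "no private key" complaint), that each cert in the chain file is followed by its issuer, and that the chain validates against the trusted root for the FQDN the clients will use. The hostnames nac-cam.example.com and nac-cas.example.com, the CA names and the OU/O values are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from this thread or Cisco's CAM/CAS guides): a throwaway
# lab that runs the certificate procedure from the thread end to end with
# openssl and checks the result before anything is uploaded. Hostnames, the
# lab CA names and the OU/O values are assumptions chosen for the example.
set -e
WORK=$(mktemp -d); cd "$WORK"

# Minimal config so the example does not depend on the system openssl.cnf.
cat > lab.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Lab CA standing in for the Windows CA: a root and an issuing (intermediate) CA.
# root.pem is the "root certificate" that goes into the trusted CA store.
openssl genrsa -out root.key 2048 2>/dev/null
openssl req -x509 -new -key root.key -config lab.cnf -extensions ca_ext \
  -subj "/CN=Lab Root CA/O=Example Org" -days 3650 -out root.pem 2>/dev/null
openssl genrsa -out inter.key 2048 2>/dev/null
openssl req -new -key inter.key -config lab.cnf \
  -subj "/CN=Lab Issuing CA/O=Example Org" -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile lab.cnf -extensions ca_ext -days 1825 -out inter.pem 2>/dev/null

# Per appliance (once for the CAM, once for the CAS): its own key, a CSR with
# the resolvable FQDN as CN (and as SAN), signed by the issuing CA.
issue_for() {  # issue_for <fqdn>  -> <fqdn>.key <fqdn>.csr <fqdn>.pem
  fqdn=$1
  openssl genrsa -out "$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$fqdn.key" -config lab.cnf \
    -subj "/CN=$fqdn/OU=NetworkSecurity/O=Example Org" -out "$fqdn.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$fqdn.ext"
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" >> "$fqdn.ext"
  openssl x509 -req -in "$fqdn.csr" -CA inter.pem -CAkey inter.key -CAcreateserial \
    -extfile "$fqdn.ext" -days 365 -out "$fqdn.pem" 2>/dev/null
}

# A Windows CA usually hands back DER (.cer) rather than PEM; convert first.
to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }  # to_pem <in.cer> <out.pem>

# The chain file: server cert first, then the intermediate, then the root.
build_chain() { cat "$1.pem" inter.pem root.pem > "$1-chain.pem"; }  # build_chain <fqdn>

# Check 1: the cert matches the private key it will be uploaded with.
key_matches_cert() {  # key_matches_cert <cert.pem> <key.pem>
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Check 2: each cert in the chain file is followed by the cert that issued it.
chain_in_order() {  # chain_in_order <chain.pem>
  rm -f chainpart-*
  n=$(awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("chainpart-" n)} END{print n+0}' "$1")
  i=1
  while [ "$i" -lt "$n" ]; do
    issuer=$(openssl x509 -in "chainpart-$i" -noout -issuer | sed 's/^issuer=[ ]*//')
    subject=$(openssl x509 -in "chainpart-$((i+1))" -noout -subject | sed 's/^subject=[ ]*//')
    [ "$issuer" = "$subject" ] || return 1
    i=$((i+1))
  done
}

# Check 3: the chain validates against the trusted root and the name in the
# cert is the FQDN the clients will connect to (second arg overrides it).
chain_verifies() {  # chain_verifies <fqdn> [<hostname-to-check>]
  openssl verify -CAfile root.pem -untrusted "$1-chain.pem" \
    -verify_hostname "${2:-$1}" "$1.pem" >/dev/null 2>&1
}

for host in nac-cam.example.com nac-cas.example.com; do
  issue_for "$host"
  build_chain "$host"
  key_matches_cert "$host.pem" "$host.key"
  chain_in_order "$host-chain.pem"
  chain_verifies "$host"
  echo "$host: $host.key and $host-chain.pem are consistent and ready to upload"
done

# Round trip through DER, as a Windows CA would deliver the cert, then re-check.
openssl x509 -in nac-cas.example.com.pem -outform der -out nac-cas.cer
to_pem nac-cas.cer nac-cas-from-der.pem
key_matches_cert nac-cas-from-der.pem nac-cas.example.com.key

# The order check rejects a bundle pasted in the wrong order (root first).
cat root.pem inter.pem nac-cam.example.com.pem > wrong-chain.pem
if chain_in_order wrong-chain.pem; then echo "order check failed to reject wrong-chain.pem"; exit 1; fi
echo "wrong-chain.pem rejected: not server -> intermediate -> root"
```

Against a real CA, replace the lab root and issuing certs with the ones exported from the Windows CA and keep only the per-appliance key, CSR and the three checks; the key must stay on the appliance it was generated on, since a cert signed for the CAM's CSR will never match the CAS's key.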
09-19-2012 02:06 AM
Hi Tarik,
I followed the steps and imported the certificates successfully; the CAM is connected to the CAS, and the CAS are in HA also.
Now I have 2 problems.
1. When an Agent PC logs in, it goes to the authentication VLAN, and after some time the NAC login window pops up; the domain user ID and password are not working, we have to put in the NAC local username and password.
2. When I log in to the NAC Manager, there is one message: "WARNING! Closed connections to peer [192.168.0.253] database! Please restart peer node to bring databases in sync!!"
Any help please?
09-22-2012 09:54 PM
Hello Tarik ??
Any update??