Cisco NAC, CAM & CAS new certificate: agents need to be updated
09-12-2012 10:50 PM - edited 03-10-2019 07:32 PM
Hello there.
We have installed a new temporary certificate on our CAM & CAS, but now the clients (Agents) need to be updated with the same certificate.
Every time I restart a PC it asks for the certificate, and I have to accept and install the new certificate on each PC. We have 4k PCs.
Is there any way to push this certificate to all agents from the CAM?
- Labels: AAA
09-23-2012 12:36 AM
Thanks Tarik...
The secondary CAM came up and synced. I think the database was erased; the log says: "Peer database finished restoring. DB Connection pool to peer database is created."
It seems to be working now.
Let me try one Agent PC. I will update you.
09-23-2012 01:05 AM
Dear Tarik,
The Agent PC is still giving a popup for username and password.
Both CAM & CAS are in HA (Active & Standby) now,
and Active Directory SSO has started also.
What could be the problem now?
09-23-2012 11:10 AM
Syed,
It would be best to open a TAC case. The reason is that the client logs are encrypted and need to be decrypted by TAC to find the reason the authentication fails.
Do you see any authentication failures in the event logs from the manager? Also on the CAS can you issue a "netstat -a | grep 8910" to see if the CAS is listening on that port?
Run this command in order to verify that the CAS now listens on TCP 8910 (used for Windows SSO).
[root@cs-ccas02 ~]#netstat -a | grep 8910
tcp 0 0 *:8910 *:* LISTEN
Try to see if this is the scenario:
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml#psd
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml#sso5
http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml
Thanks,
Tarik Admani
*Please rate helpful posts*
09-23-2012 11:11 PM
Hi Tarik,
There are no failure logs, and after running the command it is showing nothing on the NAC server,
but I can telnet to port 8910 from any Agent PC.
09-23-2012 11:34 PM
Dear Tarik,
Now I can see the authentication failure log in the CAM "Event Logs":
Authentication Unable to login, [MAC Address ## IP Address] "User ID"
I cannot open a TAC case; there is a problem with the contract, and it will take some time to resolve this contract problem.
Please help me out here.
09-25-2012 09:57 PM
Dear Tarik,
Any update?
09-30-2012 12:30 AM
Dear Tarik,
After tracing the event viewer in AD, I found this error. Can you trace the problem?
The error is below.
"while processing the TGS request for the target server nacuser/moi.ae, the account getst322334@MOI.AE did not have suitable key for generating the kerberos ticket(missing key has an ID of 8) the requested etypes were 12 - 128 3 1 24 - 135. The accounts available etypes were 23- 133 -128 18 17 3 -140."
Any clue?
10-01-2012 11:42 AM
Please use a different account and follow the steps on generating a Kerberos ticket in the guide below. Also, did you add any Windows 2008 domain controllers to your domain while you were renewing the certificates on the NAC appliances?
Thanks.
Tarik Admani
*Please rate helpful posts*
