Cisco NAC, CAM & CAS New certificate. agents needs to be updated.

syedaltaf.shah · ‎09-12-2012

Hello there.

we have installed new temporary certificate on our CAM & CAS, but now the clients (Agents) needs to be updated with the same certificate.

every time i restart PC it asks for certificate and i have to accept and install the new certificate on each PC, we have 4k PCs.

is there anyway to push this certificate on all agents from CAM ?

syedaltaf.shah · ‎09-23-2012

Thanks Tarik...

The Secondary CAM came up and synched, i think database was erased, the log says. Peer database finished restoring. DB Connection pool to peer database is created.

seems working now.

Let me try One Agent PC. i will update you.

syedaltaf.shah · ‎09-23-2012

Dear Tarik,

the Agent PC still giving popup for username and password.?

both CAM & CAS are in HA (Active& Standby) now.

and Active Directory SSO Started also.

what could be the problem now ?

Tarik Admani · ‎09-23-2012

Syed,

It would be best to open a TAC case. The reason is that the client logs are encrypted and needs to be decrypted by TAC to find the reason the authentication fails.

Do you see any authentication failures in the event logs from the manager? Also on the CAS can you issue a "netstat -a | grep 8910" to see if the CAS is listening on that port?

Run this command in order to verify that the CAS now listens on TCP 8910 (used for Windows SSO).

[root@cs-ccas02 ~]#netstat -a | grep 8910
   tcp        0      0 *:8910                      *:*
   LISTEN

Try to see if this is the scenario:

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml#psd

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml#sso5

http://www.cisco.com/en/US/products/ps6128/products_configuration_example09186a0080884229.shtml

Thanks,

Tarik Admani
*Please rate helpful posts*

syedaltaf.shah · ‎09-23-2012

Hi Tarik,

There are no failure logs and after running the command it is showign nothing on NAC server,

but i can telnet on port 8910 from any Agent PC.

syedaltaf.shah · ‎09-23-2012

Dear Tarik,

now i can see the Authentication Failure log in CAM "Event Logs"

Authentication  Unable to login, [MAC Address ## IP Address] "User ID"

TAC case i cannot open, problem with contract it will take soem time to resolve this contract problem.

Please help me out here.

syedaltaf.shah · ‎09-25-2012

Dear Tarik,

Any update ?

syedaltaf.shah · ‎09-30-2012

Dear Tarik,

after tracing the event viewer in AD, found this error. can you trace the problem ?

below the error.

"while processing teh TGS request for the target server nacuser/moi.ae, the account getst322334@MOI.AE did not have suitable key for generating the kerberos ticket(missing key has an ID of 8) the requested etypes were 12 - 128 3 1 24 - 135. The accounts available etypes were 23- 133 -128 18 17 3 -140."""

any clue ?

Tarik Admani · ‎10-01-2012

Please use a different account and follow the steps on generating a kerberos ticket in this guide below. Also did you add any windows 2008 domain controllers in your domain while you were renewing the certificates on the NAC appliances?

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1115961

Thanks.

Tarik Admani
*Please rate helpful posts*

NAC: CAM Offline Update Procedure

Doc - Domina el Flujo de Paquetes en Cisco ACI: Casos Prácticos y Estrategia

Uso de memoria TCAM y CAM en los Routers y Switchs

Umbrella: SWG と Certificate Pinning の関係性について

3.7 Certificate Services