09-21-2010 07:58 AM - edited 02-21-2020 04:05 AM
We have been seeing some odd behavior with certificate validation on Mac OS X devices running the installed agent.
When a user enters their userid and password, they sometimes get an SSL cert error. If the user clicks on login multiple times, they will eventually certify and join the trusted network.
I did a packet capture of a machine that was experiencing the problem.
The packet capture showed the Mac making a DNS query for the Verisign server's IP address, and the DNS server returns the correct answer. The expected connection to the Verisign server never occurs. (The SSL cert error on the Mac shows up about now.)
If login is clicked (several times) and you go through the cycle again, eventually the connection to the Verisign server is established, the certificate is validated, and the user is placed into the trusted VLAN.
Has anybody else experienced this? Any ideas?
09-22-2010 07:28 AM
Rob,
Can you verify whether the CRL sites for Verisign are allowed in the Host traffic policies in the Unauthenticated and Temporary Roles?
Faisal
09-22-2010 07:45 AM
Hi Faisal!
They are allowed. The behavior of the problem is that the Mac never attempts to connect to the Verisign servers. No packets are leaving the Mac(s) headed toward Verisign.
(Until we click on login several times.)
Bob Slusar
Sr. Network Engineer
Enterprise Networks
OfficeMax, Inc.
(630) 864-5558
09-22-2010 08:41 AM
Rob,
That's bizarre! Can you collect a debug log from the Mac in question and post it here?
Thanks,
Faisal
09-28-2010 08:06 AM
Hi Faisal, I'm one of Bob's co-workers at OfficeMax in the Macintosh Support group. Does the CCAAgent application have a debug mode or is there already a logfile being collected somewhere? Thanks!
Robb Gibson
09-29-2010 06:59 AM
Rob,
Instructions on collecting the debugs from a Mac:
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/473rn.html#wp926582
HTH,
Faisal
--
If you find this post helpful, please rate so others can find the answer easily
10-27-2010 06:43 AM
Faisal,
I reviewed my work, including where I performed my captures. The capture I did initially was between the CAS and the outside world, our routing core.
I decided to span a port a Mac was connected to and performed another capture.
Lo and behold, the Mac was actually trying to connect to the Verisign server based on the IP address of the forward DNS lookup sent originally from the Mac.
I thought about the process, and I believe that NAC has to do a reverse lookup on the IP address so that it can compare the server name against the host filter I built to allow the traffic.
The filter was based on the forward lookup, so it was something like "ends with crl.verisign.com".
When I did a reverse lookup, I discovered most of the servers returned something like "crl.indv10.verisign.com", which of course did not match the filter I had created. Traffic blocked.
I changed the filter to just "ends with verisign.com" and it worked 95% of the time.
Why only 95%?
One of the servers had an IP address that was outside the 199.x.x.172 pattern most of them use, and it did not return a name when the reverse lookup occurred. I finally ended up adding that IP address as a filter.
No problems now.
Later!
Bob
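The diagnosis in this thread comes down to how a host-based traffic policy is evaluated: the destination IP is reverse-resolved and the PTR name is compared to an "ends with" rule, so a name like crl.indv10.verisign.com never matches "crl.verisign.com", and an address with no PTR record can only be allowed by an IP rule. The following Python model, added here as an illustration and not Cisco's or the NAC appliance's own code, walks the three policies Bob describes (original, relaxed, final) over a constructed PTR table using RFC 5737 documentation addresses. The matcher also anchors the suffix on a label boundary, which goes slightly beyond the thread: a bare "ends with verisign.com" string test would also accept a name such as notverisign.com.

```python
"""Model of a host-based traffic policy evaluated against reverse DNS.

Assumptions (constructed for this example, not the appliance's implementation):
the policy engine reverse-resolves the destination IP and compares the
PTR name to 'ends with' host rules; IP rules match the address directly.
"""
import ipaddress
from typing import Optional

# Constructed PTR table (RFC 5737 documentation addresses); a real engine
# would query DNS for these.
PTR_TABLE = {
    "203.0.113.10": "crl.verisign.com",
    "203.0.113.11": "crl.indv10.verisign.com",
    "203.0.113.12": "crl.indv5.verisign.com",
    "203.0.113.99": None,  # address with no PTR record
}


def resolve_ptr(ip: str) -> Optional[str]:
    """Return the PTR name for ip, or None when no reverse record exists."""
    return PTR_TABLE.get(ip)


def host_matches(name: str, suffix: str) -> bool:
    """'ends with' match on label boundaries: 'a.verisign.com' matches
    'verisign.com', but 'notverisign.com' does not."""
    name = name.lower().rstrip(".")
    suffix = suffix.lower().strip(".")
    return name == suffix or name.endswith("." + suffix)


def allowed(dst_ip: str, rules) -> tuple[bool, str]:
    """Evaluate a destination against an ordered rule list.

    rules: list of ("host", suffix) or ("ip", address-or-cidr) tuples.
    Returns (decision, reason) so a blocked flow can be explained.
    """
    addr = ipaddress.ip_address(dst_ip)
    ptr = resolve_ptr(dst_ip)
    for kind, value in rules:
        if kind == "ip" and addr in ipaddress.ip_network(value, strict=False):
            return True, f"ip rule {value}"
        if kind == "host" and ptr is not None and host_matches(ptr, value):
            return True, f"host rule '{value}' matched PTR {ptr}"
    reason = "no PTR record" if ptr is None else f"PTR {ptr} matched no rule"
    return False, reason


# The three policies from the thread, in the order they were tried.
ORIGINAL_POLICY = [("host", "crl.verisign.com")]
RELAXED_POLICY = [("host", "verisign.com")]
FINAL_POLICY = [("host", "verisign.com"), ("ip", "203.0.113.99")]


def evaluate(policy) -> dict:
    """Map every destination in the PTR table to its allow/block decision."""
    return {ip: allowed(ip, policy)[0] for ip in PTR_TABLE}


if __name__ == "__main__":
    for label, policy in [("original", ORIGINAL_POLICY),
                          ("relaxed", RELAXED_POLICY),
                          ("final", FINAL_POLICY)]:
        print(label)
        for ip in PTR_TABLE:
            ok, why = allowed(ip, policy)
            print(f"  {ip:14} {'ALLOW' if ok else 'BLOCK':5} {why}")
```

Running it prints one decision table per policy: only the one host whose PTR is exactly crl.verisign.com passes the original rule, the relaxed rule admits every host that has a PTR under verisign.com, and the address without a reverse record is only allowed once the explicit IP rule is added. When a host rule is used this way, checking the PTR names of the actual CRL endpoints (rather than the forward names the client resolves) is the verification step that would have caught the mismatch up front.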