06-10-2010 07:08 AM - edited 02-21-2020 03:59 AM
Hello friends,
When I log in to NAC 4.7 I get this error:
Warning: Current end entity certificate has expired or is due to expire in less than 30 days.
Can anybody help me with this?
06-20-2010 11:00 AM
Yes, I did the same. Is it wrong? Is it not correct?
Well, you can see the proof in my 2 attached screenshots:
You will see exactly how I generated the certs (I generated two certs, one on the CAS and one on the CAM respectively). Please see the attached screenshots. You can see in the screenshot that I used CN: 192.168.66.1, which is my CAS IP, on the CAM box via SSH; similarly, I used CN: 192.168.55.1, which is my CAM IP, on the CAS box via SSH access.
I did not use any email address or password and simply pressed Enter.
Now, in the GUI, I launched the browser in two tabs in Internet Explorer 8.0 and did the following:
On CAM (192.168.55.1):
======================
In X.509 section :-
--------------------
* Imported CAM generated cert in this section.
In Certificate Authority:- (second tab)
---------------------------------------
* Imported CAS generated cert in this section.
On CAS (192.168.66.1):
=======================
In X.509 section :-
-----------------
* Imported CAS generated cert in this section.
In Certificate Authority:- (second tab)
---------------------------------------
* Imported CAM generated cert in this section.
After all of the above, I physically rebooted both boxes, but it still shows "NOT CONNECTED". I don't know where I went wrong...
Also, my old certs are not being removed or deleted, and it says they are in use! "Please see my previous post with old screenshots in it"
06-20-2010 02:15 PM
Kamran,
Try to generate the CAM cert on the CAM and the CAS cert on the CAS. I'm not sure why you're using the other box to generate the certs.
If this doesn't work for you, please get third party certs or use the GUI to generate certs.
Thanks,
Faisal
06-20-2010 08:18 PM
Well, sir, I have only used the CAS and CAM so far. There is no other box involved. The screenshots in my post are a CAS screenshot and a CAM screenshot showing the certs I generated. I used the same names; since both appliances are unique, I think the naming won't affect it.
I will try to do the exercise again.
Just curious, "how can I disable the active certificate? It is not deleting and says it is in use", and time validity is yes!
????
thanks.
kamran !
06-20-2010 08:51 PM
Kamran,
You don't delete the existing certificate. When you import a new one, it replaces the old one. This is true for the X509 tab.
For the Trusted Certificate Store, remove the old CAS certificate from the CAM Trusted Certificate Store, and then re-import the new CAS cert in the CAM store. Likewise, remove all the old CAM certs from the CAS Trusted Certificate Store, and then import the CAM cert in the CAS's Trusted Certificate Store.
If all of this fails, then stick with the GUI option, since I'm not sure what you're doing wrong, and TAC won't be able to help you since this is an unsupported procedure to begin with.
HTH,
Faisal
06-20-2010 09:54 PM
Ok. then I will try the whole process again.
Thanks for being there for me ....
Kamran !
(update you after this , sir ! )
06-20-2010 11:51 PM
06-21-2010 02:21 AM
Well, I have had success between CAS and CAM, but now I have another issue:
I AM FACING "a new problem now"
1> I have to update the GPO for users to use the NewCert.crt file, right? For the users to connect, right?
2> Does this solve it for the AD users? Since, as you know, we have AD integration for users...
Please let me know. NAC (CAS to CAM is showing connected now!)
Waiting for reply,
Kamran....
06-21-2010 02:30 AM
The Agent is not downloading, but CAM and CAS show connected!
06-21-2010 02:33 AM
I am facing Agent downloading issues.
What happens is as follows:
When people open a browser, they go to 192.168.66.1, which is my CAS/NAS. It gives me the option to wait or to select the redirect myself; in both cases it gives a page with nothing and reports a 500 HTTP error.
Attaching a screenshot.
06-21-2010 04:42 AM
I checked a few things and here is the error:
In the Windows title bar it says: HTTP 400 BAD REQUEST
In the URL bar, the URL automatically redirects to: https://nam/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=http%3A%2F%2F192.168.66.1%2F
Please note that I have NAM: 192.168.55.1 and NAS: 192.168.66.1
Now NAM and NAS are connected, but the Agent software is not downloading.
All of the following are working fine:
IP Filter | Started |
DHCP Forward | Started |
Active Directory SSO | Started |
06-21-2010 06:27 AM
To add more info, here is what is happening:
1. The cert status between CAS and CAM shows "Connected".
2. I can access both CAS and CAM through SSH and through the web.
Issues after the cert change:
3. The Agent software is not downloading (this is one thing I observed). I have no clue what I have to check or look for, since I only did the cert change.
4. Machines that already have the Agent can get to the authentication page, but their username/password is not working with the local user database or with Active Directory.
What are the things I should look into? Please, I know you are an expert and can let me know the quick things to look for, sir! (By the way, my 30-day cert error is gone, thanks to you), but I ran into another issue.
Anxiously waiting for you online...
Kamran ~
06-21-2010 06:48 AM
Kamran,
Did you reboot your devices after installing the certs?
Faisal
06-21-2010 06:55 AM
Sir,
I have rebooted both appliances remotely via SSH session, twice today.
Moreover, the interesting thing is, when I locally go to the CAM/NAM, go to the Auth Servers section and run an auth test for local users and for AD users, it shows "successful" in blue, but for real end users it is not working.
I have just now rebooted again, let us see...
Are there any additional settings you want me to check or look for?
TWO QUERIES:
============
* Right now we have not put the cert on the end users' machines; we are just testing with the local user account "testuser".
* Is it important, for all users to authenticate or download the Agent, that the certificate be installed on end users' PCs?
Thanks, sir. Waiting.
Kamran.
06-21-2010 06:59 AM
Kamran,
You're doing something wrong again. Why is the certificate named "NAM" on the CAS? Assuming that's just a mistake, can the end clients resolve NAM on their machines? When the redirect happens, it will try to resolve NAM and try to go to that page. So two things to confirm here:
- Can they resolve the name?
- Are they really supposed to be going to NAM?
Faisal
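The two conditions this thread keeps returning to, the 30-day expiry warning and whether a certificate's CN matches the host name in the redirect URL, can be checked from a shell with openssl. This is an added example, not part of any post above: the certificates are throwaway ones generated locally, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: throwaway certs generated locally, not the appliances' real ones.

# Redirect URL quoted in the thread.
URL='https://nam/auth/perfigo_weblogin.jsp?cm=ws32vklm&uri=http%3A%2F%2F192.168.66.1%2F'

# Host part of a URL (scheme, port, path and query stripped).
url_host() {
    printf '%s\n' "$1" | sed -e 's|^[A-Za-z]*://||' -e 's|[/:?].*$||'
}

# Subject CN of a PEM certificate.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Prints "<valid|expiring> <cn-match|cn-mismatch>" for cert $1 against URL $2.
# "expiring" means expired or due to expire within $3 days (default 30).
check_cert() {
    secs=$(( ${3:-30} * 86400 ))
    if openssl x509 -noout -checkend "$secs" -in "$1" >/dev/null 2>&1; then
        life=valid
    else
        life=expiring
    fi
    if [ "$(cert_cn "$1")" = "$(url_host "$2")" ]; then
        name=cn-match
    else
        name=cn-mismatch
    fi
    echo "$life $name"
}

# Constructed sample: self-signed cert $1 with CN $2, valid for $3 days.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/CN=$2" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_cert "$tmp/ip.pem" 192.168.66.1 20   # CN is the CAS IP, 20 days left
make_cert "$tmp/nam.pem" nam 365          # CN is the redirect host name
echo "ip.pem:  $(check_cert "$tmp/ip.pem" "$URL")"
echo "nam.pem: $(check_cert "$tmp/nam.pem" "$URL")"
```

Current TLS clients match the host name against subjectAltName entries rather than the CN; the CN comparison here mirrors how the certificates in the thread were generated.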