5474 Views, 10 Helpful, 39 Replies

NAC 4.7

adamgibs7
Level 6

Hello friends,

When I logged in to NAC 4.7 I get this error:

Warning: Current end entity certificate has expired or is due to expire in less than 30 days.

Can anybody help me with this?

39 Replies

Faisal Sehbai
Level 7

Hi,

That means your certs are about to expire. Are you using the self-signed certs on CCA?

If so, look at this thread to generate certs that are valid for longer than the default 90-day certs. If you have CA-signed certs, talk to your CA to get the devices re-certed.

https://supportforums.cisco.com/thread/2024945?tstart=30

HTH,

Faisal

Hello Faisal,

I knew you would be the one to answer this thread; you routed me to an excellent thread. But a simple question:

openssl genrsa 1024 > NewPrivateKey.key ---------- > Is NewPrivateKey.key a command, or is it input from us? I mean to say, instead of NewPrivateKey.key can I write openssl genrsa 1024 > cisco.key?

I am asking you because I am not in front of the NAM; I am writing from home, and all these commands belong to Linux or Unix, I think.

Thanks

Hi,

NewPrivateKey.key is just a filename. You can call it cisco.key if you'd like.

HTH,

Faisal

Hello Faisal,

In your previous mail you have written:

Now you can take this NewCert.crt file and install it on the NAC devices using the GUI. Use WinSCP to copy the file.

I didn't understand the above line. Can you explain it in simple language? I have read the book, but I am very new to NAC.

Which NAC devices? I have only 1 NAM and 1 NAS. Are you speaking of copying to other NAC devices for high availability purposes, or do you mean the NAS server?

Hi,

When I wrote NAC Devices, I meant for whichever device you were preparing that cert using openssl. Keep in mind that the whole procedure is completely unrelated to NAC. You can run those openssl commands on any linux/unix box or even Windows box and then take the certificate thus generated and import it on a NAC device. If you do this on another box, you have to do one additional step though, and that is to import the same certificate in the Trusted Certificate Authorities tab also.

Faisal

Thanks for the reply, yet I wanted to confirm something more; please do reply to these:

1> According to the method you provided, finally we have a .crt file and not a .pem file, right?

2> With this key embedded in the .crt file, can I use the import feature of the CAS and CAM to import them from the GUI, or how? Since my problem, I think, is not related only to AD users; it is also associated with CAS and CAM intercommunication.

3> I tried to execute this step:

       openssl x509 -req -days 1000 -in NewCertRequest.csr -signkey NewKey.key -out NewCert.crt

but it gives me the error "no such file or directory". (Please see the attached. I copy-pasted it verbatim from your config on the forum.)

Please let me know, since in 24 hours I have to execute the task. Thanks in advance! You are a life-saver!

waiting....

Hi Faisal,

I am stuck in a situation at my client. I was using the standard Perfigo cert and it gave me the same warning as in this post, about 30 days, blah blah!

Well, on the link and over the forum I found your suggested solution in "red" about openssl and the steps.

Well, I did it and now have the following queries. Please help us and answer inline!

a> I have 1 NAM and 1 NAS; the version is the latest, 4.7.2. Do I need to execute the OpenSSL steps you described on both boxes? If both boxes, then should the NAS be done first, or what? Please explain; it will be helpful to all of us needy new NAC engineers.

b> Second question: I tried to type in the commands you gave, and while typing the openssl commands, it did not accept the command on the line where you described name.csr. I don't know why it said "no such command or directory".

c> Can you make a simple PDF document as a resource for all of us and upload it for reference, on using OpenSSL for at least a 3-year certificate for NAC boxes? (I know most of us will prefer openssl, since the openssl module comes by default with NAC 4.7.2, and a public CA will be a show-stopper for most clients during the production phase.)

Waiting with crossed fingers!

Kamran (a netizen pursuing the CCIE Security cert...)

Kamran,

I thought I had it laid out pretty clearly. Please follow the example verbatim. Only replace the CAS's name with your CAS's name or IP address and it should give you the cert at the end. If this is too difficult, please use the GUI to generate the certs, though this way they will only be valid for 90 days.

Also you should do the same procedure on the CAM and CAS. The order doesn't matter. You can do CAS or CAM first.

HTH,

Faisal


Kamran,

1) Yes. It doesn't matter much, but yes, you'll have a .crt file.

2) Yes, you can then import the NewCert.crt file from the CAM and CAS GUI.

3) Fixed the typo in the original thread. Try it again now. You had pinpointed the problem in the screencapture you took.

HTH,

Faisal

Dear Faisal,


1. I have generated the cert from the posted method, first on the CAM, and then generated another certificate on the CAS.

2. Used WinSCP to download the files to my local PC from the CAS and CAM separately.

3. Uploaded/imported, from the CAM GUI, the CAS-generated CRT file.

4. Uploaded/imported, from the CAS GUI, the CAM-generated CRT file.

5. Well, after this, rebooted the CAS.

6. Waited and logged on to the CAM to see the CCA Servers section (it shows "not connected")?

It is critical; could you please point out the mistake...

My CAM IP: 192.168.55.1

My CAS IP: 192.168.66.1

Note: As you said in the post, while generating the certificate via openssl on the CAM, I must use the CAS IP address as the common name. I did! And the same I did on the CAS: I used the CAM IP address as the common name. The rest of the fields are the same and correct.

All relevant files are attached!


Kamran ..., anxiously waiting!

Kamran,

Here's how the complete flow should be:

- Generate CAS cert on CAS

- Save it on your local machine and then install it on the CAS using the CAS admin GUI

- Reboot CAS

- Generate CAM cert on CAM

- Save it on your local machine and then install it on the CAM using the CAM admin GUI

- Reboot CAM

- Take the CAS cert and import it in the Trusted Certificate Store on the CAM. This is the second tab when you click on SSL in the CAM GUI.

- Take the CAM cert and import it in the Trusted Certificate Store on the CAS. This is the second tab when you click on SSL in the CAS GUI.

At this point the CAM and the CAS should be able to trust each other's certificates.

Now what have you done differently from the above procedure?

HTH,

Faisal
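The openssl steps Faisal refers to (key, CSR, self-signed cert with -days 1000) and the checks worth running before uploading anything to the appliances, packaged as shell functions. This is an added example, not code from this thread or from Cisco. It assumes openssl is on PATH; the two addresses are the ones Kamran posted; the O= field is a placeholder; and it uses a 2048-bit key rather than the 1024-bit key in the linked recipe, which is below current minimums. The CN of each cert is the appliance's own address (the one its peer and clients connect to, as in "replace the CAS's name with your CAS's name or IP" above). expires_within is the equivalent of the 30-day warning that opened the thread, and trusted_by shows why each side must import the other's cert into its trusted store: a self-signed cert verifies only against a copy of itself.

```shell
#!/bin/sh
# Added example, not from the thread or from Cisco. Assumes openssl on PATH.
# IPs are the ones posted in the thread; O=Example is a placeholder.
set -e

# Key + CSR + self-signed cert for one appliance, written to the current dir.
# $1 = file prefix, $2 = CN (the appliance's OWN address), $3 = validity (days).
# 2048-bit RSA: the linked recipe's 1024-bit key is below current minimums.
make_cert() {
  name="$1"; cn="$2"; days="$3"
  openssl genrsa -out "$name.key" 2048 2>/dev/null
  openssl req -new -key "$name.key" -subj "/O=Example/CN=$cn" \
    -out "$name.csr" 2>/dev/null
  openssl x509 -req -days "$days" -in "$name.csr" -signkey "$name.key" \
    -out "$name.crt" 2>/dev/null
}

# Print the subject CN of a cert, to confirm which appliance it was minted for.
# The sed handles both "CN = x" (OpenSSL 1.1+/3) and "/CN=x" (OpenSSL 1.0).
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Succeed (exit 0) if the cert has expired or will expire within $2 seconds.
# openssl -checkend exits 0 when the cert is still valid at that point, so the
# sense is flipped here. 30 days = 2592000 s, the threshold in the warning.
expires_within() {
  if openssl x509 -checkend "$2" -noout -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Succeed if $1 verifies against trust anchor $2, i.e. a peer that imported
# $2 into its trusted store would accept $1. A self-signed cert verifies only
# against a copy of itself, which is why each side imports the other's cert.
trusted_by() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Demo: one cert per appliance, CN = its own IP, 1000 days as in the thread.
work=$(mktemp -d)
cd "$work"
make_cert cas 192.168.66.1 1000
make_cert cam 192.168.55.1 1000
echo "CAS cert CN: $(cert_cn cas.crt)   CAM cert CN: $(cert_cn cam.crt)"
for f in cas.crt cam.crt; do
  if expires_within "$f" 2592000; then
    echo "$f: WARNING, expired or expires within 30 days"
  else
    echo "$f: valid for more than 30 days"
  fi
done
# Mutual trust as in the flow above: the CAM, with cas.crt in its trusted
# store, accepts the CAS cert; with only its own cam.crt there, it does not.
trusted_by cas.crt cas.crt && echo "cas.crt accepted with cas.crt as anchor"
trusted_by cas.crt cam.crt || echo "cas.crt rejected with only cam.crt as anchor"
```

Run it once on any box with openssl, then copy only the .crt and .key it produces for the matching appliance; the .csr is scratch. A cert minted with a 20-day validity would trip expires_within immediately, which is exactly what the default 90-day GUI certs do as they approach their end.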

I followed exactly the steps you mentioned, point by point, but the following are the screenshots... (I have even physically rebooted both 3310 appliances). The NAC version is 4.7.2.

Any guesses, or files that I can upload for you to see or find the error exactly?

* Please note that I have committed the following:

1. Generated the cert from the CLI via SSH to the box, on both CAS and CAM, the same way.

2. I used common name 192.168.66.1 (CAS IP) on the CAM box, and similarly used common name 192.168.55.1 (CAM IP) on the CAS box!

3. I imported the X.509 .crt locally generated on the CAM into the CAM web GUI in the SSL section, and similarly imported the X.509 .crt locally generated on the CAS into the CAS web GUI in the SSL section.

4. In the 2nd tab, Trusted Authority, I have imported the CRT of the CAS on the CAM (reverse method), and also the CRT of the CAM on the CAS box.

5. Physically rebooted both appliances. Still NOT CONNECTED! Attached are screenshots.

Kamran,

Confused about step 2 you listed. You used the CN of the CAS IP on the CAM, and the CN of the CAM IP on the CAS?

Faisal
