01-24-2011 12:39 PM - edited 02-21-2020 04:13 AM
Hello there,
I have implemented NAC on my network. I've deployed OOB Virtual Gateway. It used to work fine when I had version 4.6. My office relocated, where everything changed including the IP addresses we used on the LAN. During the relocation the SSL certificate also expired. Before activating NAC on the new site I decided to upgrade to the current version (4.8) and also installed new certificates (obtained from an internal Microsoft CA server). The problem is that I'm getting the security warning 'The certificate you are viewing does not match the name of the site you are trying to view'. I used the ETH0 IP of the CAS in the certificate request. Both ETH1 and ETH0 have the same IP. Any assistance please. I've tried to request the certificate again, import it and reboot the CAS, but the warning keeps on appearing to users.
regards,
Stanslaus.
01-28-2011 01:29 AM
Hi,
Are you using Hostname or IP based certificates?
If you are using hostname, have you updated the DNS entries with the new IP address?
Is the DNS resolution resolving to the expected IP address?
If you are using High Availability, did you use the VIP/hostname?
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-31-2011 12:20 AM
Hi Tiago,
I requested the certificate using the IP address and not the hostname. Also I have a standalone Server and Manager. I do not have any HA. I have tried to use the hostname to request the certificate again, but the same problem is happening. I have the hostname configured properly in our DNS and I can ping the Server using the hostname. Is there any way I can see logs on how the NAC agent is communicating to the Server (e.g. what URL is it using etc.)? I know it is using Internet Explorer but don't know how the communication is done.
regards,
Stanslaus.
01-31-2011 01:13 AM
01-31-2011 01:24 AM
Hi,
You can check the CAS logs by setting up Trace loglevel on https://cas_ip_address/admin/Monitoring > Support Logs.
Then do an authentication attempt and collect the last day logs.
The Server logs are located at \perfigo\access\tomcat\logs\nac_server.log.
If you can upload them here, we can take a look.
HTH,
Tiago
01-31-2011 04:08 AM
01-31-2011 04:16 AM
Hi,
Looks like CAS is returning "vtl-cas01.VODACOMTZ.com" as the hostname to resolve...
Can you check if this hostname is resolved by DNS to the CAS IP address?
Can you also send us the agent support logs to take a look?
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
01-31-2011 05:07 AM
Yes, that is correct. It replies with the correct IP of CAS as below:
Z:\>ping vtl-cas01.VODACOMTZ.com
Pinging vtl-cas01.VODACOMTZ.com [10.12.0.20] with 32 bytes of data:
Reply from 10.12.0.20: bytes=32 time<1ms TTL=63
Reply from 10.12.0.20: bytes=32 time<1ms TTL=63
Reply from 10.12.0.20: bytes=32 time<1ms TTL=63
Reply from 10.12.0.20: bytes=32 time<1ms TTL=63
Ping statistics for 10.12.0.20:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
Z:\>
Find the attached Client Logs as well.
regards,
Stanslaus.
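The warning quoted at the top of this thread is a reference-identity mismatch: the agent connects to the name the CAS hands it (vtl-cas01.VODACOMTZ.com), but the certificate was requested for the ETH0 IP address, so no identity in the certificate matches the name being checked. The following checker is an added example, not code from the thread or from Cisco NAC; it applies the RFC 6125 matching rules to certificates in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns. The two sample certificates are constructed for illustration (only the hostname and IP come from the thread), and the rules are the modern ones, which are stricter than the Internet Explorer behaviour of 2011 in that an IP reference is only matched against an IP Address SAN.

```python
"""Check whether a reference identity (the hostname or IP the client was told to
connect to) matches the identities carried in an X.509 certificate.

Certificates are represented the way ssl.SSLSocket.getpeercert() returns them:
  {"subject": (((attr, value),), ...), "subjectAltName": ((kind, value), ...)}
"""
import ipaddress
from typing import Dict, List, Tuple


def _san_entries(cert: dict, kind: str) -> List[str]:
    """Return all subjectAltName values of one kind ("DNS" or "IP Address")."""
    return [value for (name, value) in cert.get("subjectAltName", ()) if name == kind]


def _subject_common_names(cert: dict) -> List[str]:
    """Return every commonName attribute found in the subject DN."""
    return [value for rdn in cert.get("subject", ()) for attr, value in rdn if attr == "commonName"]


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS comparison; a wildcard is allowed only as the whole
    leftmost label and never for a bare second-level name (RFC 6125 s6.4.3)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_identities(cert: dict) -> Dict[str, List[str]]:
    """Summarise which identities the certificate actually asserts."""
    return {
        "dns": _san_entries(cert, "DNS"),
        "ip": _san_entries(cert, "IP Address"),
        "cn": _subject_common_names(cert),
    }


def matches_reference_identity(cert: dict, reference: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a reference identity against a certificate."""
    ids = certificate_identities(cert)
    try:
        ref_ip = ipaddress.ip_address(reference)
    except ValueError:
        ref_ip = None

    if ref_ip is not None:
        # An IP reference is compared only with IP Address SAN entries.
        for ip_text in ids["ip"]:
            try:
                if ipaddress.ip_address(ip_text) == ref_ip:
                    return True, f"IP Address SAN {ip_text}"
            except ValueError:
                continue
        return False, f"no IP Address SAN equals {reference} (DNS names and CN do not count)"

    if ids["dns"]:
        # When DNS SAN entries exist, the CN is ignored entirely.
        for name in ids["dns"]:
            if _dns_label_match(name, reference):
                return True, f"DNS SAN {name}"
        return False, f"no DNS SAN matches {reference}; CN ignored because DNS SANs exist"

    # Legacy fallback: CN is only consulted when the certificate has no DNS SAN.
    for cn in ids["cn"]:
        if _dns_label_match(cn, reference):
            return True, f"subject CN {cn} (legacy fallback, no DNS SAN present)"
    return False, f"neither SAN nor CN matches {reference}"


# Constructed sample certificates (hostname and IP taken from the thread; the
# certificates themselves are illustrative, not the poster's real ones).
IP_ONLY_CERT = {  # what a request made with the ETH0 IP address produces
    "subject": ((("countryName", "TZ"),), (("commonName", "10.12.0.20"),)),
    "subjectAltName": (("IP Address", "10.12.0.20"),),
}
HOSTNAME_CERT = {  # a request covering the name the CAS tells the agent to use
    "subject": ((("commonName", "vtl-cas01.VODACOMTZ.com"),),),
    "subjectAltName": (("DNS", "vtl-cas01.VODACOMTZ.com"), ("IP Address", "10.12.0.20")),
}

if __name__ == "__main__":
    for label, cert in (("IP-only cert", IP_ONLY_CERT), ("hostname cert", HOSTNAME_CERT)):
        for reference in ("vtl-cas01.VODACOMTZ.com", "10.12.0.20"):
            ok, why = matches_reference_identity(cert, reference)
            print(f"{label:14} vs {reference:24} -> {'OK  ' if ok else 'FAIL'} ({why})")
```

Running it shows the IP-only certificate passing for 10.12.0.20 and failing for vtl-cas01.VODACOMTZ.com, which is the combination the original poster hit: the certificate was valid, just not for the identity the agent checks. A certificate that lists both the DNS name and the IP as SANs satisfies either reference.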
01-31-2011 05:18 AM
Indeed,
Everything looks ok also on the client logs.
And we can see that you are able to authenticate successfully without any problem...
Can you please explain exactly where and how you are getting this warning message?
Can you send us a screenshot?
BR,
Tiago
01-31-2011 05:41 AM
The warning appears before the Client pops up (for ADSSO). See the attachment. So every time users log in they have to say yes to the alert. It doesn't matter even if you cancel it. I remember this was happening in the lab environment when we were using the certificate from Perfigo, but it cleared after we started using the CA-signed certificate from our internal CA.
Stanslaus.
01-31-2011 05:55 AM
Ok, it looks like your IE security settings are very tight.
When the agent starts it will try to discover the CAS using the discovery host, sending HTTP to the discovery host IP address.
What happens is that the CAS will spoof this communication and reply to the agent itself. It seems that this action is making your PC trigger this alarm.
I guess this is annoying...
This was first seen internally in version 4.6 and was supposed to be fixed in 4.7 and later versions.
I would advise you to open a TAC case and we can follow up with you to check if there is anything to be done on the agent or PC to get rid of this.
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.