Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5497
Views
10
Helpful
8
Replies

NAC v4.7.1 - Cannot add CAS to CAM - SSL error

Go to solution
m.yost
Level 1
Level 1

‎12-28-2009 07:50 PM - edited ‎02-21-2020 03:50 AM

I have a freshly re-imaged CAM and CAS that was imaged with the v4.7.1 image.  Upon doing this, I am unable to add the CAS to the CAM.  So far, I've worked with TAC and they can't seem to figure out the issue either.

Stuff that was done after the install:

- Installed CAM and CAS licenses

-  Ensured Self-Generated SSL certificate DN point's to the IP of the respective  device (if the CAM it points to the CAM's IP....)

- Under Trusted  CA's, both CAM and CAS were missing the Perfigo entry.  Imported the  Perfigo CA entry from a different CAS that had it already.

  EMAILADDRESS=info@perfigo.com, CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US

- Both CAM and CAS point to a DNS server which has the forward and reverse DNS entries setup for the CAM and CAS

- Verified that CAM can ping CAS by IP and by hostname and FQDN

- Verified that the time on the CAM and CAS are in Sync and are correct

- Verified the secret password matches on both CAM and CAS by looking at the /root/.perfigo/secret file (/root/.perfigo/master as well) and ensuring the strings match

The logs throw the following:

Could not connect to 10.1.2.19

SSLManager: server's certificate chain verification failed CN=10.1.2.19, OU=XXX, O=XXX, L=XXX, ST=XX, C=XX:No trusted certificate found

Any ideas???

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Parminder Sian
Level 1
Level 1

‎12-28-2009 09:34 PM

Hey,

Cisco NAC Appliance Release 4.7(0) no longer contains the "www.perfigo.com" Certificate Authority in the .ISO or upgrade image. Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(0).

In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp826817

Regards,

Parminder Sian

View solution in original post

8 Replies 8

Go to solution
Parminder Sian
Level 1
Level 1

‎12-28-2009 09:34 PM

Hey,

Cisco NAC Appliance Release 4.7(0) no longer contains the "www.perfigo.com" Certificate Authority in the .ISO or upgrade image. Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(0).

In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.

http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp826817

Regards,

Parminder Sian

Go to solution
m.yost
Level 1
Level 1
In response to Parminder Sian

‎12-29-2009 06:22 AM

Yea, I figured it out about 10 minutes after I posted that.  I had seen some people post about adding the certs to the cert store on both sides, but wasn't sure how to do that.  Once I realized the people were referring to the cert store as the Trusted Certificate Authority link it all worked.

Go to solution
kysersosai
Level 1
Level 1
In response to m.yost

‎02-02-2010 05:29 AM

Hello,

I don't understand the following from the 4.7.1 NAC Rel Notes

Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(x).

1. Which local mahine

2. Where on the local machine do i get the cert

3. Do I need it perfigo root ca in the X509 store or just the Trusted

4. If i have HA pairs do i import the temp generated VIP cert or the appliance specific cert

5. Do i import both CAS into each cam and vice cersa

Sorry about all the questions but any help would be appreciated

Thank You Kindly

0 Helpful

Go to solution
rodrigo.antunes
Level 1
Level 1
In response to kysersosai

‎03-12-2010 05:47 PM

Hi,

I didn´t understand too.

I´m implementing NAC for the first time. So, i´m reading the Config Guide to have sucess in the installation. But i can´t progress because i can´t add NAS to NAM. The message "Failed to add server: Could not connect to 192.168.25.105" appears.

About the certifications, i understand that on the first contact it´s not necessary.

Do you have some news about this problem?

Thanks!!!

Rodrigo Antunes

moraes00@yahoo.com.br

rodrigoantunes.rj@gmail.com

0 Helpful

Go to solution
lacznosc
Level 1
Level 1
In response to rodrigo.antunes

‎03-13-2010 02:01 PM

I know that in NAC 4.7.0 version you must add CAM certificate to Trusted Authorities of CAS and vice-versa then you can add CAS to CAM.

The default perfigo certificate are not included in a new NAC software version.

The first connection was done by perfigo certificates in older NAC software version.

0 Helpful

Go to solution
kysersosai
Level 1
Level 1
In response to rodrigo.antunes

‎03-13-2010 04:30 PM

Not sure if you are having the same issue but mine was the firewall. Everyone tell you about adding the certs to both the CAM and the CAS. But if you have your firewall setup for v4.5  where you only needed to allow DNS access for the CAM you'll run into problems. The CAS needs DNS access.

See my post in Network Mgmt

https://supportforums.cisco.com/thread/2003289?tstart=0

Cheers

Kyser

0 Helpful

Go to solution
Faisal Sehbai
Level 7
Level 7

‎02-06-2010 09:39 PM

Hello,

Not sure what local machine you're referring to, but if you want the perfigo root certificate from which the pre-4.7 certificates were signed with, you can download it from here: http://www.employees.org/~basti/perfigoca.cer

If you plan to use certificates signed by perfigo on your CAS, then you will need to import the above mentioned certificate on your client machines connecting to that CAS so they don't get the warning messages.

Ping if you have more questions!

HTH,

Faisal

0 Helpful

Go to solution
sathappan
Level 1
Level 1

‎04-13-2010 02:34 AM

Hi,

we are also facing the same issue . please share with us on solving the issue.

with thanks

sathappan

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card