12-28-2009 07:50 PM - edited 02-21-2020 03:50 AM
I have a freshly re-imaged CAM and CAS that was imaged with the v4.7.1 image. Upon doing this, I am unable to add the CAS to the CAM. So far, I've worked with TAC and they can't seem to figure out the issue either.
Stuff that was done after the install:
- Installed CAM and CAS licenses
- Ensured the self-generated SSL certificate DN points to the IP of the respective device (for the CAM it points to the CAM's IP, and so on)
- Under Trusted CA's, both CAM and CAS were missing the Perfigo entry. Imported the Perfigo CA entry from a different CAS that had it already.
EMAILADDRESS=info@perfigo.com, CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US
- Both CAM and CAS point to a DNS server which has the forward and reverse DNS entries setup for the CAM and CAS
- Verified that CAM can ping CAS by IP and by hostname and FQDN
- Verified that the time on the CAM and CAS is in sync and is correct
- Verified the secret password matches on both CAM and CAS by looking at the /root/.perfigo/secret file (/root/.perfigo/master as well) and ensuring the strings match
The logs throw the following:
Could not connect to 10.1.2.19
SSLManager: server's certificate chain verification failed CN=10.1.2.19, OU=XXX, O=XXX, L=XXX, ST=XX, C=XX:No trusted certificate found
Any ideas???
12-28-2009 09:34 PM
Hey,
Cisco NAC Appliance Release 4.7(0) no longer contains the "www.perfigo.com" Certificate Authority in the .ISO or upgrade image. Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(0).
In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.
http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/47/47rn.html#wp826817
Regards,
Parminder Sian
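The cross-import described in the answer above, as an added example that is not code from the original thread or from Cisco: two self-signed certificates stand in for the CAM's and CAS's self-generated certificates (the subjects and IPs are constructed, with 10.1.2.19 taken from the log line in the question), each appliance starts with an empty trusted-CA list because the 4.7 image no longer ships the Perfigo CA, and openssl verify plays the role of the appliance's trust check. Before the import the CAS certificate fails verification against the CAM's store, which is the "No trusted certificate found" condition; after each root is appended to the other side's store, both directions verify.

```shell
#!/bin/sh
# Reproduce the CAM/CAS trust-store failure with self-signed certificates and
# fix it by importing each side's certificate into the other's trusted-CA list.
# Everything here (names, subjects, file layout) is constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_self_signed NAME SUBJECT: writes $WORK/NAME.key and $WORK/NAME.pem,
# standing in for the appliance's "self-generated" certificate whose CN is its IP.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "$2" >/dev/null 2>&1
}

# trusted_by TRUSTFILE CERT: prints "ok" when CERT chains to a root in TRUSTFILE,
# "untrusted" otherwise (the appliance logs the latter as "No trusted certificate found").
trusted_by() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo untrusted
  fi
}

make_self_signed cam "/C=US/ST=CA/L=Example/O=Example/OU=NAC/CN=10.1.2.10"
make_self_signed cas "/C=US/ST=CA/L=Example/O=Example/OU=NAC/CN=10.1.2.19"

# Fresh 4.7 appliances: trusted-CA lists without the old Perfigo CA (empty here).
: > "$WORK/cam-trusted.pem"
: > "$WORK/cas-trusted.pem"

# CAM tries to validate the CAS certificate with nothing in its store.
BEFORE=$(trusted_by "$WORK/cam-trusted.pem" "$WORK/cas.pem")

# Import the CAS root into the CAM's trusted store and vice versa.
cat "$WORK/cas.pem" >> "$WORK/cam-trusted.pem"
cat "$WORK/cam.pem" >> "$WORK/cas-trusted.pem"

AFTER=$(trusted_by "$WORK/cam-trusted.pem" "$WORK/cas.pem")
REVERSE=$(trusted_by "$WORK/cas-trusted.pem" "$WORK/cam.pem")

echo "CAM trusts CAS before import: $BEFORE, after import: $AFTER"
echo "CAS trusts CAM after import: $REVERSE"
```

The same check can be run on a real pair by exporting the certificate from each appliance's SSL page and verifying it with openssl against the other side's exported trusted-CA list; a self-signed certificate only verifies when that exact certificate is present in the store, which is why both directions of the import are needed.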
12-29-2009 06:22 AM
Yea, I figured it out about 10 minutes after I posted that. I had seen some people post about adding the certs to the cert store on both sides, but wasn't sure how to do that. Once I realized the people were referring to the cert store as the Trusted Certificate Authority link it all worked.
02-02-2010 05:29 AM
Hello,
I don't understand the following from the 4.7.1 NAC Release Notes:
Administrators requiring the "www.perfigo.com" CA in the network must manually import the CA from a local machine following installation or upgrade to Release 4.7(x).
1. Which local machine?
2. Where on the local machine do I get the cert?
3. Do I need the Perfigo root CA in the X509 store or just the Trusted one?
4. If I have HA pairs, do I import the temp generated VIP cert or the appliance-specific cert?
5. Do I import both CASs into each CAM and vice versa?
Sorry about all the questions, but any help would be appreciated.
Thank You Kindly
03-12-2010 05:47 PM
Hi,
I didn't understand either.
I'm implementing NAC for the first time, so I'm reading the Config Guide to have success in the installation. But I can't progress because I can't add the NAS to the NAM. The message "Failed to add server: Could not connect to 192.168.25.105" appears.
About the certificates, I understand that on the first contact they're not necessary.
Do you have some news about this problem?
Thanks!!!
Rodrigo Antunes
03-13-2010 02:01 PM
I know that in NAC version 4.7.0 you must add the CAM certificate to the Trusted Authorities of the CAS and vice versa; then you can add the CAS to the CAM.
The default Perfigo certificates are not included in the new NAC software version.
The first connection was done with the Perfigo certificates in older NAC software versions.
03-13-2010 04:30 PM
Not sure if you are having the same issue, but mine was the firewall. Everyone tells you about adding the certs to both the CAM and the CAS. But if you have your firewall set up for v4.5, where you only needed to allow DNS access for the CAM, you'll run into problems. The CAS needs DNS access.
See my post in Network Mgmt
https://supportforums.cisco.com/thread/2003289?tstart=0
Cheers
Kyser
02-06-2010 09:39 PM
Hello,
Not sure what local machine you're referring to, but if you want the Perfigo root certificate with which the pre-4.7 certificates were signed, you can download it from here: http://www.employees.org/~basti/perfigoca.cer
If you plan to use certificates signed by perfigo on your CAS, then you will need to import the above mentioned certificate on your client machines connecting to that CAS so they don't get the warning messages.
Ping if you have more questions!
HTH,
Faisal
04-13-2010 02:34 AM
Hi,
We are also facing the same issue. Please share with us how you solved it.
With thanks,
sathappan