Beginner

NAC 4.7 CAS web login page url generation

We have had third-party certs generated for the CAS and the CAM and these have installed OK, along with the relevant root and intermediate certificates, and the CAS/CAM are communicating fine.

However, when a user is redirected to the authentication page, the URL generated is using the CN from the certificate:

https://al-nac.sitename.local.companyname.co.uk/auth/perfigo.......etc.

However, the machine cannot resolve the URL.

We cannot add DNS entries for this URL; we only administer the sitename.local domain.

Is there a way for the CAS to request the user to access a URL via an IP address?

If I requested a new certificate, but used the IP address instead of the machine name, would the authentication page be referenced by this?

Regards

Tony


6 Replies
Rising star

Re: NAC 4.7 CAS web login page url generation

Tony,

This is correct. The redirect will happen to whatever the CN is set to, so if you set the cert's CN to an IP address, the redirect will happen to that IP address.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily

Beginner

Re: NAC 4.7 CAS web login page url generation

I'll give our certificate issuer a call this morning; however, I'm sure they mentioned in the past they need a resolvable name to generate the certificate?

As when we asked for certificates for al-nam.sitename.local they were unable to generate them, hence the CN=al-nac.sitename.local.company.co.uk

Is this the same for generating certificates against IP addresses?

Regards

Tony


Re: NAC 4.7 CAS web login page url generation

Hi Tony,

Are these just for internal users?  If so, you may be better off with something like an internally generated cert (like from Microsoft CA) rather than an external one.  I don't believe they'll do IP address-based certs, either.

Thanks,

Lauren

Cisco Employee

Re: NAC 4.7 CAS web login page url generation

Hi Tony,

Most third-party CAs will not issue certificates to IP addresses because they cannot verify that you own that IP address. Same with internal domain names like it seems you may be using. They can probably only verify the domain name of "company.co.uk", so they have to issue a cert to that name space.

If your clients can't resolve that full name, then you'll likely need to set up an internal CA to issue a certificate to either the local IP address or local hostname.

Thanks,
Nate

Beginner

Re: NAC 4.7 CAS web login page url generation

Thanks for all the replies. I'm going to have to go down the route of an internal CA - another can of worms!

Many thanks

Tony

PS. Nate, this is one of your SRs

Rising star

Re: NAC 4.7 CAS web login page url generation

Tony,

Another data point which might or might not be helpful. I've had cases with customers before where DigiCert has given out certificates signed for IP addresses - so it does happen, not with all CAs though.

HTH,

Faisal

--

If you find this post helpful, please rate so others can find the answer easily