On Cisco’s network security solutions Web page, you’ll find the following list of Cisco technologies, all of which play a part in the complete Cisco NAC solution:
Advanced Services for Network Security
Cisco Security Agent (CSA)
Cisco Security Monitoring, Analysis and Response System (MARS)
Cisco Trust Agent 2.0 (CTA)
Cisco Secure Access Control Server for Windows (ACS)
Cisco Secure Access Control Server Solution Engine (ACS)
CiscoWorks Interface Configuration Manager (ICM)
CiscoWorks Security Information Management Solution (CW-SIMS)
Cisco VPN 3000 Series Concentrators
Cisco Unified Wireless Network
Cisco Catalyst switches
Cisco NAC Appliance
The single most popular piece of the Cisco NAC solution has been the Cisco NAC Appliance. As the name suggests, Cisco NAC Appliance is an appliance-based solution that offers fast deployment, policy management, and enforcement of security policies.
With the Cisco NAC Appliance, you can opt for an in-band or out-of-band solution. The in-band solution is for smaller deployments. As your network grows into a larger campus environment, you may not be able to keep the in-band design. In that case, you can move to the out-of-band deployment scenario.
Here are some advantages of the Cisco NAC Appliance:
Identity: At the point of authentication, the Cisco NAC Appliance recognizes users, as well as their devices and their role in the network.
Compliance: Cisco NAC Appliance also takes into account whether machines are compliant with security policies or not. This includes enforcing operating system updates, antivirus definitions, firewall settings, and antispyware software definitions.
Quarantine: If the machines attempting to gain access don’t meet the policies of the network, the Cisco NAC Appliance can quarantine these machines and bring them into compliance (by applying patches or changing settings), before releasing them onto the network.
How to fix Certificate errors on the CAM/CAS after upgrade to 4.1.6
Version 4.1.6 of Cisco NAC Appliance was released on July 31st.
This release was mainly a bug fix release, but did include a security enhancement that encrypts all traffic between the CAS and CAM using SSL. Below is a copy of a document that will be posted to Cisco.com soon. Just wanted to get it out there now to possibly help some folks. Sorry that the formatting isn't coming across as well as I hoped, but this should just be temporary until it gets published.
This document describes how to fix certificate errors on the CAM/CAS with version 4.1.6. These errors will be found in either /perfigo/logs/perfigo-redirect.log0.log.0 or /perfigo/logs/perfigo-log0.log.0. An example of one of the errors is below:
SEVERE: RMISocketFactory:Creating RMI socket failed to host 10.1.20.10:sun.security.validator.ValidatorException: Certificate chaining error
Aug 1, 2008 1:41:22 PM com.perfigo.wlan.web.admin.ConnectorClient connect
SEVERE: Communication Exception : java.rmi.ConnectIOException: Exception creating connection to: 10.1.20.10; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Certificate chaining error
These errors are a result of security enhancements made in 4.1.6. In 4.1.6, the CAS and CAM both act as client and server to each other, and require that they trust each other. This results in each requiring the root and intermediate certificates of the other. For example, if the CAS has a Verisign certificate and the CAM has a Perfigo (temporary) certificate, then both the CAS and CAM would need the Verisign chain (root and intermediates) and the Perfigo root.
1. First, back up any installed certificates that are not temporary certificates.
a) On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate.
b) Choose 'Export CSR/Private Key/Certificate' from the drop down.
c) Click 'Export' next to Currently Installed Certificate and save this file.
d) Click 'Export' next to Currently Installed Private Key and save this file.
2. After the backup, if the CAS and CAM are not already using temporary certificates, generate them.
a) On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate. On the CAS, go directly to the web interface via https://<CAS IP>/admin, then go to Administration > SSL > X509 Certificate.
b) Choose 'Generate Temporary Certificate' from the drop down.
c) Fill out the fields listed and click 'Generate'. NOTE - This no longer requires a reboot to take effect.
3. Next, remove all Trusted Certificate Authorities from the CAS and CAM. This will make them easier to manage and improve security.
a) On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
b) Create a filter to exclude the Perfigo certificate. Click the drop down 'Add filter...' and choose 'Distinguished Name'. Change the drop down 'contains' to 'contains not' and type 'Perfigo', then click 'Filter'.
c) Drop down the number 10 next to Delete Selected and choose 100.
d) Check the box right below the number, which selects all CAs in the list, and click 'Delete Selected'.
e) It will then show the other 50+ CAs. Check the box again and click 'Delete Selected'.
4. After removing all of the Certificate Authorities, the root and intermediate certificates need to be imported.
a) On the CAM, go to Administration > CCA Manager > SSL > Trusted Certificate Authorities. On the CAS, go to Administration > SSL > Trusted Certificate Authorities.
b) Click on the 'Browse' button and choose the Root Certificate first. The subject and issuer should be set to the same value.
c) Click Import, and the CA should appear in the list below.
d) Perform the same procedure for any intermediate certificates.
5. Install the CAS and CAM certificates backed up in the first step.
a) On the CAM, open the web interface and go to Administration > CCA Manager > SSL > X509 Certificate. On the CAS, go directly to the web interface via https://<CAS IP>/admin, and then go to Administration > SSL > X509 Certificate.
b) Choose 'Import Certificate' from the drop down.
c) Click 'Browse' and choose the certificate saved from step 1, then click 'Upload'.
d) Click 'Browse' again and choose the private key that was saved from step 1. On the file type drop down choose 'Private Key' and then click 'Upload'.
e) Now click 'Verify and Install Uploaded Certificates'.
NOTE: There is one error message that will not be fixed by these procedures. If the logs contain the following message, the certificate provider will need to be contacted, and the certificate will need to be reissued with the Netscape Cert Type field set to both SSL Server and SSL Client.
SEVERE: SSLFilter:access deniedCN=cas1.domain.com, OU=Information Technologies, O=Company, ST=State, C=US:Netscape cert type does not permit use for SSL client
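The two conditions behind these errors (each box must trust the peer's root and intermediates, and the certificate's Netscape Cert Type must allow SSL client use) can be checked with the openssl CLI before anything is imported through the GUI. The script below is an added example, not part of the Cisco document: it builds throwaway certificates that mirror the scenario in the text (a CAS certificate issued behind an intermediate, a CAM with a self-signed temporary certificate), and the hostnames, organisation names and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the Cisco document): rebuild the 4.1.6 trust
# scenario with throwaway openssl certificates. All names are placeholders.
set -e
WORK=$(mktemp -d); cd "$WORK"   # left in place so the files can be inspected

# issue PREFIX SUBJECT EXTENSIONS [ISSUER-PREFIX]   (no issuer = self-signed)
issue() {
  printf '%b\n' "$3" > "$1.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ -z "$4" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
      -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" \
      -CAcreateserial -days 1 -extfile "$1.ext" -out "$1.crt" 2>/dev/null
  fi
}

# verify_chain LEAF TRUSTSTORE: the check behind "Certificate chaining error"
verify_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# permits_ssl_client CERT: the check behind "does not permit use for SSL client"
permits_ssl_client() {
  openssl x509 -in "$1" -noout -text | sed -n '/Netscape Cert Type/{n;p;}' | grep -q 'SSL Client'
}

CA='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
issue root  '/O=Example/CN=Example Root CA'         "$CA"
issue inter '/O=Example/CN=Example Intermediate CA' "$CA" root
# CAS certificate issued for server use only, then reissued as the final NOTE requires
issue cas       '/CN=cas1.example.com' 'basicConstraints=CA:FALSE\nnsCertType=server' inter
issue cas_fixed '/CN=cas1.example.com' 'basicConstraints=CA:FALSE\nnsCertType=server,client' inter
# CAM temporary certificate: self-signed, so it is its own root (like the Perfigo cert)
issue cam '/O=Perfigo/CN=cam1.example.com' 'nsCertType=server,client'

# Trusted Certificate Authorities as each box holds them before and after step 4
cat cam.crt > cam_trust_before.pem;            cat cam.crt root.crt inter.crt > cam_trust_after.pem
cat root.crt inter.crt > cas_trust_before.pem; cat root.crt inter.crt cam.crt > cas_trust_after.pem

for t in 'cas.crt cam_trust_before.pem' 'cas.crt cam_trust_after.pem' \
         'cam.crt cas_trust_before.pem' 'cam.crt cas_trust_after.pem'; do
  if verify_chain $t; then echo "chain ok:   $t"; else echo "chain FAIL: $t"; fi
done
for c in cas.crt cas_fixed.crt; do
  if permits_ssl_client "$c"; then echo "client ok:  $c"; else echo "client FAIL: $c (server only)"; fi
done
```

Against a real export, run verify_chain with the peer's certificate and a PEM bundle of everything in your own Trusted Certificate Authorities list, and permits_ssl_client with the certificate exported in step 1.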