NAC CA agent SSL error

Postby Guest » Mon Jan 01, 2007 4:43 pm


Currently running

CAM: 4.5.0 lite

Current Windows Clean Access Agent Version:        4.5.0.0

Current Windows Clean Access Agent Patch Version:      4.5.0.0

Current Macintosh Clean Access Agent Version:      4.5.0.0

Current Cisco NAC Web Agent Version:      4.5.0

(The clean access windows agent installed on the host laptop (Vista Enterprise) is version 4.5.1.0)

CAS mode: L2 OOB virtual GW

The setup is in lab conditions for a proof of concept.

The following scenario happens every time a new authentication is attempted from a vista host running the clean access agent.

-------------

I plug the host into the nac controlled switch port

I receive an ip address through my auth vlan and dhcp pool

Cisco clean access agent pops up on screen as per normal

I enter my user and pass and click login

I get a "security alert" pop up stating "Revocation information for the security certificate for this site is not available. Do you want to proceed?"

There are 3 buttons to choose from: yes, no, view certificates

I click yes, but the error message does not disappear... no matter how many times you click yes... the error stays on the screen, preventing you from proceeding with the login.

So I click no

The Clean access agent then states "Network Error!, Detail: SSL certificate REV failed[12057]"

My only option is to click 'close' button so I do

This closes down the clean access agent but the agent instantly pops back up on my screen requesting user and pass again.

I enter the correct user and pass and click login

I get a new security alert pop up that states "This page requires a secure connection which includes server authentication." "The certificate issuer for this site is untrusted or unknown, Do you wish to proceed?"

My options to click are, yes, no, view certificate or more info

I click yes, the security alert disappears and clean access now states that I have successfully logged into the network.

It refreshes my IP address and places me in the correct vlan based on the role for my username.

-------------

I have checked the event logs, all my access attempts are accepted, (on the 2nd try obviously), but there are no errors in the CAM about this SSL issue.

I do however get a red text warning on the summary page of the CAM that states the following, which I'm not sure has any impact on my issue.

'Warning: The end entity certificate issued by 'www.perfigo.com' is suited for lab environments only. You must import a third-party end entity certificate for your Clean Access Manager and Clean Access Server(s) before deploying Cisco NAC Appliance in a production environment. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages.

Warning: The current Trusted Certificate Authority 'www.perfigo.com' is suited for lab environments only. Cisco recommends importing a third-party Certificate Authority. Please check your Clean Access Server(s) and standby Clean Access Manager for similar messages.'

My questions are,

-Why won't the CAA accept the first authentication attempt?

-How do I remove the first security alert?

-How can I resolve the CCA so that I just log in once without having to click no and wait for CAA to pop up a 2nd time?

Thanks all

Guest
 

Re:NAC CA agent SSL error

Postby Guest » Mon Jan 01, 2007 5:10 pm


The basic problem is that the client cannot verify the root of the certificate for your CAS. 

I'm guessing that since you still have the perfigo warning that you have not installed a valid certificate on the CAS.  If you did, you need to remove the perfigo certificate.  If you install a valid cert, you need to remove the Perfigo cert.

Once you have a valid cert installed, make sure that the client can access the root certificate server from the AUTH VLAN.  That should get rid of both messages.

If you cannot provide access to the certificate server, then you cannot get rid of the second message, but you can get rid of the first message (the one that sticks you in a loop).

That message (the first one) is caused because the option to check for the certificate revocation in IE has been enabled.  This option was disabled by default in XP but is enabled by default in Vista.  The option is disabled in Internet Options > Advanced Tab > Check for server certificate revocation.

Guest
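
A client-side diagnostic for the two alerts discussed in this thread, as an added example that is not part of the original posts: it reads the per-user revocation setting, lists the CRL/OCSP URLs in the certificate the CAS presents (the hosts that must be reachable from the AUTH VLAN), and builds the chain with online revocation checking. The host name `cas.example.test`, port 443 and the parameter names are assumptions.

```powershell
# Added example. $CasHost and $Port are placeholders for your Clean Access Server.
param([string]$CasHost = 'cas.example.test', [int]$Port = 443)

# 1. Per-user IE/WinINet setting behind "Check for server certificate revocation"
#    (1 = enabled, 0 = disabled).
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$rev = (Get-ItemProperty -Path $key).CertificateRevocation
"CertificateRevocation = $rev"

# 2. Fetch the certificate the CAS presents. The callback accepts any certificate
#    because this connection is only used to read it, not to send credentials.
$acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($CasHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
try {
    $ssl.AuthenticateAsClient($CasHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}
"Subject = $($cert.Subject)"
"Issuer  = $($cert.Issuer)"

# 3. URLs from the CRL Distribution Points (2.5.29.31) and Authority Information
#    Access (1.3.6.1.5.5.7.1.1) extensions: what the client tries to fetch.
$oids = '2.5.29.31', '1.3.6.1.5.5.7.1.1'
$urls = @($cert.Extensions |
    Where-Object { $oids -contains $_.Oid.Value } |
    ForEach-Object { [regex]::Matches($_.Format($true), 'URL=(\S+)') } |
    ForEach-Object { $_.Groups[1].Value })
if (-not $urls) { 'No CRL/OCSP URLs in this certificate.' }
foreach ($u in $urls) {
    try   { [System.Net.WebRequest]::Create($u).GetResponse().Close(); "fetch ok:     $u" }
    catch { "fetch failed: $u ($($_.Exception.Message))" }
}

# 4. Build the chain with online revocation checking, as a client with the
#    revocation option enabled does, and print every status flag raised.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
"Chain valid = $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) { "{0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
```

A status of `RevocationStatusUnknown` or `OfflineRevocation` corresponds to the first alert (the revocation failure reported as 12057), and `UntrustedRoot` to the second.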
 

Re:NAC CA agent SSL error

Postby Guest » Mon Jan 01, 2007 6:43 pm


Thanks Michael, that worked.

Cheers.

Dale

Guest
 

Re:NAC CA agent SSL error

Postby Guest » Mon Jan 01, 2007 8:05 pm


No problem, glad I could help.

Cheers!

Guest
 

Re: NAC CA agent SSL error

Postby guest » Wed Apr 04, 2012 1:11 am

I am also facing a somewhat similar problem.

Daily when I switch on my computer, I get a security alert which says "This page requires a secure connection which includes server authentication." "The certificate issuer for this site is untrusted or unknown, Do you wish to proceed?"

There are 3 options to choose from: yes, no, view certificate, among which the 'no' option is the default one.

When I click on the yes button the NAC agent pops up, and when I provide the login credentials it gets authenticated and I get full network access.

But if I click no then the NAC agent never pops up.

I wanted to know whether there is any way to remove this security alert, and also whether there is any way to make 'yes' the default option.

I am using self-signed certificates for both CAS and CAM
guest