Oh, one other thing, authentication is taking place on the CAM, the CAM must be able to resolve the DNS name...
[EMAIL PROTECTED] ~]# nslookup crl.verisign.com
Server: 150.216.1.250
Address: 150.216.1.250#53

Non-authoritative answer:
crl.verisign.com canonical name = crl.verisign.net.
Name: crl.verisign.net
Address: 199.7.54.190

[EMAIL PROTECTED] ~]# nslookup certificates.godaddy.com
Server: 150.216.1.250
Address: 150.216.1.250#53

Non-authoritative answer:
certificates.godaddy.com canonical name = pkiweb-v05.prod.mesa1.secureserver.net.
Name: pkiweb-v05.prod.mesa1.secureserver.net
Address: 64.202.160.39

This has not been 100 per cent effective for us. What works every time is using the IP instead of the host name. When I look in the sniffer trace, I see the client resolving the name so I can't explain it. I started to open a TAC case the other day, but still testing. Tried several variations on the host name, "ends with" and "contains", besides "equals", but the IP is the only method that works every time.

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Speight, Howard
Sent: Friday, September 21, 2007 10:58
To: [email protected]
Subject: Re: Revocation message with Vista and IE7

This thread was covered a couple of weeks ago, the fix is to check/add the CA to the unauthenticated role and temporary roles. If the cert doesn't have the CRL information included the only recourse is uncheck the box on the client. I believe it was the default for Vista and IE7 until the last patch Tuesday?

Hope that helps...

Howard

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Stanclift, Michael
Sent: Friday, September 21, 2007 09:53
To: [email protected]
Subject: Re: Revocation message with Vista and IE7

There is an option in IE7 under the security settings that you can turn off that is something to the effect of "check for security certificate revocation" that will stop the error from showing up.
We have the same problem though and have not been able to figure out why it happens. I don't think the option is even available in IE6 and in IE7 on XP I think it's already turned off by default.

Michael Stanclift
Network Analyst
Rockhurst University
Conway Hall, Office 415
1100 Rockhurst Road
Kansas City, Missouri 64110
(816) 501-4231

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Dale Harville
Sent: Friday, September 21, 2007 8:34 AM
To: [email protected]
Subject: Revocation message with Vista and IE7

I have Clean Access Version 4.1.2.1 running in-band mode. Whenever a student with a Windows Vista laptop running IE7 connects and after the password has been verified, they get a message "Revocation Information for the security Certificate for this site is not available. Do you want to proceed?" No matter how many times they hit yes, they never get past this screen. If they close the box, they are thrown into the temporary access group. Laptops running Windows XP and IE6 work just fine. Any idea why this is?

Dale Harville
Network Administrator
Infrastructure Operations
Galveston College
Information Technology
4015 Ave Q
Galveston, TX. 77550
Voice: (409) 944-1356
Fax: (409) 944-1356
Email: [EMAIL PROTECTED]
Monday-Friday 8:00am - 5:00pm CST

"Try not to become a man of success, but rather try to become a man of value."
Albert Einstein
