Also note that I used the term "CA cert" loosely here, assuming a standalone CA. If you are using a tiered CA setup, you'll need the intermediate CA certs of the chain as well as the root CA cert.

Chris

Chris Evans wrote:
You need to ensure that the CAM has the CA certificate corresponding to the certificate issued to the CAS (there are options in the GUI in 4.1.6 to allow you to upload that certificate).

The CAS and CAM do not have to have certificates issued by the same CA, but they both need to have the CA certificates for each other.

In code prior to 4.1.6, the CAS needed the CA certificate corresponding to the certificate issued on the CAM (but the CAM didn't need the CA certificate for the cert on the CAS). Most people used the self-generated cert on the CAM, so the CA cert for this was already "built in". In 4.1.6 code, the CAM likewise needs the CA certificate for the certificate issued to the CAS - this is a new requirement and is the limitation you'll likely run into.

Strictly speaking, for it to function, you don't need to issue a new certificate to the CAM if you are using the "perfigo-based" certificates (but it needs the CA certificate corresponding to the certs on the CASes!), but as implied elsewhere in the alias, it's a good security practice to do so.

Hall, Rand wrote:
So, what are the ramifications for leaving the Perfigo certificate in place?

I have a "real" certificate installed on the CAS but not on the CAM. I'm scheduled to update tomorrow morning but am not looking forward to being dead in the water if the certificate is a deal-killer.


Cheers,
Rand

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Muhammad Ismail
Sent: Wednesday, August 06, 2008 3:53 PM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

We have installed the version 4.1.6 on a test environment. Does not look too different from version 4.1.3.1. However, one thing you would notice right away is a message with red text asking you to make sure you have certificates for CAM and CAS. See the message in the screenshot.


Muhammad/.

Muhammad I. Ismail
Network Security Specialist
Western CT State University
(203) 837-8991 (O)
[EMAIL PROTECTED]



-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kenny
Sent: Wednesday, August 06, 2008 11:40 AM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

Yes.

Eric J. Kenny
Network Analyst
Marist College
3399 North Rd.
Poughkeepsie, NY 12601
845.575.3820

On Aug 6, 2008, at 10:35 AM, Walt Howd wrote:

Has the 4.1.6 agent been released for 4.1.3 installations? We have
auto update of the agent disabled.

Walt


