Here's a 4.1.6 pre-install checklist item for you: Make sure your certificates' "Netscape Cert Type" is not just "SSL Server". They need to support Client for the new CAS-CAM Authentication. We were making use of IPSCA's free edu certificates--which only support Server. As an aside, you get what you pay for. IPSCA support is virtually unreachable. I've been waiting 5 days. Comodo was very responsive to my credit card yesterday ;-)

Cheers,
Rand

--
Rand P. Hall * Director, Network Services
Merrimack College * SunGard Higher Education
315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com

CONFIDENTIALITY: This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited. If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.

-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]
On Behalf Of Chris Evans
Sent: Thursday, August 07, 2008 10:07 AM
To: [email protected]
Subject: Re: 4.1.6 Software Posted

You need to ensure that the CAM has the CA certificate corresponding to the certificate issued to the CAS (there are options in the GUI in 4.1.6 to allow you to upload that certificate). The CAS and CAM do not have to have certificates issued by the same CA, but they both need to have the CA certificates for each other.

In code prior to 4.1.6, the CAS needed the CA certificate corresponding to the certificate issued on the CAM (but the CAM didn't need the CA certificate for the cert on the CAS). Most people used the self-generated cert on the CAM, so the CA cert for this was already "built in".

In 4.1.6 code, the CAM likewise needs the CA certificate for the certificate issued to the CAS - this is a new requirement and is the limitation you'll likely run into.

Strictly speaking for it to function, you don't need to issue a new certificate to the CAM if you are using the "perfigo-based" certificates (but it needs the CA certificate corresponding to the certs on the CASes!), but as implied elsewhere in the alias, it's a good security practice to do so.

Hall, Rand wrote:
> So, what are the ramifications for leaving the Perfigo certificate in place?
>
> I have a "real" certificate installed on the CAS but not on the CAM. I'm
> scheduled to update tomorrow morning but am not looking forward to being dead
> in the water if the certificate is a deal-killer.
>
>
> Cheers,
> Rand
>
> --
> Rand P. Hall * Director, Network Services
> Merrimack College * SunGard Higher Education
> 315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
> Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com
>
> CONFIDENTIALITY: This e-mail (including any attachments) may contain
> confidential, proprietary and privileged information, and unauthorized
> disclosure or use is prohibited. If you received this e-mail in error,
> please notify the sender and delete this e-mail from your system.
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]
> On Behalf Of Muhammad Ismail
> Sent: Wednesday, August 06, 2008 3:53 PM
> To: [email protected]
> Subject: Re: 4.1.6 Software Posted
>
> We have installed the version 4.1.6 on a test environment. Does not look too
> different from version 4.1.3.1. However, one thing you would notice right
> away is a message with red text asking you to make sure you have certificates
> for CAM and CAS. See the message in screen shot.
>
>
> Muhammad/.
>
> Muhammad I. Ismail
> Network Security Specialist
> Western CT State University
> (203) 837-8991 (O)
> [EMAIL PROTECTED]
>
>
>
> -----Original Message-----
> From: Cisco Clean Access Users and Administrators [mailto:[EMAIL PROTECTED]
> On Behalf Of Eric Kenny
> Sent: Wednesday, August 06, 2008 11:40 AM
> To: [email protected]
> Subject: Re: 4.1.6 Software Posted
>
> Yes.
>
> Eric J. Kenny
> Network Analyst
> Marist College
> 3399 North Rd.
> Poughkeepsie, NY 12601
> 845.575.3820
>
> On Aug 6, 2008, at 10:35 AM, Walt Howd wrote:
>
>
>> Has the 4.1.6 agent been released for 4.1.3 installations? We have
>> auto update of the agent disabled.
>>
>> Walt
>>
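
An added example, not part of the thread and not Cisco code: a pre-upgrade check that combines the two points made above (the Netscape Cert Type must include SSL Client, and each box must hold the CA certificate for the other box's certificate). It reads `openssl x509 -noout -text` dumps; the function names, host names and sample dumps are constructed, and matching issuer to subject by name is a simplification of real chain validation.

```python
import re

def field(text, name):
    """Value of a one-line field ('Issuer' or 'Subject') in an openssl text dump."""
    m = re.search(rf"^[ \t]*{name}:[ \t]*(.+)$", text, re.MULTILINE)
    return m.group(1).strip() if m else None

def ns_cert_type(text):
    """Netscape Cert Type values as a list, or None when the extension is absent."""
    m = re.search(r"^[ \t]*Netscape Cert Type:.*\n[ \t]*(.+)$", text, re.MULTILINE)
    return [v.strip() for v in m.group(1).split(",")] if m else None

def preinstall_problems(cas, cam, cas_trusts, cam_trusts):
    """cas/cam: dump of each box's certificate; *_trusts: dumps of the CA certs it holds."""
    problems = []
    for box, cert in (("CAS", cas), ("CAM", cam)):
        types = ns_cert_type(cert)
        # An absent extension imposes no restriction; a present one must list SSL Client.
        if types is not None and "SSL Client" not in types:
            problems.append(f"{box}: Netscape Cert Type is {types}, no SSL Client")
    for box, cert, peer, trusts in (("CAS", cas, "CAM", cam_trusts),
                                    ("CAM", cam, "CAS", cas_trusts)):
        # Assumption: name matching only; signatures are not verified here.
        subjects = {field(ca, "Subject") for ca in trusts}
        if field(cert, "Issuer") not in subjects:
            problems.append(f"{peer} lacks the CA certificate that issued the {box} certificate")
    return problems

def dump(issuer, subject, ns_type=None):
    """Build a constructed, abbreviated stand-in for `openssl x509 -noout -text` output."""
    text = f"        Issuer: {issuer}\n        Subject: {subject}\n"
    if ns_type:
        text += f"            Netscape Cert Type: \n                {ns_type}\n"
    return text

# Constructed sample data; every name below is a placeholder.
EDU_CA = dump("CN=Example Edu Root", "CN=Example Edu Root")
SELF_CA = dump("CN=cam.example.edu", "CN=cam.example.edu")
CAS_CERT = dump("CN=Example Edu Root", "CN=cas.example.edu", "SSL Server")
CAM_CERT = SELF_CA  # self-generated certificate: issuer equals subject

if __name__ == "__main__":
    # Pre-4.1.6 layout from the thread: the CAS holds the CAM's CA certificate,
    # the CAM holds nothing for the CAS, and the CAS certificate is server-only.
    for problem in preinstall_problems(CAS_CERT, CAM_CERT, [SELF_CA], [SELF_CA]):
        print(problem)
```

Compare Issuer and Subject strings from dumps produced by the same openssl version, since the distinguished-name formatting differs between releases.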
