I'm glad to hear that so many people have had success with
this upgrade.
Unfortunately, ours did not go so well.
Our CAM is an HA-pair, each with its self-generated SSL
cert (apparently signed by www.perfigo.com). We have two
test standalone CASes, each with a similarly self-generated
cert. Then we have a production CAS HA-pair, which share a
Verisign chained cert for the pair's service FQDN.
The root CA and chained combination *are* included in
the CAM, as well as both units of the CAS HA-pair.
Unfortunately, that didn't quite cut the mustard, and
the upgrade broke the connection between the HA-CAM and
the HA-CAS. After nearly five(!) hours of priority 1
TAC handling, we finally got the connection back by
regenerating the (now discouraged) self-generated
www.perfigo.com-signed cert. We generated this on one
unit of the HA-CAS for the service IP and then copied it
to the other.
Speaking of which, we often get the following message
when trying to login to the /admin interface on our HA
CAS boxes.
We'll get the following error:
The link that you requested is not present on this Clean
Access System. If you reached this page by following a
link from the user interface of the Clean Access Manager
or Server, then please report this as a bug.
This happens on the individual IP for each CAS, and
sometimes on the service IP. It's inconsistent, and
sometimes survives reboots, and sometimes survives
browser clearing/restarting. Truly a new "feature" that
we're not able to pin down yet. But... suffice it to
say, it makes managing the boxes a bit difficult when
you can't login to the darn things.
Anyway, we'll try some of the suggestions made here.
Want a laugh? One of the early suggestions made by TAC
was that I should put official Verisign certs on all
the devices. *sigh*
Thank goodness for this list.
- Christopher
======================
On Sat, 16 Aug 2008 (13:57 -0400), Rob Chee wrote:
> Date: Sat, 16 Aug 2008 13:57:33 -0400
> From: Rob Chee <[EMAIL PROTECTED]>
> Reply-To: Cisco Clean Access Users and Administrators
> <[email protected]>
> To: [email protected]
> Subject: Re: [CLEANACCESS] 4.1.6 Software Posted
>
> Thanks for that tip about the "Netscape Cert Type". I ran into that too. It
> turns out that the Entrust Standard SSL certificate only supports the "SSL
> Server" type. You have to buy their Advantage SSL certificate to get both the
> "SSL Server" and "SSL Client" functionality.
>
> I also ran into another weird problem. I had a Verisign certificate, which
> uses an intermediate root CA certificate, on the NAS. I made sure I added the
> root and intermediate CA certificate onto the NAM. When I did the upgrade the
> NAS and NAM wouldn't talk. In the NAS and NAM logs there were complaints about
> invalid chaining certificate. I checked the Trusted Certificate Authority on
> the NAS and the NAM and made sure the intermediate and root CA Verisign
> certificate existed on both. I ended up solving the problem by re-inputting
> the private key and CA-Signed Certificate on the NAS. Once I did that and
> rebooted everything worked fine. I also saw in the 4.1.6 NAS config guide that
> the cacerts file can get corrupted. That may have been what happened during
> the upgrade. The config guide recommends the following
>
> If you check nslookup and date from the CAS, and both the DNS and
> TIME settings on the CAS are correct, this can indicate that the
> cacerts file on the CAS is corrupted. In this case, Cisco recommends
> backing up the existing cacerts file from
> /usr/java/j2sdk1.4/lib/security/cacerts, overriding it with the file
> from /perfigo/common/conf/cacerts, then performing "service perfigo
> restart" on the CAS.
>
>
> ------------------------------------------------------
> Rob Chee, CCIE #8188 (R&S and Security)
> Senior Network Consultant
> Chesapeake NetCraftsmen, LLC.
> Company Website: http://www.netcraftsmen.net
> My Blog: http://cnc-networksecurity.blogspot.com
> Mobile: 571-437-2829
> ------------------------------------------------------
>
>
> Hall, Rand wrote:
> > Here's a 4.1.6 pre-install checklist item for you:
> >
> > Make sure your certificates' "Netscape Cert Type" is not just "SSL Server".
> > They need to support Client for the new CAS-CAM Authentication. We were
> > making use of IPSCA's free edu certificates--which only support Server. As
> > an aside, you get what you pay for. IPSCA support is virtually unreachable.
> > I've been waiting 5 days. Comodo was very responsive to my credit card
> > yesterday ;-)
> >
> >
> > Cheers,
> > Rand
> >
> > --
> > Rand P. Hall * Director, Network Services
> > Merrimack College * SunGard Higher Education
> > 315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
> > Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com
> >
> > CONFIDENTIALITY: This e-mail (including any attachments) may contain
> > confidential, proprietary and privileged information, and unauthorized
> > disclosure or use is prohibited. If you received this e-mail in error,
> > please notify the sender and delete this e-mail from your system.
> >
> >
> > -----Original Message-----
> > From: Cisco Clean Access Users and Administrators
> > [mailto:[EMAIL PROTECTED] On Behalf Of Chris Evans
> > Sent: Thursday, August 07, 2008 10:07 AM
> > To: [email protected]
> > Subject: Re: 4.1.6 Software Posted
> >
> > You need to ensure that the CAM has the CA certificate corresponding to the
> > certificate issued to the CAS (there are options in the GUI in 4.1.6 to
> > allow you to upload that certificate).
> >
> > The CAS and CAM do not have to have certificates issued by the same CA, but
> > they both need to have the CA certificates for each other.
> >
> > In code prior to 4.1.6, the CAS needed the CA certificate corresponding to
> > the certificate issued on the CAM (but the CAM didn't need the CA
> > certificate for the cert on the CAS). Most people used the self-generated
> > cert on the CAM, so the CA cert for this was already "built in". In 4.1.6
> > code, the CAM likewise needs the CA certificate for the certificate issued
> > to the CAS - this is a new requirement and is the limitation you'll likely
> > run into.
> >
> > Strictly speaking for it to function, you don't need to issue a new
> > certificate to the CAM if you are using the "perfigo-based" certificates
> > (but it needs the CA certificate corresponding to the certs on the CASes!),
> > but as implied elsewhere in the alias, it's a good security practice to do
> > so.
> >
> > Hall, Rand wrote:
> >
> > > So, what are the ramifications for leaving the Perfigo certificate in
> > > place?
> > >
> > > I have a "real" certificate installed on the CAS but not on the CAM. I'm
> > > scheduled to update tomorrow morning but am not looking forward to being
> > > dead in the water if the certificate is a deal-killer.
> > >
> > >
> > > Cheers,
> > > Rand
> > >
> > > --
> > > Rand P. Hall * Director, Network Services
> > > Merrimack College * SunGard Higher Education
> > > 315 Turnpike Street, North Andover MA 01845 * Tel 978-837-5000
> > > Fax 978-837-5383 * [EMAIL PROTECTED] * www.sungardhe.com
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Cisco Clean Access Users and Administrators
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Muhammad Ismail
> > > Sent: Wednesday, August 06, 2008 3:53 PM
> > > To: [email protected]
> > > Subject: Re: 4.1.6 Software Posted
> > >
> > > We have installed the version 4.1.6 on a test environment. Does not look
> > > too different from version 4.1.3.1. However, one thing you would notice
> > > right away is a message with red text asking you make sure you have
> > > certificates for CAM and CAS. See the message in screen shot.
> > >
> > >
> > > Muhammad/.
> > >
> > > Muhammad I. Ismail
> > > Network Security Specialist
> > > Western CT State University
> > > (203) 837-8991 (O)
> > > [EMAIL PROTECTED]
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: Cisco Clean Access Users and Administrators
> > > [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kenny
> > > Sent: Wednesday, August 06, 2008 11:40 AM
> > > To: [email protected]
> > > Subject: Re: 4.1.6 Software Posted
> > >
> > > Yes.
> > >
> > > Eric J. Kenny
> > > Network Analyst
> > > Marist College
> > > 3399 North Rd.
> > > Poughkeepsie, NY 12601
> > > 845.575.3820
> > >
> > > On Aug 6, 2008, at 10:35 AM, Walt Howd wrote:
> > >
> > >
> > > > Has the 4.1.6 agent been released for 4.1.3 installations? We have
> > > > auto update of the agent disabled.
> > > >
> > > > Walt
> > > >
> > >
> >
> >
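The checklist item Rand and Rob discuss above (a certificate whose "Netscape Cert Type" is only "SSL Server" will not work for the 4.1.6 CAS-CAM mutual authentication) can be checked before the upgrade rather than after. The following is an added example, not code from the thread, from Cisco or from any CA: a standard-library-only Python script that walks the DER of a certificate, pulls out the Netscape Cert Type (OID 2.16.840.1.113730.1.1) and Extended Key Usage (OID 2.5.29.37) extensions, and reports whether the certificate is permitted to act as a TLS server and as a TLS client. The rule it applies is the one OpenSSL and RFC 5280 use: an absent extension places no restriction, a present one must allow the role. The `build_stub_cert` helper at the end constructs a placeholder (unsigned, key-less) certificate so the checker can be exercised offline; everything about that stub is an assumption for testing, not a real certificate.

```python
"""Added example: report the TLS server/client roles a certificate's Netscape
Cert Type and Extended Key Usage extensions allow. Standard library only; the
DER walker is minimal and assumes a well-formed X.509 v3 certificate."""
import base64

NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"   # netscape-cert-type
EKU_OID = "2.5.29.37"                        # id-ce-extKeyUsage
SERVER_AUTH = "1.3.6.1.5.5.7.3.1"            # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"            # id-kp-clientAuth
NS_SSL_CLIENT, NS_SSL_SERVER = 0x80, 0x40    # bit 0 / bit 1 of the BIT STRING


def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a SEQUENCE/SET into (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        out.append((tag, child))
    return out


def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def extensions(cert_der):
    """Yield (oid, critical, extnValue bytes) for every extension."""
    _, cert, _ = der_read(cert_der)                 # Certificate ::= SEQUENCE
    tbs = der_children(cert)[0][1]                  # tbsCertificate
    for tag, val in der_children(tbs):
        if tag == 0xA3:                             # [3] EXPLICIT Extensions
            for _, ext in der_children(der_read(val)[1]):
                fields = der_children(ext)          # OID, [BOOLEAN critical], OCTET STRING
                critical = len(fields) == 3 and fields[1][1] == b"\xff"
                yield decode_oid(fields[0][1]), critical, fields[-1][1]


def cert_auth_roles(cert_der):
    """Return {'server': bool, 'client': bool}. An absent extension does not
    restrict; a present one must allow the role (nsCertType and EKU both)."""
    roles = {"server": True, "client": True}
    for oid, _, value in extensions(cert_der):
        if oid == NS_CERT_TYPE_OID:
            bits = der_read(value)[1]               # BIT STRING: unused-bit count, bytes
            flags = bits[1] if len(bits) > 1 else 0
            allowed = {"server": bool(flags & NS_SSL_SERVER),
                       "client": bool(flags & NS_SSL_CLIENT)}
        elif oid == EKU_OID:
            purposes = {decode_oid(v) for _, v in der_children(der_read(value)[1])}
            allowed = {"server": SERVER_AUTH in purposes, "client": CLIENT_AUTH in purposes}
        else:
            continue
        roles = {k: roles[k] and allowed[k] for k in roles}
    return roles


def load_pem(text):
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


# ---- constructed test input: a stub v3 certificate (assumption, not real) ----
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))


def build_stub_cert(ns_flags=None, eku=()):
    """Placeholder certificate carrying only what the walker needs: issuer,
    subject, key and signature are empty, so it is not a usable certificate."""
    exts = b""
    if ns_flags is not None:
        exts += tlv(0x30, encode_oid(NS_CERT_TYPE_OID)
                    + tlv(0x04, tlv(0x03, bytes([0, ns_flags]))))
    if eku:
        exts += tlv(0x30, encode_oid(EKU_OID)
                    + tlv(0x04, tlv(0x30, b"".join(encode_oid(o) for o in eku))))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02"))     # version v3
           + tlv(0x02, b"\x01")              # serialNumber
           + tlv(0x30, b"") * 5              # sigAlg, issuer, validity, subject, SPKI
           + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path) as fh:
            print(path, cert_auth_roles(load_pem(fh.read())))
```

Run it as `python check_roles.py cas.pem cam.pem` against the PEM files you intend to load on each box; anything reporting `'client': False` is the Entrust Standard / IPSCA situation described above and needs reissuing before the upgrade. Note that both extensions are consulted: a CA that sets a "server only" Netscape Cert Type while listing both serverAuth and clientAuth in the EKU still yields a client-unusable certificate.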
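The cacerts recovery that Rob quotes from the 4.1.6 CAS config guide (back up `/usr/java/j2sdk1.4/lib/security/cacerts`, overwrite it with `/perfigo/common/conf/cacerts`, then `service perfigo restart`) is the kind of step that is easy to botch at hour four of a P1 case. The following is an added example, not Cisco's own tooling, that wraps that procedure with a timestamped backup, an identity check (if the live file already equals the known-good copy, a corrupted cacerts is not your problem and you should look elsewhere, e.g. at the CA certs loaded on the CAM) and a sanity check that what gets installed at least carries the JKS keystore header. The default paths are the two the guide names; the restart is only issued when asked, which is also what lets the function be exercised offline against temporary files.

```python
"""Added example: the cacerts replacement from the 4.1.6 CAS config guide,
with backup, identity check and a JKS header check. Not Cisco's script."""
import filecmp
import shutil
import subprocess
import time
from pathlib import Path

LIVE_CACERTS = Path("/usr/java/j2sdk1.4/lib/security/cacerts")      # from the guide
KNOWN_GOOD_CACERTS = Path("/perfigo/common/conf/cacerts")           # from the guide
JKS_MAGIC = b"\xfe\xed\xfe\xed"     # first four bytes of a Java JKS keystore


def looks_like_jks(path):
    """True when the file starts with the JKS magic and a version of 1 or 2;
    a truncated or zeroed cacerts fails this before anything is touched."""
    with open(path, "rb") as fh:
        header = fh.read(8)
    return (len(header) == 8 and header[:4] == JKS_MAGIC
            and int.from_bytes(header[4:], "big") in (1, 2))


def restore_cacerts(live=LIVE_CACERTS, good=KNOWN_GOOD_CACERTS, restart=False):
    """Replace `live` with `good` after backing `live` up. Returns 'identical'
    when nothing needed doing, 'restored' otherwise; raises on anything an
    operator should stop for."""
    live, good = Path(live), Path(good)
    if not good.is_file() or good.stat().st_size == 0:
        raise FileNotFoundError(f"known-good truststore missing or empty: {good}")
    if not looks_like_jks(good):
        raise ValueError(f"{good} does not look like a JKS keystore; refusing to install it")
    if live.is_file() and filecmp.cmp(live, good, shallow=False):
        return "identical"          # cacerts is not what broke CAS-CAM trust
    if live.is_file():
        backup = live.with_name(f"{live.name}.bak.{time.strftime('%Y%m%d%H%M%S')}")
        shutil.copy2(live, backup)
    shutil.copy2(good, live)
    if not filecmp.cmp(live, good, shallow=False):
        raise RuntimeError("copy verification failed")
    if restart:
        # the restart command the guide gives; only run when explicitly asked
        subprocess.run(["service", "perfigo", "restart"], check=True)
    return "restored"


if __name__ == "__main__":
    print(restore_cacerts(restart=True))
```

Before running it on a CAS, do the two checks the guide puts first (`nslookup` of a known name and `date`), because a wrong clock or broken DNS produces the same "invalid chaining certificate" symptom and no amount of cacerts surgery will fix it. After a restore, `keytool -list -keystore /usr/java/j2sdk1.4/lib/security/cacerts` is a quick way to confirm the truststore opens and still contains the CA entries you expect.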