It does help indeed, looks like I lucked out on that one! Thanks for posting!
From: Cisco Clean Access Users and Administrators On Behalf Of Kyle Torkelson
Sent: Tuesday, February 16, 2010 11:06 AM
To: [email protected]
Subject: Re: IPSCA Certificate Revocation

Howard,

Go 4 fields down to "CRL Distribution Points." You can see on my attached goodcrl.jpg and badcrl.jpg that the badcrl.jpg has the old IPSCA2002CLASEA1.crl (revocation list) which, if you remember, was the old Intermediate CA that they no longer use since the Root CA expired in 2009. The goodcrl.jpg references the new hierarchy of the Level 1 CA that is the intermediate to their Global Root CA.

Hopefully, you won't have to get new certs... Takes about a day, but I had their support look up my old ticket number so that I didn't have to create a new signing request in NAC. Figured if I didn't have to boot all of my users in NAC by going the temporary certificate route, the better. This way, IPSCA just sent me an updated cert and I just had to browse to it, import it, and NAC started using it immediately.

Hope this helps...

From: Cisco Clean Access Users and Administrators On Behalf Of Speight, Howard
Sent: Tuesday, February 16, 2010 9:39 AM
To: [email protected]
Subject: Re: IPSCA Certificate Revocation

I got this on December 29th, how does that URL look? These machines have not been deployed...

From: Cisco Clean Access Users and Administrators On Behalf Of Kyle Torkelson
Sent: Tuesday, February 16, 2010 9:49 AM
To: [email protected]
Subject: Re: IPSCA Certificate Revocation

After a couple hours on the phone with TAC, we were able to resolve our ongoing issue with the "revocation" pop-up box and IPSCA certificates. As some of you know, IPSCA had their root CA expire on December 29, 2009 and started to issue new certs signed by a new root CA around December 15. These first newly signed certs had the incorrect CRL URL in the CRL Distribution Points field.

After opening a support case with IPSCA, they admitted that the first certs signed were wrong and then asked me to create a new request. I've now upgraded to 4.7.2 and, after importing these newly signed certs that have the correct CRL URL in the CRL Distribution Points field, I am no longer getting the "revocation" pop-up. I believe we were seeing an issue that was fixed in 4.7.2 (Cisco BugID CSCsy37405) that was erring out on the incorrect URL, so I can't say that it was completely Cisco's or IPSCA's fault. It was the classic finger-pointing game, but the issue has now been resolved. I've now been able to turn on the checkboxes for server and publisher certificate revocation in all editions of Windows XP, Vista, and 7 and get uninterrupted Cisco NAC.

Now, if only Firefox and Mac/Safari and any other 3rd party browsers would include IPSCA in their SSL keystores/keychains we'd be all set. Even though IPSCA is free, free does come at a cost! :)

Hope this helps anyone else out there...
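An added example, not from the thread or from Cisco or IPSCA, of automating the check Kyle describes doing by eye in the certificate viewer: pull the CRL Distribution Points extension out of a certificate with OpenSSL and flag any URI that is not under the current CA's CRL base. The certificates, hostnames and CRL URLs are constructed for the demonstration; it needs OpenSSL 1.1.1 or later for `-addext` and `-ext`.

```shell
#!/bin/sh
# Inspect the CRL Distribution Points (CDP) extension of an X.509 certificate
# and report a CRL URI that points at a retired CA hierarchy. A client doing
# revocation checking fetches the CRL from this URI, so a stale one fails.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test certificates (self-signed, throwaway key). A real server
# cert comes from the CA; only the embedded CDP URI matters for this check.
make_cert() {   # $1 = output PEM file, $2 = CRL URI to embed in the CDP
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=nac.example.test" \
        -addext "crlDistributionPoints=URI:$2" \
        -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}

# Print every URI listed in the certificate's CDP extension, one per line.
# Prints nothing if the certificate carries no CDP extension.
cdp_uris() {    # $1 = PEM certificate
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/.*URI:\([^ ,]*\).*/\1/p'
}

# Return 0 when every CDP URI starts with the expected (current) CRL base,
# 1 when the extension is missing or any URI points somewhere else.
check_cdp() {   # $1 = PEM certificate, $2 = expected CRL URL prefix
    uris=$(cdp_uris "$1")
    if [ -z "$uris" ]; then
        echo "BAD  $1: no CRL Distribution Points extension"
        return 1
    fi
    for u in $uris; do
        case "$u" in
            "$2"*) echo "OK   $u" ;;
            *)     echo "BAD  $u (not under $2)"; return 1 ;;
        esac
    done
}

# Constructed inputs: one cert still naming the old CRL, one naming the new.
make_cert "$WORK/old-cdp.pem"     "http://crl.example.test/old/class1.crl"
make_cert "$WORK/current-cdp.pem" "http://crl.example.test/current/level1.crl"
```

Run `check_cdp "$WORK/current-cdp.pem" http://crl.example.test/current/` against each file to see the OK and BAD verdicts; in practice the prefix is the CRL base of the CA's current intermediate.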
