Ted - Thanks for this. We also noticed that Macs seem to be checking the OCSP URL; this was the failure we were seeing from the clients. I went through the entire certificate chain to verify that each URL is accessible from the Unauthenticated and Temporary roles.
Jason Meador
Network Engineer
Santa Clara University
408-551-1847 (desk)
[email protected]

>>> "Roberge, Ted" <[email protected]> 5/21/2012 12:23 PM >>>
Here at UCI I think we found a permanent fix. We tested what I feel is a fix for this problem. Simply put, we needed to add the following hosts in both the temporary and unauthenticated roles (User Roles -> Policies -> Unauthenticated and Temporary -> Host). This problem, according to many blogs and posts, affects systems that are primarily behind proxies or NAC devices. The CA simply could not phone home.

crl.thawte.com
ocsp.thawte.com
crl.verisign.net
ocsp.verisign.net
crl.usertrust.com
ocsp.usertrust.com
crl.incommon.org
ocsp.incommon.org

We use Thawte certificates, but you should make entries based on your specific certificates (Comodo?). We did add in Verisign just to be safe. This was developed by our team here at UCI and then tested and verified by our Cisco TAC manager. Once I added in Verisign, our phone calls and emails stopped. I

“In my world of Information Technology, if you aren’t moving forward, you’re moving backwards.”

Ted Roberge
Director, Information Technology
Office of Information Technology
Student Housing, University of California, Irvine
Irvine, CA 92697

From: Cisco Clean Access Users and Administrators [mailto:[email protected]] On Behalf Of Jason Meador
Sent: Monday, May 21, 2012 11:53 AM
To: [email protected]
Subject: Re: Lion 10.7.4 update problem

Has this problem gotten worse for people over the weekend? Our helpdesk is seeing this issue with much more frequency today. Our case number is 621777213. We are having to trust both the root Comodo certificate and the CAS' certificate to get people working.

Jason Meador
Network Engineer
Santa Clara University
408-551-1847 (desk)
[email protected]

>>> Matt Perez <[email protected]> 5/16/2012 5:38 AM >>>
We are having the same issue and I have an open SR with Cisco. My case # is SR 621701005.
I have a clean install of 10.7.4 that I'm working with, and I have not tried any of the fixes so that I have a machine on which to replicate the issue.
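The work Jason describes above (walking the whole certificate chain to find every CRL and OCSP URL that the Unauthenticated and Temporary roles must be able to reach) is easy to get wrong by hand, because the URLs live in two different X.509 extensions and differ for every CA. The script below is an added example and is not part of the original thread or of any Cisco tool: it walks the DER of each certificate in a PEM chain with a minimal standard-library ASN.1 reader, pulls the OCSP responders out of the Authority Information Access extension and the CRL URLs out of the CRL Distribution Points extension, and prints the host names to permit. The embedded sample "certificate" is constructed in-code, carries only the relevant extensions, and uses made-up `example.test` host names; the hosts printed for a real chain will be whatever that chain's CAs publish (for a Thawte chain, Ted's `crl.thawte.com`/`ocsp.thawte.com` entries).

```python
"""List the OCSP responder and CRL hosts a certificate chain depends on (added example, stdlib only)."""
import base64
import sys
from typing import Dict, Iterator, List, Tuple
from urllib.parse import urlparse

OID_AIA = "1.3.6.1.5.5.7.1.1"        # authorityInfoAccess
OID_CRLDP = "2.5.29.31"              # cRLDistributionPoints
OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"   # id-ad-ocsp accessMethod
TAG_SEQ, TAG_OID, TAG_OCTET, TAG_URI = 0x30, 0x06, 0x04, 0x86   # 0x86 = GeneralName [6] IA5String


def tlvs(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, value) for each top-level DER element; single-byte tags are all X.509 uses."""
    i = 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated DER header")
        tag, first = data[i], data[i + 1]
        i += 2
        if first & 0x80:                              # long-form length
            n = first & 0x7F
            if not 1 <= n <= 4:
                raise ValueError("unsupported DER length encoding")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        else:
            length = first
        if i + length > len(data):
            raise ValueError("truncated DER element")
        yield tag, data[i:i + length]
        i += length


def decode_oid(value: bytes) -> str:
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def find_extensions(data: bytes) -> Iterator[Tuple[str, bytes]]:
    """Recursively find Extension ::= SEQUENCE { OID, [BOOLEAN critical], OCTET STRING } -> (oid, extnValue)."""
    for tag, value in tlvs(data):
        if not tag & 0x20:                            # primitive: nothing to descend into
            continue
        kids = list(tlvs(value)) if tag == TAG_SEQ else []
        if len(kids) in (2, 3) and kids[0][0] == TAG_OID and kids[-1][0] == TAG_OCTET:
            yield decode_oid(kids[0][1]), kids[-1][1]
        else:
            yield from find_extensions(value)


def uris(data: bytes) -> List[str]:
    """Collect every uniformResourceIdentifier GeneralName nested anywhere in data."""
    out: List[str] = []
    for tag, value in tlvs(data):
        if tag == TAG_URI:
            out.append(value.decode("ascii"))
        elif tag & 0x20:
            out.extend(uris(value))
    return out


def revocation_urls(cert_der: bytes) -> Dict[str, List[str]]:
    """OCSP responder URLs (from AIA) and CRL URLs (from CRLDP) of one DER certificate."""
    found: Dict[str, List[str]] = {"ocsp": [], "crl": []}
    for oid_str, extn_value in find_extensions(cert_der):
        items = list(tlvs(extn_value))                # extnValue wraps exactly one SEQUENCE OF
        if len(items) != 1 or items[0][0] != TAG_SEQ:
            continue
        body = items[0][1]
        if oid_str == OID_AIA:
            for _, access_desc in tlvs(body):         # AccessDescription { accessMethod, accessLocation }
                method, location = list(tlvs(access_desc))[:2]
                if decode_oid(method[1]) == OID_AD_OCSP and location[0] == TAG_URI:
                    found["ocsp"].append(location[1].decode("ascii"))
        elif oid_str == OID_CRLDP:
            for _, dist_point in tlvs(body):          # DistributionPoint { [0] distributionPoint, ... }
                for tag, name in tlvs(dist_point):
                    if tag == 0xA0:                   # [0] only; [2] cRLIssuer names are not fetch targets
                        found["crl"].extend(uris(name))
    return found


def hosts_to_allow(cert_der: bytes) -> List[str]:
    """Host names that must be reachable for revocation checking of this certificate."""
    urls = revocation_urls(cert_der)
    return sorted({h for h in (urlparse(u).hostname for u in urls["ocsp"] + urls["crl"]) if h})


def pem_certificates(pem: str) -> List[bytes]:
    """Split a PEM file (leaf plus intermediates) into DER blobs."""
    ders, buf, inside = [], [], False
    for line in pem.splitlines():
        if line.startswith("-----BEGIN CERTIFICATE"):
            inside, buf = True, []
        elif line.startswith("-----END CERTIFICATE"):
            ders.append(base64.b64decode("".join(buf)))
            inside = False
        elif inside:
            buf.append(line.strip())
    return ders


# --- constructed sample input: a tbsCertificate skeleton, NOT a real certificate -----------------
def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return tlv(TAG_OID, bytes(body))


def sample_certificate_der() -> bytes:
    """Constructed sample carrying AIA (OCSP + caIssuers), CRLDP (two URIs) and a critical basicConstraints."""
    uri = lambda u: tlv(TAG_URI, u.encode("ascii"))
    aia = tlv(TAG_SEQ, tlv(TAG_SEQ, oid(OID_AD_OCSP) + uri("http://ocsp.example.test"))
              + tlv(TAG_SEQ, oid("1.3.6.1.5.5.7.48.2") + uri("http://cert.example.test/ca.crt")))
    crldp = tlv(TAG_SEQ, tlv(TAG_SEQ, tlv(0xA0, tlv(0xA0,
                uri("http://crl.example.test/ca.crl") + uri("ldap://ldap.example.test/cn=ca")))))
    ext = lambda o, v, crit=b"": tlv(TAG_SEQ, oid(o) + crit + tlv(TAG_OCTET, v))
    exts = ext(OID_AIA, aia) + ext(OID_CRLDP, crldp) + ext("2.5.29.19", tlv(TAG_SEQ, b""), b"\x01\x01\xff")
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0xA3, tlv(TAG_SEQ, exts))
    return tlv(TAG_SEQ, tlv(TAG_SEQ, tbs))


if __name__ == "__main__":
    # Usage: python revocation_hosts.py chain.pem   (no argument: run against the constructed sample)
    certs = pem_certificates(open(sys.argv[1]).read()) if len(sys.argv) > 1 else [sample_certificate_der()]
    for n, der in enumerate(certs, 1):
        print(f"certificate {n}: {revocation_urls(der)}")
    print("hosts to permit in the Unauthenticated/Temporary roles:",
          sorted({h for d in certs for h in hosts_to_allow(d)}))
```

Run it against the PEM chain the CAS serves (leaf, intermediates and root) and every host it prints needs a Host entry in both roles; the caIssuers URL in AIA is deliberately not included, since the client only needs it to fetch a missing intermediate, not to validate revocation. Note that the Mac's check only succeeds if the host is reachable over plain HTTP on port 80 as well, so the role policy must permit that port, not just DNS resolution.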
