CLEANACCESS Archives

December 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Prem Ananthakrishnan (prananth)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Tue, 5 Dec 2006 09:47:07 -0800

Hey Dave,

I hit this issue when I was working with someone yesterday :). Can you
generate the certs on the CAS/CAM based on the DNS name as opposed to IP
and then try? Note that you will need to make sure that the DNS server
can resolve those names.
So, nslookup on the Macintosh device for the CAM/CAS names should work
to confirm.

Also, do not forget to reboot the CAM/CAS after you regenerate the SSL
certs.

In addition to this, you will need to add the root certificate issued by
www.perfigo.com to www.perfigo.com
to the key chain access. Under "Login" type and "X509Anchors" type.

Also, please make sure the certificate is valid and the time on the
client machine is in the range the certificate was generated. For e.g., if
the cert was generated at 2:00 PM EST (validity starts from then), and
the time on the client machine is 11:00 AM EST, then this causes a
problem.

Regards
Prem



-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of David Stempien
Sent: Tuesday, December 05, 2006 1:26 AM
To: [log in to unmask]
Subject: CCAA Mac OS X testing problems

I am testing the newly-released CCAA for Mac OS X on a couple of test
NAC servers I have set up.  Both CAS and CAM have been upgraded to 4.1.0.

Since these are test servers, I do not have a trusted certificate.  I am
able to log in using the Windows CCAA 4.1.0 client just fine as long as
I accept the un-trusted certificate each time, or elect to always trust
the un-trusted certificate.

However, in Mac OS X, I get the following error message:

"Cisco Clean Access Agent is having problem communicating with NAC
appliance server.

This could be caused by the Secured Transport Communication.  Please
make sure the certificate on the NAC appliance server is valid.  If the
NAC Appliance uses the temporary certificate, you have to install the
root certificate into certificate KeyChains."

[grammar comments aside...]

I have tried saving the perfigoca.crt into my Certificates keychain as
well as in the X509Anchors keychain.  I did the same with the
certificate generated by my test CAS which I dragged out of the
un-trusted warning from a Safari window.  However, I'm still getting the
same error message at login.

Since I can't seem to find any release notes or documentation for the
CCAA for Mac OS X, I'm hoping someone else may have some insight to
getting this to work.

Thanks,

--
Dave Stempien, Network Security Engineer University of Rochester Medical
Center Information Systems Division
585-784-6129
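
The two certificate checks suggested in the reply above (the name the certificate was issued for versus the name the client connects to, and the client clock versus the validity window), as an added example that is not part of the original thread or of any Cisco tool. It assumes the certificate fields are in the dictionary shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host name `cas.example.edu`, the address `192.0.2.10` and the sample certificates are constructed, wildcard names are not handled, and keychain trust of the issuing root is outside what it checks.

```python
import ssl
from datetime import datetime, timezone

def cert_names(cert):
    """Names the certificate was issued for: SAN entries, else subject CN."""
    names = [value for _kind, value in cert.get("subjectAltName", ())]
    if not names:
        names = [value for rdn in cert.get("subject", ())
                 for key, value in rdn if key == "commonName"]
    return names

def diagnose(cert, connect_name, client_time):
    """Return the reasons a client would reject this certificate (empty if none)."""
    problems = []
    # A cert generated for the IP will not match a client connecting by DNS name.
    if connect_name.lower() not in (n.lower() for n in cert_names(cert)):
        problems.append("name-mismatch")
    # Compare the client's clock with the validity window (both in UTC seconds).
    now = client_time.timestamp()
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    elif now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed sample data. 2:00 PM EST on 5 Dec 2006 is 19:00 GMT.
CERT_BY_IP = {
    "subject": ((("commonName", "192.0.2.10"),),),
    "notBefore": "Dec  5 19:00:00 2006 GMT",
    "notAfter": "Dec  5 19:00:00 2007 GMT",
}
CERT_BY_DNS = dict(CERT_BY_IP, subject=((("commonName", "cas.example.edu"),),))

CLOCK_BEHIND = datetime(2006, 12, 5, 16, 0, tzinfo=timezone.utc)  # 11:00 AM EST
CLOCK_OK = datetime(2006, 12, 5, 20, 0, tzinfo=timezone.utc)      # 3:00 PM EST

if __name__ == "__main__":
    cases = (
        ("cert by IP, clock behind", CERT_BY_IP, CLOCK_BEHIND),
        ("cert by DNS, clock behind", CERT_BY_DNS, CLOCK_BEHIND),
        ("cert by DNS, clock ok", CERT_BY_DNS, CLOCK_OK),
    )
    for label, cert, clock in cases:
        print(label, "->", diagnose(cert, "cas.example.edu", clock) or "ok")
```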
