CLEANACCESS Archives

August 2012

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Steve Stockmal <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Mon, 27 Aug 2012 09:45:44 -0600

We had an issue just last week where we were getting certificate revocation errors across the Enterprise.

This ended up being due to a change in the GoDaddy CRL IP.  We have crl.godaddy.com and certificates.godaddy.com host entries but as the IP was noted in our firewall as now the "old" IP, we had issues.

Take a look at this valuable link under the "Access to CRL and OCSP Services".....

http://support.godaddy.com/help/article/6723/verifying-a-certificates-validity-on-your-computer

We ended up adding all host entries as well as all IP Policies to all of these hosts in our Managers.  Our firewall guys added these as well.

I checked with GoDaddy support and they do NOT have an email subscription service you can join to be notified of IP and/or hostname changes.

Fun, fun, fun!


Steve Stockmal
Enterprise Network Services
Intermountain Healthcare
4646 West Lake Park Blvd.
Salt Lake City, UT  84120
Office: (801) 442-6023
[log in to unmask]
ITIL V3 Foundations





-----Original Message-----
From: Cisco Clean Access Users and Administrators [mailto:[log in to unmask]] On Behalf Of Kurt Huenemann
Sent: Monday, August 27, 2012 7:31 AM
To: [log in to unmask]
Subject: Re: Apple Safari users get certificate warning from CAS server

Just a "me too" to say that we had to add crl.godaddy.com and ocsp.godaddy.com entries to get our MacOS 10.7.4 users online.

Also, MacOS 10.8 users have to relax their default Gatekeeper settings in order to download the NAC Agent.

Those two items got most of our Mac users online during move-in weekend here.

Kurt E. Huenemann
Heidelberg University
Tiffin, Ohio 44883

Do not ever e-mail your password to anyone.
CNIT will never ask for your password in an e-mail.



On Mon, Jul 9, 2012 at 1:27 PM, Dennis Xu <[log in to unmask]> wrote:
>
> We already had all the crl.* entries. Adding the ocsp.* entries fixed the issue for us.
>
> Thanks!
>
> ---
> Dennis Xu
> Network Analyst, Computing and Communication Services University of Guelph
> 5198244120 x 56217
>
> ----- Original Message -----
> From: "Don Nightingale" <[log in to unmask]>
> To: [log in to unmask]
> Sent: Monday, July 9, 2012 11:29:15 AM
> Subject: Re: Apple Safari users get certificate warning from CAS server
>
> Macs started using OCSP by default in the latest release.  The servers
> used aren't in the default allowed hosts list for the
> unauthenticated/temp roles.
>
> Try adding the ocsp.* host entries for your cert provider in the 
> unauthenticated and temp roles.  This cleared up the problem for us 
> (CCA 4.8.2).
>
> --
> Don
>
>
>
> On 7/9/2012 11:07 AM, Kelly Slone wrote:
> > I have noticed the same issue with a new cert we have installed for
> > our guest wireless implementation of ISE.  The "invalid certificate
> > issuer" error is only seen from clients running 10.7.x Lion that are
> > using Safari.  We do not see this issue on iPads, iPhones, Windows
> > machines, or other OS X versions, even including the latest developer
> > seed of 10.8 Mountain Lion.
> >
> > Thank you,
> >
> > Kelly Slone, B.S., MCP
> > Telecom Specialist II
> > Marshall University Computing Services Drinko Library DL 434A
> > Office:  304-696-6109
> > Helpdesk:  304-696-3200
> > [log in to unmask]
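
The failure described in this thread (a CRL/OCSP host moving to an IP the firewall and role policies did not yet permit, with no notification from the CA) can be caught by a scheduled drift check. The following is an added example, not part of the original messages: the hostnames come from the thread, the allow-list addresses are constructed documentation IPs, and `check_drift` is a hypothetical helper name.

```python
import socket

# Hostnames named in this thread. The addresses are CONSTRUCTED documentation
# IPs (RFC 5737), standing in for what your firewall/NAC policy permits today.
ALLOWED = {
    "crl.godaddy.com": {"192.0.2.10"},
    "ocsp.godaddy.com": {"192.0.2.20"},
    "certificates.godaddy.com": {"192.0.2.30"},
}

def resolve(host):
    """Return the set of addresses the host resolves to right now."""
    # CRL and OCSP fetches are plain HTTP, hence port 80.
    infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}

def check_drift(allowed, resolver=resolve):
    """Compare live DNS answers with the allow-list.

    Returns {host: {"missing": [...], "stale": [...], "error": str or None}}
    for every host whose answers differ from policy or that fails to resolve.
    "missing" = addresses clients will be sent to but policy does not permit.
    "stale"   = permitted addresses not in this answer (may only be DNS
                rotation, so review before removing them).
    """
    report = {}
    for host, permitted in allowed.items():
        try:
            current = set(resolver(host))
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            report[host] = {"missing": [], "stale": [], "error": str(exc)}
            continue
        missing = sorted(current - permitted)
        stale = sorted(permitted - current)
        if missing or stale:
            report[host] = {"missing": missing, "stale": stale, "error": None}
    return report

if __name__ == "__main__":
    # Live run: performs real DNS lookups against the constructed allow-list.
    for host, diff in check_drift(ALLOWED).items():
        print(host, diff)
```

Run it from a host that uses the same resolvers as the clients in the unauthenticated and temp roles, and alert on any non-empty "missing" list.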
