CLEANACCESS Archives

October 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Rajesh Nair (rajnair)" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 26 Oct 2006 15:25:24 -0700
Mike, Bill,

That is why it has to be DNS.  It works as follows: the client machine
tries to do an http request, e.g. http://www.google.com.  IE first
resolves www.google.com via DNS and then tries to do an http get from
that IP address.  When this request comes to the CAS, it will redirect
the user to https://<cas-ssl-domain>/auth/perfigo_weblogin.jsp.

So, two things could be wrong - 

1) CAS's SSL domain is incorrectly specified as the xxx.xxx.53.xxx IP
address as opposed to the name (computer.berkeley.edu).  Look at CAM ->
CCA Servers -> (Manage) -> Network -> Certs and look at the 
"Current SSL Certificate Domain" value.  Can you check this to make sure
it is right?  Did you import the cert and key on both the machines in
the HA pair? 

2) CAS's SSL domain is correctly specified in the cert but when the CAS
asks the client machine to go to
https://computer.berkeley.edu/auth/perfigo_weblogin.jsp, the client
machine incorrectly resolves it to the xxx.xxx.53.xxx address.  If #1 is
not the culprit, do an "ipconfig /flushdns" on the client machine and
try this again. 

-Rajesh.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of King, Michael
Sent: Thursday, October 26, 2006 2:36 PM
To: [log in to unmask]
Subject: Re: cert problem

Bill..

The Capture URL should NOT be an IP address, but the DNS name.  The Cert
is generated as a DNS name, so that is why you are getting the client
warnings.

I'm unaware of where this should be set (the DNS name versus the IP
address).

 

> -----Original Message-----
> From: Cisco Clean Access Users and Administrators 
> [mailto:[log in to unmask]] On Behalf Of William Doyle
> Sent: Thursday, October 26, 2006 3:57 PM
> To: [log in to unmask]
> Subject: Re: cert problem
> 
> Yes, I do.
> 
> Interestingly, in my earlier installation the url of the captured web 
> login page would be 
> https://computer.berkeley.edu/auth/perfigo_weblogin...etc but now it 
> is https://xxx.xxx.53.xxx/auth/..etc.  And, the .53 in the third octet
> should be .253. I checked the IPs of the pair and they have the proper
> IP
> 
> At 12:35 PM 10/26/2006, you wrote:
> >Bill,
> >
> >If you try a weblogin from IE, do you get a similar security 
> >warning/error or not?
> >
> >-Rajesh.
> >
> >-----Original Message-----
> >From: Cisco Clean Access Users and Administrators 
> >[mailto:[log in to unmask]] On Behalf Of William Doyle
> >Sent: Thursday, October 26, 2006 12:11 PM
> >To: [log in to unmask]
> >Subject: cert problem
> >
> >Good Day,
> >
> >Sorry if this is a duplicate post.
> >
> >I upgraded to 4.0.3 and am having a problem with certificates. I
> >installed a certificate from a root authority and everything seems fine.
> >CCA indicates that the certificate domain is computer.berkeley.edu.
> >
> >When attempting to log on using the agent I receive a cert warning
> >stating that the cert is issued by a root authority, the time is
> >correct, but the name is wrong. The cert details indicate the cert was
> >issued to computer.berkeley.edu. An nslookup of computer.berkeley.edu
> >returns the service IP of the failover pair.
> >
> >While I have failed logging in with a couple of different error
> >messages, most of the time I can successfully log on. However, after
> >logging on, I have consistently been unable to log off.
> >
> >Any ideas appreciated
> >
> >Bill Doyle
> 
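
Added example, not part of the original thread and not Cisco's code: an offline Python check that sorts a captured login-redirect URL into the two failure cases listed in the reply at the top of this message. The function names, result strings and the 192.0.2.x addresses are constructed for illustration; the hostname is the one quoted in the thread.

```python
import ipaddress
from urllib.parse import urlsplit


def host_is_ip_literal(host):
    """True when the URL host is an IP address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def name_matches(cert_name, host):
    """Case-insensitive match, allowing one left-most wildcard label."""
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cert_name.startswith("*."):
        return "." in host and host.split(".", 1)[1] == cert_name[2:]
    return cert_name == host


def diagnose(redirect_url, cert_dns_names, client_resolved_ips, service_ip):
    """Classify a login redirect against the two cases in the thread.

    cert_dns_names      -- DNS names the certificate was issued to
    client_resolved_ips -- what the client got when resolving the URL host
    service_ip          -- the address the name is supposed to resolve to
    """
    host = urlsplit(redirect_url).hostname or ""
    if host_is_ip_literal(host):
        # Case 1: the redirect uses an IP, so a cert issued to a DNS name
        # cannot match and the browser or agent warns about the name.
        return "case1-ip-in-redirect"
    if not any(name_matches(n, host) for n in cert_dns_names):
        return "cert-name-mismatch"
    if service_ip not in client_resolved_ips:
        # Case 2: the name is right but the client resolved it to some
        # other address (for example a stale cached answer).
        return "case2-client-resolves-wrong-ip"
    return "ok"


if __name__ == "__main__":
    # Constructed sample values (documentation address range).
    names = ["computer.berkeley.edu"]
    url = "https://computer.berkeley.edu/auth/perfigo_weblogin.jsp"
    print(diagnose("https://192.0.2.20/auth/perfigo_weblogin.jsp", names, [], "192.0.2.10"))
    print(diagnose(url, names, ["192.0.2.20"], "192.0.2.10"))
    print(diagnose(url, names, ["192.0.2.10"], "192.0.2.10"))
```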
