CLEANACCESS Archives

October 2006

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: William Doyle <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 27 Oct 2006 10:13:50 -0700
Content-Type: text/plain
Parts/Attachments: text/plain (122 lines)

Good Day,

For what it's worth...

Did a re-install of the servers with the same cert and the problem 
persisted. Then, did a re-install of the managers (no change to 
servers) and the redirect page resolved to the cert name.

Bill

At 03:25 PM 10/26/2006, you wrote:
>Mike, Bill,
>
>That is why it has to be DNS.  It works as follows - client machine
>tries to do an http request, for e.g. http://www.google.com.  IE first
>resolves www.google.com via DNS and then tries to do an http get from
>that IP address.  When this request comes to the CAS, it will redirect
>the user to -https://<cas-ssl-domain>/auth/perfigo_weblogin.jsp.
>
>So, two things could be wrong -
>
>1) CAS's SSL domain is incorrectly specified as the xxx.xxx.53.xxx IP
>address as opposed to the name (computer.berkeley.edu).  Look at CAM ->
>CCA Servers -> (Manage) -> Network -> Certs and look at the
>"Current SSL Certificate Domain" value.  Can you check this to make sure
>it is right?  Did you import the cert and key on both the machines in
>the HA pair?
>
>2) CAS's SSL domain is correctly specified in the cert but when the CAS
>asks the client machine to go to
>https://computer.berkeley.edu/auth/perfigo_weblogin.jsp, the client
>machine incorrectly resolves it to the xxx.xxx.53.xxx address.  If #1 is
>not the culprit, do an "ipconfig /flushdns" on the client machine and
>try this again.
>
>-Rajesh.
>
>-----Original Message-----
>From: Cisco Clean Access Users and Administrators
>[mailto:[log in to unmask]] On Behalf Of King, Michael
>Sent: Thursday, October 26, 2006 2:36 PM
>To: [log in to unmask]
>Subject: Re: cert problem
>
>Bill..
>
>The Capture URL should NOT be an IP address, but the DNS name.  The Cert
>is generated as a DNS name, so that is why you are getting the client
>warnings.
>
>I'm unaware of where this should be set (The DNS name versus the IP
>address)
>
>
>
> > -----Original Message-----
> > From: Cisco Clean Access Users and Administrators
> > [mailto:[log in to unmask]] On Behalf Of William Doyle
> > Sent: Thursday, October 26, 2006 3:57 PM
> > To: [log in to unmask]
> > Subject: Re: cert problem
> >
> > Yes, I do.
> >
> > Interestingly, in my earlier installation the url of the captured web
> > login page would be
> > https://computer.berkeley.edu/auth/perfigo_weblogin...etc but now it
 > > is https://xxx.xxx.53.xxx/auth/..etc.  And, the .53 in the third octet
 > > should be .253. I checked the IPs of the pair and they have the proper
 > > IP
> >
> > At 12:35 PM 10/26/2006, you wrote:
> > >Bill,
> > >
> > >If you try a weblogin from IE, do you get a similar security
> > >warning/error or not?
> > >
> > >-Rajesh.
> > >
> > >-----Original Message-----
> > >From: Cisco Clean Access Users and Administrators
> > >[mailto:[log in to unmask]] On Behalf Of William Doyle
> > >Sent: Thursday, October 26, 2006 12:11 PM
> > >To: [log in to unmask]
> > >Subject: cert problem
> > >
 > > >Good Day,
 > > >
 > > >Sorry if this is a duplicate post.
 > > >
 > > >I upgraded to 4.0.3 and am having a problem with certificates. I
 > > >installed a certificate from a root authority and everything seems fine.
 > > >CCA indicates that the certificate domain is computer.berkeley.edu.
 > > >
 > > >When attempting to log on using the agent I receive a cert warning
 > > >stating that the cert is issued by a root authority, the time is
 > > >correct, but the name is wrong. The cert details indicate the cert was
 > > >issued to computer.berkeley.edu. An nslookup of computer.berkeley.edu
 > > >returns the service IP of the failover pair.
 > > >
 > > >While I have failed logging in with a couple of different error
 > > >messages, most of the time I can successfully log on. However, after
 > > >logging on, I have consistently been unable to log off.
> > >
> > >Any ideas appreciated
> > >
> > >Bill Doyle
> >
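
Added example (not part of the original thread, and not Cisco code): a small Python check that classifies a captured redirect URL into the two failure cases described in the thread, an IP literal in the redirect versus a correct name that resolves to the wrong address. The function names, result labels and the 192.0.2.x addresses are assumptions constructed for illustration, and the certificate is assumed to carry DNS names only.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed sample values (documentation addresses, not the poster's real IPs).
CERT_NAMES = ["computer.berkeley.edu"]   # DNS names the certificate was issued to
SERVICE_IPS = {"192.0.2.253"}            # assumed service IP of the HA pair

def cert_matches(host, cert_names):
    """Exact match, or one left-most wildcard label such as *.example.edu."""
    host = host.lower().rstrip(".")
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def diagnose_redirect(location, cert_names, expected_ips, resolve=socket.gethostbyname):
    """Classify a captive-portal redirect URL against the cert names and DNS."""
    host = urlsplit(location).hostname or ""
    try:
        ipaddress.ip_address(host)
        # Case 1: the redirect was built from an IP, so a cert issued to a
        # DNS name cannot match and the client shows a name warning.
        return "ip-literal"
    except ValueError:
        pass
    if not cert_matches(host, cert_names):
        return "name-mismatch"   # redirect uses a name the cert does not cover
    try:
        addr = resolve(host)
    except OSError:
        return "dns-failure"
    if addr not in expected_ips:
        return "dns-mismatch"    # Case 2: right name, client resolves it wrongly
    return "ok"

if __name__ == "__main__":
    samples = [  # constructed redirect targets and stub resolvers
        ("https://192.0.2.53/auth/perfigo_weblogin.jsp", lambda h: "192.0.2.253"),
        ("https://computer.berkeley.edu/auth/perfigo_weblogin.jsp", lambda h: "192.0.2.53"),
        ("https://computer.berkeley.edu/auth/perfigo_weblogin.jsp", lambda h: "192.0.2.253"),
    ]
    for location, resolver in samples:
        print(location, "->", diagnose_redirect(location, CERT_NAMES, SERVICE_IPS, resolver))
```

Leaving out the `resolve` argument makes the check use the client's own resolver, which is the view that matters for the second case.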
