Date: Thu, 6 Jan 2011 13:51:00 -0500
Wondering if anyone had experienced this issue after a server certificate
renewal (version 4.8/latest 4.8.0.569 Mac Agent) and could point me in the
right direction. In advance, I'm not a Mac person. :-)

Over the Christmas break, NAC server certs were renewed (Entrust signed).
The PCs (all flavors) and OS X v10.6.x didn't miss a beat with the new
certificate; no obvious login/authentication issues. With OSX 10.5.8, we had
to manually import certs to allow agent login a la:

Run Safari on the Mac; Safari displays a "Safari can't verify the identity
of the website 'our.nac.server'" warning. Click on "Show Certificate",
check-mark "Always trust 'our.nac.server' when connecting to
'our.nac.server'". Click Continue. Provide the password required "to make
changes to your Certificate Trust Settings" (machine specific).

Confirmed that an intermediateCA Entrust Certification Authority - L1C
certificate and the "our.nac.server" certificate have been added to the
"login" keychain in Keychain Access.

At this point re-launch the Mac OSX CCA Agent client. Not elegant but
appears to work.

With Mac OSX versions in the 10.4.x branch, the above does not work for us.
:-( e.g. OS X 10.4.11; Safari 4.1.2 (4533.18.5); Keychain 3.3 (25367)

Doing an "Always trust 'our.nac.server' when connecting to 'our.nac.server'"
import with Safari adds the "our.nac.server" certificate and "Entrust
Certification Authority - L1C" (intermediateCA) to the login Keychain; the
RootCA appears in X509Anchors. Unfortunately, re-launching Safari again
suggests that the cert is still not trusted and again provides a "Safari
can't verify the identity of the website 'our.nac.server'" warning on
subsequent launches.

RootCA: Entrust.net Certification Authority (2048)
IntermediateCA: Entrust Certification Authority - L1C

On attempting to login via the Agent, the agent screen disappears for a
couple of seconds upon login, then reappears requesting login credentials.

Since it's a supported O/S with a supported Agent, wondering if anyone has
seen this? It might be less a NAC issue and more of a Mac-ignorant issue
relating to my understanding of Keychain and cert. imports on the local
machine.

Thanks in advance.

Terry