CLEANACCESS Archives

January 2011

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: Terry Mitchell <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Thu, 6 Jan 2011 13:51:00 -0500

Wondering if anyone had experienced this issue after a server certificate
renewal (version 4.8/latest 4.8.0.569 Mac Agent) and could point me in the
right direction. In advance, I'm not a Mac person. :-)

Over the Christmas break, NAC server certs were renewed (Entrust signed).
The PCs (all flavors) and OS X v10.6.x didn't miss a beat with the new
certificate; no obvious login/authentication issues. With OSX 10.5.8, we had
to manually import certs to allow agent login a la:

Run Safari on the Mac; Safari displays a "Safari can't verify the identity
of the website 'our.nac.server'" warning. Click on "Show Certificate",
check-mark "Always trust 'our.nac.server' when connecting to
'our.nac.server'". Click continue. Provide the password required "to make
changes to your Certificate Trust Settings" (machine specific).

Confirmed that an intermediateCA Entrust Certification Authority - L1C
certificate and the "our.nac.server" certificate have been added to the
"login" KeyChain in Keychain Access.

At this point re-launch the Mac OSX CCA Agent client. Not elegant but
appears to work.

With Mac OSX versions in the 10.4.x branch, the above does not work for us.
:-( e.g. OS X 10.4.11; Safari 4.1.2 (4533.18.5); Keychain 3.3 (25367)

Doing an "Always trust 'our.nac.server' when connecting to 'our.nac.server'"
import with Safari adds the "our.nac.server" certificate and "Entrust
Certification Authority - L1C" (intermediateCA) to the login Keychain; the
RootCA appears in X509Anchors. Unfortunately, re-launching Safari again
suggests that the cert is still not trusted and again provides a "Safari
can't verify the identity of the website 'our.nac.server'" warning on
subsequent launches.

RootCA: Entrust.net Certification Authority (2048)
IntermediateCA: Entrust Certification Authority - L1C

On attempting to log in via the Agent, the agent screen disappears for a
couple of seconds upon login, then reappears requesting login credentials.

Since it's a supported O/S with a supported Agent, wondering if anyone has
seen this? It might be less a NAC issue and more of a Mac-ignorant issue
relating to my understanding of Keychain and cert. imports on the local
machine.  

Thanks in advance.

Terry
