CLEANACCESS Archives

September 2007

CLEANACCESS@LISTSERV.MIAMIOH.EDU

Subject:
From: "Speight, Howard" <[log in to unmask]>
Reply To: Cisco Clean Access Users and Administrators <[log in to unmask]>
Date: Fri, 21 Sep 2007 11:26:51 -0400
Content-Type: text/plain

Oh, one other thing, authentication is taking place on the CAM, the CAM
must be able to resolve the DNS name...

[root@smartmanager2 ~]# nslookup crl.verisign.com
Server:         150.216.1.250
Address:        150.216.1.250#53

Non-authoritative answer:
crl.verisign.com        canonical name = crl.verisign.net.
Name:   crl.verisign.net
Address: 199.7.54.190

[root@smartmanager2 ~]# nslookup certificates.godaddy.com
Server:         150.216.1.250
Address:        150.216.1.250#53

Non-authoritative answer:
certificates.godaddy.com        canonical name = pkiweb-v05.prod.mesa1.secureserver.net.
Name:   pkiweb-v05.prod.mesa1.secureserver.net
Address: 64.202.160.39

This has not been 100 per cent effective for us. What works every time
is using the IP instead of the host name. When I look in the sniffer
trace, I see the client resolving the name so I can't explain it. I
started to open a TAC case the other day, but still testing. Tried
several variations on the host name, "ends with" and "contains", besides
"equals", but the IP is the only method that works every time.

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Speight, Howard
Sent: Friday, September 21, 2007 10:58
To: [log in to unmask]
Subject: Re: Revocation message with Vista and IE7

This thread was covered a couple of weeks ago, the fix is to check/add
the CA to the unauthenticated role and temporary roles. If the cert
doesn't have the CRL information included, the only recourse is to uncheck
the box on the client. I believe it was the default for Vista and IE7
until the last patch Tuesday?

Hope that helps...

Howard 

-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Stanclift, Michael
Sent: Friday, September 21, 2007 09:53
To: [log in to unmask]
Subject: Re: Revocation message with Vista and IE7

There is an option in IE7 under the security settings that you can turn
off that is something to the effect of "check for security certificate
revocation" that will stop the error from showing up. We have the same
problem though and have not been able to figure out why it happens.

I don't think the option is even available in IE6 and in IE7 on XP I
think it's already turned off by default.


Michael Stanclift
Network Analyst
Rockhurst University

Conway Hall, Office 415
1100 Rockhurst Road
Kansas City, Missouri 64110
(816) 501-4231


-----Original Message-----
From: Cisco Clean Access Users and Administrators
[mailto:[log in to unmask]] On Behalf Of Dale Harville
Sent: Friday, September 21, 2007 8:34 AM
To: [log in to unmask]
Subject: Revocation message with Vista and IE7

I have Clean Access Version 4.1.2.1 running in-band mode.  Whenever a
student with a Windows Vista laptop running IE7 connects and after the
password has been verified, they get a message "Revocation Information
for the security Certificate for this site is not available.  Do you
want to proceed?" No matter how many times they hit yes, they never get
past this screen.  If they close the box, they are thrown into the
temporary access group.  Laptops running Windows XP and IE6 work just
fine.  Any idea why this is?

Dale Harville
Network Administrator
Infrastructure Operations
Galveston College Information Technology
4015 Ave Q
Galveston, TX. 77550
Voice: (409) 944-1356
Fax: (409) 944-1356
Email: [log in to unmask]
Monday-Friday 8:00am - 5:00pm CST
"Try not to become a man of success, but rather try to become a man of
value."   Albert Einstein
