Is it still OK to use a temporary certificate (Perfigo-signed) on a CAM HA pair in 4.7?
Dennis Xu
Network Analyst
Computing and Communication Services
University of Guelph
519-824-4120 x 56217
----- Original Message -----
From: "Dave Stempien" <[log in to unmask]>
To: [log in to unmask]
Sent: Wednesday, November 18, 2009 7:37:27 AM GMT -05:00 US/Canada Eastern
Subject: Re: Fresh 4.7 install -- CAM says "no" to adding CAS
I resolved this yesterday after many hours of tinkering. Posting back to
the list for future reference...
I assumed (wrongly) that using temporary certificates was sufficient when
configuring authorization. I decided to sign new certs using our internal
CA, added the CA to the Trusted CA list, and imported the signed certs back
into each of the CAM/CAS HA pairs. Of course, since HA is also dependent
upon having matching certs on each member of the HA-pair, HA was broken
until all certs were finally synchronized. Temporary certs = OK for HA;
Temporary certs = !OK for authorization. Finally, it appears that
authorization is *required*, not optional as discussed in the documentation?
This will probably break again with the NAC client which, I believe,
requires certs to be signed by a well-known 3rd-party CA. Else, I will have
to distribute our internal CA to the 12,000 workstations that we manage.
Yuck.
Hope this thread one day helps someone else...
-- Dave
On 11/17/09 1:01 PM, "David Stempien" <[log in to unmask]> wrote:
> Hi all,
>
> After a year-plus hiatus in evaluating NAC, I've been told to dust off our
> rather large junkpile of 3350s and give another evaluation a go. Seems like
> the higher powers here are going to require NAC at some point, and we either
> eat our own dog food or someone else's. Personally, I like knowing where my
> Alpo comes from, so here I am.
>
> At last evaluation, we were using 4.1.8. At that time, the Active
> Directory/SSO integration was too painful to bear, forcing us to shutter
> this for awhile. Of course, we subsequently removed all our NAC gear from
> maintenance to save a few jobs' worth of cash. You know, in these troubled
> economic times and all...
>
> In the last few days, I installed 4.7 fresh on a HA-pair of CAMs and an
> HA-pair of CASes. HA is working fine. However, when I try to add the HA
> CAS pair to the HA CAM, I get, "Failed to add server: Could not connect to
> 10.145.143.3" <--- HA address of our CAS-pair. Seems like I can ping it
> just fine from the CAM.
>
> I've tried using authorization and no-authorization techniques, made sure
> the SSL certs were common within each HA pair, copied/pasted the DNs into
> the authorization fields as suggested in Cisco's documentation, etc. I
> rebooted each of the CAMs and CASes multiple times. I re-ran the perfigo
> config script to ensure the master password was the same, and so on... Oh,
> and I did install a license in the CAM for the CAS I'm trying to import!
>
> I'm going to try to sneak a new service request into TAC. Maybe even pester
> our Cisco SE for some help if that doesn't work. In the meantime, does
> anyone recognize my problem or have any tricks to share? I'm guessing this
> new CAS/CAM association technique started around 4.5.
>
> I've been lurking in this mail list even though I myself haven't been active
> in quite awhile. Seen lots of people leave for other solutions. Seen even
> fewer discussions around 4.5+ releases. Hoping that this list isn't quite
> dead yet!
>
> Thanks for any advice!
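The failure mode Dave describes in his reply above (temporary, self-signed Perfigo certs are enough for HA sync but not for CAM/CAS authorization, which needs the peer's cert to chain to an entry in the Trusted CA list) can be modelled offline. What follows is an added example written for this page in Go with only the standard library; it is not Cisco's code and not something posted in the thread. It builds an internal CA, issues one server cert for the CAS HA address 10.145.143.3 from the thread (the CA name and the hostname cas-ha.example.edu are assumptions), builds a self-signed "temporary" cert with the same names, and shows that only the CA-issued cert verifies against a trust pool holding the internal CA. It also computes a SHA-256 fingerprint, which is what to compare on both members of an HA pair to confirm the certs really were synchronized.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// casHA is the CAS HA service address from the thread; the hostname is assumed.
const casHA = "10.145.143.3"
const casName = "cas-ha.example.edu"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustCreate signs tmpl with signer (parent == tmpl means self-signed) and parses the result.
func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewInternalCA stands in for the "internal CA" Dave used to sign the CAM/CAS certs.
func NewInternalCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Campus Internal CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCreate(tmpl, tmpl, &key.PublicKey, key), key
}

// casTemplate describes the one server cert both CAS HA members must carry.
func casTemplate(serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: casName},
		DNSNames:     []string{casName},
		IPAddresses:  []net.IP{net.ParseIP(casHA)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// IssueFromCA returns a CAS cert signed by the internal CA (the working setup).
func IssueFromCA(ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key := newKey()
	return mustCreate(casTemplate(2), ca, &key.PublicKey, caKey)
}

// TemporaryCert returns a self-signed CAS cert: the shape of the appliance's
// temporary (Perfigo-signed) cert, with the right names but no trusted issuer.
func TemporaryCert() *x509.Certificate {
	key := newKey()
	tmpl := casTemplate(3)
	return mustCreate(tmpl, tmpl, &key.PublicKey, key)
}

// TrustedByCA is the check CAM/CAS authorization amounts to: chain the peer's
// cert to an entry in the Trusted CA list and confirm it is valid for the HA address.
func TrustedByCA(peer *x509.Certificate, trustedCAs ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, ca := range trustedCAs {
		pool.AddCert(ca)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, DNSName: casHA})
	return err
}

// Fingerprint is the SHA-256 digest of the DER cert; compare it on both HA
// members to prove the certs were actually synchronized.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

func SameCert(a, b *x509.Certificate) bool {
	return Fingerprint(a) == Fingerprint(b)
}

func main() {
	ca, caKey := NewInternalCA()
	signed := IssueFromCA(ca, caKey)
	temp := TemporaryCert()
	fmt.Println("temporary cert vs Trusted CA list:", TrustedByCA(temp, ca))
	fmt.Println("CA-signed cert vs Trusted CA list:", TrustedByCA(signed, ca))
	fmt.Println("HA members match:", SameCert(signed, signed), Fingerprint(signed))
}
```

Run it with `go run`; the temporary cert fails with an unknown-authority error while the CA-issued one verifies. Against a live appliance the same two checks are `openssl s_client -connect <HA address>:<admin HTTPS port> -CAfile internal-ca.pem` for the chain, and `openssl x509 -noout -fingerprint -sha256` on the cert exported from each HA member for the match.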