Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 14 Administering the CAM
Manage CAM SSL Certificates
Note Starting with Cisco NAC Appliance Release 4.8, the CAM or CAS generates event log messages to
indicate the certificate expiry in addition to the message displayed in the CAM/CAS web console.
No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM
The following client connection errors can occur if the CAS does not trust the certificate of the CAM,
or vice-versa:
• No redirect after web login: users continue to see the login page after entering user credentials
• Agent users attempting login get the following error: “Clean Access Server could not establish a
secure connection to the Clean Access Manager at <IPaddress or domain>.”
These errors typically indicate one of the following certificate-related issues:
• The time difference between the CAM and CAS is greater than 5 minutes
• Invalid IP address
• Invalid domain name
• CAM is unreachable
To identify common issues:
1. Check the CAM’s certificate and verify it has not been generated with the IP address of the CAS.
2. Check the time set on the CAM and CAS. The two clocks must differ by 5 minutes or less.
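The two identification checks above, written as a small shell helper. This is an added example, not part of the Cisco guide: it assumes the epoch times were read with `date +%s` on each appliance, that the CAM certificate was exported to a PEM file, and that the certificate name is carried in the subject CN. The host name, IP address and timestamps are constructed.

```shell
#!/bin/sh
# Constructed triage helper for an admin workstation.
# Assumes epochs were read with `date +%s` on each box and the CAM
# certificate was exported to a PEM file readable by openssl.
MAX_SKEW=300   # 5 minutes, the limit the guide states

# skew_seconds CAM_EPOCH CAS_EPOCH -> absolute clock difference in seconds
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# check_skew CAM_EPOCH CAS_EPOCH -> verdict on stdout, status 1 if over the limit
check_skew() {
    s=$(skew_seconds "$1" "$2")
    if [ "$s" -gt "$MAX_SKEW" ]; then
        echo "FAIL: clocks differ by ${s}s (limit ${MAX_SKEW}s)"
        return 1
    fi
    echo "OK: clocks differ by ${s}s"
}

# cn_from_subject SUBJECT_LINE -> CN value; accepts both the "/CN=name" and
# "CN = name" styles that different openssl versions print
cn_from_subject() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_cert_name CERT_CN CAM_ADDR CAS_ADDR -> status 1 on a mismatch
check_cert_name() {
    if [ "$1" = "$3" ]; then
        echo "FAIL: CAM certificate was generated with the CAS address $3"
        return 1
    elif [ "$1" != "$2" ]; then
        echo "FAIL: certificate name $1 does not match CAM address $2"
        return 1
    fi
    echo "OK: certificate name matches $2"
}

# Sample run with constructed values. For a real file, obtain the subject with:
#   openssl x509 -noout -subject -in cam-cert.pem
CAM_ADDR=cam.example.test
CAS_ADDR=192.0.2.20
check_skew 1700000000 1700000420 || true
check_cert_name "$(cn_from_subject 'subject= /O=Example/CN=192.0.2.20')" \
    "$CAM_ADDR" "$CAS_ADDR" || true
```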
To resolve these issues:
1. Set the time on the CAM and CAS correctly first (see Set System Time, page 14-5).
2. Export the certificate from your CAM, save it on a machine accessible from your CAS, and import
the exported certificate on the CAS. Then repeat the process in reverse so that the CAS
certificate also resides on the CAM.
3. Regenerate the certificate on the CAS using the correct IP address or domain.
4. Reboot the CAS.
5. Regenerate the certificate on the CAM using the correct IP address or domain.
6. Reboot the CAM.
Note If you check nslookup and date from the CAS, and both the DNS and TIME settings on the CAS are
correct, this can indicate that the caCerts file on the CAS is corrupted. In this case, Cisco recommends
backing up the existing caCerts file from /usr/java/j2sdk1.4/lib/security/caCerts, then overwriting it with the
file from /perfigo/common/conf/caCerts, and then running “service perfigo restart” on the CAS.
Note If the error message on the client is “Clean Access Server is not properly configured, please report to
your administrator,” this typically is not a certificate issue but indicates that a default user login page has
not been added to the CAM. See Add Default Login Page, page 5-3 for details.
For additional information, see also:
• Troubleshooting when Adding the Clean Access Server, page 2-8