Cisco NAC Appliance 4.1.0
11-18
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 11 Distributing the Clean Access Agent
Configuring Agent Distribution/Installation
SSL Requirements for Mac OS/CAS Communication
For the Mac OS Clean Access Agent to communicate with the Clean Access Server, the SSL communication between the Agent and the CAS must meet certain requirements. The CAS must have either:
• A valid CA-signed certificate (from a trusted Certificate Authority), or
• A temporary certificate that meets the requirements described below.
CAS Temporary Certificate Requirements for SSL Connection to Mac OS Agent
If using a temporary certificate for the CAS, make sure the following are in place.
Step 1
The CAS/CAM must use a fully qualified domain name (FQDN) as the “subject” DN (the CN) on the certificate (this is the “Full Domain Name or IP” field on the CAS/CAM console). An IP address is not allowed, because the Agent validates the certificate subject against the host name it connects to. This may require regenerating the certificate on your CAS. (See “Manage CAS SSL Certificates” in the Cisco NAC Appliance - Clean Access Server Installation and Administration Guide for details.)
Step 2
On the Mac OS machine, the root (CA) certificate that signed the temporary certificate must be installed in the X509 Anchors keychain in the Keychain Access application, so that the Agent trusts the certificate chain presented by the CAS. To do this, use the set of steps below that matches the Mac OS version running on the machine:
•
•
•
Step 3
The Mac OS machine must be able to correctly resolve the FQDN via DNS. There are two approaches to this:
a. Add an entry for the CAS FQDN to the DNS server which the Mac machine is using, or
b. For a test machine:
1. Enable your root account as described in
2. Edit the /etc/hosts file on the Mac machine by running sudo vi /etc/hosts to add a new domain lookup entry mapping the CAS IP address to its FQDN.
Caution
Because the CAS/CAM use the full domain name, you cannot use an IP address in the certificate. You must use the domain name instead.
Caution
Make sure your machine's date and time are valid for the certificate. If the current date and time fall outside the certificate's validity period (its “Not Before” and “Not After” dates), certificate validation fails and the Agent will not work.
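The following pre-flight script is an added example and is not part of the original guide or Cisco's software. It checks the three requirements above from the Mac OS (or any Unix) machine before the Agent is installed: that the certificate subject CN presented by the CAS is an FQDN rather than an IP address, that the current time lies inside the certificate's validity period, and that the FQDN resolves. The CAS host name cas.example.com and the port 443 are placeholders; the subject lines used in the comments are constructed samples of `openssl x509 -subject` output.

```shell
#!/bin/sh
# Added example (not Cisco's code): pre-flight check of a CAS temporary
# certificate against the Mac OS Agent requirements in this section.
# Assumptions: the CAS serves its certificate on TCP 443 and "openssl"
# is installed; "cas.example.com" is a placeholder host name.

# is_ip: succeed if the argument looks like a dotted-quad IPv4 address.
is_ip() {
  case "$1" in
    *[!0-9.]*) return 1 ;;   # anything other than digits and dots
    *.*.*.*)   return 0 ;;
    *)         return 1 ;;
  esac
}

# subject_cn: pull the CN out of an "openssl x509 -subject" line.
# Handles both "subject= /C=US/CN=host" and "subject=C = US, CN = host".
subject_cn() {
  printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# check_subject: succeed only if the CN is present and is NOT an IP address
# (Step 1: the subject must be an FQDN).
check_subject() {
  cn=$(subject_cn "$1")
  [ -n "$cn" ] || return 1
  if is_ip "$cn"; then return 1; fi
  return 0
}

# check_dates: succeed if "now" lies inside [notBefore, notAfter];
# all three arguments are epoch seconds (the date/time Caution above).
check_dates() {
  nb=$1; na=$2; now=$3
  [ "$now" -ge "$nb" ] && [ "$now" -le "$na" ]
}

# to_epoch: convert an openssl date such as "Jun  1 12:00:00 2007 GMT" to
# epoch seconds, using BSD date (Mac OS) or GNU date, whichever is present.
to_epoch() {
  if date -j >/dev/null 2>&1; then
    date -j -f '%b %e %T %Y %Z' "$1" '+%s'
  else
    date -d "$1" '+%s'
  fi
}

# hosts_entry: the /etc/hosts line for a test machine (Step 3b).
hosts_entry() {
  printf '%s\t%s\n' "$1" "$2"
}

# preflight: run the live checks against a CAS host name.
preflight() {
  host=$1
  if ! nslookup "$host" >/dev/null 2>&1; then
    echo "FAIL: $host does not resolve via DNS (Step 3)"; return 1
  fi
  info=$(openssl s_client -connect "$host:443" </dev/null 2>/dev/null \
         | openssl x509 -noout -subject -dates) || {
    echo "FAIL: could not fetch certificate from $host"; return 1; }
  subj=$(printf '%s\n' "$info" | grep '^subject')
  nb=$(to_epoch "$(printf '%s\n' "$info" | sed -n 's/^notBefore=//p')")
  na=$(to_epoch "$(printf '%s\n' "$info" | sed -n 's/^notAfter=//p')")
  check_subject "$subj" || { echo "FAIL: subject CN is not an FQDN: $subj"; return 1; }
  check_dates "$nb" "$na" "$(date '+%s')" || {
    echo "FAIL: clock is outside certificate validity period"; return 1; }
  echo "OK: $host presents an FQDN certificate that is currently valid"
  # Step 2 is a trust-store action, not a check; on current macOS the
  # equivalent of adding the signer to X509 Anchors is (assumption):
  #   sudo security add-trusted-cert -d -r trustRoot \
  #        -k /Library/Keychains/System.keychain root-ca.pem
}

# Only perform live checks when the caller names a CAS, e.g.
#   CAS_HOST=cas.example.com sh preflight.sh
if [ -n "${CAS_HOST:-}" ]; then
  preflight "$CAS_HOST"
fi
```

Run it with `CAS_HOST=cas.example.com sh preflight.sh` on the Mac that will receive the Agent; a FAIL on the subject check means the CAS certificate has to be regenerated with the FQDN (Step 1), a FAIL on DNS means Step 3 is incomplete, and a FAIL on the dates means the client clock or the certificate validity period is wrong.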