Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Server Installation and Administration Guide
OL-12213-01
Chapter 12 Administer the Clean Access Server
Manage CAS SSL Certificates
Note that almost all of the settings in the CAS web console can be configured via the CAS management
pages in the CAM web admin console, with the exception of the Failover, DHCP Failover, Admin
Password, and Support Logs. The CAS direct access web console provides the following
Administration pages for the local CAS:
• Network Settings (IP, DNS, Failover, DHCP Failover)
• Software Update
• SSL Certificates (Generate Temporary Certificate, Import Certificate, Export CSR/Private Key/Certificate)
• Time Server
• Admin Password
The Monitoring module of the CAS direct access console provides the following pages:
• Active VPN Clients
• Support Logs
Note
For High Availability CAS pairs, any CAS network setting changes performed on an HA-Primary CAS
through the CAS management pages or CAS direct access web console must also be repeated on the
standby CAS unit through its direct access web console. These settings include updating the SSL
certificate, system time, time zone, DNS, or Service IP. See
and
for details.
Manage CAS SSL Certificates
The elements of Cisco NAC Appliance communicate securely over Secure Sockets Layer (SSL)
connections. Cisco NAC Appliance uses SSL connections for the following:
• Between the CAM and the CAS
• Between the CAM and the browser accessing the CAM web admin console
• Between the CAS and end-users connecting to the CAS
• Between the CAS and the browser accessing the CAS direct access web console
During installation, the configuration utility script for both the CAM and CAS requires you to generate
a temporary SSL certificate for the server being installed (CAM or CAS). A corresponding private key
is also generated with the temporary certificate.
For a production deployment, you will typically want to replace the temporary certificate for the Clean
Access Server with a CA-signed SSL certificate, since the CAS certificate is the one that is visible to
the end user. Otherwise, if the Clean Access Server has a temporary certificate, users accessing the
network will have to explicitly accept the certificate from the CAS each time they log in.
Note
Due to Java version dependencies on the system software, Cisco Clean Access only supports 1024- and
2048-bit key lengths for SSL certificates.
For the Clean Access Manager, it is not necessary to use a CA-signed certificate and you can continue
to use a temporary certificate, if desired. For details on managing SSL certificates for the CAM, see the
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide.
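A pre-import check for the CAS certificate constraints described above, as an added example that is not taken from the Cisco guide. It assumes the openssl CLI, PEM-encoded RSA files, and that a temporary certificate is self-signed (subject equals issuer); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks for a certificate destined for the CAS.
# Assumes the openssl CLI, PEM files and RSA keys; function names are hypothetical.

cert_key_bits() {   # print the certificate's public key size in bits
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

cert_is_self_signed() {   # heuristic: subject DN equals issuer DN
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

key_matches_cert() {   # RSA modulus of the private key equals the certificate's
    c=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_cas_cert CERT.pem [KEY.pem]
# Returns 0 only if the certificate passes every check; prints one finding per line.
check_cas_cert() {
    cert=$1; key=$2; rc=0
    bits=$(cert_key_bits "$cert")
    case "$bits" in
        1024|2048) echo "OK: ${bits}-bit key (supported length)" ;;
        *) echo "FAIL: key length '${bits:-unknown}' (only 1024 or 2048 supported)"; rc=1 ;;
    esac
    if cert_is_self_signed "$cert"; then
        echo "FAIL: subject equals issuer, users would be prompted at each login"; rc=1
    else
        echo "OK: issuer differs from subject"
    fi
    if [ -n "$key" ] && ! key_matches_cert "$cert" "$key"; then
        echo "FAIL: private key does not match the certificate"; rc=1
    fi
    return "$rc"
}
```

The subject/issuer comparison only detects a self-issued certificate; it does not validate the chain against a trusted CA.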
The following sections describe how to manage SSL certificates for the CAS: