Cisco NAC Appliance 4.9.4 Technical Manual

Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on these software and hardware versions:
NAC Server
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Main Task: Install the Certificate
Most browsers do not trust the certificate installed on the appliance by default, so they display a certificate warning and require the user to provide additional input to continue the connection, which can be bothersome.
In order to fully utilize the increased security afforded by the use of digital certificates for SSL security of the Profiler interface, the SSL subsystem configuration of the NPS must be changed. The change consists of replacing the private key and digital certificate that the system uses by default with a key pair and certificate that are specific to the installation and issued by a Certificate Authority that the browsers trust. After this procedure, the browser initiates an HTTPS session with the Server and takes the user immediately to the UI login process, with no certificate warnings.
Two Options
There are two alternatives for this on the NPS systems:
1. Use the OpenSSL toolkit resident on the appliance to generate a self-signed certificate that is installed on the NPS Server system and also imported as a trusted certificate on the PCs used to manage the system through the Web UI.
This option suits environments that have no internal CA and choose not to pay a commercial CA provider for a signed digital certificate that most commercial browsers recognize automatically. Note that a self-signed certificate is trusted only by the PCs on which it has been imported; any other browser continues to show the warning.
2. Use the OpenSSL toolkit to generate a Certificate Signing Request (CSR) for the NPS system and submit it to either an internal CA or an external commercial CA service, which returns a ready-to-use, signed digital certificate for use on the system.
Which option to use in a specific environment is typically determined by the internal security policy of the organization in which the Profiler system is installed. Detailed instructions for both options are provided in the remainder of this document.
Option 1: Use OpenSSL Toolkit on Beacon/NPS to Generate Sign
Before beginning the procedure outlined, verify that the Profiler system is properly configured to use the enterprise name service, and that a DNS entry exists so that the system has a fully qualified domain name (FQDN). The certificate is issued for this name, and the browser compares it with the host name in the URL, so the UI must be reached by FQDN. To verify this, make sure that you can open a UI session with the Profiler system using its FQDN (for example, https://beacon.bspruce.com/beacon) rather than its IP address (or VIP in the case of HA systems) in the URL when you browse to the UI.
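The two options described above (self-signed certificate, or CSR for a CA) and the FQDN requirement, worked through as one added example. This script is not from the Cisco document and does not reproduce the appliance's own procedure; it shows the OpenSSL operations involved and the three checks worth making before any key and certificate are loaded. The host name beacon.bspruce.com is the document's own example; the file names, subject fields, key size, validity period and working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Cisco document. Hostname beacon.bspruce.com is
# the document's own example; file names, subject fields, key size and
# validity period are assumptions for illustration.
set -eu

FQDN="${FQDN:-beacon.bspruce.com}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/beacon.key"
CSR="$WORKDIR/beacon.csr"
CRT="$WORKDIR/beacon.crt"
CNF="$WORKDIR/beacon.cnf"

# OpenSSL request config. CN carries the FQDN, and so does subjectAltName:
# browsers match the URL host name against the SAN, not the CN alone.
write_config() {
  cat > "$CNF" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ext
prompt = no

[ dn ]
C = US
O = Example Org
CN = $FQDN

[ ext ]
subjectAltName = DNS:$FQDN
extendedKeyUsage = serverAuth
EOF
}

# New private key for this installation (replaces the default key).
# Unencrypted so the web service can start unattended; protect it with
# file permissions instead.
gen_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
  chmod 600 "$KEY"
}

# Option 2: CSR to submit to an internal or commercial CA.
gen_csr() {
  openssl req -new -key "$KEY" -config "$CNF" -out "$CSR"
}

# Option 1: self-signed certificate with the same subject and SAN. It must
# also be imported as trusted on every PC used to manage the system.
gen_selfsigned() {
  openssl req -x509 -new -key "$KEY" -config "$CNF" -extensions ext \
    -days 825 -out "$CRT"
}

# Check 1: the CSR is well formed and signed by the key (exit 0 on success).
csr_ok() {
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1
}

# Check 2: the certificate names the host administrators type into the URL.
# Exit 0 when DNS:$1 appears in the SAN. An IP address never matches, which
# is why the UI must be reached by FQDN rather than by address.
cert_matches_host() {
  openssl x509 -in "$CRT" -noout -text | grep -Eq "DNS:$1(,|\$)"
}

# Check 3: the certificate about to be installed belongs to the key about to
# be installed (compares the public key carried by each).
key_matches_cert() {
  [ "$(openssl pkey -in "$KEY" -pubout)" = "$(openssl x509 -in "$CRT" -noout -pubkey)" ]
}

main() {
  write_config
  gen_key
  gen_csr
  gen_selfsigned
  csr_ok && echo "CSR verifies: $CSR"
  cert_matches_host "$FQDN" && echo "certificate names $FQDN: $CRT"
  key_matches_cert && echo "certificate matches key: $KEY"
}

main
```

For Option 2, beacon.csr is what goes to the CA; run the same `cert_matches_host` and `key_matches_cert` checks against the certificate the CA returns before installing it, since a CA that rewrites the subject or a certificate that was issued against an older key are the usual reasons a freshly installed certificate still produces warnings or fails to load. For Option 1, beacon.crt is installed together with beacon.key and imported on each management PC.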