I'll start by saying that it is imperative to read the release notes, cover to cover, before doing the upgrade. There are a couple of problems I ran into with my first two NAC upgrades. Both problems revolved around one big change in 4.1.6. That change requires the communication between the NAS and NAM to provide mutual SSL certificate authentication. This means that the CA root certificate for the NAS SSL certificate needs to exist on the NAM and the CA root certificate for the NAM SSL certificate needs to exist on the NAS. Previously, the NAM only authenticated the NAS SSL certificate, so you only had to make sure that the CA root certificate for the NAS existed on the NAM. With this new requirement, you also now have to make sure that the NAS SSL certificate supports both SSL server and SSL client attributes. Chris Evans does a pretty good job explaining this on his Miami of Ohio Mailing List entry.
The first big problem was that SSL certificates on the NAS and NAM must support SSL client and SSL server attributes. On the Miami of Ohio Mailing List, Rand talked about that issue. I ran into that issue with an Entrust Standard SSL certificate. It turns out that you have to purchase the Entrust Advantage SSL certificate to get the SSL client and SSL server attribute functionality.
Here's what an SSL public certificate with only the SSL server attribute enabled looks like

Here's what an SSL public certificate with SSL server and SSL client attributes enabled looks like. This is what you want to see.
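As an added example (not from the original post or Cisco's documentation), the same check can be made from a shell before the upgrade instead of in a certificate viewer. It assumes the "SSL server" and "SSL client" attributes are the Extended Key Usage values that `openssl x509 -noout -text` prints as "TLS Web Server Authentication" and "TLS Web Client Authentication"; the function names and sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Cisco).
# Assumption: the "SSL server" / "SSL client" attributes are the X.509
# Extended Key Usage values that `openssl x509 -noout -text` prints as
# "TLS Web Server Authentication" and "TLS Web Client Authentication".

# eku_status: read openssl text output on stdin and print one of
#   both | server-only | client-only | neither | no-eku
eku_status() {
    awk '
        /X509v3 Extended Key Usage/ { seen = 1; getline; line = $0 }
        END {
            if (!seen) { print "no-eku"; exit }
            s = (line ~ /TLS Web Server Authentication/)
            c = (line ~ /TLS Web Client Authentication/)
            r = "neither"
            if (s) r = "server-only"
            if (c) r = "client-only"
            if (s && c) r = "both"
            print r
        }'
}

# mutual_auth_ready: succeed only when both purposes are listed.
# "no-eku" is reported but not treated as ready; the post does not say
# how the appliances handle a certificate without the extension.
mutual_auth_ready() {
    [ "$(eku_status)" = "both" ]
}

# check_cert FILE: classify a PEM certificate on disk (needs openssl).
check_cert() {
    openssl x509 -in "$1" -noout -text | eku_status
}

# Constructed excerpts of openssl text output, not real certificates.
SAMPLE_SERVER_ONLY='            X509v3 Extended Key Usage:
                TLS Web Server Authentication'
SAMPLE_BOTH='            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
SAMPLE_NO_EKU='            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment'

# Demo: classify each constructed sample in turn.
for sample in "$SAMPLE_SERVER_ONLY" "$SAMPLE_BOTH" "$SAMPLE_NO_EKU"; do
    printf '%s\n' "$sample" | eku_status
done
```

Run `check_cert` against the exported public certificate of each appliance; anything other than `both` should be looked at before upgrading.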

The second problem I ran into had to do with corruption of the SSL certificate when doing the upgrade. I had a Verisign certificate, which uses an intermediate root CA certificate, on the NAS. I made sure I added the root and intermediate CA certificate onto the NAM. When I did the upgrade, the NAS and NAM wouldn't talk. In the NAS and NAM logs there were complaints about invalid chaining certificate. I checked the Trusted Certificate Authority on the NAS and the NAM and made sure the intermediate and root CA Verisign certificate existed on both. I ended up solving the problem by re-inputting the private key and CA-Signed Certificate on the NAS. Once I did that and rebooted, everything worked fine. I also saw in the 4.1.6 NAS config guide that the cacerts file can get corrupted. That may have been what happened during the upgrade. The config guide recommends the following:
If you check nslookup and date from the CAS, and both the DNS and TIME settings on the CAS are correct, this can indicate that the cacerts file on the CAS is corrupted. In this case, Cisco recommends backing up the existing cacerts file from /usr/java/j2sdk1.4/lib/security/cacerts, overriding it with the file from /perfigo/common/conf/cacerts, then performing “service perfigo restart” on the CAS.