Manager page. The server should provide the time in NIST-standard format (mm/dd/yy
hh:mm:ss). Use spaces to separate multiple servers.
If more than one time server is listed, the Cisco NAM contacts the first server in the list when
synchronizing. If the time is available from that server, the time is updated from that server. If
the time is not available from that server, the Cisco NAM tries the next server on the list until a
server is reached.
© 2007 Cisco Systems, Inc. Cisco NAC Appliance Monitoring and Administration 5-33
The PDF files and any printed representation for this material are the property of Cisco Systems, Inc.,
for the sole use by Cisco employees for personal study. The files or printed representations may not be
used in commercial training, and may not be distributed for purposes other than individual self-study.
Managing SSL Certificates
This topic describes how to configure SSL certificate management using the administration
console of the Cisco NAM.
Considerations:
- Cisco NAC Appliance components communicate using SSL connections.
- Generate a temporary SSL certificate for the Cisco NAM using an installation script.
- Use a CA-signed certificate for the Cisco NAS.
- Use either CA-signed or temporary certificates for the Cisco NAM.
- You cannot use the same CA-signed certificate for both a Cisco NAM and a Cisco NAS.
- Use the Cisco NAM admin console to perform the following SSL certificate-related operations:
  - Generate a temporary certificate.
  - Generate a PKCS #10 certificate.
  - Import and export the private key.
© 2007 Cisco Systems, Inc. All rights reserved. CANAC v2.1 5-14
The individual servers and managers of Cisco NAC Appliance communicate with each other
securely over SSL connections. SSL connections are used between the Cisco NAM and the
Cisco NAS, as well as between the Cisco NAM and the browser used to access the Cisco NAC
Appliance administration console. The Cisco NAC Appliance Agent (Cisco NAA) also
communicates using SSL.
At installation time, the install script allows you to generate a temporary SSL certificate for the
Cisco NAM. When configuring high availability for a Cisco NAS, you should contact a
certificate authority (CA), an organization authorized to issue trusted certificates, and obtain a
signed SSL certificate (CA-signed certificate). The Cisco NAS certificate is the certificate that
is visible to the end user. Consequently, a CA-signed certificate is recommended for the server
so that the end user is assured of the authenticity of the Cisco NAS that they are about to
connect to. With a CA-signed certificate, the user does not have to validate a certificate that is
unknown to their configuration when logging in. When a temporary certificate is used for the
Cisco NAS, the user is asked to accept the temporary certificate, which can be confusing if the
user is not familiar with certificates. Because the Cisco NAM does not interact with users, you
can choose either a CA-signed or temporary certificate.
Note: You cannot use the same CA-signed certificate for the Cisco NAM and the Cisco NAS. You
must buy a separate certificate for each Cisco NAS.
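The certificate rules above can be checked on PEM files exported from the two components. The script below is an added example, not Cisco code or part of the original course material; it assumes the temporary certificate is self-signed, and its function names, file names and subject names are constructed for illustration.

```shell
# Added example: audit exported Cisco NAM / Cisco NAS certificates (PEM files).
# Assumption: a temporary certificate is self-signed, so issuer equals subject.

# Succeeds when the certificate is self-issued (issuer hash == subject hash).
is_temporary() {
    s=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    i=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$s" = "$i" ]
}

# SHA-256 fingerprint without the "Fingerprint=" label.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# audit_pair NAM.pem NAS.pem: prints findings; returns 1 if any, else 0.
audit_pair() {
    rc=0
    if is_temporary "$2"; then
        echo "FINDING: NAS uses a temporary certificate; users are asked to accept it"
        rc=1
    fi
    if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then
        echo "FINDING: NAM and NAS use the same certificate"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: NAS is CA-signed and the certificates differ"
    return "$rc"
}

# Constructed samples in directory $1: a sample CA, a temporary NAM
# certificate, and a NAS certificate issued from a PKCS #10 request.
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=nam.example.test" \
        -keyout "$1/nam.key" -out "$1/nam.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nas.example.test" \
        -keyout "$1/nas.key" -out "$1/nas.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/nas.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/nas.pem" 2>/dev/null
}

# Demo: a compliant pair, then the same temporary certificate on both.
tmp=$(mktemp -d) && make_samples "$tmp" && {
    audit_pair "$tmp/nam.pem" "$tmp/nas.pem" || true
    audit_pair "$tmp/nam.pem" "$tmp/nam.pem" || true
    rm -rf "$tmp"
}
```

The issuer-equals-subject test also matches a private root CA certificate, so a finding on the NAS certificate should be confirmed against the issuing chain.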
5-34 Implementing Cisco NAC Appliance (CANAC) v2.1 © 2007 Cisco Systems, Inc.
Use the Cisco NAM administration console to perform these SSL certificate-related operations:
- Generate a temporary certificate.
- Generate a Public-Key Cryptography Standard #10 (PKCS #10) certificate request based on the current certificate.
- Import and export the private key.
Tip: You can export a private key and keep it as a copy of a certificate.
Note: To review the procedure that is used to generate a PKCS #10 certificate and the procedure
that is used to import and export certificates, refer to the Manage SSL Certificates section in