Obsolete Certificate Message Regarding NAC Agent Legacy Certificate

Information

 
Symptoms
A message appears in the NetSight event log stating: "Obsolete Certificate: Agent-based assessment uses the legacy (4.0.0 and earlier) server certificate on NAC appliance: x.x.x.x" (where x.x.x.x is the IP address of the affected appliance).
 
Environment
All NAC Platforms
 
Cause
This message is a warning generated by a nightly security audit to indicate that the NAC deployment could be made more secure. It reports that an older NetSight server certificate is still in use for connections from NAC Assessment Agents. As of NetSight version 4.0.1, all other certificates were updated, with the exception of the one used for agent-based assessment, because updating that certificate would prevent older versions of the NAC Agent from connecting to the NAC appliances.

Because there is no direct control over which Agent versions are installed at each site, the original certificate was left in place and this warning is generated so that the certificate can be switched once all Agents are running a newer version.
Resolution
Update all client Agents to the current version, then in NAC Manager:
  1. Select All NAC Appliances (or the applicable appliance group)
  2. Select the NAC Appliances tab
  3. Right-click on each Appliance
  4. Select Manage Appliance Certificates
  5. Go to the Agent-based Assessment section and click the button labelled "Use Internal Certificate". (When you do this the status changes from "uses the legacy cert" to "uses the internal communications cert".)
  6. Click Close and perform an Enforce to the appliances.
Additional notes
More information from the Help within NetSight:


Updating the Certificate Configuration for NAC Agent-Based Assessment

NAC agent-based assessment uses a server certificate to provide secure agent communications. There are two server certificate options to select from:
• Use Legacy Certificate - With this option, agent-based assessment uses the legacy (NAC version 4.0.0 and earlier) server certificate in order to provide backward compatibility with older agents.
• Use Internal Certificate - Once agents have been upgraded, this option uses the Internal Communications server certificate for agent communications. Using the Internal Communications server certificate provides increased security and also allows you to update the certificate, if desired.

NOTE: If you are using the advanced security options, be sure the client certificate trust mode and server certificate trust mode are configured appropriately before updating the assessment server certificate.
Use the following steps to view and change your certificate configuration:
1. In NAC Manager right-click on any appliance in the right-panel Appliances tab to open the Manage Appliance Certificates window.
2. In the Agent-Based Assessment Server Certificate section, use the button to select the desired certificate.
3. Any change will take effect when the appliance is enforced. When enforced, the agent communications port (8443) will be offline for 15 seconds to reload the certificate.
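The steps above are performed in the NAC Manager GUI, so there is no on-page way to confirm what the appliance is actually serving afterwards. The script below is an added example, not part of this article or of NetSight: it connects to the agent communications port (8443, as named in the help text), records the SHA-256 fingerprint of the certificate presented, and, when run again with the fingerprint taken before the Enforce, reports whether the appliance has switched certificates. It polls for a while because the port is offline for roughly 15 seconds while the certificate reloads. Host name, port and the command-line handling are assumptions for illustration; the fingerprint of the legacy certificate is not published here, so the comparison is before/after rather than against a known value. If the appliance still negotiates very old TLS versions, the local OpenSSL defaults may refuse the handshake, in which case the context's minimum version or security level has to be lowered for this check (environment-specific, not shown).

```python
"""Record and compare the certificate served on a NAC appliance's agent port (8443)."""
import hashlib
import socket
import ssl
import sys
import time

AGENT_PORT = 8443          # agent communications port named in the NetSight help text
ENFORCE_OUTAGE_SECS = 15   # the help text says the port reloads the certificate for ~15 s


def sha256_fingerprint(der_cert: bytes) -> str:
    """Return the SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_agent_cert(host: str, port: int = AGENT_PORT, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate the appliance presents on the agent port, as DER bytes.

    Verification is disabled on purpose: the question is which certificate the
    appliance is serving, not whether it chains to a trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def wait_for_cert(host: str, port: int = AGENT_PORT, timeout: float = 120.0) -> bytes:
    """Poll the agent port until a TLS handshake succeeds, e.g. right after an Enforce."""
    deadline = time.monotonic() + timeout
    while True:
        try:
            return fetch_agent_cert(host, port)
        except (OSError, ssl.SSLError) as exc:
            if time.monotonic() >= deadline:
                raise TimeoutError(f"{host}:{port} did not come back within {timeout}s") from exc
            time.sleep(ENFORCE_OUTAGE_SECS / 5)   # retry a few times per outage window


def certificate_changed(before_fp: str, after_fp: str) -> bool:
    """True if the appliance now serves a different certificate than the recorded one."""
    return before_fp.upper() != after_fp.upper()


def main(argv: list) -> int:
    # Assumed CLI shape (not NetSight's): appliance address, optional fingerprint recorded
    # before the Enforce. Run once before step 6 to capture it, then again afterwards.
    if len(argv) < 2:
        print("usage: check_agent_cert.py <appliance-ip> [<fingerprint-before-enforce>]")
        return 2
    host = argv[1]
    fp_now = sha256_fingerprint(wait_for_cert(host))
    print(f"{host}:{AGENT_PORT} serves certificate SHA-256 {fp_now}")
    if len(argv) > 2:
        if certificate_changed(argv[2], fp_now):
            print("certificate changed since the recorded fingerprint (internal certificate in use)")
        else:
            print("certificate unchanged: the appliance may not have been enforced yet")
            return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once against each appliance before performing the Enforce and keep the printed fingerprint; run it again with that fingerprint as the second argument after the Enforce completes. An unchanged fingerprint on an appliance that should have switched usually means the Enforce did not reach it or the legacy option is still selected.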
