Cisco Bug: CSCup82816 - Cert Not issued to MAC OS with Wired and Wireless in NSP

Last Modified

Jun 09, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases

1.3(0.685)

Description (partial)

Symptom:
Certificates are not issued to Mac OS devices through the NSP wizard when the profile has both wired and wireless selected.

Conditions:
On analyzing the issue at Premier, we noticed the following when we configured an NSP for both wired and wireless networks.
 
The spw would send back a CSR with the following format as part of the SAN extensions:
 
========================================================
 
[2014-07-08 14:31:48,884] DEBUG  [caservice-http-94441][scep job 855a0ff566a938783d85f39039977dd89b8f9fcb 0x2cedc611 request issuance] 
com.cisco.cpm.caservice.CertificateAuthority :- 
CA SAN Extensions = GeneralNames:
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    6: 21-C9-D1-44-B5-80  <--Wired interface mac addr
 
========================================================
 
Under GeneralNames, the type '1' points to an rfc822Name and type '6' points to a URI Name.
Internally we use Java security to create a URIName. This expects a scheme within the value, e.g. http://...
A properly constructed GeneralName using a URI would look like:
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    6: http://... 
 
However, as you see in this case, we just use a MAC addr. As a result, provisioning is failing.
 
We can solve this problem by using type '1' for all the interfaces:
Ensure that all interface values use the same type (this approach is used by the Windows SPW and it works fine):
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    1: 21-C9-D1-44-B5-80  <--Wired interface mac addr
 
This is where we need your help with modifying the code in the spw.
 
Thanks,
Avinash
(P.S. Microsoft CA seems to be a little lenient (doesn't follow the RFC) with this and that's why this works today with an External CA.)
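The SAN encoding discussed in the conditions above, as an added example that is not ISE, SPW or Cisco code: a stdlib-only Python encoder/decoder for the two GeneralName tags involved ([1] rfc822Name and [6] uniformResourceIdentifier, both IMPLICIT IA5String per RFC 5280), plus the scheme check that a strict URI-aware CA such as Java's URIName applies before issuing. The helper names, the regex-based scheme test and the use of the two MAC addresses from the log as sample input are this example's own assumptions; a lenient CA like the Microsoft CA mentioned in the P.S. would simply skip the check.

```python
import re

# RFC 5280 GeneralName CHOICE tags used by the SPW-built SAN extension
RFC822_NAME = 1   # [1] rfc822Name                  IA5String
URI_NAME = 6      # [6] uniformResourceIdentifier   IA5String

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
# (assumption: this is how we model the "must include a scheme" rule)
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*:")


def _der_len(n: int) -> bytes:
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, i: int):
    """Parse DER length octets at buf[i]; return (length, index after them)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def encode_general_names(names):
    """DER-encode GeneralNames ::= SEQUENCE OF GeneralName from (tag, str) pairs.
    Both tags used here are IMPLICIT context-specific primitives, so the
    identifier octet is 0x80 | tag (class bits set, no constructed bit)."""
    inner = b""
    for tag, value in names:
        if tag not in (RFC822_NAME, URI_NAME):
            raise ValueError(f"unsupported GeneralName tag [{tag}]")
        payload = value.encode("ascii")        # IA5String content octets
        inner += bytes([0x80 | tag]) + _der_len(len(payload)) + payload
    return b"\x30" + _der_len(len(inner)) + inner


def decode_general_names(der: bytes):
    """Inverse of encode_general_names; returns the list of (tag, str)."""
    if not der or der[0] != 0x30:
        raise ValueError("GeneralNames must start with a SEQUENCE tag")
    total, i = _read_len(der, 1)
    end = i + total
    names = []
    while i < end:
        tag = der[i] & 0x1F                    # strip class/constructed bits
        length, i = _read_len(der, i + 1)
        names.append((tag, der[i:i + length].decode("ascii")))
        i += length
    return names


def check_general_names(names):
    """Apply the strict check a URI-aware CA (e.g. Java's URIName) makes.
    Returns one error string per offending GeneralName; an empty list means
    the CA would accept the SAN and issue the certificate."""
    errors = []
    for tag, value in names:
        if tag == URI_NAME and not _SCHEME_RE.match(value):
            errors.append(f"[6] uniformResourceIdentifier {value!r} has no scheme")
        # rfc822Name is a plain IA5String: a bare MAC address passes unchanged
    return errors


def issuance_allowed(der: bytes) -> bool:
    return not check_general_names(decode_general_names(der))


def spw_san(wireless_mac: str, wired_mac: str, fixed: bool) -> bytes:
    """Build the SAN the SPW sends for a wired+wireless profile.
    fixed=False reproduces the mixed [1]/[6] encoding from the bug;
    fixed=True uses [1] rfc822Name for both interfaces (the proposed fix)."""
    wired_tag = RFC822_NAME if fixed else URI_NAME
    return encode_general_names([(RFC822_NAME, wireless_mac), (wired_tag, wired_mac)])


if __name__ == "__main__":
    # Sample input: the two MAC addresses from the debug log above
    WIRELESS, WIRED = "20-C9-D0-43-B4-79", "21-C9-D1-44-B5-80"
    for label, fixed in (("as observed", False), ("proposed fix", True)):
        der = spw_san(WIRELESS, WIRED, fixed)
        print(label, der.hex(), check_general_names(decode_general_names(der)) or "OK")
```

Running it shows the observed SAN rejected with a missing-scheme error on the [6] entry and the fixed SAN (two [1] entries) accepted; a [6] entry carrying a real scheme such as http://... is also accepted, which is the other valid shape the message describes.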