Cisco Bug: CSCup82816 - Cert Not issued to MAC OS with Wired and Wireless in NSP

Last Modified

Jun 09, 2016

Products (1)

  • Cisco Identity Services Engine

Known Affected Releases


Description (partial)

Certificates are not issued to MAC OS devices using the NSP wizard, when the Profile has both wired and wireless selected.

When analysing the issue at Premier we observed the following once an NSP profile was configured for both wired and wireless networks.
The spw sends back a CSR whose SAN extension has the following format:
[2014-07-08 14:31:48,884] DEBUG  [caservice-http-94441][scep job 855a0ff566a938783d85f39039977dd89b8f9fcb 0x2cedc611 request issuance] :-
CA SAN Extensions = GeneralNames:
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    6: 21-C9-D1-44-B5-80  <--Wired interface mac addr
Under GeneralNames, type '1' denotes an rfc822Name and type '6' denotes a uniformResourceIdentifier (URI).
Internally we use Java security to create a URIName, which expects the value to carry a scheme, e.g. http://...
A properly constructed GeneralName of URI type would look like:
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    6: http://...
However, as you can see, in this case the value is just a MAC address, so provisioning fails.
We can solve this by using type '1' for all interfaces.
Ensure that all interface values use the same type (this is what the Windows spw does, and it works fine):
    1: 20-C9-D0-43-B4-79  <--Wireless interface mac addr
    1: 21-C9-D1-44-B5-80  <--Wired interface mac addr
This is where we need your help modifying the code in the spw.
(P.S. Microsoft CA appears to be lenient about this (it does not follow the RFC), which is why it works today with an external CA.)
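The check the CA is effectively performing on the CSR above, as an added example (not Cisco ISE or spw code): a minimal standard-library DER reader for the SAN GeneralNames SEQUENCE, plus a validator that flags any type-6 (uniformResourceIdentifier) entry whose value has no URI scheme, which is the case the log shows. The sample DER is constructed inline to mirror the two listings in the description; the scheme syntax (RFC 3986, ALPHA followed by ALPHA / DIGIT / "+" / "-" / "." and a colon) is my assumption for what "expects a scheme" means, and the helper names are mine.

```python
import re

# RFC 5280 GeneralName CHOICE tags (context-specific, IMPLICIT, IA5String-valued)
RFC822_NAME = 1   # rfc822Name
DNS_NAME = 2      # dNSName
URI_NAME = 6      # uniformResourceIdentifier

# Assumed scheme syntax from RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), then ":"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


def _der_len(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    enc = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(enc)]) + enc


def build_general_names(entries):
    """Construct a GeneralNames SEQUENCE from (tag, ascii-value) pairs.
    Only used here to fabricate sample CSR SAN data for the example."""
    body = b""
    for tag, value in entries:
        v = value.encode("ascii")
        body += bytes([0x80 | tag]) + _der_len(len(v)) + v   # [tag] IMPLICIT, primitive
    return b"\x30" + _der_len(len(body)) + body               # SEQUENCE


def _read_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count


def parse_general_names(der):
    """Parse a GeneralNames SEQUENCE into (tag, value) pairs.
    IA5String choices (1, 2, 6) are decoded to str; other choices are kept as raw bytes."""
    if not der or der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    names = []
    while pos < end:
        tag_byte = der[pos]
        if tag_byte & 0xC0 != 0x80:
            raise ValueError("expected context-specific GeneralName tag")
        tag = tag_byte & 0x1F
        length, pos = _read_len(der, pos + 1)
        raw = der[pos:pos + length]
        pos += length
        if tag in (RFC822_NAME, DNS_NAME, URI_NAME):
            names.append((tag, raw.decode("ascii")))
        else:
            names.append((tag, raw))
    return names


def check_san(names):
    """Return a list of problems; empty when every type-6 entry carries a URI scheme."""
    problems = []
    for tag, value in names:
        if tag == URI_NAME and not SCHEME_RE.match(value):
            problems.append(
                f"GeneralName type 6 (uniformResourceIdentifier) {value!r} has no URI scheme"
            )
    return problems


if __name__ == "__main__":
    # Constructed sample: the failing CSR from the log (type 6 holding a bare MAC address)
    failing = build_general_names([(1, "20-C9-D0-43-B4-79"), (6, "21-C9-D1-44-B5-80")])
    # Constructed sample: the proposed fix (both interfaces as type 1)
    fixed = build_general_names([(1, "20-C9-D0-43-B4-79"), (1, "21-C9-D1-44-B5-80")])
    for label, der in (("failing", failing), ("fixed", fixed)):
        print(label, parse_general_names(der), check_san(parse_general_names(der)))
```

Running it reports one problem for the failing CSR and none for the fixed one; a type-6 value such as http://... passes the scheme check, matching the "properly constructed" listing above.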
Bug details contain sensitive information and therefore require an account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases

Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.