Connect The Clean Access Manager Machines - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual


Installing a Clean Access Manager High Availability Pair
The following procedures require you to reboot the Clean Access Manager. At that time, its services will
be briefly unavailable. You may want to configure an online CAM when downtime has the least impact
on your users.
Note: Cisco NAC Appliance web admin consoles support the Internet Explorer 6.0 or above browser.

Connect the Clean Access Manager Machines

There are two types of connections between HA-CAM peers: one for exchanging runtime data relating
to the Clean Access Manager activities and one for the heartbeat signal. In High Availability, the Clean
Access Manager always uses the eth1 interface for both data exchange and heartbeat UDP exchange.
When the UDP heartbeat signal fails to be transmitted and received within a certain time period, the
standby system takes over. To provide an extra measure of heartbeat redundancy, Cisco
recommends that you use additional Ethernet interfaces alongside the mandatory eth1 interface for
heartbeat exchange. For a failover to occur, all configured heartbeat interfaces must report heartbeat
exchange failure. (The eth0 and eth2/eth3 interfaces can be used as additional heartbeat interfaces.)
Note, however, that the eth1 connection between the CAM peers is mandatory.
The HA-Primary CAM is fully configured for runtime operation. This means that connections to
authentication sources, policies, user roles, access points, and so on, are all specified. This
configuration is automatically duplicated in the HA-Secondary (standby) CAM.

If you use the Authorization feature in a CAM HA-pair, follow the guidelines in the "Backing Up and
Restoring CAM/CAS Authorization Settings" section of the Cisco NAC Appliance - Clean Access
Manager Configuration Guide, Release 4.8(3) to ensure you are able to exactly duplicate your
Authorization settings from one CAM to its high availability counterpart. (CAM Authorization
settings are not automatically passed from one CAM to the other in an HA-pair.)

Both Clean Access Managers are accessible on the network (try pinging them to test the connection).

The machines on which the CAM software is installed have at least one free Ethernet port (eth1) and
at least one free serial port. Use the specification manuals for the server hardware to identify the
serial port (ttyS0 or ttyS1) on each machine.

In Out-of-Band deployments, Port Security is not enabled on the switch interfaces to which the CAS
and CAM are connected. This can interfere with CAS HA and DHCP delivery.

Physically connect the peer Clean Access Managers as follows:

Use a crossover cable to connect the eth1 Ethernet ports of the Clean Access Manager machines.
This connection is used for the heartbeat UDP interface and data exchange (database mirroring)
between the failover peers.

Use a null modem serial cable to connect the serial ports (highly recommended).

Optionally connect eth2 and/or eth3 interfaces on the CAM to counterpart interfaces on the HA peer
using either crossover cables or via an in-line switch. (Remember: you must configure these
interfaces manually before configuring your CAM for HA.)

Note: For serial cable connection for HA, the serial cable must be a "null modem" cable. For details,
refer to http://www.nullmodem.com/NullModem.htm.

Cisco NAC Appliance Hardware Installation Guide, Chapter 4: Configuring High Availability (HA), OL-20326-01
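The failover rule described above (the standby takes over only when every configured heartbeat interface reports failure) is modeled here in Python as an added example; it is not Cisco's code and not part of the original guide. The 15-second timeout, the 2-second heartbeat interval and the event timeline are assumptions constructed for illustration, since the guide only says "a certain time period".

```python
from dataclasses import dataclass, field

MANDATORY_IF = "eth1"  # per the guide, eth1 always carries heartbeat and data exchange

@dataclass
class HeartbeatMonitor:
    """Standby-side model: remembers when each link last delivered a heartbeat."""
    interfaces: tuple
    dead_time: float = 15.0  # assumed value; the guide gives no number
    last_seen: dict = field(init=False)

    def __post_init__(self):
        if MANDATORY_IF not in self.interfaces:
            raise ValueError("the eth1 heartbeat link is mandatory")
        self.last_seen = {name: 0.0 for name in self.interfaces}

    def heartbeat(self, iface, now):
        if iface not in self.last_seen:
            raise KeyError(f"{iface} is not a configured heartbeat interface")
        self.last_seen[iface] = now

    def failed_links(self, now):
        return sorted(i for i, t in self.last_seen.items() if now - t > self.dead_time)

    def should_take_over(self, now):
        # Failover requires every configured link to report failure, not just one.
        return len(self.failed_links(now)) == len(self.interfaces)

def replay(interfaces, events, check_times):
    """Apply (time, iface) heartbeats in order; return {check_time: takeover?}."""
    mon = HeartbeatMonitor(tuple(interfaces))
    pending = sorted(e for e in events if e[1] in interfaces)
    verdicts = {}
    for now in sorted(check_times):
        while pending and pending[0][0] <= now:
            t, iface = pending.pop(0)
            mon.heartbeat(iface, t)
        verdicts[now] = mon.should_take_over(now)
    return verdicts

# Constructed timeline: the eth1 cable is pulled after t=10 s, the peer itself dies after t=40 s.
EVENTS = [(t, "eth1") for t in range(0, 11, 2)] + [(t, "eth2") for t in range(0, 41, 2)]
CHECKS = (20, 30, 50, 60)

if __name__ == "__main__":
    print("eth1 only  :", replay(["eth1"], EVENTS, CHECKS))
    print("eth1 + eth2:", replay(["eth1", "eth2"], EVENTS, CHECKS))
```

With eth1 alone the modeled standby takes over at the 30 s check although the peer keeps running until 40 s; with eth2 added it waits until both links have gone silent.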


This manual is also suitable for:

Nac-3315, Nac-3355, Nac-3395, Nac-3310, Nac-3350, Nac-3390
