Serial Connection; Configure The Ha-Primary Cam - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

Chapter 4
Configuring High Availability (HA)

Serial Connection

By default, the first serial port detected on the CAM server is configured for console input/output (to
facilitate installation and other types of administrative access).
If the machine has only one serial port (COM1 or ttyS0), you can reconfigure the port to serve as the
high-availability heartbeat connection. This is because, after the CAM software is installed, SSH or
KVM console can always be used to access the command line interface of the CAM.
Note: When the primary eth1 link has been disconnected and only the serial link remains, the CAM returns a database error indicating that it cannot sync with its HA counterpart, and the administrator sees the following error in the CAM web console: "WARNING! Closed connections to peer [standby IP] database! Please restart peer node to bring databases in sync!!"

Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
Warning: When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs/CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for more information.

Configure the HA-Primary CAM

Once you have verified the prerequisites, perform the following steps to configure the Clean Access Manager as the HA-Primary for the high availability pair. See Figure 4-4 for an example high-availability configuration.

Step 1: Open the web admin console for the Clean Access Manager to be designated as the HA-Primary, and go to Administration > CCA Manager > SSL > X509 Certificate to configure the SSL certificate for the primary CAM.

Note: The HA configuration steps in this chapter assume that a temporary certificate will be exported from the HA-Primary CAM to the HA-Secondary CAM.

If using a temporary certificate for the HA pair:

a. Click Generate Temporary Certificate, enter information for all of the fields in the form, and click Generate. The certificate must be associated with the Service IP addresses of the HA pair.
b. When finished generating the temporary certificate, click the checkboxes for the certificate and Private Key to highlight them in the table.
c. Click Export to save the certificate and Private Key to your local machine. You must import the certificate and Private Key later when configuring the HA-Secondary CAM.

(Cisco NAC Appliance Hardware Installation Guide, OL-20326-01; section: Installing a Clean Access Manager High Availability Pair)
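Before importing the files exported in step c on the HA-Secondary CAM, it is worth confirming that the certificate names the Service IP, that the private key belongs to it, and that the key file on your local machine is not readable by other users. The script below is an added example, not part of the Cisco guide. It assumes PEM-encoded exports, an unencrypted key, and a Service IP stored in the certificate's Common Name; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Cisco guide. Assumptions: the exported files are
# PEM-encoded, the key is not passphrase-protected, and the Service IP sits in
# the certificate's Common Name.
#
# check_ha_export CERT KEY SERVICE_IP  ->  exit status:
#   0 = pair is consistent and the key file is private
#   1 = certificate CN is not the Service IP
#   2 = private key does not belong to the certificate
#   3 = key file is accessible to group or others
#   4 = openssl could not parse one of the files
check_ha_export() {
    ha_cert=$1 ha_key=$2 ha_ip=$3

    # Public key as carried in the certificate, and as derived from the key file.
    # The empty -passin makes an encrypted key fail instead of prompting.
    ha_cert_pub=$(openssl x509 -in "$ha_cert" -noout -pubkey 2>/dev/null) || return 4
    ha_key_pub=$(openssl pkey -in "$ha_key" -pubout -passin pass: 2>/dev/null) || return 4

    # Subject printed one attribute per line, so the CN value is easy to isolate.
    ha_cn=$(openssl x509 -in "$ha_cert" -noout -subject -nameopt multiline |
            sed -n 's/^ *commonName *= *//p')

    [ "$ha_cn" = "$ha_ip" ] || return 1
    [ "$ha_cert_pub" = "$ha_key_pub" ] || return 2

    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$ha_key" | cut -c5-10)" = "------" ] || return 3
    return 0
}

# Stand-alone use: sh check_ha_export.sh cert.pem key.pem <service-ip>
if [ "$#" -eq 3 ]; then
    check_ha_export "$@"
fi
```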
