Configure the HA-Secondary CAM - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

NAC appliance hardware

Chapter 4: Configuring High Availability (HA)
Installing a Clean Access Manager High Availability Pair
Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, page 4-12

Step 9 (Optional) If you want to enable the CAM's Heartbeat UDP Interface 3 function, select eth2 or eth3 from the dropdown menu and specify an associated peer IP address in the [Secondary] Heartbeat IP Address on interface 3 field. Otherwise, leave this N/A if not using the additional UDP heartbeat interface.

Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat Timeout value remains a valid configuration point, however, for deployments using optional Heartbeat UDP interfaces 2 and 3.)

Step 10 Specify the Heartbeat Timeout value for the HA primary CAM to set the duration the CAM should wait before declaring that it has lost communication with its HA peer, thus assuming the role of the active CAM in the HA pair. The default Heartbeat Timeout value is 30 seconds.

Note: Starting from Cisco NAC Appliance Release 4.6(1), the Heartbeat Timeout default value has been increased to 30 seconds to help accommodate CAM HA peers located in relatively distant locations on the network, where latency issues might cause a standby HA CAM to assume the active role when it has not received heartbeat packets from its HA peer within the specified Heartbeat Timeout period. In the resulting network scenario, you could potentially end up with two "active" CAMs performing Cisco NAC Appliance functions, requiring you to reboot both CAMs to re-establish the correct primary/secondary HA peer relationship.

Step 11 Click Update and then Reboot to restart the Clean Access Manager.

After the Clean Access Manager restarts, make sure that the CAM machine is working properly. Check to see if the Clean Access Servers are connected and new users are being authenticated.

Configure the HA-Secondary CAM

Step 1 Open the web admin console for the Clean Access Manager to be designated as the HA-Secondary, and go to Administration > CCA Manager > SSL > X509 Certificate.

Step 2 Before starting:
- Back up the secondary CAM's private key.
- Make sure the private key and SSL certificate files associated with the Service IP/HA-Primary CAM are available (previously exported as described in Configure the HA-Primary CAM, page 4-9).

Step 3 Import the HA-Primary CAM's private key file and certificate as described below:

If using a temporary certificate for the HA pair:
a. Click Browse and navigate to the location on your local machine where you have saved the temporary certificate and Private Key you previously exported from the HA-Primary CAS.
b. Select the certificate file and click Import.
c. Repeat the process to import the Private Key.
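
A pre-import check for Steps 2 and 3 of the HA-Secondary procedure, added here as an example and not taken from the Cisco guide: it confirms on the admin workstation that the exported private key really belongs to the exported certificate and that the certificate has not expired. It assumes both files are PEM-encoded, the key is unencrypted, and OpenSSL is installed; the file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the Cisco guide): verify an exported certificate and
# private key belong together before importing them on the HA-Secondary CAM.
# Assumptions: both files are PEM, the key is unencrypted, OpenSSL is installed.

# check_ha_pair CERT KEY
# Returns 0 if KEY is the private key for CERT and CERT has not expired,
# 1 on a key/certificate mismatch, 2 if CERT has expired,
# 3 if either file is missing or cannot be parsed.
check_ha_pair() {
    local cert="$1" key="$2" cert_pub key_pub

    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    # Public key derived from the private key; the empty -passin makes an
    # encrypted key fail immediately instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 3

    # Both commands emit the same PEM structure, so a matching pair compares equal.
    [ "$cert_pub" = "$key_pub" ] || return 1

    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || return 2

    # Show what is about to be imported so the operator can confirm it is the
    # certificate issued for the HA pair.
    openssl x509 -in "$cert" -noout -subject -enddate
}

# Usage: ./check_ha_pair.sh primary_cert.pem primary_key.pem  (hypothetical names)
if [ "$#" -eq 2 ]; then
    if check_ha_pair "$1" "$2"; then
        echo "OK: key matches certificate"
    else
        echo "FAIL (code $?): do not import this pair" >&2
        exit 1
    fi
fi
```

A return code of 1 means the two files come from different key pairs, which is the case to catch before the import in Step 3.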


This manual is also suitable for:

NAC-3315, NAC-3355, NAC-3395, NAC-3310, NAC-3350, NAC-3390
