Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual


Cisco NAC Appliance Hardware
Installation Guide
Release 4.8
Jan 2012
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-20326-01


Summary of Contents for Cisco NAC3350-PROF-K9 - NAC Profiler Server

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    About Cisco NAC Appliance; FIPS 140-2 Compliant and Non-FIPS Hardware Platforms; NAC-3315, NAC-3355, and NAC-3395; NAC-3315 Serial Number Location; Cisco NAC-3315 Front and Rear Panels; Front Panel Features; Rear Panel Features; NAC-3355 Serial Number Location; Cisco NAC-3355 Front and Rear Panels...
  • Page 4 Clean Access Manager (CAM) Configuration Worksheet 2-12; Clean Access Server (CAS) Configuration Worksheet 2-12; CAS Mode IP Addressing Considerations 2-13; Rack-Mounting Your Cisco NAC Appliance CAM/CAS 2-14; Mounting the NAC-3315 Appliance in a 4-Post Rack 2-15; NAC-3315 4-Post Rack-Mount Hardware Kit 2-15...
  • Page 5 Connectivity Across a Wide Area Network 3-37; Configuring Additional NIC Cards 3-37; Serial Connection to the CAM and CAS 3-39; Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS 3-40; Useful CLI Commands for the CAM/CAS 3-42; CAM CLI Commands 3-42...
  • Page 6 Powering Down the NAC Appliance 3-50; Chapter: Configuring High Availability (HA); Adding High Availability Cisco NAC Appliance To Your Network; Installing a Clean Access Manager High Availability Pair; CAM High Availability Overview; Before Starting...
  • Page 7 Recovering Root Password for CAM/CAS; Recovering Root Password for CAM/CAS (Release 3.5.x or Below); Appendix: Open Source License Acknowledgements; Notices; OpenSSL/Open SSL Project License Issues; Index. Cisco NAC Appliance Hardware Installation Guide OL-20326-01...
  • Page 9: About This Guide

    Servers (CASs) in a deployment. End users connect through the Clean Access Server to the network via web login or Cisco NAC Agent. This guide also describes how to implement High Availability for the CAMs and CASs in your network.
  • Page 10: Document Organization

    Clean Access Server. Starting from Release 4.7(0), the Cisco NAC Appliance Hardware Installation Guide replaces the installation chapters that were formerly located in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide.
  • Page 11: Product Documentation

    About This Guide Product Documentation Table 3 lists the technical documentation available for Cisco NAC Appliance on Cisco.com at http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html. When using the online publications, refer to the documents that match the software version running on your Cisco NAC Appliance (e.g. “Release 4.8”).
  • Page 12 Hardware specifications on the various CAM/CAS platforms; How to install the Clean Access Manager and Clean Access Server platforms; How to install Cisco NAC Appliance software on the CAM/CAS; How to configure CAM and CAS pairs for High Availability...
  • Page 13: Documentation Updates

    Appliance release on non-Cisco hardware to a next generation (NAC-3315/3355/3395) platform using the Cisco NAC Appliance Migration utility. Documentation Updates: Table 4, Updates to Cisco NAC Appliance Hardware Installation Guide, Release 4.8. Date 1/18/12, Description: Release 4.8(3); Updated Upgrading Cisco NAC Appliance Software, page 2-27...
  • Page 14: Obtaining Documentation And Submitting A Service Request

    Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
  • Page 15: Chapter 1 Cisco Nac Appliance Hardware Platforms

    Clean Access Manager (CAM), enforced through the Clean Access Server (CAS), and applied on clients through the Cisco NAC Agent and Cisco NAC Web Agent client software. You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.
  • Page 16 NAC-3140 (EOL) 1. If the FIPS card in a Cisco NAC-3315/3355/3395 CAM/CAS ceases to work correctly, make sure the FIPS card operation switch is set to “O” (for operational mode), as described in the “FIPS 140-2 Compliance” section of the...
  • Page 17 Installed FIPS Card) Rear Panel”; Figure 1-5 on page 1-7, “Cisco NAC-3315 (With Installed FIPS Card) Rear Panel LEDs”. Note: The NAC-3315 is based on the IBM System x3250 M2 server platform.
  • Page 18 Chapter 1 Cisco NAC Appliance Hardware Platforms: NAC-3315, NAC-3355, and NAC-3395. Table 1-1 Cisco NAC Appliance Hardware Summary (continued); columns: Cisco NAC Appliance Product, Hardware Specifications, Diagrams. MANAGER NAC-3355: Single processor: Quad-core Intel Xeon (Nehalem); Figure 1-7 on page 1-8, “Cisco...
  • Page 19: Front Panel Features

    CISCO The serial number for the NAC-3315 is 7 characters long. Note: You can also view the NAC-3315 serial number location on the Cisco Support website using the Cisco Product Identification Tool. For details, see Cisco Product Identification Tool, page 1-27.
  • Page 20: Rear Panel Features

    A power supply unit error has occurred. Rear Panel Features: Figure 1-4 Cisco NAC-3315 (With Installed FIPS Card) Rear Panel: Power supply cable socket; Video port; NIC 3 (eth2) add-on card; NIC 2 (eth1) GbE interface; NIC 4 (eth3) add-on card...
  • Page 21 Rear USB port 3; Serial port; Console port. Figure 1-5 Cisco NAC-3315 (With Installed FIPS Card) Rear Panel LEDs: FIPS card status LED: Solid blue, occasionally blinking off = FIPS card is enabled and accepting commands; Two short blue flashes followed by a pause = FIPS card is in...
  • Page 22 NIC interface selection and facilitate CAS high availability configuration. The Cisco NAC-3355 additionally provides 2 GB of RAM, two SAS drives configured in RAID 0 and 1, dual power supplies, and an SSL accelerator card to support large network deployments and provide added reliability for a centralized CAM/CAS deployment in the network core.
  • Page 23 Empty (unused) hard disk drive (HDD) bay; Operator information panel release switch; Hard disk drive (HDD) bay 1; Video port. 1. Cisco does not support installing additional hard drives in the NAC-3355 appliance. Figure 1-8 Cisco NAC-3355 Front Panel LEDs/Buttons: Cisco NAC 3355 Series...
  • Page 24: Rear Panel Features

    NIC 4 (eth3) add-on card; Rear USB port 4; NIC 3 (eth2) add-on card; Power supply cable sockets; Console port; Rear USB port 3. Figure 1-10 Cisco NAC-3355 (With Installed FIPS Card) Rear Panel LEDs
  • Page 25 = The appliance is in power-save mode and is ready to be turned on; Off = The appliance is powered off (power is disconnected)
  • Page 26: Front Panel Features

    Clean Access Super Manager (Super CAM) which can support up to 40 Clean Access Servers or 40 HA-CAS pairs. The Cisco NAC-3395 features dual processors, dual power supplies, 4 GB of RAM, 4 hard disk drives, 4 network interfaces, and an SSL accelerator card.
  • Page 27 Hard disk drive (HDD) bay 3; Operator information panel release switch; Hard disk drive (HDD) bay 1; Video port. 1. Cisco does not support installing additional hard drives in the NAC-3395 appliance. Figure 1-13 Cisco NAC-3395 Front Panel LEDs/Buttons: Cisco NAC 3395 Series...
  • Page 28: Rear Panel Features

    NIC 4 (eth3) add-on card; Rear USB port 4; NIC 3 (eth2) add-on card; Power supply cable sockets; Console port; Rear USB port 3. Figure 1-15 Cisco NAC-3395 (With Installed FIPS Card) Rear Panel LEDs
  • Page 29 = The appliance is in power-save mode and is ready to be turned on; Off = The appliance is powered off (power is disconnected)
  • Page 30 NAC-3310 (Table 1-2): 1 GB RAM; 160 GB NHP SATA HDD; supports up to 3 standalone or HA-pair CASs; Figure 1-17 on page 1-19, “Cisco NAC-3310 Front Panel”. Note: Newer Cisco NAC-3310 CAMs/CASs feature a 160 GB hard drive, while older NAC-3310s originally shipped with 80 GB hard drives.
  • Page 31 NAC-3310, NAC-3350, and NAC-3390. Table 1-2 Cisco NAC Appliance Hardware Summary (continued); columns: Cisco NAC Appliance Product, Hardware Specifications, Diagrams. MANAGER NAC-3350: Single processor: Xeon 3.0 GHz dual core; Figure 1-20 on...
  • Page 32: Cisco Nac-3310 Front And Rear Panels

    Access Server (100/250/500 user count) deployments. A NAC-3310 CAM Lite can manage up to 3 Clean Access Servers or 3 HA-CAS pairs. A NAC-3310 CAS can support 100, 250, or 500 users. Note: If Cisco NAC-3310 has been made FIPS-compliant, then NAC-3310 CAS can support only 250 or 500 users.
  • Page 33 Green = The server has AC power and is powered up (recessed); Amber = The server has AC power and is in standby mode; Off = The server is powered off (AC power disconnected)
  • Page 34: Rear Panel Features

    Power supply cable socket; 10/100 Mbps iLO LAN port for IPMI management (RJ-45); NIC 1 (eth0) and NIC 2 (eth1) integrated GbE LAN (RJ-45) ports (Broadcom). Figure 1-19 Cisco NAC-3310 Rear Panel LEDs
  • Page 35: Cisco Nac-3350 Front And Rear Panels

    NIC interface selection and facilitate CAS high availability configuration. The Cisco NAC-3350 additionally provides 2 GB of RAM, two SAS drives configured in RAID 0 and 1, dual power supplies, and an SSL accelerator card to support large network deployments and provide added reliability for a centralized CAM/CAS deployment in the network core.
  • Page 36 Off = No link to network exists. If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 1-23 on page 1-23).
  • Page 37 Off = No activity (if link LED is off, link is dead). 10/100/1000 NIC 4 (Intel) Link LED: Orange = 1000 Mbps; Green = 100 Mbps; Off = 10 Mbps (if activity LED is off, link is dead)
  • Page 38: Cisco Nac-3390 Front And Rear Panels

    Clean Access Super Manager (Super CAM) which can support up to 40 Clean Access Servers or 40 HA-CAS pairs. The Cisco NAC-3390 features dual processors, dual power supplies, 4 GB of RAM, 4 hard disk drives, two integrated NICs, and an SSL accelerator.
  • Page 39: Front Panel Features

    HP Systems Insight Display; Hard drive bay 4; USB connector. Figure 1-25 Cisco NAC-3390 Front Panel LEDs/Buttons: Power On/Standby button and system power LED: Green = System is on; Amber = System is shut down, but power is still applied; Off = Power cord is not attached, power supply failure has occurred, no power supplies are installed;...
  • Page 40 Power supply bay 2; USB connector; Integrated NIC 2 (eth1) port (Broadcom); USB connector; Integrated NIC 1 (eth0) port (Broadcom); iLO 2 NIC connector (RJ-45); Keyboard connector (purple). Figure 1-27 Cisco NAC-3390 Rear Panel LEDs/Buttons
  • Page 41: Cisco Product Identification Tool

    Cisco Product Identification Tool The Cisco Product Identification (CPI) tool helps you retrieve the serial number of your Cisco products. Before you submit a request for service online or by phone, use the CPI tool to locate your product serial number.
  • Page 42 Cisco NAC Appliance Hardware Platforms Cisco Product Identification Tool To access the CPI tool, you require a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at: http://tools.cisco.com/RPF/register/register.do...
  • Page 43: Chapter 2 Preparing For Installation

    This chapter provides preparatory installation instructions for Cisco NAC Appliance. It provides instructions for how to verify your hardware and other required equipment, install your Cisco NAC Appliance in a four-post rack, and upgrade the existing Cisco NAC Appliance software and chassis firmware.
  • Page 44: Safety Guidelines

    General Precautions Observe the following general precautions for using and working with your appliance: Observe and follow service markings. Do not service any Cisco product except as explained in your appliance documentation. Opening or removing covers that are marked with the triangular symbol with a lightning bolt may expose you to electrical shock.
  • Page 45: Safety With Equipment

    Warning: This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security. Statement 1017
  • Page 46 Never assume that power is disconnected from a circuit; always check. Never perform any action that creates a potential hazard to people or makes the equipment unsafe. Never work alone when potentially hazardous conditions exist.
  • Page 47: Preventing Electrostatic Discharge Damage

    1 and 10 Mohm. Lifting Guidelines: A Cisco NAC Appliance CAM/CAS weighs between 20 lb (9.071 kg) and 33 lb (14.96 kg) depending on what hardware options are installed in the appliance. The appliance is not intended to be moved frequently.
  • Page 48: Preparing Your Site For Installation

    Typically, you should have prepared the installation site beforehand. As part of your preparation, obtain a floor plan of the site and the equipment rack where the Cisco NAC Appliance CAM/CAS will be housed. Determine the location of any existing appliances and their interconnections, including communications and power.
  • Page 49: Rack Installation Safety Guidelines

    The Cisco NAC Appliance CAM/CAS may be installed in this type of enclosed rack, because the appliance only requires an unobstructed flow of cooling air into the front of the chassis and pushed out of the rear to maintain acceptable operating temperatures for its internal components.
  • Page 50: Site Environment

    Chapter 2 Preparing for Installation: Preparing Your Site for Installation. Before installing your Cisco NAC Appliance CAM/CAS in a rack, review the following guidelines: Two or more people are required to install the appliance in a rack. Ensure that the room air temperature is below 95°F (35°C).
  • Page 51: Airflow Guidelines

    Power Considerations: You configure the Cisco NAC Appliance CAM/CAS with AC-input power only. Ensure that all power connections conform to the rules and regulations in the National Electrical Codes (NECs), as well as local codes. When planning power connections to your appliance, the following precautions and...
  • Page 52: Method Of Procedure

    2-2, to ensure that you have received all items necessary to install your Cisco NAC Appliance. Save the packing material in case you need to repack the unit. If any item is missing or damaged, contact your Cisco representative or reseller for instructions.
  • Page 53: Failover Bundles

    (straight-through) Ethernet Category 5 network cable with RJ-45 connectors to connect the interfaces of the Cisco NAC Appliance to the network (eth0 for the CAM; eth0 and eth1 for the CAS). You will need a crossover RJ-45 Ethernet cable to connect HA-pair appliances together. The...
  • Page 54: Clean Access Manager (Cam) Configuration Worksheet

    1. eth0 and eth1 generally correlate to the first two network cards—NIC 1 and NIC 2—on the server hardware. 2. Cisco highly recommends replacing default password(s) with “strong” passwords (at least 8 characters long, made up of at least two characters from each of four categories: upper-case letters, lower-case letters, numbers, and special characters)
  • Page 55: Cas Mode Ip Addressing Considerations

    1. eth0 and eth1 generally correlate to the first two network cards—NIC 1 and NIC 2—on the server hardware. 2. Cisco highly recommends replacing default password(s) with “strong” passwords (at least 8 characters long, made up of at least two characters from each of four categories: upper-case letters, lower-case letters, numbers, and special characters)
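    The worksheet footnote above states the strong-password rule (and the root and master secret password prompts during CAM/CAS initial configuration later in this guide repeat it) but gives no way to vet a candidate before typing it at the console. The shell function below is an added example, not part of the Cisco guide, that applies that rule: at least 8 characters and at least two characters from each of the four categories. It assumes “special characters” means printable punctuation (tr's [:punct:] class) and a standard POSIX sh; the function and file names are illustrative.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): vet a candidate admin/root/master-secret
# password against the guide's "strong password" rule before typing it at the
# CAM/CAS configuration prompt: at least 8 characters and at least two characters
# from each of four categories (upper-case, lower-case, digits, special characters).
# Assumption: "special characters" = printable punctuation, i.e. tr's [:punct:] class.

# Print the number of characters of $1 that fall in the tr character class $2.
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Return 0 if $1 satisfies the rule, 1 otherwise; print the reason on failure.
check_strong_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    if [ "$len" -lt 8 ]; then
        echo "weak: only $len characters (need at least 8)"
        return 1
    fi
    upper=$(count_class "$pw" 'A-Z')
    lower=$(count_class "$pw" 'a-z')
    digit=$(count_class "$pw" '0-9')
    special=$(count_class "$pw" '[:punct:]')
    for pair in "upper-case:$upper" "lower-case:$lower" "digit:$digit" "special:$special"; do
        name=${pair%%:*}
        n=${pair##*:}
        if [ "$n" -lt 2 ]; then
            echo "weak: only $n $name character(s) (need at least 2)"
            return 1
        fi
    done
    echo "strong"
    return 0
}

# Stand-alone use: sh check_pw.sh 'candidate'   (single-quote it so the shell leaves it alone)
if [ $# -gt 0 ]; then
    check_strong_password "$1"
fi
```

    The check is deliberately stricter than the “combination of upper- and lower-case letters, digits, and other characters” wording used at the root password prompt, so a password that passes here also satisfies that prompt.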
  • Page 56: Rack-Mounting Your Cisco Nac Appliance Cam/Cas

    Rack-Mounting Your Cisco NAC Appliance CAM/CAS Each Cisco NAC Appliance CAM/CAS has a set of rack handles (installed at the factory). You will use these handles later when you install the appliance in a four-post rack. You can front (flush) mount or mid-mount the appliance in a 19-inch (48.3-cm) equipment rack that conforms to the four-post rack...
  • Page 57: Mounting The Nac-3315 Appliance In A 4-Post Rack

    Because you may install more than one appliance in the rack, ensure that the weight of all the appliances installed does not make the rack unstable. Some equipment racks are also secured to ceiling brackets due to the weight of the equipment in the rack.
  • Page 58 Figure 2-3 Release Levers on the NAC-3315 Slide Rail Hardware: Cable straps (6); M6 screws (6); Slide rail (2); Shipping bracket; Front of rail; Rear of rail. Installing the NAC-3315 Slide Rails into a Rack...
  • Page 59 Figure 2-4 Installing the Slide Rail into the Rack: Adjustment tab 1; Rail-adjustment bracket; Adjustment tab 2. If you need to adjust the slide-rail length, lift the release tab (see...
  • Page 60 Figure 2-5 Adjusting the Slide-rail Length: Adjustment tab; Pins not extended through the mounting flange and slide rail; Release tab; Pins extended through the mounting flange and slide rail...
  • Page 61: Installing The Nac-3315 Appliance Into The Slide Rails

    Figure 2-6 Aligning the Slide Rail with the Mounting Flange: Adjustment tab; Pins extended through the mounting flange and slide rail; Mounting flange; Pins not extended through the mounting flange and slide rail...
  • Page 62 Figure 2-7 Aligning the NAC-3315 on the Slide Rails: Shipping brackets; Thumbscrews; NAC-3315 appliance. Step 3: Press on the release tab (see Figure 2-8) as indicated on the shipping bracket, and remove the shipping bracket from the slide rail.
  • Page 63: Mounting The Nac-3355/3395 Appliance In A Four-Post Rack

    Figure 2-8 Removing the Shipping Brackets: Release tab. Mounting the NAC-3355/3395 Appliance in a Four-Post Rack. Warning: When the appliance is installed in a rack and is fully extended on its slide rail, it is possible for the rack to become unstable and tip over, which could cause serious injury.
  • Page 64: Nac-3355/3395 4-Post Rack-Mount Hardware Kit

    Installing the NAC-3355/3395 Slide Rails Into the 4-Post Rack When installing the NAC-3355/3395 slide rails in your equipment rack, Cisco recommends using cage nuts with square-holed racks, clip nuts with round-holed racks, and your own rack screws with thread-hole racks.
  • Page 65 Figure 2-10 Position Cage Nuts or Clip Nuts: Front; Rear; Upper U; Optional screw to secure system into the rack (for 2 U system); Clip or cage nuts; Lower U...
  • Page 66 Figure 2-12 Set Up Slide Rails: Post D; Post C; Post B; Post A; Slots. Step 8: Fasten the front of the slide rail and EIA latch to the front of the four-post rack by installing a screw in the bottom hole of the selected rack space for your NAC-3355/3395.
  • Page 67: Installing The Nac-3355/3395 Appliance Into The Slide Rails

    Figure 2-14 Fasten Rear of Slide Rail to Four-Post Rack. Step 10: Repeat Step 8 and Step 9 to attach the other slide rail to the selected rack space for your NAC-3355/3395.
  • Page 68: Cisco Nac Appliance Licensing

    Push the CAM/CAS into the rack Cisco NAC Appliance Licensing You need at least one Clean Access Manager license and one Clean Access Server license for your Cisco NAC Appliance system to work. Both licenses are installed via the Clean Access Manager administration web console.
  • Page 69: Upgrading Cisco Nac Appliance Software

    Note Upgrading to Release 4.8(x) In Cisco NAC Appliance release 4.8(x), you use a .tar.gz upgrade process similar to that used for upgrading CAM/CAS appliances in Cisco NAC Appliance Release 4.7(2) and 4.6(1). (Cisco NAC Appliance release 4.7(0) and 4.7(1) requires users to perform “in-place” upgrades via an .ISO image on a CD-ROM.)
  • Page 70: Downloading Cisco Nac Appliance Software

    Upgrading Firmware Downloading Cisco NAC Appliance Software You can access the latest versions of the Cisco NAC Appliance Release 4.8(x) installation .ISO file as follows. Before downloading or installing any Cisco NAC Appliance software, make sure to refer to the...
  • Page 71: Overview

    Powering Down the NAC Appliance, page 3-50 Overview This chapter provides installation instructions for Cisco NAC Appliance. It provides instructions for how to initially configure your CAM and CAS using the Configuration Utility, access the CAM web console, and install product licenses. Once the initial configuration of your CAM and CAS is complete, you will be able to access the CAM web console to continue the rest of the configuration for your deployment.
  • Page 72: Important Release Information

    Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine. When you receive a new Cisco NAC Appliance, you will need to connect to the appliance and perform initial configuration. If you want to install a different version of the software than what is shipped on the appliance, you can perform software installation via CD first.
  • Page 73: Summary Of Steps For New Installation

    CD-R. Note: Cisco recommends burning the .ISO image to a CD-R using speeds 10x or lower. Higher speeds can result in corrupted/unbootable installation CDs. Connect the CAM to the network and connect a monitor and keyboard to the CAM, or connect your...
  • Page 74: Connect The Clean Access Manager

    Serial Connection to the CAM and CAS, page 3-39. Note: Cisco NAC Appliances assume the keyboard connected to be of US layout for both direct and IP-KVM connections. Use a US layout keyboard or ensure that you know the key mapping if you are connecting a keyboard of different layout.
  • Page 75: Install The Clean Access Manager (Cam) Software From Cd-Rom

    serial over a serial connection. Step 6: If the install CD detects an existing installation of Cisco NAC Appliance, you are presented with the following prompt: Checking for existing installations.
  • Page 76: Perform The Initial Cam Configuration

    Installing the Clean Access Manager and Clean Access Server: Installing the Clean Access Manager. Step 8: Next, the Cisco NAC Appliance software installer asks you to specify whether you are installing a Clean Access Manager or Clean Access Server. At the following prompt, enter to perform the installation for a Clean Access Manager.
  • Page 77 The utility will now ask you a series of configuration questions. Please answer them carefully. Cisco Clean Access Manager, (C) 2012 Cisco Systems, Inc. Note: If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAM, refer to Manually Restarting the CAM/CAS Configuration Utility, page 3-46.
  • Page 78 Step 11: The Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them and are able to fail over to the HA peer CAM/CAS in HA deployments.
  • Page 79 Step 16: Specify whether or not you want the CAM to feature Pre-login Banner Support at the following prompt. Enable Prelogin Banner Support? (y/n)? [n] For more information and an example of the Pre-login Banner feature, see Figure 3-2 on page 3-14.
  • Page 80 SSH. root: Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at least 8 characters long and feature a combination of upper- and lower-case letters, digits, and other characters.
  • Page 81: Access The Cam Web Console

    The Clean Access Manager web administration console is the primary interface for administering the Cisco NAC Appliance deployment. After initial configuration is complete, use the following steps to access the CAM web console.
  • Page 82 Warning: You must already have obtained a product or evaluation license to access the CAM/CAS and CAM web console. Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step instructions on how to obtain and install product licenses and obtain service contract support for Cisco NAC Appliance.
  • Page 83: Install Cam License

    Pre-login Banners during your initial CAM configuration) or the web admin console login window appears (Figure 3-3). Type the username admin and web admin user password, and click Login.
  • Page 84 Step 8: The Monitoring > Summary page and left-hand navigation pane appears (Figure 3-4). Step 9: Type the username admin and web console admin password you specified during installation and initial configuration, and click Login.
  • Page 85: Add Additional Licenses

    Note: A Manager Failover license must be present for HA-CAS machines. When a Manager Failover license is installed, the Server count increment can represent either 1 standalone CAS or 1 CAS HA-pair.
  • Page 86 Step 13: Licenses are now installed. You can continue the configuration of your deployment using the CAM web console. Refer to the following documents for further configuration guidelines: Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3); Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3)...
  • Page 87: Important Notes For Ssl Certificates

    CAM can trust the CAS’s certificate and vice-versa. Before deploying the CAM in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to the web user during admin login).
  • Page 88: Installing The Clean Access Server

    Perform the Initial CAM Configuration, page 3-6 Overview When you receive a new Cisco NAC Appliance, you will need to connect to the appliance and perform initial configuration. If you want to install a different version of the software than what is shipped on the appliance, you can perform software installation via CD first.
  • Page 89: Virtual Gateway Mode Connection Requirements

    Step 3: Add the CAS to the CAM in the CAM web console under Device Management > CCA Servers > New Server, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Step 4: Manage the CAS by accessing the CAS management pages, via Device Management > CCA Servers >...
  • Page 90: Switch Support For Cas Virtual Gateway/Vlan Mapping (Ib And Oob)

    Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB) For details on Cisco Catalyst switch model/NME support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band (OOB) deployments, refer to Switch Support for Cisco NAC Appliance.
  • Page 91: Summary Of Steps For New Installation

    Note: CAS licenses are generated based on the eth0 address of the CAM. Both CAM and CAS licenses are installed via the CAM web admin console. Step 2: Obtain a bootable CD of the latest version of the software. You can log in to Cisco Secure Software and download the latest 4.8(x) .ISO image.
  • Page 92: Connect The Clean Access Server

    Serial Connection to the CAM and CAS, page 3-39. Note: Cisco NAC Appliances assume the keyboard connected to be of US layout for both direct and IP-KVM connections. Use a US layout keyboard or ensure that you know the key mapping if you are connecting a keyboard of different layout.
  • Page 93 serial over a serial connection. Step 6: If the install CD detects an existing installation of Cisco NAC Appliance, you are presented with the following prompt: Checking for existing installations.
  • Page 94: Perform The Initial Cas Configuration

    Step 2: After the software is installed from the CD and package installation is complete, the welcome script for the configuration utility appears: Welcome to the Cisco Clean Access Server quick configuration utility. Note that you need to be root to execute this utility. The utility will now ask you a series of configuration questions.
  • Page 95 Chapter 3 Installing the Clean Access Manager and Clean Access Server: Installing the Clean Access Server. Note: If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAS, refer to Manually Restarting the CAM/CAS Configuration Utility, page 3-46.
  • Page 96 CAS, as illustrated in Figure 3-6. The IDs are retained by the Clean Access Server and attached to response messages passed from the untrusted network back to the trusted network.
  • Page 97 VLAN identifier or if the identifier was originally stripped by the adjacent interface. The setting at the prompt applies to traffic passing from the untrusted network to the trusted network.
  • Page 98 For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for further details.
  • Page 99 Note: You can change the Management VLAN ID later from the CAS Network > IP web console page; however, changing settings on the CAS IP page requires a reboot of the CAS.
  • Page 100 Step 19: The Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them and are able to fail over to the HA peer CAM/CAS in HA deployments.
  • Page 101 State code: CA  Country code: US  Is this correct? (y/n)? [y] y  Note: You must generate the temporary SSL certificate or you will not be able to access your CAS as an end user.
  • Page 102 SSH. root: Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at least 8 characters long and feature a combination of upper- and lower-case letters, digits, and other characters.
  • Page 103: Important Notes For Ssl Certificates

    The CAS initial configuration is now complete. Once the Clean Access Manager is also installed and initially configured, use the CAM web administration console to add the CAS to the CAM as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Step 31: Following CAS installation and initial configuration: Ping the eth0 interface address from a command line.
  • Page 104: Cisco Nac Appliance Connectivity Across A Firewall

    Before deploying the CAS in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to end users during user login).
  • Page 105 Table 3-2 Port Usage. Communicating Device: Firewall, if any; Devices: CAM and CAS; Ports to Open: TCP 8995, 8996; Purpose: Java Management Extensions (JMX) communication between the CAM and CAS, such as pre-connect and connect messages.
  • Page 106: Configuring The Cas Behind A Nat Firewall

    If deploying a NAT firewall between the CAS and the CAM, the CAS must be in Standalone mode. Caution: Cisco NAC Appliance does not support High Availability CAS pairs when a NAT firewall is deployed on the trusted side of the CAS HA pair.
  • Page 107: Connectivity Across A Wide Area Network

    UDP heartbeat interface for the HA-CAM/CAS. Note: For Cisco NAC Appliance hardware, the following instructions assume that the NIC is plugged in •...
  • Page 108 Note: Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces. See Chapter 4, “Configuring High Availability (HA)” for details on configuring HA.
  • Page 109: Serial Connection To The Cam And Cas

    Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
  • Page 110: Configuring Boot Settings On The Cisco Nac Appliance Cam/Cas

    If your CAM or CAS does not read the software on the CD-ROM drive, and instead attempts to boot from the hard disk, use the following steps to configure the appliance to boot from CD-ROM before attempting to re-image or upgrade the appliance from CD.
  • Page 111 Step 3: Change the setting to boot from CD-ROM by selecting “CD-ROM Drive” from the menu and pressing the plus (“+”) key (Figure 3-12). Figure 3-12 Boot from CD-ROM Drive. Step 4: Press the F10 key to Save and Exit.
  • Page 112: Useful Cli Commands For The Cam/Cas

    However, in some cases you may need to access the CAM configuration directly, for example if the web admin console is unavailable due to incorrect network or VLAN settings. You can use the Cisco NAC Appliance command line interface (CLI) to set basic operational parameters directly on the CAM.
  • Page 113: Cas Cli Commands

    4.8(3). The CAM web admin console allows you to perform most of the tasks required for administering a Cisco NAC Appliance deployment. However, there are two cases where the command line interface of the CAS can be or must be used:...
  • Page 114: Cas Cli Commands For Cisco Nac Profiler

    All Cisco NAC Appliance releases are shipped with a default version of the Cisco NAC Profiler Collector component. Cisco NAC Appliance 4.8(x) releases are shipped with Collector version 3.1.0-24 by default. When upgrading the NAC Server to a newer NAC Appliance release, the current version of the Collector will be replaced with the default version of the Collector shipped with the NAC Appliance release.
  • Page 115 The Clean Access Server is shipped with a default version of the Cisco NAC Profiler Collector component, which needs to be enabled and configured separately when integrating with the Cisco NAC Profiler solution.
  • Page 116: Manually Restarting The Cam/Cas Configuration Utility

    Table 3-5 Cisco NAC Profiler Collector CLI Commands for CAS (columns: Command, Description). Description: Stops and then restarts the Collector service on the CAS. This is...
  • Page 117: Troubleshooting The Installation

    Enabling TLSv1 on Internet Explorer Version 6, page 3-49. Note: If the FIPS card in a Cisco NAC-3315/3355/3395 CAM/CAS ceases to work correctly, make sure the FIPS card operation switch is set to “O” (for operational mode), as described in the “FIPS 140-2 Compliance” section of the...
  • Page 118: Verify/Change Current Master Secret On Cam/Cas

    Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS in an HA deployment.
  • Page 119: Network Interface Card (Nic) Driver Not Supported

    4.8(3). Enabling TLSv1 on Internet Explorer Version 6: Cisco NAC Appliance network administrators managing the CAM/CAS via web console and client machine browsers accessing a FIPS-compliant Cisco NAC Appliance Release 4.8(x) network require TLSv1 in order to “talk” to the network, which is disabled by default in Microsoft Internet Explorer Version 6.
  • Page 120: Powering Down The Nac Appliance

    To power down the CAM/CAS, use one of the following recommended methods while connected via console/SSH. These methods prevent database corruption when powering down the CAM. • Type service perfigo stop and power down the machine. • Type /sbin/halt and power down the machine.
  • Page 121: Adding High Availability Cisco Nac Appliance To Your Network

    (with Catalyst 6500s in the distribution and access layers). Figure 4-1 shows a network topology without Cisco NAC Appliance, where the core and distribution layers are running HSRP (Hot Standby Router Protocol), and the access switches are dual-homed to the distribution switches.
  • Page 122 Link-failure based failover connection can also be configured over the eth0 and/or eth1 interfaces. Note: Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.
  • Page 123: Chapter 4 Configuring High Availability (HA)

    • Note: You must use identical appliances (e.g. NAC-3350 and NAC-3350 or NAC-3315 and NAC-3315) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).
  • Page 124: Cam High Availability Overview

    CAM-HA pair. Similarly, the CAS-HA pair should maintain the same master secret password. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS in HA deployments. (HA-Secondary CAMs/CASs are not able to assume the “active”...
  • Page 125 • Cisco NAC-3310 CAMs/CASs feature a 160GB hard drive or 80GB hard drive. Both of these hard drive sizes support High Availability (HA) deployments, and you can safely deploy a 160GB model in an HA pair with an 80GB model.
  • Page 126 If both the HA-Primary and HA-Secondary CAMs in your HA deployment lose their configuration, you can restore the system using the guidelines in the “Restoring Configuration from CAM Snapshot—HA-CAM or HA-CAS” section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).
  • Page 127: Before Starting

    Warning: When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs/CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality. See...
  • Page 128: Connect The Clean Access Manager Machines

    When the UDP heartbeat signal fails to be transmitted and received within a certain time period, the standby system takes over. In order to provide an extra measure of heartbeat redundancy, Cisco recommends you use additional Ethernet interfaces, in addition to the eth1 (mandatory) interface, for heartbeat exchange.
  • Page 129: Serial Connection

    Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
  • Page 130 If you have not yet obtained a CA-signed certificate for the CAS, be sure to follow the instructions in the “Manage CAM SSL Certificates” section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).
  • Page 131 CAM, in the Link-detect Timeout field. The minimum value for this setting is 10 seconds, but Cisco recommends at least a 25-second timeout interval. Note: Link-detect settings on the CAM (Release 4.1(3) and later) are needed to allow the active...
  • Page 132: Configure The Ha-Secondary Cam

    Address on interface 3 field. Otherwise, leave this N/A if not using the additional UDP heartbeat interface. Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release.
  • Page 133 Step 6: Choose HA-Secondary in the Clean Access Manager Mode dropdown menu. The high availability settings appear. Step 7: Set the Service IP Address value to the same value set for the Service IP Address in the HA-Primary CAM configuration.
  • Page 134 HA-Primary CAM, select eth2 or eth3 from the dropdown menu and the same associated peer IP address in the [Primary] Heartbeat IP Address on interface 3 field as on the HA-Primary CAM. Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function.
  • Page 135 Warning: When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs/CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality. See...
  • Page 136: Complete The Configuration

    Verify settings in the Failover pages for both the active and standby CAMs. The high availability configuration is now complete. Upgrading an Existing Failover Pair: For instructions on how to upgrade an existing failover pair to a new Cisco NAC Appliance release, see “Upgrading High Availability Pairs” in the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version.
  • Page 137: Accessing High Availability Pair Cam Web Consoles

    Note: service perfigo restart does not work when used to test high availability (failover). Instead, Cisco recommends “shutdown” or “reboot” on the machine to test failover, or the CLI commands service .
  • Page 138: Cas High Availability Overview

    For more information, see the “HA Active-Active Situation Due to Expired SSL Certificates” section of Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3). Note: Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.
  • Page 139 HA pairs is the ability to restore that link should it go down; restoration may be fundamental to network stability, depending on your design. To avoid the HA pairs resulting in two active nodes, Cisco recommends setting up the eth2/eth3 interfaces on HA CASs for heartbeat.
  • Page 140 “Restoring Configuration from CAM Snapshot In HA Deployment” section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). When the CAS starts up again, it checks to see if its peer is active. If the peer is active, the starting CAS becomes the standby.
  • Page 141 HA. After HA configuration is complete on both CASs, the Service IP is then entered in the New Server form to add the HA-CAS pair to the CAM. Note: To ensure heartbeat redundancy, Cisco recommends configuring optional Heartbeat UDP Interface 2 or 3 between the HA CASs in your deployment.
  • Page 142: Cas High Availability Requirements

    Primary and Secondary CAS. For example, -Dperfigo.nat.serviceip=172.10.20.100. Physical Connection: Cisco recommends using a dedicated connection for failover heartbeat on Clean Access Server high-availability pairs. You can use: • A dedicated Ethernet NIC card, configured as the eth2 or eth3 interface of the CAS. If a dedicated Ethernet interface (e.g.
  • Page 143 When you configure two CASs that also perform DHCP functions for your deployment as an HA pair, Cisco NAC Appliance automatically synchronizes and exchanges the required keys between the HA-Primary and HA-Secondary CASs to ensure DHCP continues to work properly following a failover event.
  • Page 144: Before Starting

    CAS unit through its direct access web console. These settings include updating the SSL certificate, system time, time zone, DNS, or Service IP. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) and Modifying CAS High Availability Settings, page 4-40 for details.
  • Page 145: Selecting And Configuring The Heartbeat Udp Interface

    Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat Timeout value remains a valid configuration point, however, for deployments using optional Heartbeat UDP interfaces 2 and 3.)
  • Page 146: Serial Port High-Availability Connection

    Caution: To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.
  • Page 147: Configure The Ha-Primary Clean Access Server

    • Note: In order to copy and paste values to/from configuration forms, Cisco recommends keeping both web consoles open for each CAS (primary and secondary). See also a. Access the HA-Secondary CAS Directly, page 4-34.
  • Page 148 Click the Failover > General tab and choose HA-Primary Mode from the Clean Access Server Mode dropdown menu. Figure 4-13 Failover — Choose Mode. In the HA-Primary Mode form that opens, type values for the following fields.
  • Page 149 • optionally entered in this field, the CAS will attempt to ping this external address. You can enter the same or different untrusted-side link-detect addresses on both the HA-Primary and HA-Secondary CAS.
  • Page 150 • Link-detect Timeout (seconds): This configures the length of time the CAS attempts to ping the Trusted-side and/or Untrusted-side Link-detect IP address(es). Cisco recommends entering a time of at least 26 seconds. If the CAS cannot ping the node for the period of time specified, the node is not pingable.
  • Page 151 Heartbeat UDP Interface 3: Options are N/A, eth2, or eth3. If a dedicated Ethernet connection is not available, Cisco recommends using eth0 or another Ethernet interface for the Heartbeat UDP interface when configuring a Clean Access Server in HA mode.
  • Page 152 Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release.
  • Page 153 Private Key, submitted the request to your Certificate Authority, and have received your CA-signed certificate. If you have not yet obtained a CA-signed certificate for the CAS, be sure to follow the instructions in the “Manage CAS SSL Certificates” section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).
  • Page 154: Configure The Ha-Secondary Clean Access Server

    Note: Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability. The general sequence to configure the HA-Secondary CAS is as follows: a.
  • Page 155 CAS will attempt to ping this address. Typically, the same trusted-side link-detect address is entered on both the HA-Primary and HA-Secondary CAS, but you can specify different addresses for each CAS if your network topology is different.
  • Page 156 • [Primary] Peer Serial No: The serial number of the HA-Primary CAS. When the HA-Secondary CAS becomes Active, it must use the serial number of the HA-Primary CAS to identify itself to the CAM in order to access the CAS configuration information.
  • Page 157 The Ethernet interface you configure serves as the medium for data sync between the Primary and Secondary CAS. Note: Cisco strongly recommends you do not use the serial interface on the NAC-3315/3355/3395 for the HA heartbeat function. Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release.
  • Page 158: Connect The Clean Access Servers And Complete The Configuration

    (in the event of power returning after an outage, for example) and both come up as the active CAS in the HA pair, Cisco recommends setting the Heartbeat Timeout to a value greater than 30 seconds. The possible network implication in this scenario is that the to “active”...
  • Page 159: Failing Over An Ha-Cas Pair

    The HA-Secondary CAS should still be active and providing services for the user. Shut down the HA-Secondary CAS machine. Note: Cisco recommends “shutdown” or “reboot” on the machine to test failover, or, if a CLI command is preferred, .
  • Page 160: Modifying Cas High Availability Settings

    SSL certificate based on the new IP address configured. This can be done under Administration > SSL > X509 Certificate. See the “Manage CAS SSL Certificates” section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for details.
  • Page 161: Upgrading An Existing Failover Pair

    List of Servers and displays all the new IP information. For instructions on upgrading an existing failover pair to a new Cisco NAC Appliance release, see “Upgrading High Availability Pairs” in the...
  • Page 162: Configuring High Availability For Virtual Gateway Mode

    After HA configuration is complete on both CASs, use the Service IP in the New Server form to add the HA-CAS pair to the CAM. Note that the HA-CAS pair is automatically added as the same Server Type. For example, Out-of-Band Virtual Gateway, as shown in Figure 4-19.
  • Page 163: Useful Cli Commands For Ha

    My node is active, peer node is standby [root@rjcam_1 ~]# This CAM is the active CAM in the HA-pair. Run the fostate.sh script on the second CAM: [root@rjcam_2 ~]# ./fostate.sh My node is standby, peer node is active
  • Page 164: Clean Access Server

    The /etc/ha.d/ha.cf file shows additional information about the heartbeat and link-based connections: [root@rjcas_1 ha.d]# more ha.cf # Generated by make-hacf-ss.pl udpport ucast eth2 10.10.50.2 baud 19200 serial /dev/ttyS0 keepalive deadtime deadping auto_failback apiauth default uid=root respawn hacluster /usr/lib64/heartbeat/ipfail ping 10.10.20.100 ping 10.10.40.100
  • Page 165: Link-Detect Interfaces

    CAS in the HA pair. You can find the fostate.sh command in the /perfigo/common/bin/ directory on new and upgraded CASs. Cd to /perfigo/common/bin/, and run the fostate.sh script on the first CAS: [root@rjcas_1 bin]# ./fostate.sh
  • Page 166: Accessing High Availability Pair Cas Web Consoles

    The Secondary CAS is the CAS you configured in HA-Secondary Mode when you initially set up • For releases prior to 4.0(0), the Secondary CAS is labelled as HA-Standby Mode (CAS) for the initial HA configuration.
  • Page 167: Chapter 5 Password Recovery

    To recover the root password for CAM/CAS on release 3.5(x), you can use the Linux procedure to boot to single user mode and change the root password: Step 1: Connect to the CAM/CAS machine via console.
  • Page 168 Step 4: At the prompt type: linux single. This boots the machine into single user mode. Step 5: Type: passwd. Step 6: Change the password. Step 7: Reboot the machine using the reboot command.
  • Page 169: Appendix

    OpenSSL Toolkit (http://www.openssl.org/)”. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
  • Page 170: Appendix A Open Source License Acknowledgements

    The word ‘cryptographic’ can be left out if the routines from the library being used are not cryptography-related. If you include any Windows specific code (or a derivative thereof) from the apps directory (application code) you must include an acknowledgement: “This product includes software written by Tim Hudson (tjh@cryptsoft.com)”.
  • Page 171 The license and distribution terms for any publicly available version or derivative of this code cannot be changed. i.e. this code cannot simply be copied and put under another distribution license [including the GNU Public License].
  • Page 173: Index


This manual is also suitable for:

NAC-3315, NAC-3355, NAC-3395, NAC-3310, NAC-3350, NAC-3390
