Verify/Change Current Master Secret On Cam/Cas; Recover From Corrupted Master Secret - Cisco NAC3350-PROF-K9 - NAC Profiler Server Installation Manual

Troubleshooting the Installation

Verify/Change Current Master Secret on CAM/CAS

Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and
protect important data, like other system passwords. Cisco recommends keeping very accurate records
of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS
in an HA deployment. (HA-Secondary CAMs/CASs are not able to assume the "active" role following
a failover event when the master secret passwords are different.) If you suspect that the CAM/CAS
master secret is different from its peer in an HA deployment, you can do the following to verify and/or
change the master secret on CAM/CAS HA peers:
Step 1  Log in to the CLI of the HA-Primary CAM/CAS as "root."
Step 2  Enter cat /root/.perfigo/master and record the master secret signatures for that CAM/CAS.
Step 3  Log in to the CLI of the HA-Secondary CAM/CAS as "root" and enter the same cat /root/.perfigo/master command.
Step 4  If the two CAM/CAS master secret signatures are different, use service perfigo config to "reconfigure" the CAM/CAS with the incorrect master secret, accepting the previous values for all settings other than the master secret, which, in the case of an HA peer, you specify to match the other appliance in the HA pair.
    a. Enter service perfigo stop on the HA-Secondary CAM/CAS.
    b. Enter service perfigo stop on the HA-Primary CAM/CAS.
    c. Enter service perfigo config to "reconfigure" the CAM/CAS with the incorrect master secret. (Once you have completed the initial configuration, you will also need to reboot the appliance.)
    d. Enter service perfigo start to bring up the HA-Primary CAM/CAS.
    e. When the HA-Primary CAM/CAS comes back up, enter service perfigo start to bring up the HA-Secondary CAM/CAS.

After approximately 5 minutes, an HA-Secondary CAM automatically synchronizes with the HA-Primary.

Recover From Corrupted Master Secret

Note
This procedure applies to both standalone and HA CAMs and CASs. In order to use this procedure for an HA CAM/CAS with a corrupted master secret, you must bring both peers in the HA deployment to "standalone" state before performing the steps necessary to recover from the corrupted master secret.

If the master secret changes (by using service perfigo config, for example) and the CAM/CAS database is synchronized from a peer CAM/CAS that has a different master secret, the database can become corrupted rendering the appliance unusable. You can recover from this scenario by going through the following steps:

Step 1  Log in to the CLI of the CAM/CAS with the corrupted master secret as "root."
Step 2  Remove /root/.perfigo/master file from the affected CAM/CAS.

Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, page 3-48
Chapter 3: Installing the Clean Access Manager and Clean Access Server
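
The comparison the verify procedure performs by eye (record each peer's signature, then act only if they differ) is also the check that keeps a peer with a different master secret from synchronizing its database, the failure the recovery section describes. The following is an added shell example, not part of the Cisco guide. It assumes the operator saved each peer's cat /root/.perfigo/master output to a local file; the file names, function names and exit codes are hypothetical, and the file content is treated as opaque text because the guide does not describe its format.

```shell
#!/bin/sh
# Added example (not from the Cisco guide). Assumption: the output of
# `cat /root/.perfigo/master` from each HA peer was saved to a local file.

# Print a capture with the CRs, trailing blanks and empty lines that
# terminal logging adds removed. Fails if the file is missing or empty.
normalize_capture() {
    [ -s "$1" ] || return 1
    tr -d '\r' < "$1" | sed -e 's/[[:space:]]*$//' -e '/^$/d'
}

# compare_master_sigs PRIMARY_CAPTURE SECONDARY_CAPTURE
# Returns 0 if the signatures match, 1 if they differ, 2 if a capture holds
# no signature. The signature text itself is never echoed.
compare_master_sigs() {
    for f in "$1" "$2"; do
        [ -n "$(normalize_capture "$f")" ] || {
            echo "no signature captured in $f" >&2
            return 2
        }
    done
    if [ "$(normalize_capture "$1")" = "$(normalize_capture "$2")" ]; then
        echo "MATCH: HA peers report the same master secret signatures"
        return 0
    fi
    echo "MISMATCH: stop both peers and reconfigure the one with the incorrect master secret (Step 4)"
    return 1
}

# Demo on constructed captures (placeholder text, not real signatures).
demo_dir=$(mktemp -d)
printf 'SIGNATURE-PLACEHOLDER-A\n' > "$demo_dir/primary.txt"
printf 'SIGNATURE-PLACEHOLDER-A\r\n\r\n' > "$demo_dir/secondary.txt"  # CRLF capture
compare_master_sigs "$demo_dir/primary.txt" "$demo_dir/secondary.txt" ||
    echo "exit status: $?"
rm -rf "$demo_dir"
```

Exit status 2 separates "nothing was captured" from a real mismatch, so an empty or missing capture is never read as a match.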


This manual is also suitable for:

Nac-3315, Nac-3355, Nac-3395, Nac-3310, Nac-3350, Nac-3390