4-23
Cisco NAC Appliance Hardware Installation Guide
OL-20326-01
Chapter 4 Configuring High Availability (HA)
Installing a Clean Access Server High Availability Pair
If additional network interfaces (e.g. eth2 or eth3) are available, you can use them for UDP heartbeat
instead of eth0. In this case, the eth2 or eth3 interfaces on the two machines are connected using a
crossover cable. If installing an additional Ethernet interface, configure the IP address for the
interface. For instructions, see Configuring Additional NIC Cards, page 3-37.
Switch Interfaces for OOB Deployment
For Out-of-Band deployments, ensure that Port Security is not enabled on the switch interfaces to which
the CAS and CAM are connected. This can interfere with CAS HA and DHCP delivery.
Service IP Addresses
In addition to the IP addresses for the trusted and untrusted interfaces for each individual CAS, you will
need to provide two Service IP addresses for the trusted and untrusted interfaces of the CAS pair (see
Figure 4-9 on page 4-20 for an example configuration). A Service IP address is the common IP address
that the external network uses to address the pair.
In addition, either the trusted or untrusted interface Service IP address should be used to generate the
SSL certificate. If a CAS was previously configured and added to the CAM as a standalone CAS, it must
be deleted prior to configuring it for HA.
After HA configuration is complete on both CASs, use the Service IP in the New Server form to add the
HA-CAS pair to the CAM. Note that the HA-CAS pair is automatically added as the same Server Type
(for example, Out-of-Band Virtual Gateway).
Host Names
For heartbeat, each CAS needs to have a unique hostname (or node name). For HA CAS pairs, this host
name will be provided to the peer, and must be resolved via DNS or added to the peer's /etc/hosts file.
DHCP Synchronization
When you configure two CASs that also perform DHCP functions for your deployment as an HA pair,
Cisco NAC Appliance automatically synchronizes and exchanges the required keys between the
HA-Primary and HA-Secondary CASs to ensure DHCP continues to work properly following a failover
event.
SSL Certificates
As in standalone mode, in HA mode the Clean Access Servers can use either a temporary, self-signed
certificate or a CA (Certificate Authority)-signed certificate. A temporary certificate is useful for testing
or development. A production deployment should have a CA-signed certificate. Considerations in either
case are:
1. Both temporary and CA-signed certificates can use either a Service IP address (for either the
trusted interface or the untrusted interface) or a domain name as the certificate domain name.
2. If creating a certificate using a domain name, the domain name must map to the Service IP in
DNS. If you are not using a domain name in the certificate, the DNS mapping is not necessary.
3. For a temporary certificate, generate the temporary certificate on one of the Clean Access Servers,
and transfer it from that CAS to the other CAS.
4. For a CA-signed certificate, you will need to import the CA-signed certificate into each of the Clean
Access Servers in the pair.
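The Service IP, Host Names and SSL Certificates requirements above are easy to get wrong during an HA build, so the following pre-flight check is added here as an example. It is not Cisco code and does not talk to a CAS or CAM; it simply encodes the rules stated on this page (two Service IPs distinct from the per-CAS interface addresses, unique and resolvable node names, and a certificate name that is either a Service IP or a domain name mapping to one) and reports which are violated. The class names, hostnames, addresses and the hosts table are all constructed for the example.

```python
"""Pre-flight check for a Clean Access Server (CAS) HA pair.

Added example, not Cisco code. Encodes the prerequisites described on this page:
  - each CAS has its own trusted/untrusted IP; the pair shares two Service IPs
    that must differ from each other and from every per-CAS interface address;
  - each CAS needs a unique hostname (node name) that the peer can resolve
    through DNS or its /etc/hosts file;
  - the SSL certificate name is either a Service IP (no DNS mapping needed) or a
    domain name that maps to a Service IP in DNS.
All addresses (RFC 5737 ranges), hostnames and the resolver table are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Cas:
    hostname: str
    trusted_ip: str
    untrusted_ip: str


@dataclass
class HaPair:
    primary: Cas
    secondary: Cas
    service_trusted_ip: str
    service_untrusted_ip: str
    cert_name: str                               # CN/SAN: an IP literal or a domain name
    hosts: dict = field(default_factory=dict)    # hostname -> IP, stands in for DNS or /etc/hosts


def is_ip(value):
    """True if value parses as an IPv4/IPv6 address literal."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_service_ips(pair):
    """Two distinct Service IPs, neither reused by a per-CAS interface."""
    problems = []
    svc = {pair.service_trusted_ip, pair.service_untrusted_ip}
    if len(svc) != 2:
        problems.append("trusted and untrusted Service IPs must differ")
    per_cas = {pair.primary.trusted_ip, pair.primary.untrusted_ip,
               pair.secondary.trusted_ip, pair.secondary.untrusted_ip}
    for ip in sorted(svc & per_cas):
        problems.append(f"Service IP {ip} collides with a per-CAS interface address")
    return problems


def check_hostnames(pair):
    """Heartbeat needs unique node names that the peer can resolve."""
    problems = []
    names = [pair.primary.hostname, pair.secondary.hostname]
    if names[0] == names[1]:
        problems.append(f"both CASs use hostname {names[0]!r}; node names must be unique")
    for name in names:
        if name not in pair.hosts:
            problems.append(f"hostname {name!r} does not resolve; add it to DNS or the peer's /etc/hosts")
    return problems


def check_certificate(pair):
    """Certificate name must be a Service IP, or a domain name that maps to one."""
    svc = {pair.service_trusted_ip, pair.service_untrusted_ip}
    name = pair.cert_name
    if is_ip(name):
        if name in svc:
            return []                      # IP-based certificate: DNS mapping not necessary
        return [f"certificate IP {name} is not one of the Service IPs {sorted(svc)}"]
    resolved = pair.hosts.get(name)
    if resolved is None:
        return [f"certificate domain {name!r} has no DNS mapping to a Service IP"]
    if resolved not in svc:
        return [f"certificate domain {name!r} resolves to {resolved}, not a Service IP"]
    return []


def preflight(pair):
    """All problems found; an empty list means the pair meets the page's prerequisites."""
    return check_service_ips(pair) + check_hostnames(pair) + check_certificate(pair)


# Constructed resolver table: what DNS (or /etc/hosts on each peer) returns.
HOSTS = {
    "cas1.example.test": "192.0.2.11",
    "cas2.example.test": "192.0.2.12",
    "nac.example.test": "192.0.2.10",     # maps to the trusted Service IP
}

# A pair that satisfies every rule.
GOOD_PAIR = HaPair(
    primary=Cas("cas1.example.test", "192.0.2.11", "198.51.100.11"),
    secondary=Cas("cas2.example.test", "192.0.2.12", "198.51.100.12"),
    service_trusted_ip="192.0.2.10",
    service_untrusted_ip="198.51.100.10",
    cert_name="nac.example.test",
    hosts=HOSTS,
)

# Three mistakes: duplicated hostname, untrusted Service IP reused from the
# primary's trusted interface, and a certificate name nobody mapped in DNS.
BAD_PAIR = HaPair(
    primary=Cas("cas1.example.test", "192.0.2.11", "198.51.100.11"),
    secondary=Cas("cas1.example.test", "192.0.2.12", "198.51.100.12"),
    service_trusted_ip="192.0.2.10",
    service_untrusted_ip="192.0.2.11",
    cert_name="portal.example.test",
    hosts=HOSTS,
)

if __name__ == "__main__":
    for label, pair in (("good", GOOD_PAIR), ("bad", BAD_PAIR)):
        print(label, preflight(pair) or "OK")
```

Run it before generating or importing the certificate: a non-empty result from `preflight` points at the specific prerequisite to fix (DNS entry, /etc/hosts entry, or Service IP assignment), which is cheaper than discovering the problem after the pair has been added to the CAM.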