manualshive.com logo in svg

Cisco NAC-3310, Installation Manual

The Cisco NAC-3310 is a cutting-edge network appliance, offering seamless network access control. Ensure a smooth installation process by downloading the free Installation Manual from our website, providing comprehensive instructions for quick and hassle-free setup. Perfectly complementing your Cisco NAC-3310 experience.

Share
Download
background image

 

3-19

Cisco NAC Appliance Hardware Installation Guide

OL-20326-01

Chapter 3      Installing the Clean Access Manager and Clean Access Server

Installing the Clean Access Server

When the Clean Access Server is in Real-IP Gateway mode, it can act as a DHCP Server or DHCP Relay. 
With DHCP functionality enabled, the CAS provides the appropriate gateway information (that is, the 
CAS’s untrusted interface IP address) to the clients. If the CAS is working as a DHCP Relay, then the 
DHCP server in your network must be configured to provide the managed clients with the appropriate 
gateway information (that is, the Clean Access Server's untrusted interface IP address). 

Virtual Gateway Mode Connection Requirements

For all deployments, if planning to configure the Clean Access Server in Virtual Gateway mode (IB or 
OOB), do not connect the untrusted interface (eth1) of the standalone CAS or HA-Primary CAS until 
after you have added the CAS to the CAM from the web admin console. For Virtual Gateway HA-CAS 
pairs, also do not connect the eth1 interface of the HA-Secondary CAS until after HA configuration is 
fully complete. Keeping the eth1 interface connected while performing initial installation and 
configuration of the CAS for Virtual Gateway mode can result in network connectivity issues. 

When setting up a CAS in Virtual Gateway mode, you specify the same IP address for the trusted (eth0) 
and untrusted (eth1) network interfaces during the initial installation of the CAS via CLI. At this point 
in the installation, the CAS does not recognize that it is a Virtual Gateway. It will attempt to connect to 
the network using both interfaces, causing collisions and possible port disabling by the switch. 
Disconnecting the untrusted interface until after adding the CAS to the CAM in Virtual Gateway mode 
prevents these connectivity issues. Once the CAS has been added to the CAM in Virtual Gateway mode, 
you can reconnect the untrusted interface.

Administrators must use the following procedure for correct configuration of a Virtual Gateway Central 
Deployment. To prevent looping on any central/core switch as you plug both interfaces of the Clean 
Access Server into the switch, perform the following steps:

Step 1

Before you connect both interfaces of the CAS to the switch, physically disconnect the eth1 interface.

Step 2

Physically connect the eth0 interface of the CAS to the network.

Step 3

Add the CAS to the CAM in the CAM web console under 

Device Management > CCA Servers > New 

Server

, as described in the 

Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 

4.8(3)

.

Step 4

Manage the CAS by accessing the CAS management pages, via 

Device Management > CCA Servers 

> Manage [CAS_IP] 

as described in the 

Cisco NAC Appliance - Clean Access Server Configuration 

Guide, Release 4.8(3)

.

Step 5

Configure VLAN mapping. This is a 

mandatory

 step for a Central Deployment where both interfaces 

of the CAS connect to the same switch. (Note that you can configure VLAN mapping in Edge 
Deployments with no adverse affect, but you are not required to do so.) 

a.

Make sure you check the “

Enable VLAN Mapping

” checkbox and click 

Update

b.

Make sure to set the Untrusted VLAN-to-Trusted VLAN mapping under 

Device Management > 

CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping

. See the “VLAN Mapping in 

Virtual Gateway Modes” section in the 

Cisco NAC Appliance - Clean Access Manager 

Configuration Guide, Release 4.8(3)

.

Note

Enable VLAN Pruning

 is checked by default on the Virtual Gateway CAS (starting from 

release 4.1(1) and later) under 

Device Management > CCA Servers > Manage [CAS_IP] > 

Advanced > VLAN Mapping

Step 6

Once the preceding steps are completed, physically connect the eth1 interface of the CAS to the switch. 

Summary of Contents for NAC-3310

Page 1: ...Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco NAC Appliance Hardware Installation Guide Release 4 8 Jan 2012 Text Part Number OL 20326 01 ...

Page 2: ...LITY OF SUCH DAMAGES Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and or its affiliates in the U S and other countries To view a list of Cisco trademarks go to this URL www cisco com go trademarks Third party trademarks mentioned are the property of their respective owners The use of the word partner does not imply a partnership relationship between Cisco and any other...

Page 3: ...355 and NAC 3395 1 3 NAC 3315 Serial Number Location 1 5 Cisco NAC 3315 Front and Rear Panels 1 5 Front Panel Features 1 5 Rear Panel Features 1 6 NAC 3355 Serial Number Location 1 8 Cisco NAC 3355 Front and Rear Panels 1 8 Front Panel Features 1 8 Rear Panel Features 1 10 NAC 3395 Serial Number Location 1 12 Cisco NAC 3395 Front and Rear Panels 1 12 Front Panel Features 1 12 Rear Panel Features 1...

Page 4: ...1 Required Equipment 2 11 Configuration Worksheets 2 11 Clean Access Manager CAM Configuration Worksheet 2 12 Clean Access Server CAS Configuration Worksheet 2 12 CAS Mode IP Addressing Considerations 2 13 Rack Mounting Your Cisco NAC Appliance CAM CAS 2 14 Mounting the NAC 3315 Appliance in a 4 Post Rack 2 15 NAC 3315 4 Post Rack Mount Hardware Kit 2 15 Installing the NAC 3315 Slide Rails into a ...

Page 5: ...equirements 3 19 Switch Support for CAS Virtual Gateway VLAN Mapping IB and OOB 3 20 Determining VLANs For Virtual Gateway 3 20 Summary of Steps For New Installation 3 21 Connect the Clean Access Server 3 22 Install the Clean Access Server CAS Software from CD ROM 3 22 Perform the Initial CAS Configuration 3 24 Configuration Utility Script 3 24 Important Notes for SSL Certificates 3 33 Cisco NAC A...

Page 6: ...CAM 4 12 Complete the Configuration 4 16 Upgrading an Existing Failover Pair 4 16 Failing Over an HA CAM Pair 4 16 Accessing High Availability Pair CAM Web Consoles 4 17 Determining Active and Standby CAM 4 17 Determining Primary and Secondary CAM 4 17 Installing a Clean Access Server High Availability Pair 4 17 CAS High Availability Overview 4 18 CAS High Availability Requirements 4 22 Before Sta...

Page 7: ...Standby Status 4 45 Accessing High Availability Pair CAS Web Consoles 4 46 Determining Active and Standby CAS 4 46 Determining Primary and Secondary CAS 4 46 C H A P T E R 5 Password Recovery 5 1 Recovering Root Password for CAM CAS 5 1 Recovering Root Password for CAM CAS Release 3 5 x or Below 5 1 A P P E N D I X A Open Source License Acknowledgements A 1 Notices A 1 OpenSSL Open SSL Project A 1...

Page 8: ...Contents 6 Cisco NAC Appliance Hardware Installation Guide OL 20326 01 ...

Page 9: ...ease 4 8 3 and Cisco NAC Appliance Clean Access Server Configuration Guide Release 4 8 3 to install configure and administer your Cisco NAC Appliance deployment Purpose The Cisco NAC Appliance Hardware Installation Guide Release 4 8 describes how to install and initially configure the Clean Access Manager and Clean Access Server on all Cisco NAC Appliance platforms Once you have installed and init...

Page 10: ...are Platforms Provides information about the hardware platforms available in Cisco NAC Appliance Chapter 2 Preparing for Installation Outlines the steps necessary to ensure your environment is ready to install Cisco NAC Appliance hardware Chapter 3 Installing the Clean Access Manager and Clean Access Server Describes how to install and initially configure the Clean Access Manager and Clean Access ...

Page 11: ...rted Hardware and System Requirements for Cisco NAC Appliance Supported Hardware Platforms Troubleshooting Network Card Driver Support Issues and System Requirements Regulatory Compliance and Safety Information for Cisco 1121 Secure Access Control System Cisco NAC Appliance Cisco NAC Guest Server and Cisco NAC Profiler Regulatory Compliance and Safety Information Support Information for Cisco NAC ...

Page 12: ...ity Cisco NAC Appliance Clean Access Manager Configuration Guide Release 4 8 3 Complete CAM details including How to install the CAM software Overviews of major concepts and features of Cisco NAC Appliance How to use the CAM web console to perform global configuration of Cisco NAC Appliance applying to all CASs in the deployment How to configure CAM pairs for High Availability Cisco NAC Appliance ...

Page 13: ... Availability Connection page 4 26 5 3 11 Release 4 8 2 Updated Upgrading Cisco NAC Appliance Software page 2 27 Updated Release 4 8 2 screenshots as appropriate 1 31 11 Release 4 8 1 Updated Upgrading Cisco NAC Appliance Software page 2 27 Updated Release 4 8 1 screenshots as appropriate 12 7 10 Added a note about number of users supported by NAC 3315 and NAC 3310 when they are FIPS Compliant to ...

Page 14: ...l information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service Cisco ...

Page 15: ...ptops desktops and corporate assets are compliant with a network s security policies and it repairs any vulnerabilities before permitting access to the network Cisco NAC Appliance is a network centric integrated solution administered from the web console of the Clean Access Manager CAM enforced through the Clean Access Server CAS and applied on clients through the Cisco NAC Agent and Cisco NAC Web...

Page 16: ...the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version If the FIPS card is still not operational you will need to RMA the appliance with Cisco Systems and replace it with a new Cisco NAC 3315 3355 3395 Refer to the Cisco NAC Appliance RMA and Licensing section of the Cisco NAC Appliance Service Contract Licensing Support document for details Yes ...

Page 17: ...cessor Quad core Intel Xeon Core 2 quad 4GB RAM 2 x 250 GB SATA HDD 4 10 100 1000 LAN ports 2 integrated NICs 2 Gigabit NICs PCI E CD DVD ROM Drive 4 USB Ports 2 front 2 rear Power supply 350W Note The NAC 3315 is based on the IBM System x3250 M2 server platform Figure 1 2 on page 1 5 Cisco NAC 3315 Front Panel Figure 1 3 on page 1 6 Cisco NAC 3315 Front Panel LEDs Buttons Figure 1 4 on page 1 6 C...

Page 18: ...nel Figure 1 10 on page 1 10 Cisco NAC 3355 With Installed FIPS Card Rear Panel LEDs SERVER CAS supporting 1500 2500 or 3500 and 5000 users NAC 3395 MANAGER Super Manager supporting up to 40 standalone or HA pair CASs Dual processor 2 x Quad core Intel Xeon Nehalem 8GB RAM 4 x 300 GB SAS RAID HDD 4 10 100 1000 LAN ports 2 integrated NICs 2 Gigabit NICs PCI E CD DVD ROM Drive 4 USB Ports 1 front 1 ...

Page 19: ...m is recommended for Clean Access Lite Manager and Clean Access Server 100 250 500 user count deployments A NAC 3315 CAM Lite can manage up to 3 Clean Access Servers or 3 HA CAS pairs A NAC 3315 CAS can support 100 250 or 500 users Note FIPS 140 2 compliant NAC 3315 CAS can support only 250 or 500 users The Cisco NAC 3315 comes equipped with 4 network interfaces to provide flexibility in NIC inter...

Page 20: ... activity Off No drive activity 5 Locator button LED Flashing blue The Locator button has been pressed 6 System health LED Off System health is normal Amber A pre failure system threshold has been breached This can be any of the following At least one fan failure system or processor fan At least one of the temperature sensors reached critical level system or processor thermal sensors At least one ...

Page 21: ...se FIPS card is in initialization mode Two longer blue flashes followed by a pause FIPS card is in maintenance mode Repeatedly flashing morse code distress call three short blue flashes followed by three longer blue flashes followed again by three more short blue flashes FIPS card is in error mode Off There is no power source connected to the FIPS card 2 NIC 1 eth0 activity LED Green Activity exis...

Page 22: ...0 HA CAS pairs A NAC 3355 CAS can support up to 1500 2500 or 3500 users Similar to the Cisco NAC 3315 the Cisco NAC 3355 comes equipped with 4 network interfaces to provide flexibility in NIC interface selection and facilitate CAS high availability configuration The Cisco NAC 3355 additionally provides 2 GB of RAM two SAS drives configured in RAID 0 and 1 dual power supplies and an SSL accelerator...

Page 23: ...Power switch button cover Slides left and right to expose or protect power switch 4 Ethernet icon LED Green Ethernet interfaces are configured and up Off No Ethernet interfaces are currently configured or Ethernet interfaces are all down 5 Ethernet interface activity LEDs NIC 1 and NIC 2 Green Activity exists Flashing green Activity exists Off No activity exists 6 Information LED Amber A non criti...

Page 24: ...d is powered up Rapidly flashing green The appliance is off and is not yet ready to be turned on the appliance typically only remains in this state for 1 to 3 minutes Slowly flashing green The appliance is currently off and ready to be turned on slowly fading on off green The appliance is in power save mode and is ready to be turned on Off The appliance is powered off AC power disconnected 1 FIPS ...

Page 25: ...e is connected to power supply Off No AC power source is connected to power supply 5 DC power LED Green DC power source is connected to power supply Off No DC power source is connected to power supply 6 Power supply error LED Amber Power source to power supply is present but power supply is in error state Off Power supply is functioning normally if AC and DC power indicators are green or power sup...

Page 26: ...ssary for enterprise wide deployment of the Clean Access Super Manager Super CAM which can support up to 40 Clean Access Servers or 40 HA CAS pairs The Cisco NAC 3390 features dual processors dual power supplies 4 GB of RAM 4 hard disk drives 4 network interfaces and an SSL accelerator card For additional details see FIPS 140 2 Compliant and Non FIPS Hardware Platforms page 1 1 Note The Super CAM ...

Page 27: ...switch button cover Slides left and right to expose or protect power switch 4 Ethernet icon LED Green Ethernet interfaces are configured and up Off No Ethernet interfaces are currently configured or Ethernet interfaces are all down 5 Ethernet interface activity LEDs NIC 1 and NIC 2 Green Activity exists Flashing green Activity exists Off No activity exists 6 Information LED Amber A non critical sy...

Page 28: ...powered up Rapidly flashing green The appliance is off and is not yet ready to be turned on the appliance typically only remains in this state for 1 to 3 minutes Slowly flashing green The appliance is currently off and ready to be turned on slowly fading on off green The appliance is in power save mode and is ready to be turned on Off The appliance is powered off AC power disconnected 1 FIPS card ...

Page 29: ...e is connected to power supply Off No AC power source is connected to power supply 5 DC power LED Green DC power source is connected to power supply Off No DC power source is connected to power supply 6 Power supply error LED Amber Power source to power supply is present but power supply is in error state Off Power supply is functioning normally if AC and DC power indicators are green or power sup...

Page 30: ...rd drive while older NAC 3310s originally shipped with 80GB hard drives Both of these hard drive sizes support High Availability HA deployments and you can safely deploy a 160GB model in an HA pair with an 80GB model 4 10 100 1000 LAN ports 2 Broadcom 5721 integrated NICs 2 Intel e1000 PCI X NICs HP NC360T CD DVD ROM Drive 4 USB Ports 2 front 2 rear Note The NAC 3310 is based on the HP ProLiant DL...

Page 31: ...or HA pair CASs Dual processor Xeon 3 0 GHz dual core Dual power supply 4 GB RAM 4 x 72 GB SFF SAS RAID HDD Smart Array E200i Controller 4 10 100 1000 LAN ports 2 Broadcom 5708 integrated NICs 2 Intel e1000 PCI X NICs HP NC360T CD DVD ROM Drive 4 USB Ports 1 front 1 internal 2 rear Cavium CN1120 NHB E SSL Accelerator Card Note The NAC 3390 is based on the HP ProLiant DL360 G5 server platform Figur...

Page 32: ...e Cisco NAC 3310 comes equipped with 4 network interfaces to provide flexibility in NIC interface selection and to facilitate CAS high availability configuration Note Newer Cisco NAC 3310 CAMs CASs feature a 160GB hard drive while older NAC 3310s originally shipped with 80GB hard drives Both of these hard drive sizes support High Availability HA deployments and you can safely deploy a 160GB model ...

Page 33: ... At least one of the temperature sensors reached critical level system or processor thermal sensors At least one memory module failure A power supply unit error has occurred 3 Activity link status LED for NIC 1 eth0 and NIC 2 eth1 Solid green An active network link exists Flashing green An ongoing network data activity exists Off The server is off line 4 HDD activity LEDs Flashing green Ongoing dr...

Page 34: ...r the top cover 10 Rear USB ports black 3 Thumbscrews for the PCI riser board assembly 11 Video port blue 4 NIC 3 eth2 and NIC 4 eth3 PCI Express GbE LAN RJ 45 ports Intel 12 Serial port 5 13 PS 2 keyboard port purple 6 Standard height full length PCI Express x16 PCI X riser board slot cover 14 PS 2 mouse port green 7 Power supply cable socket 15 10 100 Mbps iLO LAN port for IPMI management RJ 45 ...

Page 35: ...uration The Cisco NAC 3350 additionally provides 2 GB of RAM two SAS drives configured in RAID 0 and 1 dual power supplies and an SSL accelerator card to support large network deployments and provide added reliability for a centralized CAM CAS deployment in the network core For additional details see FIPS 140 2 Compliant and Non FIPS Hardware Platforms page 1 1 Front Panel Features Figure 1 20 Cis...

Page 36: ...ealth is degraded To identify the component in a degraded state refer to HP Systems Insight Display and LEDs Red System health is critical To identify the component in a critical state refer to HP Systems Insight Display and LEDs Off System health is normal when in standby mode 4 External health LED power supply Green Power supply health is normal Amber Power redundancy failure occurred Off Power ...

Page 37: ... 14 iLO 2 NIC connector RJ 45 181237 2 3 4 5 6 7 8 9 10 11 12 13 14 1 1 iLO 2 NIC activity LED Green Activity exists Flashing green Activity exists Off No activity exists 2 iLO 2 NIC link LED Green Link exists Off No link exists 3 10 100 1000 NIC 3 Intel Activity LED Steady green High activity Flashing green Activity exists Off No activity if link LED is off link is dead 4 10 100 1000 NIC 3 Intel ...

Page 38: ...sk drives two integrated NICs and an SSL accelerator For additional details see FIPS 140 2 Compliant and Non FIPS Hardware Platforms page 1 1 Note The Super CAM software is supported only on the Cisco NAC 3395 and Cisco NAC 3390 platforms 7 10 100 1000 NIC 1 Broadcom Activity LED Green Activity exists Flashing green Activity exists Off No activity exists 8 10 100 1000 NIC 1 Broadcom Link LED Green...

Page 39: ...er System is shut down but power is still applied Off Power cord is not attached power supply failure has occurred no power supplies are installed facility power is not available or disconnected power button cable 2 UID button LED Blue Identification is activated Flashing blue System is being managed remotely Off Identification is deactivated 3 Internal health LED Green System health is normal Amb...

Page 40: ... For status view the rear panel LED for the RJ 45 connector Figure 1 27 on page 1 26 6 NIC 2 link activity LED Green Network link exists Flashing green Network link and activity exist Off No link to network exists If power is off the front panel LED is not active For status view the rear panel LED for the RJ 45 connector Figure 1 27 on page 1 26 1 PCI Express expansion slot 1 low profile half leng...

Page 41: ...llustration of your product with the serial number label location highlighted Locate the serial number label on your product and record the information before you place a service call You can access the CPI tool at http tools cisco com Support CPI index do 1 iLO 2 NIC activity LED Green Activity exists Flashing green Activity exists Off No activity exists 2 iLO 2 NIC link LED Green Link exists Off...

Page 42: ...sco NAC Appliance Hardware Platforms Cisco Product Identification Tool To access the CPI tool you require a Cisco com user ID and password If you have a valid service contract but do not have a user ID or password you can register at http tools cisco com RPF register register do ...

Page 43: ...C Appliance software and chassis firmware Note This Installation Guide does not cover the Cisco NAC Network Module NME NAC K9 For information on Cisco NAC Network Module installation and configuration see Getting Started with Cisco NAC Network Modules in Cisco Access Routers This chapter covers the following topics Safety Guidelines page 2 2 Preparing Your Site for Installation page 2 6 Rack Mount...

Page 44: ... or plug is damaged An object has fallen into the product The product has been exposed to water The product has been dropped or damaged The product does not operate correctly when you follow the operating instructions Keep your appliance away from radiators and heat sources Also do not block cooling vents Do not spill food or liquids on your appliance and never operate the product in a wet environ...

Page 45: ...r power cord Do not modify power cables or plugs Consult a licensed electrician or your power company for site modifications Always follow your local or national wiring rules Safety with Equipment The following guidelines will help ensure your safety and protect the equipment However this list does not include all potentially hazardous situations so be alert Warning Read the installation instructi...

Page 46: ...power supplies unplug the power cord on AC units disconnect the power at the circuit breaker on DC units Statement 12 Warning Do not work on the system or connect or disconnect cables during periods of lightning activity Statement 1001 Warning This equipment is intended to be grounded Ensure that the host is connected to earth ground during normal use Statement 39 Warning When installing or replac...

Page 47: ... static sensitive component from its shipping carton do not remove the component from the antistatic packing material until you are ready to install the component in your appliance Just before unwrapping the antistatic packaging be sure to discharge static electricity from your body When transporting a sensitive component first place it in an antistatic container or packaging Handle all sensitive ...

Page 48: ...ge Contents page 2 10 Failover Bundles page 2 11 Required Equipment page 2 11 Configuration Worksheets page 2 11 Site Planning Warning This unit is intended for installation in restricted access areas A restricted access area can be accessed only through the use of a special tool lock and key or other means of security Statement 1017 Typically you should have prepared the installation site beforeh...

Page 49: ...t have at least two posts that provide mounting flanges for mounting an appliance Figure 2 1 shows a couple of common examples of four post equipment racks Figure 2 1 Four Post Equipment Rack Types Four Post Partially Enclosed Rack Image 1 in Figure 2 1 shows a freestanding partially enclosed rack with two mounting posts in the front and two more at the rear The Cisco NAC Appliance CAM CAS may be ...

Page 50: ...cceptable operating environment for your appliance and will help you avoid environmentally caused equipment failures Ensure that the room where your appliance operates has adequate circulation Electrical equipment generates heat Without adequate circulation ambient air temperature may not cool equipment to acceptable operating temperatures For more information see Airflow Guidelines page 2 9 Ensur...

Page 51: ...ates within the ranges listed however a temperature measurement approaching a minimum or maximum parameter indicates a potential problem Maintain normal operation by anticipating and correcting environmental anomalies before they approach critical values by properly planning and preparing your site before you install the appliance Power Considerations You configure the Cisco NAC Appliance CAM CAS ...

Page 52: ...reinstallation checklist of tasks and considerations that need to be addressed and agreed upon before proceeding with the installation is as follows 1 Assign personnel 2 Determine protection requirements for personnel equipment and tools 3 Evaluate potential hazards that may affect service 4 Schedule time for installation 5 Determine any space requirements 6 Determine any power requirements 7 Iden...

Page 53: ... serial port must be disabled for the Cisco NAC Appliance CAM CAS Refer to the Disable BIOS Redirection for Serial HA Failover Connections section of the Supported Hardware and System Requirements for Cisco NAC Appliance Cisco Clean Access for details Required Equipment You need to supply a workstation PC or laptop and keyboard monitor mouse to run the Cisco NAC Appliance Configuration Utility on ...

Page 54: ...C 2 on the server hardware b Subnet mask IP netmask for eth0 interface c Default gateway IP address for eth0 interface d Host name for your CAM e IP address of Domain Name Server on your network f Master secret Note The master secret must be the same for CAMs CASs deployed as HA peers g Date time and timezone h To generate the required temporary SSL certificate you can change this at a later time ...

Page 55: ...rganization location e g San Jose CA US Note If using FQDN make sure your DNS server is set up for the domain name l Root user password m Web console password 2 1 eth0 and eth1 generally correlate to the first two network cards NIC 1 and NIC 2 on the server hardware 2 Cisco highly recommends replacing default password s with strong passwords at least 8 characters long comprised of a combination of...

Page 56: ...rack is bolted to the floor Virtual Gateway CAUTION To avoid switch errors do not connect the untrusted interface eth1 of a Virtual Gateway IB or OOB CAS to the switch until after the CAS is added to the CAM via the web console and VLAN mapping is configured correctly under Device Management CCA Servers Manage CAS_IP Advanced VLAN Mapping See the Cisco NAC Appliance Clean Access Server Configurati...

Page 57: ...least 24 inches 61 cm of clearance at the front and rear of the rack for appliance maintenance Caution To prevent appliance overheating never install an appliance in an enclosed rack or a room that is not properly ventilated or air conditioned Follow your local practices for cable management Ensure that cables to and from appliances do not impede access for performing equipment maintenance or upgr...

Page 58: ...nce in a rack Step 1 Press on the rail adjustment bracket on the rear of the slide rail see Figure 2 4 to prevent the bracket from moving Step 2 Press on Tab 1 and 2 see Figure 2 4 and slide the rail locking carrier toward the front of the slide rail until it snaps into place Step 3 Press on Tab 1 and 2 and slide the rail locking carrier toward the rear of the slide until it snaps into place 1 Cab...

Page 59: ...tab see Figure 2 5 and fully extend the rail adjustment bracket from the rear of the slide rail until it snaps into place Step 5 Align the pins on the rear rail locking carrier with the holes on the rear mounting flange Then press the tab see Figure 2 5 to secure the rear of the slide rail to the rear mounting flange Note Ensure that the pins are fully extended through the mounting flange and slid...

Page 60: ...ail length push the rail locking carrier back toward the rear of the slide rail to align the slide rail with the mounting flange Then press the tab to secure the front of the slide rail to the front mounting flange Note Ensure that the pins are fully extended through the mounting flange and the slide rail Step 7 Repeat the steps from 1 to 6 for the other slide rail 1 Adjustment tab 3 Pins not exte...

Page 61: ...on the slide rails and push the CAM CAS fully into the rack cabinet Step 2 Secure the CAM CAS to the front mounting flanges with the captive thumbscrews see Figure 2 7 Note You must leave the shipping brackets attached to the slide rails unless the shipping brackets impede the CAM CAS from sliding fully in the rack cabinet If you need to remove the shipping brackets see Step 3 1 Adjustment tab 4 P...

Page 62: ...ee Figure 2 8 as indicated on the shipping bracket and remove the shipping bracket from the slide rail Step 4 Repeat step 3 for the other shipping bracket Store the shipping brackets for future use Note You must reinstall the shipping brackets on the slide rails before you transport the rack cabinet with the CAM CAS installed To reinstall the shipping brackets reverse the steps 1 Shipping brackets...

Page 63: ...d is fully extended on its slide rail it is possible for the rack to become unstable and tip over which could cause serious injury To eliminate the risk of rack instability from extending the rail or in the event of an earthquake you should affix the rack to the floor This section contains NAC 3355 3395 4 Post Rack Mount Hardware Kit page 2 22 Installing the NAC 3355 3395 Slide Rails Into the 4 Po...

Page 64: ... screws with thread hole racks Note If the slide rails that arrived in your shipping container include shipping thumbscrews remove them before performing the following procedure Step 1 Identify an available space in your rack to install the NAC 3355 3395 Step 2 If you have either a round holed or square holed rack install cage nuts or clip nuts in the middle and bottom holes of the rack unit space...

Page 65: ...Nuts Step 5 Use the tab on the rear of the slide rails to align the rear of the slide rail to the rear of the four post rack Step 6 Select the best range among Posts A B C and D to fit into the slots Adjust the length of the slide rails by moving around the depth adjustment screws and nuts see Figure 2 12 Step 7 Once you have the combination and fit you want for your NAC 3355 3395 reinstall and ti...

Page 66: ... another screw in the middle hole to secure the front of the slide rail to the four post rack see Figure 2 13 Note Use the 12 24 screws that came in the rack installation kit if you have installed clip nuts or cage nuts in the four post rack mounting rails Figure 2 13 Fasten Front of Slide Rail to Four Post Rack Step 9 Use two screws to fasten the rear of the slide rail to the respective rear moun...

Page 67: ... four post rack until they click twice into place Step 2 Carefully lift the NAC 3355 3395 and tilt it into position over the slide rails so that the rear chassis nail heads on the CAM CAS line up with the rear slots on the slide rails see Figure 2 15 Step 3 Slide the CAM CAS down so that the rear chassis nail heads slip into the two rear slots and then slowly lower the front of the CAM CAS until t...

Page 68: ...a the Clean Access Manager administration web console For Out of Band OOB deployments you must add both the OOB CAS license and the CAS as an Out of Band device to the CAM to access the OOB Management module of the CAM web console For instructions on how to obtain new license s for your system see Cisco NAC Appliance Service Contract Licensing Support For instructions on how to install licenses fo...

Page 69: ... Release 4 8 on CCA 3140 EOL Note Due to limited hardware resources on the CCA 3140 some combinations of Release 4 8 features may cause undesirable system behavior If you are experiencing problems with Release 4 8 on the CCA 3140 please contact the Cisco Technical Assistance Center TAC Note The support for CCA 3140 has been dropped starting from Cisco NAC Appliance release 4 8 1 Upgrading to Relea...

Page 70: ...work Access Control Cisco NAC Appliance Cisco NAC Appliance 4 8 Step 3 Download the latest 4 8 x ISO image e g nac 4 8 K9 iso and burn the image as a bootable disk to a CD R Note Cisco recommends burning the ISO image to a CD R using speeds 10x or lower Higher speeds can result in corrupted unbootable installation CDs Upgrading Firmware Cisco NAC Appliance CAMs CASs are subject to any system BIOS ...

Page 71: ...ter provides installation instructions for Cisco NAC Appliance It provides instructions for how to initially configure your CAM and CAS using the Configuration Utility access the CAM web console and install product licenses Once the initial configuration of your CAM and CAS is complete you will be able to access the CAM web console to continue the rest of the configuration for your deployment For ...

Page 72: ... Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine When you receive a new Cisco NAC Appliance you will need to connect to the appliance and perform initial configuration If you want to install a different version of the software than what is shipped on the appliance you can perform software installation via CD first Refer to Suppo...

Page 73: ...le CD of the latest version of the software You can log in and download the latest 4 8 x ISO image from Cisco Software Download Site at http www cisco com public sw center index shtml or click the Download Software link from the Cisco NAC Appliance support page here and burn it as a bootable disk to a CD R Note Cisco recommends burning the ISO image to a CD R using speeds 10x or lower Higher speed...

Page 74: ...ep 3 Connect the external FIPS Smart card reader module to a FIPS 140 2 compliant NAC 3315 NAC 3355 or NAC 3395 by plugging the Smart card reader mini DIN cable into the female mini DIN FIPS card port on the back of the appliance see Figure 1 4 on page 1 6 Figure 1 9 on page 1 10 and Figure 1 14 on page 1 14 Ensure you also have a Smart card inserted into the reader Step 4 Power on the CAM by pres...

Page 75: ... R Note Cisco recommends burning the ISO image to a CD R using speeds 10x or lower Higher speeds can result in corrupted unbootable installation CDs Step 3 Insert the CD ROM containing the Cisco NAC Appliance ISO file into the CD ROM drive and reboot the machine Step 4 The Cisco Clean Access Installer welcome screen appears after the machine restarts Cisco Clean Access 4 8 3 Installer C 2012 Cisco...

Page 76: ...ick configuration utility appears and a series of questions prompt you for the initial configuration as described in Perform the Initial CAM Configuration next Perform the Initial CAM Configuration When installing the Clean Access Manager from CD ROM the Configuration Utility Script automatically appears after the software packages install to prompt you for the initial configuration Note If necess...

Page 77: ...erver Security world not found Creating the security world and initializing the smart cards Next the FIPS setup process prompts you to specify how many Smart Cards from 1 6 you want to initialize to enable FIPS compliance on the CAM How many cards do you want to initialize 1 6 1 Set ncipher card switch in i mode and press Return to continue Step 4 Enter the number of Smart Cards you want to initia...

Page 78: ...93 96 94 You entered 63 93 96 94 Is this correct y n y Step 11 The Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data like other system passwords Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them and are able t...

Page 79: ... web server responds If DNS is not already set up for a domain name the CAM web console will not load Make sure to create a DNS entry in your servers or else use an IP address for the CAM b For the organization unit name enter the group within your organization that is responsible for the certificate for example DOC c For the organization name type the name of your organization or company for whic...

Page 80: ...all of these classes Minimum of 2 characters from each of the four character classes is mandatory An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used Enter new password Re type new password passwd all authentication tokens updated successfully Step 18 Next type the password for the admin user for the CAM direct access web...

Page 81: ... c If the CAM does not respond try connecting to the CAM using SSH Secure Shell Connect with the root username and password Once connected try pinging the default gateway to see if the CAM can reach the external network If after installation you need to reset the initial configuration settings for the CAM connect to the CAM machine directly or through SSH and use the CLI command service perfigo co...

Page 82: ...tails see Enabling TLSv1 on Internet Explorer Version 6 page 3 49 Step 3 In the URL address field type the IP address of the CAM or the host name if you have made the required entry in your DNS server Step 4 If using a temporary SSL certificate the security alert appears and you are prompted to accept the certificate Click Yes to accept the certificate If using signed certificates security dialogs...

Page 83: ...ger License File field click the Browse button to locate the license file you received for the CAM and click the Install License button Note If you have purchased a CAM Failover HA license install the Failover license to the Primary CAM first then load all the other licenses This facilitates upgrading CAM HA pairs Step 7 Once the license is accepted the customizable CAM Pre login Banner Figure 3 2...

Page 84: ... appliance logging into the command line console and editing the root banner pre file The text of the Pre login Banner appears in both the web console interface and the command line interface when admin users are logging into the CAM CAS You can enable or disable the Pre login Banner during the initial CAM CAS configuration CLI session and whenever you choose to alter your base CAM CAS configurati...

Page 85: ...ing Summary Page Add Additional Licenses Step 10 To add additional licenses for your Clean Access Servers go to Administration CCA Manager Licensing Figure 3 5 in the CAM administrator web console Note A Manager Failover license must be present for HA CAS machines When a Manager Failover license is installed the Server count increment can represent either 1 standalone CAS or 1 CAS HA pair ...

Page 86: ...Repeat Step 11 for each license file you need to install you should have received one license file per PAK submitted during customer registration The Server Count information at the bottom of the page will display the total number of CASs enabled per successful license file installation Note Clicking the Remove All Licenses button removes all FlexLM license files from the system You cannot remove ...

Page 87: ...e s trusted store so that the CAM can trust the CAS s certificate and vice versa 4 Before deploying the CAM in a production environment Cisco strongly recommends acquiring a trusted certificate from a third party Certificate Authority to replace the temporary certificate in order to avoid the security warning that is displayed to the web user during admin login For further details on the CAM see t...

Page 88: ...eceive a new Cisco NAC Appliance you will need to connect to the appliance and perform initial configuration If you want to install a different version of the software than what is shipped on the appliance you can perform software installation via CD first Refer to Supported Hardware and System Requirements for Cisco NAC Appliance Cisco Clean Access for details on the software versions supported o...

Page 89: ...r adding the CAS to the CAM in Virtual Gateway mode prevents these connectivity issues Once the CAS has been added to the CAM in Virtual Gateway mode you can reconnect the untrusted interface Administrators must use the following procedure for correct configuration of a Virtual Gateway Central Deployment To prevent looping on any central core switch as you plug both interfaces of the Clean Access ...

Page 90: ...must be on different subnets and VLANs The CAS management VLAN must be on a different VLAN than the user authentication and access VLANs Configure the native VLAN to be different than the CAS management VLAN Setting native VLANs helps prevent inadvertent switching loops The native VLAN must not be the same on the eth0 and eth1 interfaces of the CAS CAS native VLAN eth0 e g unused dummy VLAN 999 CA...

Page 91: ...oftware from CD ROM page 3 22 Note If your NAC 3310 appliance does not read the software on the CD ROM drive and instead attempts to boot from the hard disk before proceeding you will need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on the Cisco NAC Appliance CAM CAS page 3 40 Step 5 Perform the initial configuration of the CAS as described in Per...

Page 92: ...d port on the back of the appliance see Figure 1 4 on page 1 6 Figure 1 9 on page 1 10 and Figure 1 14 on page 1 14 Ensure you also have a Smart card inserted into the reader Step 4 Power on the machine by pressing the power button on the front of the appliance The diagnostic LEDs will flash a few times as part of an LED diagnostic test Status messages are displayed on the console as the CAS boots...

Page 93: ...he Cisco Clean Access Installer welcome screen appears after the machine restarts Cisco Clean Access 4 8 3 Installer C 2012 Cisco Systems Inc Welcome to the Cisco Clean Access Installer To install a Cisco Clean Access device press the ENTER key To install a Cisco Clean Access device over a serial console enter serial a t the boot prompt and press the ENTER key boot Step 5 At the boot prompt type o...

Page 94: ...ty Script automatically appears after software package installation to prompt you for the initial CAS configuration Note If necessary you can always manually start the Configuration Utility Script as follows 1 Over a serial connection or working directly on the CAS log onto the CAS as user root with the root user password 2 Run the initial configuration script by entering the following command ser...

Page 95: ...om 1 6 you want to initialize to enable FIPS compliance on the CAS How many cards do you want to initialize 1 6 1 Set ncipher card switch in i mode and press Return to continue Step 5 Enter the number of Smart Cards you want to initialize ensure that the FIPS card operation switch on the back of the CAS is switched to I for initialize and press Return Module 1 command ClearUnit OK Create Security ...

Page 96: ...1 240 1 Is this correct y n y Step 10 At the Vlan Id Passthrough prompt type n and press Enter or just press Enter to keep VLAN ID passthrough disabled as the default behavior of the CAS By default VLAN IDs are stripped from traffic passing through the interface to the CAS Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network Vlan Id Passthrou...

Page 97: ... IP web console page however changing settings on the CAS IP page requires a reboot of the CAS Management Vlan Tagging for egress packets of eth0 is disabled Would you like to enable it y n n Note CAS eth0 interface settings are required for basic connection to the CAM CAS eth1 interface settings can be reconfigured later from the CAM web console A Management VLAN identifier is a default VLAN iden...

Page 98: ...er in a bridge Virtual Gateway configuration the trusted and untrusted interfaces must be on separate subnets Confirm the value when prompted Please enter the IP address for the untrusted interface eth1 10 10 10 10 You entered 10 10 10 10 Is this correct y n y Note For Virtual Gateways the eth1 address most commonly used is the eth0 address To prevent looping do not connect eth1 to the network unt...

Page 99: ...you like to enable it y n n Figure 3 9 VLAN ID Passthrough Step 16 Specify Management VLAN Tagging for the untrusted interface at the next prompt Type N and press Enter or just press Enter to keep Management VLAN tagging disabled default Or type Y and press Enter to enable Management VLAN tagging and specify the Management VLAN ID to use for the CAS untrusted interface Management Vlan Tagging for ...

Page 100: ...pshot that was created when the system was configured with a different master secret password and HA Secondary CAMs CASs are not able to assume the active role following a failover event when the master secret passwords are different Type and confirm the master secret at the prompts The master secret is used to encrypt sensitive data Remember to configure all HA pairs with the same secret Please e...

Page 101: ...or domain name for which you want the certificate to be issued Note This is also the IP address or domain name to which the web server responds If DNS is not already set up for a domain name the CAS web console will not load Make sure to create a DNS entry in your servers or else use an IP address for the CAS b For the organization unit name enter the group within your organization that is respons...

Page 102: ... per the requirements below Changing password for user root You can now choose the new password A valid password should be a mix of upper and lower case letters digits and other characters Minimum of 8 characters and maximum of 16 characters with characters from all of these classes Minimum of 2 characters from each of the four character classes is mandatory An upper case letter that begins the pa...

Page 103: ...is in operational mode Info httpd worker is in FIPS mode Info sshd up c If the CAS is not responding try connecting to the CAS using SSH Secure Shell Connect with the root username and password Once connected try pinging the gateway and or an external website from the CAS to see if the CAS can reach the external network If both tests fail make sure that you have configured the IP address correctly...

Page 104: ...eployment has a firewall between the CAS and the CAM you will need to set up rules in the firewall to allow communication between the CAS and CAM machines that is a rule that allows traffic originating from the CAM destined to the CAS and vice versa Note If there is a NAT router between the CAS and CAM also refer to section Configuring the CAS Behind a NAT Firewall in the Installation chapter of t...

Page 105: ...80 for version 3 6 x and earlier HTTP communication between Agent CAS CAM Used to download the Agent from the CAM to an end user machine CAS and Agent UDP 8905 8906 SWISS a proprietary CAS Agent communication protocol used by the Agent for UDP discovery of the CAS UDP 8905 is used for Layer 2 discovery and 8906 is used for Layer 3 discovery For more information see the Connecting to the CAS Using ...

Page 106: ...n using LDAP to connect to the AD server Cisco recommends using TCP UDP port 3268 the default Microsoft Global Catalog port instead of the default port 389 This allows for a more efficient search of all directory partitions in both single and multi domain environments TCP 445 Microsoft SMB e g needed for password change notices from DC to PC TCP 1025 RPC non standard TCP 1026 RPC non standard If i...

Page 107: ...y appending the following line public_IP_address caserver1_hostname caserver2_hostname where public_IP_address The address that is accessible outside the firewall caservern_hostname The host name of each Clean Access Server behind the firewall The Clean Access Server s should now be addressable behind the firewall Connectivity Across a Wide Area Network When deploying the CAM CAS across a WAN you ...

Page 108: ...s recognized by Linux and can be used Step 3 Change to the following directory cd etc sysconfig network scripts Step 4 Use vi to edit the ifcfg ethn file for the interface for example vi ifcfg eth2 Step 5 Add the following lines into the file replacing IPADDR NETMASK BROADCAST and NETWORK values with the actual values suitable for your network DEVICE eth2 IPADDR 192 168 0 253 NETMASK 255 255 255 2...

Page 109: ...an Access Manager High Availability Pair page 4 3 Caution To help prevent a potential network security threat Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it For more details see http seclists org fulldisclosure 2011 Apr 55 which applies to the Cisco ISE Cisco NAC Appliance and Cisco Secure ACS hardware platforms Step 2 After ...

Page 110: ...from CD ROM page 3 5 Install the Clean Access Server CAS Software from CD ROM page 3 22 Perform the Initial CAM Configuration page 3 6 Perform the Initial CAS Configuration page 3 24 Note If you already performed the initial installation but need to modify the original settings you can log in as user root and run the service perfigo config command Configuring Boot Settings on the Cisco NAC Applian...

Page 111: ...Access Manager and Clean Access Server Serial Connection to the CAM and CAS Figure 3 11 Boot Menu Step 3 Change the setting to boot from CD ROM by selecting CD ROM Drive from the menu and pressing the plus key Figure 3 12 Figure 3 12 Boot from CD ROM Drive Step 4 Press the F10 key to Save and Exit ...

Page 112: ...he format service perfigo command is used to enter a command from the command line Table 3 3 lists the commonly used Cisco NAC Appliance CLI commands Power Down the CAM To power down the CAM use one of the following recommended methods while connected via SSH Type service perfigo stop then power down the machine or Type sbin halt then power down the machine Table 3 3 CLI Commands Command Descripti...

Page 113: ... can be or must be used Use the CAS CLI Commands for Cisco NAC Appliance to access the CAS configuration directly for initial configuration of the CAS or if the web admin console is unavailable due to incorrect network or VLAN settings If you have purchased the Cisco NAC Profiler solution use the CAS CLI Commands for Cisco NAC Profiler to enable the Cisco NAC Profiler Collector application on the ...

Page 114: ...service when testing high availability failover for Virtual Gateway CASs over an SSH connection service perfigo platform This command allows you to determine whether the CAS is a standard Clean Access Server appliance or a Cisco NAC network module installed in a Cisco ISR router chassis The output displays either APPLIANCE or NME NAC as the platform setting For detailed installation and configurat...

Page 115: ...ctor on the CAS SSH to the CAS machine running the Collector service and type rpm q Collector Table 3 5 Cisco NAC Profiler Collector CLI Commands for CAS Command Description service collector start Starts the Collector service on the CAS service collector stop Shuts down the Collector service on the CAS service collector verify Displays the configured Collector Services running on the CAS Collecto...

Page 116: ... Perform the Initial CAS Configuration page 3 24 Step 5 When configuration is done enter service perfigo reboot or reboot to reboot the machine service collector restart Stops and then restarts the Collector service on the CAS This is used when the service is already running and you want to restart it service collector config Starts the Collector service configuration script to allow communication...

Page 117: ...ternet Explorer Version 6 page 3 49 Note If the FIPS card in a Cisco NAC 3315 3355 3395 CAM CAS ceases to work correctly make sure the FIPS card operation switch is set to O for operational mode as described in the FIPS 140 2 Compliance section of the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version If the FIPS card is still not operational you...

Page 118: ...es for all settings other than the master secret which in the case of an HA peer you specify to match the other appliance in the HA pair a Enter service perfigo stop on the HA Secondary CAM CAS b Enter service perfigo stop on the HA Primary CAM CAS c Enter service perfigo config to reconfigure the CAM CAS with the incorrect master secret Once you have completed the initial configuration you will a...

Page 119: ...cate or VLAN settings have rendered the Clean Access Server unreachable from the Clean Access Manager you can reset the Clean Access Server s configuration Note that resetting the configuration restores the Clean Access Server configuration to its install state Any configuration settings made since installation will be lost To reset the configuration Step 1 Connect to the Clean Access Server by SS...

Page 120: ...new one where the TLS 1 0 option should now be automatically enabled Note Mozilla Firefox has not shown this limitation Powering Down the NAC Appliance To power down the CAM CAS use one of the following recommended methods while connected via console SSH These methods prevent database corruption when powering down the CAM Type service perfigo stop and power down the machine Type sbin halt and powe...

Page 121: ...mands for HA page 4 43 Adding High Availability Cisco NAC Appliance To Your Network The following diagrams illustrate how HA CAMs and HA CASs can be added to an example core distribution access network with Catalyst 6500s in the distribution and access layers Figure 4 1 shows a network topology without Cisco NAC Appliance where the core and distribution layers are running HSRP Hot Standby Router P...

Page 122: ...A CAMs to Network Figure 4 3 shows how HA CASs can be added to the core distribution access network In this example the CAS is configured as an L2 OOB Virtual Gateway in Central Deployment The HA heartbeat connection is configured over both a serial interface and a dedicated eth2 interface Link failure based failover connection can also be configured over the eth0 and or eth1 interfaces Note Cisco...

Page 123: ...e CAM High Availability Overview page 4 4 Before Starting page 4 7 Connect the Clean Access Manager Machines page 4 8 Configure the HA Primary CAM page 4 9 Configure the HA Secondary CAM page 4 12 Upgrading an Existing Failover Pair page 4 16 Failing Over an HA CAM Pair page 4 16 Accessing High Availability Pair CAM Web Consoles page 4 17 Note You must use identical appliances e g NAC 3350 and NAC...

Page 124: ... encrypt and protect important data like other system passwords The master secret password needs to be the same for a CAM HA pair Similarly the CAS HA pair should maintain the same master secret password Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM CAS in HA deployments HA Secondary CAMs CASs are not ...

Page 125: ...g your CAM for HA you must use eth1 for heartbeat and database synchronization All other Ethernet interfaces eth0 and eth2 eth3 can be used only for heartbeat packets Note In CAM HA when heartbeat is configured on multiple interfaces and eth1 is down the standby CAM fails to do the database synchronization The perfigo service is stopped on the standby CAM as the database synchronization happens on...

Page 126: ...uidelines in the Restoring Configuration from CAM Snapshot HA CAM or HA CAS section of the Cisco NAC Appliance Clean Access Manager Configuration Guide Release 4 8 3 When the Clean Access Manager starts up it checks to see if its peer is active If not the starting CAM assumes the active role If the peer is active on the other hand the starting CAM becomes the standby You can configure two Clean Ac...

Page 127: ... The following sections describe the steps for setting up high availability Note The instructions in this section assume that you are adding a Clean Access Manager to a standalone CAM in order to configure the HA pair for a test network Before Starting Warning To prevent any possible data loss during database synchronization always make sure the standby secondary Clean Access Manager is up and run...

Page 128: ...as the least impact on your users Note Cisco NAC Appliance web admin consoles support the Internet Explorer 6 0 or above browser Connect the Clean Access Manager Machines There are two types of connections between HA CAM peers one for exchanging runtime data relating to the Clean Access Manager activities and one for the heartbeat signal In High Availability the Clean Access Manager always uses th...

Page 129: ...g When connecting high availability failover pairs via serial cable BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality See Supported Hardware and System Requirements for Cisco NAC Appliance Cisco Clean Access for more information Configure the HA Primary CAM On...

Page 130: ...ne containing the CA signed certificate and Private Key b Click Import Note that you will need to import the same certificate later to the HA Secondary CAS Step 2 Go to Administration CCA Manager and click the Failover tab Choose the HA Primary option from the Clear Access Manager Mode dropdown menu The high availability settings appear Figure 4 5 HA Primary Clean Access Manager Failover Settings ...

Page 131: ...ame such as rjcam_1 and rjcam_2 Type the host name of the HA Primary CAM in the Host Name field under Administration CCA Manager Network and type the host name of the HA Secondary CAM in the Peer Host Name field under Administration CCA Manager Failover Note A Host Name value is mandatory when setting up high availability while the Host Domain name is optional The Host Name and Peer Host Name fiel...

Page 132: ...ively distant locations on the network where latency issues might cause a standby HA CAM to assume the active role when it has not received heartbeat packets from its HA peer within the specified Heartbeat Timeout period In the resulting network scenario you could potentially end up with two active CAMs performing Cisco NAC Appliance functions requiring you to reboot both CAMs to re establish the ...

Page 133: ...Appliance Clean Access Manager Configuration Guide Release 4 8 3 Step 4 Go to the Administration CCA Manager Network and change the IP Address of the secondary CAM to an address that is different from the HA Primary CAM IP address and the Service IP address such as x x x 122 Figure 4 6 HA Secondary Clean Access Manager Failover Settings Step 5 Set the Host Name value to the same value set for the ...

Page 134: ...cally assigns 192 168 0 254 as the primary CAM s eth1 heartbeat interface and assumes the IP address for the peer secondary eth1 interface is 192 168 0 253 Warning To specify redundant failover links as described in Step 12 you must first configure the appropriate Ethernet interfaces on the CAM before you try to set up HA If you attempt to configure these interfaces however and the NICs on which t...

Page 135: ...s requiring you to reboot both CAMs to re establish the correct primary secondary HA peer relationship Warning When connecting high availability failover pairs via serial cable BIOS redirection to the serial port must be disabled for Cisco NAC Appliance CAMs CASs and any other server hardware platform that supports the BIOS redirection to serial port functionality See Supported Hardware and System...

Page 136: ...rading High Availability Pairs in the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version Failing Over an HA CAM Pair Warning To prevent any possible data loss during database synchronization always make sure the standby CAM is up and running before failing over the active CAM To failover an HA CAM pair SSH to the active machine in the pair and pe...

Page 137: ...e currently Active CAM Determining Primary and Secondary CAM In each CAM web console go to Administration CCA Manager Failover The Primary CAM is the CAM you configured as the HA Primary when you initially set up HA The Secondary CAM is the CAM you configured as the HA Secondary when you initially set up HA Note For releases prior to 4 0 0 the Secondary CAM is labeled as HA Standby CAM for the ini...

Page 138: ...rization feature in a CAS HA pair follow the guidelines in Backing Up and Restoring CAM CAS Authorization Settings in the Cisco NAC Appliance Clean Access Manager Configuration Guide Release 4 8 to ensure you are able to exactly duplicate your Authorization settings from one CAS to its high availability counterpart Clean Access Managers and Clean Access Servers use a local master secret password t...

Page 139: ...re a 160GB hard drive or 80GB hard drive Both of these hard drive sizes support High Availability HA deployments and you can safely deploy a 160GB model in an HA pair with an 80GB model HA CAMs CASs automatically establish an IPSec tunnel to ensure all communications between the HA Pair appliances remains secure across the network Starting from release 4 5 1 when a standby CAS assumes the role of ...

Page 140: ...r is active the starting CAS becomes the standby If the peer is not active then the starting CAS assumes the active role Typically Clean Access Servers are configured as an HA pair at the same time but you can add a new Clean Access Server to an existing standalone CAS to create a high availability pair In order for the pair to appear to the network and to the Clean Access Manager as one entity yo...

Page 141: ...Two IP addresses that are external to the CAS are configured for Link detect one on the trusted network the other on the untrusted network The active and standby CAS will send ICMP ping packets via eth0 to the IP address on the trusted network The active and standby CAS will send ICMP ping packets via eth1 to the IP address on the untrusted network Note If your network topology restricts Link dete...

Page 142: ...e external IP address will be in the CAS management subnet but on the untrusted side the traffic will be going out from the CAS in the native VLAN hence ensure the native VLAN is being forwarded towards the external IP device Refer to c Configure HA Primary Mode and Update page 4 28 and c Configure HA Secondary Mode and Update page 4 34 for additional configuration details CAS High Availability Re...

Page 143: ...r form to add the HA CAS pair to the CAM Note that the HA CAS pair is automatically added as the same Server Type for example Out of Band Virtual Gateway Host Names For heartbeat each CAS needs to have a unique hostname or node name For HA CAS pairs this host name will be provided to the peer and must be resolved via DNS or added to the peer s etc hosts file DHCP Synchronization When you configure...

Page 144: ...ny CAS network setting changes performed on an HA Primary CAS through the CAS management pages or CAS direct access web console must also be repeated on the HA Secondary CAS unit through its direct access web console These settings include updating the SSL certificate system time time zone DNS or Service IP See the Cisco NAC Appliance Clean Access Server Configuration Guide Release 4 8 3 and Modif...

Page 145: ...sed to send UDP heartbeat traffic related to high availability The interface used depends on the interfaces available on the server machine and the load level expected This interface can use either a dedicated Ethernet interface such as eth2 or eth3 or the trusted interface eth0 if a dedicated interface is not available When using an additional Ethernet interface you must manually configure the in...

Page 146: ... threat Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it For more details see http seclists org fulldisclosure 2011 Apr 55 which applies to the Cisco ISE Cisco NAC Appliance and Cisco Secure ACS hardware platforms When high availability mode is selected the serial console login ttyS0 is automatically disabled to free the serial...

Page 147: ... CAS in the URL address field as follows https primary_CAS_eth0_IP_address admin for example https 172 16 1 2 admin 2 Accept the temporary certificate and log in as user admin with the web console password specified during initial configuration Note In order to copy and paste values to from configuration forms Cisco recommends keeping both web consoles open for each CAS primary and secondary See a...

Page 148: ... Clean Access Server High Availability Pair Figure 4 12 DNS Tab c Configure HA Primary Mode and Update 5 Click the Failover General tab and choose HA Primary Mode from the Clean Access Server Mode dropdown menu Figure 4 13 Failover Choose Mode 6 In the HA Primary Mode form that opens type values for the following fields ...

Page 149: ... 50 243 in the sample Trusted side Link detect IP Address When an IP address e g for an upstream router is optionally entered in this field the CAS attempts to ping this external address Typically the same trusted side link detect address is entered on both the HA Primary and HA Secondary CAS but you can specify different addresses for each CAS if your network topology is different Untrusted side ...

Page 150: ... at least one link detect IP address on each CAS and a link detect timeout See also Choosing External IPs for Link Based Failover page 4 22 for further details Note The standby CAS may still receive heartbeat packets from the active CAS via other available heartbeat interfaces serial or eth2 for example even though its eth0 and or eth1 interface goes down If the standby CAS relies only on heartbea...

Page 151: ...d Ethernet connection is not available Secondary Heartbeat IP Address on eth0 The IP address of the trusted interface eth0 of the HA Secondary CAS Heartbeat UDP Interface 2 This setting specifies eth1 as a failover IP interface on the CAS If you configure your CAS HA system to use eth0 as the primary failover heartbeat connection you can also use the eth1 interface as a redundant heartbeat monitor...

Page 152: ...age for example and both come up as the active CAS in the HA pair Cisco recommends setting the Heartbeat Timeout to a value greater than 30 seconds The possible network implication in this scenario is that the to active CASs can introduce a Layer 2 broadcast loop that almost immediately brings down the network Another method you can use to avoid this scenario is to ensure you use an additional Eth...

Page 153: ...ined a CA signed certificate for the CAS be sure to follow the instructions in the Manage CAS SSL Certificates section of the Cisco NAC Appliance Clean Access Server Configuration Guide Release 4 8 3 a Click Browse and navigate to the directory on your local machine containing the CA signed certificate and Private Key b Click Import Note that you will need to import the same certificate later to t...

Page 154: ... order to copy and paste values to from configuration forms Cisco recommends keeping both web consoles open for each CAS primary and secondary See also a Access the HA Primary CAS Directly page 4 27 b Configure the Host Information for the HA Secondary CAS 3 In the Network Settings page open the DNS tab 4 Make sure the host name is a unique host name for the HA Secondary CAS such as rjcas_2 You mu...

Page 155: ...10 201 2 112 in the example in Figure 4 9 on page 4 20 Untrusted side Service IP Address The IP address by which the pair is addressed from the untrusted managed network Use the same value as for the primary CAS 10 201 50 243 in the example Trusted side Link detect IP Address Optional When an IP address e g for an upstream router is optionally entered in this field the CAS will attempt to ping thi...

Page 156: ...h0 and eth1 status via the heartbeat interface so if one of those two interfaces go down the standby CAS can still assume the active role even if the heartbeat from the active CAS does not trigger a failover event See Choosing External IPs for Link Based Failover page 4 22 for additional details Secondary Local Host Name This is filled in by default for the HA Secondary CAS as configured under Adm...

Page 157: ...a dedicated Ethernet connection is not available Cisco recommends using eth0 or another Ethernet interface for the Heartbeat UDP interface when configuring a Clean Access Server in HA mode Note Before you can specify either the eth2 or eth3 interfaces to be Heartbeat UDP Interface 3 you must manually configure the interface using the CAS CLI There are no eth2 or eth3 configuration settings IP addr...

Page 158: ...HA Secondary CAS Navigate to Administration SSL X509 Certificate and perform one of the following procedures If using a temporary certificate for the HA pair a Click Browse and navigate to the location on your local machine where you have saved the temporary certificate and Private Key you previously exported from the HA Primary CAS b Select the certificate file and click Import c Repeat the proce...

Page 159: ...o test your HA system use the following steps 1 Turn on the HA Primary CAS machine Make sure that the CAS is fully started and functioning before proceeding 2 From the client computer log off the user s session and try to log onto the untrusted managed network again as the user 3 The HA Secondary CAS should still be active and providing services for the user 4 Shut down the HA Secondary CAS machin...

Page 160: ...ps 1 3 for the secondary CAS and reboot the secondary CAS 5 While the secondary CAS reboots the primary CAS becomes active in the Clean Access Manager and displays the new settings To Change IP Settings for an HA CAS 1 From the CAM web admin console go to Device Management CCA Servers 2 Click the Manage button for the Clean Access Server 3 Click the Network tab 4 Change the IP Address Subnet Mask ...

Page 161: ...es The active CAS of a high availability pair is displayed in brackets next to the Service IP for the pair as shown in Figure 4 9 on page 4 20 The IP address of the secondary CAS should appear in brackets in the List of Servers with a status of Connected 14 Once the IP address of the secondary CAS appears in brackets in the List of Servers and the CAS has a status of Connected repeat steps 1 11 fo...

Page 162: ...way mode the Trusted and Untrusted interfaces have the same IP address as shown in Figure 4 18 Figure 4 18 Clean Access Server Network Settings Warning Do not physically connect the eth1 NIC2 untrusted network interface on a Virtual Gateway CAS until the proper configuration has been performed Refer to Install the Clean Access Server CAS Software from CD ROM page 3 22 for details After HA configur...

Page 163: ...th default uid root log_badpack false debug 0 debugfile var log ha debug logfile var log ha log logfacility local0 watchdog dev watchdog keepalive 2 warntime 10 deadtime 15 node rjcam_1 node rjcam_2 Verifying Active Standby Runtime Status on the HA CAM The following example shows how to use the CLI to determine the runtime status active or standby of each CAM in the HA pair You can run the fostate...

Page 164: ...terface UDP serial and Link detect interface information root rjcas_1 ha d more perfigo conf linux ha Mon Aug 28 18 50 15 PDT 2006 WIRELESS_SERVICEIP 10 10 20 4 PING_DEAD 25 HOSTNAME rjcas_1 HA_DEAD 15 PEERGUSSK PEERMAC 00 16 35 BF FE 67 PEERHOSTNAME rjcas_2 TRUSTED_PINGNODE 10 10 40 100 UNTRUSTED_PINGNODE 10 10 20 100 HAMODE PRIMARY PEERMAC0 00 16 35 BF FE 66 PEERHOSTIP 10 10 50 2 HA_FAILBACK off...

Page 165: ... linkdetect conf file so that it contains the interface names you want to monitor or if the linkdetect conf file does not currently exist on the CAS add the linkdetect conf file to this directory Step 4 Verify the contents of the file root rjcas_1 ha d more linkdetect conf The following network interfaces will be monitored for link healthiness The active CAS will change to standby mode when any li...

Page 166: ...ry CAS takes over its IP address will be listed in the brackets as the Active server Note The CAS configured in HA Primary Mode may not be the currently Active CAS Determining Primary and Secondary CAS Open the direct access console for each CAS in the pair by typing the following in the URL Address field of a web browser you should have two browsers open For the Primary CAS type https primary_CAS...

Page 167: ... dev cciss c0d0p2 console tty0 console ttyS0 9600n8 crashkernel 128M 16M initrd initrd 2 6 18 128 1 10 el5PAE img Step 5 Scroll to the second entry line starting with kernel and press e to edit the line Step 6 Delete the line console ttyS0 9600n8 and edit the line so it appears as follows kernel vmlinuz 2 6 18 128 1 10 el5PAE ro root dev cciss c0d0p2 console tty0 single Step 7 Press b to boot the ...

Page 168: ...AS Step 2 Power cycle the machine Step 3 After power cycling the GUI mode displays Press Ctrl x to switch to text mode This displays a boot prompt Step 4 At the prompt type linux single This boots the machine into single user mode Step 5 Type passwd Step 6 Change the password Step 7 Reboot the machine using the reboot command ...

Page 169: ...ssl core openssl org OpenSSL License Copyright 1998 2007 The OpenSSL Project All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reprod...

Page 170: ... to conform with Netscapes SSL This library is free for commercial and non commercial use as long as the following conditions are adhered to The following conditions apply to all code found in this distribution be it the RC4 RSA lhash DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson ...

Page 171: ...ECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE The lic...

Page 172: ...A 4 Cisco NAC Appliance Hardware Installation Guide OL 20326 01 Appendix A Open Source License Acknowledgements Notices ...

Page 173: ...ration reset 3 49 configuring the installation 3 6 to 3 11 3 24 considerations power 2 9 CPI tool identification 1 27 D deployment firewalls 3 36 E electricity safety with 2 3 electrostatic discharge 2 5 See ESD environment site 2 8 environmental specifications table 2 9 equipment racks rack mounting 2 9 safety with 2 3 ESD preventing effects of 2 5 eth1 3 28 F failover See high availability firew...

Page 174: ...ng 2 4 precautions general precautions 2 2 primary HA server 4 9 procedure method of 2 10 R rack mounting on 4 post 2 15 rack installation guidelines 2 7 rack mount 4 post hardware kit 2 15 2 22 rack mounting configuration guidelines 2 14 reboot command 3 49 resetting the configuration 3 49 restricted access warning 2 3 2 6 S safety guidelines 2 2 SELV circuits warning 2 4 serial number location 1...

Page 175: ...Index IN 3 Cisco NAC Appliance Hardware Installation Guide OL 20326 01 U untrusted interface 3 28 V VLAN settings at install 3 29 ...

Page 176: ...Index IN 4 Cisco NAC Appliance Hardware Installation Guide OL 20326 01 ...

Reviews:

No comments

Related manuals for NAC-3310

Panasonic WJ-NV200K Quick Reference Manual preview
WJ-NV200K
Brand: Panasonic Pages: 4
Paradyne 3172 Quick Reference preview
3172
Brand: Paradyne Pages: 20
Paradyne Compshere 3000 Series Notice preview
Compshere 3000 Series
Brand: Paradyne Pages: 2
Pantech Sprint PX-500 Quick Start Manual preview
Sprint PX-500
Brand: Pantech Pages: 17
Ubiquiti ER-4 Quick Start Manuals preview
ER-4
Brand: Ubiquiti Pages: 22
Ublox NEO-D9S Quick Start Manual preview
NEO-D9S
Brand: Ublox Pages: 17
IBM 3101 Maintenance Information preview
3101
Brand: IBM Pages: 63
Lochinvar Armor 101 Series Instructions Manual preview
Armor 101 Series
Brand: Lochinvar Pages: 28
Lochinvar Armor 101 Series Service Manual preview
Armor 101 Series
Brand: Lochinvar Pages: 44
ebm-papst R3G175-AF01-02 Operating Instructions Manual preview
R3G175-AF01-02
Brand: ebm-papst Pages: 11
Kontron 50099 067 User Manual preview
50099 067
Brand: Kontron Pages: 42
WAGO 750-459 Manual preview
750-459
Brand: WAGO Pages: 48
Comet Labs GS8+ User Manual preview
GS8+
Brand: Comet Labs Pages: 11
PairGain T1L2N20A Manual preview
T1L2N20A
Brand: PairGain Pages: 80
RTS AIO-8 Drawings Manual preview
AIO-8
Brand: RTS Pages: 3
Ubiquiti EdgeRouter ER-8 Quick Start Manual preview
EdgeRouter ER-8
Brand: Ubiquiti Pages: 20
Lantronix WP2002000-01 User Manual preview
WP2002000-01
Brand: Lantronix Pages: 75
IEI Technology WAFER-ULT4 User Manual preview
WAFER-ULT4
Brand: IEI Technology Pages: 136

Brands by name

Popular brands

Load more brands