The purpose of this document is to highlight the best practice
guidelines to ensure a successful implementation of the Policy Import Export
(PIE) feature in Cisco NAC.
Familiarity with the Cisco NAC Manager (Clean Access Manager) web interface
and the policies that are typically configured is required. Refer to the
Release Notes for Cisco NAC Release 4.5 for what is and is not supported
The information in this document is based on these software and
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Refer to the Cisco Technical Tips
Conventions for more information on document conventions.
In this section, you are presented with the information to configure
the features described in this document.
Follow the recommendations listed below to ensure a successful
implementation of the CAM Policy Import Export (PIE) feature.
Cisco recommends that you configure the same auto update settings
on both master and receiver NACMs (under Device Management > Clean
Access > Updates > Update) to ensure that all NACMs have the
same Cisco updates before you perform a Policy Sync. This is because the
current checks on the master override any checks on the receiver if you perform
Cisco updates on a receiver NACM with different auto update settings and then
perform a Policy Sync.
If you have an OOB NACM and any legacy NACM(s) with an IB-only
license, make sure that you use the OOB NACM as the master NACM and the legacy
NACM(s) as the receivers.
Once PIE is enabled for a particular component between the master
and the receiver, the receiver tables/information are completely replaced with
the information that is pushed from the master. It is not cumulative on the
receiver side. For example, if the receiver has a traffic rule that allows
access to mcafee.com and the master has traffic rules that allow access to
cisco.com and abc.com, but no rule for mcafee.com, the receiver and master will
have identical rules once the sync is executed: cisco.com and abc.com. Note
that the traffic rule for mcafee.com does not exist on the receiver after the
sync since the master did not have that rule. The best practice is to configure
the master NACM as desired but not modify the policy settings on the
The maximum number of supported receivers is 10. Although there is
no technical limitation to the number of receivers, the best practice
recommendation is to keep this to the supported number (fewer than or equal to
Note: For NACM HA-pairs, the Policy Sync settings are disabled for the
The master and receiver(s) must run the same version of Cisco NAC
(4.5 or higher) release.
Ensure that both NAC Managers have Certificate Authority (CA)
signed certificates and that the master and receiver trust each other's
certificates. Certificates are key to securing the synchronization between the
master and receiver. The master has to trust the certificate presented by the
receiver and vice versa. For this, it is necessary to ensure that each of them
has the root CA of its peer's certificate (the full chain if an intermediate CA
is involved) in its trusted CA list. In production deployments, the best
practice is to replace the self-signed certificates on the NAC Manager with CA
signed certificates. In short, make sure that the NAC Manager SSL certificate
best practices are met before you implement PIE.
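A way to check the mutual-trust requirement above before enabling PIE, as an added example that is not part of the Cisco document: it builds a throwaway PKI for two managers and verifies each manager's trusted CA list against the peer's certificate in both directions. The names (master, receiver), the CNs and the intermediate CA are constructed for the demo; it assumes openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not from the Cisco document: build a throwaway PKI for two
# NAC Managers and check, in both directions, whether each manager's trusted
# CA list can validate the peer's server certificate. Names, CNs and the
# intermediate CA are constructed; assumes openssl (1.1.1+) is on PATH.
set -e
WORK=$(mktemp -d)
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
: > empty.pem   # stands in for "no intermediate supplied"

# make_chain NAME: root CA -> intermediate CA -> server certificate for one manager.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1-root" \
    -keyout "$1-root.key" -out "$1-root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1-int" \
    -keyout "$1-int.key" -out "$1-int.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1-int.csr" -CA "$1-root.pem" -CAkey "$1-root.key" \
    -CAcreateserial -extfile ca.ext -out "$1-int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$1.csr" -CA "$1-int.pem" -CAkey "$1-int.key" \
    -CAcreateserial -out "$1.pem" 2>/dev/null
}

# peer_trusted TRUSTLIST INTERMEDIATES LEAF: exit 0 only if LEAF chains to a CA
# in TRUSTLIST. INTERMEDIATES may be the empty file, which models a trust list
# that holds the peer's root but not the intermediate the peer's cert hangs off.
peer_trusted() {
  if [ -s "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
  fi
}

# mutual_trust A B: both managers must be able to validate the other's chain.
mutual_trust() {
  peer_trusted "$2-trust.pem" "$1-int.pem" "$1.pem" &&
  peer_trusted "$1-trust.pem" "$2-int.pem" "$2.pem"
}
make_chain master
make_chain receiver
# Each manager's trusted CA list holds its own root and the peer's root.
cat master-root.pem receiver-root.pem > master-trust.pem
cp master-trust.pem receiver-trust.pem
peer_trusted receiver-trust.pem empty.pem master.pem \
  || echo "receiver cannot validate master without master's intermediate"
mutual_trust master receiver && echo "master and receiver trust each other's full chain"
```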
Make sure that you are logged in as a Full-Control Admin user to
the master NAC Manager in order to perform automatic or manual Policy
Auto sync allows you to schedule an automatic Policy Sync once
every X number of days (the minimum is 1 day). If you want to use auto sync
for PIE, Cisco strongly recommends that you perform a manual sync and verify
that the sync completes successfully before you enable auto sync between your
NAC Managers.
There is currently no verification procedure available for this