This document provides instructions on how to upgrade your existing
Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access
[CCA]) system to release 4.0(x).
This document assumes that a NAC Appliance software release earlier than
4.0(x) is installed and working properly.
The information in this document is based on the Cisco NAC
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Technical Tips Conventions for more information on document
This section provides general information on how to prepare to upgrade
your existing Cisco NAC Appliance (Clean Access) system to release 4.0(x). This
section contains these topics:
If you need to upgrade from a much older version of Cisco Clean Access,
you might need to perform an interim upgrade to a version that is supported for
upgrade to 4.0(x). In this case, refer to the applicable release notes under
Appliance (Clean Access) for upgrade instructions for the interim
release. Cisco recommends that you always test new releases on a different
system first before you upgrade your production system.
If you plan to upgrade to the latest Cisco NAC Appliance (Cisco Clean
Access) 4.0(x) ED, take note of these items:
Cisco NAC Appliance (Cisco Clean Access) release 4.0(x) ED is a major
software release with an Early Deployment status.
Cisco recommends you use the console/SSH upgrade procedure to upgrade
from release 3.6(x) or 4.0(x) to the latest 4.0(x) release (for example,
4.0(5)). Refer to
Upgrade—Standalone Machines for more information.
Note: When you upgrade from 3.6(x)/4.0(x) to 4.0(4) or later, you can
only perform web console upgrade on standalone (non-HA) CAM
machines. Standalone CAS machines still need to be upgraded from 3.6(x)/4.0(x)
to the latest 4.0(x) release using the console/SSH upgrade procedure.
Warning: Web upgrade is not supported for a software
upgrade of HA-CAM pairs. An upgrade of high availability Clean Access Manager
pairs must always be performed via console as described in
Instructions for Upgrading HA-CAM and HA-CAS Pairs.
You can upgrade from release 3.5(7), 3.5(8), 3.5(9), 3.5(10), or
3.5(11) to the latest 4.0(x) using the in-place upgrade procedure, in which the
installation CD is used to upgrade each machine in place. For standalone
machines, refer to
Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines for more information.
For HA machines, refer to
Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs for more
Read and review the installation or upgrade instructions completely
before you begin. The 3.5(7) and later to 4.0(x) in-place upgrade procedure is
different from minor release upgrades and requires a physical CD
If you have existing users, test the ED release in your lab
environment first and complete a pilot phase prior to production
Note: Your production license references the MAC address of your
production Clean Access Manager. When you test on a different box before you
upgrade your production Cisco NAC Appliance environment, you need to get a
trial license for your test servers. Refer to
Licenses for more information.
Note: Release 4.0(1) is obsolete. If your system runs 4.0(1), 3.5(x) or
3.6(x) and you wish to upgrade to release 4.0(x), upgrade to the latest 4.0(x)
5702/5703/5704 Broadcom NIC chipsets—If your system
uses 5702/5703/5704 Broadcom NIC chipsets, and you run either 4.0(x) or 3.6(x)
or plan to upgrade from 3.5(x), you need to perform a firmware upgrade from HP.
Issues with Broadcom NIC 5702/5703/5704 Chipsets in the
for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(x) for more
Cisco 2200/4400 Wireless LAN Controllers (Airespace
WLCs)—If you use the Clean Access Server (CAS) as a DHCP server in
conjunction with Airespace WLCs, you might need to configure DHCP options.
Refer to the
Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)
section of the Release Notes for
Cisco NAC Appliance (Cisco Clean Access), Version 4.0(x) for more
Out-of-Band (OOB) Deployments—Because the Cisco NAC
Appliance can control switch trunk ports for OOB (release 3.6(1) and later),
ensure the uplink ports for controlled switches are configured as
"uncontrolled" ports either before or after the upgrade.
Note: For additional OOB troubleshooting, refer to
Support for Cisco NAC Appliance for more information.
DHCP Options—When you upgrade from 3.5/3.6 to 4.0,
any existing DHCP options on the CAS are not retained. Administrators must
re-enter any previously configured DHCP options using the newly-enhanced Global
SNMP Settings—When you upgrade from 3.5/3.6 to 4.0,
any existing SNMP traps configured on the Clean Access Manager (CAM) are not
retained. Administrators must re-enter any previously configured SNMP settings
using the newly-enhanced SNMP page.
Caution: Review this section carefully before you start any Cisco NAC
Homogenous Clean Access Server Software
You must upgrade your Clean Access Manager and all your Clean Access
Servers concurrently. The Cisco NAC Appliance architecture is not designed for
heterogeneous support (for example, some Clean Access Servers that run 4.0
software and some that run 3.6 software).
Upgrade Downtime Window:
Schedule the upgrade process as downtime, based on the number of Clean
Access Servers you have. For minor release upgrades such as 4.0.0 to 4.0.x,
our estimates suggest that it takes approximately 15 minutes for the Clean
Access Manager upgrade and 10 minutes for each Clean Access Server upgrade.
Use this approximation to estimate your downtime window.
Note: Allow more time for the 3.5(7) and later to 4.0(x) in-place upgrade
process, particularly for high-availability (failover) pairs of
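The release-to-procedure rules and the downtime estimate described above, applied to a node inventory. This is an added example, not Cisco code; the inventory, its field names and the function names are assumptions made for illustration.

```python
import re

# Constructed inventory for illustration; names and fields are assumptions.
FLEET = [
    {"name": "cam-1", "role": "CAM", "ha": False, "release": "4.0(3)"},
    {"name": "cas-1", "role": "CAS", "ha": False, "release": "4.0(3)"},
    {"name": "cas-2", "role": "CAS", "ha": False, "release": "3.5(9)"},
]

def parse_release(text):
    """Split a release string such as '3.5(11)' into (3, 5, 11)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)\)", text.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    return tuple(int(g) for g in m.groups())

def upgrade_method(node):
    """Return the procedure this page names for the node's release."""
    major, minor, patch = parse_release(node["release"])
    if (major, minor) == (3, 5) and 7 <= patch <= 11:
        return "in-place (installation CD)"
    if (major, minor) in ((3, 6), (4, 0)):
        return "console/SSH"
    if (major, minor, patch) < (3, 5, 7):
        return "interim upgrade first"
    return "not covered by this page"

def web_upgrade_allowed(node):
    """Web console upgrade applies only to a standalone CAM on 3.6(x)/4.0(x)."""
    return (node["role"] == "CAM" and not node["ha"]
            and upgrade_method(node) == "console/SSH")

def plan(fleet):
    """Summarise methods, version mix and the minor-upgrade downtime estimate."""
    releases = {n["release"] for n in fleet}
    cas_count = sum(n["role"] == "CAS" for n in fleet)
    all_4_0 = all(parse_release(r)[:2] == (4, 0) for r in releases)
    return {
        "methods": {n["name"]: upgrade_method(n) for n in fleet},
        # CAM and CAS nodes on different releases are not a supported state.
        "mixed_releases": len(releases) > 1,
        # 15 min for the CAM plus 10 min per CAS applies to minor 4.0 upgrades
        # only; other paths need more time, so no figure is returned for them.
        "minor_upgrade_minutes": 15 + 10 * cas_count if all_4_0 else None,
    }

if __name__ == "__main__":
    print(plan(FLEET))
```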
Clean Access Server Effect During Clean Access Manager
While the Clean Access Manager upgrade is conducted, the Clean Access
Server (which has not yet been upgraded, and which loses connectivity to the
Clean Access Manager during Clean Access Manager restart or reboot) continues
to pass authenticated user traffic.
Caution: New users are not able to log on or be authenticated until the Clean
Access Server re-establishes connectivity with the Clean Access Manager.
Database Backup (Before and After Upgrade):
For safekeeping, it is recommended that you back up your current Clean
Access Manager installation (using Administration > Backup)
both before and after the upgrade and download each snapshot to your local
desktop/laptop. A backup performed before the upgrade enables you to
revert to your previous 3.5(x) or 3.6(x) database if you encounter problems
during upgrade. A backup performed immediately after the upgrade
preserves your upgraded tables and provides a baseline of your 4.0 database.
After the migration is complete, go to the database backup page
(Administration > Backup) in the Clean Access Manager web
console. Download and then delete all earlier snapshots from there as they are
no longer compatible. Refer to
a Clean Access Manager Database Backup Snapshot for more
Warning: You cannot restore a 3.6 or earlier database to a 4.0 Clean Access
Once you upgrade your software to 4.0, if you wish to revert to your
previous version of Cisco Clean Access software, you need to reinstall the
previous Cisco Clean Access version from the CD and recover your configuration
based on the backup you performed before the upgrade to 4.0.
For an upgrade via console/SSH, you need your Clean Access Manager
and Clean Access Server root user password (the default password
is cisco123). For a web console upgrade, you need your Clean Access Manager web
console admin user password (and, if applicable, the Clean Access Server direct
access console admin user password).