This document provides instructions for how to upgrade your existing Cisco Network Admission Control (NAC) Appliance (formerly Cisco Clean Access [CCA]) system to release 4.0(x).
This document assumes the NAC Appliance software earlier than 4.0(x) is installed and works properly.
The information in this document is based on the Cisco NAC Appliance.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Refer to Cisco Technical Tips Conventions for more information on document conventions.
This section provides general information for how to prepare to upgrade your existing Cisco NAC Appliance (Clean Access) system to release 4.0(x). This section contains these topics:
If you need to upgrade from a much older version of Cisco Clean Access, you might need to perform an interim upgrade to a version that is supported for upgrade to 4.0(x). In this case, refer to the applicable release notes under Cisco NAC Appliance (Clean Access) for upgrade instructions for the interim release. Cisco recommends that you always test new releases on a different system first before you upgrade your production system.
If you plan to upgrade to the latest Cisco NAC Appliance (Cisco Clean Access) 4.0(x) ED, take note of these items:
Cisco NAC Appliance (Cisco Clean Access) release 4.0(x) ED is a major software release with an Early Deployment status.
Cisco recommends you use the console/SSH upgrade procedure to upgrade from release 3.6(x) or 4.0(x) to the latest 4.0(x) release (for example, 4.0(5)). Refer to Console/SSH Upgrade—Standalone Machines for more information.
Note: When you upgrade from 3.6(x)/4.0(x) to 4.0(4) or later, you can only perform web console upgrade on standalone (non-HA) CAM machines. Standalone CAS machines still need to be upgraded from 3.6(x)/4.0(x) to the latest 4.0(x) release using the console/SSH upgrade procedure.
Warning: Web upgrade is not supported for a software upgrade of HA-CAM pairs. An upgrade of high availability Clean Access Manager pairs must always be performed via console as described in Console/SSH Instructions for Upgrading HA-CAM and HA-CAS Pairs.
You can upgrade from release 3.5(7), 3.5(8), 3.5(9), 3.5(10), or 3.5(11) to the latest 4.0(x) using the in-place upgrade procedure, in which the installation CD is used to upgrade each machine in place. For standalone machines, refer to In-Place Upgrade from 3.5(7)+ to 4.0(x)—Standalone Machines for more information. For HA machines, refer to In-Place Upgrade from 3.5(7)+ to 4.0(x)—HA-Pairs for more information.
Read and review the installation or upgrade instructions completely before you begin. The 3.5(7) and later to 4.0(x) in-place upgrade procedure is different from minor release upgrades and requires a physical CD installation.
If you have existing users, test the ED release in your lab environment first and complete a pilot phase prior to production deployment.
Note: Your production license references the MAC address of your production Clean Access Manager. When you test on a different box before you upgrade your production Cisco NAC Appliance environment, you need to get a trial license for your test servers. Refer to Evaluation Licenses for more information.
Note: Release 4.0(1) is obsolete. If your system runs 4.0(1), 3.5(x) or 3.6(x) and you wish to upgrade to release 4.0(x), upgrade to the latest 4.0(x) release directly.
5702/5703/5704 Broadcom NIC chipsets—If your system uses 5702/5703/5704 Broadcom NIC chipsets, and you run either 4.0(x) or 3.6(x) or plan to upgrade from 3.5(x), you need to perform a firmware upgrade from HP. Refer to Known Issues with Broadcom NIC 5702/5703/5704 Chipsets in the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(x) for more information
Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs)—If you use the Clean Access Server (CAS) as a DHCP server in conjunction with Airespace WLCs, you might need to configure DHCP options. Refer to the Known Issue with Cisco 2200/4400 Wireless LAN Controllers (Airespace WLCs) section of the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.0(x) for more information.
Out-of-Band (OOB) Deployments—Because the Cisco NAC Appliance can control switch trunk ports for OOB (release 3.6(1) and later), ensure the uplink ports for controlled switches are configured as "uncontrolled" ports either before or after the upgrade.
Note: For additional OOB troubleshooting, refer to Switch Support for Cisco NAC Appliance for more information.
DHCP Options—When you upgrade from 3.5/3.6 to 4.0, any existing DHCP options on the CAS are not retained. Administrators must re-enter any previously configured DHCP options using the newly-enhanced Global Options page.
SNMP Settings—When you upgrade from 3.5/3.6 to 4.0, any existing SNMP traps configured on the Clean Access Manager (CAM) are not retained. Administrators must re-enter any previously configured SNMP settings using the newly-enhanced SNMP page.
Caution: Review this section carefully before you start any Cisco NAC Appliance upgrade.
Homogenous Clean Access Server Software Support:
You must upgrade your Clean Access Manager and all your Clean Access Servers concurrently. The Cisco NAC Appliance architecture is not designed for heterogeneous support (for example, some Clean Access Servers that run 4.0 software and some that run 3.6 software).
Upgrade Downtime Window:
Based on the number of Clean Access Servers you have, the upgrade process should be scheduled as downtime. For minor release upgrades such as 4.0.0 to 4.0.x, our estimates suggest that it takes approximately 15 minutes for the Clean Access Manager upgrade and 10 minutes for each Clean Access Server upgrade. Use this approximation to estimate your downtime window.
Note: Allow more time for the 3.5(7) and later to 4.0(x) in-place upgrade process, particularly for high-availability (failover) pairs of machines.
Clean Access Server Effect During Clean Access Manager Downtime:
While the Clean Access Manager upgrade is conducted, the Clean Access Server (which has not yet been upgraded, and which loses connectivity to the Clean Access Manager during Clean Access Manager restart or reboot) continues to pass authenticated user traffic.
Caution: New users are not able to logon or be authenticated until the Clean Access Server re-establishes connectivity with the Clean Access Manager.
Database Backup (Before and After Upgrade):
For safekeeping, it is recommended to back up your current Clean Access Manager installation (using Administration > Backup) both before and after the upgrade and to save the snapshot on your local computer. Make sure to download the snapshots to your desktop/laptop for safekeeping. When you perform a backup before an upgrade, it enables you to revert to your previous 3.5(x) or 3.6(x) database if you encounter problems during upgrade. When you perform a backup immediately after you upgrade, it preserves your upgraded tables and provides a baseline of your 4.0 database. After the migration is complete, go to the database backup page (Administration > Backup) in the Clean Access Manager web console. Download and then delete all earlier snapshots from there as they are no longer compatible. Refer to Create a Clean Access Manager Database Backup Snapshot for more information.
Warning: You cannot restore a 3.6 or earlier database to a 4.0 Clean Access Manager.
Once you upgrade your software to 4.0, if you wish to revert to your previous version of Cisco Clean Access software, you need to reinstall the previous Cisco Clean Access version from the CD and recover your configuration based on the backup you performed before the upgrade to 4.0.
For an upgrade via console/SSH, you need your Clean Access Manager and Clean Access Server root user password (default password is cisco123). For a web console upgrade, you need your Clean Access Manager web console admin user password (and, if applicable, the Clean Access Server direct access console admin user password).