Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(2)
Administering the CAM

Table Of Contents

Administering the CAM

Overview

Network & Failover

Set System Time

Manage CAM SSL Certificates

Generate Temporary Certificate

Export CSR/Private Key/Certificate

Verify Currently Installed Private Key and Certificates

Import Signed Certificate

View Certificate Files Uploaded for Import

Troubleshooting Certificate Issues

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Certificate-Related Files

System Upgrade

Licensing

Support Logs

Admin Users

Admin Groups

Add a Custom Admin Group

Admin Users

Login / Logout an Admin User

Add an Admin User

Edit an Admin User

Active Admin User Sessions

Manage System Passwords

Change the CAM Web Console Admin Password

Change the CAS Web Console Admin User Password

Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)

Recovering Root Password for CAM/CAS (Release 3.5.x or Below)

Backing Up the CAM Database

Automated Daily Database Backups

Manual Backups from Web Console

Creating Manual Backup

Backing Up Snapshots to Another Server via FTP

Restoring Configuration from CAM Snapshot

Restoring Configuration from CAM Snapshot In HA Deployment

Database Recovery Tool

Manual Database Backup from SSH

API Support


Administering the CAM


This chapter discusses the administration pages for the Clean Access Manager. Topics include:

Overview

Network & Failover

Set System Time

Manage CAM SSL Certificates

System Upgrade

Licensing

Support Logs

Admin Users

Manage System Passwords

Backing Up the CAM Database

API Support

For details on the User Pages module, see Chapter 5, "Configuring User Login Page and Guest Access."

For details on high availability configuration, see Chapter 15, "Configuring High Availability (HA)."

Overview

At installation time, the initial configuration script provides for many of the Clean Access Manager's internal administration settings, such as its interface addresses, DNS servers, and other network information. The Administration module (Figure 14-1) allows you to access and change these settings after installation has been performed.

Figure 14-1 Administration Module

The CCA Manager pages of the Administration module allow you to perform the following administration tasks:

Change network settings for the Clean Access Manager. See Network & Failover.

Set up Clean Access Manager High-Availability mode. See Chapter 15, "Configuring High Availability (HA)."

Manage Clean Access Manager system time and SSL certificates. See Set System Time and Manage CAM SSL Certificates.

Fully upgrade the software on the Clean Access Manager. See the "Upgrading to a New Software Release" section of the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(x).

Manage Clean Access Manager license files. See Licensing.

Create support logs for the CAM to send to customer support. See Support Logs.

The User Pages tabs of the Administration module allow you to perform these administration tasks:

Add the default login page, and create or modify all web user login pages. See Chapter 5, "Configuring User Login Page and Guest Access."

Upload resource files to the Clean Access Manager. See Upload a Resource File, page 5-12.

The Admin Users pages of the Administration module (see Admin Users) allow you to perform these administration tasks:

Add and manage new administrator groups and admin users/passwords

Configure and manage administrator privileges as new features are added

The Backup page of the Administration module allows you to make manual snapshots of your Clean Access Manager in order to back up your CAM's configuration. See Backing Up the CAM Database.

In addition, the CAM provides an API interface described in API Support.

Network & Failover

You can view or change the Clean Access Manager's network settings from the Administration > CCA Manager > Network & Failover page.

Changes to the network settings generally require a reboot of the Clean Access Manager machine to take effect. Therefore, if making changes to a production machine, make sure to perform the changes when rebooting the machine will have minimal impact on the users.


Note The service perfigo config configuration utility script also lets you modify CAM network settings. Because the configuration utility is used from the command line, it is particularly useful if the admin console web server is not responsive due to incorrect network or VLAN settings. For further details, see Perform the Initial Configuration, page 2-7.


To Modify CAM Network Settings

1. Go to Administration > CCA Manager > Network & Failover.

Figure 14-2 CAM Network & Failover

2. In the Network & Failover page, modify the settings as desired from the following fields/controls:

IP Address—The eth0 IP address of the CAM machine.

Subnet Mask—The subnet mask for the IP address.

Default Gateway—The default IP gateway for the CAM.

Host Name—The host name for the CAM. The name is required in high availability mode.

Host Domain—An optional field for your domain name suffix. To resolve a host name to an IP address, the DNS requires the fully qualified host name. Within a network environment, users often type host names in a browser without a domain name suffix, for example:

http://siteserver

The host domain value is used to complete the address. For example, with a suffix value of cisco.com, the request URL would be:

http://siteserver.cisco.com

DNS Servers—The IP address of the DNS (Domain Name Service) server in your environment. Separate multiple addresses with commas. If you specify more than one DNS server, the Clean Access Manager tries to contact them one by one, and stops when it receives a response.

High-Availability Mode—The operating mode of the Clean Access Manager:

Standalone Mode - If the Clean Access Manager is operating alone.

HA-Primary Mode - For the primary Clean Access Manager in a failover configuration.

HA-Standby Mode - For the secondary Clean Access Manager.

If you choose one of the HA (high availability) options, additional fields appear. For information on the fields and setting up high availability, see Chapter 15, "Configuring High Availability (HA)."

3. Click the Update button.

4. Click Reboot to restart the Clean Access Manager with the new settings.

Set System Time

For logging purposes and other time-sensitive tasks (such as SSL certificate generation), the time on the Clean Access Manager and Clean Access Servers needs to be correctly synchronized. The System Time tab lets you set the time on the Clean Access Manager and modify the time zone setting for the Clean Access Manager operating system.

After CAM and CAS installation, you should synchronize the time on the CAM and CAS before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. The easiest way to ensure this is to automatically synchronize time with the time server (Sync Current Time button).


Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS's SSL certificate.


The time can be modified on the CAS under Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time. See the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2) for details.

To view the current time:

1. Go to Administration > CCA Manager > System Time.

2. The system time for the Clean Access Manager appears in the Current Time field.

Figure 14-3 Time Form

There are two ways to adjust the system time: manually, by typing in the new time, or automatically, by synchronizing from an external time server.

To manually modify the system time:

1. In the System Time form, either:

Type the time in the Date & Time field and click Update Current Time. The time should be in the form: mm/dd/yy hh:ss PM/AM

Or, click the Sync Current Time button to have the time updated by the time servers listed in the Time Servers field.

To automatically synchronize to the time server:

The default time server is the server managed by the National Institute of Standards and Technology (NIST), at time.nist.gov. To specify another time server:

1. In the System Time form type the URL of the server in the Time Servers field. The server should provide the time in NIST-standard format. Use a space to separate multiple servers.

2. Click Update Current Time.

If more than one time server is listed, the CAM tries to contact the first server in the list when synchronizing. If available, the time is updated from that server. If it is not available, the CAM tries the next one, and so on, until a server is reached.

The CAM will then automatically synchronize time with the configured NTP server at periodic intervals.

To change the time zone of the server system time:

1. In the Current Time tab of the Administration > CCA Manager page, choose the new time zone from the Time Zone drop-down list.

2. Click Update Time Zone.

Manage CAM SSL Certificates

The elements of Cisco NAC Appliance communicate securely over Secure Sockets Layer (SSL) connections. Cisco NAC Appliance uses SSL connections for the following:

Between the CAM and the CAS

Between the CAM and the browser accessing the CAM web admin console

Between the CAS and end-users connecting to the CAS

Between the CAS and the browser accessing the CAS direct access web console

During installation, the configuration utility script for both the CAM and CAS requires you to generate a temporary SSL certificate for the server being installed (CAM or CAS). A corresponding private key is also generated with the temporary certificate.

For a production deployment, you will typically want to replace the temporary certificate for the Clean Access Server with a CA-signed SSL certificate, since the CAS certificate is the one that is visible to the end user. Otherwise, if the Clean Access Server has a temporary certificate, users accessing the network will have to explicitly accept the certificate from the CAS each time they login. For details on managing SSL certificates for the CAS, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2).


Note Due to Java version dependencies in the system software, Cisco Clean Access only supports 1024- and 2048-bit key lengths for SSL certificates.


For the Clean Access Manager, it is not necessary to use a CA-signed certificate and you can continue to use a temporary certificate, if desired. The following sections describe how to manage SSL certificates for the CAM:

Generate Temporary Certificate

Export CSR/Private Key/Certificate

Verify Currently Installed Private Key and Certificates

Import Signed Certificate

View Certificate Files Uploaded for Import

Troubleshooting Certificate Issues


Note You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean Access Server. You must buy a separate certificate for each Clean Access Server.


Web Console Pages for SSL Certificate Management

The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files are kept on the CAS machine. After installation, the CAM and CAS certificates can be managed from the following web console pages (respectively):

Clean Access Manager Certificates:

Administration > CCA Manager > SSL Certificate

Clean Access Server Certificates:

CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs, or

CAS direct access console: Administration > SSL Certificate

The CAM web admin console lets you perform the following SSL certificate-related operations:

Generate a temporary certificate (and corresponding private key).

Generate a PEM-encoded PKCS #10 Certificate Signing Request (CSR) based on the current temporary certificate.

Import and export the private key. The Export Key feature is used to save a backup copy of the Private Key on which the CSR is based. When a CA-signed certificate is returned from the Certificate Authority and imported into the CAM, this Private Key must be used with it.

Typical Steps for New Installs

For new installations, some typical steps for managing the CAM certificate are as follows.


Note It is not necessary to have CA-signed certificates for the CAM.


1. Synchronize time

After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before regenerating the temporary certificate on which the Certificate Signing Request will be based. See the next section, Set System Time, for details.

2. Check DNS settings for the CAM

If planning to use the DNS name instead of the IP address of your servers for CA-signed certs, you will need to verify the CAM settings and regenerate a temporary certificate. See Regenerating Certificates for DNS Name Instead of IP for details.

3. Generate Temporary Certificate

A temporary certificate and private key are automatically generated during CAM installation. If changing time or DNS settings on the CAM, regenerate the temporary certificate and private key prior to creating the Certificate Signing Request.

4. Export (Backup) the private key to a local machine for safekeeping/backup.

It is a good idea to always back up the private key corresponding to the current temporary certificate to a local hard drive for safekeeping before you generate and export the Certificate Signing Request. See Export CSR/Private Key/Certificate.

5. Export (save) the Certificate Signing Request (CSR) to a local machine.
See Export CSR/Private Key/Certificate.

6. Send the CSR file to a Certification Authority (CA) authorized to issue trusted certificates.

7. After the CA signs and returns the certificate, import the CA-signed certificate to your server.

When the CA-signed certificate is received from the CA, upload it as a PEM-encoded file to the CAM temporary store. See Import Signed Certificate.

8. If necessary, upload any required intermediate CA certificate(s) as a single PEM-encoded file to the CAM temporary store.

9. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key in the temporary store and install the verified certificates to the CAM.

10. Test access to the CAM.


Note Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the private key to a secure location when you are generating a CSR for signing (for safekeeping and to have the private key handy).


For additional details, see also Troubleshooting Certificate Issues.

Generate Temporary Certificate

The following procedures describe how to generate a new temporary certificate for the CAM. After generating a temporary certificate, you can generate a certificate signing request based on the certificate.

1. Go to Administration > CCA Manager> SSL Certificate (Figure 14-4).

2. Select Generate Temporary Certificate (default) from the Choose an action dropdown list.

Figure 14-4 SSL Certificate: Generate Temporary Certificate

3. Type appropriate values for the following fields:

Full Domain Name or IP - The fully qualified domain name or IP address of the Clean Access Manager for which the certificate is to apply. For example: camanager.<your_domain_name>

Organization Unit Name - The name of the unit within the organization, if applicable.

Organization Name - The legal name of the organization.

City Name - The city in which the organization is legally located.

State Name - The full name of the state in which the organization is legally located.

2-letter Country Code - The two-character, ISO-format country code, such as GB for Great Britain or US for the United States.

4. When finished, click Generate. This generates a new temporary certificate and new private key.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.


Export CSR/Private Key/Certificate

Exporting a CSR generates a PEM-encoded PKCS#10-formatted Certificate Signing Request suitable for submission to a certificate authority. The CSR will be based on the temporary certificate and private key currently in the keystore database.

To create a certificate request:

1. Go to Administration > CCA Manager> SSL Certificate (Figure 14-5).

2. Select Export CSR/Private Key/Certificate from the Choose an action dropdown list.

Figure 14-5 SSL Certificate: Export CSR / Private Key /Certificate

3. Create a backup of the private key used to generate the request by clicking the Export button for Currently Installed Private Key (A) in the Export CSR/Private Key/Certificate Request form. You are prompted to save or open the file (see Filenames for Exported Files). Save it to a secure location.


Note Cisco Clean Access only supports 1024- and 2048-bit key lengths for SSL certificates.


4. Click Export CSR (B). A certificate signing request file for the CAS is generated and made available for downloading (see Filenames for Exported Files).


Note This step will generate a certificate request based on the currently installed (temporary) certificate and private key pair. Make sure these are the ones for which you want to submit the CSR to the certificate authority.


5. Save the CSR file to your hard drive (or Open it immediately in a text editor if you are ready to fill out the certificate request form). Use the CSR file to request a certificate from a certificate authority. When you order a certificate, you may be asked to copy and paste the contents of the CSR file into a CSR field of the order form.

6. When you receive the CA-signed certificate back from the certification authority, you can import it into the Clean Access Manager as described in Import Signed Certificate.

After the CA-signed cert is imported, the "currently installed certificate" is the CA-signed certificate. You can always optionally Export the Currently Installed Certificate if you need to access a backup of this certificate later.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.


Filenames for Exported Files

File names for SSL Certificate files that can be exported from the CAM are as follows:

File Name (1)              Description
smartmgr_csr.pem           CAM Certificate Signing Request (CSR)
smartmgr_key.pem           CAM Currently Installed Private Key
smartmgr_crt.cer (2)       CAM Currently Installed Certificate

(1) For release 3.6.0.1 and below the filename extension is .csr instead of .pem.

(2) For release 3.6(1) only, the filename is smartmgr_crt.pem.


Verify Currently Installed Private Key and Certificates

You can verify the following files by viewing them under Administration > CCA Manager > SSL Certificate | Export CSR/Private Key/Certificate (Figure 14-5):

Currently Installed Private Key

Currently Installed Certificate

Currently Installed Certificate Details

Currently Installed Root/Intermediate CA Certificate

Currently Installed Root/Intermediate CA Certificate Details


Note You must be currently logged into your web console session to view any certificate files.


On the CAM, View/Details/Delete buttons are disabled (greyed out) if the files are not installed (for export) or not uploaded (for import). For example, if only a temporary certificate is present on the CAM, the "Root/Intermediate CA" and "Currently Installed Root/Intermediate CA" View/Details/Delete buttons will be disabled on the Import and Export forms, respectively.

Clicking View for "Currently Installed Private Key" brings up the dialog shown in Figure 14-6 (BEGIN PRIVATE KEY/END PRIVATE KEY).

Figure 14-6 View Currently Installed Private Key

Clicking View for "Currently Installed Certificate" brings up the dialog shown in Figure 14-7 (BEGIN CERTIFICATE / END CERTIFICATE).

Figure 14-7 View Currently Installed Certificate

Clicking Details for "Currently Installed Certificate" brings up the dialog shown in Figure 14-8 ("Certificate:"). The Currently Installed Certificate Details form provides an easy way to verify whether you have a temporary or CA-signed certificate. The most important fields to check are:

Issuer —Who signed the current certificate. The temporary certificate generated during installation will have the Issuer information shown in Figure 14-8.

Validity—The creation date ("Not Before:") and expiry date ("Not After":) of the certificate.


Note The time set on the CAS must fall within the creation date/expiry date range set on the SSL certificate of the CAM. The time set on the user machine must fall within the creation date/expiry date range set on the SSL certificate of the CAS.


Subject—The server and organizational information you entered when you generated the temporary certificate.

Begin Certificate/End Certificate—The actual certificate is displayed in this section. It is identical to the information shown when you click View "Currently Installed Certificate".

Figure 14-8 View Currently Installed Certificate Details (Example Temporary Certificate)

Clicking View or Details for "Currently Installed Root/Intermediate CA Certificate" will bring up similar dialogs for the root or intermediate certificates you have installed on your CAM.

Import Signed Certificate

If you have received a CA-signed PEM-encoded X.509 certificate for the Clean Access Manager, you can import it into the Clean Access Manager as described here. Before starting, make sure that the root and CA-signed certificate files are in an accessible file directory location. If using a certificate authority for which intermediate CA certificates are necessary, make sure these files are also present and accessible.

1. Go to Administration > CCA Manager> SSL Certificate (Figure 14-9).

2. Select Import Certificate from the Choose an action dropdown list.

Figure 14-9 SSL Certificate: Import Certificate (CAM)

3. Click the Browse button next to the Certificate File field and locate the certificate file on your directory system.


Note Make sure there are no spaces in the filename when importing files (you can use underscores).


4. Select the File Type from the dropdown menu:

CA-signed PEM-encoded X.509 Cert—Select this option to upload the PEM-encoded CA-signed certificate.

Root/Intermediate CA—Select this option to upload the PEM-encoded intermediate CA certificate or root certificate.


Note If there are multiple intermediate CA files, you must copy and paste them into a single Intermediate CA PEM-encoded file for upload to the CAM. Only one Intermediate CA file can be uploaded to the CAM.


Private Key—Select this option if you need to upload the Private Key for the CAM (from backup). Typically, you only need to do this if the current Private Key does not match the Private Key used to create the original CSR on which the CA-Signed certificate is based.

Trust Non-Standard CA—On the CAM, select this option if uploading a certificate signed by a non-standard organization that is needed for communication between the CAM and an external server, such as an LDAP authentication server. For example, you may have a non-standard certificate for your LDAP server that is signed by your institution (e.g. university). If the authentication server certificate is signed by a CA that is not well known, import the CA cert using the Trust Non-Standard CA option to have it accepted. The Clean Access Manager must be rebooted for this to take effect.

5. Click Upload to upload the certificate file to the temporary store on the Clean Access Manager.

6. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key in the temporary store and install the verified certificate files to the correct locations in the CAM. If any files are missing, errors will be displayed indicating which files need to be uploaded. For example, if an intermediate CA certificate is required for the certificate authority you are using, upload it to the CAM temporary store in order for the certificate chain to be verified and installed on the CAM.


Note Neither the CAM nor CAS will install an unverifiable certificate chain. You must have delimiters (Begin/End Certificate) for multiple certificates in one file, but you do not need to upload certificate files in any particular sequence because they are verified in the temporary store first before being installed.


7. If you try to upload a root/intermediate CA certificate for the CAM that is already in the list, you may see an error message "this intermediate CA is not necessary" after you click the Verify and Install Uploaded Certificates button. You must Delete the uploaded Root/Intermediate CA in order to remove any duplicate files.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS is shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM is shown.


View Certificate Files Uploaded for Import

You can verify certificate files you have uploaded to the temporary store for import into the CAM under Administration > CCA Manager> SSL Certificate | Import Certificate (Figure 14-9), as follows:

Uploaded Private Key

Uploaded CA-Signed Certificate

Uploaded CA-Signed Certificate Details

Uploaded Root/Intermediate CA Certificate

Uploaded Root/Intermediate CA Certificate Details


Note You must be currently logged into your web console session to view any certificate files.


On the CAM, View/Details/Delete buttons are disabled (greyed out) if the files are not installed (for export) or not uploaded (for import). For example, if only a temporary certificate is present on the CAM, the "Root/Intermediate CA" and "Currently Installed Root/Intermediate CA" View/Details/Delete buttons will be disabled on the Import and Export forms, respectively.

Troubleshooting Certificate Issues

Issues can arise during Cisco NAC Appliance certificate management, particularly if there are mismatched SSL certificates somewhere along the certificate chain. Common problems on SSL certificates can be time-oriented (if the clocks are not synchronized on the CAM and CAS, authentication fails), IP-oriented (certificates are created for the wrong interface) or information-oriented (wrong or mistyped certificate information is imported). This section describes the following:

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Certificate-Related Files

No Web Login Redirect / CAS Cannot Establish Secure Connection to CAM

The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:

No redirect after web login— users continue to see the login page after entering user credentials.

Agent users attempting login get the following error: "Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>" (Figure 14-10)

These errors typically indicate one of the following certificate-related issues:

The time difference between the CAM and CAS is greater than 5 minutes.

Invalid IP address

Invalid domain name

CAM is unreachable

To identify common issues:

1. Check the CAM's certificate and verify it has not been generated with the IP address of the CAS.

2. Check the time set on the CAM and CAS. The time set on the CAM and the CAS must be 5 minutes apart or less.

To resolve these issues:

1. Set the time on the CAM and CAS correctly first (see Set System Time)

2. Regenerate the certificate on the CAS using the correct IP address or domain.

3. Reboot the CAS.

4. Regenerate the certificate on the CAM using the correct IP address or domain.

5. Reboot the CAM.

Figure 14-10 Troubleshooting: "CAS Cannot Establish Secure Connection to CAM"


Note If nslookup and date run on the CAS show that both the DNS and time settings on the CAS are correct, this can indicate that the cacerts file on the CAS is corrupted. In this case Cisco recommends backing up the existing cacerts file from /usr/java/j2sdk1.4/lib/security/cacerts, then overwriting it with the file from /perfigo/common/conf/cacerts, then performing "service perfigo restart" on the CAS.



Note If the error message on the client is "Clean Access Server is not properly configured, please report to your administrator," this typically is not a certificate issue but indicates that a default user login page has not been added to the CAM. See Add Default Login Page, page 5-3 for details.


For additional information, see also:

Troubleshooting when Adding the Clean Access Server, page 3-4

Troubleshooting the Agent, page 11-77

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

This issue can arise if a new temporary certificate is generated but a CA-signed certificate is returned for the Certificate Signing Request (CSR) generated from a previous temporary certificate and private key pair.

For example, an administrator generates a CSR, backs up the private key, and then sends the CSR to a certificate authority (CA), such as VeriSign.

Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent. When the CA-signed certificate is returned from the CA, the private key on which the CA-signed certificate is based no longer matches the one in the Clean Access Server.

To resolve this issue, re-import the old private key and then install the CA-signed certificate.

Regenerating Certificates for DNS Name Instead of IP

If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:

Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the private key when you are generating a CSR for signing (to have the private key handy).

When importing certain CA-signed certificates, the system may warn you that you need to import the root certificate (the CA's root certificate) used to sign the CA-signed certificate, or the intermediate root certificate may need to be imported.

Make sure there is a DNS entry in the DNS server.

Make sure the DNS address in your Clean Access Server is correct.

For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).

Cisco recommends rebooting when you generate a new certificate or import a CA-signed certificate.

When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to accept the certificate.

Certificate-Related Files

For troubleshooting purposes, Table 14-1 lists certificate-related files on the Clean Access Manager. For example, if the admin console becomes unreachable due to a mismatch of the CA-certificate/private key combination, these files may need to be modified directly in the file system of the Clean Access Manager.

Table 14-1 Clean Access Manager Certificate-Related Files

File                                          Description
/root/.tomcat.key                             Private key
/root/.tomcat.crt                             Certificate
/root/.tomcat.csr                             Certificate Signing Request
/root/.chain.crt                              Intermediate certificate
/perfigo/common/conf/perfigo-ca-bundle.crt    The root CA bundle


For additional information on Clean Access Manager files, see Log Files, page 13-17.
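The mismatch described under "Private Key in Clean Access Server Does Not Match the CA-Signed Certificate" can be confirmed before anything is imported: a private key, the CSR made from it and the certificate a CA returns for that CSR all carry the same RSA public modulus, so comparing a digest of the modulus shows whether the files belong together. The following shell script is an added example, not part of this guide or of the Cisco NAC Appliance software. It assumes the openssl command-line tool is available and generates its own constructed key and certificate material for the demonstration; on a CAM the same functions would be pointed at the files in Table 14-1 (/root/.tomcat.key, /root/.tomcat.csr, /root/.tomcat.crt, /root/.chain.crt and the root CA bundle).

```shell
#!/bin/sh
# Added example, not Cisco's code: check that a private key, a CSR and a
# certificate carry the same RSA modulus, and that a certificate verifies
# against a CA bundle. Assumes the openssl command-line tool is installed.

# Print the SHA-256 digest of the RSA modulus in FILE. KIND is key, csr or cert.
modulus_digest() {
    kind=$1
    file=$2
    case "$kind" in
        key)  mod=$(openssl rsa  -noout -modulus -in "$file" 2>/dev/null) ;;
        csr)  mod=$(openssl req  -noout -modulus -in "$file" 2>/dev/null) ;;
        cert) mod=$(openssl x509 -noout -modulus -in "$file" 2>/dev/null) ;;
        *)    echo "modulus_digest: unknown kind '$kind'" >&2; return 2 ;;
    esac
    [ -n "$mod" ] || { echo "modulus_digest: cannot read $kind from $file" >&2; return 2; }
    printf '%s\n' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if the two files share one modulus, 1 if they differ, 2 if unreadable.
# Usage: same_modulus KIND1 FILE1 KIND2 FILE2
same_modulus() {
    a=$(modulus_digest "$1" "$2") || return 2
    b=$(modulus_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Return 0 if CERT chains to a root in BUNDLE, using the optional intermediate
# certificates in CHAIN (the CAM keeps intermediates in /root/.chain.crt).
cert_verifies_against() {
    cert=$1
    bundle=$2
    chain=$3
    if [ -n "$chain" ]; then
        openssl verify -CAfile "$bundle" -untrusted "$chain" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
    fi
}

# Constructed material for the demonstration: key1 with a CSR and a self-signed
# certificate made from it, plus an unrelated key2 and certificate standing in
# for a temporary certificate generated after the CSR was sent off for signing.
make_constructed_material() {
    dir=$1
    openssl genrsa -out "$dir/key1.pem" 2048 2>/dev/null
    openssl genrsa -out "$dir/key2.pem" 2048 2>/dev/null
    openssl req -new -key "$dir/key1.pem" -subj "/CN=cam.example.test" \
        -out "$dir/request.csr" 2>/dev/null
    openssl req -new -x509 -key "$dir/key1.pem" -subj "/CN=cam.example.test" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key2.pem" -subj "/CN=other.example.test" \
        -days 1 -out "$dir/cert2.pem" 2>/dev/null
}

# Stand-alone demonstration on the constructed material.
demo_dir=$(mktemp -d)
make_constructed_material "$demo_dir"
for k in key1 key2; do
    if same_modulus key "$demo_dir/$k.pem" cert "$demo_dir/cert.pem"; then
        echo "$k.pem matches cert.pem"
    else
        echo "$k.pem does NOT match cert.pem: re-import the key the CSR was made from"
    fi
done
rm -rf "$demo_dir"
```

If the key on the CAM does not match the returned certificate but the exported backup of the earlier key does, that backup is the one to re-import before installing the CA-signed certificate. A certificate that shares the key's modulus but fails cert_verifies_against with the root bundle is the case where the CA's root or intermediate certificate still has to be imported.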

System Upgrade

Once a release is installed on the CAM and CAS, minor release upgrades to a more recent release can be performed on the CAM through the web console. This section describes the System Upgrade page of the CAM.

For complete upgrade details, refer to the "Upgrading to a New Software Release" section of the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(2).


Note You can use System Upgrade to upgrade a standalone CAM to release 4.1.

If upgrading your system from 3.5(x) to 4.1 you must follow the in-place upgrade procedure detailed in the "Upgrading to a New Software Release" section of the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(x).


1. To access the CAM upgrade page, go to Administration > CCA Manager > System Upgrade.

Figure 14-11 CAM System Upgrade

2. Click Browse to locate the .tar.gz upgrade file you have downloaded from Cisco Secure Software. Filenames for upgrade typically reflect the following conventions:

cca_upgrade_4.1.x.tar.gz—CAM/CAS release upgrade file (e.g. 4.1.0)

cam_upgrade_4.1.x.tar.gz—CAM-only patch upgrade file

cas_upgrade_4.1.x.tar.gz—CAS-only patch upgrade file; must be uploaded through the CAS management pages. See the "Upgrading to a New Software Release" section of the Release Notes for Cisco NAC Appliance (Cisco Clean Access), Version 4.1(2) for details.

3. Click Upload to upload the .tar.gz upgrade file to your CAM.

4. Once the upgrade file appears in the list, click the checkbox for "Upgrade Agent" if you want to upgrade the Clean Access Agent Setup Installation and Patch Installation files to the latest Agent version bundled with the release (for example, Agent 4.1.2.0 for release 4.1(2)).

This option is typically only available when upgrading between minor releases. If upgrading between major releases (e.g. 4.0(5) to 4.1(2)), the Clean Access Agent setup/patch files within the CAM are automatically upgraded (e.g. to 4.1.2.0), regardless of whether "Upgrade Agent" is enabled.

5. Click the red Apply icon. You will see the following dialog:

This will schedule a system upgrade in two minutes. Are you sure you wish to do this?

Click OK to start the CAM upgrade. Click Cancel if you do not want to upgrade at this time.

6. Clicking the notes link displays a summary of the new features, enhancements, and resolved caveats for the release.

7. Clicking Upgrade Log displays a brief summary of the upgrade process including the date and time it was performed.

8. Clicking Upgrade Details displays the details of the upgrade process, in the following format:

state before upgrade

upgrade process details

state after upgrade

It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.

Licensing

The Clean Access Manager and Clean Access Servers require a valid product license to function. The licensing model for Clean Access incorporates the FlexLM licensing standard.


Note For step-by-step instructions on initially installing the Clean Access Manager license, as well as details on permanent, evaluation, and legacy licenses, see Cisco NAC Appliance Service Contract / Licensing Support.


Install FlexLM License for Clean Access Server:

Once the initial product license for the Clean Access Manager is installed, you can use the Licensing page to add or manage additional licenses (such as CAS licenses, or a second CAM license for HA-CAMs).

1. Go to Administration > CCA Manager > Licensing.

Figure 14-12 Licensing Page

2. In the Clean Access Manager License File field, browse to the license file for your Clean Access Server or Server bundle and click Install License. You will see a green confirmation text string at the top of the page if the license was installed successfully, as well as the CAS increment count (for example, "License added successfully. Out-of-Band Server Count is now 10.").

3. Repeat this step for each Clean Access Server license file you need to install (you should have received one license file per PAK submitted during customer registration). The status information at the bottom of the page will display total number of Clean Access Servers enabled per successful license file installation.

Remove Product Licenses

1. Go to Administration > CCA Manager > Licensing

2. Click the Remove All Licenses button to remove all FlexLM license files in the system.

3. The Clean Access Manager License Form will reappear in the browser, to prompt you to install a license file for the Clean Access Manager.


Note Until you enter the license file for the Clean Access Manager, you will not be redirected to the admin user login page of the web admin console.



Note You cannot remove individual FlexLM license files. To remove a file, you must remove all license files.

Once installed, a permanent FlexLM license overrides an evaluation FlexLM license.

Once installed, FlexLM licenses (either permanent or evaluation) override legacy license keys (even though the legacy key is still installed).

When an evaluation FlexLM expires, or is removed, an existing legacy license key will again take effect.


Change Legacy License Keys

1. Go to Administration > CCA Manager > Licensing

2. To change the license key (for releases prior to release 3.5), copy the license key to the Product License Key field, then click Apply Key.

Support Logs

The Support Logs page on the Clean Access Manager is intended to facilitate TAC support of customer issues. The Support Logs page allows administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should download these support logs when sending their customer support request.

The Support Logs pages on the CAM web console and CAS direct access web console provide web page controls to configure the level of log detail recorded for troubleshooting purposes in /perfigo/logs. These web controls are intended as a convenient alternative to using the CLI loglevel command and its parameters to gather system information when troubleshooting. Note that the log level configured on the Support Logs page does not affect the CAM's Monitoring > Event Log page display.

For normal operation, the log level should always remain at the default setting (severe). The log level is only changed temporarily for a specific troubleshooting time period—typically at the request of the customer support/TAC engineer. In most cases, the setting is switched from "Severe" to "All" for a specific interval, then reset to "Severe" after data is collected. Note that once you reboot the CAM/CAS, or perform the service perfigo restart command, the log level will return to the default setting (Severe).


Caution Do not leave the log level set at "All" or "Info" indefinitely, as this will cause the log file to grow very quickly.

To Download CAM Support Logs:


Step 1 Go to Administration > CCA Manager > Support Logs.

Figure 14-13 CAM Support Logs

Step 2 Specify the number of days of debug messages to include in the file you will download for your Cisco customer support request.

Step 3 Click the Download button to download the cam_logs.<CAM_IP_address>.tar.gz file to your local computer.

Step 4 Send this .tar.gz file with your customer support request.


Note To retrieve the compressed support logs file for the Clean Access Server, access the CAS web console and go to Monitoring > Support Logs. See the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2) for details.



To Change the LogLevel for CAM Logs:


Step 1 Go to Administration > CCA Manager > Support Logs.

Step 2 Choose the CAM log category to change:

CCA Manager General Logging: This category contains the majority of logging events for the system. Any log event not contained in the other four categories listed below will be found under CCA Manager General Logging (e.g. authentication failures).

CAM/CAS Communication Logging: This category contains CAM/CAS configuration or communication errors, for example, if the CAM's attempt to publish information to the CAS fails, the event will be logged.

Switch Management Logging: This category contains generic SNMP errors that can arise from the CAM directly communicating with the switch, for example, if the CAM receives an SNMP trap for which the community string does not match.

General OOB Logging: This category contains general OOB errors that may arise from incorrect settings on the CAM, for example, if the system cannot process an SNMP linkup trap from a switch because it is not configured on the CAM or is overloaded.

Low level Switch Communication Logging: This category contains OOB errors for specific switch models.

Step 3 Click the LogLevel setting for the category of log:

All: This is the lowest LogLevel, with all events and details recorded.

Info: Provides more details than the Severe LogLevel. For example, if a user logs in successfully an Info message is logged.

Severe: This is the default level of logging for the system. A log event is written to /perfigo/logs only if the system encounters a severe error, such as:

CAM cannot connect to CAS

CAM and CAS cannot communicate

CAM cannot communicate with database

For details on the Event Log, see Chapter 13, "Monitoring Online Users and Event Logs."


Admin Users

This section describes how to add multiple administrator users in the Administration > Admin Users module of the CAM web admin console.

Under Administration > Admin Users there are two tabs: Admin Groups, and Admin Users.

You can create new admin users and associate them to pre-existing default admin groups, or you can create your own custom admin groups. In either case, the access permissions defined for the admin group are applied to admin users when you add those users to the group.

Admin Groups

There are three default (uneditable) admin groups in the system, and one predefined custom group ("Help Desk") that you can edit. In addition, you can also create any number of your own custom admin groups under Administration > Admin Users > Admin Groups > New.

The four default admin group types are:

1. Hidden

2. Read-Only

3. Add-Edit

4. Full-Control (has delete permissions)

The three default admin group types cannot be removed or edited. You can add users to one of the three pre-defined groups, or you can configure a new Custom group to create specialized permissions. When creating custom admin permissions, create and set access permissions for the custom admin group first, then add users to that group to set their permissions.

Add a Custom Admin Group

To create a new admin group:


Step 1 Go to Administration > Admin Users > Admin Groups.

Figure 14-14 Admin Groups

Step 2 Click the New link to bring up the new Admin Group configuration form.

Figure 14-15 New Admin Group

Step 3 Click the Disable this group checkbox if you want to initially create but not yet activate this new administrator group, or if you want to disable an existing administrator group.

Step 4 Enter a Group Name for the custom admin group.

Step 5 Enter an optional Description for the group.

Step 6 Set the access options next to each individual Clean Access Server as no access, view only, add-edit, or local admin. This allows you to restrict access to the individual Clean Access Server for a specified administrator group, enable an administrator group to view permissions on the individual Clean Access Server, and even tailor access to provide an administrator group full control over one or more Clean Access Servers (including delete/reboot capabilities).


Note When a Clean Access Server option is set to no access, the members of the administrator group can still see the specified server in the Device Management > CCA servers > List of Servers page, but they cannot manage, disconnect, reboot or delete the server.


Step 7 Select group access privileges of hidden, read only, add-edit, or full control for each individual module or submodule. This allows you to limit the Clean Access Server modules and submodules available to a specified administrator group and tailor administrative control over modules and/or submodules for the specified administrator group.


Note When a submodule option is set to hidden, the members of the administrator group can still see the given submodule in the left-hand web console pane, but the text is "greyed out" and they cannot access that submodule.


Step 8 Click Create Group to add the group to the Admin Groups list.

You can edit the group later by clicking the Edit button next to the group in the list. To delete the group click the Delete icon next to the group. Users in an admin group are not removed when the group is deleted, but are assigned to the default Read-Only Admin group.


Note If an administrator changes the permissions of a particular admin group by editing the admin group, the administrator must remove all admin users belonging to that group since the new permissions will only be effective from the next login.



Admin Users


Note The default admin user is in the default Full-Control Admin group and is a special system user with full control privileges that can never be removed from the Clean Access Manager. For example, a Full-Control user can log in and delete his/her own account, but one cannot log in as user admin and delete the admin account.


Admin users are classified according to Admin Group. The following general rules apply:

All admin users can access the Administration > Admin Users module and change their own passwords.

Features that are not available to a level of admin user are simply disabled in the web admin console.

Read-Only users can only view users, devices, and features in the web admin console.

Add-Edit users can add and edit but not remove local users, devices, or features in the web admin console. Add-Edit admin users cannot create other admin users.

Full-Control users can add, edit, and delete all applicable aspects of the web admin console.

Only Full-Control admin users can add, edit, or remove other admin users or groups.

Custom group users can be configured to have a combination of access privileges, as described in Add a Custom Admin Group.

Login / Logout an Admin User

As admin users are session-based, admin users should log out using the Logout icon in the top-right corner of every page of the web admin console. The administrator login page will appear:

Figure 14-16 Admin Login

Additionally, you can use the logout button to log out as one type of admin user and log back in as another.

Add an Admin User

To add a new admin user:

1. Go to Administration > Admin Users > New.

Figure 14-17 New Admin User

2. Click the Disable this account checkbox if you want to initially create but not yet activate this new administrator user profile, or if you want to disable an existing administrator user.

3. Enter an Admin User Name.

4. Enter a password in the Password and Confirm Password fields.

5. Select an admin group type from the Group Name dropdown list. Default groups are Read-Only, Add-Edit, and Full-Control. To add a user to a custom-access permissions group, add the group first as described in Add a Custom Admin Group.

6. Enter an optional Description.

7. Click Create Admin. The new user appears under the Admin Users > List.

Edit an Admin User

To edit an existing admin user:

1. Go to Administration > Admin Users > List.

Figure 14-18 Admin Users List

2. Click the Edit button next to the admin user.

Figure 14-19 Edit Admin User

3. Change the Password and Confirm Password fields, or other desired fields.

4. Click Save Admin.


Note You can edit all properties of the system admin user, except its group type.


Active Admin User Sessions

You can view which admin users are using the Clean Access Manager web admin console from Administration > Admin Users > Admin Users > Active Sessions. The Active Sessions list shows all admin users that are currently active. Admin users are session-based. Each browser that an admin user opens to connect to the Clean Access Manager webserver creates an entry for the user in the Active Sessions list.

If an admin user opens a browser, closes it, then opens a new browser, two entries will remain for a period of time on the Active Session list. The Last Access time does not change for the ended session, and eventually the entry will be removed by the Auto-logout feature.

Figure 14-20 Admin User Active Sessions

The Active Sessions page includes the following elements:

Admin Name—The admin user name.

IP Address—The IP address of the admin user's machine.

Group Name—The access privilege group of the admin user.

Login Time—The start of the admin user session.

Last Access—The last time the admin user clicked a link anywhere in the web admin console. Each click resets the last access time.

"Auto-Logout Interval for Inactive Admins"—This value is compared against the Login Time and Last Access time for an active admin user session. If the difference between the login time and last access time is greater than the auto-logout interval configured, the user is logged out. This value must be in the range of 1 to 120 minutes, with an interval of 20 minutes set by default.

Kick—Clicking this button logs out an active admin user and removes the session from the active session list.

Manage System Passwords

It is important to provide secure passwords for the user accounts in the Cisco NAC Appliance system, and to change them from time to time to maintain system security. The suite does not generally impose standards for the passwords you choose, but it is advised that you use strong passwords, that is, passwords with at least six characters, mixed letters and numbers, and so on. Strong passwords reduce the likelihood of a successful password guessing attack against your system.

Cisco NAC Appliance contains the following built-in administrative user account passwords:

1. Clean Access Manager installation machine root user

2. Clean Access Server installation machine root user

3. Clean Access Server web console admin user

4. Clean Access Manager web console admin user

The first three passwords are initially set at installation time (the default password is cisco123). To change these passwords at a later time, access the CAM or CAS machine by SSH, logging in as the user whose password you want to change. Use the Linux passwd command to change the user's password.

This section describes the following:

Change the CAM Web Console Admin Password

Change the CAS Web Console Admin User Password

Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)

Change the CAM Web Console Admin Password

To change the Clean Access Manager web console admin user password, use the following procedure.

1. Go to Administration > Admin Users > List.

2. Click the Edit icon for user admin.


3. Type the new password in the Password field.

4. Type the password again in the Confirm Password field.

5. Click the Save Admin button. The new password is now in effect.

Change the CAS Web Console Admin User Password

Most configuration tasks are performed in the CAM web admin console. However, the CAS direct access web console is used to perform several tasks specific to a local CAS configuration, such as configuring High-Availability mode. Use the following instructions to change the CAS web console admin password:

1. Open the Clean Access Server admin console by navigating to the following address in a browser:

https://<CAS_IP>/admin 

where <CAS_IP> is the trusted interface IP address of the CAS. For example, https://172.16.1.2/admin

2. Log in with the default user name and password of admin/cisco123.

3. Click the Admin Password link from the left side menu.

4. In the Old Password field, type the current password.

5. Type the new password in the New Password and the Confirm Password fields.

6. Click Update.

Recovering Root Password for CAM/CAS (Release 4.1.x/4.0.x/3.6.x)

Use the following procedure to recover the root password for a 4.1/4.0/3.6 CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or KVM console, NOT a serial console).

1. Power up the machine.

2. When you see the boot loader screen with the "Press any key to enter the menu..." message, press any key.

3. You will be at the GRUB menu with one item in the list "Cisco Clean Access (2.6.11-perfigo)." Press "e" to edit.

4. You will see multiple choices as follows:

root (hd0,0)
kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 console=ttyS0,9600n8
Initrd /initrd-2.6.11-perfigo.img

5. Scroll to the second entry (line starting with "kernel...") and press "e" to edit the line.

6. Delete the line "console=ttyS0,9600n8", add the word "single" to the end of the line, then press "Enter". The line should appear as follows:

kernel /vmlinuz-2.6.11-perfigo ro root=LABEL=/ console=tty0 single

7. Press "b" to boot the machine in single user mode. You should be presented with a root shell prompt after boot-up (note that you will not be prompted for password).

8. At the prompt, type "passwd", press "Enter" and follow the instructions.

9. After the password is changed, enter "reboot" to reboot the box.

Recovering Root Password for CAM/CAS (Release 3.5.x or Below)

To recover the root password for CAM/CAS on release 3.5(x), you can use the Linux procedure to boot to single user mode and change the root password:

1. Connect to the CAM/CAS machine via console.

2. Power cycle the machine.

3. After power-cycling, the GUI mode displays. Press Ctrl-x to switch to text mode. This displays a "boot:" prompt.

4. At the prompt type: linux single. This boots the machine into single user mode.

5. Type: passwd.

6. Change the password.

7. Reboot the machine using the reboot command.

Backing Up the CAM Database

You can create a manual backup snapshot of the CAM database to back up the CAM/CAS configuration for the current release being run. When you create the snapshot, it is saved on the CAM, but you can also download it to another machine for safekeeping. Only the CAM snapshot needs to be backed up. The CAM snapshot contains all database configuration data for the Clean Access Manager, and configuration information for all Clean Access Servers added to the CAM's domain. The snapshot is a standard postgres data dump.


Note Product licenses are stored in the database and are therefore included in the backup snapshot.


Once a CAS is added to the CAM, the CAS gets its configuration information from the CAM every time it contacts the CAM, including after a snapshot configuration is downloaded to the CAM.

In the case that you replace the underlying machine for a CAS that is already added to the CAM, you will need to execute the service perfigo config utility to configure the new machine with the CAS IP address and certificate configuration. Thereafter, the CAM will push all the other configuration information to the CAS. Note that if the shared secret between the CAM and CAS is changed, you may need to add the CAS to the CAM again (via Device Management > CCA Servers > New Server).

The Clean Access Agent is always included as part of the CAM database snapshot. The Agent is always stored in the CAM database when:

The Agent is received as a Clean Access Update (Agent Patch) from web Updates.

The Agent is manually uploaded to the CAM.

However, when the CAM is newly installed from CD or upgraded to the latest release, the Clean Access Agent is not backed up to the CAM database. In this case, the CAM software will contain the new Agent software but this is not uploaded to the CAM database. Agent backups only start when a new Agent is uploaded to the system either manually or by web Updates.


Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. 4.1(2) snapshot to 4.1(2) CAM).



Note For further details on database logs, refer to Log Files, page 13-17.


Automated Daily Database Backups

Cisco NAC Appliance automatically creates daily snapshots of the Clean Access Manager database and preserves the most recent from the last 30 days. It also automatically creates snapshots before and after software upgrades, and before and after failover events. For upgrades and failovers, only the last 5 backup snapshots are kept. See Database Recovery Tool for additional details.

Manual Backups from Web Console

Cisco recommends creating a backup of the CAM before making major changes to its configuration. Backing up the configuration from time to time also ensures a recent backup of a known-good configuration profile, in case of a malfunction due to incorrect settings. Besides protecting against configuration data loss, snapshots provide an easy way to duplicate a configuration among several CAMs.


Note Manually-created snapshots stay on the CAM until they are manually removed.


Creating Manual Backup

1. In the Administration > Backup page, type a name for the snapshot in the Database Snapshot Tag Name field. The field automatically populates with a filename that incorporates the current date and time (e.g MM_DD_YY-hh-mm_snapshot). You can either accept the default name or type another.

2. Click Create Snapshot. The Clean Access Manager generates a snapshot file, which is added to the snapshot list. The Version column automatically lists the CAM software version for the snapshot.

Figure 14-21 Backup Snapshot


Note The file still physically resides on the Clean Access Manager machine. For archiving purposes, it can remain there. However, to back up a configuration for use in case of system failure, the snapshot should be downloaded to another computer.


3. To download the snapshot to another computer, click either the Download icon or the Tag Name of the snapshot that you want to download.

4. In the File Download dialog, Save the file to your local computer.

To remove the snapshot from the snapshot list, click the Delete button.

Backing Up Snapshots to Another Server via FTP

The /perfigo/control/bin/pg_backup script on the CAM takes the database snapshot and backs it up on to another server using FTP.

You can set up a cron job to run this script on a regular basis to obtain OFF-SERVER copies of the backup snapshot. To execute the script:

1. SSH to the CAM

2. Execute the following script:

 ./pg_backup <FTPserver> Username Password

The script uses the Postgres pg_dump utility to create an instant database snapshot and then export it to the FTP server specified. This snapshot is essentially the same as a snapshot created manually using the CAM web console. You can set up a cron job to run this script daily.
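A cron job that calls pg_backup has to supply the FTP server, user name and password on the command line. The following shell wrapper is an added example, not part of this guide or of the CAM software: it reads those three values from a file that must be owned by the invoking user and have no group or other permission bits, refuses to run otherwise, and only then calls the pg_backup script from the directory it lives in, exactly as the manual invocation above does. The PG_BACKUP override and the file names /root/.pg_backup_ftp and /root/pg_backup_cron.sh are my own placeholders; on a CAM the script path stays /perfigo/control/bin/pg_backup.

```shell
#!/bin/sh
# Added example, not Cisco's code: cron wrapper for the CAM's pg_backup script
# that takes the FTP server, user name and password from a protected file
# instead of the crontab line. PG_BACKUP can be overridden for testing; on the
# CAM leave it at the default path given in the guide.
PG_BACKUP=${PG_BACKUP:-/perfigo/control/bin/pg_backup}

# Return 0 only if FILE is a regular file owned by the calling user with no
# group/other permission bits (e.g. 0600). Uses GNU stat, as found on the CAM.
credfile_is_protected() {
    f=$1
    [ -f "$f" ] || return 1
    owner=$(stat -c '%u' "$f") || return 1
    perms=$(stat -c '%a' "$f") || return 1
    [ "$owner" = "$(id -u)" ] || return 1
    case "$perms" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Load FTP_SERVER, FTP_USER and FTP_PASS from the three lines of CREDFILE.
load_ftp_credentials() {
    f=$1
    if ! credfile_is_protected "$f"; then
        echo "refusing to read $f: it must be owned by you and mode 0600" >&2
        return 1
    fi
    { IFS= read -r FTP_SERVER; IFS= read -r FTP_USER; IFS= read -r FTP_PASS; } < "$f"
    [ -n "$FTP_SERVER" ] && [ -n "$FTP_USER" ] && [ -n "$FTP_PASS" ]
}

# Run pg_backup with credentials from CREDFILE; returns pg_backup's exit status.
# The script is invoked as ./pg_backup from its own directory, as in the guide.
run_ftp_backup() {
    load_ftp_credentials "$1" || return 1
    if [ ! -x "$PG_BACKUP" ]; then
        echo "$PG_BACKUP is missing or not executable" >&2
        return 1
    fi
    echo "$(date '+%Y-%m-%d %H:%M:%S') uploading CAM snapshot to $FTP_SERVER as $FTP_USER"
    ( cd "$(dirname "$PG_BACKUP")" && "./$(basename "$PG_BACKUP")" \
        "$FTP_SERVER" "$FTP_USER" "$FTP_PASS" )
    status=$?
    echo "$(date '+%Y-%m-%d %H:%M:%S') pg_backup exited with status $status"
    return $status
}

# Placeholder crontab entry for root, running the wrapper nightly at 02:30:
#   30 2 * * * /root/pg_backup_cron.sh /root/.pg_backup_ftp
if [ $# -eq 1 ]; then
    run_ftp_backup "$1"
fi
```

The wrapper keeps the password out of the crontab file and out of root's shell history, but because pg_backup's own interface takes the password as an argument it is still visible in a process listing on the CAM while the upload runs, and FTP itself carries the credentials unencrypted, so the destination server should be reachable only over a trusted management network. Cron mails the two timestamped lines and the exit status to root, which gives a simple record of whether each off-server copy succeeded.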

Restoring Configuration from CAM Snapshot


Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. 4.1(2) snapshot to 4.1(2) CAM).


Restore from CAM List of Snapshots

To restore the Clean Access Manager to the configuration state of the snapshot:

1. Go to Administration > Backup

2. Click the Restore button for the desired snapshot in the list. Make sure the version of the snapshot to which you want to restore the CAM is the same version currently running on the CAM.

3. The existing configuration is overridden by the configuration in the snapshot.

Restore from Downloaded Snapshot

If the snapshot was downloaded to a remote computer, it can be uploaded to the list again as follows:

1. Go to Administration > Backup and click the Browse button next to the Snapshot to Upload field. Find the file in the directory system.

2. Click Upload Snapshot and confirm the operation. The snapshot now appears in the snapshot list.

3. Click the Restore button next to the snapshot to overwrite the current configuration with the snapshot's configuration.

4. Confirm the operation.

The configuration is now restored to the configuration state recorded in the snapshot.

Restoring Configuration from CAM Snapshot In HA Deployment

If either of the HA-Primary and HA-Secondary CAMs and/or CASes in your HA deployment loses its configuration, you can retrieve the most recent snapshot (or create one for the existing configuration) from the remaining CAM and load it into your HA system to ensure consistent behavior from both the HA-Primary and HA-Secondary machines.

If both the HA-Primary and HA-Secondary CAMs and/or CASes in your HA deployment lose their configuration, you can restore the system using the following guidelines. (For example, if a catastrophic event wipes out the image and database on both the HA-Primary and HA-Secondary machines or forces you to RMA both machines and install new appliances.)

Restore Both HA-Primary and HA-Secondary CAMs from Snapshot

To restore the HA-Primary and HA-Secondary CAMs in a failover deployment to the configuration state of the snapshot:

1. Install and initially configure the HA-Primary CAM and HA-Secondary CAM so that they feature the same attributes as before your HA deployment went down as described in Chapter 2, "Installing the Clean Access Manager."

2. Apply your CAM user license(s) to both the HA-Primary and HA-Secondary CAMs.

3. Reconfigure the HA-Primary and HA-Secondary CAMs as an HA pair as described in Chapter 15, "Configuring High Availability (HA)."

4. Reload the most recent CAM configuration snapshot onto your HA-Primary CAM from a backup server as described in Restore from Downloaded Snapshot.

5. To complete the snapshot restoration, wait approximately 5 minutes for the HA-Secondary CAM to automatically "sync up" with the HA-Primary.

6. Reboot the HA-Primary CAM. Once the CAM has restarted and you can log in via the web console, reboot the HA-Secondary CAM.

Restore Both HA-Primary and HA-Secondary CASes from Snapshot

To restore the HA-Primary and HA-Secondary CASes in a failover deployment to the configuration state of the snapshot:

1. Install and initially configure the HA-Primary CAS and HA-Secondary CAS so that they feature the same attributes as before your HA deployment went down as described in the "Installing the Clean Access Server" chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2).

2. Reconfigure both the HA-Primary and HA-Secondary CASes as an HA pair as described in the "Configuring High Availability (HA)" chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(2).


Warning Ensure you follow the instructions in the "Configuring High Availability (HA)" chapter in the order they are presented to successfully re-establish your CAS HA connection.


3. Simulate failover events between the HA-Primary and HA-Secondary CASes by shutting down/disconnecting the HA-Primary CAS to allow the HA-Secondary CAS to assume access control functions. Once the standby CAS assumes the active role, simulate the same failover for the HA-Secondary CAS (the new active CAS) when the HA-Primary (standby) comes back "online."

Performing these failover simulations on both the HA-Primary and HA-Secondary CASes ensures that each one gets the current database information from the CAM.

Database Recovery Tool

The Database Recovery tool is a command line utility that can be used to restore the database from the following types of backup snapshots:

Automated daily backups (the most recent 30 copies)

Backups made before and after software upgrades

Backups made before and after failover events

Manual snapshots created by the administrator via the web console

Although the web console already allows you to manually create and upload snapshots (via Administration > Backup), the CLI tool presents additional detail. The tool provides a menu that lists the snapshots from which to restore, and the uncompressed size and table count. Note that a file which is corrupt or not in the proper format (e.g. not .tar.gz) will show a remediation warning instead of an uncompressed size and a table count.
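As an added illustration of what the tool's menu reports (this is not the dbbackup.sh tool's own code), the following Python script inspects a snapshot file and returns its uncompressed size and table count, or a remediation warning when the file is not a .tar.gz or is corrupt. It assumes the archive holds a plain-SQL pg_dump of controlsmartdb; that layout, SAMPLE_SQL and the file names are constructed assumptions.

```python
"""Added example (not the CAM dbbackup.sh tool): inspect a backup snapshot
before restoring it. It assumes a snapshot is a .tar.gz holding a plain-SQL
pg_dump of controlsmartdb; that layout is an assumption, not from the guide."""
import io, os, re, tarfile, tempfile

CREATE_TABLE = re.compile(rb"^\s*CREATE TABLE\b", re.IGNORECASE | re.MULTILINE)

# Constructed pg_dump-style text; not a real CAM dump.
SAMPLE_SQL = b"""-- PostgreSQL database dump (constructed sample)
CREATE TABLE admin_user (name varchar(32), pw varchar(64));
CREATE TABLE user_role (id integer, name varchar(32));
create table audit_log (ts timestamp, msg text);
INSERT INTO admin_user (name, pw) VALUES ('admin', 'x');
"""


def inspect_snapshot(path):
    """Return uncompressed size and table count, or a remediation warning."""
    if not path.endswith(".tar.gz"):
        return {"path": path, "warning": "not a .tar.gz snapshot; cannot restore"}
    size = tables = 0
    try:
        with tarfile.open(path, mode="r:gz") as tar:
            for member in tar.getmembers():
                fh = tar.extractfile(member)  # None for non-file members
                if fh is None:
                    continue
                size += member.size
                if member.name.endswith(".sql"):
                    tables += len(CREATE_TABLE.findall(fh.read()))
    except (tarfile.TarError, OSError, EOFError) as exc:
        return {"path": path, "warning": "corrupt archive (%s); pick another snapshot" % type(exc).__name__}
    return {"path": path, "uncompressed_size": size, "table_count": tables}


def run_demo():
    """Write a good and a corrupt constructed snapshot, inspect both plus a non-.tar.gz name."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "cam_backup_good.tar.gz")
        with tarfile.open(good, mode="w:gz") as tar:
            info = tarfile.TarInfo("controlsmartdb.sql")
            info.size = len(SAMPLE_SQL)
            tar.addfile(info, io.BytesIO(SAMPLE_SQL))
        corrupt = os.path.join(tmp, "cam_backup_corrupt.tar.gz")
        with open(corrupt, "wb") as fh:
            fh.write(b"this is not gzip data")  # constructed corrupt file
        wrong = os.path.join(tmp, "snapshot.txt")  # never opened: name check fails first
        return [inspect_snapshot(p) for p in (good, corrupt, wrong)]
```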


Caution The CAM must be stopped before you can run this utility and must be rebooted after the utility is run.

To run the command utility:

1. Access your Clean Access Manager by SSH.

2. Log in as user root with the root password (the default password is cisco123).

3. Change to the directory of the database recovery tool: cd /perfigo/dbscripts

4. Run service perfigo stop to stop the Clean Access Manager.

5. Run ./dbbackup.sh to start the tool.

6. Follow the prompts to perform database restore.

7. Run reboot to reboot the Clean Access Manager after running the utility.


Note For general information on CLI commands, see Using the Command Line Interface (CLI), page 2-10.


Manual Database Backup from SSH

If the web admin console becomes inaccessible, you can perform a manual database backup as follows:

1. Log in as root on the Clean Access Manager box.

2. Switch user to postgres by typing: su - postgres

3. Create the dump of the database by typing: pg_dump -h 127.0.0.1 controlsmartdb -D -f sm_back_092004.sql

4. This command creates a file called sm_back_092004.sql in the /var/lib/pgsql directory.

5. You can then SCP that file to another server.

API Support

Cisco NAC Appliance provides a utility script called cisco_api.jsp that allows you to perform certain operations using HTTPS POST. The Clean Access API for your Clean Access Manager is accessed from a web browser as follows: https://<ccam-ip-or-name>/admin/cisco_api.jsp.

For usage and authentication requirements, guest access support, and operations summary information, see Appendix B, "API Support".