Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.6(1)
Installing the Clean Access Manager

Table Of Contents

Installing the Clean Access Manager

Overview

Cisco NAC Appliance Hardware Platforms

Important Release Information

Summary of Steps For New Installation

Connect the Clean Access Manager

Serial Connection to the CAM

Configuring Boot Settings on NAC-3310 Based Appliances

Install the Clean Access Manager Software from CD-ROM

CD Installation Steps

Perform the Initial Configuration

Configuration Utility Script

Access the CAM Web Console

Important Notes for SSL Certificates

CAM CLI Commands

Troubleshooting Network Card Driver Support Issues

Connectivity Across a Wide Area Network

Cisco NAC Appliance Connectivity Across a Firewall


Installing the Clean Access Manager


This chapter describes how to install the Clean Access Manager. Topics include:

Overview

Summary of Steps For New Installation

Connect the Clean Access Manager

Install the Clean Access Manager Software from CD-ROM

Perform the Initial Configuration

Access the CAM Web Console

CAM CLI Commands

Troubleshooting Network Card Driver Support Issues

Cisco NAC Appliance Connectivity Across a Firewall

Overview

The Cisco NAC Appliance 3300 Series hardware platforms are Linux-based network hardware appliances which are pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system, and all relevant components on a dedicated server machine. The operating system comprises a hardened Linux kernel based on a Fedora core. Cisco NAC Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine.

When you receive a new Cisco NAC Appliance, you will need to connect to the appliance and perform initial configuration.

If you want to install a different version of the software than what is shipped on the appliance, you can perform software installation via CD first. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on the software versions supported on Cisco NAC Appliance 3300 Series platforms.


Tip The Cisco NAC Appliance Hardware Installation Quick Start Guide covers all necessary instructions for powering up a new Cisco NAC Appliance.


This chapter contains information for performing CD software installation and initial configuration of a Clean Access Manager.

With Cisco NAC Appliance software installation via CD, you must select whether to install the Clean Access Manager or Clean Access Server application. Once the CAM or CAS is installed on the dedicated appliance (application, OS, and relevant components), the installation of any other packages or applications on the CAM or CAS is not supported.


Caution Cisco NAC Appliance Release 4.5 only supports and can only be installed on the following Cisco NAC Appliance platforms: Cisco CCA-3140, Cisco NAC-3310, Cisco NAC-3350, Cisco NAC-3390, Cisco NAC Network Module (NME-NAC-K9). You will not be able to install release 4.5 and later on any other platform.


Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.



Note For installation details on NAC-3300 Series appliances, refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide.

For installation details on the Clean Access Server, refer to the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).

For installation details on the Cisco NAC Network Module (CAS on a network module), refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.


Cisco NAC Appliance Hardware Platforms

Starting from Cisco NAC Appliance Release 4.5, Cisco NAC Appliance software only supports and can only be installed on the following Cisco NAC Appliance platforms:

Cisco CCA-3140

Cisco NAC-3310

Cisco NAC-3350

Cisco NAC-3390

Cisco NAC Network Module (NME-NAC-K9)


Note Refer to the Release Notes for Cisco NAC Appliance, Version 4.6(1) for additional hardware compatibility information in Release 4.6(1).


The Cisco NAC Appliance 3300 Series provides Linux-based network hardware appliances which are pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system and all relevant components on a dedicated server machine.

The Cisco NAC network module is a CAS that you can install in a Cisco 2800 or 3800 Series ISR chassis. It provides the same features and functionality as a stand-alone CAS appliance, with one exception: the Cisco NAC network module does not support high availability.


Note For more information on the Cisco NAC network module, see Getting Started with NAC Network Modules in Cisco Access Routers and Installing Cisco Network Modules in Cisco Access Routers.


The Cisco NAC Appliance operating system comprises a hardened Linux kernel based on a Fedora core. Cisco NAC Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine.


Note The Cisco NAC Appliance 3100 Series includes the Cisco CCA-3140 (CCA-3140-H1) NAC Appliance (EOL). The CCA-3140-H1 requires CD installation of either the Clean Access Server or Clean Access Manager software.


Refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.5 for further details on the Cisco NAC Appliance 3300 Series appliances.

Important Release Information

Refer to the Release Notes for Cisco NAC Appliance, Version 4.6(1) for additional and late-breaking information on 4.6(1) software releases.

Summary of Steps For New Installation


Note If relevant, back up your current Clean Access Manager configuration and save the snapshot to your local computer for safekeeping as described in Manual Backups from Web Console, page 15-56.



Step 1 Follow the instructions on your welcome letter to obtain a valid license file for your installation. Refer to the instructions in Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are evaluating Cisco NAC Appliance, visit http://www.cisco.com/go/license/public to obtain an evaluation license.)

When you add the initial CAM license, the top of the CAM web console will display the type of Clean Access Manager license installed:

Cisco Clean Access Lite Manager supports 3 Clean Access Servers

Cisco Clean Access Standard Manager supports 20 Clean Access Servers

Cisco Clean Access Super Manager supports 40 Clean Access Servers
(SuperCAM runs only on the NAC-3390 platform)

Additionally, the Administration > CCA Manager > Licensing page will display the types of licenses present after they are added. See Licensing, page 15-26 for further details.

Step 2 Obtain a bootable CD of the latest version of the software. You can log in to Cisco Secure Software and download the latest 4.6(1) .ISO image from http://www.cisco.com/pcgi-bin/apps/tblbld/tablebuild.pl?topic=279515766, or click the "Download Software" link on the Cisco NAC Appliance support page, and burn it as a bootable disk to a CD-R.


Note Cisco recommends burning the .ISO image to a CD-R using speeds 10x or lower. Higher speeds can result in corrupted/unbootable installation CDs.


Step 3 Connect the CAM to the network, as described in Connect the Clean Access Manager.

Step 4 Connect a monitor and keyboard to the CAM, or connect your workstation to the CAM via serial cable, as described in Connect the Clean Access Manager.

Step 5 Install the software as described in Install the Clean Access Manager Software from CD-ROM.


Note If your NAC-3310 appliance does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on NAC-3310 Based Appliances.


Step 6 Perform the initial configuration of the CAM, as described in Perform the Initial Configuration.


Note For High Availability mode, install and initially configure each CAM first before configuring HA. Refer to Chapter 16, "Configuring High Availability (HA)" for details.

You must use identical appliances (e.g. NAC-3350 and NAC-3350) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).


Step 7 Access the CAM web console and install a valid FlexLM license file for the Clean Access Manager as described in Access the CAM Web Console.

Step 8 In the web console, navigate to Administration > CCA Manager > Licensing to install any additional FlexLM license files for your Clean Access Servers, as described in Licensing, page 15-26.

Step 9 Add your Clean Access Server(s) to the Clean Access Manager, as described in Add Clean Access Servers to the Managed Domain, page 3-2.


Connect the Clean Access Manager

To install the Clean Access Manager software from CD-ROM or to perform its initial configuration, you will need to connect the target machine and access the CAM's command line.


Step 1 The Clean Access Manager requires one of the two 10/100/1000BASE-TX interface connectors on the back panel of the CAM for its eth0 network interface. Connect the NIC1 network interface on the target machine to your local area network (LAN) using a CAT5 Ethernet cable.

If needed, refer to "Cisco NAC Appliance Hardware Summary" in the Cisco NAC Appliance Hardware Installation Quick Start Guide, or the documentation that came with your CAM to find the serial and Ethernet connectors.

Step 2 Connect the power by plugging one end of the AC power cord into the back of the machine and the other end into an electrical outlet.

Step 3 Power on the CAM by pressing the power button on the front of the machine. The diagnostic LEDs will flash a few times as part of an LED diagnostic test. Status messages are displayed on the console as the CAM boots up.

Step 4 Access the CAM's command line by either:

Connecting a monitor and keyboard directly to the CAM via the keyboard connector and video monitor/console connector on the back panel.

Connecting a serial cable from an external workstation (PC/laptop) to the CAM and opening a serial connection using terminal emulation software (such as HyperTerminal or SecureCRT) on the external workstation, as described in Serial Connection to the CAM.



Note The eth1 interface (NIC2) of the CAM is only required when connecting High Availability CAM pairs. Refer to "Configuring Additional NIC Cards" in the Cisco NAC Appliance Hardware Installation Quick Start Guide for details.



Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.


Serial Connection to the CAM

This section details how to access the CAM command line via serial connection.


Step 1 Connect the serial port of your admin computer to an available serial port on the CAM with a serial cable.


Note If the CAM is already configured for High-Availability (failover), one of its serial connections may be in use for the peer heartbeat connection. In this case, the machine must have at least two serial ports to be able to manage the CAM over a serial connection. If it does not, you can use an Ethernet port for the peer connection. For more information, see Chapter 16, "Configuring High Availability (HA)."


Step 2 After physically connecting the workstation to the CAM, access the serial connection interface using any terminal emulation software. The following steps describe how to connect using Microsoft® HyperTerminal. If you are using different software, the steps may vary.

Setting Up the HyperTerminal Connection

Step 3 Click Start > Programs > Accessories > Communications > HyperTerminal to open the HyperTerminal window.

Step 4 Type a name for the session and click OK.

Step 5 In the Connect using list, choose the COM port on the workstation to which the serial cable is connected (usually either COM1 or COM2) and click OK.

Step 6 Configure the Port Settings as follows:

Bits per second - 9600

Data bits - 8

Parity - None

Stop bits - 1

Flow control - None

Step 7 Go to File > Properties to open the Properties dialog for the session and change the Emulation setting to VT100.

Step 8 You should now be able to access the command interface for the CAM. You can now:

Install the Clean Access Manager Software from CD-ROM

Perform the Initial Configuration


Configuring Boot Settings on NAC-3310 Based Appliances

If your NAC-3310 appliance does not read the software on the CD ROM drive, and instead attempts to boot from the hard disk, use the following steps to configure the appliance to boot from CD ROM before attempting to re-image or upgrade the appliance from CD.


Step 1 Press the F10 key while the system is booting.

Step 2 Go to the Boot menu (Figure 2-1).

Figure 2-1 Boot Menu

Step 3 Change the setting to boot from CD ROM by selecting "CD-ROM Drive" from the menu and pressing the plus ("+") key (Figure 2-2).

Figure 2-2 Boot from CD-ROM Drive

Step 4 Press the F10 key to Save and Exit.


Install the Clean Access Manager Software from CD-ROM

Once you are connected to the command line of the CAM (as described in Connect the Clean Access Manager) use the following steps to install the Clean Access Manager software from CD-ROM.


Caution Cisco NAC Appliance software is not intended to coexist with other software or data on the target machine. The installation process formats and partitions the target hard drive, destroying any data or software on the drive. Before starting the installation, make sure that the target machine does not contain any data or applications that you need to keep.

CD Installation Steps

The entire installation process, including the configuration steps described in Perform the Initial Configuration, should take about 15 minutes.


Step 1 Insert the CD-ROM that contains the Clean Access Manager .ISO file into the CD-ROM drive of the target machine.

Step 2 Reboot the machine. The welcome screen appears after the machine restarts:

Cisco Clean Access 4.6-1 Installer (C) 2009 Cisco Systems, Inc.

                Welcome to the Cisco Clean Access 4.6-1 Installer!

 -  To install a Cisco Clean Access device, press the <ENTER> key.
 -  To install a Cisco Clean Access device over a serial console, enter serial at the boot 
prompt and press the <ENTER> key.

boot: 

Note If your NAC-3310 appliance does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on NAC-3310 Based Appliances.


Step 3 At the "boot:" prompt, type one of the following options depending on the type of connection:

Press the Enter key if your monitor and keyboard are directly connected to the appliance.

Type serial and press enter in the terminal emulation console if you are accessing the appliance over a serial connection.

Step 4 The Install selection option appears next, prompting you to perform a brand new installation of Cisco NAC Appliance or exit/cancel the install process. At the following prompt, enter 1 to install a new version of Cisco NAC Appliance.

Checking for existing installations.
Clean Access Manager 4.1.2.1 installation detected.
Please choose one of the following actions:
1) Install.
2) Exit.

Step 5 Next, the Cisco NAC Appliance software installer asks you to specify whether you are installing a Clean Access Manager or Clean Access Server. At the following prompt, enter 1 to perform the installation for a Clean Access Manager.

Please choose one of the following configurations:
1) CCA Manager.
2) CCA Server.


Caution Only one CD is used for installation of the Clean Access Manager or Clean Access Server software and the installation script does not automatically detect CAM or CAS installation for the target machine. You must select the appropriate type, either CAM or CAS, for the target machine on which you are performing installation.

Step 6 The Clean Access Manager Package Installation then executes. The installation takes several minutes. When finished, the installation script presents the following message, prompting you to press Enter to reboot the CAM and launch the Clean Access Manager quick configuration utility.

Installation complete. Press <ENTER> to continue

After you press Enter, the welcome screen for the Clean Access Manager quick configuration utility appears, and a series of questions prompt you for the initial configuration, as described in the next section, Configuration Utility Script.



Note If after installation you need to reset the CAM configuration settings (such as the eth0 IP address), connect to the CAM machine serially or via SSH and run the service perfigo config command. See CAM CLI Commands for details. Most other settings can also be modified later from the web admin console.


Perform the Initial Configuration

When installing the Clean Access Manager from CD-ROM, the Configuration Utility Script automatically appears after the software packages install to prompt you for the initial configuration.


Note If necessary, you can always manually start the Configuration Utility Script as follows:

1. Over a serial connection or working directly on the CAM, log onto the CAM as user root with correct password.

2. Run the initial configuration script by entering the following command:

service perfigo config

You can run the service perfigo config command to modify the configuration of the CAM if it cannot be reached through the web admin console. For further details on CLI commands, see CAM CLI Commands.


Configuration Utility Script

The configuration utility script suggests default values for particular parameters. To configure the installation, either accept the default value or provide a new one, as described below.


Step 1 After the software is installed from the CD and package installation is complete, the welcome script for the configuration utility appears:

Welcome to the Cisco Clean Access Manager quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Manager, (C) 2009 Cisco Systems, Inc.

Step 2 You are first prompted for the IP address of the interface eth0:

Configuring the network interface:

Please enter the IP address for the interface eth0 []: 10.201.2.11
You entered 10.201.2.11 Is this correct? (y/n)? [y]

At the prompt, enter y to accept the default address, or n to specify another IP address. In this case, type the address you want to use for the trusted network interface in dotted-decimal format. Confirm the value when prompted.

Step 3 Type the subnet mask for the interface address at the prompt or press enter for the default. Confirm the value when prompted.

Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y] y

Step 4 Specify and confirm the address of the default gateway for the Clean Access Manager. This is typically the IP address of the router between the Clean Access Manager subnet and the Clean Access Server subnet.

Please enter the IP address for the default gateway []: 10.201.240.1
You entered 10.201.2.1 Is this correct? (y/n)? [y] y

Step 5 Provide a host name for the Clean Access Manager. The host name will be matched with the interface address in your DNS server, enabling it to be used to access the Clean Access Manager admin console from a browser. The default host name is nacmanager.

Please enter the hostname [nacmanager]: cam1
You entered cam1 Is this correct? (y/n)? [y] y

Step 6 Specify the IP address of the Domain Name System (DNS) server in your environment:

Please enter the IP addresses for the name servers: []: 172.10.16.16
You entered 172.10.16.16 Is this correct? (y/n)? [y] y

Step 7 The Clean Access Manager and Clean Access Servers in a deployment authenticate each other through a shared secret. The shared secret serves as an internal password for the deployment. The default shared secret is cisco123. Type and confirm the shared secret at the prompts.

The shared secret used between Clean Access Manager and Clean Access Server is the default 
string: cisco123

This is highly insecure. It is recommended that you choose a string that is unique to your 
installation.

Please remember to configure all Clean Access Devices with the same string.
Only the first 8 characters supplied will be used.
Please enter the shared secret between Clean Access Server and Clean Access Manager: 


Caution The shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the deployment. If they have different shared secrets, they cannot communicate.
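The script's two warnings above (the default value and the 8-character limit) have a practical consequence: two secrets that differ only after the eighth character are the same secret as far as the CAM and CAS are concerned. The following checker, an added example and not part of Cisco's configuration utility, models that behaviour so an operator can verify a proposed secret before typing it on every appliance; the 8-character truncation is taken literally from the prompt text and the "short" finding is an assumption of this example.

```python
"""Pre-check for the CAM/CAS shared secret prompt (added example, not Cisco code).

The quick configuration utility states that only the first 8 characters of the
shared secret are used and that the default is cisco123. These helpers model
that behaviour so that the values typed on the CAM and on each CAS can be
checked for agreement, and for use of the default, before deployment.
"""

DEFAULT_SHARED_SECRET = "cisco123"  # default named by the configuration script
EFFECTIVE_LENGTH = 8                # "Only the first 8 characters supplied will be used."


def effective_secret(secret: str) -> str:
    """Return the portion of the secret the appliances actually compare."""
    return secret[:EFFECTIVE_LENGTH]


def shared_secret_findings(secret: str) -> list:
    """Return a list of problems with a proposed shared secret (empty if none)."""
    findings = []
    eff = effective_secret(secret)
    if eff == DEFAULT_SHARED_SECRET:
        # Matches even when extra characters were appended: they are discarded.
        findings.append("default value cisco123 (the script itself calls this highly insecure)")
    if len(secret) > EFFECTIVE_LENGTH:
        findings.append("only the first %d characters are used; effective secret is %r"
                        % (EFFECTIVE_LENGTH, eff))
    if len(secret) < EFFECTIVE_LENGTH:
        # Assumption of this example: use the full effective length available.
        findings.append("shorter than %d characters; uses less than the effective length"
                        % EFFECTIVE_LENGTH)
    return findings


def secrets_match(cam_secret: str, cas_secret: str) -> bool:
    """True if the CAM and a CAS would authenticate each other (effective values agree)."""
    return effective_secret(cam_secret) == effective_secret(cas_secret)


def check_deployment(cam_secret: str, cas_secrets: dict) -> dict:
    """Map each CAS name to True/False according to whether it will pair with the CAM.

    cas_secrets is a constructed mapping {cas_name: secret_typed_on_that_cas}.
    """
    return {name: secrets_match(cam_secret, s) for name, s in cas_secrets.items()}


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    cam = "Zq7!mR2p-siteA"
    print(shared_secret_findings(cam))
    print(check_deployment(cam, {"cas-1": "Zq7!mR2p-siteB", "cas-2": "Zq7!mR2q-siteA"}))
```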

Step 8 Specify the time zone in which the Clean Access Manager is located as follows:

a. Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press enter. Enter 11 to specify the time zone in Posix TZ format instead, such as GST-10.

The timezone is currently not set on this system.
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
 1) Africa
 2) Americas
 3) Antarctica
 4) Arctic Ocean
 5) Asia
 6) Atlantic Ocean
 7) Australia
 8) Europe
 9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format.

b. The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 45 for the United States, and press enter.

Please select a country.
 1) Anguilla              18) Ecuador               35) Paraguay
 2) Antigua & Barbuda     19) El Salvador           36) Peru
 3) Argentina             20) French Guiana         37) Puerto Rico
 4) Aruba                 21) Greenland             38) St Kitts & Nevis
 5) Bahamas               22) Grenada               39) St Lucia
 6) Barbados              23) Guadeloupe            40) St Pierre & Miquelon
 7) Belize                24) Guatemala             41) St Vincent
 8) Bolivia               25) Guyana                42) Suriname
 9) Brazil                26) Haiti                 43) Trinidad & Tobago
10) Canada                27) Honduras              44) Turks & Caicos Is
11) Cayman Islands        28) Jamaica               45) United States
12) Chile                 29) Martinique            46) Uruguay
13) Colombia              30) Mexico                47) Venezuela
14) Costa Rica            31) Montserrat            48) Virgin Islands (UK)
15) Cuba                  32) Netherlands Antilles  49) Virgin Islands (US)
16) Dominica              33) Nicaragua
17) Dominican Republic    34) Panama

c. If the country contains more than one time zone, the time zones for the country appear. Choose the appropriate time zone region from the list and press enter (for example, 19 for Pacific Time).

Please select one of the following time zone regions.
 1) Eastern Time
 2) Eastern Time - Michigan - most locations
 3) Eastern Time - Kentucky - Louisville area
 4) Eastern Time - Kentucky - Wayne County
 5) Eastern Time - Indiana - most locations
 6) Eastern Time - Indiana - Crawford County
 7) Eastern Time - Indiana - Starke County
 8) Eastern Time - Indiana - Switzerland County
 9) Central Time
10) Central Time - Indiana - Daviess, Dubois, Knox, Martin, Perry & Pulaski Counties
11) Central Time - Indiana - Pike County
12) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties
13) Central Time - North Dakota - Oliver County
14) Central Time - North Dakota - Morton County (except Mandan area)
15) Mountain Time
16) Mountain Time - south Idaho & east Oregon
17) Mountain Time - Navajo
18) Mountain Standard Time - Arizona
19) Pacific Time
20) Alaska Time
21) Alaska Time - Alaska panhandle
22) Alaska Time - Alaska panhandle neck
23) Alaska Time - west Alaska
24) Aleutian Islands
25) Hawaii

d. Confirm your choices by entering 1, or use 2 to cancel and start over.

The following information has been given:

        United States
        Pacific Time

Is the above information OK?
1) Yes
2) No

e. Confirm the current date and time at the next prompt by pressing enter, or provide the correct date and time in the format shown. Confirm the values when prompted.

Current date and time hh:mm:ss mm/dd/yy [11:53:12 08/22/08]: 11:53:12 08/22/08
You entered 11:53:12 08/22/08 Is this correct? (y/n)? [y] y

Step 9 Now configure the temporary SSL certificate that enables secure connections between the Clean Access Manager and the web-based administrator console as follows:

a. Type the IP address or domain name for which you want the certificate to be issued.


Note This is also the IP address or domain name to which the web server responds. If DNS is not already set up for a domain name, the CAM web console will not load. Make sure to create a DNS entry in your servers, or else use an IP address for the CAM.


b. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, test or engineering).

c. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, access), and press enter.

d. Type the name of the city or county in which your organization is legally located, and press enter.

e. Enter the two-character state code in which the organization is located, such as CA or NY, and press enter.

f. Type the two-letter country code, such as US, and press enter.

g. A summary of the values you entered appears. Press enter to accept the values or N to start over.

You entered the following:
Domain: mydomain.com
Organization unit: test
Organization name: access
City name: My Town
State code: CA
Country code: US
Is this correct? (y/n)? [y] 

Step 10 Specify whether or not you want the CAM to feature Pre-login Banner Support at the following prompt.

Enable Prelogin Banner Support? (y/n)? [n]

For more information and an example of the Pre-login Banner feature, see Figure 2-4.

Step 11 Configure the root user password for the installed Linux operating system of the Clean Access Manager. The root user account is used to access the system over a serial connection or through SSH.

Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at least 8 characters long and feature a combination of upper- and lower-case letters, digits, and other characters. For example, the password 10-9=One would not satisfy the requirements because it does not feature two characters from each category, but 1o-9=OnE is a valid password. For more details, see Manage System Passwords, page 15-51.

For security reasons, it is highly recommended that you change the password for the root 
user.

** Please enter a valid password for root user as per the requirements below! **

Changing password for user root.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. Minimum of 8 characters and maximum
of 16 characters with characters from all of these classes. Minimum
of 2 characters from each of the four character classes is mandatory.
An upper case letter that begins the password and a digit that ends
it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
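The rules printed by the utility above can be checked before the prompt is reached. The checker below is an added example, not Cisco's passwd/PAM implementation; it applies the printed rules (8 to 16 characters, at least 2 from each of four classes, a leading upper-case letter and a trailing digit earning no credit) and reproduces the 10-9=One versus 1o-9=OnE outcome described earlier. Treating "do not count" as "that character is ignored when tallying its class", and restricting classes to ASCII, are assumptions of this example.

```python
"""Checker mirroring the root password rules printed by the CAM quick
configuration utility (added example, not Cisco's own passwd/PAM code).

Assumptions: a leading upper-case letter and a trailing digit are simply
ignored when tallying their class; character classes are ASCII.
"""
import string

MIN_LEN, MAX_LEN = 8, 16
MIN_PER_CLASS = 2


def class_counts(password: str) -> dict:
    """Count characters per class, ignoring a leading upper-case letter and a trailing digit."""
    chars = list(password)
    if chars and chars[0] in string.ascii_uppercase:
        chars[0] = None   # leading upper-case letter earns no credit
    if chars and chars[-1] is not None and chars[-1] in string.digits:
        chars[-1] = None  # trailing digit earns no credit
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in chars:
        if ch is None:
            continue
        if ch in string.ascii_uppercase:
            counts["upper"] += 1
        elif ch in string.ascii_lowercase:
            counts["lower"] += 1
        elif ch in string.digits:
            counts["digit"] += 1
        else:
            counts["other"] += 1
    return counts


def password_violations(password: str) -> list:
    """Return the list of rule violations for a candidate root password (empty if valid)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length %d not in %d..%d" % (len(password), MIN_LEN, MAX_LEN))
    for name, n in class_counts(password).items():
        if n < MIN_PER_CLASS:
            problems.append("only %d %s character(s), need %d" % (n, name, MIN_PER_CLASS))
    return problems


def is_valid_root_password(password: str) -> bool:
    """True when the candidate satisfies every printed rule."""
    return not password_violations(password)


if __name__ == "__main__":
    # The two examples from the guide, plus a constructed pair that differs only
    # in whether the upper-case letter sits at the start.
    for candidate in ("10-9=One", "1o-9=OnE", "Ab-1cd=2E9", "bA-1cd=2E9"):
        print(candidate, password_violations(candidate) or "OK")
```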

Step 12 Next type the password for the admin user for the CAM direct access web console.

Please enter an appropriately secure password for the web console admin user.

New password for web console admin:
Confirm new password for web console admin:


Note Passwords for web admin console users (including default user admin) are configured through the web console. See Manage System Passwords, page 15-51 for details.


Step 13 When performing a CD install, the following message appears after configuration is complete:

Configuration is complete.
Changes require a REBOOT of Clean Access Manager.

Enter the following command to reboot the CAM after configuration is complete:

# reboot


After restarting, the CAM is accessible through the web console, as described in Access the CAM Web Console.

For the commands to manually stop and start the CAM, see CAM CLI Commands.

For network card configuration issues, see Troubleshooting Network Card Driver Support Issues.

Access the CAM Web Console

The Clean Access Manager web administration console is the web interface for administering the Cisco NAC Appliance deployment.


Warning You must already have obtained a product or evaluation license to access the CAM/CAS and CAM web console. Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step instructions on how to obtain and install product licenses and obtain service contract support for Cisco NAC Appliance.



Step 1 Launch a web browser from a computer accessible to the CAM by network. The web console supports Internet Explorer 6.0 or 7.0.

Step 2 In the URL field, type the IP address of the CAM (or host name if you have made the required entry in your DNS server).

Step 3 If using a temporary SSL certificate, click Yes at the security alert prompt to accept the certificate. (If using signed certificates, this security dialog does not appear.)

Step 4 The Clean Access Manager License Form (Figure 2-3) appears and prompts you to install your CAM FlexLM license file. For reference, the top of the form displays the CAM's eth0 MAC address.

Figure 2-3 Clean Access Manager License Form

Step 5 Browse to the license file you received in the Clean Access Manager License File field and click the Install License button.


Note Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step instructions for how to obtain and install product licenses and obtain service contract support for Cisco NAC Appliances.



Caution Cisco recommends obtaining a permanent license before continuing with full-scale deployment. Evaluation licenses are intended for trial purposes and expire after 30 days. Once a license expires, you cannot start Cisco NAC Appliance. Contact a Cisco representative to purchase a permanent license.

Step 6 Once the license is accepted, the customizable CAM Pre-login Banner (Figure 2-4) appears (if you have chosen to enable Pre-login Banners during your initial CAM configuration) or the web admin console login window appears (Figure 2-5). Type the username admin and web admin user password, and click Login.

Figure 2-4 CAM Prelogin Banner Example

The Pre-login Banner enables you to present a broad range of messages, including warnings, system/network status, access requirements, etc., to administrator users before they enter authentication credentials in the CAM/CAS. Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS.

You can enable or disable the Pre-login Banner during the initial CAM/CAS configuration CLI session and whenever you choose to alter your base CAM/CAS configuration with the service perfigo config CLI command.

Figure 2-5 CAM Web Admin Console Login Page

Step 7 Type the username admin and web admin user password, and click Login.

The Monitoring summary page and left-hand navigation pane display (Figure 2-6). You can now configure your deployment through the modules of the web admin console.

To log out of the web admin console, either click the Logout button or close the browser. For further details on creating different levels of admin users for the web console, see Admin Users, page 15-44.


Important Notes for SSL Certificates

You must generate the temporary SSL certificate during CAM installation or you will not be able to access your CAM as an end user.

After CAM and CAS installation, make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. For further details on the CAM, see:

Set System Time, page 15-4

Manage CAM SSL Certificates, page 15-6

For details on the CAS, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).

Before deploying the CAM in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to the web user during admin login).


Note If present on the CAS, you will see messages on the CAS web console (Figure 2-6) warning that the "EMAILADDRESS=info@perfigo.com, CN=www.perfigo.com, OU=Product, O="Perfigo, Inc.", L=San Francisco, ST=California, C=US" certificate authority can render your CAS and associated client machines vulnerable to security attacks. To locate and remove this certificate authority from the CAS database, use the instructions in Manage Trusted Certificate Authorities, page 15-16.


Figure 2-6 Administrator Web Console Messages Warning to Obtain Trusted Certificate Authority and Remove Existing "www.perfigo.com" Certificate

CAM CLI Commands

Most Clean Access Manager administration tasks, such as configuring behavior and starting or rebooting the CAM, can be performed through the web admin console. In some cases, however, you may need to access the CAM configuration directly, for example if the web admin console is unavailable because of incorrect network or VLAN settings. The Cisco NAC Appliance command line interface (CLI) lets you set basic operational parameters directly on the CAM.

To run CLI commands, access the CAM using SSH, log in as user root, and enter the corresponding password. If you are already serially connected to the CAM, you can run CLI commands from the terminal emulation console after logging in as root (see Connect the Clean Access Manager). Commands are entered in the form service perfigo <command>. Table 2-1 lists the commonly used Cisco NAC Appliance CLI commands.

Table 2-1 CLI Commands

Command
    Description

service perfigo start
    Starts up the appliance. If the CAM is already running, a warning message appears. The CAM must be stopped for this command to be used.

service perfigo stop
    Shuts down the Cisco NAC Appliance service.

service perfigo restart
    Shuts down the Cisco NAC Appliance service and starts it up again. This is used when the service is already running and you want to restart it.

    Note service perfigo restart should not be used to test high availability (failover). Instead, Cisco recommends "shutdown" or "reboot" on the machine to test failover, or if a CLI command is preferred, service perfigo stop and service perfigo start.

service perfigo reboot
    Shuts down and reboots the machine. You can also use the Linux reboot command.

service perfigo config
    Starts the configuration script to modify the CAM configuration. After completing service perfigo config, you must reboot the CAM.

service perfigo time
    Use to modify the time zone settings.


Power Down the CAM

To power down the CAM, use one of the following recommended methods while connected via SSH:

Type service perfigo stop, then power down the machine, or

Type /sbin/halt, then power down the machine.

Restart Initial Configuration

To start the configuration script, type service perfigo config while connected through SSH. For example:

[root@camanager root]# service perfigo config

This command causes the configuration utility script to start (on either the CAS or CAM). The script lets you configure the network settings for the CAM (see Perform the Initial Configuration for instructions). After running and completing service perfigo config, make sure to run service perfigo reboot or reboot to reset the CAM with the modified configuration settings.


Note For details on restoring the database from automated and manual backup snapshots via command line utility, see Database Recovery Tool, page 15-61.


Troubleshooting Network Card Driver Support Issues

For complete details, refer to the "Troubleshooting Network Card Driver Support Issues" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Connectivity Across a Wide Area Network

When deploying the CAM/CAS across a WAN, you must prioritize all CAM/CAS traffic and SNMP traffic, and include the eth0/eth1 IP addresses of the CAM and CAS in addition to the Service IP address for HA pairs.

Cisco NAC Appliance Connectivity Across a Firewall

The Clean Access Manager (CAM) uses Java Remote Method Invocation (RMI) for parts of its communication with the Clean Access Server (CAS), which means it uses dynamically allocated ports for this purpose. If your deployment has a firewall between the CAS and the CAM, you will need to set up rules in the firewall to allow communication between the CAS and CAM machines, that is, a rule that allows traffic originating from the CAM destined to the CAS and vice versa.


Note If there is a NAT router between the CAS and CAM, also refer to section "Configuring the CAS Behind a NAT Firewall" in the Installation chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1) for additional details.


Table 2-2 lists the ports that are required for communication between the CAS and the CAM (per version of Cisco NAC Appliance).

Table 2-2 Port Connectivity for CAM/CAS

Cisco NAC Appliance Version
    Required Ports

4.6(1), 4.5(x), 4.1(x), 4.0(x)
    TCP ports 443, 1099, and 8995~8996

3.6(x)
    TCP ports 80, 443, 1099, and 8995~8996

3.5(x)
    TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient).
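
As an added example that is not part of the Cisco guide, the following Python script checks a simple firewall policy against the Table 2-2 requirements in both directions (CAM to CAS and CAS to CAM); the rule syntax, IP addresses and the policy itself are constructed for illustration.

```python
# Added example (not from the Cisco guide): check a firewall policy for the
# CAM<->CAS TCP ports of Table 2-2. Rule syntax and addresses are constructed.

_CURRENT = [(443, 443), (1099, 1099), (8995, 8996)]   # inclusive ranges
REQUIRED_TCP = {   # keyed by Cisco NAC Appliance version, per Table 2-2
    "4.6(1)": _CURRENT, "4.5(x)": _CURRENT, "4.1(x)": _CURRENT, "4.0(x)": _CURRENT,
    "3.6(x)": [(80, 80)] + _CURRENT,
    # 3.5(x) used 32768~61000; the guide says 32768~32999 is usually enough
    "3.5(x)": [(80, 80), (443, 443), (1099, 1099), (32768, 32999)],
}

def parse_rule(line):
    """Parse a constructed rule: '<permit|deny> tcp SRC DST LOW[-HIGH]'."""
    action, proto, src, dst, ports = line.split()
    low, _, high = ports.partition("-")
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "ports": (int(low), int(high or low))}

def _allowed(rules, proto, src, dst, port):
    """First matching rule decides; no match means implicit deny."""
    for r in rules:
        if (r["proto"] == proto and r["src"] in (src, "any")
                and r["dst"] in (dst, "any")
                and r["ports"][0] <= port <= r["ports"][1]):
            return r["action"] == "permit"
    return False

def missing_ports(version, rules, cam_ip, cas_ip):
    """Return (direction, port) pairs the policy does not permit.
    The guide requires CAM->CAS and CAS->CAM rules, so both are checked."""
    gaps = []
    for low, high in REQUIRED_TCP[version]:
        for port in range(low, high + 1):
            if not _allowed(rules, "tcp", cam_ip, cas_ip, port):
                gaps.append(("CAM->CAS", port))
            if not _allowed(rules, "tcp", cas_ip, cam_ip, port):
                gaps.append(("CAS->CAM", port))
    return gaps

if __name__ == "__main__":
    # Constructed policy: CAM->CAS is complete, but CAS->CAM only permits 443.
    policy = [parse_rule(r) for r in (
        "permit tcp 10.0.1.5 10.0.2.5 443",
        "permit tcp 10.0.1.5 10.0.2.5 1099",
        "permit tcp 10.0.1.5 10.0.2.5 8995-8996",
        "permit tcp 10.0.2.5 10.0.1.5 443",
    )]
    for direction, port in missing_ports("4.6(1)", policy, "10.0.1.5", "10.0.2.5"):
        print("not permitted:", direction, "tcp/%d" % port)
```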


In addition, for Single Sign-On (SSO) capabilities, further ports must be opened on the CAS and firewall (if any) to allow communication between the Agent and the Active Directory Server, as shown in Table 2-3. Table 2-3 provides further details about communicating devices, the ports affected, and the purpose of each port.

Table 2-3 Port Usage

Device: Firewall, if any

    Communicating devices: CAM and CAS
    Ports to open and purpose:
        TCP 8995, 8996 and TCP 1099: Java Management Extensions (JMX) communication between the CAM and CAS, such as pre-connect and connect messages.
        TCP 443: HTTP over Secure Sockets Layer (SSL) communication between Agent/CAS/CAM, such as end user machine remediation via the Agent.
        TCP 80 (for version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download the Agent from the CAM to an end user machine.

    Communicating devices: CAS and Agent
    Ports to open and purpose:
        UDP 8905, 8906: SWISS, a proprietary CAS-Agent communication protocol used by the Agent for UDP discovery of the CAS. UDP 8905 is used for Layer 2 discovery; 8906 is used for Layer 3 discovery. For more information, see the "Connecting to the CAS Using the SWISS Protocol" section in the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).
        TCP 443: HTTP over SSL communication between Agent/CAS/CAM, such as for user redirection to a web login page.
        TCP 80 (for version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download the Agent from the CAM to an end user machine.

Device: CAS and firewall (if any)

    Communicating devices: Agent (Windows OS) and Active Directory (AD) Server
    Ports to open: TCP 88, 135, 389, 445, 1025, 1026; UDP 88, 389
    Purpose: AD SSO requires the following ports to be open:
        TCP 88 (Kerberos)
        TCP 135 (RPC)
        TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
        TCP 445 (Microsoft-SMB; e.g. needed for password change notices from DC to PC)
        TCP 1025 (RPC), non-standard
        TCP 1026 (RPC), non-standard

    If it is not known whether the AD server is using Kerberos, you must open the following UDP ports instead:
        UDP 88 (Kerberos)
        UDP 389 (LDAP) or UDP 636 (LDAP with SSL)

    Note When using LDAP to connect to the AD server, Cisco recommends using TCP/UDP port 3268 (the default Microsoft Global Catalog port) instead of the default port 389. This allows for a more efficient search of all directory partitions in both single and multi domain environments.

    If your deployment requires LDAP services, use TCP/UDP 636 (LDAP with SSL encryption) instead of TCP/UDP 389 (plain text).

For more information on AD SSO, see the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.6(1).