Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.9(1)
Administering the CAM


Table Of Contents

Administering the CAM

Overview

Network

Failover

Set System Time

Manage CAM SSL Certificates

SSL Certificate Overview

Web Console Pages for SSL Certificate Management

Typical SSL Certificate Setup on the CAM

Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR)

Phase 2: Prepare your CAM and CAS For CA-Signed Certs (Production Deployment)

Phase 3: Adding a New CAM or CAS to an Existing Production Deployment

Generate Temporary Certificate

Generate and Export a Certification Request (Non-FIPS CAM Only)

Manage Signed Certificate/Private Key

Import Signed Certificate/Private Key

Export Certificate and/or Private Key

Manage Trusted Certificate Authorities

Import/Export Trusted Certificate Authorities

View Current Private Key/Certificate and Certificate Authority Information

Troubleshooting Certificate Issues

HA Active-Active Situation Due to Expired SSL Certificates

No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Disabling Administrator Prompt for Certificate on IE 8 and 9

Certificate-Related Files

System Upgrade

Licensing

Policy Import/Export

Policy Sync Policies

Policies Excluded from Policy Sync

Example Scenarios

Policy Sync Configuration Summary

Before You Start

Enable Policy Sync on the Master

Configure the Master

Enable Policy Sync on the Receiver

Configure the Receiver

Perform Policy Sync

Perform Manual Sync

Perform Auto Sync

Verify Policy Sync

View History Logs

Troubleshooting Manual Sync Errors

Support Logs

Filtering Logs by CAS and/or Agent IP

Agent Logs

Admin Users

Admin Groups

Add/Edit a Custom Admin Group

Admin Users

Login/Logout an Admin User

Add an Admin User

Edit an Admin User

Active Admin User Sessions

Administrator User Access Restrictions

Manage System Passwords

Change the CAM Web Console Admin Password

Change the CAS Web Console Admin User Password

Backing Up the CAM Database

Automated Daily Database Backups

Manual Backups from Web Console

Restoring a CAM Snapshot—Standalone CAM

Restoring a CAM Snapshot—HA-CAM or HA-CAS

Backing Up and Restoring CAM/CAS Authorization Settings

Database Recovery Tool

API Support


Administering the CAM


This chapter discusses the Administration pages for the Clean Access Manager. Topics include:

Overview

Network

Failover

Set System Time

Manage CAM SSL Certificates

System Upgrade

Licensing

Policy Import/Export

Support Logs

Agent Logs

Admin Users

Manage System Passwords

Backing Up the CAM Database

API Support

For details on the User Pages module, see Chapter 4 "Configuring User Login Page and Guest Access."

For details on high availability configuration, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Overview

At installation time, the initial configuration script provides for many of the Clean Access Manager's internal administration settings, such as its interface addresses, DNS servers, and other network information. The Administration module (Figure 14-1) allows you to access and change these settings after installation has been performed.

Figure 14-1 Administration Module

The CCA Manager pages of the Administration module allow you to perform the following administration tasks:

Change network settings for the Clean Access Manager. See Network.

Set up Clean Access Manager High-Availability mode. See the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Manage Clean Access Manager system time. See Set System Time.

Manage Clean Access Manager SSL certificates. See Manage CAM SSL Certificates.

Upload a software upgrade image onto the Clean Access Manager before performing console/SSH upgrade. See the "Upgrading to a New Software Release" section of the corresponding Release Notes for Cisco NAC Appliance.

Manage Clean Access Manager license files. See Licensing.

Create support logs for the CAM to send to customer support. See Support Logs.

The User Pages tabs of the Administration module allow you to perform these administration tasks:

Add the default login page, and create or modify all web user login pages. See Chapter 4 "Configuring User Login Page and Guest Access."

Upload resource files to the Clean Access Manager. See Upload a Resource File.

The Admin Users pages of the Administration module (see Admin Users) allow you to perform these administration tasks:

Add and manage new administrator groups and admin users/passwords

Configure and manage Administrator privileges as new features are added

The Backup page of the Administration module allows you to make manual snapshots of your Clean Access Manager in order to back up your CAM's configuration. See Backing Up the CAM Database.

In addition, the CAM provides an API interface described in API Support.

Network

You can view or change the Clean Access Manager's network settings from Administration > CCA Manager > Network page.

Changes to the network settings generally require a reboot of the Clean Access Manager machine to take effect. Therefore, if making changes to a production machine, make sure to perform the changes when rebooting the machine will have minimal impact on the users.


Note The service perfigo config configuration utility script also lets you modify CAM network settings. Because the configuration utility is used from the command line, it is particularly useful if the admin console web server is not responsive due to incorrect network or VLAN settings. For further details, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.


To modify CAM network settings:


Step 1 Go to Administration > CCA Manager > Network.

Figure 14-2 CAM Network

Step 2 In the Network page, modify the settings as desired from the following fields/controls:

IP Address—The eth0 IP address of the CAM machine.

Subnet Mask—The subnet mask for the IP address.

Default Gateway—The default IP gateway for the CAM.

Host Name—The host name for the CAM. The name is required in high availability mode.

Host Domain—An optional field for your domain name suffix. To resolve a host name to an IP address, the DNS requires the fully qualified host name. Within a network environment, users often type host names in a browser without a domain name suffix, for example:

http://siteserver

The host domain value is used to complete the address. For example, with a suffix value of cisco.com, the request URL would be:

http://siteserver.cisco.com

DNS Servers—The IP address of the DNS (Domain Name Service) server in your environment. Separate multiple addresses with commas. If you specify more than one DNS server, the Clean Access Manager tries to contact them one by one, and stops when it receives a response.


Note If the setup is in HA mode, then go to Administration > CCA Manager > Failover. Enter appropriate values in the Failover page and click Update.


Step 3 Click Reboot to restart the Clean Access Manager with the new settings.


Failover

You can view or change the Clean Access Manager's failover settings from Administration > CCA Manager > Failover page.

Changes to the network settings generally require a reboot of the Clean Access Manager machine to take effect. Therefore, if making changes to a production machine, make sure to perform the changes when rebooting the machine will have minimal impact on the users.


Note The service perfigo config configuration utility script also lets you modify CAM network settings. Because the configuration utility is used from the command line, it is particularly useful if the admin console web server is not responsive due to incorrect network or VLAN settings. For further details, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.


To modify CAM failover settings:


Step 1 Go to Administration > CCA Manager > Failover.

Figure 14-3 CAM Failover

Step 2 In the Network page, modify the CAM's operating mode using the Clean Access Manager Mode menu:

Standalone Mode—If the Clean Access Manager is operating alone.

HA-Primary Mode—For the primary Clean Access Manager in a failover configuration.

HA-Standby Mode—For the secondary Clean Access Manager.

If you choose one of the HA (high availability) options, additional fields appear. For information on the fields and setting up high availability, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Step 3 Click the Update button.


Set System Time

For logging purposes and other time-sensitive tasks (such as SSL certificate generation), the time on the Clean Access Manager and Clean Access Servers needs to be correctly synchronized. The System Time tab lets you set the time on the Clean Access Manager and modify the time zone setting for the Clean Access Manager operating system.

After CAM and CAS installation, you should synchronize the time on the CAM and CAS before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. The easiest way to ensure this is to automatically synchronize time with the time server (Sync Current Time button).


Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date/expiry date range set on the CAS's SSL certificate.


The time can be modified on the CAS under Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(1) for details.

To view the current time:

1. Go to Administration > CCA Manager > System Time.

2. The system time for the Clean Access Manager appears in the Current Time field.

Figure 14-4 System Time

There are two ways to adjust the system time: manually, by typing in the new time, or automatically, by synchronizing from an external time server.

To manually modify the system time:

1. In the System Time form, either:

a. Type the time in the Date & Time field and click Update Current Time. The time should be in the form: mm/dd/yy hh:ss PM/AM

b. Or, click the Sync Current Time button to have the time updated by the time servers listed in the Time Servers field.

To automatically synchronize to the time server:

The default time server is the server managed by the National Institute of Standards and Technology (NIST), at time.nist.gov. To specify another time server:

1. In the System Time form type the URL of the server in the Time Servers field. The server should provide the time in NIST-standard format. Use a space to separate multiple servers.

2. If you want to authenticate the server to get the time, check the Authentication checkbox to enable NTP authentication. Once this option is enabled, you will be able to enter the following:

Key Id—Specify a key number.

Key Type—Currently, only MD5 is supported. The key type MD5 specifies that message authentication support is provided by using the Message Digest 5 hashing algorithm.

Key Value—For MD5 authentication, this is a password consisting of a string of one to eight characters. If the string is longer than eight characters, only the first eight will be used.


Note The NTP Authentication is not available for FIPS-compliant CAMs/CASs.


3. Click Sync Current Time.

If more than one time server is listed, the CAM tries to contact the first server in the list when synchronizing. If available, the time is updated from that server. If it is not available, the CAM tries the next one, and so on, until a server is reached.


Note If the NTP Authentication has been enabled, the same Key Id, Key Type, and Key value are used for all the servers.


To poll the time server periodically, edit the ntp.conf file and then start ntpd as follows:

[root@cam1 init.d]# ./ntpd 
Usage: ./ntpd {start|stop|restart|condrestart|status}
[root@cam1 init.d]# ./ntpd start
Starting ntpd: [  OK  ]
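The guide does not show what to put in ntp.conf. The following Python helper is an added example (not part of the Cisco guide or the CAM software) that renders ntp.conf and key-file contents from the web-console fields described above. It uses standard ntpd syntax (server <host> key <id>, keys <path>, trustedkey <id>, and a keys-file line of the form <id> M <value>); that syntax is an assumption about what the CAM's ntpd accepts, and the server names and key value below are constructed samples. The helper enforces the rules stated above: MD5 is the only key type, a Key Value longer than eight characters is cut to its first eight, and one key is shared by every server, listed in the order of the Time Servers field.

```python
# Added example: render ntpd configuration from the CAM System Time fields.
# Assumes standard ntpd syntax for ntp.conf and the keys file; the CAM's own
# ntp.conf layout is not shown in the guide.


def render_ntp_config(time_servers, key_id=None, key_type="MD5",
                      key_value=None, keys_path="/etc/ntp/keys"):
    """Return ntp.conf / keys-file text built from the web-console fields.

    time_servers: the Time Servers field (space-separated host names)
    key_id / key_type / key_value: the NTP Authentication fields; key_id of
    None means the Authentication checkbox is not enabled.
    """
    hosts = time_servers.split()          # field is space-separated
    if not hosts:
        raise ValueError("Time Servers field is empty")

    warnings = []
    conf = ["driftfile /var/lib/ntp/drift"]
    keys_file = ""
    authenticate = key_id is not None

    if authenticate:
        if key_type.upper() != "MD5":      # only MD5 is supported
            raise ValueError("only the MD5 key type is supported")
        if not isinstance(key_id, int) or key_id < 1:
            raise ValueError("Key Id must be a positive integer")
        if not key_value:
            raise ValueError("Key Value is required when authentication is on")
        if any(ch.isspace() or ch == "#" for ch in key_value):
            raise ValueError("Key Value must not contain whitespace or '#'")
        if len(key_value) > 8:              # only the first eight characters are used
            warnings.append(
                f"Key Value longer than 8 characters; only '{key_value[:8]}' is used")
            key_value = key_value[:8]
        conf += [f"keys {keys_path}", f"trustedkey {key_id}"]
        keys_file = f"{key_id} M {key_value}\n"   # M = MD5 key in the ntpd keys file

    # The same key id is applied to every server; order follows the field.
    suffix = f" key {key_id}" if authenticate else ""
    conf += [f"server {host}{suffix}" for host in hosts]

    return {"ntp_conf": "\n".join(conf) + "\n",
            "ntp_keys": keys_file,
            "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample values, not from any real deployment.
    result = render_ntp_config("time.nist.gov 10.0.0.5",
                               key_id=1, key_type="MD5", key_value="s3cretkey9")
    print(result["ntp_conf"])
    print(result["ntp_keys"])
    for w in result["warnings"]:
        print("warning:", w)
```

The keys file should be readable by the ntpd user only, since it holds the shared secret; with authentication disabled the helper emits plain server lines and no keys file.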

To change the time zone of the server system time:

1. In the Current Time tab of the Administration > CCA Manager page, choose the new time zone from the Time Zone drop-down list.

2. Click Update Time Zone.

Manage CAM SSL Certificates

This section describes the following:

SSL Certificate Overview

Web Console Pages for SSL Certificate Management

Typical SSL Certificate Setup on the CAM

Generate Temporary Certificate

Generate and Export a Certification Request (Non-FIPS CAM Only)

Manage Signed Certificate/Private Key

Manage Trusted Certificate Authorities

View Current Private Key/Certificate and Certificate Authority Information

Troubleshooting Certificate Issues

SSL Certificate Overview

The elements of Cisco NAC Appliance communicate securely over Secure Socket Layer (SSL) connections. Cisco NAC Appliance uses SSL connections for a number of purposes, including the following:

Secure communications between the CAM and the CAS


Caution CAM-CAS communication and HA-CAM and/or HA-CAS peer communication can break down and adversely affect network functionality when SSL certificates expire. For more information, see HA Active-Active Situation Due to Expired SSL Certificates.

Policy Import/Export operations between Policy Sync Master and Policy Sync Receiver CAMs

CAM-to-LDAP authentication server communications where SSL has been enabled for the LDAP authentication provider using the Security Type option on the User Management > Auth Servers > New | Edit page

Between the CAS and end-users connecting to the CAS

Between the CAM/CAS and the browsers accessing the CAM/CAS web admin consoles

During installation, the configuration utility script for both the CAM and CAS requires you to generate a temporary SSL certificate for the appliance being installed (CAM or CAS). For the Clean Access Manager and Clean Access Servers operating strictly in a lab environment, it is not necessary to use a CA-signed certificate and you can continue to use a temporary certificate, if desired. For security reasons in a production deployment, however, you must replace the temporary certificate for the CAM and CAS with a third-party CA-signed SSL certificate.

At installation, a corresponding Private Key is also generated with the temporary certificate. Cisco NAC Appliance Release 4.7(0) uses two types of keys to support FIPS compliance: Private Keys and Shared Master Keys. Both of these key types are managed and stored using the FIPS card installed in the CAM/CAS. During installation, keys are created using the CAM/CAS setup utilities, the keys are then moved to the FIPS card for security, and key-generation files and/or directories are then removed from the CAM/CAS.

In Cisco NAC Appliance Release 4.8 and later, you can no longer export private keys and you cannot generate CSRs using a FIPS 140-2 compliant CAM/CAS. To adhere to FIPS compliance guidelines, you can only import certificates from trusted third-party resources.

For details on managing SSL certificates for the CAS, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(1).


Note Cisco NAC Appliance supports 1024-, 2048-, and 4096-bit RSA key lengths for SSL certificates.



Note Cisco NAC Appliance supports Extended Validation (EV) SSL certificates.



Note Cisco NAC Appliance does not support wildcard SSL certificates.


The following sections describe how to manage SSL certificates for the CAM:

Generate Temporary Certificate

Generate and Export a Certification Request (Non-FIPS CAM Only)

Manage Signed Certificate/Private Key

Manage Trusted Certificate Authorities

View Current Private Key/Certificate and Certificate Authority Information

Troubleshooting Certificate Issues


Note You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean Access Server. You must buy a separate certificate for each Clean Access Server.


Web Console Pages for SSL Certificate Management

The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files are kept on the CAS machine. After installation, the CAM certificates are managed from the following web console pages (respectively):

Clean Access Manager Certificates:

Administration > CCA Manager > SSL > X509 Certificate—Use this configuration window to import and export temporary or CA-signed certificates, import Private Keys (FIPS and non-FIPS appliances), export Private Keys (non-FIPS appliances only), and generate new temporary certificates

Administration > CCA Manager > SSL > Trusted Certificate Authorities—Use this configuration window to view, add, and remove Certificate Authorities on the CAM

Administration > CCA Manager > SSL > X509 Certification Request (non-FIPS appliances only)—Use this configuration window to generate a new Certificate Signing Request (CSR) for the CAM

The CAM web admin console lets you perform the following SSL certificate-related operations:

Generate PEM-encoded PKCS #10 CSRs (non-FIPS appliances only).

Import (FIPS and non-FIPS) and export (non-FIPS only) Private Keys. For non-FIPS appliances, you can use this feature to save a backup copy of the Private Key on which the CSR is based. When a CA-signed certificate is returned from the Certificate Authority and imported into the CAM (FIPS and non-FIPS), this Private Key must be used with it or the CAM cannot communicate with any associated machines via SSL.

View, remove, and import/export Trusted CAs in the CAM local trust store.

Generate temporary certificates (and corresponding Private Keys). Temporary certificates are designed for lab environments only. When you deploy your CAM and CAS in a production environment, Cisco strongly recommends using a trusted certificate from a third-party Certificate Authority to help ensure network security.

Typical SSL Certificate Setup on the CAM

Some typical steps for managing CAM certificates are as follows.

Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR)


Step 1 Synchronize time.

After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before regenerating the temporary certificate on which the Certificate Signing Request will be based. See the next section, Set System Time, for details.

Step 2 Check DNS settings for the CAM.

If planning to use the DNS name instead of the IP address of your servers for CA-signed certificates, you will need to verify the CAM settings and regenerate a temporary certificate. See Regenerating Certificates for DNS Name Instead of IP for details.

Step 3 Generate Temporary Certificate.

A temporary certificate and Private Key are automatically generated during CAM installation. If changing time or DNS settings on the CAM, regenerate the temporary certificate and Private Key.

Step 4 Ensure you export the certificate from your CAM, save it on a machine accessible from your CAS, and import the exported certificate on the CAS, and repeat the process in reverse to ensure the CAS certificate also resides on the CAM.

Phase 2: Prepare your CAM and CAS For CA-Signed Certs (Production Deployment)


Warning If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors on the CAM/CAS After Upgrade Troubleshooting Tech Note.

Step 5 Export (Backup) the certificate to a local machine for safekeeping.

If you are altering your Cisco NAC Appliance SSL configuration, it is always a good idea to back up the certificate to a local hard drive for safekeeping. See Generate and Export a Certification Request (Non-FIPS CAM Only).

Step 6 (Non-FIPS appliances only) Export the Private Key to a local machine for safekeeping

If you are altering your Cisco NAC Appliance SSL configuration, it is always a good idea to back up the Private Key corresponding to the current certificate to a local hard drive for safekeeping. See Generate and Export a Certification Request (Non-FIPS CAM Only).

Step 7 (Non-FIPS appliances only) Export (save) the Certificate Signing Request (CSR) to a local machine. See Generate and Export a Certification Request (Non-FIPS CAM Only).

Step 8 Send the CSR file to a Certification Authority (CA) authorized to issue trusted certificates.

Step 9 After the CA signs and returns the certificate, import the CA-signed certificate to your server.

When the CA-signed certificate is received from the CA, upload it as PEM-encoded file to the CAM temporary store. See Manage Signed Certificate/Private Key.


Note The CAM and CAS require encrypted communication. Therefore, the CAM must contain the Trusted Certificate Authorities from which the certificates on all of its managed CASs originate, and all CASs must contain the same Trusted Certificate Authority from which the CAM certificate originates before deploying Cisco NAC Appliance in a production environment.


Step 10 If necessary, upload any required intermediate CA certificate(s) as a single PEM-encoded file to the CAM temporary store.

Step 11 Test access to the Clean Access Manager.


Note Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the Private Key to a secure location when you are generating a CSR for signing (for safekeeping and to have the Private Key handy).


For additional details, see also Troubleshooting Certificate Issues.


Phase 3: Adding a New CAM or CAS to an Existing Production Deployment

In production deployments and for FIPS 140-2 compliant appliances, CA-signed certificates are used exclusively. Use the following steps when introducing new appliances (CAM or CAS) to a production deployment. The new appliance should not be added to the deployment until you have requested and are able to import a new third-party CA-signed certificate.


Step 1 Install and initially configure the new appliance as described in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Step 2 Follow the steps in Phase 1: Prepare Your CAM and CAS for the Certificate Signing Request (CSR)

Step 3 (Non-FIPS appliances only) Generate a CSR for the new appliance, as described in Generate and Export a Certification Request (Non-FIPS CAM Only).

Step 4 Obtain and install the CA-signed certificate as described in Import Signed Certificate/Private Key.

Step 5 Add the appliance to your existing production environment.


Generate Temporary Certificate

The following procedure describes how to generate a new temporary certificate for the CAM. Any time you change basic configuration settings on the CAM (date, time, associated DNS server, etc.) you should generate a new temporary certificate.


Caution If you are using FIPS 140-2 compliant appliances, be sure you have your current trusted-CA certificate and Private Key stored on an external machine so you can restore them following this procedure.

If you are using a CA-signed certificate on a non-FIPS appliance, Cisco recommends backing up the Private Key for the current certificate prior to generating any new certificate, as generating a new certificate also generates a new Private Key. See Generate and Export a Certification Request (Non-FIPS CAM Only) for more information.


Step 1 Go to Administration > CCA Manager > SSL > X509 Certificate.

Step 2 Click Generate Temporary Certificate to expose the fields required to construct a temporary certificate (Figure 14-5).

Figure 14-5 Generate Temporary Certificate

Step 3 Type appropriate values for the following fields:

Full Domain Name or IP—The fully qualified domain name or IP address of the Clean Access Manager for which the certificate is to apply. For example: camanager.<your_domain_name>

Organization Unit Name—The name of the unit within the organization, if applicable.

Organization Name—The legal name of the organization.

City Name—The city in which the organization is legally located.

State Name—The full name of the state in which the organization is legally located.

2-letter Country Code—The two-character, ISO-format country code, such as GB for Great Britain or US for the United States.

Step 4 Specify whether you want the new temporary certificate to use a 1024-, 2048-, or 4096-bit RSA Key Size.

Step 5 When finished, click Generate. This generates a new temporary certificate and new Private Key.

Step 6 For FIPS 140-2 compliant appliances, be sure to restore your current trusted-CA certificate and Private Key from an external machine.


Note The CCA Manager Certificate entry at the top of the certificate display table specifies the full distinguished name of the current CAM SSL certificate. You are required to enter the full distinguished name of the CAM in the CAS web console if you are setting up Authorization between your CAM and CASs. For more information, see Configure Clean Access Manager-to-Clean Access Server Authorization.



Generate and Export a Certification Request (Non-FIPS CAM Only)


Note The Administration > CCA Manager > SSL > X509 Certification Request subtab does not appear in the CAM web console on a FIPS 140-2 compliant appliance.


Generating a CSR creates a PEM-encoded PKCS#10-formatted Certificate Signing Request (CSR) suitable for submission to a certificate authority. Before you send the CSR, make sure to export the existing certificate and Private Key to a local machine to back it up for safekeeping.

To export the CSR/Private Key and create a certificate request from the CAM web console:


Step 1 Go to Administration > CCA Manager > SSL > X509 Certification Request (Figure 14-6).

Figure 14-6 Export CSR/Private Key

Step 2 Click Generate Certification Request to expose the fields required to construct a certificate request.

Step 3 Type appropriate values for the following fields:

Full Domain Name or IP—The fully qualified domain name or IP address of the Clean Access Manager for which the certificate is to apply. For example: camanager.<your_domain_name>

Organization Unit Name—The name of the unit within the organization, if applicable.

Organization Name—The legal name of the organization.

City Name—The city in which the organization is legally located.

State Name—The full name of the state in which the organization is legally located.

2-letter Country Code—The two-character, ISO-format country code, such as GB for Great Britain or US for the United States.

Step 4 Specify whether you want the new temporary certificate to use a 1024-, 2048-, or 4096-bit RSA Key Size.

Step 5 Click Generate to generate a certificate request. Make sure the values you entered are the ones for which you want to submit the CSR to the certificate authority.

Step 6 Before you submit the new CSR to the Certificate Authority, save the new certification request and Private Key used to generate the request to your local machine by enabling the checkboxes for the Certification Request and/or Private Key and clicking Export. You are prompted to save or open the file (see Default File Names for Exported Files). Save it to a secure location. Use the CSR file to request a certificate from a certificate authority. When you order a certificate, you may be asked to copy and paste the contents of the CSR file into a CSR field of the order form.

Alternatively, you can immediately Open the CSR in Wordpad or a similar text editor if you are ready to fill out the certificate request form, but Cisco strongly recommends you also save a local copy of the CSR and Private Key to ensure you have them should the request process suffer some sort of mishap or your CAM basic configuration change between submitting the CSR and receiving your CA-signed certificate.

When you receive the CA-signed certificate back from the certification authority, you can import it into the Clean Access Manager as described in Manage Signed Certificate/Private Key. After the CA-signed cert is imported, the "currently installed certificate" is the CA-signed certificate. You can always optionally Export the currently installed certificate if you need to access a backup of this certificate later.


Default File Names for Exported Files

The default file names for SSL Certificate files that can be exported from the CAM are as follows. When you actually save the file to your local machine, you can specify a different name for the file. For example, to keep from overwriting your chain.pem file containing your certificate chain information, you can specify your Private Key filename to be a more appropriate name like priv_key.pem or something similar.

Default File Name (1)        Description

cert_request.pem             CAM Certificate Signing Request (CSR)

chain.pem (2)                CAM Currently Installed Certificate and Currently Installed Private Key

(1) For release 3.6.0.1 and below the filename extension is .csr instead of .pem.

(2) For release 3.6(1) only, the filename is smartmgr_crt.pem.


Manage Signed Certificate/Private Key

Import Signed Certificate/Private Key

You can import CA-signed PEM-encoded X.509 Certificates and Private Keys using the CAM web console on both FIPS 140-2 compliant and non-FIPS appliances. (Typically, you only need to re-import the Private Key if the current Private Key does not match the one used to create the original CSR on which the CA-Signed certificate is based.) There are two methods administrators can use to import CA-signed certificates, Private Keys, and associated Certificate Authority information into Cisco NAC Appliance:

1. Import the Certificate Authorities and the End Entity Certificates/Private Keys separately:

a. Import the Certificate Authorities into the trust store using the procedures in Manage Trusted Certificate Authorities

b. Import the CAM's end entity certificate and/or Private Key using the instructions below

2. Construct a PEM-encoded X.509 certificate chain (including the Private Key, End Entity, Root CA, and Intermediate CA certificates) and import the entire chain at once using the instructions below

If you have received a CA-signed PEM-encoded X.509 certificate for the Clean Access Manager, you can also import it into the Clean Access Manager as described here.

Before starting, make sure that the root and CA-signed certificate files are in an accessible file directory location and that you have obtained third-party certificates for both your CAM and CASs. If using a Certificate Authority for which intermediate CA certificates are necessary, make sure these files are also present and accessible if not already present on the CAM.


Note Any certificate that is not provided by a public CA or that is not the self-signed certificate is considered a non-standard certificate by the CAM/CAS. When importing certificates to the CAM, make sure to obtain CA-signed certificates for authentication servers.


To import a certificate and/or Private Key for the CAM:


Step 1 Go to Administration > CCA Manager > SSL > X509 Certificate (Figure 14-7).

Figure 14-7 Import Certificate (CAM)

Step 2 Click Browse and locate the certificate file and/or Private Key on your local machine.


Note Make sure there are no spaces in the filename when importing files (you can use underscores).


Step 3 Click Import.


Note Neither the CAM nor CAS will install an unverifiable certificate chain. You must have delimiters (Begin/End Certificate) for multiple certificates in one file, but you do not need to upload certificate files in any particular sequence because they are verified in the temporary store first before being installed.

If you already have other members of the certificate chain in the CAM trust store, you do not need to re-import them. The CAM can build the certificate chain from a combination of newly-imported and existing parts.


If you try to upload a root/intermediate CA certificate for the CAM that is already in the list, you may see an error message reading "This intermediate CA is not necessary." In this case, you must delete the uploaded Root/Intermediate CA in order to remove any duplicate files.
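A pre-upload sanity check for the PEM bundle, as an added example (not Cisco code and not part of this guide): it covers the points the import notes above call out, a filename without spaces and complete BEGIN/END delimiters on every block, and additionally checks that each payload decodes to a DER SEQUENCE whose declared length matches the payload, the usual sign of a block truncated or over-pasted while concatenating intermediates by hand. The minimal DER bodies and the two sample bundles are constructed stand-ins for real certificates and keys; chain verification itself is left to the CAM, which checks the chain in its temporary store before installing it.

```python
import base64
import textwrap
from dataclasses import dataclass, field

CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class BundleReport:
    certificates: int = 0
    private_keys: int = 0
    problems: list = field(default_factory=list)

    @property
    def ok(self):
        return not self.problems


def split_pem_blocks(text):
    """Return (begin_label, end_label, body_lines) per block; end_label is None
    when a block's END line is missing, begin_label None for a stray END."""
    blocks, label, body = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:          # previous block was never closed
                blocks.append((label, None, body))
            label, body = line[11:-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            blocks.append((label, line[9:-5], body))
            label, body = None, []
        elif label is not None and line:
            body.append(line)
    if label is not None:
        blocks.append((label, None, body))
    return blocks


def der_outer_sequence(der):
    """(content_length, header_length) of the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return first, 2
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        return None
    return int.from_bytes(der[2:2 + n], "big"), 2 + n


def check_pem_bundle(filename, text):
    report = BundleReport()
    if " " in filename:
        report.problems.append("filename contains spaces; use underscores")
    blocks = split_pem_blocks(text)
    if not blocks:
        report.problems.append("no PEM delimiters found")
    for idx, (begin, end, body) in enumerate(blocks, 1):
        problem = None
        if begin is None:
            problem = f"END {end} without a BEGIN line"
        elif end is None:
            problem = f"BEGIN {begin} has no END line"
        elif begin != end:
            problem = f"BEGIN {begin} closed by END {end}"
        else:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError:             # binascii.Error is a ValueError
                der = b""
            outer = der_outer_sequence(der)
            if outer is None:
                problem = "payload is not a valid base64 DER SEQUENCE"
            elif sum(outer) != len(der):
                problem = (f"DER declares {outer[0]} content bytes, "
                           f"{len(der) - outer[1]} present (truncated or over-pasted)")
            elif begin in CERT_LABELS:
                report.certificates += 1
            elif begin in KEY_LABELS:
                report.private_keys += 1
            else:
                problem = f"unexpected label {begin}"
        if problem:
            report.problems.append(f"block {idx}: {problem}")
    if report.private_keys > 1:
        report.problems.append("bundle contains more than one private key")
    return report


def make_pem(label, der):
    """Wrap DER bytes in PEM armor (used to build the constructed samples)."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: minimal DER SEQUENCEs stand in for real certificate/key bodies.
GOOD_DER = b"\x30\x03\x02\x01\x01"       # SEQUENCE { INTEGER 1 }
TRUNCATED_DER = b"\x30\x10\x02\x01\x01"  # declares 16 content bytes, has 3
GOOD_BUNDLE = make_pem("PRIVATE KEY", GOOD_DER) + make_pem("CERTIFICATE", GOOD_DER) * 3
BROKEN_BUNDLE = (make_pem("CERTIFICATE", GOOD_DER)
                 + make_pem("CERTIFICATE", TRUNCATED_DER)
                 + "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n")   # END line missing
```

Run `check_pem_bundle(name, open(name).read())` on the file you are about to upload; an empty `problems` list means the framing is sound and the remaining verification is the CAM's.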


Export Certificate and/or Private Key


Note You cannot export the Private Key for a FIPS 140-2 compliant CAM. You can only export certificates.


To backup your certificate and/or Private Key in case of system failure or other loss, you can export your certificate and/or Private Key information and save a copy on your local machine. This practice also helps you manage certificate/Private Key information for a CAM HA-Pair. By simply exporting the certificate information from the HA-Primary CAM and importing it on the HA-Secondary CAM, you are able to push an exact duplicate of the certificate info required for CAM/CAS communication to the standby CAM.


Step 1 Go to Administration > CCA Manager > SSL > X509 Certificate (Figure 14-7).

Step 2 To export existing certificate/Private Key information:

a. Select one or more certificates and/or the Private Key displayed in the certificates list by clicking on their respective left hand checkboxes.

b. Click Export and specify a location on your local machine where you want to save the resulting file.


Manage Trusted Certificate Authorities

You can locate, remove, and import/export Trusted CAs for the CAM database using the Administration > CCA Manager > SSL > Trusted Certificate Authorities CAM web console page. To keep your collection of trusted certificate authorities easily manageable, Cisco recommends keeping only trusted certificate authority information critical to Cisco NAC Appliance operations in the CAM trust store.

You can also use this function to import Root and Intermediate Certificate Authorities.


Note You must upload the PEM-encoded CA-signed certificate on both the CAM and CASs in your Cisco NAC Appliance network.

If there are multiple Intermediate CA files, you can also copy and paste them into a single Intermediate CA PEM-encoded file for upload to the CAM using the procedure in Manage Signed Certificate/Private Key.


To view and/or remove Trusted CAs from the CAM:


Step 1 Go to Administration > CCA Manager > SSL > Trusted Certificate Authorities (Figure 14-8).

Figure 14-8 CAM Trusted Certificate Authorities

Viewing Trusted CAs

Step 2 If you want to refine the list of Trusted CAs displayed in the CAM web console:

a. Choose an option from the Filter dropdown menu:

Distinguished Name—Use this option to refine the list of Trusted CAs according to whether the Trusted CA name contains or does not contain a specific text string.

Time—Use this option to refine the display according to which Trusted CAs are currently valid or invalid.

You can also combine these two options to refine the Trusted CAs display.

b. Click the Filter button after selecting and defining parameters for the search options to display a refined list of all Trusted CAs that match the criteria.

You can click Reset to negate any of the optional search criteria from the filter dropdown menu and return the Trusted CA display to default settings.

c. You can also increase or decrease the number of viewable items in the Trusted CAs list by choosing one of the options in the dropdown menu at the top-left of the list. The options are 10, 25, or 100 items.

d. If you want to view details about an existing Trusted CA, click the View icon (far-right magnifying glass icon) to see information on the specific certificate authority, as shown in Figure 14-9.

Figure 14-9 Certificate Authority Information

Removing Trusted CAs

Step 3 Select one or more Trusted CAs to remove by clicking on the checkbox for the respective Trusted CA in the list. (Clicking on the empty checkbox at the top of the Trusted CAs display automatically selects or unselects all 10, 25, or 100 Trusted CAs in the viewable list.)

Step 4 Click Delete Selected. All viewable selected items will be deleted. For example, if you selected 25 items from the viewable item dropdown, and clicked the empty checkbox at the top of the Trusted CAs window, the 25 viewable items will be deleted.

Once the CAM removes the selected Trusted CAs from the database, the CAM automatically restarts services to complete the update.


Import/Export Trusted Certificate Authorities

You can use the Trusted Certificate Authorities web console page to import and export Certificate Authorities for the CAM.


Note For standard certificate import and export guidelines, refer to Generate and Export a Certification Request (Non-FIPS CAM Only) and Manage Signed Certificate/Private Key.



Step 1 Go to Administration > CCA Manager > SSL > Trusted Certificate Authorities (Figure 14-8).

Step 2 To import a Trusted Certificate Authority:

a. Ensure you have the appropriate certificate file accessible to the CAM in the network and click Browse.

b. Locate and select the certificate file on your directory system and click Open.

c. Click Import to upload the Trusted Certificate Authority information to your CAM.

Step 3 To export existing Trusted Certificate Authority information:

a. Select one or more Trusted CAs displayed in the Trusted Certificate Authorities list by clicking on their respective left hand checkboxes.

b. Click Export and specify a location on your local machine where you want to save the resulting "caCerts" file.


View Current Private Key/Certificate and Certificate Authority Information

You can verify the following files by viewing them under Administration > CCA Manager > SSL > X509 Certificate (Figure 14-5):

Currently Installed Private Key

Currently Installed End Entity, Root, and Intermediate CA Certificate

Certificate Authority Information


Note You must be currently logged into your web console session to view any Private Key and/or certificate files.


View Currently Installed Private Key

You can view the CAM Private Key by exporting and opening the exported Private Key file in Wordpad or a similar text editor tool to bring up a dialog like the one in Figure 14-10 (BEGIN PRIVATE KEY/END PRIVATE KEY).

Figure 14-10 View Currently Installed Private Key

You can also use this method to view uploaded Private Keys before importing them into your CAM.

View Currently Installed Certificate or Certificate Chain

You can view the CAM Private Key and End Entity, Root CA, and Intermediate CA certificates by exporting them and opening the saved file in Wordpad or a similar text editor tool to bring up a dialog like the one in Figure 14-11 (BEGIN CERTIFICATE/END CERTIFICATE).

Figure 14-11 View Currently Installed Certificate

You can also use this method to view uploaded certificates before importing them into your CAM.

View Certificate Authority Information

You can view Certificate Authority information for CAM End Entity, Root, and Intermediate CA Certificates by clicking on the respective View icon (magnifying glass) in the right hand column to bring up a dialog like the one in Figure 14-12.

Figure 14-12 View Certificate Authority Information

Troubleshooting Certificate Issues

Issues can arise during Cisco NAC Appliance certificate management, particularly if there are mismatched SSL certificates somewhere along the certificate chain. Common problems on SSL certificates can be time-oriented (if the clocks are not synchronized on the CAM and CAS, authentication fails), IP-oriented (certificates are created for the wrong interface) or information-oriented (wrong or mistyped certificate information is imported). This section describes the following:

HA Active-Active Situation Due to Expired SSL Certificates

No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Disabling Administrator Prompt for Certificate on IE 8 and 9

Certificate-Related Files


Warning If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors on the CAM/CAS After Upgrade Troubleshooting Tech Note.

HA Active-Active Situation Due to Expired SSL Certificates

HA communication for both HA-CAMs and HA-CASs is handled over IPSec tunnels to secure all communications between the two HA pair appliances. This IPSec tunnel is negotiated based on the SSL certificates uploaded to the HA pairs for both CAM and CAS. If the SSL certificates are not trusted by the two HA peers, have expired, or are no longer valid, the HA heartbeat communication between the two HA peers breaks down, leading both HA pair appliances to assume the Active (HA-Primary) role.

For CASs deployed in VGW mode, this can potentially create a Layer 2 loop that could bring down the network. HA-CAMs with expired or invalid SSL certificates could lead to an Active-Active situation where the database is not synced between the two HA-CAM appliances. Eventually, this situation leads to the CAMs losing all recent configuration changes and/or all recent user login information following an HA-CAM failover event.

As HA communication over IPSec tunnels requires valid SSL certificates on both the CAM and CAS, CAM-CAS communication also breaks down if the SSL certificate expires on either the CAM or CAS. This situation leads to end user authentication failures and to the CAS reverting to fallback mode, per the CAS configuration.

Administrators can minimize HA appliance Active-Active situations due to expired SSL certificates by using SSL certificates with longer validity periods and/or using a serial port connection (if available and not used to control another CAM or CAS) for the HA heartbeat. However, when you configure HA-CAMs to perform heartbeat functions over the serial link and the primary eth1 interface fails because of SSL certificate expiration, the CAM returns a database error indicating that it cannot sync with its HA peer, and the administrator receives a "WARNING! Closed connections to peer [standby IP] database! Please restart peer node to bring databases in sync!!" error message in the CAM web console.


Note Starting with Cisco NAC Appliance Release 4.8, the CAM or CAS generates event log messages to indicate the certificate expiry in addition to the message displayed in the CAM/CAS web console.


No Web Login Redirect/CAS Cannot Establish Secure Connection to CAM

The following client connection errors can occur if the CAS does not trust the certificate of the CAM, or vice-versa:

No redirect after web login: users continue to see the login page after entering their credentials

Agent users attempting login get the following error: "Clean Access Server could not establish a secure connection to the Clean Access Manager at <IPaddress or domain>."

These errors typically indicate one of the following certificate-related issues:

The time difference between the CAM and CAS is greater than 5 minutes

Invalid IP address

Invalid domain name

CAM is unreachable

To identify common issues:

1. Check the CAM's certificate and verify it has not been generated with the IP address of the CAS.

2. Check the time set on the CAM and CAS. The time set on the CAM and the CAS must be 5 minutes apart or less.

To resolve these issues:

1. Set the time on the CAM and CAS correctly first (see Set System Time)

2. Ensure you export the certificate from your CAM, save it on a machine accessible from your CAS, and import the exported certificate on the CAS, and repeat the process in reverse to ensure the CAS certificate also resides on the CAM.

3. Regenerate the certificate on the CAS using the correct IP address or domain.

4. Reboot the CAS.

5. Regenerate the certificate on the CAM using the correct IP address or domain.

6. Reboot the CAM.


Note If you check nslookup and date from the CAS, and both the DNS and time settings on the CAS are correct, this can indicate that the caCerts file on the CAS is corrupted. In this case Cisco recommends backing up the existing caCerts file from /usr/java/j2sdk1.4/lib/security/caCerts, overwriting it with the file from /perfigo/common/conf/caCerts, and then performing "service perfigo restart" on the CAS.



Note If the error message on the client is "Clean Access Server is not properly configured, please report to your administrator," this typically is not a certificate issue but indicates that a default user login page has not been added to the CAM. See Add Default Login Page for details.


For additional information, see also:

Troubleshooting when Adding the Clean Access Server

Agent Troubleshooting

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

This issue can arise if a new temporary certificate is generated but a CA-signed certificate is returned for the Certificate Signing Request (CSR) generated from a previous temporary certificate and Private Key pair.

For example, an administrator generates a CSR, backs up the Private Key, and then sends the CSR to a CA authority, such as VeriSign.

Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent. When the CA-signed certificate is returned from the CA authority, the Private Key on which the CA-certificate is based no longer matches the one in the Clean Access Server.

To resolve this issue, re-import the old Private Key and then install the CA-signed certificate.

Regenerating Certificates for DNS Name Instead of IP

If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:

Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the Private Key when you are generating a CSR for signing (to have the Private Key handy).

When importing certain CA-signed certificates, the system may warn you that you need to import the root certificate (the CA's root certificate) used to sign the CA-signed certificate, or the intermediate root certificate may need to be imported.

Make sure there is a DNS entry in the DNS server.

Make sure the DNS address in your Clean Access Server is correct.

For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).

Cisco recommends rebooting when you generate a new certificate or import a CA-signed certificate.

When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to accept the certificate.

Disabling Administrator Prompt for Certificate on IE 8 and 9

If no certificates, or only one certificate, are installed in the Windows personal certificate store, IE9 prompts the administrator to select a certificate. You can disable the prompt with an Internet Explorer option.

To disable the prompt:


Step 1 Go to Tools > Internet Options.

Step 2 Click the Security tab. Select the zone (the one the NAC Manager URL falls under) whose security settings you want to view or change.

Step 3 Click Custom level under Security level for this zone.

Step 4 Enable Don't prompt for client certificate selection when no certificates or only one certificate exists.

Certificate-Related Files

For troubleshooting purposes, Table 14-1 lists certificate-related files on the Clean Access Manager. For example, if the admin console becomes unreachable due to a mismatch of the CA-certificate/Private Key combination, these files may need to be modified directly in the file system of the Clean Access Manager.

Table 14-1 Clean Access Manager Certificate-Related Files

File                      Description
/root/.tomcat.key         Private key
/root/.tomcat.crt         Certificate
/root/.tomcat.req         Certificate Signing Request
/root/.chain.crt          Intermediate certificate
/root/.perfigo/caCerts    The root CA bundle


For additional information on Clean Access Manager files, see Cisco NAC Appliance Log Files.

System Upgrade

In Cisco NAC Appliance Release 4.9 and later, you can perform system upgrades from Release 4.7(x) and 4.8(x) by uploading a .tar.gz upgrade file to the CAM/CAS and executing an upgrade script using the appliance's CLI. For complete upgrade details, including instructions for upgrading HA CASs and upgrades via SSH, refer to the "Upgrading" section of the corresponding Release Notes for Cisco NAC Appliance.

You can use the CAM web console to upload Release 4.9(x) .tar.gz upgrade files, and view upgrade logs and upgrade details.


Step 1 Access the CAM software update web console page by navigating to Administration > CCA Manager > Software Upload (Figure 14-13).

Figure 14-13 CAM Administration > Software Upload

Step 2 If you have downloaded a Release 4.9(1) .tar.gz upgrade image to your local machine from the Cisco Software Download Site as described in the "Upgrading" section of the corresponding Release Notes for Cisco NAC Appliance, you can use this web console page to upload that image to the CAM.

a. Click Browse to navigate to the directory on your local machine where you have stored the Release 4.9(1) .tar.gz upgrade file. Depending on the Cisco NAC Appliance release from which you are upgrading, the upgrade image name is cca_upgrade-4.9.1-from-4.7.x-4.8.x-4.9.0.tar.gz

b. Click Upload. After a brief time, the web console screen automatically refreshes, displaying the newly uploaded Release 4.9(x) upgrade image and the date/time when it was uploaded to the CAM.

Step 3 Once you upload a Release 4.9(x) upgrade image to the CAM, you can also use the Notes link that appears after the image file name to view important information about the .tar.gz upgrade image and access a link to the corresponding Release Notes for Cisco NAC Appliance as shown in Figure 14-14.

Figure 14-14 CAM Administration > Software Upload > Notes

Step 4 To view upgrade log information, click on the link under List of Upgrade Logs to launch a browser window displaying a brief summary of the upgrade process including the date and time the upgrade was performed.

Step 5 To view important upgrade process details, click on the link under List of Upgrade Details to launch a browser window displaying the details of the upgrade process, in the following format:

State before upgrade

Upgrade process details

State after upgrade

It is normal for the "state before upgrade" to contain several warning/error messages (e.g. "INCORRECT"). The "state after upgrade" should be free of any warning or error messages.


Licensing

The Clean Access Manager and Clean Access Servers require a valid product license to function. The licensing model for Clean Access incorporates the FlexLM licensing standard.


Note For step-by-step instructions on initially installing the Clean Access Manager license, as well as details on permanent, evaluation, and legacy licenses, see Cisco NAC Appliance Service Contract / Licensing Support.


Install FlexLM License for Clean Access Server:

Once the initial product license for the Clean Access Manager is installed, you can use the Licensing page to add or manage additional licenses (such as CAS licenses, or a second CAM license for HA-CAMs).

1. Go to Administration > CCA Manager > Licensing.

Figure 14-15 Licensing Page

2. In the Clean Access Manager License File field, browse to the license file for your Clean Access Server or Server bundle and click Install License. You will see a green confirmation text string at the top of the page if the license was installed successfully, as well as the CAS increment count (for example, "License added successfully. Out-of-Band Server Count is now 10.").

3. Repeat this step for each Clean Access Server license file you need to install (you should have received one license file per PAK submitted during customer registration). The status information at the bottom of the page will display the total number of Clean Access Servers enabled per successful license file installation.


Note The Standby CAM does not read the license file until it becomes Active. Hence, the total number of CAS devices is not displayed in the Licensing page of the Standby CAM GUI.


Remove Product Licenses

1. Go to Administration > CCA Manager > Licensing.

2. Click the Remove All Licenses button to remove all FlexLM license files in the system.

3. The Clean Access Manager License Form will reappear in the browser, to prompt you to install a license file for the Clean Access Manager.


Note Until you enter the license file for the Clean Access Manager, you will not be redirected to the admin user login page of the web admin console.



Note You cannot remove individual FlexLM license files. To remove a file, you must remove all license files.

Once installed, a permanent FlexLM license overrides an evaluation FlexLM license.

Once installed, FlexLM licenses (either permanent or evaluation) override legacy license keys (even though the legacy key is still installed).

When an evaluation FlexLM expires, or is removed, an existing legacy license key will again take effect.


Remove Legacy License Keys

1. Go to Administration > CCA Manager > Licensing.

2. To remove an old legacy license key (for releases prior to release 3.5), replace the license key in the Perfigo Product License Key field with a space (or any set of characters that are not the license string), then click Apply Key. This invalidates the license by replacing it with whatever is entered, so that the CAM no longer recognizes it as a valid license.

Policy Import/Export

The Policy Import/Export feature allows administrators to propagate device filters, traffic and remediation policies, and OOB port profiles from one CAM to several CAMs. You can define policies on a single CAM and configure it to be the Policy Sync Master. You can then configure up to a maximum of 10 CAMs or 10 CAM HA-pairs to be Policy Sync Receivers. You can export policies manually or schedule an Auto Policy Sync to occur once every x number of days.

A CAM can be either a Master or Receiver for Policy Sync, and only one Master CAM is allowed to push policies for a given set of Receivers. To perform Policy Sync, the Master and Receiver CAMs must authorize each other using the DN from the SSL certificate for each CAM or CAM HA-pair. For production deployments, CA-signed SSL certificates should be used. CAM HA-pairs will need an SSL certificate generated for the Service IP of the pair, with the DN from this certificate used to authorize each CAM in the HA pair for the Policy Sync configuration.

During Policy Sync, the Master configuration completely overrides (and clears) the existing Receiver configuration for the policies that are configured for Policy Sync, such as OOB profiles or user roles. Policies/configurations that are not subject to Policy Sync are otherwise left alone on the Receiver CAM after a Policy Sync.


Note All CAMs must run release 4.5 or later to enable Policy Sync.

On CAM HA-pairs, Policy Sync settings are disabled for the Standby CAM.


Policy Sync Policies

Policy Sync enables the following global configurations to be propagated from a Master CAM.

Role-Based Policies

User roles with associated global traffic control policies (IP-based, Host-based, L2 Ethernet) and session timers


Note This includes customized policies and the Default Host Policies, Default L2 Policies from Cisco Updates that are on the Master CAM.


Global device filters with access type: Role or Check

Agent rules (Cisco and AV/AS), requirements, rule-requirement mappings, and role-requirement mappings


Note This includes customized checks/rules and Cisco Checks & Rules and Supported AV/AS Product List (Windows & Macintosh) from Cisco Updates that are on the Master CAM and associated to rules/requirements.


Non Role-Based Policies

Global device filters with access type: Allow, Deny or Ignore

OOB Policies (excludes switch information (i.e. Device/SNMP))

Port Profiles

VLAN Profiles


Note Cisco recommends that you configure auto update settings on the Master CAM (under Device Management > Clean Access > Updates > Update) to ensure the Master CAM has the latest Cisco Updates before you perform a Policy Sync.



Note Policy Sync exports all global device filters created on the Master CAM to the Receiver CAMs. Any MAC address which is in the Master CAM's global Device Filter list will be exported, including Cisco NAC Profiler generated filters. Refer to Global Device and Subnet Filtering for additional details.



Note OOB policies should not be selected for Policy Sync if a Master is not configured for OOB, as this will clear any OOB policies on the Receiver CAM. Refer to Chapter 2 "Switch Management: Configuring Out-of-Band Deployment" for details on OOB.


Policies Excluded from Policy Sync

Policies/configurations that are not listed under Policy Sync Policies are not subject to Policy Sync and are otherwise left alone on the Receiver CAM after a Policy Sync. The following non-exhaustive list describes the kinds of policies/configurations that are not included for Policy Sync:

Cisco NAC Appliance Agents. The Master and Receiver CAMs retain the Agent versions and Agent download and distribution policies they already have. You will still need to require use of the Agent for a role and operating system (e.g. Agent Login/Distribution pages) on each CAM.

Local configuration on the Receiver CAMs such as CAS-specific traffic policies or device filters. Local policies stay the same on the Receiver CAM and are not removed after a Policy Sync.

OOB switch configurations such as Device Profiles and SNMP Receiver settings.

Agent Updates for Cisco NAC Appliance Agents, OS Detection Fingerprinting, and Switch OIDs

User Login pages, Local Users, or Bandwidth policies associated with a user role.

Subnet filters

Authentication server configurations

Certified Device List or Timers

Network Scanning (Nessus) configuration

Example Scenarios

Master is configured, Receiver is not configured:

For the Master CAM:

Role A is configured with traffic and posture assessment policies

Role A requires use of the Agent

For the Receiver CAM:

No roles are configured

After a Policy Sync:

For the Receiver CAM:

Role A is created and configured with traffic and posture assessment policies from the Master CAM.

The administrator still needs to map the Agent Login settings to require use of the Agent for Role A.

Master is configured, Receiver is configured:

For the Master CAM:

Role A is configured with traffic and posture assessment policies

Role A requires use of the Agent for Windows ALL.

For the Receiver CAM:

Role A is configured with different traffic and posture assessment policies

Role A requires use of the Agent for Vista Only.

Role B is configured

After a Policy Sync:

For the Receiver CAM:

Role A is configured with traffic and posture assessment policies from the Master CAM

Role A requires use of the Agent for Vista only.

Role B is removed.

Policy Sync Configuration Summary


Step 1 Before You Start

Step 2 Enable Policy Sync on the Master

Step 3 Configure the Master

Step 4 Enable Policy Sync on the Receiver

Step 5 Configure the Receiver

Step 6 Perform Policy Sync

Step 7 View History Logs

Step 8 Troubleshooting Manual Sync Errors


Before You Start


Step 1 Make sure all CAMs to be used for Policy Sync (Master and Receivers):

Fulfill the Release 4.5 upgrade requirements and are running release 4.5 (or later)

Have a properly configured SSL certificate. For production deployments, make sure SSL certificates are CA-signed.

Step 2 Identify the CAM you want to designate as the Policy Sync Master.

Step 3 Make sure the following are properly configured on the designated Master CAM before you begin:

Cisco NAC Appliance Updates

User roles

Traffic policies and session timers for the user roles

Agent rules, requirements, rule-requirement mappings and requirement-role mappings

Device filters (role/check and allow/deny/ignore)

For OOB deployments, make sure the Master CAM is configured properly for OOB, including Port and VLAN profile configuration. If the Master CAM is not configured for OOB, but a Receiver CAM is, make sure not to push OOB policies from the Master CAM, or you will lose the OOB policies on the Receiver.

Agent Login/Distribution/Installation properties for Master CAM user roles/operating systems. Note that these settings are not exported by Policy Sync. You will need to configure these settings on the Receiver CAMs for any new roles added by Policy Sync.

Step 4 Verify that the policies on the CAMs you want to designate as Receivers can be overwritten by Policy Sync.


Enable Policy Sync on the Master


Step 1 From the web console of the Clean Access Manager you want to designate as the Policy Sync Master, go to Administration > CCA Manager > Policy Sync > Enable (Figure 14-16).

Figure 14-16 Enabling Policy Sync on the Master CAM

Step 2 Click the checkbox for Enable Policy Sync.

Step 3 Click the radio button for Master (Allow policy export).

Step 4 Click Update. This sets the current CAM as the Policy Sync Master and enables the Configure Master, Manual Sync and Auto Sync pages for this CAM (disabling the Configure Receiver page).

Configure the Master


Step 1 From the Policy Sync tab, click the Configure Master link (Figure 14-17).

Figure 14-17 Configure Master

Step 2 Click the checkbox for each set of policies you want to include in the Policy Sync:

Role-based:

Device Management > Clean Access > Clean Access Agent > Rules (all)
Device Management > Clean Access > Clean Access Agent > Requirements (all)
Device Management > Clean Access > Clean Access Agent > Role-Requirements
Device Management > Filters > Devices (Access Type ROLE and CHECK only)
User Management > Traffic Control > IP (any global, no local)
User Management > Traffic Control > Host (any global, no local)
User Management > Traffic Control > Ethernet (any global, no local)
User Management > User Roles > List of Roles/Schedule

Non-role-based Device Filters:

Device Management > Filters > Devices (all Access Types other than ROLE and CHECK)

OOB Port and VLAN Profiles:

OOB Management > Profiles > Port > List

OOB Management > Profiles > VLAN > List

Step 3 Click the Update button. You must click Update each time you change the set of policies to include for Policy Sync.

Step 4 Add each Receiver to the Master as follows:

a. In the Receiver Host Name/IP text box, type the domain name or IP address of the receiver CAM. For HA-CAMs, type the Service IP of the CAM HA pair.

b. Type an optional Receiver Description

c. Click the Add button. (To delete a Receiver, you can click the "X" icon in the Action column.)


Note Policy Sync supports a maximum of 10 CAMs or 10 HA-CAM pairs.


Step 5 Authorize each Receiver CAM as described in the following steps. Authorization allows verification of the Distinguished Name on the SSL certificates of the Master and Receiver CAMs to ensure the communication between them is secure and limited to the respective parties.

a. Obtain the DN of the Receiver CAM as follows:

Navigate to Administration > CCA Manager > SSL > x509 Certificate on the Receiver CAM console

Click the View button to bring up the Certificate Authority Information dialog.

Copy the DN entry (Figure 14-18).

Figure 14-18 Copying the DN Information from the Receiver CAM

b. On the Master CAM, navigate to Administration > CCA Manager > Policy Sync > Configure Master

c. Paste the DN from the SSL certificate of the Receiver CAM into the List of Authorized Receivers by Certificate Distinguished Name text box (Figure 14-19).

Figure 14-19 Authorizing the Receiver on the Master CAM

d. Click the Add button. (To delete a Receiver, you can click the "X" icon in the Action column.)


Note Policy Sync supports a maximum of 10 CAMs or 10 HA-CAM pairs.



Note Authorization must be configured on both the Master and Receiver CAMs for the Master to successfully push policies and for the Receiver to accept them.



Enable Policy Sync on the Receiver

A CAM configured as a Policy Sync Receiver is distinguished by a red-colored product banner, and Master CAM settings are disabled for the Receiver CAM. The red banner is intended to warn administrators not to change any policies on the Receiver CAM for which Policy Sync applies.


Step 1 From the web console of the Receiver CAM, go to Administration > CCA Manager > Policy Sync > Enable (Figure 14-20).

Figure 14-20 Enabling Policy Sync on the Receiver CAM

Step 2 Click the checkbox for Enable Policy Sync.

Step 3 Click the radio button for Receiver (Allow policy import).

Step 4 Click Update. This sets the current CAM as the Policy Sync Receiver, labels the CAM "Policy Sync Receiver", and changes the color of the web console product banner to red, as shown in Figure 14-21. It also enables the Configure Receiver page for this CAM and disables the Configure Master, Manual Sync and Auto Sync pages.

Figure 14-21 Policy Sync Receiver (Displays Red Product Banner)


Configure the Receiver

This step consists of authorizing the Master CAM on the Receiver CAM.


Step 1 From the web console of the Receiver CAM, go to Administration > CCA Manager > Policy Sync > Configure Receiver (Figure 14-22).

Figure 14-22 Configure Receiver

Step 2 Authorize the Master CAM with the following steps:

a. Obtain the DN of the Master CAM as follows:

Navigate to Administration > CCA Manager > SSL > x509 Certificate on the Master CAM console.

Click the View icon to bring up the Certificate Authority Information dialog.

Copy the DN entry (Figure 14-23).

Figure 14-23 Copying the DN Information from the Master CAM

b. On the Receiver CAM, navigate to Administration > CCA Manager > Policy Sync > Configure Receiver.

c. Paste the DN from the SSL certificate of the Master CAM in the Authorized Master text box (Figure 14-22).

Step 3 Click Update.


Perform Policy Sync

You can schedule an automatic sync of policies to run at a specific time once every x days. You can also manually sync policies at any time. You must be logged in to the Master CAM as a Full-Control Admin user in order to perform an automated or manual policy sync.

The Master configuration completely overrides (and clears) the existing Receiver configuration for the policies that are configured for Policy Sync, such as OOB profiles or user roles. Policies and configurations that are not subject to Policy Sync are left untouched on the Receiver CAM after a Policy Sync.

Note that when Rules are pushed during a Policy Sync, all associated Checks are automatically pushed as well.

Policy Sync results (manual or auto) are logged on the History page for each Master and Receiver CAM. In addition, Auto Sync results are logged in the Master CAM's Event Logs.


Note The Cisco Updates on the Master override any updates on the Receiver. Therefore, Cisco recommends that you configure auto update settings on the Master (under Device Management > Clean Access > Updates > Update) to ensure the Master has the latest Cisco Updates before performing a Policy Sync.


Perform Manual Sync


Step 1 On the Master CAM, make sure only the policies you want to manually sync are enabled on the Configure Master page (Figure 14-17). Make sure to click the Update button if you change the settings.

Step 2 On the Master CAM, go to Administration > CCA Manager > Policy Sync > Manual Sync (Figure 14-24).

Figure 14-24 Manual Sync

Step 3 All configured Policy Receivers appear under the Receiver Host Name/IP column on the page.

Step 4 In the Sync Description text box, type an optional description for the manual sync to be performed. The description labels the manual sync in the Logs on the History page.

Step 5 Click the Manual Sync checkbox for each Receiver CAM to which you want to export policies.

Step 6 Click the Sync button. The pre-sync check screen appears (Figure 14-25).

Figure 14-25 Manual Sync (Authorization Check)

Step 7 Click the Continue button to complete the manual Policy Sync. If successful, the following screen appears (Figure 14-26).

Figure 14-26 Successful Manual Sync

Step 8 Click OK to return to the main screen.


Perform Auto Sync


Note Cisco strongly recommends performing a Manual Sync and verifying that it is working successfully before enabling Auto Sync between your Clean Access Managers.



Step 1 On the Master CAM, make sure only the policies you want to enable for auto sync are selected on the Configure Master page (Figure 14-17). Make sure to click the Update button if changing the settings.

Step 2 On the Master CAM, go to Administration > CCA Manager > Policy Sync > Auto Sync (Figure 14-27).

Figure 14-27 Auto Sync

Step 3 The list of configured Receivers appears under the Receiver Host Name/IP column on the page.

Step 4 Click the checkbox for Automatically sync starting from []. In the adjoining text box, type the time of day at which the auto policy sync first starts and then repeats, in hh:mm:ss format (for example, 22:00:00).

Step 5 In the every [] day(s) text box, type the number of days after which to repeat the auto synchronization. The minimum interval is 1 (one day).

Step 6 Click the Auto Sync checkbox for each Receiver CAM to which you want to export policies.

Step 7 Click the Update button to set the schedule. The Master CAM will perform Auto Policy Sync at the interval you specified and will display log results on the History page as "Auto sync" and in the Master CAM's Event Logs.


Verify Policy Sync


Step 1 Go to the Receiver CAM and confirm the Master policies are pushed via Policy Sync.

Step 2 If there are issues, you can troubleshoot further:

View History Logs

Troubleshooting Manual Sync Errors


View History Logs

Details of each manual and automated Policy Sync are logged on the History page for both the Master and Receiver CAMs. Each Master and Receiver CAM keeps up to 300 entries of History logs.

In addition, Auto Sync is logged in the Master CAM's Event Logs when Auto Sync is enabled. The result of each Auto Sync is logged as an Administration event under Monitoring > Event Logs in addition to the Policy Sync > History logs. Refer to Interpreting Event Logs for additional information.


Step 1 To view logs, go to Administration > CCA Manager > Policy Sync > History for the Master (Figure 14-28) or Receiver CAM (Figure 14-29).

Step 2 The columns displayed are as follows:

Sync ID—unique ID for the policy sync session, with the format [start time on Master]_[random number].[an integer identifying each Receiver, starting from 0 and continuing 1, 2, 3, and so on].

Master DN—[THIS CAM] if this is the Master; otherwise the Master's IP/DN.

Receiver DN—[THIS CAM] if this is the Receiver; otherwise the Receiver's IP/DN.

Status—"succeeded" or "failed". A Policy Sync failure means no policies were transmitted from Master to Receiver and no changes were made to the database of either CAM.

Start Time/End Time—Duration of the policy sync session.

Description—labelled "Auto sync", or blank for a manual sync, unless a description is entered.

Log—click the magnifying glass icon to view the individual log files (Master example: Figure 14-30; Receiver example: Figure 14-31).

Action—Click the "X" icon to remove this log.

Figure 14-28 History Logs for Master CAM

Figure 14-29 History Logs for Policy Sync Receiver

Figure 14-30 Log File for Master

Figure 14-31 Log File for Receiver


Troubleshooting Manual Sync Errors

Failed sanity check with [x.x.x.x]. Receiver denied access. This CAM is not authorized as Policy Sync Master.

This message displays on the Master CAM if the Receiver does not have the Master's DN configured or if the Master's DN is misconfigured on the Configure Receiver page.

To resolve this, navigate to Administration > CCA Manager > Policy Sync > Configure Receiver on the Receiver CAM and ensure the Master's DN is present and/or configured correctly.

Failed sanity check with [x.x.x.x]. The certificate's subject DN of this receiver is not authorized.

This message displays on the Master CAM if the Master does not have the Receiver's DN configured or if the Receiver's DN is misconfigured on the Configure Master page.

To resolve this, navigate to Administration > CCA Manager > Policy Sync > Configure Master on the Master CAM and ensure the Receiver's DN is present and/or configured correctly in the List of Authorized Receivers by Certificate Distinguished Name.

Failed sanity check with [x.x.x.x]. This host is not configured as policy sync receiver.

This message displays on the Master CAM if Policy Sync is not enabled on the Receiver.

To resolve this, Enable Policy Sync on the Receiver.
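The mutual DN authorization set up on the Configure Master and Configure Receiver pages, and the three sanity-check messages above, modelled as an added example (not Cisco code). The DNs and IP address are constructed, DN comparison ignores whitespace and attribute-type case (an assumption about how the CAM compares them), and the order in which the three conditions are tested is also an assumption.

```python
"""Model of the Policy Sync authorization sanity check (added example, not Cisco code).

The Master and Receiver each hold the peer's certificate subject DN; the Master's
pre-sync check fails with one of three messages when either side is missing or
mismatched, or when the peer is not configured as a Receiver. The order in which
the conditions are evaluated is an assumption; all DNs below are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional


def normalize_dn(dn: str) -> str:
    """Canonicalize a pasted DN: split on unescaped commas, trim whitespace
    around each RDN, upper-case the attribute types. Values are kept as-is."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    out = []
    for rdn in rdns:
        rdn = rdn.strip()
        if "=" in rdn:
            attr, value = rdn.split("=", 1)
            out.append(f"{attr.strip().upper()}={value.strip()}")
        elif rdn:
            out.append(rdn)
    return ",".join(out)


@dataclass
class MasterCam:
    cert_dn: str                                               # subject DN of the Master's SSL cert
    authorized_receivers: list = field(default_factory=list)   # Configure Master: authorized Receiver DNs


@dataclass
class ReceiverCam:
    cert_dn: str                                  # subject DN of the Receiver's SSL cert
    policy_sync_enabled: bool = False             # Policy Sync > Enable checkbox
    role: str = "master"                          # radio button: "master" or "receiver"
    authorized_master: Optional[str] = None       # Configure Receiver: Authorized Master DN


def sanity_check(master: MasterCam, receiver: ReceiverCam, receiver_ip: str) -> Optional[str]:
    """Return None if the Master may push policies, else the error text shown on the Master."""
    prefix = f"Failed sanity check with [{receiver_ip}]."
    if not (receiver.policy_sync_enabled and receiver.role == "receiver"):
        return f"{prefix} This host is not configured as policy sync receiver."
    if receiver.authorized_master is None or \
            normalize_dn(receiver.authorized_master) != normalize_dn(master.cert_dn):
        return f"{prefix} Receiver denied access. This CAM is not authorized as Policy Sync Master."
    allowed = {normalize_dn(d) for d in master.authorized_receivers}
    if normalize_dn(receiver.cert_dn) not in allowed:
        return f"{prefix} The certificate's subject DN of this receiver is not authorized."
    return None


# Constructed DNs standing in for the values copied from each CAM's x509 Certificate page.
MASTER_DN = "CN=cam-master.example.com, OU=NAC, O=Example Corp"
RECEIVER_DN = "CN=cam-receiver.example.com, OU=NAC, O=Example Corp"


def demo() -> Optional[str]:
    """Fully authorized pair; the DN pasted on the Master differs only in spacing and attribute case."""
    master = MasterCam(MASTER_DN, ["cn=cam-receiver.example.com,ou=NAC,o=Example Corp"])
    receiver = ReceiverCam(RECEIVER_DN, True, "receiver", MASTER_DN)
    return sanity_check(master, receiver, "192.0.2.20")


if __name__ == "__main__":
    print(demo() or "sanity check passed")
```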

Support Logs

The Support Logs page on the Clean Access Manager is intended to facilitate TAC support of customer issues. The Support Logs page allows administrators to combine a variety of system logs (such as information on open files, open handles, and packages) into one tarball that can be sent to TAC to be included in the support case. Administrators should download these support logs when sending their customer support request.

The Support Logs pages on the CAM web console provide web page controls to configure the level of log detail recorded for troubleshooting purposes in /perfigo/control/tomcat/logs/nac_manager.log. These web controls are intended as a convenient alternative to using the CLI loglevel command and its parameters to gather system information when troubleshooting. Note that the log level configured on the Support Logs page does not affect the CAM's Monitoring > Event Log page display.

For normal operation, the log level should always remain at the default setting (INFO). The log level is only changed temporarily for a specific troubleshooting time period—typically at the request of the customer support/TAC engineer. In most cases, the setting is switched from INFO to DEBUG or TRACE for a specific interval, then reset to INFO after data is collected. Note that once you reboot the CAM, or perform the service perfigo restart command, the log level returns to the default setting (INFO).


Caution Cisco recommends using the DEBUG and TRACE options only temporarily for very specific issues. Although the CAM records logging information and stores it in a series of nine 20MB files before discarding any old logs, the large amount of logging information can cause the CAM to run out of available log storage space in a relatively short amount of time.

To Download CAM Support Logs:


Step 1 Go to Administration > CCA Manager > Support Logs.

Figure 14-32 Support Logs

Step 2 Specify the number of days of debug messages to include in the file you will download for your Cisco customer support request.

Step 3 Click the Download button to download the cam_logs.<cam-ip-address>.tar.gz file to your local computer.

Step 4 Send this .tar.gz file with your customer support request.


Note To retrieve the compressed support logs file for the Clean Access Server, log in to the CAS web console and go to Monitoring > Support Logs. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(1) for details.



To Change the Loglevel for CAM Logs:


Step 1 Go to Administration > CCA Manager > Support Logs.

Step 2 Choose the CAM log category to change:

CCA Manager General Logging: This category contains the majority of logging events for the system. Any log event not contained in the other four categories listed below will be found under CCA Manager General Logging (e.g. authentication failures).

CAS/CAM Communication Logging: This category contains CAM/CAS configuration or communication errors, for example, if the CAM's attempt to publish information to the CAS fails, the event will be logged.

General OOB Logging: This category contains general OOB errors that may arise from incorrect settings on the CAM, for example, if the system cannot process an SNMP linkup trap from a switch because it is not configured on the CAM or is overloaded.

Switch Management Logging: This category contains generic SNMP errors that can arise from the CAM directly communicating with the switch, for example, if the CAM receives an SNMP trap for which the community string does not match.

Low-level Switch Communication Logging: This category contains OOB errors for specific switch models.

CAM/Profiler Communication Logging: This category contains the logs/errors at different levels of the synchronization of the Cisco ISE Profiler with NAC Appliance.


Note This applies only to Cisco ISE Profiler and does not include NAC Profiler.


Step 3 Click the loglevel setting for the category of log:

OFF: No log events are recorded for this category.

ERROR: A log event is written to /perfigo/control/tomcat/logs/nac_manager.log only if the system encounters a severe error, such as:

CAM cannot connect to CAS

CAM and CAS cannot communicate

CAM cannot communicate with database

WARN: Records only error and warning level messages for the given category.

INFO: Provides more details than the ERROR and WARN log levels. For example, if a user logs in successfully an Info message is logged. This is the default level of logging for the system.

DEBUG: Records all debug-level logs for the CAM.

TRACE: This is the maximum amount of log information available to help troubleshoot issues with the CAM/CAS.

Step 4 Click Update to save the settings.


Note Cisco recommends using the Debug and Trace options only temporarily for very specific issues. Although the CAM records logging information and stores it in a series of ten 20MB files before discarding any old logs, the large amount of logging information can cause the CAM to run out of available log storage space in a relatively short amount of time.


For details on the Event Log, see Chapter 12 "Monitoring Event Logs."


Filtering Logs by CAS and/or Agent IP

Starting from Cisco NAC Appliance Release 4.9, you can filter the CAM Logs by CAS and/or Agent machine by specifying their IP addresses. If the CAS is in an HA setup, enter the service IP and the eth0 addresses of both the Active and Standby CAS so that filtering works properly.

Under Filter by (Change log level for) CAS/Agent IP Address, enter the following:

CAS IP Address: Enter the IP Address of the specific CAS.

Agent IP Address: Enter the IP Address of the specific client machine.


Note You can enter more than one IP Address by separating them with a comma. You can include the range of IP Addresses as well. For example, you can enter the IP Address as 10.10.10.10,10.10.10.15-20.


Log at Level: Choose the log level.


Note To enable the Filter by CAS / Agent option, set the log levels of all the other categories to OFF.


Click Update Filter to save the settings. Download the support logs to view information related to the specified CAS and Agent. To store all events to the nac_manager.log file, select the Store all the events to log file checkbox on the Monitoring > Event Logs > Log Settings page. This option is disabled by default. Refer to Limiting the Number of Logged Events.

Figure 14-33 shows an example of the Log file.

Figure 14-33 NAC Manager Logs

The CAM log statements are stamped by Agent and CAS IP address. The CAS log statements are stamped by Agent IP address.
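A parser for the filter syntax shown above (10.10.10.10,10.10.10.15-20), applied to a few constructed log lines, as an added example that is not Cisco code. It assumes that a bare number after the dash closes a range on the last octet (the only form the page shows), that a full dotted address after the dash is also accepted as the range end, and it matches any IPv4 literal in a line because the exact stamp layout of nac_manager.log is not documented here.

```python
"""Parser for the Support Logs CAS/Agent IP filter syntax (added example, not Cisco code).

Entries are comma-separated; a trailing -N is read as a range on the last octet,
as in the page's 10.10.10.15-20. That interpretation, and accepting a full dotted
address after the dash, are assumptions.
"""
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_ip_filter(spec: str) -> frozenset:
    """Expand a filter string into the set of dotted-quad strings it covers."""
    addrs = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if "-" not in token:
            addrs.add(str(ipaddress.IPv4Address(token)))
            continue
        start_s, end_s = (p.strip() for p in token.split("-", 1))
        start = ipaddress.IPv4Address(start_s)
        if "." in end_s:
            end = ipaddress.IPv4Address(end_s)           # full address after the dash
        else:
            prefix = start_s.rsplit(".", 1)[0]           # shorthand: only the last octet changes
            end = ipaddress.IPv4Address(f"{prefix}.{end_s}")
        if end < start:
            raise ValueError(f"range end precedes start in {token!r}")
        addrs.update(str(ipaddress.IPv4Address(i)) for i in range(int(start), int(end) + 1))
    return frozenset(addrs)


def ha_cas_filter(service_ip: str, active_eth0: str, standby_eth0: str) -> str:
    """Build the CAS filter entry the page asks for when the CAS is an HA pair."""
    return ",".join((service_ip, active_eth0, standby_eth0))


def line_matches(line: str, cas_ips: frozenset, agent_ips: frozenset) -> bool:
    """A line passes when each non-empty filter set has at least one address in the line.
    Matching any IPv4 literal in the line is an approximation of the CAM's stamping."""
    found = set(IPV4_RE.findall(line))
    if cas_ips and not (found & cas_ips):
        return False
    if agent_ips and not (found & agent_ips):
        return False
    return True


# Constructed sample lines, not real nac_manager.log output.
SAMPLE_LINES = [
    "agent=10.10.10.17 cas=192.0.2.5 login succeeded",
    "agent=10.10.10.99 cas=192.0.2.5 login succeeded",
    "agent=10.10.10.10 cas=192.0.2.9 posture check failed",
]


def filter_lines(lines, cas_spec: str = "", agent_spec: str = "") -> list:
    """Keep only the lines that satisfy both the CAS and the Agent filter (empty = no filter)."""
    cas_ips = parse_ip_filter(cas_spec)
    agent_ips = parse_ip_filter(agent_spec)
    return [line for line in lines if line_matches(line, cas_ips, agent_ips)]


if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES, cas_spec="192.0.2.5",
                             agent_spec="10.10.10.10,10.10.10.15-20"):
        print(line)
```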

Agent Logs

The Agent Logs page is available starting from Cisco NAC Appliance 4.9 and can be used to decrypt and upload the Agent Logs to the CAM. These Agent Logs are bundled with the CAM Support Logs into one tar file that can be sent to TAC to be included in the support case. Refer to Create Agent Log Files Using the Cisco Log Packager for instructions on saving the Agent log files to your local machine.


Step 1 Go to Administration > CCA Manager > Agent Logs.

Step 2 Click the Browse button and navigate to the directory on your local machine where the Agent Logs file resides, select the file, and click Upload.


The uploaded files are listed in the Agent Logs page as shown in Figure 14-34.

Figure 14-34 Agent Logs

You can click the Preview link next to the Agent Log file to view the contents. The contents of the file are displayed at the bottom of the page.

Click the Download icon next to the file name to download the log file to your local system.

Click the Delete icon next to the file name to remove the log file.


Note You can upload a maximum of five Agent Logs files to the CAM. When you upload the sixth file, the first file is automatically removed.


Admin Users

This section describes how to add multiple administrator users in the Administration > Admin Users module of the CAM web admin console.

Under Administration > Admin Users there are three tabs: Admin Groups, Admin Users, and Access Restrictions.

You can create new admin users and associate them to pre-existing default admin groups, or you can create your own custom admin groups. In either case, the access permissions defined for the admin group are applied to admin users when you add those users to the group.

You can also choose to authenticate admin user credentials entered in both the CAM and CAS via an external Kerberos, LDAP, or RADIUS authentication server (configured using the instructions in Adding an Authentication Provider), or using the local CAM database. See Add an Admin User for details.

Admin Groups

There are three default (uneditable) admin groups in the system, and one predefined custom group ("Help Desk") that you can edit. In addition, you can also create any number of your own custom admin groups under Administration > Admin Users > Admin Groups > New.

The four default admin group types are:

1. Hidden

2. Read-Only

3. Add-Edit

4. Full-Control (has delete permissions)

The three default admin group types cannot be removed or edited. You can add users to one of the three pre-defined groups, or you can configure a new Custom group to create specialized permissions. When creating custom admin permissions, create and set access permissions for the custom admin group first, then add users to that group to set their permissions.

Add/Edit a Custom Admin Group

To create a new admin group:


Step 1 Go to Administration > Admin Users > Admin Groups.

Figure 14-35 Admin Groups

Step 2 Click the New link to bring up the new Admin Group configuration form.

Figure 14-36 New Admin Group

Step 3 Click the Disable this group checkbox if you want to initially create but not yet activate this new administrator group, or if you want to disable an existing administrator group.

Step 4 Enter a Group Name for the custom admin group.

Step 5 Enter an optional Description for the group.

Step 6 Set the access options next to each individual Clean Access Server as no access, view only, add-edit, or local admin. This allows you to restrict access to the individual Clean Access Server for a specified administrator group, enable an administrator group to view permissions on the individual Clean Access Server, and even tailor access to provide an administrator group full control over one or more Clean Access Servers (including delete/reboot capabilities).


Note When a Clean Access Server option is set to no access, the members of the administrator group can still see the specified server in the Device Management > CCA servers > List of Servers page, but they cannot manage, disconnect, reboot or delete the server.


Step 7 Select group access privileges of hidden, read only, add-edit, or full control for each individual module or submodule. This allows you to limit the Clean Access Server modules and submodules available to a specified administrator group and tailor administrative control over modules and/or submodules for the specified administrator group.


Note When a submodule option is set to hidden, the members of the administrator group can still see the given submodule in the left-hand web console pane, but the text is "greyed out" and they cannot access that submodule.


Step 8 Click Create Group to add the group to the Admin Groups list.

You can edit the group later by clicking the Edit icon next to the group in the list. To delete the group click the Delete icon next to the group. Users in an admin group are not removed when the group is deleted, but are assigned to the default Read-Only Admin group.


Note If an administrator changes the permissions of a particular admin group by editing the admin group, the administrator must remove all admin users belonging to that group since the new permissions will only be effective from the next login.



Admin Users


Note The default admin user is in the default Full-Control Admin group and is a special system user with full control privileges that can never be removed from the Clean Access Manager. For example, a Full-Control user can log in and delete his/her own account, but one cannot log in as user admin and delete the admin account.


Admin users are classified according to Admin Group. The following general rules apply:

All admin users can access the Administration > Admin Users module and change their own passwords.

Features that are not available to a level of admin user are simply disabled in the web admin console.

Read-Only users can only view users, devices, and features in the web admin console.

Add-Edit users can add and edit but not remove local users, devices, or features in the web admin console. Add-Edit admin users cannot create other admin users.

Full-Control users can add, edit, and delete all applicable aspects of the web admin console.

Only Full-Control admin users can add, edit, or remove other admin users or groups.

Custom group users (part of the "Help-Desk" admin group type, for example) can be configured to have a combination of access privileges, as described in Add/Edit a Custom Admin Group.

Login/Logout an Admin User

Admin user logins are session-based, so admin users should log out using the Logout icon in the top-right corner of every page of the web admin console. After logout, the administrator login page appears:

Figure 14-37 Admin Login

Additionally, you can use the Logout button to log out as one type of admin user and log in again as another.

Add an Admin User

To add a new administrator user:


Step 1 Go to Administration > Admin Users > New.

Figure 14-38 New Admin User

Step 2 Click the Disable this account checkbox if you want to initially create but not yet activate this new administrator user profile, or if you want to disable an existing administrator user.

Step 3 Enter an Admin User Name.

Step 4 For the Authentication Server dropdown menu, specify the method by which the CAM authenticates the administrator user login credentials entered in the CAM and/or CAS:

Choose Built-in Admin Authentication to verify administrator user credentials against the information stored locally in the CAM database.

Choose the Provider Name of a configured Kerberos, LDAP, or RADIUS authentication server to authenticate the admin user against an external authentication server. For admin users, only Kerberos, LDAP and RADIUS authentication servers are listed in the Authentication Server dropdown. See Adding an Authentication Provider for details.

Step 5 Select an admin group type from the Group Name dropdown list. Default groups are Read-Only, Add-Edit, and Full-Control. To add a user to a custom-access permissions group, add the group first as described in Add/Edit a Custom Admin Group.

Step 6 Enter a password in the Password and Confirm Password fields.

Step 7 Enter an optional Description.

Step 8 Click Create Admin. The new user appears under the Admin Users > List.


Edit an Admin User

To edit an existing admin user:


Step 1 Go to Administration > Admin Users > List.

Figure 14-39 Admin Users List

Step 2 Click the Edit icon next to the admin user.

Figure 14-40 Edit Admin User

Step 3 Change the Password and Confirm Password fields, or other desired fields.

Step 4 Click Save Admin.


Note You can edit all properties of the system admin user, except its group type.



Active Admin User Sessions

You can view which admin users are using the Clean Access Manager web admin console from Administration > Admin Users > Admin Users > Active Sessions. The Active Sessions list shows all admin users that are currently active. Admin users are session-based. Each browser that an admin user opens to connect to the Clean Access Manager webserver creates an entry for the user in the Active Sessions list.

If an admin user opens a browser, closes it, then opens a new browser, two entries will remain for a period of time on the Active Session list. The Last Access time does not change for the ended session, and eventually the entry will be removed by the Auto-logout feature.

Figure 14-41 Admin User Active Sessions

The Active Sessions page includes the following elements:

Admin Name—The admin user name.

IP Address—The IP address of the admin user's machine.

Group Name—The access privilege group of the admin user.

Login Time—The start of the admin user session.

Last Access—The last time the admin user clicked a link anywhere in the web admin console. Each click resets the last access time.

"Auto-Logout Interval for Inactive Admins"—This value is compared against the Login Time and Last Access time for an active admin user session. If the difference between the current time and last access time is greater than the auto-logout interval configured, the user is logged out. This value must be in the range of 1 to 120 minutes, with an interval of 20 minutes set by default.

"Minimum length for Admin Password"—Enter a value here to set minimum password length for the Admin Password.

Kick—Clicking this button logs out an active admin user and removes the session from the active session list.

Administrator User Access Restrictions

The admin user can restrict access to the CAM and CAS web consoles and SSH to a list of IP addresses; connections from addresses not on the list are blocked.

Use the following procedure to enable the access restriction.


Step 1 Go to Administration > Admin Users > Access Restrictions.

Figure 14-42 Administrator User Access Restrictions

Step 2 Check the Enforce IP Access Restriction checkbox.

Step 3 In the IP Restriction White List box, enter the IP Addresses to be allowed by the CAM and CAS. Type one address per line.

Step 4 Click Update.

Step 5 The list of IP addresses is applied to both the CAM and the CAS.


Note The access list is applied only to CASs that are already added to the CAM.




Note If you uncheck the Enforce IP Access Restriction checkbox, the IP addresses provided in the list become inactive. The access restriction is not enforced.



Caution If you click Update when the IP Restriction White List field is empty, the CAM/CAS are made inaccessible via web console or SSH. If this happens, you can use the following procedure to unlock CAM/CAS access again.

The following procedure provides instructions on how to unlock the CAM web console. You need to use the Serial Console or keyboard/monitor to access the CAM.


Step 1 Delete the contents of the /perfigo/control/apache/conf/sslacc.conf file in CAM.

Step 2 Run the command /perfigo/control/bin/startapache_g in CAM.

Step 3 This unlocks the CAM web console.

Step 4 Log in to the CAM web console, edit the access restriction list, and click Update.



Note Once you complete the above steps, both the CAM and CAS are accessible. If you are using HA pairs, you must execute the steps for both the CAMs.


Manage System Passwords


Note For new installations of Cisco NAC Appliance, the root administrator user password must conform to the strong password guidelines outlined below. Existing root administrator user passwords are preserved during upgrade.


It is important to provide secure passwords for the user accounts in the Cisco NAC Appliance system, and to change them from time to time to maintain system security. Cisco NAC Appliance prompts you to specify the following administrative user account passwords:

1. Clean Access Manager installation machine root user

2. Clean Access Server installation machine root user

3. Clean Access Server web console admin user

4. Clean Access Manager web console admin user

Passwords are initially set at installation time. To change these passwords at a later time, access the CAM or CAS machine by SSH, logging in as the user whose password you want to change. Use the Linux passwd command to change the user's password.

In all cases, Cisco recommends using strong passwords to maximize network security, but only the root administrator passwords on the CAM and CAS are required to conform to the strong password criteria, that is, passwords containing at least eight characters that feature at least two characters from each of the following four categories:

Lower-case letters

Upper-case letters

Numbers (digits)

Special characters (like !@#$%^&*~)

For example, the password 10-9=One would not satisfy the requirements because it does not feature two characters from each category, but 1o-9=OnE is a valid password.


Note If the first character of a password is an upper-case letter, that character is not counted toward the minimum number of required upper-case letters (two) when determining whether or not the correct number of characters exists in the password.

If the last character of a password is a digit, that character is not counted toward the minimum number of required digits (two) when determining whether or not the correct number of characters exists in the password.
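A checker for the root password criteria above, including the two exceptions in the Note, as an added example that is not Cisco code. It assumes that any printable character other than a letter or digit counts as a special character and that whitespace is rejected; the page does not say either.

```python
"""Checker for the root administrator password criteria (added example, not Cisco code).

Rules taken from the page: at least eight characters and at least two characters from
each of four categories, where a leading upper-case letter and a trailing digit do not
count. Assumptions: any printable non-alphanumeric character is "special"; whitespace
and non-printable characters are rejected.
"""
import string

MIN_LENGTH = 8
MIN_PER_CATEGORY = 2
CATEGORIES = ("lower-case letters", "upper-case letters", "digits", "special characters")


def _category(ch: str) -> str:
    if ch in string.ascii_lowercase:
        return "lower-case letters"
    if ch in string.ascii_uppercase:
        return "upper-case letters"
    if ch in string.digits:
        return "digits"
    return "special characters"   # assumption: every other printable character


def password_policy_violations(password: str) -> list:
    """Return human-readable problems; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"need at least {MIN_LENGTH} characters, found {len(password)}")
    counts = {name: 0 for name in CATEGORIES}
    last = len(password) - 1
    for i, ch in enumerate(password):
        if ch.isspace() or not ch.isprintable():
            problems.append(f"character at position {i} is whitespace or not printable")
            continue
        cat = _category(ch)
        # Exceptions from the Note: a leading upper-case letter and a trailing digit are not counted.
        if cat == "upper-case letters" and i == 0:
            continue
        if cat == "digits" and i == last:
            continue
        counts[cat] += 1
    for name in CATEGORIES:
        if counts[name] < MIN_PER_CATEGORY:
            problems.append(f"need at least {MIN_PER_CATEGORY} {name}, found {counts[name]}")
    return problems


def password_meets_root_policy(password: str) -> bool:
    return not password_policy_violations(password)


if __name__ == "__main__":
    # The page's two examples plus a pair that differs only in where the upper-case letter sits.
    for pw in ("10-9=One", "1o-9=OnE", "Ab1c!@2dE", "bA1c!@2dE"):
        print(pw, password_policy_violations(pw) or "OK")
```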


This section describes the following:

Change the CAM Web Console Admin Password

Change the CAS Web Console Admin User Password

Change the CAM Web Console Admin Password

To change the Clean Access Manager web console admin user password, use the following procedure.


Step 1 Go to Administration > Admin Users > List.

Step 2 Click the Edit icon for user admin.


Step 3 Type the new password in the Password field.

Step 4 Type the password again in the Confirm Password field.

Step 5 Click the Save Admin button. The new password is now in effect.


Change the CAS Web Console Admin User Password

Most configuration tasks are performed in the CAM web admin console. However, the CAS direct access web console is used to perform several tasks specific to a local CAS configuration, such as configuring High-Availability mode. Use the following instructions to change the CAS web console admin password:


Step 1 Open the Clean Access Server admin console by navigating to the following address in a browser:

https://<CAS_IP>/admin

where <CAS_IP> is the trusted interface IP address of the CAS. For example, https://172.16.1.2/admin.

Step 2 Log in with the admin user name and password.

Step 3 Click the Admin Password link from the left side menu.

Step 4 In the Old Password field, type the current password.

Step 5 Type the new password in the New Password and the Confirm Password fields.

Step 6 Click Update.


Backing Up the CAM Database

You can create a manual backup snapshot of the CAM database to back up the CAM/CAS configuration for the current release. When you create the snapshot, it is saved on the CAM, but you can also download it to another machine for safekeeping. Only the CAM snapshot needs to be backed up. The CAM snapshot contains all database configuration data for the Clean Access Manager, and configuration information for all Clean Access Servers added to the CAM's domain. The snapshot is a standard postgres data dump.

The Clean Access Manager uses a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them. (You cannot upload a CAM database snapshot that was created when the system was configured with a different master secret password.)


Note Product licenses are stored in the database and are therefore included in the backup snapshot.


Once a CAS is added to the CAM, the CAS gets its configuration information from the CAM every time it contacts the CAM, including after a snapshot configuration is downloaded to the CAM.

If you replace the underlying machine for a CAS that is already added to the CAM, you will need to execute the service perfigo config utility to configure the new machine with the CAS IP address and certificate configuration. Thereafter, the CAM pushes all the other configuration information to the CAS.

The Agent is always included as part of the CAM database snapshot. The Agent is always stored in the CAM database when:

The Agent update is received from web updates

The Agent is manually uploaded to the CAM

However, when the CAM is newly installed from CD or upgraded to the latest release, the Agents are not backed up to the CAM database. In this case, the CAM software contains the new Agent software but this is not uploaded to the CAM database. Agent backups only start when a new Agent is uploaded to the system either manually or by web updates.


Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. release 4.9 snapshot to release 4.9 CAM).



Note For further details on database logs, refer to Cisco NAC Appliance Log Files.


This section describes the following:

Automated Daily Database Backups

Manual Backups from Web Console

Restoring a CAM Snapshot—Standalone CAM

Restoring a CAM Snapshot—HA-CAM or HA-CAS

Backing Up and Restoring CAM/CAS Authorization Settings

Database Recovery Tool

Automated Daily Database Backups

Cisco NAC Appliance automatically creates daily snapshots of the Clean Access Manager database and preserves the most recent from the last 30 days. It also automatically creates snapshots before and after software upgrades, and before and after failover events. For upgrades and failovers, only the last 5 backup snapshots are kept. See Database Recovery Tool for additional details.

Manual Backups from Web Console

Cisco recommends creating a backup of the CAM before making major changes to its configuration. Backing up the configuration from time to time also ensures a recent backup of a known-good configuration profile, in case of a malfunction due to incorrect settings. Besides protecting against configuration data loss, snapshots provide an easy way to duplicate a configuration among several CAMs.


Note Manually-created snapshots stay on the CAM until they are manually removed.



Step 1 In the Administration > Backup page, type a name for the snapshot in the Database Snapshot Tag Name field. The field automatically populates with a filename that incorporates the current date and time (e.g., MM_DD_YY-hh-mm_snapshot). You can either accept the default name or type another.

Step 2 Click Create Snapshot. The Clean Access Manager generates a snapshot file, which is added to the snapshot list. The Version column automatically lists the CAM software version for the snapshot.

Figure 14-43 Backup Snapshot


Note The file still physically resides on the Clean Access Manager machine. For archiving purposes, it can remain there. However, to back up a configuration for use in case of system failure, the snapshot should be downloaded to another computer.


Step 3 To download the snapshot to another computer, click either the Download icon or the Tag Name of the snapshot that you want to download.

Step 4 In the File Download dialog, Save the file to your local computer.

To remove the snapshot from the snapshot list, click the Delete icon.


Restoring a CAM Snapshot—Standalone CAM


Note You can only restore a CAM snapshot that has the same version as the CAM (e.g. release 4.9 snapshot to release 4.9 CAM) and, although you can use the CAM web console to upload the snapshot image you want to restore, you must perform the actual restoration step via the CAM CLI.


The Clean Access Manager uses a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them. (You cannot upload a CAM database snapshot that was created when the system was configured with a different master secret password.) To restore a standalone Clean Access Manager to the configuration state of the snapshot:


Step 1 Go to Administration > Backup, ensure the snapshot image Tag Name appears in the table, and that the version of the snapshot is the same version currently running on the CAM.

Step 2 If you need to upload the snapshot image from an external machine first, click the Browse button next to the Snapshot to Upload field, find the file in the external directory structure, and click Upload Snapshot.

Step 3 Log into the CAM CLI console and shut down services on the CAM using the service perfigo stop command.

Step 4 Enter the /perfigo/dbscripts/dbbackup.sh command. The existing configuration is overwritten by the configuration in the snapshot.


Warning Entering the "./dbbackup.sh" command using "sh ./dbbackup.sh" syntax can cause the backup process to enter an endless loop, repeatedly asking you to verify the restoration process. Do not use the "sh ./dbbackup.sh" syntax.

Step 5 Restart services on the CAM using the service perfigo start command.


Restoring a CAM Snapshot—HA-CAM or HA-CAS


Note The CAM snapshot contains all database configuration data for the Clean Access Manager and configuration information for all Clean Access Servers added to the CAM's domain.


If only one of the HA-Primary and HA-Secondary CAMs and/or CASs in your HA deployment loses its configuration, you can retrieve the most recent snapshot (or create one for the existing configuration) from the remaining CAM and load it into your HA system to ensure consistent behavior from both the HA-Primary and HA-Secondary machines.

If both the HA-Primary and HA-Secondary CAMs and/or CASs in your HA deployment lose their configuration, you can restore the system using the following guidelines. (For example, if a catastrophic event wipes out the image and database on both the HA-Primary and HA-Secondary machines or forces you to RMA both machines and install new appliances.)


Warning Do not attempt to restore a snapshot on either the active or standby CAM if the standby machine is offline (down or still rebooting).

Restore Both HA-Primary and HA-Secondary CAMs from Snapshot

To restore the HA-Primary and HA-Secondary CAMs in a failover deployment to the configuration state of the snapshot:


Step 1 Install and initially configure the HA-Primary CAM and HA-Secondary CAM so that they feature the same attributes as before your HA deployment went down as described in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Step 2 Apply your CAM user license(s) to both the HA-Primary and HA-Secondary CAMs.

Step 3 Reconfigure the HA-Primary and HA-Secondary CAMs as an HA pair as described in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

Step 4 Shut down the HA-Secondary CAM to prevent it from automatically assuming the "active" role during database restoration.

Step 5 Navigate to the Administration > Backup web console page on the HA-Primary CAM, click the Browse button next to the Snapshot to Upload field, find the file in the external directory structure, and click Upload Snapshot.

Step 6 Log into the HA-Primary CAM CLI console and shut down services on the CAM using the service perfigo stop command.

Step 7 Enter the /perfigo/dbscripts/dbbackup.sh command. The existing configuration is overwritten by the configuration in the snapshot.


Warning Entering the "./dbbackup.sh" command using "sh ./dbbackup.sh" syntax can cause the backup process to enter an endless loop, repeatedly asking you to verify the restoration process. Do not use the "sh ./dbbackup.sh" syntax.

Step 8 Restart services on the HA-Primary CAM using the service perfigo start command.

Step 9 To complete the snapshot restoration, bring up the HA-Secondary CAM and wait approximately 5 minutes for the HA-Secondary CAM to automatically "sync up" with the HA-Primary.

Step 10 Reboot the HA-Primary CAM. Once the CAM has restarted and you can log in via the web console, reboot the HA-Secondary CAM.


Restore Both HA-Primary and HA-Secondary CASs from Snapshot

To restore the HA-Primary and HA-Secondary CASs in a failover deployment to the configuration state of the snapshot:

1. Install and initially configure the HA-Primary CAS and HA-Secondary CAS so that they feature the same attributes as before your HA deployment went down as described in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.

2. Reconfigure both the HA-Primary and HA-Secondary CASs as an HA pair as described in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.


Warning Ensure you follow the instructions in the "Configuring High Availability (HA)" chapter in the order they are presented to successfully re-establish your CAS HA connection.

3. Simulate failover events between the HA-Primary and HA-Secondary CASs by shutting down/disconnecting the HA-Primary CAS to allow the HA-Secondary CAS to assume access control functions. Once the standby CAS assumes the active role, simulate the same failover for the HA-Secondary CAS (the new active CAS) when the HA-Primary (standby) comes back "online."

Performing these failover simulations on both the HA-Primary and HA-Secondary CASs ensures that each one gets the current database information from the CAM.


Backing Up and Restoring CAM/CAS Authorization Settings

As an added security measure, Authorization and certificate trust store settings are not backed up with other elements of the CAM/CAS configuration. Therefore, when backing up your CAM/CAS configuration, you must back up Authorization and certificate trust store files separately from the standard database backup/snapshot.

Authorization settings are not automatically passed from the HA-Primary CAM/CAS to the HA-Secondary when the two are deployed as a high-availability pair. You can therefore also use the following procedure to populate the Authorization settings on an HA-Secondary CAM/CAS, ensuring that both appliances in the HA pair share exactly the same Authorization and certificate trust store settings and the same list of Authorized Clean Access Servers (or Clean Access Managers, if backing up an HA-Primary Clean Access Server).


Note If you have a large CAS deployment managed from a single CAM, this procedure can save considerable time when configuring the secondary CAM.


Table 14-2 lists the files typically found in the /root/.perfigo/ directory (depending on your particular configuration).

Table 14-2 Authorization Backup Files

File Name
Description

auth_nac_en.txt

If this file is present in the CAM/CAS's /root/.perfigo/ directory, the CAM/CAS has enabled the Authorization feature.

auth_nac.txt

This file contains the actual Clean Access Manager or Clean Access Server Authorization entries that populate the Authorized CCA Servers/Authorized CCA Managers lists on the CAM Device Management > CCA Servers > Authorization web console page or CAS Device Management > Authorization web console page.

auth_warn_nac_en.txt

If this file is present in the CAM/CAS's /root/.perfigo/ directory, the CAM/CAS has enabled the Test CCA Server Authentication option and is logging Authorization operations as SSL Certificate events.

caCerts

This file contains the collection of end entity certificates on the CAM/CAS.


To back up CAM/CAS Authorization and certificate trust store settings and upload them to a redundant or HA-Secondary CAM/CAS:


Step 1 Telnet or SSH to the command line interface of the primary CAM/CAS, navigate to the /root/.perfigo/ directory, and view the contents of the /root/.perfigo/ directory:

[root@cam1]# cd /root/
[root@cam1]# cd .perfigo/
[root@cam1]# ls -l
-rw-r--r--  1 root root    0 Jul 21 11:09 auth_nac_en.txt
-rw-r--r--  1 root root   80 Jul 21 11:09 auth_nac.txt
-rw-r--r--  1 root root   16 Jul 21 11:09 auth_warn_nac_en.txt
-rw-r--r--  1 root root 1346 Jul 20 21:49 caCerts

Step 2 Create the tar file to upload. You will need to specify a file name (for example, "authorization.tar.gz").

[root@cam1]# tar cvzf authorization.tar.gz *
auth_nac_en.txt
auth_nac.txt
auth_warn_nac_en.txt
caCerts

Step 3 Upload the new tar file to the destination CAM/CAS for backup or to populate an HA-Standby CAM/CAS.

[root@cam1]# scp authorization.tar.gz root@<IP address>:/root/.perfigo/
root@<IP address>'s password:
authorization.tar.gz                                100% 1107     1.1KB/s   00:00

Step 4 Telnet or SSH to the command line interface of the secondary CAM/CAS, navigate to the /root/.perfigo/ directory, and extract the contents of the uploaded tar file.

[root@cam2]# cd /root/
[root@cam2]# cd .perfigo/
[root@cam2]# tar xvzf authorization.tar.gz
auth_nac_en.txt
auth_nac.txt
auth_warn_nac_en.txt
caCerts

Step 5 Verify that the files have been uploaded and extracted correctly.

[root@cam2]# ls -l
-rw-r--r--  1 root root    0 Jul 21 11:09 auth_nac_en.txt
-rw-r--r--  1 root root   80 Jul 21 11:09 auth_nac.txt
-rw-r--r--  1 root root   16 Jul 21 11:09 auth_warn_nac_en.txt
-rw-r--r--  1 root root 1346 Jul 20 21:49 caCerts

Step 6 Stop and restart the secondary CAM/CAS to apply the duplicate settings.

[root@cam2]# service perfigo stop
Stopping High-Availability services:
[  OK  ]
[root@cam2]# service perfigo start
Starting High-Availability services:
[  OK  ]
Please wait while bringing up service IP.
Heartbeat service is running.
Service IP is up on the peer node.
Stopping postgresql service: [  OK  ]
Starting postgresql service: [  OK  ]
CREATE DATABASE
DROP DATABASE
CREATE DATABASE
DROP DATABASE
Database synced
[root@cam2]#

Note This example addresses a CAM HA-pair, but the same functions and process apply to a CAS HA-pair.


For more information on CAM and CAS HA-pairs, see the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.
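The following shell script is an added example, not Cisco's own tooling, that wraps Steps 2 through 5 above: it bundles the Table 14-2 files together with a SHA-256 manifest and, on the peer, refuses an archive that carries no manifest and fails if any file was altered in transit. It assumes GNU tar and sha256sum; PERFIGO_DIR defaults to /root/.perfigo and can be pointed at a test directory.

```shell
#!/bin/sh
# Added example, not Cisco's own tooling: bundle the CAM/CAS Authorization
# files from Table 14-2 together with a SHA-256 manifest so that, after the
# archive is copied to the peer, the trust store and Authorization entries
# can be shown to have arrived unaltered. Assumes GNU tar and sha256sum.
# PERFIGO_DIR defaults to the real /root/.perfigo; point it elsewhere to test.
PERFIGO_DIR="${PERFIGO_DIR:-/root/.perfigo}"
AUTH_FILES="auth_nac_en.txt auth_nac.txt auth_warn_nac_en.txt caCerts"

# pack_auth_settings OUT.tar.gz
# Archives only the files that exist (auth_warn_nac_en.txt is optional),
# writes auth_manifest.sha256 next to them, and makes the archive root-only.
pack_auth_settings() {
  out="$1"
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar runs after a cd
  present=""
  for f in $AUTH_FILES; do
    [ -f "$PERFIGO_DIR/$f" ] && present="$present $f"
  done
  [ -n "$present" ] || { echo "no Authorization files in $PERFIGO_DIR" >&2; return 1; }
  # $present is deliberately unquoted: it is a space-separated file list.
  ( cd "$PERFIGO_DIR" && sha256sum $present > auth_manifest.sha256 \
      && tar czf "$out" $present auth_manifest.sha256 ) || return 1
  chmod 600 "$out"
}

# unpack_auth_settings IN.tar.gz
# Extracts into PERFIGO_DIR and checks every file against the manifest;
# returns non-zero if the manifest is missing or any file was altered.
unpack_auth_settings() {
  arc="$1"
  case "$arc" in /*) ;; *) arc="$PWD/$arc" ;; esac
  tar tzf "$arc" 2>/dev/null | grep -qxF auth_manifest.sha256 \
    || { echo "$arc: no manifest, refusing to extract" >&2; return 1; }
  ( cd "$PERFIGO_DIR" && tar xzf "$arc" && sha256sum -c auth_manifest.sha256 >/dev/null )
}
```

Run pack_auth_settings on the primary, copy the archive with scp as in Step 3, then run unpack_auth_settings on the secondary before restarting services as in Step 6.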


Database Recovery Tool

The Database Recovery tool is a command line utility that can be used to restore the database from the following types of backup snapshots:

Automated daily backups (the most recent 30 copies)

Backups made before and after software upgrades

Backups made before and after failover events

Manual snapshots created by the administrator via the web console

Although the web console already allows you to manually create and upload snapshots (via Administration > Backup), the CLI tool presents additional detail. The tool provides a menu that lists the snapshots from which to restore, and the uncompressed size and table count. Note that a file which is corrupt or not in the proper format (e.g. not .tar.gz) will show a remediation warning instead of an uncompressed size and a table count.


Caution The CAM must be stopped before you can run this utility and must be rebooted after the utility is run.

To run the command utility:

1. Access your Clean Access Manager by SSH.

2. Log in as user root with the root password.

3. Change to the directory of the database recovery tool: cd /perfigo/dbscripts.

4. Run service perfigo stop to stop the Clean Access Manager.

5. Run ./dbbackup.sh to start the tool.


Warning Entering the "./dbbackup.sh" command using "sh ./dbbackup.sh" syntax can cause the backup process to enter an endless loop, repeatedly asking you to verify the restoration process. Do not use the "sh ./dbbackup.sh" syntax.

6. Follow the prompts to perform database restore.

7. Run reboot to reboot the Clean Access Manager after running the utility.


Note For general information on CLI commands, see the "CAM CLI Commands" section in the Cisco NAC Appliance Hardware Installation Guide, Release 4.9.
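The following pre-flight check is an added example, not the dbbackup.sh tool itself: for a snapshot file it reports what the recovery tool's menu shows, the uncompressed size and the table count, and flags files that are corrupt or not a .tar.gz, so the problem is found before the CAM is stopped. It assumes GNU tar, gzip, grep and wc, and counts tables as CREATE TABLE statements in the PostgreSQL dump.

```shell
#!/bin/sh
# Added example, not part of Cisco's dbbackup.sh: report for a snapshot what
# the Database Recovery Tool's menu shows (uncompressed size and table count)
# and flag files that are corrupt or not a .tar.gz. A CAM snapshot is a
# standard PostgreSQL dump inside a gzip-compressed tar, so tables are counted
# as "CREATE TABLE" statements. Assumes GNU tar, gzip, grep and wc.

# snapshot_info FILE
# Prints "<bytes> <tables>" and returns 0 for a usable snapshot; prints a
# remediation warning on stderr and returns 1 otherwise.
snapshot_info() {
  f="$1"
  case "$f" in
    *.tar.gz) ;;
    *) echo "$f: not a .tar.gz snapshot, choose a proper snapshot file" >&2; return 1 ;;
  esac
  # gzip -t verifies every compressed block, catching truncation and bit rot
  # before any restore is attempted.
  if ! gzip -t "$f" 2>/dev/null; then
    echo "$f: corrupt gzip data, re-download it or use an older snapshot" >&2
    return 1
  fi
  if ! tar tzf "$f" >/dev/null 2>&1; then
    echo "$f: gzip is intact but the tar archive inside is damaged" >&2
    return 1
  fi
  # Size of the archive once decompressed (tar headers included).
  bytes=$(gzip -dc "$f" | wc -c | tr -d ' ')
  # One table per CREATE TABLE statement; "|| true" keeps a zero count from
  # tripping errexit, since grep -c exits 1 when nothing matches.
  tables=$(tar xzOf "$f" | grep -c '^CREATE TABLE ' || true)
  echo "$bytes $tables"
}
```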


API Support

Cisco NAC Appliance provides a utility script called cisco_api.jsp that allows you to perform certain operations using HTTPS POST. The Cisco NAC Appliance API for your Clean Access Manager is accessed from a web browser as follows: https://<ccam-ip-or-name>/admin/cisco_api.jsp.

For usage and authentication requirements, guest access support, and operations summary information, see "API Support".