Cisco NAC Appliance Hardware Installation Guide, Release 4.8
Installing the Clean Access Manager and Clean Access Server


Table Of Contents

Installing the Clean Access Manager and Clean Access Server

Overview

Important Release Information

Installing the Clean Access Manager

Overview

Summary of Steps For New Installation

Connect the Clean Access Manager

Install the Clean Access Manager (CAM) Software from CD-ROM

Perform the Initial CAM Configuration

Configuration Utility Script

Access the CAM Web Console

Install CAM License

Add Additional Licenses

Important Notes for SSL Certificates

Installing the Clean Access Server

Overview

Switch/Router Configuration

Virtual Gateway Mode Connection Requirements

Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

Determining VLANs For Virtual Gateway

Summary of Steps For New Installation

Connect the Clean Access Server

Install the Clean Access Server (CAS) Software from CD-ROM

Perform the Initial CAS Configuration

Configuration Utility Script

Important Notes for SSL Certificates

Cisco NAC Appliance Connectivity Across a Firewall

Configuring the CAS Behind a NAT Firewall

Connectivity Across a Wide Area Network

Configuring Additional NIC Cards

Serial Connection to the CAM and CAS

Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS

Useful CLI Commands for the CAM/CAS

CAM CLI Commands

CAS CLI Commands

CAS CLI Commands for Cisco NAC Appliance

CAS CLI Commands for Cisco NAC Profiler

Manually Restarting the CAM/CAS Configuration Utility

Troubleshooting the Installation

Verify/Change Current Master Secret on CAM/CAS

Recover From Corrupted Master Secret

Network Interface Card (NIC) Driver Not Supported

Resetting and Restoring an Unreachable Clean Access Server

Enabling TLSv1 on Internet Explorer Version 6

Powering Down the NAC Appliance


Installing the Clean Access Manager and Clean Access Server


This chapter covers the following topics:

Overview

Installing the Clean Access Manager

Installing the Clean Access Server

Cisco NAC Appliance Connectivity Across a Firewall

Connectivity Across a Wide Area Network

Configuring Additional NIC Cards

Serial Connection to the CAM and CAS

Useful CLI Commands for the CAM/CAS

Manually Restarting the CAM/CAS Configuration Utility

Troubleshooting the Installation

Powering Down the NAC Appliance

Overview

This chapter provides installation instructions for Cisco NAC Appliance. It provides instructions for how to initially configure your CAM and CAS using the Configuration Utility, access the CAM web console, and install product licenses. Once the initial configuration of your CAM and CAS is complete, you will be able to access the CAM web console to continue the rest of the configuration for your deployment.

For comprehensive configuration information, refer to the latest Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) and Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) documents available on Cisco.com under http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html. When using the online publications, make sure to refer to the documents that match the software version running on your Cisco NAC Appliance (e.g. "Release 4.8").

Important Release Information

Refer to the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version, for additional and late-breaking information on 4.8(x) software releases.

Installing the Clean Access Manager

This section describes how to install the Clean Access Manager. Topics include:

Overview

Summary of Steps For New Installation

Connect the Clean Access Manager

Install the Clean Access Manager (CAM) Software from CD-ROM

Perform the Initial CAM Configuration

Access the CAM Web Console

Overview

The Cisco NAC Appliance CAM/CAS hardware platforms are Linux-based network hardware appliances which are pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system, and all relevant components on a dedicated server machine. In Release 4.7(0) and later, the operating system comprises a hardened Linux kernel based on CentOS 5.3. Cisco NAC Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine.

When you receive a new Cisco NAC Appliance, you will need to connect to the appliance and perform initial configuration.

If you want to install a different version of the software than what is shipped on the appliance, you can perform software installation via CD first. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on the software versions supported on Cisco NAC Appliance CAM/CAS platforms.

This chapter contains information for performing CD software installation and initial configuration of a Clean Access Manager.

With Cisco NAC Appliance software installation via CD, you must select whether to install the Clean Access Manager or Clean Access Server application. Once the CAM or CAS is installed on the dedicated appliance (application, OS, and relevant components), the installation of any other packages or applications on the CAM or CAS is not supported.


Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.



Note For installation details on the Cisco NAC Network Module (CAS on a network module), refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.


Summary of Steps For New Installation


Note If relevant, back up your current Clean Access Manager configuration and save the snapshot to your local computer for safekeeping as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).



Step 1 Follow the instructions on your welcome letter to obtain a valid license file for your installation. Refer to the instructions in Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are evaluating Cisco NAC Appliance, visit http://www.cisco.com/go/license/public to obtain an evaluation license.)

When you add the initial CAM license, the top of the CAM web console will display the type of Clean Access Manager license installed:

Cisco Clean Access Lite Manager supports 3 Clean Access Servers

Cisco Clean Access Standard Manager supports 20 Clean Access Servers

Cisco Clean Access Super Manager supports 40 Clean Access Servers
(SuperCAM runs only on the NAC-3390 platform)

Additionally, the Administration > CCA Manager > Licensing page will display the types of licenses present after they are added. See Install CAM License for further details.

Step 2 Obtain a bootable CD of the latest version of the software. You can log in and download the latest 4.8(x) .ISO image from Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml, or click the "Download Software" link from the Cisco NAC Appliance support page here and burn it as a bootable disk to a CD-R.


Note Cisco recommends burning the .ISO image to a CD-R using speeds 10x or lower. Higher speeds can result in corrupted/unbootable installation CDs.


Step 3 Connect the CAM to the network and connect a monitor and keyboard to the CAM, or connect your workstation to the CAM via serial cable, as described in Connect the Clean Access Manager.

Step 4 Install the software as described in Install the Clean Access Manager (CAM) Software from CD-ROM.


Note If your NAC-3310 appliance does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS.


Step 5 Perform the initial configuration of the CAM, as described in Perform the Initial CAM Configuration.


Note For High Availability mode, install and initially configure each CAM first before configuring HA. Refer to Installing a Clean Access Manager High Availability Pair for details.

You must use identical appliances (e.g. NAC-3350 and NAC-3350) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).


Step 6 Access the CAM web console and install a valid FlexLM license file for the Clean Access Manager as described in Access the CAM Web Console.

Step 7 In the web console, navigate to Administration > CCA Manager > Licensing to install any additional FlexLM license files for your Clean Access Servers, as described in Install CAM License.

Step 8 Add your Clean Access Server(s) to the Clean Access Manager, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).


Connect the Clean Access Manager

To install the Clean Access Manager software from CD-ROM or to perform its initial configuration, you will need to connect the target machine and access the CAM's command line.


Step 1 The Clean Access Manager requires one of the two 10/100/1000BASE-TX interface connectors on the back panel of the CAM for its eth0 network interface. Connect the NIC1 network interface on the target machine to your local area network (LAN) using a CAT5 Ethernet cable.

Step 2 Connect the power by plugging one end of the AC power cord into the back of the machine and the other end into an electrical outlet.

Step 3 Connect the external FIPS Smart card reader module to a FIPS 140-2 compliant NAC-3315, NAC-3355, or NAC-3395 by plugging the Smart card reader mini-DIN cable into the female mini-DIN FIPS card port on the back of the appliance (see Figure 1-4, Figure 1-9, and Figure 1-14). (Ensure you also have a Smart card inserted into the reader.)

Step 4 Power on the CAM by pressing the power button on the front of the machine. The diagnostic LEDs will flash a few times as part of an LED diagnostic test. Status messages are displayed on the console as the CAM boots up.

Step 5 Access the CAM's command line by either:

Connecting a monitor and keyboard directly to the CAM via the keyboard connector and video monitor/console connector on the back panel.

Connecting a serial cable from an external workstation (PC/laptop) to the CAM and opening a serial connection using terminal emulation software (such as HyperTerminal or SecureCRT) on the external workstation, as described in Serial Connection to the CAM and CAS.


Note Cisco NAC Appliances assume the keyboard connected to be of US layout for both direct and IP-KVM connections. Use a US layout keyboard or ensure that you know the key mapping if you are connecting a keyboard of different layout.




Note The eth1 interface (NIC2) of the CAM is only required when connecting High Availability CAM pairs.



Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.


Install the Clean Access Manager (CAM) Software from CD-ROM

The following steps describe how to perform optional CD installation of the Clean Access Manager software on the NAC-3310/3315 MANAGER, NAC-3350/3355 MANAGER, and NAC-3390/3395 MANAGER appliances.


Step 1 Connect the target installation machine to the network and access the command line of the machine by direct console or over a serial connection, as described in Serial Connection to the CAM and CAS.

Step 2 Download the latest software version supported on the target machine as follows:

a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.8.

c. Download the latest 4.8(x) .ISO image (e.g. nac-4.8_3-K9.iso) and burn the image as a bootable disk to a CD-R.


Note Cisco recommends burning the .ISO image to a CD-R using speeds 10x or lower. Higher speeds can result in corrupted/unbootable installation CDs.


Step 3 Insert the CD-ROM containing the Cisco NAC Appliance .ISO file into the CD-ROM drive and reboot the machine.

Step 4 The Cisco Clean Access Installer welcome screen appears after the machine restarts:

Cisco Clean Access 4.8.3 Installer (C) 2012 Cisco Systems, Inc.

                Welcome to the Cisco Clean Access Installer!

 -  To install a Cisco Clean Access device, press the <ENTER> key.

 -  To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the <ENTER> key.

boot:

Step 5 At the "boot:" prompt, type one of the following options depending on the type of connection:

Press the Enter key if your monitor and keyboard are directly connected to the appliance.

Type serial and press enter in the terminal emulation console if you are accessing the appliance over a serial connection.

Step 6 If the install CD detects an existing installation of Cisco NAC Appliance, you are presented with the following prompt:

Checking for existing installations.
Clean Access Manager 4.8.0 installation detected.
Please choose one of the following actions:
1) Install.
2) Exit.

Step 7 Choose 1 to perform a fresh installation of the Cisco NAC Appliance software.

Step 8 Next, the Cisco NAC Appliance software installer asks you to specify whether you are installing a Clean Access Manager or Clean Access Server. At the following prompt, enter 1 to perform the installation for a Clean Access Manager.

Please choose one of the following configurations:
1) CCA Manager.
2) CCA Server.
3) Exit.

Caution Only one CD is used for installation of the Clean Access Manager or Clean Access Server software. You must select the appropriate type, either CAM or CAS, for the target machine on which you are performing installation.

Step 9 The Clean Access Manager Package Installation then executes. The installation takes several minutes. When finished, the installation script presents the following message, prompting you to press Enter to reboot the CAM and launch the Clean Access Manager quick configuration utility.

Installation complete. Press <ENTER> to continue

After you press Enter, the welcome screen for the Clean Access Manager quick configuration utility appears, and a series of questions prompt you for the initial configuration, as described in Perform the Initial CAM Configuration, next.


Perform the Initial CAM Configuration

When installing the Clean Access Manager from CD-ROM, the Configuration Utility Script automatically appears after the software packages install to prompt you for the initial configuration.


Note If necessary, you can always manually start the Configuration Utility Script as follows:

1. Over a serial connection or working directly on the CAM, log onto the CAM as user root with correct password.

2. Run the initial configuration script by entering the following command:

service perfigo config

You can run the service perfigo config command to modify the configuration of the CAM if it cannot be reached through the web admin console. For further details on CLI commands, see CAM CLI Commands.


Configuration Utility Script

The configuration utility script suggests default values for particular parameters. To configure the installation, either accept the default value or provide a new one, as described below.


Step 1 After the software is installed from the CD and package installation is complete, the welcome script for the configuration utility appears:

Welcome to the Cisco Clean Access Manager quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Manager, (C) 2012 Cisco Systems, Inc.

Note If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAM, refer to Manually Restarting the CAM/CAS Configuration Utility.


Step 2 If your CAM is a FIPS-compliant platform (NAC-3315, NAC-3355, or NAC-3395) the first prompt asks if you want to initialize the on-board FIPS card (used to ensure FIPS compliant functions on the appliance). Otherwise, skip to Step 6.

Do you want to initialize the fips cards? (y/n)? [y]

Step 3 Choose y to enable FIPS on your appliance. The appliance automatically initializes the FIPS card and attempts to establish the security world.

 -- Running startup script 45drivers
 -- Running startup script 46exard
 -- Running startup script 50hardserver
Security world not found
Creating the security world and initializing the smart cards

Next, the FIPS setup process prompts you to specify how many Smart Cards (from 1-6) you want to initialize to enable FIPS compliance on the CAM.

How many cards do you want to initialize (1-6)? [1]
Set ncipher card switch in i mode and press Return to continue

Step 4 Enter the number of Smart Cards you want to initialize, ensure that the FIPS card operation switch on the back of the CAM is switched to "I" (for "initialize"), and press Return.

Module 1, command ClearUnit: OK

Create Security World:
 Module 1: 0 cards of 1 written
 Module 1 slot 0: unknown card
 Module 1 slot 0: - no passphrase specified - overwriting card
Module #1 Slot #0: Processing ...

Card writing complete.

security world generated on module #1; hknso = 909bd9f06542521a01f42fc881c8abcbab0812ee
Set ncipher card switch in o mode and press Return to continue

Step 5 Switch the FIPS card switch back to "O" (for "operational") and press Return.

Module 1, command ClearUnit: OK

Card(s) check passed

Do you want to continue with the rest of the NAC Manager Configuration?  (y/n)? [y]

Step 6 When prompted, enter an IP address for the eth0 (trusted) interface of the CAM.

Configuring the network interface:

Please enter the IP address for the interface eth0 []: 10.201.240.11
You entered 10.201.240.11 Is this correct? (y/n)? [y]

At the prompt, enter y to accept the default address, or n to specify another IP address. In this case, type the address you want to use for the trusted network interface in dotted-decimal format. Confirm the value when prompted.

Step 7 Type the subnet mask for the interface address at the prompt or press enter for the default. Confirm the value when prompted.

Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]

Step 8 Specify and confirm the address of the default gateway for the Clean Access Manager. This is typically the IP address of the router between the Clean Access Manager subnet and the Clean Access Server subnet.

Please enter the IP address for the default gateway []: 10.201.240.1
You entered 10.201.240.1. Is this correct? (y/n)? [y]

Step 9 Provide a host name for the Clean Access Manager. The host name will be matched with the interface address in your DNS server, enabling it to be used to access the Clean Access Manager admin console from a browser. The default host name is nacmanager.

Please enter the hostname [nacmanager]: cam3355
You entered cam3355 Is this correct? (y/n)? [y]

Step 10 Specify the IP address of the Domain Name System (DNS) server in your environment:

Please enter the IP addresses for the name servers: []: 63.93.96.94
You entered 63.93.96.94 Is this correct? (y/n)? [y]

Step 11 The Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them and are able to fail over to the HA peer CAM/CAS in HA deployments. (You cannot upload a CAM database snapshot that was created when the system was configured with a different master secret password, and HA-Secondary CAMs/CASs are not able to assume the "active" role following a failover event when the master secret passwords are different.) Type and confirm the master secret at the prompts.

The master secret is used to encrypt sensitive data.
Remember to configure all HA pairs with the same secret.
Please enter the master secret:
Please confirm the master secret:

Caution If your master secret is lost or becomes corrupted, use the procedure in Recover From Corrupted Master Secret.

Step 12 Specify the time zone in which the Clean Access Manager is located as follows:

The timezone is currently not set on this system.
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.

a. Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.

b. The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 47 for the United States, and press Enter.

c. If the country contains more than one time zone, the time zones for the country appear.

d. Choose the appropriate time zone region from the list, such as 21 for Pacific Time, and press Enter.

e. Confirm your choices by entering 1, or use 2 to cancel and start over.

The following information has been given:
        United States
        Pacific Time
Is the above information OK?
1) Yes
2) No
#? 1

Step 13 Type and confirm the current date and time, using format hh:mm:ss mm/dd/yy.

Current date and time hh:mm:ss mm/dd/yy [11:53:12 08/22/08]: 11:53:12 08/22/08
You entered 11:53:12 08/22/08 Is this correct? (y/n)? [y] y

Step 14 Follow the prompts to configure the temporary SSL security certificate that enables secure connections between the CAM and the administrator web console as follows:

a. Type the IP address or domain name for which you want the certificate to be issued, or press enter to accept the default IP address (typically the eth0 IP address you already specified, for example 10.201.240.11).


Note This is also the IP address or domain name to which the web server responds. If DNS is not already set up for a domain name, the CAM web console will not load. Make sure to create a DNS entry in your servers, or else use an IP address for the CAM.


b. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, DOC).

c. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter.

d. Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter.

e. Type the two-character state code in which the organization is located (for example, CA or NY), and press Enter.

f. Type the two-letter country code (for example, US), and press Enter.

Step 15 Confirm values and press Enter to generate the SSL certificate or type n to restart.

You entered the following:
Domain: 10.201.240.11
Organization unit: DOC
Organization name: Cisco Systems
City name: San Jose
State code: CA
Country code: US
Is this correct? (y/n)? [y] y

Note You must generate the temporary SSL certificate or you will not be able to access the CAM web console.


Step 16 Specify whether or not you want the CAM to feature Pre-login Banner Support at the following prompt.

Enable Prelogin Banner Support? (y/n)? [n]

For more information and an example of the Pre-login Banner feature, see Figure 3-2.

Step 17 Configure the root user password for the installed Linux operating system of the Clean Access Manager. The root user account is used to access the system over a serial connection or through SSH.

Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at least 8 characters long and feature a combination of upper- and lower-case letters, digits, and other characters. For example, the password 10-9=One does not satisfy the requirements because it does not contain two characters from each category, but 1o-9=OnE is a valid password. For more details, see the "Administering the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

For security reasons, it is highly recommended that you change the password for the root user.

** Please enter a valid password for root user as per the requirements below! **

Changing password for user root.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. Minimum of 8 characters and maximum
of 16 characters with characters from all of these classes. Minimum
of 2 characters from each of the four character classes is mandatory.
An upper case letter that begins the password and a digit that ends
it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
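The rules the utility prints above are easy to misread, in particular the exclusion of a leading upper-case letter and a trailing digit. The following checker is an added example, not Cisco's code, that applies those rules as the guide states them so a candidate root password can be tested before it is typed at the prompt; the function names check_root_password and class_counts are this example's own, and it assumes ASCII character classes.

```python
MIN_LEN = 8
MAX_LEN = 16
MIN_PER_CLASS = 2
CLASSES = ("upper", "lower", "digit", "other")


def classify(ch):
    """Map one character to one of the four classes the utility describes."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "other"


def class_counts(password):
    """Count characters per class. As the utility states, an upper-case letter
    that begins the password and a digit that ends it are not counted."""
    body = password
    if body and body[0].isupper():
        body = body[1:]
    if body and body[-1].isdigit():
        body = body[:-1]
    counts = dict.fromkeys(CLASSES, 0)
    for ch in body:
        counts[classify(ch)] += 1
    return counts


def check_root_password(password):
    """Return (ok, problems); ok is True only when every stated rule holds."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is not between {MIN_LEN} and {MAX_LEN}")
    counts = class_counts(password)
    for name in CLASSES:
        if counts[name] < MIN_PER_CLASS:
            problems.append(f"only {counts[name]} {name} character(s), need {MIN_PER_CLASS}")
    return (not problems, problems)


if __name__ == "__main__":
    # The two passwords the guide itself uses as examples, plus a constructed
    # one that is rejected only because of the leading-upper-case exclusion.
    for candidate in ("10-9=One", "1o-9=OnE", "Ab1-cd2-Ef9"):
        ok, problems = check_root_password(candidate)
        print(f"{candidate!r}: {'valid' if ok else 'rejected: ' + '; '.join(problems)}")
```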

Step 18 Next type the password for the admin user for the CAM direct access web console.

Please enter an appropriately secure password for the web console admin user.

New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.

Note Passwords for web admin console users (including default user admin) are configured through the web console. See the "Manage System Passwords" section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for details.


Step 19 The final step in the initial configuration process is to choose whether or not to turn on FIPS mode for your NAC-3315, NAC-3355, or NAC-3395 CAM. To enable FIPS operation, enter y at the following prompt.

Would you like to turn on fips mode? (y/n)? [y]
 -- Running startup script 45drivers
 -- Running startup script 46exard
 -- Running startup script 50hardserver
Security world already exists

Step 20 If you want to initialize any additional Smart cards at this time, enter y at the following prompt. Otherwise, enter n to complete the FIPS set up process.

Do you want to recreate security world and initialize cards (y/n)? [n]
writing RSA key
Card(s) check passed

Step 21 After the configuration is complete, press Enter to reboot the CAM. After rebooting, the CAM will be accessible from the web console.

Configuration is complete.
Changes require a REBOOT of Clean Access Manager.

Enter the following command to reboot the CAM after configuration is complete:

# reboot

The CAM initial configuration is now complete.

Step 22 After restarting, test the CAM installation:

a. Ping the eth0 interface address from a command line. If working properly, the interface should respond to the ping.

b. For a FIPS-compliant CAM, verify FIPS functionality as follows:

Ensure the FIPS card operation switch is set to "O" (for operational mode).

Log into the CAM console interface as root.

Navigate to the /perfigo/common/bin/ directory.

Enter ./test_fips.sh info and verify the following output:

Installed FIPS card is nCipher
Info-FIPS file exists
Info-card is in operational mode
Info-httpd worker is in FIPS mode
Info-sshd up

c. If the CAM does not respond, try connecting to the CAM using SSH (Secure Shell). Connect with the root username and password. Once connected, try pinging the default gateway to see if the CAM can reach the external network.

If after installation you need to reset the initial configuration settings for the CAM, connect to the CAM machine directly or through SSH and use the CLI command service perfigo config.

Once the CAM is configured, you will be able to access the CAM web console to add product licenses, and add initially configured Clean Access Servers to the CAM for management and further configuration, as described in Access the CAM Web Console.

If both tests fail, make sure that you have configured the IP address correctly and that the other network settings are correct.


The CAM should now be accessible through the web console, as described in Access the CAM Web Console.

For the commands to manually stop and start the CAM, see CAM CLI Commands.

For network card configuration issues, see Configuring Additional NIC Cards.

Access the CAM Web Console

The Clean Access Manager web administration console is the primary interface for administering the Cisco NAC Appliance deployment. After initial configuration is complete, use the following steps to access the CAM web console.


Warning You must already have obtained a product or evaluation license to access the CAM/CAS and CAM web console. Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step instructions on how to obtain and install product licenses and obtain service contract support for Cisco NAC Appliance.

Step 1 Launch a web browser from a computer accessible to the CAM by network.

Step 2 If you are using Internet Explorer Version 6 to access the CAM (and CAS) web console, ensure you have enabled TLS version 1 in the browser Advanced settings. For details, see Enabling TLSv1 on Internet Explorer Version 6.

Step 3 In the URL/address field, type the IP address of the CAM (or the host name if you have made the required entry in your DNS server).

Step 4 If using a temporary SSL certificate, the security alert appears and you are prompted to accept the certificate. Click Yes to accept the certificate. (If using signed certificates, security dialogs do not appear.)

The Clean Access Manager License Form (Figure 3-1) appears and prompts you to install your CAM FlexLM license file. For reference, the top of the form displays the CAM's eth0 MAC address. You will need to obtain and save your product license files to disk on the PC/laptop from which you are accessing the CAM web console. See Cisco NAC Appliance Service Contract/Licensing Support for details on how to obtain product and evaluation licenses.


Note To aid in license requests, the top of the form displays the CAM's eth0 MAC address.


Figure 3-1 Clean Access Manager License Form

Install CAM License

Step 5 Browse to the license file you received in the Clean Access Manager License File field and click the Install License button.

Step 6 To enter a license in the Clean Access Manager License File field, click the Browse button to locate the license file you received for the CAM and click the Install License button.


Note If you have purchased a CAM Failover (HA) license, install the Failover license to the Primary CAM first, then load all the other licenses. This facilitates upgrading CAM HA-pairs.


Step 7 Once the license is accepted, the customizable CAM Pre-login Banner (Figure 3-2) appears (if you have chosen to enable Pre-login Banners during your initial CAM configuration) or the web admin console login window appears (Figure 3-3). Type the username admin and web admin user password, and click Login.

Figure 3-2 CAM Prelogin Banner Example

The Pre-login Banner enables you to present a broad range of messages, including warnings, system/network status, access requirements, etc., to administrator users before they enter authentication credentials in the CAM/CAS. Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS.

You can enable or disable the Pre-login Banner during the initial CAM/CAS configuration CLI session and whenever you choose to alter your base CAM/CAS configuration with the service perfigo config CLI command.

Figure 3-3 CAM Administrator Web Console Login Page

Step 8 The Monitoring > Summary page and left-hand navigation pane appears (Figure 3-4).

Step 9 Type the username admin and web console admin password you specified during installation and initial configuration, and click Login.

Figure 3-4 Monitoring Summary Page

Add Additional Licenses

Step 10 To add additional licenses for your Clean Access Servers, go to Administration > CCA Manager > Licensing (Figure 3-5) in the CAM administrator web console.


Note A Manager Failover license must be present for HA-CAS machines. When a Manager Failover license is installed, the Server count increment can represent either 1 standalone CAS or 1 CAS HA-pair.


Figure 3-5 Licensing Page

Step 11 In the Clean Access FlexLM License File(s) field, Browse to the license file for your CAS or CAS bundle, and click Install License. You should see a green confirmation text string at the top of the page which indicates: success/failure to install the license, type of license added, and, for a CAS license, the Server increment count (for example, "License added successfully. CCA Manager License added. Out-of-Band Server Count is now 20."). The status text at the bottom of the page will indicate the presence of a Lite, Standard or Super Manager license and whether it is Failover, as well as the IB or OOB CAS license count.

Step 12 Repeat Step 11 for each license file you need to install (you should have received one license file per PAK submitted during customer registration). The Server Count information at the bottom of the page will display the total number of CASs enabled per successful license file installation.


Note Clicking the Remove All Licenses button removes all FlexLM license files from the system. You cannot remove individual license files. (Authenticated user traffic will continue to pass through if you remove all licenses and install them again.)

You must enter the CAM license to be able to access the administrator web console. Refer to Cisco NAC Appliance Service Contract/Licensing Support for details.


Step 13 Licenses are now installed. You can continue the configuration of your deployment using the CAM web console. Refer to the following documents for further configuration guidelines:

Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3)

Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3)

Step 14 To log out of the web console, either click the administrator session Logout button, at the top right-hand corner of the console, or simply close the browser.


Important Notes for SSL Certificates

1. You must generate the temporary SSL certificate during CAM installation or you will not be able to access your CAM as an end user.

2. After CAM and CAS installation, make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based.

3. In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.

4. Before deploying the CAM in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to the web user during admin login).

For further details on the CAM, see the "Set System Time" and "Manage CAM SSL Certificates" sections of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). For details on the CAS, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).


Note If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of order, CAM/CAS communication may fail after upgrade to release 4.8(x). You must correct your certificate chain to successfully upgrade to release 4.8(x). For details on how to fix certificate errors on the CAM/CAS after upgrade to release 4.8(x), refer to the How to Fix Certificate Errors on the CAM/CAS After Upgrade Troubleshooting Tech Note.
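Item 3 above requires each appliance to hold the other's root certificate in its trusted store, and the Note warns that a chain that is incomplete, incorrect or out of order breaks CAM/CAS communication after upgrade. The following script, an added example that is not Cisco code or part of this guide, checks a PEM chain for exactly those three defects before it is uploaded: each certificate must be issued by the next one in the file, the file must be leaf-first, and the last link must be issued by (or be) a certificate that the peer trusts. Subject and issuer names are read with the openssl command line tool; the ordering logic itself is pure Python and is shown running on constructed subject/issuer pairs. The names, the trusted-store set and the file path are hypothetical.

```python
"""Check that a PEM certificate chain is complete and in leaf-to-root order.

Added example (not Cisco code). A chain is modelled as a list of
(subject, issuer) pairs, leaf first; the trusted store is the set of subject
names the peer appliance already trusts (item 3 of the SSL notes).
"""
import subprocess

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed names for the demonstration (hypothetical, not from any deployment).
LEAF = ("CN=cas1.example.test", "CN=Example Issuing CA")
INTERMEDIATE = ("CN=Example Issuing CA", "CN=Example Root CA")
ROOT = ("CN=Example Root CA", "CN=Example Root CA")
TRUSTED_ROOTS = {"CN=Example Root CA"}  # what the peer's trusted store contains


def split_pem(text):
    """Return each PEM certificate block in a file as its own string."""
    blocks, current = [], None
    for line in text.splitlines():
        if line.strip() == PEM_BEGIN:
            current = [line]
        elif line.strip() == PEM_END and current is not None:
            current.append(line)
            blocks.append("\n".join(current) + "\n")
            current = None
        elif current is not None:
            current.append(line)
    return blocks


def names_from_pem(pem):
    """Use `openssl x509` to read (subject, issuer) of one PEM certificate."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer"],
        input=pem, capture_output=True, text=True, check=True,
    ).stdout
    fields = dict(line.split("=", 1) for line in out.splitlines() if "=" in line)
    return fields["subject"].strip(), fields["issuer"].strip()


def check_chain(chain, trusted_roots):
    """Return a list of "[rule] detail" problems; empty means the chain is
    leaf-first, each link is issued by the next, and it ends in a trusted root."""
    if not chain:
        return ["[empty] no certificates found"]
    problems = []
    for i in range(len(chain) - 1):
        subject, issuer = chain[i]
        next_subject = chain[i + 1][0]
        if issuer != next_subject:
            problems.append(f"[order] certificate {i} ({subject}) names issuer "
                            f"{issuer}, but certificate {i + 1} is {next_subject}")
    subject, issuer = chain[-1]
    if issuer not in trusted_roots and subject not in trusted_roots:
        problems.append(f"[incomplete] chain ends at {subject}, issued by {issuer}, "
                        "which is not in the trusted store")
    return problems


def reorder_chain(certs):
    """Rebuild leaf-first order by following issuer -> subject links.
    Returns None when the certificates do not form one chain (missing
    intermediate, duplicate subject, or unrelated certificate)."""
    by_subject = {subject: (subject, issuer) for subject, issuer in certs}
    if len(by_subject) != len(certs):
        return None
    issuers = {issuer for subject, issuer in certs if issuer != subject}
    leaves = [c for c in certs if c[0] not in issuers]
    if len(leaves) != 1:
        return None
    ordered = [leaves[0]]
    while True:
        subject, issuer = ordered[-1]
        if issuer == subject or issuer not in by_subject:
            break
        ordered.append(by_subject[issuer])
    return ordered if len(ordered) == len(certs) else None


def check_pem_file(path, trusted_roots):
    """Read a chain file from disk (path is hypothetical) and check it."""
    with open(path, encoding="ascii") as handle:
        chain = [names_from_pem(block) for block in split_pem(handle.read())]
    return check_chain(chain, trusted_roots)


if __name__ == "__main__":
    print("good:", check_chain([LEAF, INTERMEDIATE, ROOT], TRUSTED_ROOTS) or "OK")
    print("out of order:", check_chain([INTERMEDIATE, LEAF, ROOT], TRUSTED_ROOTS))
    print("repaired:", reorder_chain([ROOT, LEAF, INTERMEDIATE]))
    print("missing intermediate:", reorder_chain([LEAF, ROOT]))
```

Run it against a real chain with `check_pem_file("chain.pem", {"CN=..."})`, where the trusted set is the subject of the root certificate you imported into the other appliance; any `[order]` or `[incomplete]` line is the kind of defect the Note says must be corrected before upgrading.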


Installing the Clean Access Server


Note The installation example and references in this chapter focus on Cisco NAC Appliance CAMs/CASs. For Cisco NAC network module installation information, refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers and Installing Cisco Network Modules in Cisco Access Routers.



Note If you are configuring the Cisco NAC Appliance Profiler Collector on the Clean Access Server, refer to the Cisco NAC Profiler Configuration Guide for additional details.


This section describes how to install and initially configure the Clean Access Server (CAS). Topics include:

Overview

Virtual Gateway Mode Connection Requirements

Summary of Steps For New Installation

Connect the Clean Access Server

Install the Clean Access Server (CAS) Software from CD-ROM

Perform the Initial CAS Configuration

Overview

When you receive a new Cisco NAC Appliance, you will need to connect to the appliance and perform initial configuration. If you want to install a different version of the software than what is shipped on the appliance, you can perform software installation via CD first. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on the software versions supported on Cisco NAC Appliance CAM/CAS platforms.

This chapter contains information for performing CD software installation and initial configuration of a Clean Access Server. With Cisco NAC Appliance software installation via CD, you must select whether to install the Clean Access Manager or Clean Access Server application. Once the CAM or CAS is installed on the appliance (application, OS, and relevant components), the installation of any other packages or applications on the CAM or CAS is not supported.


Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.


Switch/Router Configuration

The Clean Access Server does not advertise routes. Instead, static routes must be added to the next hop router indicating that traffic to the managed subnets must be relayed to the Clean Access Server's trusted interface.

When the Clean Access Server is in Real-IP Gateway mode, it can act as a DHCP Server or DHCP Relay. With DHCP functionality enabled, the CAS provides the appropriate gateway information (that is, the CAS's untrusted interface IP address) to the clients. If the CAS is working as a DHCP Relay, then the DHCP server in your network must be configured to provide the managed clients with the appropriate gateway information (that is, the Clean Access Server's untrusted interface IP address).

Virtual Gateway Mode Connection Requirements

For all deployments, if planning to configure the Clean Access Server in Virtual Gateway mode (IB or OOB), do not connect the untrusted interface (eth1) of the standalone CAS or HA-Primary CAS until after you have added the CAS to the CAM from the web admin console. For Virtual Gateway HA-CAS pairs, also do not connect the eth1 interface of the HA-Secondary CAS until after HA configuration is fully complete. Keeping the eth1 interface connected while performing initial installation and configuration of the CAS for Virtual Gateway mode can result in network connectivity issues.

When setting up a CAS in Virtual Gateway mode, you specify the same IP address for the trusted (eth0) and untrusted (eth1) network interfaces during the initial installation of the CAS via CLI. At this point in the installation, the CAS does not recognize that it is a Virtual Gateway. It will attempt to connect to the network using both interfaces, causing collisions and possible port disabling by the switch. Disconnecting the untrusted interface until after adding the CAS to the CAM in Virtual Gateway mode prevents these connectivity issues. Once the CAS has been added to the CAM in Virtual Gateway mode, you can reconnect the untrusted interface.

Administrators must use the following procedure for correct configuration of a Virtual Gateway Central Deployment. To prevent looping on any central/core switch as you plug both interfaces of the Clean Access Server into the switch, perform the following steps:


Step 1 Before you connect both interfaces of the CAS to the switch, physically disconnect the eth1 interface.

Step 2 Physically connect the eth0 interface of the CAS to the network.

Step 3 Add the CAS to the CAM in the CAM web console under Device Management > CCA Servers > New Server, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

Step 4 Manage the CAS by accessing the CAS management pages, via Device Management > CCA Servers > Manage [CAS_IP] as described in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).

Step 5 Configure VLAN mapping. This is a mandatory step for a Central Deployment where both interfaces of the CAS connect to the same switch. (Note that you can configure VLAN mapping in Edge Deployments with no adverse effect, but you are not required to do so.)

a. Make sure you check the "Enable VLAN Mapping" checkbox and click Update.

b. Make sure to set the Untrusted VLAN-to-Trusted VLAN mapping under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the "VLAN Mapping in Virtual Gateway Modes" section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).


Note Enable VLAN Pruning is checked by default on the Virtual Gateway CAS (starting from release 4.1(1) and later) under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping.


Step 6 Once the preceding steps are completed, physically connect the eth1 interface of the CAS to the switch.


Note If the CAM is down and the CAS is performing VLAN mapping in "fail open" state, do not reboot the CAS because the VLAN mapping capability will be lost until the CAM comes back online.


Step 7 For the 802.1q ports configuration on the switch, make sure to prune all other VLANs for switches trunking to eth0 and eth1 of the CAS except those used for the CAS Management VLAN and the User VLANs.

Step 8 Prune VLAN 1 on the switch ports connecting to the CAS eth0 and eth1 interfaces. For details, see: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/12122ea7/scg/swvlan.htm#wp1150302.


Switch Support for CAS Virtual Gateway/VLAN Mapping (IB and OOB)

For details on Cisco Catalyst switch model/NME support for the Virtual Gateway VLAN Mapping feature of the Clean Access Server for either in-band (IB) or out-of-band (OOB) deployments, refer to Switch Support for Cisco NAC Appliance.

Determining VLANs For Virtual Gateway

Before you start the initial installation for a Clean Access Server Virtual Gateway deployment, ensure that the following is in place for your deployment:

The CAS and CAM must be on different subnets (and VLANs).

The CAS management VLAN must be on a different VLAN than the user authentication and access VLANs.

Configure the native VLAN to be different than the CAS management VLAN. Setting native VLANs helps prevent inadvertent switching loops. The native VLAN must not be the same on the eth0 and eth1 interfaces of the CAS.

CAS native VLAN (eth0) (e.g. unused "dummy" VLAN 999)

CAS native VLAN (eth1) (e.g. unused "dummy" VLAN 998)

Configure different user authentication and access VLANs on the switches, and configure untrusted subnets on the CAS as Managed Subnets (refer to Configuring Managed Subnets).

Ensure there are no common VLANs being forwarded on the switch ports connecting the trusted (eth0) and untrusted (eth1) ports of the CAS. For every VLAN that is allowed on the trunk links going to the Virtual Gateway CAS, there must be a corresponding VLAN Mapping entry (except for the CAS management VLAN).

Make sure the eth1 untrusted interface of the CAS is not connected to the network until after VLAN Mapping is configured.

Switch(es) must not have SVI (Layer 3) interfaces for the user authentication VLANs anywhere on the network.

User authentication VLANs should be on the CAS untrusted interface only and must be pruned from all other trunk links.

See the "Understanding VLAN Settings" and "VLAN Mapping in Virtual Gateway Modes" sections in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for additional details.
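The checklist above is easy to get partly wrong on a busy core switch, and a missed item surfaces as a switching loop or an unreachable CAS only after eth1 is cabled. The following script, an added example that is not Cisco code or part of this guide, encodes each item as a check over a constructed description of the deployment: the CAS and CAM addresses, the trunk ports facing eth0 and eth1 (native VLAN and allowed list), the user authentication and access VLANs, the VLAN Mapping entries and the VLANs that have SVIs. All addresses and VLAN numbers are hypothetical; the "dummy" native VLANs 999 and 998 are deliberately left out of the allowed lists so they carry no traffic.

```python
"""Pre-deployment check for a Clean Access Server Virtual Gateway VLAN plan.

Added example (not Cisco code): turns the "Determining VLANs For Virtual
Gateway" checklist into a function run over a constructed plan before the
eth1 (untrusted) interface is connected.
"""
import copy
import ipaddress

# Constructed plan of a Virtual Gateway central deployment (hypothetical values).
GOOD_PLAN = {
    "cas_eth0": "10.201.1.20/24",
    "cam_eth0": "10.201.5.5/24",
    "cas_management_vlan": 10,
    "eth0_trunk": {"native": 999, "allowed": [10, 20, 30]},   # trusted side
    "eth1_trunk": {"native": 998, "allowed": [120, 130]},     # untrusted side
    "user_auth_vlans": [120, 130],
    "user_access_vlans": [20, 30],
    "vlan_mapping": {120: 20, 130: 30},   # untrusted VLAN -> trusted VLAN
    "switch_svis": [10, 20, 30],          # VLANs with a Layer 3 SVI anywhere
}


def check_virtual_gateway_plan(plan):
    """Return a list of "[rule] detail" strings; an empty list means the plan
    satisfies every item in the guide's checklist."""
    problems = []
    eth0, eth1 = plan["eth0_trunk"], plan["eth1_trunk"]
    mgmt = plan["cas_management_vlan"]
    mapping = plan["vlan_mapping"]
    auth = set(plan["user_auth_vlans"])
    access = set(plan["user_access_vlans"])
    ports = (("eth0", eth0), ("eth1", eth1))

    # CAS and CAM must be on different subnets (and VLANs).
    cas_net = ipaddress.ip_interface(plan["cas_eth0"]).network
    cam_net = ipaddress.ip_interface(plan["cam_eth0"]).network
    if cas_net == cam_net:
        problems.append(f"[cas-cam-subnet] CAS and CAM share subnet {cas_net}")

    # Management VLAN must differ from user authentication and access VLANs.
    if mgmt in auth | access:
        problems.append(f"[mgmt-vlan] management VLAN {mgmt} is also a user VLAN")

    # Native VLANs: different on eth0 and eth1, and never the management VLAN.
    if eth0["native"] == eth1["native"]:
        problems.append(f"[native-vlan] eth0 and eth1 share native VLAN {eth0['native']}")
    for name, port in ports:
        if port["native"] == mgmt:
            problems.append(f"[native-vlan] {name} native VLAN equals management VLAN {mgmt}")

    # No VLAN may be forwarded on both the trusted and the untrusted trunk.
    common = set(eth0["allowed"]) & set(eth1["allowed"])
    if common:
        problems.append(f"[common-vlan] forwarded on both trunks: {sorted(common)}")

    # VLAN 1 must be pruned from both ports.
    for name, port in ports:
        if 1 in port["allowed"]:
            problems.append(f"[vlan1] VLAN 1 not pruned from {name}")

    # Every allowed VLAN needs a VLAN Mapping entry, except the management VLAN:
    # untrusted VLANs appear as mapping keys, trusted VLANs as mapping values.
    trusted_mapped = set(mapping.values())
    for vlan in eth0["allowed"]:
        if vlan != mgmt and vlan not in trusted_mapped:
            problems.append(f"[vlan-mapping] trusted VLAN {vlan} on eth0 has no mapping entry")
    for vlan in eth1["allowed"]:
        if vlan not in mapping:
            problems.append(f"[vlan-mapping] untrusted VLAN {vlan} on eth1 has no mapping entry")

    # Authentication VLANs live on eth1 only and must have no SVI anywhere.
    for vlan in sorted(auth):
        if vlan in eth0["allowed"]:
            problems.append(f"[auth-vlan] authentication VLAN {vlan} allowed on trusted eth0")
        if vlan not in eth1["allowed"]:
            problems.append(f"[auth-vlan] authentication VLAN {vlan} missing from eth1 trunk")
        if vlan in plan["switch_svis"]:
            problems.append(f"[svi] Layer 3 SVI exists for authentication VLAN {vlan}")
    return problems


def broken_plan():
    """Constructed variant: VLAN 1 left on eth0, authentication VLAN 120 leaked
    onto the trusted trunk, and an SVI created for it."""
    plan = copy.deepcopy(GOOD_PLAN)
    plan["eth0_trunk"]["allowed"] = [1, 10, 20, 30, 120]
    plan["switch_svis"].append(120)
    return plan


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("broken", broken_plan())):
        print(label + ":", check_virtual_gateway_plan(plan) or "OK")
```

Fill in the plan from the switch's trunk configuration and the CAS VLAN Mapping page; run it again after any VLAN change, since the guide's Step 7 and Step 8 pruning requirements are exactly the `[common-vlan]` and `[vlan1]` rules.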

Summary of Steps For New Installation


Note Refer to the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for additional deployment information for new installations.



Step 1 Follow the instructions on your welcome letter to obtain a valid license file for your installation. Refer to the instructions in Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are evaluating Cisco NAC Appliance, visit http://www.cisco.com/go/license/public to obtain an evaluation license.)


Note CAS licenses are generated based on the eth0 address of the CAM. Both CAM and CAS licenses are installed via the CAM web admin console.


Step 2 Obtain a bootable CD of the latest version of the software. You can log in to Cisco Secure Software and download the latest 4.8(x) .ISO image.

Step 3 Connect the CAS to the network and connect a monitor and keyboard to the CAS, or connect your workstation to the CAS via serial cable, as described in Connect the Clean Access Server.

Step 4 Install the software as described in Install the Clean Access Server (CAS) Software from CD-ROM.


Note If your NAC-3310 appliance does not read the software on the CD ROM drive and instead attempts to boot from the hard disk, before proceeding you will need to change the appliance settings to boot from CD ROM as described in Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS.


Step 5 Perform the initial configuration of the CAS, as described in Perform the Initial CAS Configuration.


Note For High Availability mode, install and initially configure each CAS first before configuring HA. Refer to Installing a Clean Access Server High Availability Pair for details.

You must use identical appliances (e.g. NAC-3350 and NAC-3350) in order to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).


Step 6 Make sure your Clean Access Manager is installed and initially configured as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Valid FlexLM license file(s) for your Clean Access Server (s) must be installed via the Clean Access Manager web console to complete configuration of the CAS.

Step 7 Add your Clean Access Server(s) to the Clean Access Manager, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). From this point, you can configure your Clean Access Servers via the CAM web console, or via the CAS direct access web console for certain specific settings.


Connect the Clean Access Server

To install the Clean Access Server software from CD-ROM or to perform its initial configuration, you will need to connect the target machine and access the CAS command line interface.


Step 1 The Clean Access Server requires two 10/100/1000BASE-TX interface connectors on the back panel of the CAS for its eth0 (trusted) and eth1 (untrusted) network interface. Connect the NIC1 (eth0) network interface on the target machine to your local area network (LAN) using a CAT5 Ethernet cable.


Warning Do not physically connect the eth1 (NIC2) untrusted network interface on a Virtual Gateway CAS until the proper configuration has been performed. Refer to Install the Clean Access Server (CAS) Software from CD-ROM for details.

Step 2 Connect the power by plugging one end of the AC power cord into the back of the machine and the other end into an electrical outlet.

Step 3 Connect the external FIPS Smart card reader module to a FIPS 140-2 compliant NAC-3315, NAC-3355, or NAC-3395 by plugging the Smart card reader mini-DIN cable into the female mini-DIN FIPS card port on the back of the appliance (see Figure 1-4, Figure 1-9, and Figure 1-14). (Ensure you also have a Smart card inserted into the reader.)

Step 4 Power on the machine by pressing the power button on the front of the appliance. The diagnostic LEDs will flash a few times as part of an LED diagnostic test. Status messages are displayed on the console as the CAS boots up.

Step 5 Access the command line of the CAS by either:

a. Connecting a monitor and keyboard directly to the CAS via the keyboard connector and video monitor/console connector on the back panel.

b. Or, connecting a serial cable from an external workstation (PC/laptop) to the CAS and opening a serial connection using terminal emulation software (such as HyperTerminal or SecureCRT) on the external workstation, as described in Serial Connection to the CAM and CAS.


Note Cisco NAC Appliances assume that the connected keyboard has a US layout, for both direct and IP-KVM connections. Use a US layout keyboard, or make sure you know the key mapping if you are connecting a keyboard with a different layout.




Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.


Install the Clean Access Server (CAS) Software from CD-ROM

The following steps describe how to perform optional CD installation of the Clean Access Server software on NAC-3310/3315 SERVER or NAC-3350/3355 SERVER appliances.


Step 1 Connect the target installation machine to the network and access the command line of the machine by direct console or over a serial connection, as described in Serial Connection to the CAM and CAS.

Step 2 Download the latest software version supported on the target machine as follows:

a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.8.

c. Download the latest 4.8(x) .ISO image (e.g. nac-4.8_3-K9.iso) and burn the image as a bootable disk to a CD-R.


Note Cisco recommends burning the .ISO image to a CD-R using speeds 10x or lower. Higher speeds can result in corrupted/unbootable installation CDs.


Step 3 Insert the CD-ROM containing the Clean Access Server .ISO file into the CD-ROM drive of the target CAS machine.

Step 4 Reboot the machine. The Cisco Clean Access Installer welcome screen appears after the machine restarts:

Cisco Clean Access 4.8.3 Installer (C) 2012 Cisco Systems, Inc.

                Welcome to the Cisco Clean Access Installer!

 -  To install a Cisco Clean Access device, press the <ENTER> key.

 -  To install a Cisco Clean Access device over a serial console, enter serial at the boot prompt and press the <ENTER> key.

boot: 

Step 5 At the "boot:" prompt, type one of the following options depending on the type of connection:

Press the Enter key if your monitor and keyboard are directly connected to the CAS.

Type serial and press enter in the terminal emulation console if you are accessing the appliance over a serial connection.

Step 6 If the install CD detects an existing installation of Cisco NAC Appliance, you are presented with the following prompt:

Checking for existing installations.
Clean Access Server 4.8.0 installation detected.
Please choose one of the following actions:
1) Install.
2) Exit.

Step 7 Choose 1 to perform a fresh installation of the Cisco NAC Appliance software.

Step 8 Next, the Cisco NAC Appliance software installer asks you to specify whether you are installing a Clean Access Manager or Clean Access Server. At the following prompt, enter 2 to perform the installation for a Clean Access Server.

Please choose one of the following configurations:
1) CCA Manager.
2) CCA Server.
3) Exit.

Caution Only one CD is used for installation of the Clean Access Manager or Clean Access Server software. You must select the appropriate type, either CAM or CAS, for the target machine on which you are performing installation.

Step 9 The Clean Access Server Package Installation then executes. The installation takes several minutes. When finished, the installation script presents the following message, prompting you to press Enter to reboot the CAS and launch the Clean Access Server quick configuration utility.

Installation complete. Press <ENTER> to continue

When finished, the welcome screen for the Clean Access Server quick configuration utility appears, and a series of questions prompt you for the initial CAS configuration, as described in Configuration Utility Script.


Perform the Initial CAS Configuration

When installing the Clean Access Server from CD-ROM, the Configuration Utility Script automatically appears after software package installation to prompt you for the initial CAS configuration.


Note If necessary, you can always manually start the Configuration Utility Script as follows:

1. Over a serial connection or working directly on the CAS, log onto the CAS as user root with the root user password.

2. Run the initial configuration script by entering the following command:

service perfigo config

You can run the service perfigo config command to modify the configuration of the CAS if it cannot be reached through the web admin console. For further details on CLI commands, see CAS CLI Commands.


Configuration Utility Script


Step 1 The configuration utility script suggests default values for particular parameters. To configure the installation, either accept the default value or provide a new one, as described below.

Step 2 After the software is installed from the CD and package installation is complete, the welcome script for the configuration utility appears:

Welcome to the Cisco Clean Access Server quick configuration utility.

Note that you need to be root to execute this utility.

The utility will now ask you a series of configuration questions.
Please answer them carefully.

Cisco Clean Access Server, (C) 2012 Cisco Systems, Inc.

Note If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAS, refer to Manually Restarting the CAM/CAS Configuration Utility.


Step 3 If your CAS is a FIPS-compliant platform (NAC-3315 or NAC-3355) the first prompt asks if you want to initialize the on-board FIPS card (used to ensure FIPS compliant functions on the appliance). Otherwise, skip to Step 7.

Do you want to initialize the fips cards? (y/n)? [y]

Step 4 Choose y to enable FIPS on your appliance. The appliance automatically initializes the FIPS card and attempts to establish the security world.

-- Running startup script 45drivers
-- Running startup script 46exard
-- Running startup script 50hardserver
Security world not found
Creating the security world and initializing the smart cards

Next, the FIPS setup process prompts you to specify how many Smart Cards (from 1-6) you want to initialize to enable FIPS compliance on the CAS.

How many cards do you want to initialize (1-6)? [1]
Set ncipher card switch in i mode and press Return to continue

Step 5 Enter the number of Smart Cards you want to initialize, ensure that the FIPS card operation switch on the back of the CAS is switched to "I" (for "initialize"), and press Return.

Module 1, command ClearUnit: OK

Create Security World:
 Module 1: 0 cards of 1 written
 Module 1 slot 0: unknown card
 Module 1 slot 0: - no passphrase specified - overwriting card
Module #1 Slot #0: Processing ...

Card writing complete.

security world generated on module #1; hknso = 65cc642b8d38a1f99b58c8afa560f4d94522d2ad
Set ncipher card switch in o mode and press Return to continue

Step 6 Switch the FIPS card switch back to "O" (for "operational") and press Return.

Module 1, command ClearUnit: OK

Card(s) check passed

Do you want to continue with the rest of the NAC Server Configuration?  (y/n)? [y]

Step 7 When prompted, enter an IP address for the eth0 (trusted) interface of the CAS. Confirm the value when prompted, or type n and press Enter to correct the entry.

Configuring the network interfaces:

Please enter the IP address for the interface eth0 []: 10.201.1.20
You entered 10.201.1.20 Is this correct? (y/n)? [y]

At the prompt, type the eth0 IP address of the CAS and press Enter. Note that the eth0 IP address of the CAS is the same as the Management IP address. At the confirmation prompt, press Enter (or type y) to accept the entry, or type n to change it and enter another address for the trusted eth0 network interface.


Note The eth0 IP address of the CAS is the same as the Management IP address.


Step 8 Type the subnet mask of the eth0 interface or press Enter to accept the default of 255.255.255.0. Confirm the value when prompted.

Please enter the netmask for the interface eth0 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]

Step 9 Accept the default gateway address or enter a default gateway for the eth0 address of the CAS. Confirm the default gateway at the prompt.

Please enter the IP address for the default gateway []: 10.201.240.1
You entered 10.201.240.1 Is this correct? (y/n)? [y]

Step 10 At the Vlan Id Passthrough prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled as the default behavior of the CAS. By default, VLAN IDs are stripped from traffic passing through the interface to the CAS. Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network.

[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]

Note In most cases, enabling VLAN ID passthrough is not needed. Only enable VLAN ID passthrough if you are sure you need it. If you choose not to enable it at this time, you can always change this option later from the CAS Network > IP page of the web console or using the service perfigo config utility. Note that either method requires a reboot of the CAS.

Faulty VLAN settings can render the Clean Access Server unreachable from the Clean Access Manager, so use caution when configuring VLAN settings.


By default, the VLAN ID is not passed through, that is, the VLAN ID is stripped from packets passed through the CAS, as illustrated in Figure 3-6. The IDs are retained by the Clean Access Server and attached to response messages passed from the untrusted network back to the trusted network.

Figure 3-6 VLAN ID Termination

In VLAN ID passthrough, the identifier is retained on traffic that passes through the interface.

Figure 3-7 VLAN ID Passthrough

Step 11 At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type Y and press Enter to enable Management VLAN tagging with the specified VLAN ID for the eth0 interface. (You can change the Management VLAN ID later from the CAS Network > IP web console page; however, changing settings on the CAS IP page requires a reboot of the CAS.)

[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]

Note CAS eth0 interface settings are required for basic connection to the CAM. CAS eth1 interface settings can be reconfigured later from the CAM web console.


A Management VLAN identifier is a default VLAN identifier that is added to a packet if it does not have its own VLAN identifier or if the identifier was originally stripped by the adjacent interface. The setting at the prompt applies to traffic passing from the untrusted network to the trusted network.

Figure 3-8 Eth0 Egress Packets with Management VLAN ID Tagging


Note In most cases, enabling Management VLAN tagging is not needed. You should only enable it if you are sure it is necessary. If you choose not to enable it at this time, you can change the option later in the web console or using the service perfigo config utility. (Management VLAN tagging is necessary when the trusted side of the CAS is a trunk, such as in Virtual Gateway deployments. In this case, you will need to enable Management VLAN tagging and specify the VLAN ID to which the trusted interface of the CAS belongs.)

Also note that faulty VLAN settings can render the Clean Access Server unreachable from the Clean Access Manager, so be sure to use care when configuring VLAN settings.


Step 12 Next configure the untrusted interface. This is the interface to the untrusted (managed) network. At the prompt type the address you want to use for the untrusted interface (eth1) and press Enter. Unless deploying the Clean Access Server in a bridge (Virtual Gateway) configuration, the trusted and untrusted interfaces must be on separate subnets. Confirm the value when prompted.

Please enter the IP address for the untrusted interface eth1 []: 10.10.10.10
You entered 10.10.10.10 Is this correct? (y/n)? [y]

Note For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for further details.


Step 13 Type the subnet mask of the eth1 interface or press Enter to accept the default of 255.255.255.0. Confirm the value when prompted.

Please enter the netmask for the interface eth1 []: 255.255.255.0
You entered 255.255.255.0, is this correct? (y/n)? [y]

Step 14 Enter the default gateway address for the untrusted interface:

If the Clean Access Server will act as a Real-IP gateway, this should be the IP address of the CAS's untrusted interface eth1.

If the Clean Access Server will act as a Virtual gateway (i.e. a bridge), this can be the same default gateway address used for the trusted side.

Please enter the IP address for the default gateway []: 10.10.10.1
You entered 10.10.10.1 Is this correct? (y/n)? [y]

Step 15 Specify VLAN passthrough behavior for traffic passing from the untrusted to the trusted network. At the prompt, type n and press Enter (or just press Enter) to accept the default behavior (disabled) or enter y to enable VLAN ID passthrough for traffic from the untrusted network.

[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]

Figure 3-9 VLAN ID Passthrough

Step 16 Specify Management VLAN Tagging for the untrusted interface at the next prompt. Type N and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type Y and press Enter to enable Management VLAN tagging and specify the Management VLAN ID to use for the CAS untrusted interface.

[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]

Note You can change the Management VLAN ID later from the CAS Network > IP web console page; however, changing settings on the CAS IP page requires a reboot of the CAS.


Figure 3-10 Eth1 Egress Packets with Management VLAN ID Tagging

Step 17 Specify the host name for the Clean Access Server (nacserver is the default). Type and confirm the host name when prompted:

Please enter the hostname [nacserver]: cas1
You entered cas1 Is this correct? (y/n)? [y]

Step 18 Specify the IP address of the Domain Name System (DNS) server in your environment. Type and confirm the address when prompted:

Please enter the IP address for the name server: []: 172.10.16.16
You entered 172.10.16.16 Is this correct? (y/n)? [y]

Step 19 The Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to restore database snapshots on the CAM when you need them and are able to fail over to the HA peer CAM/CAS in HA deployments. (You cannot upload a CAM database snapshot that was created when the system was configured with a different master secret password, and HA-Secondary CAMs/CASs are not able to assume the "active" role following a failover event when the master secret passwords are different.) Type and confirm the master secret at the prompts.

The master secret is used to encrypt sensitive data.
Remember to configure all HA pairs with the same secret.
Please enter the master secret:
Please confirm the master secret:

Caution If your master secret is lost or becomes corrupted, use the procedure in Recover From Corrupted Master Secret.

Step 20 Specify time settings for the Clean Access Server as follows:

a. Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.

b. The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 47 for the United States, and press Enter.

c. If the country contains more than one time zone, the time zones for the country appear.

d. Choose the appropriate time zone region from the list, such as 21 for Pacific Time, and press Enter.

e. Confirm your choices by entering 1, or use 2 to cancel and start over.

The following information has been given:
        United States
        Pacific Time
Is the above information OK?
1) Yes
2) No
#? 1

Step 21 Type and confirm the current date and time, using the format hh:mm:ss mm/dd/yy.

Updating timezone information...
Current date and time hh:mm:ss mm/dd/yy [07:52:52 04/30/07]: 15:52:00 04/30/07
You entered 15:52:00 04/30/07 Is this correct? (y/n)? [y]
Mon Apr 30 15:52:00 PDT 2007

Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS's SSL certificate.


Step 22 Press Enter to configure the temporary SSL certificate. The certificate secures the login exchange between the Clean Access Server and untrusted (managed) clients. Configure the certificate as follows:

a. Type the IP address or domain name for which you want the certificate to be issued.


Note This is also the IP address or domain name to which the web server responds. If DNS is not already set up for a domain name, the CAS web console will not load. Make sure to create a DNS entry in your servers, or else use an IP address for the CAS.


b. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, doc).

c. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter.

d. Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter.

e. Type the two-character state code in which the organization is located (for example, CA or NY), and press Enter.

f. Type the two-letter country code (for example, US), and press Enter.

Step 23 Confirm values and press Enter to generate the SSL certificate, or type n to restart:

You entered the following:
Domain: 10.201.240.10
Organization unit: doc
Organization name: Cisco Systems
City name: San Jose
State code: CA
Country code: US
Is this correct? (y/n)? [y] y

Note You must generate the temporary SSL certificate or you will not be able to access your CAS as an end user.


Step 24 Specify whether or not you want the CAS to feature Pre-login Banner Support at the following prompt.

Enable Prelogin Banner Support? (y/n)? [n]

For more information and an example of the Pre-login Banner feature, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).

Step 25 Configure the root user password for the installed Linux operating system of the Clean Access Server. The root user account is used to access the system over a serial connection or through SSH.

Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at least 8 characters long and feature a combination of upper- and lower-case letters, digits, and other characters. For example, the password 10-9=One does not satisfy the requirements because it does not contain two characters from each category, but 1o-9=OnE is a valid password. For more details, see the "Administering the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

For security reasons, it is highly recommended that you change the password for the root user.

** Please enter a valid password for root user as per the requirements below! **

Changing password for user root.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. Minimum of 8 characters and maximum
of 16 characters with characters from all of these classes. Minimum
of 2 characters from each of the four character classes is mandatory.
An upper case letter that begins the password and a digit that ends
it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.

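As an added example (not Cisco's code), the following Python checker implements the root-password rules quoted above, including the exclusion of a leading upper-case letter and a trailing digit from the class counts; it assumes those two characters still count toward the 8-16 length limit, which the prompt does not state.

```python
"""Check a candidate root password against the rules printed at Step 25.

Added example, not Cisco code. Length 8-16, at least two characters from
each of the four classes, and, per the prompt, an upper-case letter that
begins the password and a digit that ends it do not count toward the
class totals. Assumption (the guide does not say): those two characters
still count toward the length.
"""
import string

MIN_LEN, MAX_LEN = 8, 16
MIN_PER_CLASS = 2

UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGIT = set(string.digits)


def classify(ch):
    """Name the class of one character: upper, lower, digit or other."""
    if ch in UPPER:
        return "upper"
    if ch in LOWER:
        return "lower"
    if ch in DIGIT:
        return "digit"
    return "other"


def class_counts(password):
    """Count characters per class after dropping a leading upper-case
    letter and a trailing digit, which the prompt says do not count."""
    body = password
    if body and body[0] in UPPER:
        body = body[1:]
    if body and body[-1] in DIGIT:
        body = body[:-1]
    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in body:
        counts[classify(ch)] += 1
    return counts


def check_root_password(password):
    """Return (ok, reasons); reasons lists every rule the password breaks."""
    reasons = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        reasons.append(f"length {len(password)} is not {MIN_LEN}-{MAX_LEN}")
    for name, count in class_counts(password).items():
        if count < MIN_PER_CLASS:
            reasons.append(f"{count} {name} character(s), need {MIN_PER_CLASS}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # The guide's own pair: the first fails (only one upper-case letter),
    # the second passes.
    for candidate in ("10-9=One", "1o-9=OnE"):
        print(candidate, check_root_password(candidate))
```
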
Step 26 Next type the password for the admin user for the CAS direct access web console.

Please enter an appropriately secure password for the web console admin user.
New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.

Step 27 The final step in the initial configuration process is to choose whether or not to turn on FIPS mode for your NAC-3315 or NAC-3355 CAS. To enable FIPS operation, enter y at the following prompt.

Would you like to turn on fips mode? (y/n)? [y]
 -- Running startup script 45drivers
 -- Running startup script 46exard
 -- Running startup script 50hardserver
Security world already exists

Step 28 If you want to initialize any additional Smart cards at this time, enter y at the following prompt. Otherwise, enter n to complete the FIPS set up process.

Do you want to recreate security world and initialize cards (y/n)? [n]
writing RSA key
Card(s) check passed

Step 29 After the configuration is complete, press Enter to reboot the CAS.

Configuration is complete.
Changes require a REBOOT of Clean Access Server.

Step 30 Enter the following command to reboot the CAS after configuration is complete:

# reboot

The CAS initial configuration is now complete. Once the Clean Access Manager is also installed and initially configured, use the CAM web administration console to add the CAS to the CAM as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

Step 31 Following CAS installation and initial configuration:

a. Ping the eth0 interface address from a command line. If working properly, the interface should respond to the ping.

b. For a FIPS-compliant CAS, verify FIPS functionality as follows:

Ensure the FIPS card operation switch is set to "O" (for operational mode).

Log into the CAS console interface as root.

Navigate to the /perfigo/common/bin/ directory.

Enter ./test_fips.sh info and verify the following output:

Installed FIPS card is nCipher
Info-FIPS file exists
Info-card is in operational mode
Info-httpd worker is in FIPS mode
Info-sshd up

c. If the CAS is not responding, try connecting to the CAS using SSH (Secure Shell). Connect with the root username and password. Once connected, try pinging the gateway and/or an external website from the CAS to see if the CAS can reach the external network.

If both tests fail, make sure that you have configured the IP address correctly and that the other network settings are correct.


If after installation you need to reset the initial configuration settings for the Clean Access Server, connect to the CAS machine directly or through SSH and use the service perfigo config command.

Important Notes for SSL Certificates

1. You must generate the temporary SSL certificate during CAS installation or you will not be able to access your CAS. Before deploying in a live environment, obtain a trusted certificate for the CAS from a Certificate Authority to replace the temporary certificate.

2. After CAM and CAS installation, make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based.

3. In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance's trusted store so that the CAM can trust the CAS's certificate and vice-versa.

4. Before deploying the CAS in a production environment, Cisco strongly recommends acquiring a trusted certificate from a third-party Certificate Authority to replace the temporary certificate (in order to avoid the security warning that is displayed to end users during user login).

For further details, see the "Manage CAS SSL Certificates" and "Synchronize System Time" sections of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3). For details on CAM certificates, see the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

Cisco NAC Appliance Connectivity Across a Firewall

The Clean Access Manager (CAM) uses Java Remote Method Invocation (RMI) for parts of its communication with the Clean Access Server (CAS), which means it uses dynamically allocated ports for this purpose. If your deployment has a firewall between the CAS and the CAM, you will need to set up rules in the firewall to allow communication between the CAS and CAM machines, that is, a rule that allows traffic originating from the CAM destined to the CAS and vice versa.


Note If there is a NAT router between the CAS and CAM, also refer to section "Configuring the CAS Behind a NAT Firewall" in the Installation chapter of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for additional details.


Table 3-1 lists the ports that are required for communication between the CAS and the CAM (per version of Cisco NAC Appliance).

Table 3-1 Port Connectivity for CAM/CAS

Cisco NAC Appliance Version                      Required Ports
4.8, 4.7(x), 4.6(1), 4.5(x), 4.1(x), 4.0(x)      TCP ports 443, 1099, and 8995~8996
3.6(x)                                           TCP ports 80, 443, 1099, and 8995~8996
3.5(x)                                           TCP ports 80, 443, 1099, and 32768~61000 (usually 32768~32999 are sufficient)

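As an added example (not Cisco's code), this Python script audits a constructed iptables-save style rule set against the Table 3-1 ports for a given release, in both directions; the CAM and CAS addresses are placeholders, and it assumes the same port set is expected each way, since the guide asks for rules from the CAM to the CAS and vice versa.

```python
"""Audit firewall rules for the CAM/CAS ports in Table 3-1.

Added example, not Cisco code. It parses constructed iptables-save style
rules and reports, per direction, which required TCP ports are not
accepted and which extra ports are accepted between the two appliances.
Assumption (not stated by the guide): the same port set is expected in
both directions.
"""
import re

# Required TCP ports per Cisco NAC Appliance release, from Table 3-1.
REQUIRED_TCP_PORTS = {
    "4.8": {443, 1099, 8995, 8996},
    "3.6": {80, 443, 1099, 8995, 8996},
}
for _release in ("4.7", "4.6", "4.5", "4.1", "4.0"):
    REQUIRED_TCP_PORTS[_release] = REQUIRED_TCP_PORTS["4.8"]

# Matches one iptables-save TCP rule with a single port or a lo:hi range.
RULE_RE = re.compile(
    r"-A (?P<chain>\S+) -s (?P<src>\S+) -d (?P<dst>\S+) -p tcp"
    r"(?: -m tcp)? --dport (?P<lo>\d+)(?::(?P<hi>\d+))? -j (?P<target>\S+)"
)

# Constructed sample: CAM 192.0.2.10, CAS 198.51.100.20 (placeholders).
CAM, CAS = "192.0.2.10", "198.51.100.20"
SAMPLE_RULES = """\
-A FORWARD -s 192.0.2.10/32 -d 198.51.100.20/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -d 198.51.100.20/32 -p tcp -m tcp --dport 1099 -j ACCEPT
-A FORWARD -s 192.0.2.10/32 -d 198.51.100.20/32 -p tcp -m tcp --dport 8995:8996 -j ACCEPT
-A FORWARD -s 198.51.100.20/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 198.51.100.20/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 198.51.100.20/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 1099 -j ACCEPT
-A FORWARD -p udp -j DROP
-A FORWARD -j DROP
"""


def _host(addr):
    """Strip a /32 prefix so single-host rules compare with bare addresses."""
    return addr[:-3] if addr.endswith("/32") else addr


def parse_rules(text):
    """Return (src, dst, ports, target) tuples for TCP rules with --dport."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue  # policies, non-TCP rules and the catch-all DROP
        lo = int(m.group("lo"))
        hi = int(m.group("hi") or lo)
        rules.append((_host(m.group("src")), _host(m.group("dst")),
                      set(range(lo, hi + 1)), m.group("target")))
    return rules


def accepted_ports(rules, src, dst):
    """Union of TCP ports ACCEPTed from src to dst (any-host rules included)."""
    ports = set()
    for rule_src, rule_dst, rule_ports, target in rules:
        if target != "ACCEPT":
            continue
        if rule_src in (src, "0.0.0.0/0") and rule_dst in (dst, "0.0.0.0/0"):
            ports |= rule_ports
    return ports


def audit(rules_text, version, cam, cas):
    """Compare accepted ports in both directions against Table 3-1.

    version is a release string such as "4.8" or "4.7(2)". The result
    maps each direction to {"missing": ports, "extra": ports}.
    """
    release = version.split("(")[0]
    if release not in REQUIRED_TCP_PORTS:
        raise ValueError(f"no port requirements known for release {version}")
    required = REQUIRED_TCP_PORTS[release]
    rules = parse_rules(rules_text)
    result = {}
    for name, src, dst in (("cam_to_cas", cam, cas), ("cas_to_cam", cas, cam)):
        allowed = accepted_ports(rules, src, dst)
        result[name] = {"missing": required - allowed, "extra": allowed - required}
    return result


if __name__ == "__main__":
    for direction, finding in audit(SAMPLE_RULES, "4.8", CAM, CAS).items():
        print(direction, "missing:", sorted(finding["missing"]),
              "extra:", sorted(finding["extra"]))
```
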

Other features require additional ports. For example, for Single Sign-On (SSO), additional ports must be opened on the CAS and on the firewall (if any) to allow communication between the Agent and the Active Directory server, as shown in Table 3-2, which lists the communicating devices, the ports affected, and the purpose of each port.

Table 3-2 Port Usage

Device: Firewall, if any
Communicating devices: CAM and CAS
Ports to open and purpose:
  TCP 8995, 8996 and TCP 1099: Java Management Extensions (JMX) communication between the CAM and CAS, such as pre-connect and connect messages.
  TCP 443: HTTP over Secure Sockets Layer (SSL) communication between Agent/CAS/CAM, such as end user machine remediation via the Agent.
  TCP 80 (for version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download the Agent from the CAM to an end user machine.

Device: Firewall, if any
Communicating devices: CAS and Agent
Ports to open and purpose:
  UDP 8905, 8906: SWISS, a proprietary CAS-Agent communication protocol used by the Agent for UDP discovery of the CAS. UDP 8905 is used for Layer 2 discovery; 8906 is used for Layer 3 discovery. For more information, see the "Connecting to the CAS Using the SWISS Protocol" section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).
  TCP 443: HTTP over SSL communication between Agent/CAS/CAM, such as for user redirection to a web login page.
  TCP 80 (for version 3.6.x and earlier): HTTP communication between Agent/CAS/CAM. Used to download the Agent from the CAM to an end user machine.

Device: CAS and firewall (if any)
Communicating devices: Agent (Windows OS) and Active Directory (AD) Server
Ports to open: TCP 88, 135, 389, 445, 1025, 1026; UDP 88, 389
Purpose: AD SSO requires the following ports to be open:
  TCP 88 (Kerberos)
  TCP 135 (RPC)
  TCP 389 (LDAP) or TCP 636 (LDAP with SSL)
  Note When using LDAP to connect to the AD server, Cisco recommends using TCP/UDP port 3268 (the default Microsoft Global Catalog port) instead of the default port 389. This allows for a more efficient search of all directory partitions in both single and multi domain environments.
  TCP 445 (Microsoft-SMB; e.g. needed for password change notices from DC to PC)
  TCP 1025 (RPC), non-standard
  TCP 1026 (RPC), non-standard
  If it is not known whether the AD server is using Kerberos, you must open the following UDP ports instead:
  UDP 88 (Kerberos)
  UDP 389 (LDAP) or UDP 636 (LDAP with SSL)
  Note When using LDAP to connect to the AD server, Cisco recommends using TCP/UDP port 3268 (the default Microsoft Global Catalog port) instead of the default port 389. This allows for a more efficient search of all directory partitions in both single and multi domain environments.
  If your deployment requires LDAP services, use TCP/UDP 636 (LDAP with SSL encryption) instead of TCP/UDP 389 (plain text).
  For more information on AD SSO, see the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3).


Configuring the CAS Behind a NAT Firewall


Caution If deploying a NAT firewall between the CAS and the CAM, the CAS must be in Standalone mode. Cisco NAC Appliance does not support High Availability CAS pairs when a NAT firewall is deployed on the trusted side of the CAS HA pair.

If deploying the Clean Access Server behind a firewall (there is a NAT router between CAS and CAM), you will need to perform the following steps to make the CAS accessible:


Step 1 Connect to the CAS by SSH or use a serial console. Log in as root user.

Step 2 Change directories to /perfigo/access/bin/.

Step 3 You will need to edit two files: restartweb and starttomcat.

Step 4 Locate the CATALINA_OPTS variable definition in each file.

Step 5 Add -Djava.rmi.server.hostname=<caserver1_hostname> to the variable, inside the closing quotation mark, replacing caserver1_hostname with the host name of the server you are modifying. For example:

CATALINA_OPTS="-server -Xms64m -Xmx${MAX}m -Xincgc
-Djava.util.logging.config.file=${CATALINA_HOME}/conf/redirect-log.properties
-Dperfigo.jmx.context=${PERFIGO_SECRET}
-Djava.security.auth.login.config=${CATALINA_HOME}/conf/sso-login.conf
-Dsun.net.inetaddr.ttl=60 -Dsun.net.inetaddr.negative.ttl=10
-Djava.security.egd=file:/dev/urandom
-Djava.rmi.server.hostname=caserver1"

Step 6 Restart the CAS by entering the service perfigo restart command.

Step 7 Repeat the preceding steps for each Clean Access Server in your deployment.

Step 8 Connect to the Clean Access Manager by SSH or using a serial console. Login as root.

Step 9 Change directories to /etc/.

Step 10 Edit the hosts file by appending the following line:

<public_IP_address>  <caserver1_hostname> <caserver2_hostname>

where:

<public_IP_address> - The address that is accessible outside the firewall.

<caservern_hostname> - The host name of each Clean Access Server behind the firewall.

The Clean Access Server(s) should now be addressable behind the firewall.
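
As an added example (not Cisco's code), the Python helpers below apply the two edits from this procedure to file contents: the RMI hostname property is inserted inside the existing CATALINA_OPTS quotes (replacing any previous value, so re-running is safe), and the hosts line for the public address is added or extended without creating duplicates. The restartweb excerpt, addresses and host names are constructed placeholders.

```python
"""Apply the NAT-firewall edits from the procedure above to file contents.

Added example, not Cisco code. set_rmi_hostname() inserts the
-Djava.rmi.server.hostname property inside the double-quoted CATALINA_OPTS
value of restartweb/starttomcat (which may span several lines) without
adding a second closing quote, and ensure_hosts_entry() adds or extends
the /etc/hosts line for the public address. The script excerpt and hosts
content below are constructed samples; host names are placeholders.
"""
import re

PROP = "-Djava.rmi.server.hostname="
# The value runs from the opening quote to the next double quote.
CATALINA_RE = re.compile(r'CATALINA_OPTS="(?P<body>[^"]*)"')

SAMPLE_SCRIPT = """\
#!/bin/sh
MAX=512
CATALINA_OPTS="-server -Xms64m -Xmx${MAX}m -Xincgc
-Dsun.net.inetaddr.ttl=60 -Dsun.net.inetaddr.negative.ttl=10
-Djava.security.egd=file:/dev/urandom"
export CATALINA_OPTS
"""


def rmi_hostname(script_text):
    """Return the configured java.rmi.server.hostname value, or None."""
    m = CATALINA_RE.search(script_text)
    if not m:
        return None
    found = re.search(re.escape(PROP) + r"(\S+)", m.group("body"))
    return found.group(1) if found else None


def set_rmi_hostname(script_text, hostname):
    """Set -Djava.rmi.server.hostname=<hostname> inside CATALINA_OPTS.

    An existing value is replaced, so the call is idempotent; the other
    options and the line layout are preserved.
    """
    m = CATALINA_RE.search(script_text)
    if not m:
        raise ValueError("no CATALINA_OPTS definition found")
    body = m.group("body")
    if PROP in body:
        body = re.sub(re.escape(PROP) + r"\S*", PROP + hostname, body)
    else:
        body = body.rstrip() + " " + PROP + hostname
    return script_text[:m.start("body")] + body + script_text[m.end("body"):]


def ensure_hosts_entry(hosts_text, public_ip, hostnames):
    """Add <public_ip> <hostnames...> to hosts content, merging into an
    existing line for that address instead of creating a duplicate."""
    lines = hosts_text.splitlines()
    for i, line in enumerate(lines):
        fields = line.split()
        if fields and fields[0] == public_ip:
            merged = fields[1:] + [h for h in hostnames if h not in fields[1:]]
            lines[i] = " ".join([public_ip] + merged)
            break
    else:
        lines.append(" ".join([public_ip] + list(hostnames)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(set_rmi_hostname(SAMPLE_SCRIPT, "caserver1"))
    print(ensure_hosts_entry("127.0.0.1 localhost\n", "203.0.113.5",
                             ["caserver1", "caserver2"]))
```
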


Connectivity Across a Wide Area Network

When deploying the CAM/CAS across a WAN, you must prioritize all CAM/CAS traffic and SNMP traffic, and include the eth0/eth1 IP addresses of the CAM and CAS in addition to the Service IP address for HA pairs.

Configuring Additional NIC Cards

The Configuration Utility script requires that the CAM and CAS machines come with eth0 (NIC1) and eth1 (NIC2) interfaces by default and prompts you to configure these during initial installation. If your system has additional network interface cards (e.g. NIC3, NIC4), you can use the following instructions to configure the additional interfaces (e.g. eth2, eth3) on those cards. Typically, eth2 needs to be configured when setting up CAS systems for High Availability (HA). For HA, once the eth2 (NIC3) interface is configured with the proper addressing, it can then be configured as the dedicated and/or redundant UDP heartbeat interface for the HA-CAM/CAS.


Note For Cisco NAC Appliance hardware, the following instructions assume that the NIC is plugged in and "working" (i.e. recognized by BIOS and by Linux).

If the NIC card is not recognized by BIOS (for example, for a non-appliance server machine), you may need to adjust IRQ/memory settings as per the manufacturer's recommendations.

Once the NIC is recognized by BIOS, it should be automatically recognized by the software (Linux). If for some reason, the NIC is recognized by BIOS, but not by Linux, then login to the system and run "kudzu". This will bring up a utility that helps you configure the NIC.


To Configure an Additional NIC:


Step 1 To verify that the NIC has been recognized by Linux, type ifconfig ethn (where n is the interface number). For example, if adding a NIC to a system that already has two built-in Ethernet interfaces (eth0 and eth1), n is 2 and you enter ifconfig eth2.

Step 2 Verify that the output displays information about the interface including MAC address and transmit and receive counters. This means the interface is recognized by Linux and can be used.

Step 3 Change to the following directory:

cd /etc/sysconfig/network-scripts

Step 4 Use vi to edit the ifcfg-ethn file for the interface, for example:

vi ifcfg-eth2

Step 5 Add the following lines to the file, replacing the IPADDR, NETMASK, BROADCAST, and NETWORK values with the actual values suitable for your network:

DEVICE=eth2
IPADDR=192.168.0.253
NETMASK=255.255.255.252
BROADCAST=192.168.0.255
NETWORK=192.168.0.252
BOOTPROTO=static
ONBOOT=yes
TYPE=Ethernet

Step 6 Save the file and reboot the system. The network interface is now ready to be used for HA.
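
As an added example (not Cisco's code), this Python script generates ifcfg-ethN contents from the address and mask, deriving NETWORK and BROADCAST so the four values cannot disagree, and checks an existing file for inconsistent values or a BOOTPROTO other than static, which the guide says is not supported; the eth2 values from Step 5 are used as the sample.

```python
"""Render and validate an ifcfg-ethN file for an additional CAM/CAS NIC.

Added example, not Cisco code. render_ifcfg() derives NETWORK and
BROADCAST from IPADDR and NETMASK, and check_ifcfg() flags an existing
file whose values are inconsistent or that uses DHCP.
"""
import ipaddress

# Keys that Step 5 expects in the file.
REQUIRED_KEYS = ("DEVICE", "IPADDR", "NETMASK", "BROADCAST", "NETWORK",
                 "BOOTPROTO", "ONBOOT", "TYPE")


def render_ifcfg(device, ipaddr, netmask):
    """Return the contents of ifcfg-<device> for a static address."""
    iface = ipaddress.IPv4Interface(f"{ipaddr}/{netmask}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ipaddr} is the network or broadcast address")
    values = {
        "DEVICE": device,
        "IPADDR": str(iface.ip),
        "NETMASK": str(net.netmask),
        "BROADCAST": str(net.broadcast_address),
        "NETWORK": str(net.network_address),
        "BOOTPROTO": "static",
        "ONBOOT": "yes",
        "TYPE": "Ethernet",
    }
    return "".join(f"{k}={values[k]}\n" for k in REQUIRED_KEYS)


def parse_ifcfg(text):
    """Parse KEY=value lines into a dict, ignoring blanks and comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def check_ifcfg(text):
    """Return a list of problems found in an ifcfg file ([] means OK)."""
    cfg = parse_ifcfg(text)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in cfg]
    if problems:
        return problems
    if cfg["BOOTPROTO"].lower() != "static":
        problems.append("BOOTPROTO must be static; DHCP is not supported")
    try:
        iface = ipaddress.IPv4Interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except ValueError as exc:
        return problems + [f"bad IPADDR/NETMASK: {exc}"]
    net = iface.network
    if cfg["NETWORK"] != str(net.network_address):
        problems.append(f"NETWORK should be {net.network_address}")
    if cfg["BROADCAST"] != str(net.broadcast_address):
        problems.append(f"BROADCAST should be {net.broadcast_address}")
    if cfg["ONBOOT"].lower() != "yes":
        problems.append("ONBOOT should be yes so the HA interface comes up at boot")
    return problems


if __name__ == "__main__":
    # Sample values from Step 5: a /30 for the HA heartbeat link.
    sample = render_ifcfg("eth2", "192.168.0.253", "255.255.255.252")
    print(sample)
    print("problems:", check_ifcfg(sample))
```
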



Note If the NIC card is not recognized by BIOS (for example, for a non-appliance server machine), you may need to adjust IRQ/memory settings as per the manufacturer's recommendations.

Once the NIC is recognized by BIOS, it should be automatically recognized by the software (Linux). If for some reason, the NIC is recognized by BIOS, but not by Linux, then login to the system and run kudzu. This brings up a utility that helps you to configure the NIC.



Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces.


See Chapter 4 "Configuring High Availability (HA)" for details on configuring HA.

Serial Connection to the CAM and CAS

This section details how to access the CAM and CAS command line via serial connection.


Step 1 Connect the serial port of your admin computer to an available serial port on the CAM or CAS with a serial cable.


Note If the CAM or CAS is already configured for High-Availability (failover), one of its serial connections may be in use for the peer heartbeat connection. In this case, the machine must have at least two serial ports to be able to manage the peer CAM or CAS over a serial connection. If it does not, you can use an Ethernet port for the peer connection. For more information, see Installing a Clean Access Manager High Availability Pair.



Caution To help prevent a potential network security threat, Cisco strongly recommends physically disconnecting from the Cisco NAC console management port when you are not using it. For more details, see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms.

Step 2 After physically connecting the workstation to the CAM or CAS, access the serial connection interface using any terminal emulation software. The following steps describe how to connect using Microsoft® HyperTerminal. If you are using different software, the steps may vary.

Setting Up the HyperTerminal Connection

Step 3 Open the HyperTerminal window by clicking Start > Programs > Accessories > Communications > HyperTerminal.

Step 4 Type a name for the session and click OK.

Step 5 In the Connect using list, choose the COM port on the workstation to which the serial cable is connected (usually either COM1 or COM2) and click OK.

Step 6 Configure the Port Settings as follows:

Bits per second - 9600

Data bits - 8

Parity - None

Stop bits - 1

Flow control - None

Step 7 Go to File > Properties to open the Properties dialog for the session and change the Emulation setting to VT100.

Step 8 You should now be able to access the command interface for the CAM or CAS. You can now:

Install the Clean Access Manager (CAM) Software from CD-ROM

Install the Clean Access Server (CAS) Software from CD-ROM

Perform the Initial CAM Configuration

Perform the Initial CAS Configuration


Note If you already performed the initial installation, but need to modify the original settings, you can log in as user root and run the service perfigo config command.



Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS

If your CAM or CAS does not read the software on the CD-ROM drive, and instead attempts to boot from the hard disk, use the following steps to configure the appliance to boot from CD-ROM before attempting to re-image or upgrade the appliance from CD.


Step 1 Press the F10 key while the system is booting.

Step 2 Go to the Boot menu (Figure 3-11).

Figure 3-11 Boot Menu

Step 3 Change the setting to boot from CD ROM by selecting "CD-ROM Drive" from the menu and pressing the plus ("+") key (Figure 3-12).

Figure 3-12 Boot from CD-ROM Drive

Step 4 Press the F10 key to Save and Exit.


Useful CLI Commands for the CAM/CAS

This section covers CLI commands for both the Clean Access Manager and Clean Access Server:

CAM CLI Commands

CAS CLI Commands

CAM CLI Commands

You can perform most administration tasks for the Clean Access Manager through the web admin console, such as configuring its behavior and performing operations such as starting and rebooting the CAM. However, in some cases you may need to access the CAM configuration directly, for example if the web admin console is unavailable due to incorrect network or VLAN settings. You can use the Cisco NAC Appliance command line interface (CLI) to set basic operational parameters directly on the CAM.

To run the CLI commands, access the CAM using SSH and log in as user root and enter the corresponding password. If already serially connected to the CAM, you can run CLI commands from the terminal emulation console after logging in as root (see Connect the Clean Access Manager). The format service perfigo <command> is used to enter a command from the command line. Table 3-3 lists the commonly used Cisco NAC Appliance CLI commands.

Table 3-3 CLI Commands

Command
Description
service perfigo start

Starts up the appliance. If the CAM is already running, a warning message appears. The CAM must be stopped for this command to be used.

service perfigo stop

Shuts down the Cisco NAC Appliance service.

service perfigo restart

Shuts down the Cisco NAC Appliance service and starts it up again. This is used when the service is already running and you want to restart it.

Note service perfigo restart should not be used to test high availability (failover). Instead, Cisco recommends "shutdown" or "reboot" on the machine to test failover, or if a CLI command is preferred, service perfigo stop and service perfigo start.

service perfigo reboot

Shuts down and reboots the machine. You can also use the Linux reboot command.

service perfigo config

Starts the configuration script to modify the CAM configuration. After completing service perfigo config, you must reboot the CAM.

service perfigo time

Use to modify the time zone settings.


Power Down the CAM

To power down the CAM, use one of the following recommended methods while connected via SSH:

Type service perfigo stop, then power down the machine, or

Type /sbin/halt, then power down the machine.

Restart Initial Configuration

To start the configuration script, type service perfigo config while connected through SSH. For example:

[root@camanager root]# service perfigo config

This command causes the configuration utility script to start (on either the CAS or CAM). The script lets you configure the network settings for the CAM (see Perform the Initial CAM Configuration for instructions). After running and completing service perfigo config, make sure to run service perfigo reboot or reboot to reset the CAM with the modified configuration settings.


Note For details on restoring the database from automated and manual backup snapshots via command line utility, see the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).


CAS CLI Commands

The CAM web admin console allows you to perform most of the tasks required for administering Cisco NAC Appliance deployment. However, there are two cases where the command line interface of the CAS can be or must be used:

Use the CAS CLI Commands for Cisco NAC Appliance to access the CAS configuration directly for initial configuration of the CAS or if the web admin console is unavailable due to incorrect network or VLAN settings.

If you have purchased the Cisco NAC Profiler solution, use the CAS CLI Commands for Cisco NAC Profiler to enable the Cisco NAC Profiler Collector application on the Clean Access Server.

To run the CLI commands, access the CAS using SSH and log in as user root and enter the root user password. If already serially connected to the CAS, you can run CLI commands from the terminal emulation console after logging in as root (see Connect the Clean Access Server).

CAS CLI Commands for Cisco NAC Appliance

The format service perfigo <command> is used to enter a command from the command line. Table 3-4 lists the commonly used Cisco NAC Appliance CLI commands for the CAS.

Table 3-4 Cisco NAC Appliance CLI Commands for CAS

Command
Description
service perfigo start

Starts up the CAS. If the CAS is already running, a warning message appears. The CAS must be stopped for this command to be used.

service perfigo stop

Shuts down the Cisco NAC Appliance service.

Note When the management VLAN is set, issuing this command causes the CAS to lose network connectivity. You can use service perfigo maintenance instead.

service perfigo maintenance

This command brings the CAS to maintenance mode, in which only the basic CAS router runs and continues to handle VLAN-tagged packets. The command allows communication through the management VLAN and is intended for environments where the CAS is in trunk mode and the native VLAN is different than the management VLAN.

Note You can use service perfigo maintenance to stop the service when testing high availability (failover) for Virtual Gateway CASs over an SSH connection.

service perfigo platform

This command allows you to determine whether the CAS is a standard Clean Access Server appliance or a Cisco NAC network module installed in a Cisco ISR router chassis. The output displays either "APPLIANCE" or "NME-NAC" as the platform setting.

For detailed installation and configuration information, see Getting Started with Cisco NAC Network Modules in Cisco Access Routers and Installing Cisco Network Modules in Cisco Access Routers.

service perfigo restart

Shuts down the Cisco NAC Appliance service and starts it up again. This is used when the service is already running and you want to restart it.

Note service perfigo restart should not be used to test high availability (failover). Instead, Cisco recommends "shutdown" or "reboot" on the machine to test failover, or, if a CLI command is preferred, service perfigo stop or service perfigo maintenance followed by service perfigo start.

service perfigo reboot

Shuts down and reboots the machine. You can also use the Linux reboot command.

service perfigo config

Starts the configuration script to modify the CAS configuration. After completing service perfigo config, you must reboot the CAS. For instructions on using the script, see Perform the Initial CAS Configuration.

service perfigo time

Use to modify the time zone settings.


CAS CLI Commands for Cisco NAC Profiler

All Cisco NAC Appliance releases are shipped with a default version of the Cisco NAC Profiler Collector component. Cisco NAC Appliance 4.8(x) releases are shipped with Collector version 3.1.0-24 by default. When upgrading the NAC Server to a newer NAC Appliance release, the current version of the Collector will be replaced with the default version of the Collector shipped with the NAC Appliance release. For example, if you are running Release 4.7(2) and Collector 3.1.1, and you upgrade to NAC 4.8(x), Collector will be downgraded to 3.1.0.24. You need to manually upgrade the 3.1.0.24 Collector to 3.1.1 again and configure it after the NAC Server upgrade.

The Clean Access Server is shipped with a default version of the Cisco NAC Profiler Collector component, which needs to be enabled and configured separately when integrating with the Cisco NAC Profiler solution. Table 3-5 lists CLI commands issued on the CAS for the Cisco NAC Profiler Collector service. For complete details on the Cisco NAC Profiler solution, refer to the Cisco NAC Profiler Installation and Configuration Guide and Release Notes for Cisco NAC Profiler.


Note To display the version of the Collector on the CAS, SSH to the CAS machine running the Collector service and type rpm -q Collector.


Table 3-5 Cisco NAC Profiler Collector CLI Commands for CAS

Command
Description

service collector start

Starts the Collector service on the CAS.

service collector stop

Shuts down the Collector service on the CAS.

service collector verify

Displays the configured Collector services running on the CAS, for example:

Collector Network Configuration
Collector Name    = bcas1-fw
Connection Type   = server
Listen on IP      = 10.40.1.10
Network IP ACL
127.0.0.1
10.10.0.211
10.10.0.210
10.10.0.212
Port Number       = 31416
Encryption type   = AES
Shared secret     = profiler

service collector status

Displays the running status of the individual Collector modules on the CAS, for example:

Profiler Status
  o Server      Not Installed
  o Forwarder   Running
  o NetMap      Running
  o NetTrap     Running
  o NetWatch    Running
  o NetInquiry  Running
  o NetRelay    Running

service collector restart

Stops and then restarts the Collector service on the CAS. This is used when the service is already running and you want to restart it.

service collector config

Starts the Collector service configuration script to allow communication with the Cisco NAC Profiler Server. For example:

[root@caserver12 /]# service collector config
Enable the NAC Collector (y/n) [y]: 
Configure NAC Collector (y/n) [y]: 
Network configuration to connect to a NAC Profiler 
Server
  Connection type (server/client) [client]: 
  Connect to IP [127.0.0.1]: 192.168.96.20
  Port number [31416]: 
  Encryption type (AES, blowfish, none) [AES]: none
  Shared secret []: cisco1232
-- Configured caserver12-fw
-- Configured caserver12-nm
-- Configured caserver12-nt
-- Configured caserver12-nw
-- Configured caserver12-ni
-- Configured caserver12-nr
NAC Collector has been configured

For detailed installation and configuration information, see the Cisco NAC Profiler Installation and Configuration Guide.
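The verify output in Table 3-5 is worth checking rather than only reading: the encryption type and shared secret decide whether the Collector-to-Profiler-Server session can be sniffed or spoofed, and in server mode the Network IP ACL decides who may reach the listener. The following POSIX shell script is an added example, not code from the Cisco guide or from Cisco NAC Profiler; it audits the text that service collector verify prints. The constructed samples embedded in it reuse the values from the table and from the service collector config session above. The minimum secret length, the treatment of "profiler" as a placeholder, and the 0.0.0.0 ACL check are assumptions of the example, not requirements stated by the guide.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: audit the output of
# "service collector verify" for weak Collector transport settings.
# On a CAS:  service collector verify | sh audit_collector.sh
# Offline:   the constructed samples below are audited when the file is run.
#
# Assumptions the guide does not make: a shared secret shorter than
# MIN_SECRET_LEN characters is weak, the value "profiler" seen in the
# guide's sample output is a placeholder that must not be kept, and an
# ACL entry of 0.0.0.0 means "allow any source".
MIN_SECRET_LEN=12

# Reads "service collector verify" output on stdin, prints one
# OK/WARN/FAIL line per check, and returns 1 if any check FAILed.
audit_collector_config() {
    _in=$(cat)
    _rc=0

    # Encryption between the Collector and the Profiler Server.
    _enc=$(printf '%s\n' "$_in" | sed -n 's/^Encryption type *= *//p' | head -n 1)
    case "$_enc" in
        AES)      echo "OK:   encryption type is AES" ;;
        blowfish) echo "WARN: encryption type is blowfish; the default AES is preferred" ;;
        none|"")  echo "FAIL: Collector <-> Profiler Server traffic is not encrypted (type '${_enc:-unset}')"
                  _rc=1 ;;
        *)        echo "WARN: unrecognised encryption type '$_enc'" ;;
    esac

    # Shared secret that authenticates the Collector to the Profiler Server.
    _secret=$(printf '%s\n' "$_in" | sed -n 's/^Shared secret *= *//p' | head -n 1)
    _len=$(printf '%s' "$_secret" | wc -c | tr -d ' ')
    if [ -z "$_secret" ]; then
        echo "FAIL: no shared secret configured"; _rc=1
    elif [ "$_secret" = "profiler" ]; then
        echo "FAIL: shared secret 'profiler' is the placeholder value"; _rc=1
    elif [ "$_len" -lt "$MIN_SECRET_LEN" ]; then
        echo "WARN: shared secret is only $_len characters (assumed minimum $MIN_SECRET_LEN)"
    else
        echo "OK:   shared secret length $_len"
    fi

    # In server mode the Network IP ACL is what limits who may reach the
    # listener on "Listen on IP"; the entries sit between that header and
    # "Port Number" in the verify output.
    _type=$(printf '%s\n' "$_in" | sed -n 's/^Connection Type *= *//p' | head -n 1)
    if [ "$_type" = "server" ]; then
        _acl=$(printf '%s\n' "$_in" | awk '/^Network IP ACL/{f=1; next} /^Port Number/{f=0} f && NF {print $1}')
        _n=$(printf '%s\n' "$_acl" | grep -c '[0-9]' || true)
        if [ "$_n" -eq 0 ]; then
            echo "FAIL: server mode with an empty Network IP ACL"; _rc=1
        elif printf '%s\n' "$_acl" | grep -qx '0\.0\.0\.0'; then
            echo "FAIL: Network IP ACL contains 0.0.0.0 (allow any)"; _rc=1
        else
            echo "OK:   server mode, ACL entries ($_n): $(printf '%s' "$_acl" | tr '\n' ' ')"
        fi
    fi
    return $_rc
}

# Constructed sample 1: the verify output shown in Table 3-5 (AES, but the
# placeholder secret).
SAMPLE_VERIFY_OUTPUT='Collector Network Configuration
Collector Name    = bcas1-fw
Connection Type   = server
Listen on IP      = 10.40.1.10
Network IP ACL
127.0.0.1
10.10.0.211
10.10.0.210
10.10.0.212
Port Number       = 31416
Encryption type   = AES
Shared secret     = profiler'

# Constructed sample 2: a client-mode Collector configured with no encryption.
SAMPLE_WEAK_OUTPUT='Collector Network Configuration
Collector Name    = caserver12-fw
Connection Type   = client
Connect to IP     = 192.168.96.20
Port Number       = 31416
Encryption type   = none
Shared secret     = cisco1232'

# Stand-alone demo: audit both samples (exit status deliberately ignored here).
for _s in "$SAMPLE_VERIFY_OUTPUT" "$SAMPLE_WEAK_OUTPUT"; do
    echo "--- audit ---"
    printf '%s\n' "$_s" | audit_collector_config || true
done
```

Run against the table's own sample the script reports AES as OK, flags the placeholder secret, and lists the four ACL entries; against the client-mode sample it fails on the missing encryption and warns on the short secret, which is why the default of AES should be kept when running service collector config.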


Manually Restarting the CAM/CAS Configuration Utility

If after installation you need to reset the configuration settings, or if you need to start the configuration utility manually, you can issue the service perfigo config CLI command on either the Clean Access Server or Clean Access Manager. When using service perfigo config, you will also need to enter service perfigo reboot or reboot after configuration is complete to reboot the machine.


Step 1 Connect to the CAS or CAM through direct console connection, serial connection, or SSH.

Step 2 Log in as root with the correct password.

Step 3 Enter the service perfigo config command.

Step 4 Accept the default values or provide new ones for all prompts (as described in Perform the Initial CAM Configuration or Perform the Initial CAS Configuration).

Step 5 When configuration is done, enter service perfigo reboot or reboot to reboot the machine.


Troubleshooting the Installation

This section addresses the following troubleshooting topics:

Verify/Change Current Master Secret on CAM/CAS

Recover From Corrupted Master Secret

Network Interface Card (NIC) Driver Not Supported

Resetting and Restoring an Unreachable Clean Access Server

Enabling TLSv1 on Internet Explorer Version 6


Note If the FIPS card in a Cisco NAC-3315/3355/3395 CAM/CAS ceases to work correctly, make sure the FIPS card operation switch is set to "O" (for operational mode), as described in the "FIPS 140-2 Compliance" section of the Release Notes for Cisco NAC Appliance, corresponding to your latest Cisco NAC Appliance release version. If the FIPS card is still not operational, you will need to RMA the appliance with Cisco Systems and replace it with a new Cisco NAC-3315/3355/3395. Refer to the "Cisco NAC Appliance RMA and Licensing" section of Cisco NAC Appliance Service Contract/Licensing Support for details.


For further troubleshooting information, see the latest version of the Release Notes.

Verify/Change Current Master Secret on CAM/CAS

Clean Access Managers and Clean Access Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords to ensure that you are able to fail over to the HA peer CAM/CAS in an HA deployment. (HA-Secondary CAMs/CASs are not able to assume the "active" role following a failover event when the master secret passwords are different.) If you suspect that the CAM/CAS master secret is different from its peer in an HA deployment, you can do the following to verify and/or change the master secret on CAM/CAS HA peers:


Step 1 Log in to the CLI of the HA-Primary CAM/CAS as "root."

Step 2 Enter cat /root/.perfigo/master and record the master secret signature for that CAM/CAS. (This file holds the secret that protects the other system passwords, so store the record as you would any other system password.)

Step 3 Log in to the CLI of the HA-Secondary CAM/CAS as "root" and enter the same cat /root/.perfigo/master command.

Step 4 If the two master secret signatures differ, use service perfigo config to reconfigure the CAM/CAS that has the incorrect master secret, accepting the previous values for all settings other than the master secret, which you set to match the other appliance in the HA pair:

a. Enter service perfigo stop on the HA-Secondary CAM/CAS.

b. Enter service perfigo stop on the HA-Primary CAM/CAS.

c. On the CAM/CAS that has the incorrect master secret, enter service perfigo config and reconfigure it as described above. (After you complete the configuration, you also need to reboot that appliance.)

d. Enter service perfigo start to bring up the HA-Primary CAM/CAS.

e. When the HA-Primary CAM/CAS comes back up, enter service perfigo start to bring up the HA-Secondary CAM/CAS.

After approximately 5 minutes, an HA-Secondary CAM automatically synchronizes with the HA-Primary.
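Step 2 and Step 3 have you read the master secret with cat on each peer and transcribe it. The following POSIX shell functions are an added example, not from the Cisco guide: they compare the two /root/.perfigo/master files by SHA-256 fingerprint, so that only a hash is recorded or passed over SSH, and they map the result onto the procedures in this section (a missing or empty file is the case handled under Recover From Corrupted Master Secret). Assumed, and not stated by the guide: sha256sum or shasum is available on the appliance, and the peer accepts root SSH logins from the host running the check. The file contents in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide: compare the master secret on two
# HA peers by SHA-256 fingerprint rather than by reading the secret itself
# with cat. Only the fingerprint has to be recorded or sent over SSH.
# Assumptions (not stated by the guide): sha256sum (or shasum) is present on
# the appliance, and the peer accepts root SSH logins from this host.

MASTER_FILE=/root/.perfigo/master

# SHA-256 hex digest of the file in $1 (prints nothing if missing or empty).
master_fingerprint() {
    [ -s "$1" ] || return 0
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Fingerprint of the peer's master secret, computed on the peer so the
# secret never crosses the wire. Example: remote_master_fingerprint 10.40.1.11
remote_master_fingerprint() {
    ssh "root@$1" "sha256sum $MASTER_FILE | cut -d ' ' -f 1"
}

# ha_master_secret_check LOCAL_FILE PEER_FINGERPRINT
# Returns 0 when both secrets match, 1 when they differ (run the
# "Verify/Change Current Master Secret" steps on the wrong peer), and
# 2 when the local file is missing or empty (use "Recover From Corrupted
# Master Secret").
ha_master_secret_check() {
    _local=$(master_fingerprint "$1")
    if [ -z "$_local" ]; then
        echo "LOCAL MASTER SECRET MISSING: $1 absent or empty; follow the corrupted-secret recovery"
        return 2
    fi
    echo "local  $_local"
    echo "peer   $2"
    if [ "$_local" = "$2" ]; then
        echo "MATCH: HA peers share the same master secret"
        return 0
    fi
    echo "MISMATCH: service perfigo stop on the secondary, then the primary; service perfigo config on the wrong peer"
    return 1
}

# Stand-alone demo with constructed files (not real master secrets).
_d=$(mktemp -d)
printf 'constructed-secret-A\n' > "$_d/primary"
printf 'constructed-secret-B\n' > "$_d/secondary"
ha_master_secret_check "$_d/secondary" "$(master_fingerprint "$_d/primary")" || true
rm -rf "$_d"
```

On a live pair, run ha_master_secret_check "$MASTER_FILE" "$(remote_master_fingerprint <peer-ip>)" from the HA-Primary; a mismatch tells you which peer to reconfigure before any failover is attempted.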


Recover From Corrupted Master Secret


Note This procedure applies to both standalone and HA CAMs and CASs. In order to use this procedure for an HA CAM/CAS with a corrupted master secret, you must bring both peers in the HA deployment to "standalone" state before performing the steps necessary to recover from the corrupted master secret.


If the master secret changes (by using service perfigo config, for example) and the CAM/CAS database is synchronized from a peer CAM/CAS that has a different master secret, the database can become corrupted rendering the appliance unusable. You can recover from this scenario by going through the following steps:


Step 1 Log in to the CLI of the CAM/CAS with the corrupted master secret as "root."

Step 2 Remove /root/.perfigo/master file from the affected CAM/CAS.

Step 3 Use service perfigo config to "reconfigure" the CAM/CAS initial configuration, accepting the previous values for all settings other than the master secret, which, in the case of an HA peer, you specify to match the other appliance in the HA pair.

Step 4 If deployed as part of an HA pair, bring the HA-Primary CAM/CAS back up, and then bring the HA-Secondary CAM/CAS back up. Database synchronization between active and standby CAMs takes place automatically, restoring the proper master secret in both the database and file system.


Network Interface Card (NIC) Driver Not Supported

For complete details, refer to the "Troubleshooting Network Card Driver Support Issues" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access).

Resetting and Restoring an Unreachable Clean Access Server

If incorrect network, SSL certificate, or VLAN settings have rendered the Clean Access Server unreachable from the Clean Access Manager, you can reset the Clean Access Server's configuration. Note that resetting the configuration restores the Clean Access Server configuration to its install state. Any configuration settings made since installation will be lost.

To reset the configuration:


Step 1 Connect to the Clean Access Server by SSH.

Step 2 Delete the env file:

# rm /perfigo/access/bin/env

Step 3 Then reboot using:

# service perfigo reboot

You can now add the CAS to the CAM. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).


Enabling TLSv1 on Internet Explorer Version 6

Administrators who manage the CAM/CAS through the web console, and client machines whose browsers connect to a FIPS-compliant Cisco NAC Appliance Release 4.8(x) network, must use TLSv1, which is disabled by default in Microsoft Internet Explorer Version 6.

To locate and enable this setting in IE version 6:


Step 1 Go to Tools > Internet Options.

Step 2 Select the Advanced tab.

Step 3 Scroll down to locate the Use TLS 1.0 option under Security.

Step 4 Click the checkbox to enable the Use TLS 1.0 option and click Apply.

Step 5 If necessary, close the browser and open a new one; the TLS 1.0 option should now be enabled.



Note Mozilla Firefox has not shown this limitation.


Powering Down the NAC Appliance

To power down the CAM/CAS, use one of the following recommended methods while connected via console/SSH. These methods prevent database corruption when powering down the CAM.

Type service perfigo stop and power down the machine.

Type /sbin/halt and power down the machine.