Getting Started with Cisco NAC Network Modules in Cisco Access Routers


Revised: November 27, 2012, OL-2609-01

Contents

About Cisco NAC Network Module for Integrated Services Routers

Prerequisites for Cisco NAC Network Module

Cisco NAC Network Module and Clean Access Server Software

Deployment Overview

How to Configure the Cisco NAC Network Module

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

Configuring and Administering Cisco NAC Appliance

Technical Assistance

Documentation

Obtaining Documentation and Submitting a Service Request

About Cisco NAC Network Module for Integrated Services Routers

The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2900 and 3900 Series Integrated Services Routers.

Cisco NAC Appliance

Cisco NAC Appliance (also known as Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.

Cisco NAC Appliance is a network-centric integrated solution that is:

Administered from the web console of the Clean Access Manager (CAM)

Enforced through the Clean Access Server (CAS)

Applied on clients through the Clean Access Agent (CAA) client software

You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.

Cisco NAC Network Module

The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2911/2921/2951 and 3925/3945 access routers.

The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The Clean Access Manager is purchased separately as a NAC-3300 series appliance and is the primary point of configuration and management for all Clean Access Servers—whether implemented as a Cisco NAC Network Module in an Integrated Services Router, or as a NAC-3310 or NAC-3350 SERVER appliance. Once initial configuration is complete, the NAC network module is added and managed by the Clean Access Manager like any other Clean Access Server through the CAM web console (GUI) interface.

For further details on the NAC-3300 series server platforms refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide.

Prerequisites for Cisco NAC Network Module

Router

Plan software upgrades or downgrades for times when you can take all applications that run on the host router out of service or offline.

Ensure that you have the appropriate Cisco access router to serve as the host router. The Cisco NAC Network Module is supported on the following Cisco access routers:

Cisco 2811

Cisco 2821

Cisco 2851

Cisco 3825

Cisco 3845

In addition to the above routers, Cisco NAC Appliance Releases 4.8 and later support the following Cisco access routers.

Cisco 2911

Cisco 2921

Cisco 2951

Cisco 3925

Cisco 3945


Note The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. Upgrade it to Cisco NAC Appliance Release 4.8 or later to support the Cisco access routers listed above.


Ensure that the host router is running Cisco IOS Release 12.4(11)T or a later release. To learn which release your router is currently running, examine output from the show version command.


Note When minimum release requirements are met, you can change images on either the router or the network modules without affecting performance.


Network Module


Note Cisco NAC Network Module supports Cisco NAC Appliance Release 4.5, but does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Cisco NAC Network Module supports L3 Wireless Out-of-Band (L3 OOB) introduced in Cisco NAC Appliance Release 4.8(2).



Warning The Cisco NAC network module must run the same version of the Cisco NAC Appliance software as the Clean Access Manager and any other Clean Access Servers in the deployment. For example, all must run 4.7(x), or a later supported version.

Release 4.1.2.1 of the Cisco NAC Appliance software is the minimum software release supported on the Cisco NAC Network Module.

Refer to the latest version of the Release Notes for Cisco NAC Appliance for enhancement details for each applicable release.

To physically install the NAC network module, use the Cisco Network Modules Hardware Installation Guide and Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information.

The Cisco NAC Network Module for Integrated Services Routers ships from the factory with the hardware listed in Table 1 preinstalled. There are no memory options. (See How to Configure the Cisco NAC Network Module for further details.)

Table 1 Network Module Hardware Specifications

Model        Processor         Hard Disk      Memory       CompactFlash
NME-NAC-K9   1 GHz Celeron M   80 GB (SATA)   512 MB DDR   64 MB


Make a note of the network module's location in the host router:

slot—Number of the router chassis slot for the module. After you install the module, you can get this information from the router's show running-config command output.

unit—Number of the daughter card on the module. This value should be 0.


Note You need this information for the "Setting Up Network Module Interfaces" section and the "Opening and Closing a Session" section.


File Server

(Optional) Verify that your download FTP or TFTP file server is accessible:

FTP file server—Use for backups and restores.

TFTP file server—Use (on the FTP-file-server machine) for boothelper operations to recover from a failed installation.

Accessing the Cisco NAC Network Module

You can configure software on the network module only from a console connected to the serial console port on the host router.


Note Telnet is not recommended.


You can access the Clean Access Server software running on the network module by accessing one of the following:

The router's Cisco IOS command-line interface (CLI)

The CAS management pages of the CAM web console (Device Management > CCA Servers > Manage [CAS_IP])

The CAS direct access console (https://<CAS_eth0_IP>/admin/)

Secure-shell (SSH) connection to the internal interface (CAS eth0 trusted interface) of the NAC network module.

Every configured Clean Access Server has a direct web console interface that can optionally be used for certain limited settings, such as HA or SSL certificates, or to download support logs. For the NAC network module, all CAS configuration settings can be accessed via the CAS management pages of the CAM web console, except for CAS support logs, which must be accessed via the direct CAS web console interface by typing https://<CAS_eth0_IP>/admin/ into a web browser. Additionally, because the NAC network module does not support HA, there is no "Failover" tab in the direct access web console.

Restrictions for Cisco NAC Network Module

Deployment

The NAC network module does not support High Availability (HA) mode. HA functionality is disabled on the GUI interface of the NAC network module.

The NAC network module does not support the Cisco NAC Profiler Collector module for the CAS.

The NAC network module does not support port-based VLAN mapping when deployed as an Out-of-Band Virtual Gateway. A change in the client IP address is always required when the NAC network module is configured as an L2 OOB Virtual Gateway.

Cisco NAC Network Module does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Upgrade

After upgrading from Release 4.6(1) to Release 4.8, the clock on the NAC-NME module may drift. As a result, the CAS on the NME module may not connect to the CAM after the upgrade from 4.6.1, because the certificate dates fall outside the validity range.

To resolve this, check the system clock after upgrading, set it once, and reboot. To set the date from the CLI, use the following command and then reboot.

Syntax:

date -s "dd MMM YYYY hh:mm:ss"

Example:

date -s "15 APR 2010 19:49:00"

You can also synchronize the time using the CAS web console. In the CAS web console, perform the following steps:


Step 1 Navigate to Administration > Time Server.

Step 2 Select the Time Zone and enter the appropriate time server in the Time Servers field.

Step 3 Click Synchronize Time.

Step 4 Reboot the system.
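As an added example (not from the Cisco document), the following Python code checks a CAS clock against its certificate validity window and renders the date -s command in the format shown above. The certificate dates and clock values are constructed, and the 5-minute skew tolerance is an assumed threshold, not a Cisco value.

```python
import ssl
from datetime import datetime, timedelta, timezone
from typing import List, Tuple


def parse_validity(not_before: str, not_after: str) -> Tuple[datetime, datetime]:
    """Parse openssl-style validity strings ('Apr 15 19:49:00 2010 GMT') into UTC datetimes."""
    nb = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_before), tz=timezone.utc)
    na = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return nb, na


def date_set_command(t: datetime) -> str:
    """Render the CAS command in the form given above: date -s "dd MMM YYYY hh:mm:ss"."""
    return 'date -s "%s"' % t.strftime("%d %b %Y %H:%M:%S").upper()


def check_cas_clock(cas_clock: datetime, reference_clock: datetime,
                    not_before: str, not_after: str,
                    max_skew: timedelta = timedelta(minutes=5)) -> List[str]:
    """Findings for a CAS whose clock may have drifted; an empty list means no action is needed.

    reference_clock is a trusted time (for example the CAM's clock); max_skew is an assumed tolerance.
    """
    nb, na = parse_validity(not_before, not_after)
    findings: List[str] = []
    if not nb <= cas_clock <= na:
        findings.append(f"CAS clock {cas_clock:%Y-%m-%d %H:%M:%S} is outside the certificate "
                        f"validity window {nb:%Y-%m-%d} to {na:%Y-%m-%d}; the CAM will reject the CAS")
    if abs(cas_clock - reference_clock) > max_skew:
        findings.append(f"clock skew of {abs(cas_clock - reference_clock)} exceeds {max_skew}; "
                        f"run {date_set_command(reference_clock)} on the CAS and reboot")
    return findings


# Constructed sample: a CAS certificate valid through 2010, a trusted reference time,
# a CAS clock that drifted back into 2009 after the upgrade, and one that is 10 minutes off.
CERT_NOT_BEFORE = "Jan 10 00:00:00 2010 GMT"
CERT_NOT_AFTER = "Jan 10 00:00:00 2011 GMT"
REFERENCE_CLOCK = datetime(2010, 4, 15, 19, 49, 0, tzinfo=timezone.utc)
DRIFTED_CLOCK = datetime(2009, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
SKEWED_CLOCK = REFERENCE_CLOCK + timedelta(minutes=10)
```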


The Cisco NAC Appliance architecture is not designed for heterogeneous support—that is, some Clean Access Servers running 4.1(3) software and some running 4.1(2) software. Because the NAC network module is only supported starting from release 4.1(2) and later, to introduce a NAC network module to an existing NAC Appliance deployment (e.g. running 4.1.1), you must upgrade your Clean Access Manager and all your Clean Access Servers concurrently to release 4.1.2.1 or later.


Note Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.



Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. For compatibility with CAM/CAS appliances running 4.1.2.1, you must use the standard product upgrade file to upgrade the Cisco NAC network module to 4.1.2.1. See Configuring and Administering Cisco NAC Appliance for additional information.



Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.



Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.


Cisco NAC Network Module and Clean Access Server Software

The Clean Access Server is a Linux-based application that resides on the NAC network module that plugs into a host Cisco router running Cisco IOS software.

The network module is a standalone services engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router. The module does not have an external console port. Instead, you launch and configure the module through the router, by means of a configuration session on the module. After the session, you return to the router CLI and clear the session.

This arrangement—host router plus network module (the latter is also sometimes called an appliance or blade or, with installed software, a service or services engine)—provides a router-integrated application platform for accelerating data-intensive applications. Such applications typically involve the following and more:

Application-oriented networking

Contact centers and interactive-voice-response applications

Content caching and delivery

Data and video storage

Network analysis

Voice-mail and auto-attendant applications

Network Admission Control (NAC) enabled by Cisco NAC Appliance is such an application.

This section contains the following information:

System Licenses

Deployment Overview

How to Configure the Cisco NAC Network Module

System Licenses

Cisco NAC Appliance product licensing treats the Cisco NAC Network Module as any other Clean Access Server. In order for a NAC network module to work in your system, you need the following:

Clean Access Manager appliance (MANAGER) that will manage the NAC network module within the ISR.

Clean Access Manager license.
The CAM license is based on the eth0 IP address of the CAM and corresponds to the number of Clean Access Servers it supports. There are licenses for: Lite Manager (supports 3 CASs), Standard Manager (supports 20 CASs), and Super Manager (supports 40 CASs).

NAC network module license
This is a type of Clean Access Server license. The CAS license is based on the number of concurrent users it supports. The NAC network module can support up to 100 online, concurrent users. Table 2 shows the license types available for the NAC network module. These software licenses can also be used for the ordering of a spare NAC network module.

Table 2 Cisco NAC Network Module Licenses

License/Software SKU   Description
NACNM-50-K9            NAC Network Module Server License—max 50 users
NACNM-100-K9           NAC Network Module Server License—max 100 users
NACNM-50UL=            NAC Network Module Server License—upgrade only, 50 to 100 users



Note All Cisco NAC product licenses are added to the Clean Access Manager in your system. You add the CAM license the first time you access the CAM web console, then use the Administration > Licensing pages of the CAM web console to add the NAC network module or CAS licenses thereafter.


For complete details on licensing, refer to Cisco NAC Appliance Service Contract / Licensing Support.

Deployment Overview

This section provides an overview of Cisco NAC Network Module deployment with some configuration examples. If you already know how you want to deploy your NAC network module, continue to How to Configure the Cisco NAC Network Module for detailed initial configuration steps.

It contains the following:

Cisco NAC Network Module (CAS) Deployment Modes

Interface Description

Example Layer 2 Inband Virtual Gateway Configuration

Example Layer 2 Out-of-Band Real-IP Gateway Configuration

Cisco NAC Network Module (CAS) Deployment Modes

Table 3 shows the Clean Access Server deployment modes supported by the Cisco NAC Network Module.

Table 3 CAS Deployment Modes Supported by Cisco NAC Network Module

Deployment Mode       Options (1)
Physical deployment   Edge deployment only
CAS traffic passing   Virtual Gateway (bridged mode)
                      Real IP Gateway (routed mode)
Client access         Layer 2—client is adjacent to NAC network module (CAS)
                      Layer 3—client is multiple hops away from NAC network module (CAS)
Traffic flow          In-band—CAS is always inline with traffic
                      Out-of-Band—CAS is inline with traffic only during posture assessment/remediation

(1) The Cisco NAC Network Module does not support Wireless Out-of-Band deployment (Release 4.5 and later). Wireless OOB only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.


From a physical deployment perspective, all NAC network modules are Edge Deployments. This means each port (eth0 and eth1) of the NAC network module (CAS) is connected to a different device.

The eth1 (untrusted) interface of the NAC network module can be connected to an external switch or to an EtherSwitch Service Module (NME-ESW) for 3800 series integrated services routers supporting multiple slots (e.g. 3845).

Interface Description

Table 4 describes the interface terminology used in the example deployments shown in Figure 1 and Figure 2.

The example scenarios illustrate the NAC network module (NME-NAC) in a 3800 Series Integrated Services Router (ISR) when an EtherSwitch Service Module (NME-ESW) is used instead of an external switch.

In both examples, the eth1 (untrusted) interface of the NAC network module (Clean Access Server) is connected to the EtherSwitch module via an external link, instead of the internal Gigabit Serdes (GigSerdes) connection.

Table 4 Cisco NAC Network Module Interface Description

Interface: Integrated Service Engine 1/0 (int-svr-eng 1/0)
Description: Internal port connecting the integrated services router to the eth0 Trusted port of the CAS (NAC module). It is treated like any other Layer 3 port.

Interface: ESW internal port (Gig1/0/2)
Description: Internal link connecting the integrated services router to the Gig 1/0/2 interface of an EtherSwitch (ESW) module. Treated like any other Layer 3 port. Depending on the ISR slot, it displays as Gig2/0 or Gig3/0 on the router.

Interface: Gigabit Serdes (GigSerdes)
Description: (Optional) Internal port that can be configured to connect the eth1 Untrusted port of the CAS (NAC module) with an EtherSwitch (ESW) Gig 1/0/2 port, via the CLI command:

connect 1 module Integrated-Service-Engine 1/0 0 module GigabitEthernet2/0 0

Where:

Integrated-Service-Engine 1/0 0 is the CAS eth1 Untrusted port

GigabitEthernet2/0 0 is the Gig 1/0/2 port of the EtherSwitch

The configuration applied to the Gig 1/0/2 port of the EtherSwitch also applies to the GigSerdes port.

Note If Gigabit Serdes is used, the external ports should not be connected.


Example Layer 2 Inband Virtual Gateway Configuration

This section describes the following:

Network Diagram (L2 IB VGW)

CAS Configuration (L2 IB VGW)

Integrated Services Router Configuration (L2 IB VGW)

EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

Network Diagram (L2 IB VGW)

Figure 1 shows the Cisco NAC Network Module deployed as a CAS in Layer 2 inband Virtual Gateway mode.

Figure 1 NME-NAC (CAS) Layer 2 Inband Virtual Gateway Deployment with NME-ESW

Key Points

No VLAN mapping is required for Edge Deployment

Interface int-svr-eng 1/0 of the ISR is the default gateway for all users

Interface int-svr-eng 1/0 of the ISR is configured as a Layer 2 trunk with subinterfaces to/from each data VLAN

Link between the switch (NME-ESW) and CAS (NME-NAC) via external link or internal GigSerdes link (on 3800) carries data VLANs 51,52

No VLAN 51, 52 traffic on internal GE link between NME-ESW and ISR

IP Phone traffic on VLAN 15 sent directly to int Gig2/0 of the ISR

CAS Configuration (L2 IB VGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Inband Virtual Gateway.

CAS IP Form (L2 IB VGW)

CAS Managed Subnet Form (L2 IB VGW)

CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

CAS IP Form (L2 IB VGW)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

Clean Access Server Type: Virtual Gateway

Both Trusted (eth0) and Untrusted (eth1) Interface IP Addresses are the same: 10.10.55.2

Both Trusted and Untrusted Interface Default Gateway is the same: 10.10.55.1

Trusted Interface (eth0) Management VLAN ID needs to be set (55).


Note For Virtual Gateway, the Management VLAN for the CAS must be different from the CAM. Management VLANs must be set for the CAM and CAS, solely to manage the CAS from the CAM.


CAS Managed Subnet Form (L2 IB VGW)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

A managed subnet is added for each user VLAN (51, 52) and verified in the list at the bottom of the page.

Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

For Virtual Gateways, the managed subnet form essentially assigns an IP address to the CAS that is otherwise unused on the subnet. The CAS is not the gateway, but owns that address for the specified VLAN/subnet in order to send ARP queries.

CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > VLAN Mapping

On a Cisco NAC Network Module, the CAS is always an edge deployment. Therefore no VLAN Mapping is required because the eth0 and eth1 interfaces of the CAS are connected to different devices.


Caution The "Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that "Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets from passing through in either direction.

When a CAS operates in Virtual Gateway mode, it passes network traffic from its eth0 interface to eth1 and from eth1 to eth0 without changing the VLAN tag. VLAN Mapping is necessary only for In-band Virtual Gateways when both interfaces of the CAS are connected to the same Layer 2 switch. It allows putting incoming traffic to the CAS on a different VLAN from the outgoing traffic of the CAS. This is not needed for the NAC network module.

Integrated Services Router Configuration (L2 IB VGW)

ISR Configuration—Layer 2 Inband Virtual Gateway
ISR# sh run
Building configuration...
!
ip dhcp excluded-address 10.10.15.1
ip dhcp excluded-address 10.10.51.1
ip dhcp excluded-address 10.10.52.1
ip dhcp excluded-address 10.10.53.1
ip dhcp excluded-address 10.10.51.254
ip dhcp excluded-address 10.10.52.254
ip dhcp excluded-address 10.10.53.254
!
ip dhcp pool vlan51
   network 10.10.51.0 255.255.255.0
   default-router 10.10.51.1 
!
ip dhcp pool vlan52
   network 10.10.52.0 255.255.255.0
   default-router 10.10.52.1 
!
ip dhcp pool vlan53
   network 10.10.53.0 255.255.255.0
   default-router 10.10.53.1 
!
ip dhcp pool vlan15
   network 10.10.15.0 255.255.255.0
   default-router 10.10.15.1
!
interface Integrated-Service-Engine1/0
 description "Internal link between ISR & CAS"
 ip address 10.10.50.1 255.255.255.0
 no keepalive
!
interface Integrated-Service-Engine1/0.51
 encapsulation dot1Q 51
 ip address 10.10.51.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.52
 encapsulation dot1Q 52
 ip address 10.10.52.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.53
 encapsulation dot1Q 53
 ip address 10.10.53.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.55
 encapsulation dot1Q 55
 ip address 10.10.55.1 255.255.255.0
!
interface GigabitEthernet2/0
 description "Internal link between ISR & NME-ESW switch"
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2/0.15
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
!
interface GigabitEthernet2/0.16
 encapsulation dot1Q 16
 ip address 10.10.16.1 255.255.255.0
!
end

EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

EtherSwitch (NME-ESW) Configuration—Layer 2 Inband Virtual Gateway
NME-Switch# sh run
!
vlan 15,16,51-53 
!
interface FastEthernet1/0/1
 switchport access vlan 51
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/2
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/3
 switchport access vlan 53
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME-ESW switch and CAS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 51-53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME-ESW switch and ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,16
 switchport mode trunk
!
interface Vlan16
 ip address 10.10.16.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.16.1
ip http server
!
end
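The following Python script is an added example, not part of the Cisco document. It checks the two configurations above for the property the Key Points describe: user VLANs 51 to 53 must reach the ISR only through the CAS, never over the NME-ESW to ISR internal link, and management VLAN 55 must stay on the trusted side. The configurations embedded in it are constructed, abbreviated copies of the ISR and NME-ESW running-configs above, and the interface names are taken from those configs; a VLAN that leaks onto the internal trunk would let a client reach the router without crossing the inline CAS, which is what the check reports.

```python
import re
from typing import Dict, List, Set

# Constructed, abbreviated copies of the ISR and NME-ESW running-configs shown above
# (only the stanzas the check reads are kept).
ISR_CFG = """\
interface Integrated-Service-Engine1/0.51
 encapsulation dot1Q 51
!
interface Integrated-Service-Engine1/0.52
 encapsulation dot1Q 52
!
interface Integrated-Service-Engine1/0.53
 encapsulation dot1Q 53
!
interface Integrated-Service-Engine1/0.55
 encapsulation dot1Q 55
!
interface GigabitEthernet2/0.15
 encapsulation dot1Q 15
"""
ESW_CFG = """\
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME-ESW switch and CAS
 switchport trunk allowed vlan 51-53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME-ESW switch and ISR
 switchport trunk allowed vlan 15,16
 switchport mode trunk
"""
# Constructed misconfiguration: VLAN 51 is also allowed on the switch-to-ISR internal
# link, so a VLAN 51 client could reach the router without crossing the inline CAS.
BYPASS_ESW_CFG = ESW_CFG.replace("allowed vlan 15,16", "allowed vlan 15,16,51")


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '15,16,51-53' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented configuration lines."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return stanzas


def trunk_vlans(stanzas: Dict[str, List[str]], port: str) -> Set[int]:
    """VLANs allowed on a switch trunk port (empty set if none are configured)."""
    for line in stanzas.get(port, []):
        m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
        if m:
            return expand_vlans(m.group(1))
    return set()


def subinterface_vlans(stanzas: Dict[str, List[str]], parent: str) -> Set[int]:
    """VLANs the router terminates on dot1Q subinterfaces of `parent`."""
    vlans: Set[int] = set()
    for name, lines in stanzas.items():
        if name.startswith(parent + "."):
            for line in lines:
                m = re.match(r"encapsulation dot1Q (\d+)", line)
                if m:
                    vlans.add(int(m.group(1)))
    return vlans


def check_inline_path(isr_cfg: str, esw_cfg: str, cas_port: str = "FastEthernet1/0/16",
                      isr_port: str = "GigabitEthernet1/0/2", mgmt_vlan: int = 55,
                      cas_if: str = "Integrated-Service-Engine1/0",
                      internal_if: str = "GigabitEthernet2/0") -> List[str]:
    """Return findings; an empty list means user VLANs reach the ISR only through the CAS."""
    esw, isr = parse_interfaces(esw_cfg), parse_interfaces(isr_cfg)
    user_vlans = trunk_vlans(esw, cas_port)      # VLANs the CAS bridges (51-53)
    direct_vlans = trunk_vlans(esw, isr_port)    # VLANs on the switch-to-ISR link (15,16)
    cas_side = subinterface_vlans(isr, cas_if)   # VLANs the ISR terminates behind the CAS
    direct_side = subinterface_vlans(isr, internal_if)
    findings: List[str] = []
    for v in sorted(user_vlans & direct_vlans):
        findings.append(f"VLAN {v} is trunked to the ISR on {isr_port}; clients can bypass the CAS")
    for v in sorted(user_vlans & direct_side):
        findings.append(f"VLAN {v} is terminated on {internal_if}; its gateway is reachable without the CAS")
    for v in sorted(user_vlans - cas_side):
        findings.append(f"VLAN {v} has no subinterface on {cas_if}; users behind the CAS have no gateway")
    if mgmt_vlan in user_vlans:
        findings.append(f"management VLAN {mgmt_vlan} is allowed on the untrusted trunk {cas_port}")
    if mgmt_vlan not in cas_side:
        findings.append(f"management VLAN {mgmt_vlan} has no subinterface on {cas_if}")
    return findings
```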
 
        
 
        

Example Layer 2 Out-of-Band Real-IP Gateway Configuration

This section describes the following:

Network Diagram (L2 OOB RGW)

CAS Configuration (L2 OOB RGW)

Integrated Services Router Configuration (L2 OOB RGW)

EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

Network Diagram (L2 OOB RGW)

Figure 2 shows the NAC module deployed as a CAS in Layer 2 out-of-band Real-IP Gateway mode.

Figure 2 NME-NAC (CAS) Layer 2 Out-of-Band Real-IP Gateway Deployment with NME-ESW

Key Points

Link between NME-ESW switch and CAS via external link or GigSerdes (on 3800) carries Auth VLAN 53

No VLAN 53 traffic on internal GE link between NME-ESW and ISR

User access VLAN and phone VLAN traffic is sent via the internal link to the Gig2/0 interface of the ISR.

CAS Configuration (L2 OOB RGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Out-of-Band Real-IP Gateway.

CAS IP Form (L2 OOB RGW)

CAS Managed Subnet Form (L2 OOB RGW)

CAS DHCP Form (L2 OOB RGW)

CAM - Switch Profile (L2 OOB RGW)

CAM - Port Profile (L2 OOB RGW)

CAM - SNMP Receiver (L2 OOB RGW)

CAM - Ports Management (L2 OOB RGW)

CAS IP Form (L2 OOB RGW)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

Clean Access Server Type: Real-IP Gateway

Trusted (10.10.55.2) and Untrusted (10.10.51.1) Interface IP Addresses are different

Trusted Interface Default Gateway (10.10.55.1) and Untrusted Interface Default Gateway (10.10.51.1) are different.

Trusted Interface Management VLAN ID (55) and Untrusted Interface Management VLAN ID (51) are different.


Note Management VLANs must be set for the CAM and CAS to manage the CAS from the CAM.


CAS Managed Subnet Form (L2 OOB RGW)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

A managed subnet is added for the Authentication VLAN (53) and verified in the list at the bottom of the page.

Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

For a Real-IP Gateway, the CAS will own the gateway IP address of the managed subnet.

CAS DHCP Form (L2 OOB RGW)

CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > DHCP

CAS is configured as a DHCP Relay.

CAM - Switch Profile (L2 OOB RGW)

CAM web console: Switch Management > Profiles > Switch > New/Edit

A Switch profile is created for the NME-ESW. Supported NME EtherSwitch service modules are added as 3750 Switch Models. Refer to Switch Support for Cisco NAC Appliance for details.

CAM - Port Profile (L2 OOB RGW)

CAM web console: Switch Management > Profiles > Port > New/Edit

A Port profile is created for the NME-ESW to map Authentication VLAN 53 to Access VLAN 11.

CAM - SNMP Receiver (L2 OOB RGW)

CAM web console: Switch Management > Profiles > SNMP Receiver

A Community String (public) is configured for the CAM SNMP Receiver.

CAM - Ports Management (L2 OOB RGW)

CAM web console: Switch Management > Devices > Switches > (Manage) Ports [Switch_IP]

The Profile (ISR_NME_switch) is applied to the switch port, and settings are updated on the switch.

Integrated Services Router Configuration (L2 OOB RGW)

ISR Configuration—Layer 2 Out-of-Band Real-IP Gateway
ISR# sh run
Building configuration...
!
ip dhcp excluded-address 10.10.53.1
ip dhcp excluded-address 10.10.53.254
ip dhcp excluded-address 10.10.11.1
ip dhcp excluded-address 10.10.12.1
ip dhcp excluded-address 10.10.15.1
!
ip dhcp pool vlan53
   network 10.10.53.0 255.255.255.0
   default-router 10.10.53.1 
!
ip dhcp pool vlan11
   network 10.10.11.0 255.255.255.0
   default-router 10.10.11.1 
!
ip dhcp pool vlan12
   network 10.10.12.0 255.255.255.0
   default-router 10.10.12.1 
!
ip dhcp pool vlan15
   network 10.10.15.0 255.255.255.0
   default-router 10.10.15.1 
!
interface Integrated-Service-Engine1/0
 description "Internal link between ISR and CAS"
 ip address 10.10.50.1 255.255.255.0
 no keepalive
!
interface Integrated-Service-Engine1/0.55
 encapsulation dot1Q 55
 ip address 10.10.55.1 255.255.255.0
!
interface GigabitEthernet2/0
 description "Internal link between ISR & NME-ESW switch"
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2/0.11
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet2/0.12
 encapsulation dot1Q 12
 ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet2/0.15
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
!
interface GigabitEthernet2/0.16
 encapsulation dot1Q 16
 ip address 10.10.16.1 255.255.255.0
!
end

EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

EtherSwitch (NME-ESW) Configuration—Layer 2 Out-of-Band Real-IP Gateway
NME-Switch# sh run
!
vlan 11,12,15,16,53 
!
interface FastEthernet1/0/1
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME switch and CAS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME switch and ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,15,16
 switchport mode trunk
!
interface Vlan16
 ip address 10.10.16.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.16.1
!
snmp-server community public RO
snmp-server community private RW
snmp-server trap-source Vlan16
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 10.10.100.2 public 
mac-notification
!
end
 
        
 
        

Additional References

For more information on Gigabit Serdes/HIMI, refer to:

Cisco High-Speed Intrachassis Module Interconnect (HIMI) Configuration Guide

For more information on EtherSwitch Service Modules, refer to:

Interface Cards and Modules (LAN section)

EtherSwitch Service Module (ES) Configuration Example

For more information on Clean Access Server configuration, refer to the applicable:

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

For OOB support information, see:

Switch Support for Cisco NAC Appliance

How to Configure the Cisco NAC Network Module

This section contains the following information:

Hardware Interfaces

Cisco NAC Network Module Configuration Worksheet

Setting Up Network Module Interfaces

Opening and Closing a Session

Running Clean Access Server Software Configuration Utility


Note If you lose power or connection during any of the following procedures, the system usually detects the interruption and tries to recover. If it fails to do so, fully reinstall the system using the boothelper, as described in Re-Installing Cisco NAC Network Module Software.


Initial configuration of the network module is done via CLI (router console). Thereafter, the Cisco NAC Network Module is a Clean Access Server that is managed via Clean Access Manager (CAM) web console. The CAS on the NAC network module can be accessed by: router console, CAM/CAS web console, and SSH.

This document presents router console configuration instructions.

For CAM/CAS web console (GUI) configuration instructions, refer to the following guides. Refer to the document version corresponding to the release you are running on your machines:

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Hardware Interfaces

The host router and network module use several interfaces for internal and external communication (see Figure 3). Each interface is configurable—for the router by using the Cisco IOS CLI and for the module by using the module firmware's CLI, GUI, or SSH.

Figure 3 Router and Network Module Interfaces

   | On This Hardware Interface...                                  | Configure These Settings...                        | Using This Configuration Interface
 1 | Router interface to external link (GigabitEthernet slot/0)     | Standard router settings                           | Router's Cisco IOS CLI
   | Note For ISR 2811 only, this is Fast Ethernet slot/0           |                                                    |
 2 | Router interface to module (integrated-service-engine slot/0)  | Module's IP address and default gateway router     | Router's Cisco IOS CLI
 3 | eth0 (trusted) interface of the Clean Access Server:           | NAC network module settings                        | NAC network module's CLI, GUI, or SSH interface
   | module interface to router (GigabitEthernet 0/1)               |                                                    |
 4 | eth1 (untrusted) interface of the Clean Access Server:         | Untrusted interface (client-side network) settings | NAC network module's CLI, GUI, or SSH interface
   | module interface to external link (GigabitEthernet 0/0)        |                                                    |

Cisco NAC Network Module Configuration Worksheet

You will need to collect the information in Table 5, first to configure the Cisco NAC Network Module within the Integrated Services Router (ISR), then to configure the Clean Access Server software that will run on the NAC network module.

Table 5 CAS Configuration Utility Worksheet

ISR Configuration Value                                | Address or Value | NAC Clean Access Server Configuration Value
service-module ip address module-side-ip-address        |                  | a. IP address for eth0 interface (trusted)
subnet-mask                                             |                  | b. Subnet mask (IP netmask) for eth0 interface
service-module ip default-gateway gateway-ip-address    |                  | c. Default gateway IP address for eth0 interface.
                                                        |                  |    Note This is the same IP as the router-side interface to the module.
                                                        |                  |    Note For Virtual Gateway, eth0 and eth1 have the same default gateway.
service-module external ip address external-ip-address  |                  | d. IP address for eth1 interface (untrusted)
subnet-mask                                             |                  | e. Subnet mask (IP netmask) for eth1 interface
n/a                                                     |                  | f. Default gateway IP address for eth1 interface
                                                        |                  |    Note For Virtual Gateway, eth0 and eth1 have the same default gateway.
n/a                                                     |                  | g. Host name for your CAS
n/a                                                     |                  | h. IP address of Domain Name Server on your network
n/a                                                     |                  | i. Shared secret
                                                        |                  |    Note Must be the same for the CAM and all CAS(s)
n/a                                                     |                  | j. Date, time and timezone
n/a                                                     |                  | k. To generate the required temporary SSL certificate (you can change this at a later time):
                                                        |                  |    - FQDN or eth0 IP address of CAS
                                                        |                  |    - Organization unit (e.g. Sales)
                                                        |                  |    - Organization name (e.g. Cisco)
                                                        |                  |    - Organization location (e.g. San Jose, CA, US)
                                                        |                  |    Note If using FQDN, make sure your DNS server is set up for the domain name.
n/a                                                     |                  | l. Root user password
n/a                                                     |                  | m. Web console password


Setting Up Network Module Interfaces

Your first configuration task is to set up network module interfaces to the host router and to its external links, which enables you to access the module to install and configure NAC.


Note The first few steps open the host-router CLI and access the router's interface to the module. The subsequent steps configure the interface.


SUMMARY STEPS

From the Host-Router CLI

1. enable

2. configure terminal

3. interface integrated-service-engine slot/0

4. ip address router-side-ip-address subnet-mask

or

ip unnumbered type number

5. service-module ip address module-side-ip-address subnet-mask

6. service-module external ip address external-ip-address subnet-mask

7. service-module ip default-gateway gateway-ip-address

8. end

9. copy running-config startup-config

10. show running-config

DETAILED STEPS

 
Command or Action
Purpose
 
From the Host-Router CLI

Step 1 

enable

Example:

Router> enable

Enters privileged EXEC mode on the host router. Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode on the host router.

Step 3 

interface integrated-service-engine slot/0

Example:

ISR 2811 (one-slot only):

Router(config)# interface integrated-service-engine 1/0

Example:

ISR 3845 (multiple-slot):

Router(config)# interface integrated-service-engine 3/0

Enters interface configuration mode for the slot and port where the network module resides.

Step 4 

ip address router-side-ip-address subnet-mask

or

ip unnumbered type number

Example:

Router(config-if)# ip address 10.30.30.10 255.255.255.0

or

Router(config-if)# ip unnumbered ethernet 0

Specifies the router interface to the module (#2 in Figure 3). Arguments are as follows:

router-side-ip-address subnet-mask—IP address and subnet mask for the interface.

type number—Type and number of another serial interface on which the router has an assigned IP address. It cannot be another unnumbered interface. Serial interfaces using High Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, Serial Line Internet Protocol (SLIP), and tunnel interfaces can be unnumbered.

Step 5 

service-module ip address module-side-ip-address subnet-mask

Example:

Router(config-if)# service-module ip address 10.30.30.9 255.255.255.0

Specifies the IP address for the module interface to the router (#3 in Figure 3).

Note This is the trusted (eth0) interface of the Clean Access Server.

Arguments are as follows:

module-side-ip-address—IP address for the interface

subnet-mask—Subnet mask to append to the IP address; must be in the same subnet as the host router

Step 6 

service-module external ip address external-ip-address subnet-mask

Example:

Router(config-if)# service-module external ip address 172.0.0.30 255.255.255.0

Specifies the IP address for the external LAN interface on the module (#4 in Figure 3).

Note This is the untrusted (eth1) interface of the Clean Access Server.

Arguments are as follows:

external-ip-address—IP address for the interface

subnet-mask—Subnet mask to append to the IP address

Step 7 

service-module ip default-gateway gateway-ip-address

Example:

Router(config-if)# service-module ip default-gateway 10.30.30.10

Specifies the IP address for the default gateway router for the module. The argument is as follows:

gateway-ip-address—IP address for the gateway router

Step 8 

end

Example:

Router(config-if)# end

Returns to privileged EXEC mode on the host router, from which the next steps are run.

Step 9 

copy running-config startup-config

Example:

Router# copy running-config startup-config

Saves the router's new running configuration.

Step 10 

show running-config

Example:

Router# show running-config

Displays the router's running configuration, so that you can verify address configurations.

Examples

The following partial output from the show running-config command shows how the interfaces are configured.

NME-NAC-3845#sh run interface integrated-service-engine 3/0
Building configuration...
 
Current configuration : 197 bytes
!
interface integrated-service-engine3/0
 ip address 10.30.30.10 255.255.255.0
 service-module ip address 10.30.30.9 255.255.255.0
 service-module ip default-gateway 10.30.30.10
 no keepalive
end
 
   
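As an added worked check for Steps 3 through 7, written for this page rather than taken from the Cisco guide, the following Python script takes the worksheet values and tests the two consistency rules the steps state (the module-side address must be in the same subnet as the host router, and the module's default gateway is the router-side interface address), then renders the equivalent IOS interface commands. The addresses are those used in the Step 4 to Step 7 examples; the slot number, the dictionary keys and the function names are this example's own assumptions.

```python
import ipaddress

# Constructed worksheet using the addresses from the Step 4-7 examples above
# (router-side 10.30.30.10, module-side 10.30.30.9, external 172.0.0.30, slot 3).
WORKSHEET = {
    "slot": 3,                          # integrated-service-engine slot/0
    "router_side": "10.30.30.10/24",    # ip address (#2 in Figure 3)
    "module_side": "10.30.30.9/24",     # service-module ip address (CAS eth0, trusted)
    "external": "172.0.0.30/24",        # service-module external ip address (CAS eth1, untrusted)
    "gateway": "10.30.30.10",           # service-module ip default-gateway
}


def check_worksheet(ws):
    """Return a list of consistency problems; an empty list means the values agree."""
    problems = []
    router = ipaddress.ip_interface(ws["router_side"])
    module = ipaddress.ip_interface(ws["module_side"])
    external = ipaddress.ip_interface(ws["external"])
    gateway = ipaddress.ip_address(ws["gateway"])

    # Step 5: the module-side address must be in the same subnet as the host router.
    if module.network != router.network:
        problems.append(
            f"module-side {module} is not in the router-side subnet {router.network}")
    # Router-side and module-side addresses are the two ends of one link and must differ.
    if module.ip == router.ip:
        problems.append(f"module-side and router-side addresses are both {module.ip}")
    # Worksheet field c: the module's default gateway is the router-side interface address.
    if gateway != router.ip:
        problems.append(
            f"default gateway {gateway} is not the router-side address {router.ip}")
    # Network and broadcast addresses cannot be assigned to an interface.
    for name, iface in (("router-side", router), ("module-side", module), ("external", external)):
        if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
            problems.append(f"{name} address {iface.ip} is the network or broadcast address")
    return problems


def render_ios_config(ws):
    """Render the interface commands of Steps 3-7 for the worksheet values."""
    router = ipaddress.ip_interface(ws["router_side"])
    module = ipaddress.ip_interface(ws["module_side"])
    external = ipaddress.ip_interface(ws["external"])
    return "\n".join([
        f"interface integrated-service-engine {ws['slot']}/0",
        f" ip address {router.ip} {router.netmask}",
        f" service-module ip address {module.ip} {module.netmask}",
        f" service-module external ip address {external.ip} {external.netmask}",
        f" service-module ip default-gateway {ws['gateway']}",
        "end",
    ])


if __name__ == "__main__":
    issues = check_worksheet(WORKSHEET)
    print("\n".join(issues) if issues else render_ios_config(WORKSHEET))
```

Running the script with the worksheet above prints the same interface block as the show running-config output, with the external address added; changing the module-side address to another subnet or pointing the gateway at any address other than the router-side interface produces a problem line instead, which is cheaper to catch here than after the module has been reloaded and cannot reach the CAM.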

Opening and Closing a Session

You can now open and close a session on the network module.


Note You can conduct only one session at a time.

The first few steps open the host-router CLI and access the module. The subsequent steps configure the module. The last steps return you to the host-router CLI.


SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the configuration detailed in Running Clean Access Server Software Configuration Utility.

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

 
Command or Action
Purpose
 
From the Host-Router CLI

Step 1 

enable

Example:

Router> enable

Enters privileged EXEC mode on the host router. Enter your password if prompted.

Step 2 

service-module integrated-service-engine slot/0 status

Example:

Router# service-module integrated-service-engine 2/0 status

Displays the status of the specified module, so that you can ensure that the module is running (that is, in steady state).

Note If the module is not running, start it with one of the startup commands listed in the "Shutting Down and Starting Up Cisco NAC Network Module" section.

Step 3 

service-module integrated-service-engine slot/0 session

Example:

Router# service-module integrated-service-engine 1/0 session

Trying 10.10.10.1, 2065 ... Open

Begins a session on the specified module. Do one of the following:

To interrupt the auto-boot sequence and access the bootloader, quickly type ***. This should only be done if the machine cannot boot. In this case, refer to Re-Installing Cisco NAC Network Module Software for detailed steps.

To start a configuration session, press Enter.

 
From the Service-Module Interface

Step 4 

Fedora Core release 4 (Stentz)

Kernel 2.6.11-perfigo on an i686

NME-NAC login: root

See Running Clean Access Server Software Configuration Utility for instructions on how to perform the initial configuration of the Clean Access Server software on the NAC network module.

Step 5 

Press Control-Shift-6 x.

Closes the service-module session and returns to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.

 
From the Host-Router CLI

Step 6 

service-module integrated-service-engine slot/0 session clear

Example:

Router# service-module integrated-service-engine 1/0 session clear

Clears the service-module session for the specified module. When prompted to confirm this command, press Enter.

Running Clean Access Server Software Configuration Utility

The first time a session to the NAC network module is opened, the Clean Access Server quick configuration utility prompts appear. This section details the CAS Configuration Utility steps.

DETAILED STEPS

 
Command or Action
Purpose
 
From the Service-Module Interface

Step 1 

root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

Welcome to the Cisco Clean Access Server quick configuration utility.
Note that you need to be root to execute this utility.
The utility will now ask you a series of configuration questions. Please answer them carefully.
Cisco Clean Access Server, (C) 2008 Cisco Systems, Inc.
Please use ^H to delete

Configuring the network interfaces:

From the network module prompt, log in to the Clean Access Server Configuration Utility as the root user. The first time you log in, there is no password prompt.

Note After the module is initially configured, you can bring up this Configuration Utility again by:

Starting a configuration session on the module and entering the NAC Appliance CLI command, service perfigo config.

Using SSH to connect to the module (CAS eth0 IP address) and entering service perfigo config

Step 2 

module-side-ip-address

Example:

Please enter the IP address for the interface eth0 [10.201.2.30]: 10.201.217.203

You entered 10.201.217.203 Is this correct? (y/n)? [y]

At the first prompt, type an IP address for the eth0 (trusted) interface of the CAS (from field a of the CAS Worksheet) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.

Note The eth0 IP address of the CAS is the same as the Management IP address.

Step 3 

module-side-ip-address subnet-mask

Example:

Please enter the netmask for the interface eth0 [255.255.255.0]:

You entered 255.255.255.0, is this correct? (y/n)? [y]

Type the subnet mask for the interface address (from field b) at the prompt or press Enter for the default (255.255.255.0). Confirm the value when prompted.

Step 4 

service-module ip default-gateway

Example:

Please enter the IP address for the default gateway [10.201.217.1]: 10.201.217.202

You entered 10.201.217.202 Is this correct? (y/n)? [y]

Accept the default gateway address or type a default gateway (from field c) for the eth0 address of the CAS and press Enter. Confirm the default gateway at the prompt.

Step 5 

y-or-n

Example:

[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.

Would you like to enable it? (y/n)? [n]

At the VLAN ID Passthrough prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled as the default behavior of the CAS. By default, VLAN IDs are stripped from traffic passing through the interface to the CAS. Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network.

Note In most cases, VLAN passthrough is not needed.

Step 6 

y-or-n

Example:

[Management Vlan Tagging] for egress packets of eth0 is disabled.

Would you like to enable it? (y/n)? [n]

At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type y and press Enter to enable Management VLAN tagging with the specified VLAN ID for the eth0 interface.

Note Management VLAN tagging is necessary when the trusted side of the CAS is a trunk, such as in Virtual Gateway deployments. In this case, you will need to enable Management VLAN tagging and specify the VLAN ID to which the trusted interface of the CAS belongs.

Note CAS eth0 interface settings are required for basic connection to the CAM. CAS eth1 interface settings can be reconfigured later from the CAM web console.

Step 7 

external-ip-address

Example:

Please enter the IP address for the untrusted interface eth1 [192.168.110.1]: 10.201.243.49

You entered 10.201.243.49 Is this correct? (y/n)? [y]

Type an IP address for the eth1 (untrusted) interface of the CAS (from field d) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.

Note For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See the CAS guide for further details.

Step 8 

external-ip-address-subnet-mask

Example:

Please enter the netmask for the interface eth1 [255.255.255.0]: 255.255.255.240

You entered 255.255.255.240, is this correct? (y/n)? [y]

Type the subnet mask of the eth1 interface (from field e) or press Enter to accept the default of 255.255.255.0. Confirm the value when prompted.

Step 9 

external-ip-address-default-gateway

Example:

Please enter the IP address for the default gateway [10.201.243.1]: 10.201.243.49

You entered 10.201.243.49 Is this correct? (y/n)? [y]

Enter the default gateway address for the eth1 untrusted interface (from field f):

a. If the CAS will be a Real-IP Gateway, this is the IP address of the CAS's untrusted interface eth1.

b. If the CAS will be a Virtual Gateway, this can be the same default gateway address used for the trusted interface.

Step 10 

y-or-n

Example:

[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.

Would you like to enable it? (y/n)? [n]

At the next prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled for the eth1 interface.

Step 11 

y-or-n

Example:

[Management Vlan Tagging] for egress packets of eth1 is disabled.

Would you like to enable it? (y/n)? [n]

At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default) for the eth1 interface.

Step 12 

clean-access-server-host-name

Example:

Please enter the hostname [caserver]: cas-10

You entered cas-10 Is this correct? (y/n)? [y]

Type and confirm the host name for the Clean Access Server (from field g).

Step 13 

dns-server-ip-address

Example:

Please enter the IP address for the name server: [171.68.226.120]:

You entered 171.68.226.120 Is this correct? (y/n)? [y]

Type the IP address of the DNS server in your environment (from field h) at the prompt, or press Enter to accept the default.

Step 14 

nac-shared-secret

Example:

The shared secret used between Clean Access Manager and Clean Access Server is the default string: cisco123

This is highly insecure. It is recommended that you choose a string that is unique to your installation.

Please remember to configure all Clean Access Devices with the same string.

Only the first 8 characters supplied will be used.

Please enter the shared secret between Clean Access Server and Clean Access Manager: cisco1234

You entered: cisco1234

Is this correct? (y/n)? [y]

Type and confirm the shared secret for the CAM and CAS (from field i) at the prompts.


Caution The shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the deployment. If they have different shared secrets, they cannot communicate.

Step 15 

region-number

Example:

>>> Configuring date and time:

The timezone is currently not set on this system.

Please identify a location so that time zone rules can be set correctly.

Please select a continent or ocean.

1) Africa

2) Americas

3) Antarctica

4) Arctic Ocean

5) Asia

6) Atlantic Ocean

7) Australia

8) Europe

9) Indian Ocean

10) Pacific Ocean

11) none - I want to specify the time zone using the Posix TZ format.

#? 2

Specify time settings for the Clean Access Server (from field j) as follows:

Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.

Step 16 

country-number

Example:

Please select a country.

1) Anguilla 18) Ecuador 35) Paraguay

2) Antigua & Barbuda 19) El Salvador 36) Peru

3) Argentina 20) French Guiana 37) Puerto Rico

4) Aruba 21) Greenland 38) St Kitts & Nevis

5) Bahamas 22) Grenada 39) St Lucia

6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon

7) Belize 24) Guatemala 41) St Vincent

8) Bolivia 25) Guyana 42) Suriname

9) Brazil 26) Haiti 43) Trinidad & Tobago

10) Canada 27) Honduras 44) Turks & Caicos Is

11) Cayman Islands 28) Jamaica 45) United States

12) Chile 29) Martinique 46) Uruguay

13) Colombia 30) Mexico 47) Venezuela

14) Costa Rica 31) Montserrat 48) Virgin Islands (UK)

15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US)

16) Dominica 33) Nicaragua

17) Dominican Republic 34) Panama

#? 45

The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 45 for the United States, and press Enter.

Step 17 

timezone-number

Example:

Please select one of the following time zone regions.

1) Eastern Time

2) Eastern Time - Michigan - most locations

3) Eastern Time - Kentucky - Louisville area

4) Eastern Time - Kentucky - Wayne County

5) Eastern Time - Indiana - most locations

6) Eastern Time - Indiana - Crawford County

7) Eastern Time - Indiana - Starke County

8) Eastern Time - Indiana - Switzerland County

9) Central Time

10) Central Time - Indiana - Daviess, Dubois, Knox, Martin, Perry & Pulaski Counties

11) Central Time - Indiana - Pike County

12) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties

13) Central Time - North Dakota - Oliver County

14) Central Time - North Dakota - Morton County (except Mandan area)

15) Mountain Time

16) Mountain Time - south Idaho & east Oregon

17) Mountain Time - Navajo

18) Mountain Standard Time - Arizona

19) Pacific Time

20) Alaska Time

21) Alaska Time - Alaska panhandle

22) Alaska Time - Alaska panhandle neck

23) Alaska Time - west Alaska

24) Aleutian Islands

25) Hawaii

#? 19

If the country contains more than one time zone, the time zones for the country appear.

Choose the appropriate time zone region from the list, such as 19 for Pacific Time, and press Enter.

Step 18 

confirmation-number

Example:

The following information has been given:

United States

Pacific Time

Is the above information OK?

1) Yes

2) No

#? 1

Updating timezone information...

Confirm your choices by entering 1, or use 2 to cancel and start over.

Step 19 

y-or-n

or

hh:mm:ss mm/dd/yy

Example:
Current date and time hh:mm:ss mm/dd/yy [11:23:33 08/22/08]: 11:26:33 08/22/08
You entered 11:26:33 08/22/08  Is this correct? (y/n)? [y]

Type and confirm the current date and time, using format hh:mm:ss mm/dd/yy.


Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS's SSL certificate.


Step 20 

<certificate fields>

Example:

You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console.

Please answer the following questions correctly.

Information for a new SSL certificate:

Enter fully qualified domain name or IP: 10.201.217.203

Enter organization unit name: Test

Enter organization name: Cisco Systems

Enter city name: San Jose

Enter state code: California

Enter 2 letter country code: US

Follow the prompts to configure the temporary SSL security certificate that secures the login exchange between the Clean Access Server and untrusted (managed) clients (using field k):

a. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, Perfigo).

b. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter.

c. Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter.

d. Type the two-character code of the state in which the organization is located (for example, California or NY), and press Enter.

e. Type the two-letter country code (for example, US), and press Enter.

Step 21 

y-or-n

Example:

You entered the following:

Domain: 10.201.217.203

Organization unit: Test

Organization name: Cisco Systems

City name: San Jose

State code: California

Country code: US

Is this correct? (y/n)? [y]

Generating SSL Certificate...

CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:

CA verifying: /root/.tomcat.crt <-> CA cert

/root/.tomcat.crt: OK

Done

Confirm the values and press Enter to generate the SSL certificate, or type n to start the certificate prompts again.

Step 22 

y-or-n

Example:
Enable Prelogin Banner Support? (y/n)? [n]

Confirm whether to enable the Pre-login Banner for admin users before they log into the CAS (Release 4.5 and later).

Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS. See the installation chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 for details.

Step 23 

root-user-password

Example:
For security reasons, it is highly recommended that you change the password for the root user.
** Please enter a valid password for root user as per the requirements below! **

Changing password for user root.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. Minimum of 8 characters and maximum
of 16 characters with characters from all of these classes. Minimum
of 2 characters from each of the four character classes is mandatory.
An upper case letter that begins the password and a digit that ends
it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.

Type the root user password for the installed Linux operating system of the CAS (from field l). The root user account is used to access the system over direct/serial/SSH connection.

Starting from Release 4.5, the default root user password (cisco123) is removed, and Cisco NAC Appliance supports Strong Passwords only for root user login. Passwords must be at least 8 characters long and contain at least two characters from each of the following four categories: lower-case letters, upper-case letters, numbers (digits), and special characters (such as !@#$%^&*~).

For example, 1o-9=OnE is a valid password, but the password 10-9=One does not satisfy requirements because it does not contain two characters from each category. For further details, see the "Manage System Passwords" section in the "Administer the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5.
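Two of the utility's rules are easier to check before the session than by trial and error at the prompt: the root password policy printed in Step 23 and the notice in Step 14 that only the first 8 characters of the shared secret are used. The following Python code is an added example written for this page, not Cisco's own validator. It implements the policy exactly as the Step 23 message states it (8 to 16 characters, at least two characters from each of the four classes, with a leading upper-case letter and a trailing digit not counted); the function names and the sample passwords are this example's own.

```python
MIN_LEN, MAX_LEN = 8, 16      # root password length limits from the Step 23 message
SHARED_SECRET_USED = 8        # "Only the first 8 characters supplied will be used." (Step 14)


def _char_class(ch):
    """Classify one character into the four classes the policy counts."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "other"


def check_root_password(password):
    """Return the policy violations for a candidate root password (empty list = accepted)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} is not between {MIN_LEN} and {MAX_LEN}")

    # An upper-case letter that begins the password and a digit that ends it
    # do not count toward the class totals, so strip them before counting.
    counted = password
    if counted and counted[0].isupper():
        counted = counted[1:]
    if counted and counted[-1].isdigit():
        counted = counted[:-1]

    counts = {"upper": 0, "lower": 0, "digit": 0, "other": 0}
    for ch in counted:
        counts[_char_class(ch)] += 1
    for cls, n in counts.items():
        if n < 2:
            problems.append(f"only {n} counted {cls} character(s), 2 required")
    return problems


def effective_shared_secret(secret):
    """Return the part of a CAM/CAS shared secret that is actually used."""
    return secret[:SHARED_SECRET_USED]


def shared_secrets_match(secret_a, secret_b):
    """True when two secrets are the same after the utility's truncation."""
    return effective_shared_secret(secret_a) == effective_shared_secret(secret_b)


if __name__ == "__main__":
    for candidate in ("1o-9=OnE", "10-9=One"):
        print(candidate, check_root_password(candidate) or "accepted")
    print("cisco1234 ->", effective_shared_secret("cisco1234"))
```

Run against the guide's own examples, 1o-9=OnE is accepted and 10-9=One is rejected on the upper-case count. The shared-secret helper shows the consequence of the 8-character notice: the value typed in the Step 14 example, cisco1234, is truncated to cisco123, which is exactly the default string the utility describes as highly insecure, so a replacement secret needs all of its unpredictability within its first eight characters.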

Step 24 

web-console-admin-password

Example:

Please enter an appropriately secure password for the web console admin user.

New password for web console admin:

Confirm new password for web console admin:

Web console admin password changed successfully.

Type the admin user password for the CAS direct access web console (from field m). The CAS web console provides limited CAS-specific settings, and is primarily used to set up High Availability.

Step 25 

reboot

Example:
Configuration is complete.
[root@NME-NAC ~]# reboot
Broadcast message from root (ttyS0) (Fri Aug  22 11:45:36 2008):
The system is going down for reboot NOW!

[root@cas-10 ~]#

After the configuration is complete, wait for the prompt, then type reboot to reboot the CAS.


Note If you used service perfigo config to start the configuration utility, you must type service perfigo reboot or reboot and press Enter to reboot the machine after configuration.


The CAS initial configuration is now complete.

Step 26 

From CAS:

ping cam-ip-address

From CAM (ping CAS eth0 address):

ping 10.201.217.203 ...

Ping the CAM from the CAS to verify that the CAM and CAS can ping (route) to each other.

 
From Web Browser Interfaces

Step 27 

https://<CAS IP address>/admin

Type the CAS IP address into the URL/address field of a web browser to verify that you can log into the CAS web console. Log in with the web console admin user password you configured earlier in this procedure.

Note Make sure to type "https" and "/admin" in the CAS URL or you will get the end user portal.

Step 28 

http://<CAM IP address>/admin

Log into the CAM web console by typing the CAM IP address into the URL/address field of a web browser.

From the CAM web console:

Add the NAC network module license under Administration > CCA Manager > Licensing as described in Cisco NAC Appliance Service Contract / Licensing Support.

Add the CAS to the CAM as described in:

Cisco NAC Appliance Configuration Quick Start Guide, or

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide (applicable to your release)

 
From the Service-Module Interface

Step 29 

Press Control-Shift-6 x.

Closes the service-module session and returns to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.

 
From the Host-Router CLI

Step 30 

service-module integrated-service-engine slot/0 session clear

Example:

Router# service-module integrated-service-engine 1/0 session clear

Clears the service-module session for the specified module. When prompted to confirm this command, press Enter.

Important Notes for SSL Certificates

You must generate the temporary SSL certificates during the initial configuration of both the CAM and CAS or you will not be able to access your NAC Appliance as an admin or end user.

Before deploying the CAM or CAS in a production environment, you can obtain a trusted certificate from a Certificate Authority to replace the temporary certificate. A CA-signed certificate for the CAS prevents the security warning when end users log in and a CA-signed certificate for the CAM prevents the admin web login security warning.

Make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. For further details see the "Set System Time" and "Manage SSL Certificates" sections of the CAM and CAS guides.
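The note under Step 19 and the section above give two clock rules: the CAS clock must lie inside the CAM certificate's validity window, and each client's clock inside the CAS certificate's window. The Python below is an added example for this page (not Cisco code) that applies both rules to certificate summaries in the shape Python's ssl.SSLSocket.getpeercert() returns, with the clocks written in the hh:mm:ss mm/dd/yy form the utility asks for in Step 19. The two certificate dictionaries, their dates and the CAM host name are constructed for the example, and the clocks are assumed to be expressed in UTC.

```python
import ssl
from datetime import datetime, timezone

# Constructed certificate summaries in the shape ssl.SSLSocket.getpeercert() returns
# (only the fields used here). The dates and the CAM name are made up for this example;
# 10.201.217.203 is the CAS eth0 address entered for the certificate in Step 20.
CAM_CERT = {
    "subject": ((("commonName", "cam.example.test"),),),
    "notBefore": "Aug 22 11:45:36 2008 GMT",
    "notAfter": "Aug 22 11:45:36 2009 GMT",
}
CAS_CERT = {
    "subject": ((("commonName", "10.201.217.203"),),),
    "notBefore": "Aug 22 12:00:00 2008 GMT",
    "notAfter": "Aug 22 12:00:00 2009 GMT",
}


def parse_cas_clock(text):
    """Parse the hh:mm:ss mm/dd/yy form used at the Step 19 prompt; UTC is assumed."""
    return datetime.strptime(text, "%H:%M:%S %m/%d/%y").replace(tzinfo=timezone.utc)


def validity_window(cert):
    """Return (notBefore, notAfter) as epoch seconds from a getpeercert()-style dict."""
    return (ssl.cert_time_to_seconds(cert["notBefore"]),
            ssl.cert_time_to_seconds(cert["notAfter"]))


def clock_within(cert, clock):
    """True when the given aware datetime falls inside the certificate's window."""
    not_before, not_after = validity_window(cert)
    return not_before <= clock.timestamp() <= not_after


def check_clocks(cam_cert, cas_cert, cas_clock, client_clock):
    """Apply both rules; return the failures (an empty list means both clocks are acceptable)."""
    failures = []
    # Rule 1: the CAS clock must fall inside the CAM certificate's validity range.
    if not clock_within(cam_cert, parse_cas_clock(cas_clock)):
        failures.append("CAS clock outside CAM certificate validity")
    # Rule 2: the user machine's clock must fall inside the CAS certificate's validity range.
    if not clock_within(cas_cert, parse_cas_clock(client_clock)):
        failures.append("client clock outside CAS certificate validity")
    return failures


if __name__ == "__main__":
    # The Step 19 example time, 11:26:33 08/22/08, is earlier than this constructed
    # CAM certificate's notBefore, so the first rule fails here.
    print(check_clocks(CAM_CERT, CAS_CERT, "11:26:33 08/22/08", "12:30:00 08/22/08"))
```

In use, the dictionaries would come from getpeercert() after a TLS connection to the CAM or CAS web console. The time zone chosen in Steps 15 through 18 determines how the appliance interprets the value typed in Step 19, so convert that clock to UTC before comparing it with certificate dates, which are always given in GMT; a CAS whose clock is a few minutes behind a freshly generated CAM certificate fails the first rule even though both devices are otherwise correctly configured, which is why the section above asks for the time to be synchronized before a certificate is regenerated.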

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

This section contains the following information:

Shutting Down and Starting Up Cisco NAC Network Module

Verifying System Status

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

Re-Installing Cisco NAC Network Module Software


Note The tables in these sections show only common router and network module commands.

To view a complete list of available commands, type ? at the prompt
(Example: Router(config-if)# ?).

To view a complete list of command keyword options, type ? at the end of the command
(Example: Router# service-module integrated-service-engine ?).

The tables group commands by the configuration mode in which they are available. If the same command is available in more than one mode, it may act differently in each mode.


Shutting Down and Starting Up Cisco NAC Network Module

To shut down or start up the Cisco NAC network module or the Clean Access Server application that runs on the module, use commands as needed from the following list of common router and network module commands (Table 6).


Note Some shutdown commands can potentially disrupt service. If command output for such a command displays a confirmation prompt, confirm by pressing Enter or cancel by typing n and pressing Enter. Alternatively, prevent the prompt from displaying by using the no-confirm keyword.

Some commands shut the module or application down and then immediately restart it.


Table 6 Common Shutdown and Startup Commands 

Configuration Mode
Command
Purpose
Router#

service-module integrated-service-engine slot/0 reload

(Preferred) Shuts down the network module operating system gracefully, allowing services to execute their shutdown process, then restarts the network module from the bootloader.

This command is similar to executing a reboot from the network module's Linux console.

Note If reload executes, there is no need to use the reset command.

Router#

service-module integrated-service-engine slot/0 reset

(Ungraceful) Resets the hardware on a module via a hardware reset line. This command should only be used to recover from shutdown or a failed state.


Caution Never issue reset before reload.

This command is similar to pressing the reset button on a Linux box; it does not allow services to execute their shutdown process.

Router#

service-module integrated-service-engine slot/0 session

Accesses the specified service engine and begins a network module configuration session.

Router#

service-module integrated-service-engine slot/0 shutdown

Shuts down the network module operating system gracefully. Use when removing or replacing a hot-swappable module during online insertion and removal (OIR).

Router#

service-module integrated-service-engine slot/0 status

Displays configuration and status information for the network module hardware and software.

ServicesEngine boot-loader>

boot helper | chainloader

Starts the boothelper or bootloader.

ServicesEngine boot-loader>

reboot

Shuts down the NAC network module without first saving configuration changes, then reboots it from the bootloader.


Verifying System Status

To verify the status of an installation, upgrade, or downgrade or to troubleshoot problems, use commands as needed from the following list of common router and network module commands (Table 7).


Note Among the keyword options for many show commands is a provision to display diagnostic output on your screen or to pipe it to a file or a URL.


Table 7 Common Verification and Troubleshooting Commands 

Configuration Mode
Command
Purpose
Router#

ping

Pings a specified IP address to check network connectivity (does not accept a hostname as destination).

Router#

show arp

Displays the current Address Resolution Protocol (ARP) table.

Router#

show clock

Displays the current date and time.

Router#

show configuration

Displays the current bootloader configuration as entered by means of the configure command.

Router#

show controllers

Displays interface debug information.

Router#

show diag

Displays standard Cisco IOS diagnostics information, including information about NAC.

Router#

show hardware

Displays information about network module and host-router hardware.

Router#

show hosts

Displays the default domain name, the style of name lookup, the list of name-server hosts, and the cached list of hostnames and addresses.

Router#

show interfaces

Displays information about all hardware interfaces, including network and disk.

Router#

show interfaces integrated-service-engine slot/0

Displays information about the module side of the router-module interface.

Router#

show ntp status

Displays information about Network Time Protocol (NTP).

Router#

show processes

Displays a list of the running application processes.

Router#

show running-config

Displays the configuration commands that are in effect.

Router#

show startup-config

Displays the startup configuration.

Router#

show tech-support

Displays general information about the host router that is useful to Cisco technical support for problem diagnosis.

Router#

show version

Displays the version of the loaded router software or network module bootloader, together with hardware and device information.

ServicesEngine boot-loader>

ping

Pings a specified IP address to check network connectivity (does not accept a hostname as destination).

ServicesEngine boot-loader>

show config

Displays the startup configuration stored in flash memory.


Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

To upgrade the Cisco NAC Network Module to the latest supported Cisco NAC Appliance release, a single product upgrade file (cca_upgrade-<version>.tar.gz) is uploaded and applied to the CAS. This section describes the following upgrade procedures:

CAS Upgrade via CLI

CAS Upgrade via Web Console


Note Clean Access Manager/Server appliances and Cisco NAC Network Modules in your deployment must all run the same version of the Cisco NAC Appliance software.



Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.



Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.



Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.


See Restrictions for Cisco NAC Network Module for additional information.

CAS Upgrade via CLI

You can upgrade the CAS on your NAC network module by using the command line upgrade procedure described in this section.


Note If upgrading to Cisco NAC Appliance Release 4.5 or later, you must use the command line upgrade procedure only.


SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the upgrade procedure described in DETAILED STEPS (CAS UPGRADE).

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS (CAS UPGRADE)

 
Command or Action
Purpose

Step 1 

a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.

c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>."

d. Locate the product upgrade (.tar.gz) file for the applicable version:

cca_upgrade-<version>.tar.gz

nme-nac-upgrade-<version>-from-4.6.x.tar.gz (for upgrading from 4.6(1) to 4.8(x))

cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz (for upgrading from 4.8 to 4.8(x))

nme-nac-upgrade-<version>-from-4.8.x.tar.gz (for upgrading from 4.8(x) to 4.9)

nme-nac-upgrade-<version>-from-4.8.x-4.9.x.tar.gz (for upgrading from 4.8(x) or 4.9(x) to 4.9(1) or 4.9(2))

e. Download and save this file to a local machine that can access the NAC network module over the network.

Note For Release 4.5, the upgrade file name is cca_upgrade-4.5.0-NO-WEB.tar.gz

Download the Cisco NAC Appliance product upgrade file.

 
From the Service-Module Interface

Step 2 

root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

From the network module prompt, log into the Clean Access Server Configuration Utility as the root user to access the command line of the CAS.

Step 3 

cat /perfigo/build

Example:

[root@cas128 ~]# cat /perfigo/build

VERSION=4.1.2.1

NAME=Clean Access Server

DATE=2007/09/07

Verify the current Cisco NAC Appliance software version on the CAS.

Step 4 

Copy the upgrade file to the /store directory of the CAS.

Example:

If using WinSCP or SSH File Transfer:

a. Copy cca_upgrade-<version>.tar.gz to the /store directory of the CAS.

If using PSCP:

a. Open a command prompt on your Windows computer.

b. Change directory (cd) to the path where PSCP resides (for example, C:\Documents and Settings\desktop).

c. Enter the following command to copy the file to the CAS (copy to each CAS):

pscp cca_upgrade-4.5.0-NO-WEB.tar.gz root@ipaddress_server:/store

Copy the upgrade file to the /store directory of the CAS using WinSCP, SSH File Transfer or PSCP.

Step 5 

cd /store

ls

Example:

[root@cas128 ~]# cd /store

[root@cas128 store]# ls

cca_upgrade-4.5.0-NO-WEB.tar.gz

On the CAS, change directory to /store and verify the upgrade package is there.

Step 6 

tar zxf cca_upgrade-<version>.tar.gz

ls

Example:

[root@cas128 store]# tar xzf cca_upgrade-4.5.0-NO-WEB.tar.gz

[root@cas128 store]# ls

cca_upgrade-4.5.0 cca_upgrade-4.5.0-NO-WEB.tar.gz upload

[root@cas128 store]#

Extract the contents of the upgrade file.

Step 7 

cd cca_upgrade-<version>

./UPGRADE.sh

Example:

[root@cas128 store]# cd cca_upgrade-4.5.0

[root@cas128 cca_upgrade-4.5.0]# ls

agent-version.sh checksum.txt notes.html version.sh

cam-4.5.x-upgrade.sh checksum.txt.sig RPMS

cas-4.5.x-upgrade.sh dmidecode showstate.sh

cca_upgrade-4.1.6.tar.gz initrd.img UPGRADE.sh

[root@cas128 cca_upgrade-4.5.0]# ./UPGRADE.sh

...stopping CCA Server...

BaseAgent process stopped!

Stopping DHCP...

In Maintenance Mode...

Welcome to the CCA Server migration utility.

...Upgrading to newer rpms of 4.5.0...done.

...Upgrading CCA files... done

Clearing Tomcat cache...checking ssl configuration...done.

[root@cas128 cca_upgrade-4.5.0]#

Change to the cca_upgrade-<version> directory under /store and run the upgrade script.

Step 8 

reboot

Example:

[root@cas128 cca_upgrade-4.5.0]# reboot

Broadcast message from root (pts/0) (Tue Oct 21 18:49:00 2008):

The system is going down for reboot NOW!

[root@cas126 cca_upgrade-4.5.0]#

Reboot the CAS after upgrade is complete.

Step 9 

cat /perfigo/build

Example:

[root@cas128 ~]# cat /perfigo/build

NAME=Clean Access Server

DATE=2008/10/20

AUTHOR=rachnar

BUILD_TAG=NAC-4_5_0-RC9

BUILD_INFO=Experimental

BUILT_ON=mercury

REBUILD_COUNT=0

Verify the new build after the CAS reboot.

Step 10 

Press Control-Shift-6 x.

Close the service-module session and return to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.

 
From the Host-Router CLI

Step 11 

service-module integrated-service-engine slot/0 session clear

Example:

Router# service-module integrated-service-engine 1/0 session clear

Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.

CAS Upgrade via Web Console

If upgrading the CAS on your NAC network module to Cisco NAC Appliance Release 4.1(6) or earlier only, you can use the same web upgrade procedure used to upgrade standalone CAS appliances as described in the "Upgrading" section of the applicable Release Notes for Cisco NAC Appliance.


Note Cisco NAC Appliance Release 4.5 (and later) does not support web upgrade. Refer to the Release Notes for Cisco NAC Appliance, Release 4.5 for details.


CAS Web Upload

If upgrading to Release 4.1.6 or earlier and the upgrade file is uploaded via CAS web upload on a 4.1.6 or earlier CAS, the file is placed in /store/upload. The web-uploaded file also has a randomly generated numeric code appended to the .tar.gz file name (for example, cca_upgrade-<version>.tar<digit code>.gz).

If Release 4.5 or later is already installed and an upgrade file is uploaded via CAS web upload, the file is placed in /store. The web-uploaded file also has a randomly generated numeric code appended to the .tar.gz file name (for example, cca_upgrade-<version>.tar<digit code>.gz).

If upgrading from Release 4.1.x to Release 4.5, web upload of upgrade files to the CAS is not supported.

If upgrading from Release 4.6(1) to Release 4.8(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.6.x.tar.gz

If upgrading from Release 4.8 to Release 4.8(x), the web uploaded file is cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz

If upgrading from Release 4.8(x) to Release 4.9(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.8.x.tar.gz
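The CLI upgrade steps above (verify /perfigo/build, confirm the package is in /store before running UPGRADE.sh) and the web-upload file naming, as an added shell example that is not Cisco's code. It assumes that /perfigo/build is a key=value file with a VERSION= line as shown in the guide, that parenthesised releases are recorded in dotted form (4.6(1) as 4.6.1, 4.8(x) as 4.8.<x>), and it takes the build-file and store paths as parameters so it can run against constructed sample data.

```shell
#!/bin/sh
# Added example, not Cisco's code: pre-flight checks for the CAS CLI upgrade in this
# guide, plus handling of the numeric code that CAS web upload appends to file names.
# Assumptions (hypothetical): /perfigo/build is a key=value file with a VERSION= line,
# as shown in the guide; parenthesised releases are recorded in dotted form, so
# 4.6(1) is VERSION=4.6.1 and 4.8(x) is 4.8.<x>; the base releases 4.8 and 4.9 may
# appear either as 4.8/4.9 or as 4.8.0/4.9.0. Paths are parameters so the checks can
# be exercised against constructed sample data rather than a live CAS.

# Print the VERSION value from a /perfigo/build-style file.
cas_version() {
    sed -n 's/^VERSION=//p' "$1" | head -n 1
}

# Print the upgrade package name the guide lists for a current -> target pair,
# or nothing when the guide documents no upgrade path between the two.
expected_upgrade_file() {
    cur="$1"
    target="$2"
    case "$cur" in
        4.6.1)                          # 4.6(1) -> 4.8(x)
            case "$target" in
                4.8|4.8.*) echo "nme-nac-upgrade-${target}-from-4.6.x.tar.gz" ;;
            esac ;;
        4.8|4.8.*)                      # 4.8 -> 4.8(x); 4.8(x) -> 4.9 or 4.9(1)/4.9(2)
            case "$target" in
                4.8.[1-9]*) echo "cca_upgrade-${target}-from-4.7.x-4.8.x.tar.gz" ;;
                4.9|4.9.0)  echo "nme-nac-upgrade-${target}-from-4.8.x.tar.gz" ;;
                4.9.[1-9]*) echo "nme-nac-upgrade-${target}-from-4.8.x-4.9.x.tar.gz" ;;
            esac ;;
        4.9|4.9.*)                      # 4.9(x) -> 4.9(1)/4.9(2)
            case "$target" in
                4.9.[1-9]*) echo "nme-nac-upgrade-${target}-from-4.8.x-4.9.x.tar.gz" ;;
            esac ;;
    esac
}

# A file uploaded through the CAS web console has a random numeric code inserted
# before .gz (cca_upgrade-<version>.tar<digit code>.gz); strip it to recover the
# canonical package name so it can be compared with the expected one.
canonical_upgrade_name() {
    printf '%s\n' "$1" | sed 's/\.tar[0-9][0-9]*\.gz$/.tar.gz/'
}

# Report whether the package for current -> target is present in the store directory.
# Exit status: 0 found (canonical or web-uploaded name), 1 missing, 2 no documented path.
upgrade_package_present() {
    build_file="$1"
    store_dir="$2"
    target="$3"
    cur=$(cas_version "$build_file")
    want=$(expected_upgrade_file "$cur" "$target")
    if [ -z "$want" ]; then
        echo "unsupported: no documented upgrade path from $cur to $target"
        return 2
    fi
    for f in "$store_dir"/*.tar*.gz; do
        [ -e "$f" ] || continue                 # glob matched nothing
        if [ "$(canonical_upgrade_name "$(basename "$f")")" = "$want" ]; then
            echo "found: $f"
            return 0
        fi
    done
    echo "missing: expected $want in $store_dir"
    return 1
}

# Demonstration on constructed sample data (not taken from a real CAS).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/store"
    printf 'VERSION=4.8.0\nNAME=Clean Access Server\nDATE=2010/07/01\n' > "$tmp/build480"
    printf 'VERSION=4.6.1\nNAME=Clean Access Server\nDATE=2009/06/01\n' > "$tmp/build461"
    # The 4.8 -> 4.8(x) package as delivered by web upload, with the appended digit code.
    : > "$tmp/store/cca_upgrade-4.8.1-from-4.7.x-4.8.x.tar4821.gz"
    upgrade_package_present "$tmp/build480" "$tmp/store" 4.8.1   # found
    upgrade_package_present "$tmp/build461" "$tmp/store" 4.9.0   # unsupported (4.9 only from 4.8(x))
    rm -rf "$tmp"
}

demo
```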




Re-Installing Cisco NAC Network Module Software

By default, the Cisco NAC Network Module is preconfigured to load the operating system and Clean Access Server software from the onboard flash. In most cases, the administrator needs only to perform the initial Clean Access Server configuration of the network module and can later use the normal Cisco NAC Appliance upgrade procedure to upgrade the software on the module. See Configuring and Administering Cisco NAC Appliance for additional information.

If the software on the module is corrupt or the module cannot boot, you can interrupt and change the boot process (by entering ***) in order to reimage the entire system. This process requires downloading the boot helper and image files separately from the Cisco Secure Software site, and configuring a TFTP server so that the boot helper can be loaded onto the network module from the network.

In this case, two items of boot software may be used:

Bootloader—A small set of system software that runs when the system first powers up. In normal operation, it automatically loads the operating system from compact flash, which in turn loads and runs the Clean Access Server application. In case of disaster recovery, the bootloader process can optionally be interrupted and reconfigured to load the boot helper from the network via a TFTP server.

Boothelper—A small subset of the system software that runs on the module. It boots the module from the network and assists in disaster recovery and other operations when the module cannot access its software.

This section contains the following information:

Re-Imaging the Network Module

Running Clean Access Server Software Configuration Utility

Shutting Down and Starting Up Cisco NAC Network Module

Re-Imaging the Network Module

Re-installing the network module involves installing, configuring, and starting a boothelper image. The boothelper, in turn, starts the Cisco NAC Appliance software installation on the NAC network module and brings up the Clean Access Server Configuration Utility which will prompt you through the configuration of the CAS.

Prerequisites

Have available the IP address of your TFTP file server.

SUMMARY STEPS

From the Host-Router CLI

1. Download the required software.

2. service-module integrated-service-engine slot/0 reset

3. service-module integrated-service-engine slot/0 session, ***

From the Service-Module Interface

4. config

5. show config

6. boot helper

7. Follow boothelper instructions for installing software.

8. Control-Shift-6 x

From the Host-Router CLI

9. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.

c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>."

d. Locate the NME-NAC image files for the applicable version:

nme-nac-helper-<version>-K9

nme-nac-install-<version>-K9.img

e. Place these files on your TFTP file server.

Download the Cisco NAC Network Module installation-package files (boothelper image and installation image).

Note If NME-NAC images are not available for a specific minor release, you can install the latest available image for the major version, and use the CAS upgrade procedure to upgrade the Cisco NAC Network Module to the minor release. For more information, refer to Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module.

 
From the Host-Router CLI

Step 2 

enable

Example:

Router> enable

Enter privileged EXEC mode on the host router. Enter your password if prompted.

Step 3 

service-module integrated-service-engine slot/0 reset

Example:
Router# service-module integrated-service-engine 1/0 reset

After the download completes, reset the system.

Step 4 

service-module integrated-service-engine slot/0 session

***

Example:
Router# service-module integrated-service-engine 1/0 session
***

If the reset does not do so automatically, open a session and quickly type *** to interrupt the auto-boot sequence and access the bootloader.

 
From the Service-Module Interface

Step 5 

config
Example:
ServicesEngine boot-loader> config
IP Address [10.201.243.18] >
Subnet mask [255.255.255.240] > 255.255.255.240
TFTP server [10.201.210.15] >
Gateway [10.201.243.17] > 10.201.243.17
Default Helper-file [nme-nac-helper-4.5_0-K9] > nme-nac-helper-4.5_0-K9
Ethernet interface [external|internal] [internal] > internal
External interface media [copper|fiber] [copper] > copper
Debug Statements [enable|disable] [disabled] >
Default Boot [none|disk|compactflash|chainloader] [chainloader] >
Default bootloader [primary|secondary] [primary] > primary
Updating flash with bootloader configuration: 1
Please wait ...
.............done.

Configure the bootloader to load and launch the boothelper.

Prompts to configure the bootloader interface appear in the order listed. For each, enter a value or accept the previously stored input shown in square brackets by pressing Enter.

IP address—Service module address, that is, the trusted interface (eth0) address of your NAC network module

Subnet mask—eth0 netmask of your NAC network module

TFTP server—TFTP file-server IP address

Gateway—Gateway-router IP address (normally the IP address of the ISR); the configured IP address your ISR uses to communicate with your NAC network module

Default Helper-file—Default boothelper image filename: nme-nac-helper-<version>-K9

Ethernet interface—Choose internal for the NAC network module

External interface media—Choose copper for the NAC network module

Debug Statements—Leave as disabled (default)

Default Boot—Choose chainloader as the default boot option for the NAC network module

Default bootloader—Choose primary as the default bootloader to be used on subsequent boots of the NAC network module

Step 6 

show config
Example:
ServicesEngine boot-loader> show config

(Optional) Verify your bootloader configuration settings.

Step 7 

boot helper
Example:
ServicesEngine boot-loader> boot helper

After the new configuration finishes writing, start the boothelper at the boot prompt.

Step 8 

1
Example:
Welcome to the NME-NAC Installer
1 Install everything
2 Install compact flash only
3 Verify Install
4 Root shell
5 Reboot
Please select install option: 1
Creating partitions with fdisk...

Follow boothelper instructions. The helper will present the following options:

1. Install everything

2. Install compact flash only

3. Verify Install

4. Root shell

5. Reboot

Enter 1 to install everything.

Step 9 

(Virtual Gateway only)

eth0 IP address

subnet mask

default gateway

Example:
Please enter the IP address for the interface eth0: 10.201.243.18
You entered 10.201.243.18 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0: 255.255.255.240
You entered 255.255.255.240, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway: 10.201.243.17
You entered 10.201.243.17 Is this correct? (y/n)? [y]
Creating partitions with fdisk...

If installing on a previously configured Virtual Gateway system, you will additionally be asked for the eth0 IP address, netmask, and gateway.

Step 10 

nme-nac-install-<version>-K9.img

Example:
Please enter the Image name: nme-nac-install-4.5_0-K9.img
You entered nme-nac-install-4.5_0-K9.img Is this correct? (y/n)? [y]

After partitioning and formatting the hard disk, the helper asks two more questions (image name and TFTP server address).

Type the image name (e.g. nme-nac-install-<version>-K9.img) and press Enter.

Confirm that this is correct by typing y and pressing Enter.

Step 11 

TFTP server IP address

Example:
Please enter the IP address for the tftp server: 10.201.210.15
You entered 10.201.210.15 Is this correct? (y/n)? [y]
Transferring Image now
Done!Success!

Type the IP address of your TFTP server.

Confirm that this is correct by typing y and pressing Enter.

The helper will then transfer the image. The image is quite large, and the transfer takes a long time. After the image is transferred the helper will display status as RPMs get installed.

Step 12 

Press Enter

Example:
Press enter to reboot

At the reboot prompt, press the Enter key and the NAC network module will reboot.

Step 13 

root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

On the next boot, the network module login prompt appears. Log in as root.

The standard Clean Access Server Configuration Utility questions will then be asked. Follow the instructions in Running Clean Access Server Software Configuration Utility to complete the CAS configuration.

Step 14 

reboot

 
        

After completing the Configuration Utility, at the prompt, reboot your NAC network module.

On next reboot, the NAC network module installation is complete.

Step 15 

Press Control-Shift-6 x.

Close the session by pressing Control-Shift-6 x.

 
From the Host-Router CLI

Step 16 

service-module integrated-service-engine slot/0 session clear

Example:

Router# service-module integrated-service-engine 1/0 session clear

From the host-router CLI, clear the session.

Configuring and Administering Cisco NAC Appliance

For comprehensive Cisco NAC Appliance configuration information, refer to the applicable version of the following guides:

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Technical Assistance

Description
Link

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport

Cisco Feature Navigator website: use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. An account on Cisco.com is not required.

http://www.cisco.com/go/cfn

Cisco Software Center website

Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance to download software for Cisco NAC Appliance.


Documentation

Table 8 Updates to this Guide

Date
Description

11/27/12

Updates (for 4.9(x)):

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9(x))

9/23/10

Updates (for 4.9):

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9)

7/26/10

Updates (for 4.8):

Router (Added Routers supported by Cisco NAC Appliance Release 4.8)

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.6(1) to 4.8)

10/3/08

9/25/08

Updates (for 4.5):

Network Module

Restrictions for Cisco NAC Network Module (added WOOB note)

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module (added link to upgrade section)

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module (moved and updated section)

Re-Installing Cisco NAC Network Module Software (step 1)

6/11/08

Updated Restrictions for Cisco NAC Network Module with notes for 4.1.2.1

Corrected section CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

Updated step 1 of Re-Installing Cisco NAC Network Module Software.

Added section Configuring and Administering Cisco NAC Appliance.

Updated boilerplate and hypertext links

11/02/07

Minor updates/corrections

8/22/07

Cisco NAC Network Module (NME-NAC-K9) release


Related Documents

Related Topic
Document Title
Cisco NAC Appliance

For the latest updates to Cisco NAC Appliance documentation on Cisco.com, visit www.cisco.com/go/nac/appliance. Refer to the document versions that correspond to the release you are running on your machines.

Data sheets

Cisco NAC Appliance

Cisco NAC Network Module for Integrated Services Routers

Ordering guide

Cisco NAC Appliance Ordering Guide

Licensing

Cisco NAC Appliance Service Contract / Licensing Support

System requirements

Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)

Supported switches (OOB)

Switch Support for Cisco NAC Appliance

Release notes

Release Notes for Cisco NAC Appliance (Cisco Clean Access) (Version 4.1(2) or later)

Configuration guides

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Appliance hardware (MANAGER/SERVER)

Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1

Network module

Getting Started with Cisco NAC Network Modules in Cisco Access Routers (this guide)

Installing Cisco Network Modules in Cisco Access Routers at

http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/InstNetM.html

Connecting Cisco Network Admission Control Network Modules at

http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/nacnm.html

Additional Cisco Documentation

Cisco IOS software

Cisco IOS Software website at http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html

Voice and IP communications

Cisco Voice and IP Communications website at http://www.cisco.com/en/US/products/sw/voicesw/tsd_products_support_category_home.html

Tip To ensure that you are displaying the most current information on the Cisco.com website, force your browser to refresh by pressing Ctrl-F5.

To narrow your Cisco.com search to technical documents, from the Cisco.com home page on the upper right under the Search box, click Advanced Search > Technical Support & Documentation and enter your search criteria.

To provide feedback about the Cisco.com website or a particular technical document, from the top of any Cisco.com web page, click Feedback.

Glossary

blade

Alternate term for network module.

boothelper

A small subset of the system software that runs on the module. It boots the module from the network and assists in software installation and upgrades, disaster recovery, and other operations when the module cannot access its software.

bootloader

A small set of system software that runs when the system first powers up. It loads the operating system (from the disk, network, external compact flash, or external USB flash), which loads and runs the NAC application. The bootloader may optionally load and run the boothelper.

CAM

Clean Access Manager

The policy configuration server and management database for Cisco NAC Appliance deployment. The Clean Access Manager can manage from 1 to 40 Clean Access Servers in a deployment.

CAS

Clean Access Server

The policy enforcement server to which end users connect in Cisco NAC Appliance deployments. The Clean Access Server is managed by the Clean Access Manager.

CCA

Cisco Clean Access (also known as Cisco NAC Appliance software)

Cisco NAC Appliance

Cisco Network Admission Control solution

Cisco NAC Network Module

NME-NAC-K9 network module for Cisco Integrated Services Routers 2811, 2821, 2851, 3825, and 3845. In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco Integrated Services Routers 2911, 2921, 2951, 3925, and 3945. The Cisco NAC Network Module is a Clean Access Server (CAS) platform for 50 or 100 users.

Cisco NAC-3300 Series Appliances

Cisco NAC Appliance hardware appliance platforms for the Clean Access Manager and Clean Access Server:

NAC-3310 SERVER

NAC-3350 SERVER

NAC-3310 MANAGER

NAC-3350 MANAGER

NAC-3390 MANAGER (Super Manager)

service (or services) engine

Alternate term for network module with installed application software.

service module

Standalone content engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router.

TFTP

Trivial File Transfer Protocol. Simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).



Note For terms not included in this glossary, see the following references:

Cisco IOS Voice Configuration Library Glossary

Internetworking Terms and Acronyms


Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.