Cisco NAC Appliance Service Contract and Licensing Support

Table Of Contents

Cisco NAC Appliance Service Contract and Licensing Support

Service Contract Support

Ordering Information

Ordering Cisco NAC Appliance

Ordering Cisco NAC Appliance 3300 Series

Ordering Cisco NAC Network Module

Ordering Cisco NAC Profiler Server/Collector

Ordering Cisco NAC Guest Server

Licensing Support

Cisco NAC Appliance Licenses

How Users Are Counted

How to Obtain and Install New Cisco NAC Appliance Licenses

Cisco NAC Profiler/Collector Licenses

How to Obtain and Install New Cisco NAC Profiler Server/Collector Licenses

Cisco NAC Guest Server Licensing

How to Obtain and Install New Cisco NAC Guest Server License

How to Obtain Evaluation Licenses

Obtaining Evaluation License

Legacy Perfigo License Keys

Replacing Perfigo License Keys with FlexLM License Files

Cisco NAC Appliance RMA and Licensing

Replacing Clean Access Manager Hardware

Obtaining CAM Replacement License

Replacing Clean Access Manager in High-Availability (HA) Mode

Replacing Clean Access Server Hardware

Replacing a Clean Access Server in High-Availability (HA) Mode

Replacing Cisco NAC Profiler Server Hardware

Obtaining NAC Profiler Server Replacement License

Replacing Cisco NAC Profiler Server in High-Availability (HA) Mode

Replacing Cisco NAC Guest Server Hardware

Obtaining NAC Guest Server Replacement License


Cisco NAC Appliance Service Contract and Licensing Support


Revised: November 27, 2012, OL-11553-01

Note This document is available under: http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html
For the most current Cisco NAC Appliance (Cisco Clean Access) documentation, refer to: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html


This document describes:

Service Contract Support—How Cisco NAC Appliance hardware and software are supported

Ordering Information—Information and links to ordering guides

Licensing Support—How to obtain permanent or evaluation licenses and work with legacy licenses

Cisco NAC Appliance RMA and Licensing—How to obtain licenses after a product is exchanged and how to replace hardware for HA pairs

Service Contract Support

Cisco NAC Appliance hardware (e.g. Cisco NAC-3415, Cisco NAC-3355, Cisco NAC Profiler Server, Cisco NAC Guest Server) is supported under Cisco SMARTnet. For details, see the following web site: http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_home.html

Cisco NAC Appliance software (e.g. release 4.7(x), 4.8(x) and 4.9(x)) is supported under Cisco SAS/SASU (Software Application Support and Cisco Software Application Support Plus Upgrades). For details, see the following web site:
http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2993/serv_group_home.html


Note Cisco Technical Assistance Center (TAC) only supports hardware installation questions on platforms listed in the Supported Hardware and System Requirements for Cisco NAC Appliance.


Ordering Information

This section describes the following:

Ordering Cisco NAC Appliance

Ordering Cisco NAC Profiler Server/Collector

Ordering Cisco NAC Guest Server

Ordering Cisco NAC Appliance

Ordering Cisco NAC Appliance 3300 Series

For ordering details for the Cisco NAC Appliance 3300 Series, refer to the Cisco NAC Appliance Ordering Guide.


Note You must use identical appliances (e.g. NAC-3355 and NAC-3355) to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).


For licensing information, refer to Cisco NAC Appliance Licenses.

Ordering Cisco NAC Network Module

The Cisco NAC Network Module for Integrated Services Routers (NME-NAC-K9) offers the Clean Access Server functionality on the next generation service module for the Cisco 2800 and 3800 Integrated Services Routers.


Note The Cisco NAC Network Module is not supported in Cisco NAC Appliance Release 4.7(x).


If you are ordering a new ISR to implement NAC:

Select one of these Integrated Services Routers: 2811, 2821, 2851, 3825, or 3845

Select NM, then NME-NAC-K9 under ISR options to order the NAC network module

Select either the 50-user license (NACNM-50-K9) or 100-user license (NACNM-100-K9)

If you already have an ISR and want to add the NAC network module:

Select the spare SKU (NME-NAC-K9=) to order the NAC network module

Select either NACNM-50-K9 (50-user license) or NACNM-100-K9 (100-user license)

If you already have a 50-user NAC network module and want to add more users:

Select the user license upgrade SKU (NACNM-50UL=) to obtain an upgrade license from 50 to 100 users

Once user licenses are obtained for the NME-NAC-K9, they are added to the Clean Access Manager in the same way as any other Clean Access Server license.

For additional details on ordering Cisco NAC Network Module, see:

Cisco NAC Appliance Ordering Guide

Cisco NAC Network Module for Integrated Services (product literature)

For licensing information, refer to Cisco NAC Appliance Licenses.

Ordering Cisco NAC Profiler Server/Collector

The Cisco NAC Profiler ships in two components: Cisco NAC Profiler Server and Cisco NAC Profiler Collector:

Cisco NAC Profiler Server is a standalone or failover hardware appliance based on the Cisco NAC-3355 supporting a maximum of 10,000 endpoints.

Cisco NAC Profiler Collector is an application component that resides on a standalone or failover Cisco Clean Access Server (CAS) appliance (release 4.1.2.1 and later). You can configure one Profiler Collector per CAS.

For ordering details for Cisco NAC Profiler, refer to the Cisco NAC Profiler Ordering Guide.

For licensing information, refer to Cisco NAC Profiler/Collector Licenses.

Ordering Cisco NAC Guest Server

The Cisco NAC Guest Server is a standalone hardware appliance based on the Cisco NAC-3415 and NAC-3315 platform. For ordering details, refer to the Cisco NAC Guest Server Data Sheet.

For licensing information, refer to Cisco NAC Guest Server Licensing.

Licensing Support

This section describes the following:

Cisco NAC Appliance Licenses

Cisco NAC Profiler/Collector Licenses

Cisco NAC Guest Server Licensing

How to Obtain Evaluation Licenses

Legacy Perfigo License Keys

Cisco NAC Appliance RMA and Licensing

Cisco NAC Appliance Licenses

Cisco NAC Appliance incorporates industry leading FlexLM licensing to support flexible licensing schemes.

You need at least 1 Clean Access Manager (CAM) license and 1 Clean Access Server (CAS) license for your Cisco NAC Appliance system to work. Both licenses are installed via the CAM web admin console. See How to Obtain and Install New Cisco NAC Appliance Licenses for details on installing permanent licenses and see How to Obtain Evaluation Licenses for details on installing evaluation licenses.

A customer can purchase the following license options: Clean Access Manager (CAM) Licenses, Clean Access Server (CAS) Licenses.

Clean Access Manager (CAM) Licenses

The Clean Access Manager (CAM) (NAC Appliance MANAGER) is licensed based on the number of Clean Access Servers (CASs) it supports. Standalone or failover CAM licenses are available for 3, 20, and 40 (Super Manager) CASs:

Cisco Clean Access Lite Manager (CAM Lite)

NAC-3315 hardware platform

Supports up to 3 CASs (or 3 HA-CAS pairs)

Manager for CASs supporting 500 or fewer users, including NAC network module


Note FIPS 140-2 compliant NAC-3315 CAS can support only 250 or 500 users.


Cisco Clean Access Standard Manager

NAC-3355 hardware platform

Supports up to 20 CASs (or 20 HA-CAS pairs).

Manager for any size CAS, including NAC network module

Cisco Clean Access Super Manager

NAC-3395 platform only

Supports up to 40 CASs (or 40 HA-CAS pairs)

Manager for any size CAS, including NAC network module

Cisco Clean Access UCS Manager

NAC-3415 hardware platform

Supports up to 3 CASs (or 3 HA-CAS pairs)

Manager for CASs supporting 500 or fewer users, including NAC network module

Cisco Clean Access Super Manager

NAC-3495 hardware platform

Supports up to 40 CASs (or 40 HA-CAS pairs)

Manager for any size CAS, including NAC network module

Once the CAS license count limit is reached, additional CASs cannot be added to the CAM.

Clean Access Server (CAS) Licenses

The Clean Access Server (CAS) is licensed based on the number of online, concurrent users traversing each CAS (see How Users Are Counted for further details). A Clean Access Server (CAS) can either be a Cisco NAC Appliance 3300 Series SERVER or a Cisco NAC Network Module for Integrated Services Routers (NME-NAC-K9).

For NAC Appliance SERVER, standalone or failover user licenses are available for 100, 250, 500, 1500, 2500 (NAC-3355 and NAC-3495), 3500 (NAC-3355 and NAC-3495), and 5000 (NAC-3355 and NAC-3495) users. (See How to Obtain and Install New Cisco NAC Appliance Licenses for further details.)

For NAC Network Module, there is a 50- or 100- user license. There is no failover supported on NAC network modules. (See Ordering Cisco NAC Network Module for further details.)


Note You must install the CAM license to be able to access the CAM web admin console.

The CAS is added to the CAM as either an in-band (IB) CAS or an out-of-band (OOB) CAS. The CAM can manage both IB and OOB CASs.



Note You must use identical appliances (e.g. NAC-3355 and NAC-3355) to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).



Note New licenses ordered for 4.1/4.0/3.6 deployments enable both IB and OOB features by default. If you ordered an IB or OOB license prior to 4.1/4.0/3.6 upgrade, your previous options are preserved. If your previous license enabled only IB, you must obtain a new 4.1/4.0/3.6 license in order to enable OOB.


How Users Are Counted

Cisco NAC Appliance counts current, online users/devices that go through posture assessment toward the Clean Access Server license limit. There is no difference between In-Band (IB) and Out-of-Band (OOB) deployments, since user traffic in each deployment must pass through the Clean Access Server for authentication and/or posture assessment and remediation.

Both IB and OOB users are removed from the count when they disconnect from the network (e.g. linkdown), are logged out by Cisco NAC Appliance (e.g. via session timer), or log themselves out manually (e.g. Agent Logout button).

IB users are also removed from the count when the inactivity timer or the "logout user on Windows machine logoff/shutdown" option is configured.

The following devices are not counted towards the user-license limit:

Any device configured with the "Ignore" option in the Device Filter list, such as an IP Phone.

Any device configured with the "Allow" option in the Device Filter list, such as a printer ("Allow" bypasses NAC authentication and posture assessment for the device).

Devices entered into the CAM using the "addmac" API with type "allow" or "ignore."


Note Devices configured in "Check" device filters do count towards the user-license limit.


How to Obtain and Install New Cisco NAC Appliance Licenses

Use the following steps to obtain and install your FlexLM product (permanent) license files for Cisco NAC Appliance.


Step 1 With FlexLM licensing, you will receive a Product Authorization Key (PAK) for each software CD package that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your CD-ROM package.


Warning The PAK is NOT the Cisco NAC Appliance license. The PAK is used to obtain the Cisco NAC Appliance license, as described below.

Step 2 Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site: http://www.cisco.com/go/license. During customer registration, submit each PAK you receive and the MAC address of your Clean Access Manager (CAM) as follows:

For CAM, or CAS, or CAS Failover (HA) licenses, submit the primary CAM's eth0 MAC address.

For CAM Failover (HA) license only, submit the eth0 MAC address of the secondary CAM.


Warning The eth0 MAC address(es) entered for the Clean Access Manager must be in UPPER CASE (i.e. hexadecimal letters must be capitalized). Do not enter colons (":") in between characters.

Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered.


Note For each PAK that you submit, a license file is generated and sent to you via email.


Step 3 Save each license file you receive to disk on a local machine.

Step 4 Make sure your Clean Access Manager and Clean Access Server machines are initially configured as described in the Cisco NAC Appliance Hardware Installation Guide (applicable to your release). If adding a Cisco NAC Network Module, make sure it is initially configured as described in Getting Started with Cisco NAC Network Modules in Cisco Access Routers.


Note To add Cisco NAC Network Module, your existing CAM and CAS machines must be running release 4.1(2) or later, excluding Cisco NAC Appliance Release 4.7(x). Refer to the latest Release Notes for Cisco NAC Appliance for upgrade instructions.


Step 5 Access the web admin console of your Cisco NAC Appliance MANAGER by opening a web browser and entering the IP address of the Clean Access Manager (CAM) as the URL. The Clean Access Manager License Form (Figure 1) appears the first time you do this and prompts you to install your CAM FlexLM license file. For reference, the top of the form displays the eth0 MAC address of the CAM machine.

Figure 1 Clean Access Manager License Form

Step 6 For the Clean Access Manager License File field, Browse to the license file you received for the CAM and click the Install License button.


Note If you have purchased a CAM Failover (HA) license, install the Failover license to the Primary CAM first, then load all the other licenses. This facilitates upgrade of HA-CAM pairs.

For NAC-3415 and NAC-3495 platforms, you need to get a Standalone license for standalone systems and a Failover license for HA pairs.


Step 7 Once the license file for the Clean Access Manager is installed, you should be redirected to the admin login page of the CAM web console (Figure 2).

Figure 2 CAM Web Console Login


Note For releases 4.1(0)+/4.0(4)+, when you add the CAM license, the top of the CAM web console displays the type of CAM license installed. Additionally, the Administration > CCA Manager > Licensing page (Figure 3) displays the types of licenses present after they are added.


Step 8 Log in with the username/password you configured during CAM installation.

Step 9 In the web console, go to Administration > CCA Manager > Licensing (Figure 3). The Licensing page allows administrators to install license files, view the server count associated with the license, and remove licenses.

Figure 3 CAM Web Console Licensing Page

Step 10 In the Clean Access FlexLM License File(s) field, Browse to the license file for your Clean Access Server or Server bundle, and click Install License. You should see a green confirmation text string at the top of the page which indicates:

Success/failure to install the license

Type of license added

For a CAS license, the Server increment count (for example, "License added successfully. Out-of-Band Server Count is now 10.")

The status text at the bottom of the page indicates the presence of a Lite, Standard or Super Manager license and whether it is for Failover (high-availability), as well as the IB or OOB CAS license count. A Manager Failover license must be present for HA-CAS machines. When a Manager Failover license is installed, the Server count increment can represent either 1 standalone CAS or 1 HA-CAS pair.

Step 11 Repeat Step 10 for each Clean Access Server license file you need to install (you should have received one license file per PAK submitted during customer registration). The status information at the bottom of the page displays the total number of Clean Access Servers enabled per successful license file installation.


Tip If you forget to upload the CAS license to the CAM, the error message "Failed to Add Server: Maximum limit for Clean Access Servers supported has been reached" will display when you try to add the CAS to the CAM later via the web console.



Note Clicking the Remove All Licenses button removes all FlexLM license files from the system. You cannot remove individual license files. (Authenticated user traffic will continue to pass through the CAS if you remove all licenses and install them again.)

You must enter the CAM license to be able to access the web admin console.

Once installed, a permanent FlexLM license takes precedence and replaces an evaluation FlexLM license.

Once installed, FlexLM licenses (either permanent or evaluation) take precedence and replace legacy license keys (even though the legacy key is still installed).

When an evaluation FlexLM expires, or is removed, an existing legacy license key will again take effect.


Cisco NAC Profiler/Collector Licenses

The Cisco NAC Profiler enhances the deployment and administration of Cisco NAC Appliance by maintaining a real-time list of all network-attached endpoints for which user authentication does not apply, such as IP phones and networked printers.

The Cisco NAC Profiler Server appliance communicates with the Cisco NAC Profiler Collector component that resides on the Clean Access Server. Cisco NAC Profiler uses FlexLM licensing and requires the following:

A Profiler Server license—installed on the Profiler Server

A Profiler Collector license for each CAS Collector—installed on the Profiler Server

Both the Profiler Server and Profiler Collector licenses are generated with the MAC address of the Profiler Server appliance.


Caution License generation for the Cisco NAC Profiler and Collector is case sensitive. When entering the MAC address to generate the license, you must enter all lower case hexadecimal characters.


Note Make sure you have both the Profiler Server and Profiler Collector licenses installed in the Cisco NAC Profiler Server. Otherwise, Cisco NAC Profiler will not start or run.


Cisco NAC Profiler Server license—There is one Profiler Server per Clean Access Manager deployed. Cisco NAC Profiler can manage multiple Collectors on multiple Clean Access Servers up to a maximum of 40,000 endpoint devices. The license options per platform are:

Standalone Profiler Server

Failover Profiler Servers (for an HA pair)

Cisco NAC Profiler Collector license—There is one Collector component per Clean Access Server. The Collector license is based on the number of endpoint devices supported and corresponds to the CAS license size. When the CAS is used for both posture assessment and endpoint profiling, the Collector license enables the same number of endpoint devices as users. If the CAS is used for endpoint profiling only, then the Collector license enables double the number of endpoint devices only. For example, standalone or failover Collector licenses for a NAC-3355 SERVER support 1500/2500/3500/5000 users AND 1500/2500/3500/5000 endpoint devices, or 3000/5000/7000/10000 endpoint devices only.


Note Failover Collector licenses are needed for NAC-3355 HA-CAS pairs.


See How to Obtain and Install New Cisco NAC Profiler Server/Collector Licenses for details on permanent licenses.

See How to Obtain Evaluation Licenses for details on evaluation licenses.

How to Obtain and Install New Cisco NAC Profiler Server/Collector Licenses

Use the following steps to obtain and install your FlexLM product (permanent) license files for Cisco NAC Profiler Server/Collector.


Step 1 With FlexLM licensing, you will receive a Product Authorization Key (PAK) for each Profiler/Collector that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package.


Warning The PAK is NOT the Cisco NAC Profiler/Collector license. The PAK is used to obtain the Cisco NAC Profiler/Collector license, as described below.

Step 2 Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site: http://www.cisco.com/go/license. During customer registration, submit each PAK you receive and the MAC address of your Cisco NAC Profiler Server as follows:

For a stand-alone NAC Profiler, submit the eth0 MAC address of the NAC Profiler Server

For a failover pair of NAC Profilers, submit the eth0 MAC address of both the HA-Primary and HA-Secondary NAC Profiler Servers to generate the two necessary licenses


Warning The eth0 MAC address(es) entered for the Profiler Server must be in UPPER CASE (i.e. hexadecimal letters must be capitalized). Do not enter colons (":") in between characters.

Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered.


Note For each PAK that you submit, a license file is generated and sent to you via email.


Step 3 Save each license file you receive to disk on a local machine.

Step 4 Make sure your Cisco NAC Profiler Server is configured as described in the installation section of the Cisco NAC Profiler Installation and Configuration Guide.

Step 5 Make sure your CAS and CAM machines are running release 4.1(2) or later, and are configured as described in the Cisco NAC Appliance Hardware Installation Guide.

Step 6 Open a web browser and type the management interface IP address of the NAC Profiler Server as the URL to access the user interface of your Cisco NAC Profiler Server. You will be prompted to log in as the admin web UI user (default password: profiler).

https://[configured Profiler Server IP address]

Step 7 The Home page of the Cisco NAC Profiler web console appears by default when you first log in (Figure 4).

Figure 4 Cisco NAC Profiler Server Web Console

Step 8 Click the Upload Licenses link in the left navigation bar of the page to bring up the Import FlexLM License form (Figure 5).

Figure 5 Import FlexLM License

Step 9 In the License file name field, click the Browse button to locate the license file (.lic) for your NAC Profiler Server, and click Import License.

Step 10 Browse to each Collector license (.lic) file to be installed and click Import License to import your Collector license(s).


Note Each component of the system (e.g. Server or Server HA pair and Collector or Collector HA pair) requires a valid license in order to run.


Step 11 To verify the NAC Profiler Server and Collector license(s) are correctly installed, navigate to Configuration > Profiler Modules > List Profiler Modules (Figure 6).

Figure 6 Verifying Server/Collector Status

If the Server reports a "Running" status, the license for the NAC Profiler Server is successfully installed.

If the Table of Collectors shows "All Modules Running", the Profiler Server has contacted all modules of the Collector and the Collector is online and running normally.

For further details refer to:

Release Notes for Cisco NAC Profiler

Cisco NAC Profiler Installation and Configuration Guide


Cisco NAC Guest Server Licensing

The Cisco NAC Guest Server is a standalone component that can be added to Cisco NAC or wireless deployments to integrate secure guest access. Cisco NAC Guest Server facilitates the creation of guest accounts for temporary network access by permitting any internal user to sponsor a guest and create the guest account in a simple and secure manner.

Cisco NAC Guest Server can be integrated with the Cisco NAC Appliance Manager through its API, or with Cisco Wireless LAN controllers through the RADIUS protocol. Guest and Sponsor accounts can be controlled directly on the Cisco NAC Guest Server.

You can purchase the Cisco NAC Guest Server with a Clean Access Manager, or as a standalone solution with no NAC components to work with RADIUS devices such as the Wireless LAN Controller. See How to Obtain and Install New Cisco NAC Guest Server License for steps to install a permanent license and see How to Obtain Evaluation Licenses for details on evaluation licenses.

How to Obtain and Install New Cisco NAC Guest Server License

Use the following steps to obtain and install your FlexLM product (permanent) license files for Cisco NAC Guest Server. The Cisco NAC Guest Server only supports one license at a time, so any "additional" licenses you import automatically overwrite the previous license on the Guest Server.


Step 1 With FlexLM licensing, you will receive a Product Authorization Key (PAK) for each Guest Server that you purchase. The PAK is affixed as a sticky label on the Software License Claim Certificate card that is included in your package.


Warning The PAK is NOT the Cisco NAC Guest Server license. The PAK is used to obtain the Cisco NAC Guest Server license, as described below.

Step 2 Log in as a registered CCO user and fill out the Customer Registration form found at the PAK Cisco Technical Support site: http://www.cisco.com/go/license. During customer registration, submit each PAK you receive and the eth0 MAC address of your Cisco NAC Guest Server.


Warning The eth0 MAC address entered for the Guest Server must be in UPPER CASE (i.e. hexadecimal letters must be capitalized). Do not enter colons (":") in between characters.

Please follow the instructions on the license web pages carefully to ensure that the correct MAC addresses are entered.


Note For each PAK that you submit, a license file is generated and sent to you via email.


Step 3 Save each license file you receive to disk on a local machine.

Step 4 Make sure your Cisco NAC Guest Server is configured as described in the installation section of the Cisco NAC Guest Server Installation and Configuration Guide.

Step 5 Access the web UI of the Cisco NAC Guest Server by opening a web browser and entering the following as the URL:

For HTTP access, open http://<guest_server_ip_address>/admin

For HTTPS access, open https://<guest_server_ip_address>/admin

Figure 7 Guest Server License Form (example)

Step 6 In the Guest Server License Form (Figure 7), click the Choose File or Browse button (depending on which browser you are using) and locate the license file.

Step 7 Click Submit to install the license.

Step 8 The administration interface displays. Log in as the admin user. The default user name/password is admin/admin.
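The three registration procedures above (Cisco NAC Appliance, Profiler Server/Collector, Guest Server) each require the eth0 MAC address to be entered without colons and in a specific letter case. The shell helper below is an added example, not part of the Cisco document: it pulls the address out of `ifconfig`-style text and normalizes it. The function names, the constructed sample address and the case argument are assumptions of the example; the case is selectable because the Warnings ask for upper case while the Profiler Caution asks for lower case.

```shell
#!/bin/sh
# Added example (not Cisco code): prepare an eth0 MAC address for the
# license registration form, which expects 12 hex digits with no colons.

# mac_from_ifconfig: read ifconfig-style text on stdin and print the first
# hardware address found. Handles both the older "HWaddr" layout and the
# newer "ether" layout.
mac_from_ifconfig() {
    sed -n \
        -e 's/.*HWaddr[ ]*\([0-9A-Fa-f:]\{17\}\).*/\1/p' \
        -e 's/.*ether[ ]*\([0-9A-Fa-f:]\{17\}\).*/\1/p' | head -n 1
}

# format_license_mac MAC [upper|lower]
# Accepts colon-, hyphen- or dot-separated input (or no separators) and
# prints the 12 hex digits in the requested case (default: upper).
# Returns 1 if the input is not a valid 48-bit MAC address.
format_license_mac() {
    mac=$1
    case_mode=${2:-upper}

    # Remove the separators used by ifconfig, Windows and IOS output.
    stripped=$(printf '%s' "$mac" | tr -d ':.-')

    # Reject anything that is not purely hexadecimal.
    case $stripped in
        *[!0-9A-Fa-f]*)
            echo "not hexadecimal: $mac" >&2
            return 1
            ;;
    esac

    # A MAC address is exactly 12 hex digits once separators are gone.
    if [ "${#stripped}" -ne 12 ]; then
        echo "expected 12 hex digits, got ${#stripped}: $mac" >&2
        return 1
    fi

    case $case_mode in
        upper) printf '%s\n' "$stripped" | tr 'abcdef' 'ABCDEF' ;;
        lower) printf '%s\n' "$stripped" | tr 'ABCDEF' 'abcdef' ;;
        *)
            echo "case must be 'upper' or 'lower'" >&2
            return 1
            ;;
    esac
}

# Constructed sample input (not taken from a real appliance).
sample_ifconfig='eth0      Link encap:Ethernet  HWaddr 00:1a:2B:3c:4D:5e
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0'

# Value to paste into the registration form.
format_license_mac "$(printf '%s\n' "$sample_ifconfig" | mac_from_ifconfig)" upper
```

On the appliance itself, pipe the output of `ifconfig eth0` into `mac_from_ifconfig` instead of the sample text.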


How to Obtain Evaluation Licenses

To evaluate Cisco NAC Appliance, Cisco NAC Profiler, or Cisco NAC Guest Server, an official PAK is not required. A Cisco Clean Access Evaluation License enables:

1 Clean Access Manager (CAM)

1 IB Clean Access Server 100 User (CAS)

1 OOB Clean Access Server 100 User (CAS)

1 IB Clean Access Server Failover 100 User (CAS)

1 OOB Clean Access Server Failover 100 User (CAS)

1 Clean Access Server Failover 50 User (Network Module)

1 Cisco NAC Profiler Server

1 Cisco NAC Profiler Server - Failover

1 Cisco NAC Collector 100 Device (on CAS)

1 Cisco NAC Collector 100 Device - Failover (on HA-CAS pair)

1 Cisco NAC Guest Server

You do not need to submit MAC addresses for your machines to obtain an evaluation license. Use the following steps to obtain and install an evaluation license file. You can use the same 30-day evaluation license to enable Cisco NAC Appliance, Cisco NAC Profiler, and Cisco NAC Guest Server.


Caution Cisco recommends obtaining a permanent license before continuing with full-scale deployment. Evaluation licenses are intended for trial purposes and expire after 30 days. Once a license expires, you cannot start Cisco NAC Appliance. Contact a Cisco representative to purchase a permanent license.

Obtaining Evaluation License


Caution You cannot add a time-limited or evaluation license to a Clean Access Manager which already has a production license. You must use all evaluation licenses or all production licenses for your Cisco NAC Appliance system. If you already have a production license but want to evaluate a different type of deployment, Cisco recommends that you do not alter your production deployment. Instead, we recommend that you set up trial equipment in a lab and obtain evaluation licenses for the test setup.


Step 1 You will need to register and obtain a Cisco.com user ID in order to generate an evaluation license. Access the Product Evaluation License Cisco Technical Support site, and follow the instructions to register: http://www.cisco.com/go/license/public.

Step 2 If you have already registered, log into http://www.cisco.com/go/license to access the Product License Registration page.

Step 3 In the "Licenses Not Requiring a PAK" section of the page, click the link for "If you do not have a Product Authorization Key (PAK), please click here for available licenses."

Step 4 Scroll down the page and click the link for "Cisco NAC Appliance Evaluation License."

Step 5 Follow the instructions to obtain a 30-day evaluation license. The evaluation license file is generated and sent to you via email. Save the evaluation license file you receive to disk.

Step 6 Import the evaluation license to the applicable component as described in the instructions below:

Adding Evaluation License to Cisco NAC Appliance

Adding Evaluation License to Cisco NAC Profiler

Adding Evaluation License to Cisco NAC Guest Server


Adding Evaluation License to Cisco NAC Appliance


Caution You cannot add a time-limited or evaluation license to a Clean Access Manager which already has a production license. You must use all evaluation licenses or all production licenses for your Cisco NAC Appliance system. If you already have a production license but want to evaluate a different type of deployment, Cisco recommends that you do not alter your production deployment. Instead, we recommend that you set up trial equipment in a lab and obtain evaluation licenses for the test setup.


Step 1 Make sure your Clean Access Manager and Clean Access Server machines are initially configured as described in the Cisco NAC Appliance Hardware Installation Guide (applicable to your release) available under http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html.


Note To evaluate Cisco NAC Network Module, your existing Clean Access Manager and Clean Access Server(s) must be running release 4.1(2) or later, excluding Cisco NAC Appliance Release 4.7(x). To upgrade your machines, refer to the "Upgrading" instructions of the Release Notes for Cisco NAC Appliance for Version 4.1(2) or later.


Step 2 Access the Clean Access Manager web admin console by opening a web browser and entering the IP address of the Manager as the URL. The Clean Access Manager License Form appears the first time you do this and prompts you to install your FlexLM license file.

Step 3 Browse to your saved evaluation license and install it in the Clean Access Manager License File field.

Step 4 In the web console, go to Administration > CCA Manager > Licensing to view the days remaining for your evaluation period.


Adding Evaluation License to Cisco NAC Profiler


Step 1 Make sure your Cisco NAC Profiler Server is initially configured as described in the installation section of the Cisco NAC Profiler Installation and Configuration Guide.

Step 2 Make sure your Clean Access Server (and Clean Access Manager) machines are running release 4.1(2) or later, and are initially configured as described in the Cisco NAC Appliance Hardware Installation Guide.

Step 3 Access the web UI of the Cisco NAC Profiler Server by opening a web browser and entering the IP address of the Profiler Server as the URL. Log in as user admin (default password: profiler).

Step 4 Navigate to the Home tab > Upload Licenses | Import FlexLM License.

Step 5 Browse to the evaluation license and click Import License.

Step 6 To verify the NAC Profiler Server/Collector evaluation license is correctly installed, navigate to Configuration > Profiler Modules > List Profiler Modules.


Adding Evaluation License to Cisco NAC Guest Server


Step 1 Make sure your Cisco NAC Guest Server is initially configured as described in the installation section of the Cisco NAC Guest Server Installation and Configuration Guide.

Step 2 Access the web UI of the Cisco NAC Guest Server by opening a web browser and entering the following as the URL:

For HTTP access, open http://<guest_server_ip_address>/admin

For HTTPS access, open https://<guest_server_ip_address>/admin

Step 3 In the Guest Server License Form, click the Browse button and locate the license file.

Step 4 Click Submit to install the license.

Step 5 The administration interface displays. Log in as the admin user. The default user name/password is admin/admin.


Legacy Perfigo License Keys

If you are an existing customer, you can continue to use your existing license key and upgrade to other non-Switch Management (non-OOB) features of release 4.1/4.0/3.6. In this case, use the lower portion (Non PAK) of the Clean Access Manager License Form to enter and re-enter your product license key in the Enter Product License and Re-Enter Product License fields in order to access the web admin console.

However, please take the following considerations into account:

You cannot mix and match legacy Perfigo license keys and new FlexLM license files on a Cisco NAC Appliance.

If you buy a new CAM/CAS with FlexLM licensing, you must replace all Perfigo licenses with new FlexLM licenses. For example, if you are adding a new CAS to a legacy Clean Access system which uses a Perfigo license key, you must obtain new FlexLM licenses not only for the new CAS, but also for your existing CAM/CAS machines. Note that FlexLM licenses for all CAS machines are based on the MAC address of the Primary CAM. For HA-CAM license generation, both the Primary and Secondary CAM MAC addresses are needed. See Replacing Perfigo License Keys with FlexLM License Files for details.

If you want to enable Cisco NAC Appliance Out-of-Band, you will have to obtain a PAK by purchasing the software CD package.

If your license key does not work or you cannot use the PAK you received, contact Cisco Licensing at licensing@cisco.com.

Replacing Perfigo License Keys with FlexLM License Files


Step 1 Obtain all FlexLM licenses for all of your CAM and CAS machines as described in the "How to Obtain and Install New Cisco NAC Appliance Licenses" section.

Step 2 Verify the licenses are correct with TAC/Licensing.

Step 3 In the CAM web console, go to Administration > CCA Manager > Licensing and click Remove All Licenses.

Step 4 Add new FlexLM licenses in the following order:

1. CAM License first
Note: If you have purchased a CAM Failover (HA) license, install the Failover license to the Primary CAM first, then load all the other licenses.

2. CAS License next

Step 5 You should now be able to access and manage your CAM and CAS machines from the CAM web console.


Cisco NAC Appliance RMA and Licensing

The Cisco SMARTnet customer is responsible for obtaining a return-materials-authorization (RMA) number to return the product. This section describes the following:

Replacing Clean Access Manager Hardware

Obtaining CAM Replacement License

Replacing Clean Access Manager in High-Availability (HA) Mode

Replacing Clean Access Server Hardware

Replacing a Clean Access Server in High-Availability (HA) Mode

Replacing Cisco NAC Profiler Server Hardware

Obtaining NAC Profiler Server Replacement License

Replacing Cisco NAC Profiler Server in High-Availability (HA) Mode

Replacing Cisco NAC Guest Server Hardware

Obtaining NAC Guest Server Replacement License


Note For further details, log in with your Cisco ID to the Support Tools & Resources site at http://www.cisco.com/public/support/tac/tools_tab_tools.html#r. Click "Show All Tools" and refer to the "RMA and Orders" links.


Replacing Clean Access Manager Hardware

If you replace a Cisco NAC Appliance via Cisco SMARTnet Services, you will need to obtain a replacement product license if you are replacing the Clean Access Manager (CAM). This is because licensing generation and operation require the eth0 MAC address information of the CAM.

Obtaining CAM Replacement License


Step 1 Obtain the new eth0 NIC MAC address for the new Primary CAM (and new Secondary CAM for High-Availability (HA) CAM pairs only).

Step 2 Submit a request for a replacement license to licensing@cisco.com and include:

Eth0 MAC address of Primary CAM

Eth0 MAC address of Secondary CAM—Only for CAM HA licenses

Cisco Support Contract number

Cisco RMA (return-materials-authorization) number

Cisco Sales Order number


Replacing Clean Access Manager in High-Availability (HA) Mode


Note You must use identical appliances (e.g. NAC-3355 and NAC-3355) to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).


The following steps summarize how to replace a CAM in an HA-CAM pair.


Step 1 Perform initial configuration on the replacement appliance (i.e. service perfigo config) so that the previous network configuration is rebuilt on the replacement CAM.

Step 2 Make sure both the active CAM and replacement CAM are running the same version of the Cisco NAC Appliance software (e.g., release 4.9). Upgrade the replacement CAM if necessary.

Step 3 On the active CAM, go to Administration > CCA Manager > Licensing and click "Remove All Licenses."


Note Removing old licenses is not required but will prevent invalid license errors in the log files.


Step 4 Install the new CAM replacement license you obtained on the active CAM. (See Obtaining CAM Replacement License for details.)

Step 5 Install the new CAM replacement license you obtained on the replacement CAM.

Step 6 Synchronize the time on the replacement CAM (Administration > CCA Manager > System Time).

Step 7 Export the currently installed certificate information (Private Key, Root Certificate, Identity Certificate) from the Active CAM and save it to a temporary location. Import the key and certificates to the replacement CAM (under Administration > CCA Manager > SSL Certificate). Delete the temporarily stored certificate information when done.

Step 8 Configure the replacement CAM as either the HA-Primary or HA-Secondary, depending on which CAM is being replaced (refer to the Configuring High Availability (HA) chapter of the Clean Access Manager guide for details).

Step 9 Reboot the active CAM, or restart the perfigo service on the active CAM, before adding the replacement standby CAM. Ensure the active CAM remains in the active state after rebooting. This is required so that HA works properly after the replacement. Refer to CSCtj82347 for more details.

Step 10 Physically connect the replacement CAM to the Active CAM:

a. Connect the eth1 ports of the CAM machines using a crossover cable for the UDP heartbeat interface.

b. Connect the serial ports (highly recommended) using a null modem serial cable for an additional heartbeat serial exchange between the failover peers.

Step 11 Reboot the Active CAM to make the replacement CAM become the Active machine.


Note Cisco recommends rebooting during a normal maintenance time frame.


Step 12 Verify that the replacement CAM has become the Active CAM.



Note For additional details on restoring a CAM/CAS configuration from a CAM snapshot, refer to the "Administering the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide.


Replacing Clean Access Server Hardware

If you replace the hardware for a Clean Access Server (CAS), a replacement license is not necessary; you can continue to use your existing CAS license.

Replacing a Clean Access Server in High-Availability (HA) Mode


Note You must use identical appliances (e.g. NAC-3355 and NAC-3355) to configure High Availability (HA) pairs of Clean Access Managers (CAMs) or Clean Access Servers (CASs).



Note High-Availability (HA) mode is not supported on Cisco NAC Network Module for Integrated Services Routers.


The following steps summarize how to replace a CAS in an HA-CAS pair.


Step 1 Perform initial configuration on the replacement appliance (i.e. service perfigo config) so that the previous network configuration is rebuilt on the replacement CAS.

Step 2 Make sure both the Active CAS and replacement CAS are running the same version of the Cisco NAC Appliance software (e.g. 4.1(3)). Upgrade the replacement CAS if necessary.

Step 3 Synchronize the time on the replacement CAS:

From CAS web console: https://<CAS_eth0_IP>/admin/ [Administration > Time Server]

Or, from CAM web console: Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time

Step 4 Export the currently installed certificate information (Private Key, Root Certificate, Identity Certificate) from the Active CAS and save it to a temporary location. Import the key and certificates to the replacement CAS.

From CAS web console: https://<CAS_eth0_IP>/admin/ [Administration > SSL Certificate]

Or, from CAM web console: Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs

Delete the temporarily stored certificate information when done.

Step 5 Configure the replacement CAS as either the HA-Primary or HA-Secondary, depending on which CAS is being replaced (refer to the "Configuring High Availability" chapter of the Cisco NAC Appliance Hardware Installation Guide for details).

Step 6 Configure DHCP failover on the replacement CAS (if the HA-CAS pair are acting as a DHCP Server).

Step 7 Reboot the active CAS, or restart the perfigo service on the active CAS, before adding the replacement standby CAS. Ensure the active CAS remains in the active state after rebooting.

Step 8 Physically connect the replacement CAS to the Active CAS using one of the following dedicated connections:

Connect the serial ports using a null modem serial cable for the serial heartbeat interface

Connect the eth2 dedicated Ethernet NIC ports of the CAS machines using a crossover cable for the UDP heartbeat interface

Connect the serial ports using a null modem serial cable, and connect the eth0 ports of the CAS machines using a crossover cable for the additional UDP heartbeat interface

Step 9 Reboot the Active CAS to make the replacement CAS become the Active machine.


Note Cisco recommends rebooting during a normal maintenance time frame.


Step 10 Verify that the replacement CAS has become the Active CAS.



Note For additional details on restoring a CAM/CAS configuration from a CAM snapshot, refer to the "Administering the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Configuration Guide.
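
Step 7 of the CAM replacement procedure and Step 4 of the CAS replacement procedure both pass a private key and its certificates through a temporary location. The script below is an added example, not part of the Cisco guide or product: it checks that the exported set is consistent before import and removes it afterwards. The file names (private_key.pem, identity_cert.pem, root_cert.pem) and the unencrypted PEM encoding are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not Cisco code. File names and PEM encoding are assumptions.

# 0 if the private key and identity certificate hold the same public key.
key_matches_cert() {
    local key_pub cert_pub
    # "-passin pass:" makes an encrypted key fail at once instead of prompting.
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# 0 if the identity certificate verifies against the exported root certificate.
cert_chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if the key file is accessible by its owner only (mode 600 or 400).
key_is_private() {
    case "$(ls -ld "$1")" in
        -rw-------*|-r--------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all three checks on an export directory before importing it.
check_export() {
    local dir="$1"
    key_is_private "$dir/private_key.pem" || { echo "key readable by group/other" >&2; return 1; }
    key_matches_cert "$dir/private_key.pem" "$dir/identity_cert.pem" || { echo "key does not match identity certificate" >&2; return 1; }
    cert_chains_to_root "$dir/root_cert.pem" "$dir/identity_cert.pem" || { echo "identity certificate does not chain to root" >&2; return 1; }
}

# Overwrite (where shred exists) and delete every file, then the directory.
wipe_export_dir() {
    local dir="$1" f
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if command -v shred >/dev/null 2>&1; then shred -fu "$f"; else rm -f "$f"; fi
    done
    rmdir "$dir"
}

# Usage: script.sh <export_dir>   (checks only; call wipe_export_dir after import)
if [ "$#" -eq 1 ]; then check_export "$1"; fi
```

Run the checks on the workstation holding the export, and call wipe_export_dir only after the import on the replacement appliance is confirmed.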


Replacing Cisco NAC Profiler Server Hardware

If replacing Cisco NAC Profiler Server hardware, you will need to obtain a replacement product license.

Obtaining NAC Profiler Server Replacement License


Step 1 Obtain the new eth0 NIC MAC address for the new NAC Profiler Server (and new Secondary NAC Profiler Server for High-Availability (HA) pairs only).

Step 2 Submit a request for a replacement license to licensing@cisco.com and include:

Eth0 MAC address of Primary NAC Profiler Server

Eth0 MAC address of Secondary NAC Profiler Server—Only for HA licenses

Cisco Support Contract number

Cisco RMA (return-materials-authorization) number

Cisco Sales Order number


Replacing Cisco NAC Profiler Server in High-Availability (HA) Mode

The following steps summarize how to replace a NAC Profiler Server in an HA-pair.


Step 1 Perform initial configuration on the replacement appliance so that the previous network configuration is rebuilt on the replacement Profiler Server.

Step 2 Configure the replacement Profiler Server as the Primary or Secondary, depending on which Profiler Server is being replaced. Refer to the "Installation and Initial Configuration" chapter of the Cisco NAC Profiler Installation and Configuration Guide for detailed steps.

Step 3 Make sure both the Active Profiler Server and replacement Profiler Server are running the same version of the software (e.g. 2.1.7). Upgrade the replacement Profiler Server, if necessary.

Step 4 Install the new Profiler Server replacement license you obtained on the Active Profiler Server. (See Obtaining NAC Profiler Server Replacement License for details.)

Step 5 Install the new Profiler Server replacement license you obtained on the replacement Profiler Server.

Step 6 Connect the eth0 (management) interface of the replacement Profiler Server to the network.

Step 7 Connect the eth1 ports of the Profiler Server machines using a crossover cable for the UDP heartbeat interface.

Step 8 Reboot the Active Profiler Server to make the replacement Profiler Server become the Active machine.


Note Cisco recommends rebooting during a normal maintenance time frame.


Step 9 Verify that the replacement Profiler Server has become the Active Profiler Server.


Replacing Cisco NAC Guest Server Hardware

If replacing Cisco NAC Guest Server hardware, you will need to obtain a replacement product license.

Obtaining NAC Guest Server Replacement License


Step 1 Obtain the new eth0 NIC MAC address for the new NAC Guest Server.

Step 2 Submit a request for a replacement license to licensing@cisco.com and include:

Eth0 MAC address of Cisco NAC Guest Server

Cisco Support Contract number

Cisco RMA (return-materials-authorization) number

Cisco Sales Order number