Cisco NAC Profiler Installation and Configuration Guide, Release 3.1.1
Installing and Performing an Initial Configuration


Table Of Contents

Installing and Performing an Initial Configuration

Cisco NAC Profiler Collector/Server Hardware Overview

Cisco NAC Profiler Collector

Cisco NAC Profiler Server

Cisco NAC Profiler Server Hardware Summary

Cisco NAC Profiler Lite Front/Rear Panels (Based on NAC-3310)

Cisco NAC Profiler Server Front/Rear Panels (Based on NAC-3350)

Cisco NAC Profiler Server Front/Rear Panels (Based on NAC-3355)

Installing the Cisco NAC Profiler Server

Configuring a Standalone Cisco NAC Profiler Server

Collecting the Necessary Configuration Data

Performing an Initial System Network Configuration

Configuring NTP on Cisco NAC Profiler Servers

Configuring Operational Parameters for the Cisco NAC Profiler Server

Generating a Self-Signed Digital Certificate for the Standalone Cisco NAC Profiler Server

Configuring a Cisco NAC Profiler Server HA Pair

Collecting Necessary Configuration Data

Sequence for Configuring a Cisco NAC Profiler HA pair

Configuring the Primary Cisco NAC Profiler Server of the HA Pair

Generating a Self-Signed Digital Certificate for the Cisco NAC Profiler Server HA Pair

Configuring the Secondary Cisco NAC Profiler Server of the HA Pair

Starting Up Cisco NAC Profiler Collectors

Determining NAC Profiler Collector Connection Type Requirements

Starting Up a Standalone NAC Profiler Collector using the Client Connection Type

NAC Profiler Collector HA-Pair Startup

Starting Up a Standalone NAC Profiler Collector using the Server Connection Type

Configuring Profiler Collectors to Use with DHCP Analysis via IP Helper

Issuing CLI Commands to the Cisco NAC Profiler Collector


Installing and Performing an Initial Configuration


This chapter contains the following sections:

Cisco NAC Profiler Collector/Server Hardware Overview

Installing the Cisco NAC Profiler Server

Configuring a Standalone Cisco NAC Profiler Server

Configuring a Cisco NAC Profiler Server HA Pair

Starting Up Cisco NAC Profiler Collectors

Configuring Profiler Collectors to Use with DHCP Analysis via IP Helper

Issuing CLI Commands to the Cisco NAC Profiler Collector

Cisco NAC Profiler Collector/Server Hardware Overview

This section describes installation details for the two primary components of Cisco NAC Profiler:

Cisco NAC Profiler Collector

Cisco NAC Profiler Server

You can obtain additional information from the following documents:

For ordering details, refer to the Cisco NAC Profiler Ordering Guide.

For licensing details, refer to Cisco NAC Appliance Service Contract/Licensing Support.

For details on Cisco NAC Appliance hardware platforms, refer to the Cisco NAC Appliance Hardware Installation Guide for the hardware version you are running.

For details on software compatibility between the CAS, Collector, and Profiler Server, refer to the Release Notes for Cisco NAC Profiler for the software version you are running.


Note Cisco NAC Appliance Release 4.7(0) and Release 4.8 are the only tested FIPS 140-2 compliant releases. Cisco NAC Profiler and Cisco NAC Guest Server are not supported in FIPS-compliant deployments of Cisco NAC Appliance Release 4.7(0) or 4.8.


Cisco NAC Profiler Collector

The Cisco NAC Profiler Collector is a distributed component that resides on the Cisco NAC Appliance Server - Clean Access Server (CAS) and communicates with the Cisco NAC Profiler Server. A default version of the Cisco NAC Profiler Collector is shipped with each CAS, and there is one Cisco NAC Profiler Collector per CAS. The Cisco NAC Profiler Collector gathers information about endpoints using the following:

SNMP

NetFlow

DHCP

Active profiling

The Cisco NAC Profiler Collector uses the fourth NIC of the CAS to collect data from a SPAN port, SNMP, or NetFlow. The Cisco NAC Profiler Collector aggregates the relevant data, consolidates it, and then forwards it to the Cisco NAC Profiler Server.

The Cisco NAC Profiler Server performs the profiling and categorization function, and then updates the Cisco NAC Manager automatically. The Cisco NAC Profiler Collector requires the following conditions to be met for it to function:

A Cisco NAC Profiler Collector license must be obtained and installed on the Cisco NAC Profiler Server. Refer to Cisco NAC Appliance Service Contract/Licensing Support for details on obtaining and installing product licenses for the Cisco NAC Profiler.

The Cisco NAC Profiler Collector must be initially configured and enabled using the CAS CLI as described in Starting Up Cisco NAC Profiler Collectors.

The version of the Cisco NAC Profiler Collector on the CAS must be compatible with the Cisco NAC Profiler software version that is running on the Cisco NAC Profiler Server. You can upgrade the Cisco NAC Profiler Collector version independently of the Cisco NAC Appliance software on the CAS appliance. For Release 3.1.1 instructions, refer to the "Upgrading Collector Service on the CAS" section of the Release Notes for Cisco NAC Profiler, Release 3.1.1.

Table 4-1 summarizes the number of endpoints supported when the Cisco NAC Profiler Collector is enabled on the CAS for each Cisco NAC Appliance Server hardware platform.


Note All Cisco NAC Appliance releases are shipped with a default version of the Cisco NAC Profiler Collector component. When upgrading the NAC Server to a newer NAC Appliance release, the current version of the NAC Collector is replaced with the default version of the NAC Collector that shipped with the NAC Appliance release.


For example, if you have Cisco NAC Appliance 4.7.x with the Profiler 3.1.0 Collector installed and you upgrade to Cisco NAC Appliance 4.8, the upgrade replaces that Collector with the default version shipped with 4.8. After the Cisco NAC Appliance 4.8 upgrade, install the Cisco NAC Profiler 3.1.1 Collector and perform a service collector restart.


Note After the Cisco NAC 4.8 upgrade, your Cisco NAC Profiler Collector configuration should require no re-configuration.


Table 4-1 Cisco NAC Appliance Server Hardware Summary and Collector Support

Number of supported hosts (1) is given per license tier, first as Users/Endpoints (posture assessment in use) and then as Endpoints Only.

Clean Access Server (CAS) Platform    Users/Endpoints    Endpoints Only
NAC-3310 Server                       100/100            200
                                      250/250            500
                                      500/500            1000
NAC-3350 Server                       1500/1500          3000
                                      2500/2500          5000
                                      3500/3500          7000
NAC-3355 Server                       1500/1500          3000
                                      2500/2500          5000
                                      3500/3500          7000
                                      5000/5000          10000

(1) Cisco NAC Profiler Collector licensing has a 1:1 or 2:1 relationship to Clean Access Server user limits in a Cisco NAC Appliance deployment, depending on whether posture assessment is used. For example, a 2500-user CAS can support 2500 users and 2500 Collector endpoints, or up to 5000 Collector endpoints only if no posture assessment is performed.


Cisco NAC Profiler Server

The Cisco NAC Profiler Server is an appliance that aggregates and classifies data from Cisco NAC Profiler Collectors and manages a database of endpoint information. The Cisco NAC Profiler Server updates the device filter list of the Cisco NAC Appliance Manager (Clean Access Manager, CAM) to place endpoints into the appropriate access roles.

The Cisco NAC Profiler Server can communicate with multiple Cisco NAC Profiler Collectors on multiple CAS Servers. The Cisco NAC Profiler Server has a 1:1 relationship with the CAM. There is one Cisco NAC Profiler Server for each CAM in a Cisco NAC Appliance deployment.

There are three platforms available for Cisco NAC Profiler Server standalone or failover appliances:

Cisco NAC Profiler Server hardware platform (maximum 10,000 endpoints supported), based on the Cisco NAC-3355 hardware platform

Cisco NAC Profiler Server hardware platform (maximum 7,000 endpoints supported), based on the Cisco NAC-3350 hardware platform.

Cisco NAC Profiler "Lite" platform (maximum 5,000 endpoints supported), based on the Cisco NAC-3310 hardware platform.


Note The Cisco NAC Profiler Lite platform is supported as a new installation only and requires its own ISO file (the upgrade process does not apply). Only the nac-profilerlite-3.1.1-18-K9.iso file can be installed on the Cisco NAC Profiler Lite platform.


There are standalone and failover licences for each hardware platform, as well as Cisco NAC Profiler Collector licenses associated to the CAS size and Cisco NAC Profiler platform size. For details, refer to the Cisco NAC Profiler Ordering Guide.

Cisco NAC Profiler Server Hardware Summary


Note The Cisco NAC Profiler Server is only supported on the NAC-3355 hardware platform. If ordering a NAC Profiler Lite, you will actually receive a NAC-3355 based appliance with a NAC Profiler Lite License.


Table 4-2 summarizes the hardware specifications for the three supported Cisco NAC Profiler Server platforms.

Table 4-2 Cisco NAC Profiler Server Hardware Summary

Profiler Lite (1), based on NAC-3310 (2, 3)

Hardware specifications:
    Single processor: Xeon 2.33 GHz dual core
    1 GB RAM
    160 GB NHP SATA HDD
    4 10/100/1000 LAN ports [2 Broadcom 5721 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
    CD/DVD-ROM drive
    4 USB ports (2 front, 2 rear)

Note Newer Cisco NAC-3310 based platforms feature a 160GB hard drive, while older NAC-3310 platforms originally shipped with 80GB hard drives. Both of these hard drive sizes support High Availability (HA) deployments, and you can safely deploy a 160GB model in an HA pair with an 80GB model.

Note NAC-3310 is based on the Hewlett-Packard (HP) ProLiant DL140 G3.

Diagrams:
    Figure 4-1, "Cisco NAC Profiler Lite Front Panel (NAC-3310)"
    Figure 4-2, "Cisco NAC Profiler Lite Front Panel LEDs/Buttons"
    Figure 4-3, "Cisco NAC Profiler Lite Rear Panel (NAC-3310)"
    Figure 4-4, "Cisco NAC Profiler Lite Rear Panel LEDs"

Profiler Server, based on NAC-3350 (4)

Hardware specifications:
    Single processor: Intel Xeon 3.0 GHz dual core
    Dual power supply
    2 GB RAM
    2 x 72 GB SFF SAS RAID HDD
    Smart Array E200i Controller
    4 10/100/1000 LAN ports [2 Broadcom 5708 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
    CD/DVD-ROM drive
    4 USB ports (1 front, 1 internal, 2 rear)

Note NAC-3350 is based on the HP ProLiant DL360 G5.

Diagrams:
    Figure 4-5, "Cisco NAC Profiler Front Panel (NAC-3350)"
    Figure 4-6, "Cisco NAC Profiler Front Panel LEDs/Buttons"
    Figure 4-7, "Cisco NAC Profiler Rear Panel (NAC-3350)"
    Figure 4-8, "Cisco NAC Profiler Rear Panel LEDs"

Profiler Server, based on NAC-3355 (5, 6)

Hardware specifications:
    Single processor: Intel Xeon (Nehalem) quad-core
    Dual 675W power supply (redundant)
    4 GB RAM
    2 x 300 GB SAS RAID HDD
    4 10/100/1000 LAN ports [2 integrated NICs; 2 Gigabit NICs (PCI-E)]
    CD/DVD-ROM drive
    4 USB ports (1 front, 1 internal, 2 rear)
    Cavium CN1120-NHB-E SSL Accelerator Card or nCipher Card

Note The NAC-3355 is based on the IBM System x3550 M2 server platform.

Diagrams:
    Figure 4-9, "Cisco NAC Profiler Front Panel (NAC-3355)"
    Figure 4-10, "Cisco NAC Profiler Front Panel LEDs/Buttons"
    Figure 4-11, "Cisco NAC Profiler Rear Panel (NAC-3355)"
    Figure 4-12, "Cisco NAC Profiler Rear Panel LEDs"

(1) The Profiler Lite platform is supported as a new installation only and requires its own ISO file (upgrade does not apply). For Release 3.1.1, only the nac-profilerlite-3.1.1-18-K9.iso file can be installed on the Profiler Lite platform.

(2) NAC-3310 may require firmware/BIOS upgrades for the HP ProLiant DL140 G3. See the "DL140 G3 Required BIOS/Firmware Upgrades" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Clean Access) for details.

(3) NAC-3310 supports iLO (Lights Out 100i Remote Management). The default iLO "Administrator" account has the default username/password admin/admin. Change these defaults through the BIOS setup before the iLO port is connected to any network; a management controller reachable with factory credentials gives full console and power control of the appliance.

(4) NAC-3350 supports iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.

(5) NAC-3355 supports up to 20 standalone or high-availability (HA) CASs.

(6) NAC-3315 and NAC-3355 hardware platforms also support NAC Profiler version 3.1.1-18 in FIPS 140-2 mode.


Cisco NAC Profiler Lite Front/Rear Panels (Based on NAC-3310)

This section illustrates and describes the front and rear panels of the Cisco NAC-3310 platform.

Figure 4-1 Cisco NAC Profiler Lite Front Panel (NAC-3310)

1  Hard disk drive (HDD) bay
2  CD-ROM/DVD drive
3  UID (Unit identification) button with recessed LED indicator (blue)
4  System health LED indicator (amber)
5  Activity/link status LED indicators for NIC 1 (eth0) and NIC 2 (eth1) (green)
6  HDD activity LED indicator (green)
7  Power button with LED indicator (bicolor: green/amber)
8  Thumbscrews for the front bezel
9  Front USB ports

Figure 4-2 Cisco NAC Profiler Lite Front Panel LEDs/Buttons

1

UID LED (recessed)

Blue = A UID button has been pressed.

2

System health LED

Off = System health is normal.
Amber = A pre-failure system threshold has been breached. This can be any of the following:

At least one fan failure (system or processor fan).

At least one of the temperature sensors reached critical level (system or processor thermal sensors).

At least one memory module failure.

A power supply unit error has occurred.

3

Activity/link status LED for NIC 1 (eth0) and NIC 2 (eth1)

Solid green = An active network link exists.
Flashing green = An ongoing network data activity exists.
Off = The server is off-line.

4

HDD activity LEDs

Flashing green = Ongoing drive activity.
Off = No drive activity.

5

Power status LED (recessed)

Green = The server has AC power and is powered up.
Amber = The server has AC power and is in standby mode.
Off = The server is powered off (AC power disconnected).


Figure 4-3 Cisco NAC Profiler Lite Rear Panel (NAC-3310)

1   Ventilation holes
2   Thumbscrew for the top cover
3   Thumbscrews for the PCI riser board assembly
4   NIC 3 (eth2) and NIC 4 (eth3) PCI Express GbE LAN (RJ-45) ports (Intel)
5   (description not given)
6   Standard height/full-length PCI Express x16/PCI-X riser board slot cover
7   Power supply cable socket
8   NIC 1 (eth0) and NIC 2 (eth1) integrated GbE LAN (RJ-45) ports (Broadcom)
9   UID button with recessed LED indicator (blue)
10  Rear USB ports (black)
11  Video port (blue)
12  Serial port
13  PS/2 keyboard port (purple)
14  PS/2 mouse port (green)
15  10/100 Mbps iLO LAN port for IPMI management (RJ-45)

Figure 4-4 Cisco NAC Profiler Lite Rear Panel LEDs

1

NIC activity/link status LEDs for NIC 1 (eth0) and NIC 2 (eth1)

Solid green = An active network link exists.
Flashing green = An ongoing network data activity exists.
Off = The server is off-line.

2

NIC network speed LEDs

Steady amber = The LAN connection is using a GbE link.
Steady green = The LAN connection is using a 100 Mbps link.
Off = The LAN connection is using a 10 Mbps link.

3

UID LED (recessed)

Blue = A UID button has been pressed.

4

Link status LED for the 10/100 Mbps LAN port

Green = A network link exists.
Off = No network link exists.

5

Activity status LED for the 10/100 Mbps LAN port

Flashing green = Network activity exists.
Off = No network activity exists.


Cisco NAC Profiler Server Front/Rear Panels (Based on NAC-3350)

This section illustrates and describes the front and rear panels of the Cisco NAC-3350 platform.

Figure 4-5 Cisco NAC Profiler Front Panel (NAC-3350)

1  Hard drive bay 1
2  Hard drive bay 2
3  CD-ROM/DVD drive
4  Video connector
5  HP Systems Insight Display
6  USB connector


Figure 4-6 Cisco NAC Profiler Front Panel LEDs/Buttons

1

Power On/Standby button and system power LED

Green = System is on.
Amber = System is shut down, but power is still applied.
Off = Power cord is not attached, a power supply failure has occurred, no power supplies are installed, facility power is not available, or the power button cable is disconnected.

2

UID button/LED

Blue = Identification is activated
Flashing blue = System is being managed remotely
Off = Identification is deactivated

3

Internal health LED

Green = System health is normal.
Amber = System health is degraded. (To identify the component in a degraded state, refer to "HP Systems Insight Display and LEDs.")
Red = System health is critical. (To identify the component in a critical state, refer to "HP Systems Insight Display and LEDs.")
Off = System health is normal when in standby mode.

4

External health LED (power supply)

Green = Power supply health is normal.
Amber = Power redundancy failure occurred.
Off = Power supply health is normal when in standby mode.

5

NIC 1 (eth0) link/activity LED

Green = Network link exists
Flashing green = Network link and activity exist.
Off = No link to network exists.
If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 4-8)

6

NIC 2 (eth1) link/activity LED

Green = Network link exists
Flashing green = Network link and activity exist.
Off = No link to network exists.
If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 4-8)


Figure 4-7 Cisco NAC Profiler Rear Panel (NAC-3350)

1   NIC 3 (eth2) PCI-X port (Intel)
2   NIC 4 (eth3) PCI-X port (Intel)
3   PCI Express expansion slot 2
4   Power supply bay 1
5   Power supply bay 2
6   Integrated NIC 2 (eth1) port (Broadcom)
7   Integrated NIC 1 (eth0) port (Broadcom)
8   Keyboard connector (purple)
9   Mouse connector (green)
10  Video connector (blue)
11  Serial connector
12  USB connector
13  USB connector
14  iLO 2 NIC connector (RJ-45)


Figure 4-8 Cisco NAC Profiler Rear Panel LEDs

1

iLO 2 NIC activity LED

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

2

iLO 2 NIC link LED

Green = Link exists
Off = No link exists

3

10/100/1000 NIC 3 (Intel) Activity LED

Steady green = High activity
Flashing green = Activity exists
Off = No activity (if link LED is off, link is dead)

4

10/100/1000 NIC 3 (Intel) Link LED

Orange = 1000 Mbps
Green = 100 Mbps
Off = 10 Mbps (if activity LED is off, link is dead)

5

10/100/1000 NIC 4 (Intel) Activity LED

Steady green = High activity
Flashing green = Activity exists
Off = No activity (if link LED is off, link is dead)

6

10/100/1000 NIC 4 (Intel) Link LED

Orange = 1000 Mbps
Green = 100 Mbps
Off = 10 Mbps (if activity LED is off, link is dead)

7

10/100/1000 NIC 1 (Broadcom) Activity LED

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

8

10/100/1000 NIC 1 (Broadcom) Link LED

Green = Link exists
Off = No link exists

9

10/100/1000 NIC 2 (Broadcom) Activity LED

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

10

10/100/1000 NIC 2 (Broadcom) Link LED

Green = Link exists
Off = No link exists

11

UID button/LED

Blue = Identification is activated
Flashing blue = System is being managed remotely
Off = Identification is deactivated

12

Power supply 1 LED

Green = Normal
Off = System is off or power supply has failed.

13

Power supply 2 LED

Green = Normal
Off = System is off or power supply has failed.



Note See the in-box documentation that shipped with your Cisco NAC Profiler Server for information on using the controls and interpreting the status LEDs on the front panel of the unit.


Cisco NAC Profiler Server Front/Rear Panels (Based on NAC-3355)

The Cisco NAC-3355 platform provides enhanced capability for enterprise-wide deployments and is equipped with four network interfaces to provide flexibility in NIC interface selection and high availability configurations.

Figure 4-9 Cisco NAC Profiler Front Panel (NAC-3355)

1   Hard disk drive (HDD) bay 0
2   Empty (unused) hard disk drive (HDD) bay (1)
3   Empty (unused) hard disk drive (HDD) bay (1)
4   Power button with LED indicator (bicolor: green/amber)
5   Operator information panel
6   Operator information panel release switch
7   Video port
8   Front USB port 1
9   Front USB port 2
10  CD-ROM/DVD drive
11  Empty (unused) hard disk drive (HDD) bay (1)
12  Empty (unused) hard disk drive (HDD) bay (1)
13  Hard disk drive (HDD) bay 1

(1) Cisco does not support installing additional hard drives in the NAC-3355 appliance.


Figure 4-10 Cisco NAC Profiler Front Panel LEDs/Buttons

1

HDD activity LED

Green = Hard disk drive activity
Flashing Green = Hard disk drive activity
Off = Hard disk drive is idle or disabled

2

HDD status LED

Amber = Hard disk drive is in error state
Off = Hard disk drive is functioning or disconnected from power

3

Power switch button cover

Slides left and right to expose or protect power switch

4

Ethernet icon LED

Green = Ethernet interfaces are configured and up
Off = No Ethernet interfaces are currently configured or Ethernet interfaces are all down

5

Ethernet interface activity LEDs (NIC 1 and NIC 2)

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

6

Information LED

Amber = A non-critical system event has occurred
Off = System is functioning normally

7

System health LED

Off = System health is normal
Amber = A pre-failure system threshold has been breached. This can be any of the following:

At least one fan failure (system or processor fan)

At least one of the temperature sensors reached critical level (system or processor thermal sensors)

At least one memory module failure

A power supply unit error has occurred

8

Front Locator button/LED

Flashing blue = The Locator button has been pressed.

9

Ethernet interface activity LEDs (NIC 3 and NIC 4)

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

10

Power button with LED

Green = The appliance has AC power and is powered up
Rapidly flashing green = The appliance is off and is not yet ready to be turned on (the appliance typically only remains in this state for 1 to 3 minutes)
Slowly flashing green = The appliance is currently off and ready to be turned on
Slowly fading on/off green = The appliance is in power-save mode and is ready to be turned on
Off = The appliance is powered off (AC power disconnected)


Figure 4-11 Cisco NAC Profiler Rear Panel (NAC-3355)

1   Empty (unused) PCI Express slot
2   Video port
3   Rear USB port 4
4   Power supply cable sockets
5   Rear USB port 3
6   Serial port
7   NIC 2 (eth1) GbE interface
8   NIC 1 (eth0) GbE interface
9   NIC 4 (eth3) add-on card
10  NIC 3 (eth2) add-on card
11  Console port

Figure 4-12 Cisco NAC Profiler Rear Panel LEDs

1

NIC 1 (eth0) activity LED

Green = Activity exists
Flashing green = Activity exists
Off = No activity exists

2

NIC 1 (eth0) link LED

Green = Link exists
Off = No link exists

3

AC power LED

Green = AC power source is connected to power supply
Off = No AC power source is connected to power supply

4

DC power LED

Green = DC power source is connected to power supply
Off = No DC power source is connected to power supply

5

Power supply error LED

Amber = Power source to power supply is present, but power supply is in error state
Off = Power supply is functioning normally (if AC and DC power indicators are green) or power supply is disconnected

6

System error LED

Amber = Indicates that a system error has occurred
Off = The system is functioning normally

7

Rear Locator LED

Flashing blue = The Front Locator button has been pressed

8

Power LED

Green = The appliance has AC power and is powered up
Rapidly flashing green = The appliance is off and is not yet ready to be turned on (the appliance typically only remains in this state for 1 to 3 minutes)
Slowly flashing green = The appliance is currently off and ready to be turned on
Slowly fading on/off green = The appliance is in power-save mode and is ready to be turned on
Off = The appliance is powered off (power is disconnected)


Installing the Cisco NAC Profiler Server


Caution Before performing the following procedure, read the safety instructions and important regulatory information in the Important Safety Information documentation packet.

Use the following steps to power-up the Cisco NAC Profiler Server and establish a network connection with the Management interface of the appliance:


Step 1 Carefully open the shipping carton and remove the appliance. Remove any packing material from the appliance.

Step 2 Confirm that the box contains the items shown in Figure 4-13.

Figure 4-13 Shipping Box Contents


Note Retain the carton and the shipping materials in the event that the unit needs to be shipped in the future.


Step 3 Check the unit for obvious damage. If the appliance appears to be damaged, DO NOT INSTALL the unit. Contact customer support for instructions on how to obtain a replacement unit. Refer to Cisco NAC Appliance Service Contract /Licensing Support for details.

Step 4 The appliance may be operated as a free-standing unit or mounted in a standard 19-inch equipment rack or cabinet.


Note A rack-mounting kit is included in the shipment. For rack-mounting information and instructions, refer to the 1U Rack Hardware Installation Instructions for HP Products document also included in the shipment.


Step 5 After mounting the unit in the desired location, connect the power cable to the device's AC power receptacle located on the rear of the appliance and plug the other end of the power cable into a grounded AC outlet.

Step 6 Connect a monitor, keyboard, and mouse to the Cisco NAC Profiler Server either directly or via a KVM switch by making the appropriate connections using the keyboard, mouse and video connectors provided on the rear of the Cisco NAC Profiler Server as shown in Figure 4-7. Alternatively, a laptop or desktop computer running HyperTerminal or similar terminal emulation program can be used to access the Cisco NAC Profiler Server command line interface. Connect the RJ-45 connector of console cable to serial port B on the Cisco NAC Profiler Server, and the DB9F connector to the serial port of the laptop/desktop. Use the following parameters for the serial connection: 9600 Baud, 1 stop bit, 8 data bits, no parity.


Note These peripherals are necessary only for the initial IP configuration of the management interface of the Cisco NAC Profiler Server, which establishes a valid IP configuration and the network connectivity needed to reach the web-based user interface later.


Step 7 To connect the management interface of the Cisco NAC Profiler Server to the network, attach an appropriate Ethernet cable (equipped with an RJ-45 connector) to the copper Ethernet port labeled NIC 1 (eth0) located on the rear of the appliance. (See Figure 4-7.)

Step 8 Power on the Cisco NAC Profiler Server by pressing the power button on the front of the appliance. The diagnostic LEDs will flash a few times as part of the power-on self-test (POST). Status messages are displayed on the console as the appliance boots up.

Step 9 Confirm the network connectivity to the Cisco NAC Profiler Server management interface (eth0) by observing the Ethernet port's status LEDs. The LEDs on the NIC cards of the Cisco NAC Profiler Server are interpreted as described in the table under Figure 4-8.


Tip If the NIC port LEDs do not indicate properly after connecting the cable from the appliance to the network port, check to make sure that the correct type of cable has been used to connect the Cisco NAC Profiler Server to the network and that the switch port is enabled and properly configured.


The Cisco NAC Profiler Server may be operated as a single, non-redundant standalone appliance, or it can be configured as a high-availability pair of servers:

If implementing the system as a single Profiler Server, follow the instructions outlined in Configuring a Standalone Cisco NAC Profiler Server.

If implementing the system as an HA pair of Profiler Servers, you will receive two physical appliances, which you connect together and configure via the startup scripts to create a High-Availability pair. Refer to Configuring a Cisco NAC Profiler Server HA Pair for details.


Configuring a Standalone Cisco NAC Profiler Server

The Cisco NAC Profiler Server ships with the Cisco NAC Profiler software pre-installed on the hard drive. When the system is started for the first time, a series of startup scripts guide the installer through several tasks necessary to provide an initial configuration for the Cisco NAC Profiler Server and establish IP connectivity so that the web-based Cisco NAC Profiler user interface can be accessed via standard web browser from any point on the network.

Collecting the Necessary Configuration Data

Prior to beginning the setup of a Cisco NAC Profiler Server in a standalone configuration, collect and record the data listed in Table 4-3; having every value at hand makes the setup process easier.


Note The following characters cannot be used in UI usernames or passwords anywhere in the Cisco NAC Profiler system: ; ` ' | " ( ) [ ] { } and also newline (\n), carriage return (\r), and null.


Table 4-3 Standalone Cisco NAC Profiler Server Appliance—Configuration Data

Parameter                                             Value
Password for root system user (CLI access)            ____________________
Password for beacon system user (CLI access)          ____________________
Hostname                                              ____________________
Management interface IP address                       ____________________
Management interface net mask                         ____________________
Default gateway                                       ____________________
Name server IP address                                ____________________
NTP server(s) FQDN or IP address(es)                  ____________________
Web Admin user password (default: profiler)           ____________________

The following standalone Cisco NAC Profiler Server startup tasks are completed at the command line, using the keyboard and monitor connected to the appliance peripheral ports or a laptop/desktop computer running terminal emulation as described in Installing the Cisco NAC Profiler Server. The scripts guide the user through input of the basic configuration information needed to enable the Cisco NAC Profiler Server component of the Cisco NAC Profiler system.

As part of the startup scripts of the Cisco NAC Profiler Server appliance, a self-signed digital certificate is created to enable SSL encryption of the web user interface, along with a Certificate Signing Request (CSR). Browsers will warn about the self-signed certificate until it is replaced by a CA-signed certificate obtained with the CSR.


Tip Consider creating a DNS entry for the Cisco NAC Profiler Server appliance before beginning the system startup, so that the FQDN placed in the certificate matches the name clients will use.


Information for creation of the self-signed digital certificate/CSR such as the FQDN, organization unit identifier, organization identifier, etc. should be close at hand before beginning the startup procedures for Cisco NAC Profiler Server appliances.

Performing an Initial System Network Configuration

After the necessary configuration data is collected, the Profiler Server appliance should be powered on if it is not already running.

When booting the appliance for the first time, a standard login prompt is presented either on the monitor connected to the appliance or displayed through terminal emulation on a connected laptop/desktop as illustrated in Figure 4-14.

Follow the steps in this section to begin configuring a standalone Cisco NAC Profiler Server Appliance, which provides the system with its basic network configuration.


Step 1 Enter root at the login prompt (Figure 4-14) to log into the appliance as the 'root' system user, and press Enter.

Figure 4-14 Profiler System Login Prompt


Tip On the first boot of the Cisco NAC Profiler Server appliance, there are no passwords set for the root or beacon system user accounts. Passwords for the system user accounts will be established during startup.


Upon logging in as root, the system will display the dialog shown in Figure 4-15.


Tip If the dialog in Figure 4-15 is not shown upon first login as the root system user, enter the command service profiler config to start the Profiler startup scripts manually.


For new installations select OK and press Enter, which will result in the execution of the startup scripts in their entirety as described in this section.

Figure 4-15 Initial Configuration Dialog: Cisco NAC Profiler Lite


Note Pressing Control-C or selecting Cancel on one of the user input screens while running the startup scripts bypasses the configuration scripts and returns the user to the system prompt without completing any initial configuration. The scripts can be restarted at any time by entering the service profiler config command as the root system user.


Step 2 Verify that the correct Cisco NAC Profiler Server load has been installed on the Appliance. For Cisco NAC Profiler Systems, the screen illustrated in Figure 4-15 will indicate either "NAC Profiler Server" or "NAC Profiler Lite".

The initial configuration scripts will then step the installer through several screens to set a number of environment-specific IP configuration parameters for the newly installed standalone Profiler Server appliance including:

Hostname

Management interface IP address and mask

Default gateway

Name server (DNS server)

Step 3 Assign the Profiler appliance its hostname using the Configure Hostname form illustrated in Figure 4-16 which appears after selecting OK on the Initial Configuration Dialog.

Figure 4-16 Configure Hostname

Step 4 Enter the desired hostname for this Cisco NAC Profiler Server. Select OK and press Enter to go on to the next step of the configuration script, configuring the Network Management Interface, which displays the screen shown in Figure 4-17.

The management interface (eth0) is the primary communications interface for the Cisco NAC Profiler Server, and it must be assigned IP configuration parameters appropriate for its operating environment.

Figure 4-17 Configure Network Management Interface: IP Address

Step 5 Enter the desired IP host address for the Cisco NAC Profiler Server management interface using the dotted decimal notation (for example, 10.10.10.1), press Enter to go to the next step, and enter the network mask of the management interface via the next screen, Figure 4-18.

Figure 4-18 Configure Network Management Interface Network Mask

Step 6 Enter the network mask to be utilized by the management interface using dotted decimal notation (for example, 255.255.0.0), and press Enter to go to the next configuration page which enables the setting of the default gateway IP address, Figure 4-19.

The default gateway is the IP address of the router interface servicing the network segment to which the Cisco NAC Profiler Server management interface is physically connected. This parameter specifies the router the Cisco NAC Profiler Server will use to reach other subnets and networks beyond its own.

Figure 4-19 Configure Network Management Interface: Gateway

Step 7 Enter the IP address of the desired default gateway for the Cisco NAC Profiler Server using dotted decimal notation (for example, 10.10.10.254), and press Enter to move on to the next step, which prompts for the name server (DNS) to be utilized by the NAC Profiler Server, Figure 4-20.

Figure 4-20 Configure Network Management Interface: Name Server

Step 8 After entering the name server IP address and pressing Enter, a summary of the IP information configured so far is displayed as shown in Figure 4-21.

Figure 4-21 Verify Network Information

Step 9 Verify that the information entered to this point is correct. If changes are required, use the arrow keys to select No and press Enter. This causes the scripts to restart from the beginning of the IP parameter assignment: all data entered for these parameters is discarded, and data entry begins again with the assignment of the management interface IP address.

If the information is correct, make certain that Yes is selected and press Enter to save the network configuration for the NAC Profiler Server. The configuration scripts will restart all the network interfaces on the appliance to make the configuration changes active on the management interface. After the interfaces restart successfully, the screen in Figure 4-22 is displayed indicating that the IP configuration has been completed and that the startup scripts are continuing with the configuration of the Network Time Protocol (NTP) for the appliance as described in the following section.



Tip At this time, the validity of the completed IP configuration can be verified by issuing a Ping command to the IP address of the Cisco NAC Profiler Server from a network attached endpoint. Successfully pinging the appliance indicates a valid IP configuration which is necessary for management of the system via the web-based user interface.
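As an added example (not part of the Cisco guide or of the appliance's own startup scripts), the following POSIX shell functions pre-check a management-interface assignment before it is typed into Steps 5 through 7: that the address, mask and gateway are well-formed dotted-decimal values, that the mask is contiguous, and that the gateway lies on the same subnet as the eth0 address, which is the usual reason the Ping test in the Tip above fails from another subnet. The sample values used in the comments are constructed to match the guide's own examples (10.10.10.1, 255.255.0.0, 10.10.10.254).

```shell
#!/bin/sh
# Added example, not from the Cisco NAC Profiler guide: pre-flight check of
# the eth0 address, network mask and default gateway before they are entered
# in the appliance startup scripts. Pure POSIX sh, no external tools needed.

# Return 0 if $1 is a valid dotted-decimal IPv4 address (four octets, 0-255).
valid_ipv4() {
    _ip=$1
    case $_ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # reject empty, non-digits, stray dots
    esac
    _oldifs=$IFS; IFS=.
    set -- $_ip                                 # split on dots
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Convert a (validated) dotted quad to a 32-bit integer.
ipv4_to_int() {
    _oldifs=$IFS; IFS=.
    set -- $1
    IFS=$_oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if $1 is a usable contiguous mask: ones followed by zeros,
# and neither 0.0.0.0 nor 255.255.255.255 (no room for a gateway).
valid_mask() {
    valid_ipv4 "$1" || return 1
    _mk=$(ipv4_to_int "$1")
    [ "$_mk" -ne 0 ] && [ "$_mk" -ne 4294967295 ] || return 1
    # The bitwise complement of a contiguous mask is 2^k - 1, so adding 1
    # yields a power of two: n & (n + 1) == 0 exactly when the mask is contiguous.
    _inv=$(( 4294967295 - _mk ))
    [ $(( _inv & (_inv + 1) )) -eq 0 ]
}

# check_ip_config IP MASK GATEWAY
# Prints the first inconsistency found and returns 1; returns 0 when the
# three values fit together (e.g. 10.10.10.1 255.255.0.0 10.10.10.254).
check_ip_config() {
    ip=$1; mask=$2; gw=$3
    valid_ipv4 "$ip"   || { echo "invalid host address: $ip"; return 1; }
    valid_mask "$mask" || { echo "invalid network mask: $mask"; return 1; }
    valid_ipv4 "$gw"   || { echo "invalid gateway address: $gw"; return 1; }
    i=$(ipv4_to_int "$ip"); m=$(ipv4_to_int "$mask"); g=$(ipv4_to_int "$gw")
    net=$(( i & m ))
    bcast=$(( net | (4294967295 - m) ))
    # The host must not sit on the network or broadcast address ...
    if [ "$i" -eq "$net" ] || [ "$i" -eq "$bcast" ]; then
        echo "host address $ip is the network or broadcast address"; return 1
    fi
    # ... and the gateway must be on eth0's own subnet, or the appliance
    # can never reach it and nothing beyond the local segment can ping it.
    if [ $(( g & m )) -ne "$net" ]; then
        echo "gateway $gw is not on the subnet of $ip/$mask"; return 1
    fi
    if [ "$g" -eq "$i" ]; then
        echo "gateway must differ from the host address"; return 1
    fi
    echo "ok: $ip/$mask via $gw"
    return 0
}
```

Call check_ip_config with the three values from the data collection sheet; it prints the first problem found and returns non-zero, so it can be chained into a larger pre-deployment script with `&&`.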


Configuring NTP on Cisco NAC Profiler Servers

It is recommended that NTP be configured on all Cisco NAC Profiler Server appliances. Using NTP with Cisco NAC Profiler Server will provide accurate timestamps for the logs and statuses of various UI display screens.

Select Yes and complete the following steps to configure NTP. If No is selected on the NTP configuration screen, the startup scripts will proceed onto the next startup task (see Configuring Operational Parameters for the Cisco NAC Profiler Server) and use the appliance hardware clock and default time zone.

Figure 4-22 NTP Configuration


Step 1 Ensure Yes is selected and press Enter to start the NTP Configuration portion of the Profiler Server start-up scripts from the NTP Configuration screen shown in Figure 4-22. This displays the Time Zone Selector screen, Figure 4-23.

Step 2 Select the correct Time Zone Region using the up or down arrow keys, ensure that OK is selected (using the tab key) and press Enter to select the region in which the appliance is physically located.

The scripts advance to the Country/Region selector (Figure 4-24).

Figure 4-23 Select Region

Step 3 Select the correct Country using the up or down arrow keys, ensure that OK is selected (using the tab key) and press Enter to select the country in which the appliance is physically located.

The next screen allows you to select the Time Zones available for the selected Region/Country.

Figure 4-24 Select Country

Step 4 Select the desired Time Zone using the up or down arrow keys, ensure that OK is selected (using the tab key) and press Enter. (Figure 4-25 uses United States Eastern time as the example.)

Figure 4-25 Select Time Zone

Step 5 To confirm the correct Time Zone when prompted by the pop-up dialog (Figure 4-26), press Enter with Yes selected, or use the right arrow to highlight No if the time zone needs to be changed.

Figure 4-26 Confirm Time Zone

Step 6 Enter the FQDN (preferred) or the IP address of the primary NTP Server that this NAC Profiler Server Appliance will use as its time server in the Configure Network Time Server form that is displayed next, as shown in Figure 4-27.

Enter only one IP/DNS address in this screen and use the Enter key to select OK. The screen will loop allowing the entry of multiple NTP servers.


Note As NTP Servers are entered, the NAC Profiler Server attempts to confirm NTP connectivity with the specified server. If the system is unable to get an NTP response from the IP/DNS entered, a message is displayed indicating that NTP connectivity with the last IP/DNS entered has failed, and the Configure Network Time Server screen appears again to allow entry of an alternate NTP Server.


Step 7 Continue this process until all NTP Servers that the appliance should use for time service have been added to the configuration.

Figure 4-27 Configure Network Time Server(s)

Step 8 When all of the desired NTP Servers have been added to the configuration, type 'done' in the field, tab to select OK, and press Enter to proceed with the next step in the NTP setup as shown in Figure 4-28.

Figure 4-28 Done with NTP Server(s)

The Verify NTP Server(s) screen (Figure 4-29) enables verification of the NTP Server(s) that have been added to the NAC Profiler Server appliance configuration.

Step 9 Select Yes (using the tab key) and press Enter to proceed to the next phase of appliance startup.


Tip If it is necessary to make a change to the configured NTP servers at this time, use the tab key to select No. The NTP server list will be cleared and the form in Figure 4-27 is re-displayed to allow the re-entry of NTP servers.


Figure 4-29 Verify NTP Server(s)



Tip The NTP configuration scripts can be run/re-run in their entirety by entering the command service profiler setupntp at the command line as the root system user.


After the successful start of NTP, the screen in Figure 4-30 is displayed indicating that the scripts are continuing and creating the base Cisco NAC Profiler Server configuration for the appliance.

Ensure that OK is selected and press Enter to begin the initial configuration of the NAC Profiler Server functionality of the system as described in the following section.

Figure 4-30 Welcome to the NAC Profiler

Configuring Operational Parameters for the Cisco NAC Profiler Server

While the command line of the Cisco NAC Profiler Server appliance is not used frequently, access to the command line may be necessary at certain times. Therefore, it is highly recommended that the passwords for the system user accounts for Cisco NAC Profiler Server systems be noted and recorded for future use when command line access is required. Complete the following steps to continue configuration of the NAC Profiler Server:


Note Please utilize strong password guidelines when choosing the password for the root and the beacon system user accounts on all Cisco NAC Profiler Server appliances. Using strong passwords prevents unauthorized access to the systems via the console or SSH.



Tip SSH access to the NAC Profiler Server is enabled only for the beacon system user. SSH connections to the root system user account will be refused. SSH as the beacon system user and use the su command to elevate to root privileges.



Step 1 Click OK to be prompted to create/confirm a password for the root system user account on this Cisco NAC Profiler Server appliance. (See Figure 4-31 and Figure 4-32.)

Figure 4-31 Setting Root Password


Note The following characters cannot be used in UI usernames/passwords anywhere in the Cisco NAC Profiler Server System: ; ` ' | " ( ) [ ] { } as well as newline (\n), carriage return (\r), and null.


Figure 4-32 Enter Root Password & Confirm

Step 2 The scripts will prompt for an entry/confirmation of a password for the beacon system user account. The beacon user account is used primarily for command-line access to the Cisco NAC Profiler Server appliance via SSH. In addition, this account provides access to the Cisco NAC Profiler Server system files and control of the Cisco NAC Profiler Server software processes and the database. (See Figure 4-33 and Figure 4-34).

Figure 4-33 Setting Beacon Password


Note The following characters cannot be used in UI usernames/passwords anywhere in the Cisco NAC Profiler Server System: ; ` ' | " ( ) [ ] { } as well as newline (\n), carriage return (\r), and null.


Figure 4-34 Enter Beacon Password & Confirm

Step 3 The scripts will now set up and initialize the Cisco NAC Profiler database.

The next screen displays the end-user license for Zend Optimizer, Figure 4-35. The Zend Optimizer is used to accelerate PHP performance within the Cisco NAC Profiler Server user interface. Review the license for the Zend Optimizer, using the arrow keys to scroll up and down.

Figure 4-35 Zend Optimizer License

Step 4 When you have completed reading the license agreement and agree to the terms, select Exit and press Enter. The next screen (Figure 4-36) is displayed, which enables the installer to accept the agreement (by pressing Enter to select Yes) and proceed with installation of the Zend Optimizer.

Figure 4-36 Zend Optimizer License Acceptance

Upon completion of the Zend installation, the scripts proceed on to setting the web-based user interface password for the admin user, which defaults to 'profiler' as shown in Figure 4-37.


Note The admin web user account has full administrative access to the system configuration, including the creation and deletion of user accounts via the web interface. The admin user account is the only UI user set up during Profiler Server configuration and must be used for initial access to the web-based UI.


Figure 4-37 Set Admin Web UI Password

Step 5 If the default password is acceptable, press Enter to accept it and move on to the next step, or edit the password as desired. Select OK to proceed with the next step of the configuration, which designates whether this Cisco NAC Profiler Server will operate as a single server or in a High Availability (HA) pair.

Figure 4-38 HA Configuration

Step 6 Select No and press Enter to configure this Cisco NAC Profiler for standalone operation.


When declining the HA configuration option, the startup scripts will advance automatically into the SSL Certificate setup portion of the Cisco NAC Profiler Server startup. Proceed with the instructions in the next section to create a self-signed digital certificate that allows initial access to the web UI.

Generating a Self-Signed Digital Certificate for the Standalone Cisco NAC Profiler Server

The Cisco NAC Profiler Server web-based UI uses digital certificates so that the browser can verify the authenticity of the embedded web server when it connects over HTTPS to the Cisco NAC Profiler Server user interface. The system leverages one of the most common applications of PKI (Public Key Infrastructure) and digital certificates: the web browser validating that an SSL (Secure Sockets Layer) web server is authentic.

This allows the user to feel secure that their interaction with the web server is in fact trusted and their communications with it secure. This is the same mechanism that is used today for securing e-commerce and other secure communications with web sites of many types using SSL. The Cisco NAC Profiler Server system in version 3.1.1 does not ship with a digital certificate installed.

As part of the system startup of a standalone Cisco NAC Profiler Server appliance, the required procedure is to create a self-signed certificate using the local parameters for the Cisco NAC Profiler Server system so that the UI can be accessed securely via standard SSL. When the self-signed certificate is created or installed through the startup scripts, a Certificate Signing Request (CSR) for the system is also created automatically.

As an optional step, the CSR can be downloaded from the appliance and submitted to either an internal or external Certificate Authority (CA) for digital signature if desired or required by a local security policy. The following procedure outlines the required steps for creating/installing the self-signed certificate and the optional steps for downloading the CSR for submission to a CA.


Tip Instructions for replacing the self-signed certificate with a digitally signed certificate from a CA are outlined in Chapter 5, "Importing a Digitally Signed SSL Certificate into the Cisco NAC Profiler System" section on page 5-17.



Step 1 From the "Initial Certificate Setup" screen shown in Figure 4-39, ensure Proceed is selected and press Enter to move to the next screen and begin the certificate setup on the Cisco NAC Profiler Server system being started up.

Figure 4-39 Certificate Setup

Step 2 From the "Choose Certificate Action" screen (Figure 4-40), ensure that option A, Create/Update Self-signed Cert & CSR, is selected. Tab to select OK, then press Enter to create a self-signed SSL certificate and CSR for the standalone NAC Profiler Server.

Figure 4-40 Select Certificate Action

Step 3 Upon selecting option A, the screen shown in Figure 4-41 allows for entry of the parameters required for the self-signed certificate and CSR that will be created by the scripts. Note that all fields in this form must be entered to successfully create a self-signed certificate and CSR.


Tip Navigation between the fields for the certificate information is provided by the arrow keys. Use the tab key to toggle between field entry and access to the Submit and Cancel actions.


Figure 4-41 Certificate Details

Step 4 Enter the following parameters for the self-signed certificate and CSR that will be created for the Cisco NAC Profiler Server system:

a. FQDN of this Cisco NAC Profiler Server system (preferred) or alternatively the IP address of the Cisco NAC Profiler Server's Management Interface (eth0).


Note If the FQDN is specified, the Domain Name of the Cisco NAC Profiler Appliance must be resolvable via DNS by the system during setup. If DNS configuration of the local name server or the appliance itself was not completed, use the IP address option.


b. Organization Unit Name

c. Organization Name

d. City Name

e. State or Province Name

f. Two-letter Country Code

Step 5 Use the Up/Down arrow keys to move from one parameter to the next.

Once all the certificate details have been entered, use the Tab key to select Submit and press Enter to generate the self-signed certificate and CSR.

Step 6 After selecting Submit, the self-signed digital certificate is created and installed. The system displays "processing," and then presents the screen in Figure 4-42, which acknowledges the successful creation of the self-signed certificate and prompts the user to transfer the CSR off the appliance for submission to a CA (if desired). The CSR is created in the /home/beacon/ssl directory on the appliance.

Select OK and press Enter to proceed.

Figure 4-42 Certificate Installed

Step 7 The Choose Certificate Action screen is presented again, with the 'Current Cert Domain' attribute now populated with the new self-signed certificate information, as shown in Figure 4-43.

Figure 4-43 Certificate Details

Step 8 Use the Up/Down arrow keys to select option 0, 'Exit (done with certificates)', on the form. Tab to ensure OK is selected and press Enter to exit the SSL Certificate startup script and complete the startup of the standalone NAC Profiler Server.
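The following is an added example, not the appliance's own certificate script, showing with the OpenSSL command-line tool what option A produces: one RSA private key, a self-signed certificate carrying the six subject fields entered in Step 4, and a CSR for the same key. It assumes the openssl binary is installed on the workstation it runs on; the output directory and the subject values (profiler.example.com, Example Corp and so on) are constructed for the example. The same layout applies to the certificate the startup scripts create for the VIP of an HA pair later in this chapter.

```shell
#!/bin/sh
# Added example, not the Cisco NAC Profiler appliance's own script: build a
# key, a self-signed certificate and a CSR for the same key with openssl,
# then check that the certificate and CSR belong together. Subject values
# here are constructed placeholders; substitute the ones from the data sheet.
# Values containing "/" would need escaping in the -subj string.

# make_cert_and_csr DIR FQDN OU ORG CITY STATE COUNTRY_CODE
# Writes DIR/server.key, DIR/server.crt and DIR/server.csr.
make_cert_and_csr() {
    dir=$1; fqdn=$2; ou=$3; org=$4; city=$5; state=$6; cc=$7
    subj="/C=$cc/ST=$state/L=$city/O=$org/OU=$ou/CN=$fqdn"
    mkdir -p "$dir"
    # 2048-bit RSA key, unencrypted so the web server can start unattended;
    # restrict it to the owner since anyone holding it can impersonate the UI.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
    # Self-signed certificate: what browsers see until a CA-signed one is imported.
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days 365 -subj "$subj" 2>/dev/null || return 1
    # CSR for the same key, so the CA-signed certificate returned later can
    # replace the self-signed one without regenerating the key.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "$subj" 2>/dev/null || return 1
}

# check_cert_and_csr DIR
# Returns 0 when the CSR's self-signature verifies and the certificate and
# CSR carry the same public key; otherwise the CA's reply will not match
# the key installed on the server.
check_cert_and_csr() {
    dir=$1
    openssl req -in "$dir/server.csr" -noout -verify >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$csr_pub" ] || return 1
}

# cert_cn DIR
# Prints the CN of the certificate for comparison with the FQDN or IP
# address that was entered (works with both old "/CN=" and new "CN = " formats).
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}
```

Running make_cert_and_csr followed by check_cert_and_csr before submitting the CSR confirms the two artifacts share a key, which is the property that lets a CA-signed certificate later replace the self-signed one in place; on the appliance the equivalent files live under /home/beacon/ssl.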


Successful completion of the initial configuration of the standalone NAC Profiler Server is indicated by the messages displayed at the console as shown in Figure 4-44.

Figure 4-44 Standalone Cisco NAC Profiler Installation Complete

The next step in the installation and configuration of the Cisco NAC Profiler System is the startup/configuration of the NAC Profiler Collector(s) deployed in the system that collect endpoint profiling data and send it to the NAC Profiler Server system for processing.

Turn to Starting Up Cisco NAC Profiler Collectors and perform the required steps to configure the NAC Profiler Collectors that will be deployed along with the standalone NAC Profiler Server just installed and configured.

Configuring a Cisco NAC Profiler Server HA Pair

The Cisco NAC Profiler Server can be configured to run as a High Availability (HA) pair. In this configuration two Cisco NAC Profiler Server appliances are deployed that take on the duties of the Primary and Secondary nodes of the HA pair. Profiler Server high-availability mode is an Active/Passive two-appliance configuration in which a standby Profiler Server appliance acts as a backup to an active Profiler Server appliance.

While the active Profiler Server carries most of the workload under normal conditions, the standby monitors the active Profiler Server and keeps its data store synchronized with the active Profiler Server's data. The data store includes system configuration information as well as the endpoint database. If a failover event occurs, such as the active Profiler Server being shut down or ceasing to respond to the peer's "heartbeat" signal, the standby assumes the role of the active Profiler Server.

When configuring an HA pair, the steps outlined in this section should be followed carefully to ensure successful start-up of the system in HA mode. It is highly recommended that this section be read in its entirety prior to beginning configuration.

Before powering either appliance on and beginning any configuration activities, the following steps should be completed.

1. Both Cisco NAC Profiler Server appliances in the pair should be installed with power available, but not powered on.

2. The eth0 (management) interfaces should be connected to the network on ports that are configured appropriately to allow IP connectivity between the appliances when they are powered-up and configured as directed later in this section.

3. The eth1 (heartbeat) interfaces should be interconnected in such a way as to provide a private LAN for maintaining heartbeat and synchronization of the database.


Note The heartbeat network connection between the nodes of a NAC Profiler Server pair should be via a category 5 EIA/TIA 568A crossover cable or a single standalone switch (maximum 1 switch hop) for maintenance of the heartbeat signal between the appliances within the latency tolerances of the protocol.



Note It is essential that connectivity between the appliances in an HA pair is established over the heartbeat network prior to performing the initial setup procedure detailed in this guide. After connecting the eth1 interfaces and powering on the appliances, ensure that there is link indicated by the LEDs on the eth1 interfaces of both appliances, see Table 4-8, "Cisco NAC Profiler Rear Panel LEDs," on page 11, in the previous section.


4. Determine the host address of a third device, preferably on the same subnet, that has ICMP enabled (required) and that both Cisco NAC Profiler Server Appliances in the pair can ping regularly in order to determine that they are still able to communicate with the network via their management interface (eth0).

This mechanism adds to the failover capability by detecting/reacting to the failure of a network interface on the appliance itself or other network connectivity issue that might isolate an otherwise functional Cisco NAC Profiler Server appliance from the network.

This ensures that an appliance that is Primary relinquishes control of the VIP if its primary network connection via its management interface (eth0) either fails or is inadvertently disconnected. Without this mechanism, it is possible that a Primary appliance that loses network connectivity via eth0 with heartbeat maintained over eth1 will not relinquish Primary duties to the Secondary as designed.

Gather and record the required configuration parameters for each individual appliance and the HA pair as outlined in the next section.

Collecting Necessary Configuration Data

Prior to beginning the setup of a Cisco NAC Profiler HA Pair, the data in the following tables should be collected and recorded to ease the setup process. Data that is specific to the Primary and Secondary nodes at the time of initial configuration, as well as data that is shared by the pair needs to be collected and should be available for reference during the configuration steps outlined in the remainder of this section.

Table 4-4 Primary Cisco NAC Profiler Server Appliance

Parameter                                                      Value
------------------------------------------------------------   -----
Password for root system user (CLI access) (1)
Password for beacon system user (CLI access) (1)
Appliance Hostname
Management Interface IP address
Management Interface Net Mask
Default Gateway
Name Server IP address
NTP Server(s) FQDN or IP address(es)
  (NTP configuration mandatory for Profiler Server HA Pairs)
Web Admin User Password (1)

(1) The passwords for the root and beacon system user accounts and the Cisco NAC Profiler admin web UI password should be identical on both appliances in the HA pair.


Table 4-5 Secondary Cisco NAC Profiler Server Appliance

Parameter                                                      Value
------------------------------------------------------------   -----
Password for root system user (CLI access) (1)
Password for beacon system user (CLI access) (1)
Appliance Hostname
Management Interface IP address
Management Interface Net Mask
Default Gateway
Name Server IP address
NTP Server(s) FQDN or IP address(es)
  (NTP configuration mandatory for Profiler Server HA Pairs)
Web Admin User Password (1)

(1) The passwords for the root and beacon system user accounts and the Cisco NAC Profiler admin web UI password should be identical on both appliances in the HA pair.


In addition to the standard parameters that are specific to the Primary and Secondary Cisco NAC Profiler Server appliances in the HA pair, there are several parameters that are required for the configuration of the Profiler Server virtualization and will be requested by the setup scripts:

Virtual HA IP Address—The IP host address of the virtual management interface of the HA pair. This is the IP address that will be used to communicate with the Cisco NAC Profiler HA pair, and used by the HA pair when communicating with other network entities, regardless of which physical appliance is the Master. It is specified as a host address in dotted-decimal notation with the number of mask bits specified in CIDR format (for example, 10.1.1.200/24).

Local HA Network—Specify the first three octets of a private network IP address (for example, 192.168.1) to be used for the heartbeat network between the 2 appliances (eth1 interfaces).

HA Authentication Key—Specify a text string to be utilized by the appliances to authenticate to each other. It is important to note that the HA Shared Key must be entered identically (observing case sensitivity) on both appliances in order to properly establish the relationship.

Redundant Heartbeat Communication—This parameter enables heartbeat link communication between the members of the HA pair over their primary interfaces to ensure that the heartbeat status is maintained between the two devices. The IP address of the peer appliance's management interface (eth0) is specified on each appliance to enable it to monitor the status of the other appliance in the pair.

HA External Ping Host—This is the host IP address of another network device, preferably on the same subnet as the HA pair that will respond to ICMP echo requests from the Cisco NAC Profiler Server appliances. Both Profiler Server appliances will ping this external device regularly to ensure that they still have network connectivity as a measure to detect the failure of their network interface (eth0).


Note Configuration of the external ping host feature is mandatory. If the 0.0.0.0 address that is configured by default is not changed to a pingable host, the pair will not fail over when the Primary node loses its management interface connectivity to the network but otherwise continues to operate normally. In this scenario, as long as the eth1 connection is maintained, heartbeat and database synchronization continue and the Primary node will not relinquish the VIP, rendering the NAC Profiler system unreachable when the Primary node loses its primary network interface (eth0).


Table 4-6 Cisco NAC Profiler Server HA Pair Parameters

Parameter                                                          Value
----------------------------------------------------------------   -----
Virtual HA IP address
Local HA Network
Hostname of Primary Appliance
Hostname of Secondary Appliance
HA Authentication Key
Redundant Heartbeat Communication - Primary's Eth0 IP address
Redundant Heartbeat Communication - Secondary's Eth0 IP address
HA External Ping Host

Lastly, as part of the HA pair configuration an SSL certificate will be created for the virtualized Cisco NAC Profiler Server service (VIP) and installed on both members of the pair automatically through the startup scripts. This self-signed certificate enables the web-based user interface for the system to be brought up over an SSL-encrypted connection. Optionally, this process also creates a Certificate Signing Request (CSR) that can be submitted to a CA for signing. In order to create the self-signed certificate and CSR, the following information for the SSL certificate should be collected prior to initiating the startup scripts:

Domain Name (preferred, or IP address if DNS is not set up prior to configuration of the pair) of the Cisco NAC Profiler Server system. For HA systems, this should be for the VIP/Service Address of the HA Cisco NAC Profiler Server system with the same certificate placed on both members of the HA pair.

Organization Unit Name

Organization Name

City Name

State or Province Name

2-letter Country code

Once this information is collected, the configuration of the HA pair can be initiated.
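As an added example (not from the Cisco guide and not something the appliance scripts perform), the following POSIX shell function checks a completed Table 4-6 sheet for the mistakes the notes above warn about before the values are entered on either node: the Virtual HA IP address written in CIDR form, the Local HA Network given as exactly three octets, an HA External Ping Host other than the 0.0.0.0 default, an HA Authentication Key that matches case-sensitively on both nodes, and the Secondary hostname as it will be entered on the Primary matching the Secondary's own hostname exactly. All sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example, not part of the Cisco NAC Profiler guide: consistency
# check of the HA pair data sheet (Table 4-6) before the startup scripts
# are run on the Primary and Secondary nodes. POSIX sh plus grep only.

# dotted_fields VALUE N: shape check that VALUE is N dot-separated decimal
# fields of 1-3 digits (e.g. "192.168.1" with N=3). Octet range is not
# enforced here; the per-node eth0 check covers full address validation.
dotted_fields() {
    printf '%s\n' "$1" | grep -Eqx "([0-9]{1,3}\.){$(( $2 - 1 ))}[0-9]{1,3}"
}

# check_ha_params VIP_CIDR LOCAL_NET PING_HOST KEY_ON_PRIMARY KEY_ON_SECONDARY \
#                 SECONDARY_HOSTNAME_ENTERED_ON_PRIMARY SECONDARY_HOSTNAME
# Prints every problem found and returns the number of problems (0 = consistent).
check_ha_params() {
    vip=$1; lnet=$2; ping=$3; keyp=$4; keys=$5; sec_on_pri=$6; sec=$7
    errs=0

    # Virtual HA IP address must carry its mask length, e.g. 10.1.1.200/24.
    case $vip in
        */*) host=${vip%/*}; bits=${vip##*/} ;;
        *)   host=$vip; bits= ;;
    esac
    if ! dotted_fields "$host" 4; then
        echo "VIP host part is not dotted decimal: $host"; errs=$((errs + 1))
    fi
    case $bits in
        ''|*[!0-9]*)
            echo "VIP needs a /prefix length in CIDR form, e.g. 10.1.1.200/24"
            errs=$((errs + 1)) ;;
        *)
            [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || {
                echo "VIP prefix length out of range: /$bits"; errs=$((errs + 1)); } ;;
    esac

    # Local HA (eth1 heartbeat) network is given as the first three octets only.
    if ! dotted_fields "$lnet" 3; then
        echo "Local HA Network must be three octets, e.g. 192.168.1 (got: $lnet)"
        errs=$((errs + 1))
    fi

    # External ping host: leaving the 0.0.0.0 default means loss of eth0 on
    # the Primary will not trigger failover while eth1 heartbeat continues.
    case $ping in
        ''|0.0.0.0)
            echo "HA External Ping Host is unset (0.0.0.0): eth0 loss will not fail over"
            errs=$((errs + 1)) ;;
        *)
            dotted_fields "$ping" 4 || {
                echo "HA External Ping Host is not dotted decimal: $ping"; errs=$((errs + 1)); } ;;
    esac

    # The HA authentication key is compared case-sensitively on both nodes.
    if [ -z "$keyp" ] || [ "$keyp" != "$keys" ]; then
        echo "HA Authentication Key is empty or differs between nodes (case-sensitive)"
        errs=$((errs + 1))
    fi

    # The Secondary's hostname typed on the Primary must match exactly.
    if [ "$sec_on_pri" != "$sec" ]; then
        echo "Secondary hostname on Primary ($sec_on_pri) != Secondary's hostname ($sec)"
        errs=$((errs + 1))
    fi

    return "$errs"
}
```

Because the return value is the count of problems, a pre-deployment script can run the function once per direction (Primary's view of the Secondary, then the Secondary's view of the Primary) and refuse to proceed on any non-zero result.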

Sequence for Configuring a Cisco NAC Profiler HA pair

It is important to follow the proper sequence of configuration steps and these must be completed as outlined to successfully establish the NAC Profiler Server HA pair. The proper sequence is as follows:

1. Complete the startup scripts in their entirety for the Cisco NAC Profiler Server Appliance that will be the Primary node at time of installation.

At the completion of this process, the original Primary node will wait for completion of the setup of the Secondary node and establishment of keyless SSH over the heartbeat network, starting heartbeat and database synchronization upon setup of the secure connection.

2. Configure the Cisco NAC Profiler Server Appliance that will be the Secondary node at time of installation. As the original Secondary appliance configuration is completed, the user will be prompted to enter the password for the beacon user on the Primary node to initiate the setup of a keyless SSH session between members of the HA pair.

Upon successful establishment of that session, the HA pair synchronizes and the automatic failover provided by the HA protocol is enabled.

These steps will be outlined in more detail in the subsequent sections of this chapter.

Configuring the Primary Cisco NAC Profiler Server of the HA Pair

Power-on the Cisco NAC Profiler Server designated as the Primary node of the pair at initial configuration with the data collection sheet completed in the last section readily available.

The base configuration of the Cisco NAC Profiler Server appliances in an HA pair is identical to that of a standalone server up to the point in the scripts where the user is asked whether the system will be used in an HA pair.

Complete the following steps to provide the original Primary node in an HA pair with the necessary configuration:


Step 1 Refer back to the procedure for configuration of a standalone NAC Profiler Server beginning at Performing an Initial System Network Configuration.

Step 2 Complete the scripts using that procedure on the appliance chosen as the Primary node for the NAC Profiler Server pair until the dialog shown in Configure HA Pair appears on the screen. This corresponds with Step 5 on page 4-22.


Warning NTP must be enabled on both members of a NAC Profiler Server HA pair to ensure proper operation of the database synchronization protocol.


Figure 4-45 Configure HA Pair

Step 3 Select Yes using the arrow keys and press Enter to configure this Cisco NAC Profiler appliance for HA operation as the Primary node.

Selecting Yes causes the script to ask the installer if this Cisco NAC Profiler Server will be the Primary via the dialog shown in Figure 4-46.

Figure 4-46 HA Configuration—Primary Appliance

Step 4 Use the arrow keys to select Yes, and press Enter to set up the Primary node of Cisco NAC Profiler Server pair.

Refer to Table 4-6 for the HA pair-specific parameters.

The next several screens allow for the entry of the HA pair attributes for the Primary, beginning with the Virtual HA IP address, as shown in Figure 4-47.

Figure 4-47 Set Virtual IP Address of Primary

Step 5 Input the host address chosen for the virtual IP address of the Profiler Server HA pair, at which point the script will prompt for the local HA network address (eth1-to-eth1 heartbeat network), as shown in Figure 4-48.

Figure 4-48 Set Local HA Network for Primary

Step 6 Specify the first three octets of the unused class C network selected for the private LAN between the appliances, which is used for maintaining heartbeat and database synchronization between the Primary and Secondary nodes during HA operation. Select OK and press Enter to proceed to the next parameter, the hostname of the other appliance (Secondary node), in the next screen shown in Figure 4-49.

Figure 4-49 Set Pairs Hostname for Primary

Step 7 Enter the hostname of the Secondary HA Cisco NAC Profiler Server; refer to the data sheets collected (Table 4-5) to ensure that the hostname entered here is an exact match to the hostname that will be configured on the Secondary node.

Step 8 Select OK and Enter to enter the next parameter, the HA Authentication Key in the next screen shown in Figure 4-50.

Figure 4-50 Set HA Authentication Key for Primary

Step 9 Ensure that the HA authentication key entered in this step for the Primary appliance is entered identically to that specified for the Secondary appliance in the previous step of the configuration process (refer again to Table 4-6). Once the desired HA authentication key is entered, select OK and press Enter to advance to the next parameter, the Redundant Heartbeat Communication that is entered as shown in Figure 4-51.

Figure 4-51 Redundant Heartbeat Communication for Primary

Step 10 Enter the IP address of the management (eth0) interface that will be configured on the Secondary node; refer to Table 4-5 to verify the address. Ensure OK is selected and press Enter to proceed with setting the External Ping Host for the Primary node using the form in Figure 4-52.

Figure 4-52 External Ping Host for Primary

Step 11 Enter the IP address of the External Ping Host the Primary node will use to continuously check that it has network connectivity via its management (eth0) interface. Ensure OK is selected and press Enter to proceed with the configuration of the Primary node.


Note Both nodes in the Profiler Server pair should be configured with an External Ping host as outlined in the beginning of this section.


After the external ping host is entered, the startup scripts display a summary of all the HA parameters entered for the Primary appliance as shown in Figure 4-53.

Figure 4-53 Verify HA Information for Primary

This screen allows for the checking of all the HA parameters entered for the Primary Cisco NAC Profiler Server in the HA pair being configured.


Note Before selecting Yes and proceeding with the setup of HA on the Primary node, ensure that the HA parameters on the Primary have been entered correctly. In particular, ensure that the appliance hostnames, HA interface prefix, HA auth string and Ping HA system (eth0 of Secondary node) are configured correctly on the Primary node. Remember that all parameters are case sensitive. Doing so will ensure that the HA pair will come up successfully on the first attempt. It is also good to verify again that the crossover cable for the heartbeat between the appliances is connected to the eth1 interface on both appliances, with link indicated on both sides prior to proceeding.


Step 12 If all the parameters are correct, select Yes and Enter to complete the HA Configuration of the Primary node.


Tip If a correction or change needs to be made, selecting No will restart the process—all previously entered HA parameters for the Primary will be lost and will have to be entered again.



Upon selecting Yes, the Primary Cisco NAC Profiler Server node will initialize the HA configuration. The messages shown in Figure 4-54 will be seen at the console, prior to the Primary node continuing with the startup scripts to finish its initial configuration.


Note The members of the HA pair use the heartbeat network to monitor the status of the other member and keep the database synchronized. As the HA protocol is set up on the Primary node, it attempts to establish a keyless SSH session with the Secondary. Because the Secondary node has not yet been configured, this attempt fails; that is the expected result at this stage. As the Secondary node is set up, it re-attempts establishment of the connection over the heartbeat network and fully establishes HA operation as described in Configuring the Secondary Cisco NAC Profiler Server of the HA Pair.


Figure 4-54 HA Configuration Script Completion on the Primary Node

The console messages shown in Figure 4-54 properly reflect the fact that at this point, the HA protocol is not fully enabled, and is still awaiting the configuration of the Secondary node.

The startup scripts will resume with the setup of the remaining parameters for the Primary NAC Profiler Server, the configuration of the SSL Certificate for the NAC Profiler Server HA pair.

Generating a Self-Signed Digital Certificate for the Cisco NAC Profiler Server HA Pair

The Cisco NAC Profiler Server system web based UI uses digital certificates so that the authenticity of the embedded web server can be verified by the browser as it connects for access to the Cisco NAC Profiler Server user interface served by HTTPS. The system leverages one of the most common applications of PKI (Public Key Infrastructure) and digital certificates where the web browser validates that an SSL (Secure Sockets Layer) web server is authentic, so that the user can feel secure that their interaction with the web server is in fact trusted and their communications with it secure. This is the same mechanism that is used today for securing commerce and other secure communications with web sites of many types using SSL.

The Cisco NAC Profiler Server system in Release 3.1.1 does not ship with a digital certificate installed. As part of the system startup of a Cisco NAC Profiler Server HA pair, the required procedure is to create a self-signed certificate using the local parameters for the Cisco NAC Profiler Server system so that the UI can be accessed securely via standard SSL. When the self-signed certificate is created/installed through the startup scripts, a Certificate Signing Request (CSR) for the system is also created automatically. As an optional step, the CSR can be downloaded off the appliance and submitted to either an internal or external CA for digital signature if desired/required by local security policy. The following steps outline the required steps for creating/installing the self-signed certificate and the optional steps for downloading the CSR for submission to a CA.


Tip Instructions for replacing the self-signed certificate with a digitally signed certificate from a CA are outlined in Chapter 5, "Importing a Digitally Signed SSL Certificate into the Cisco NAC Profiler System" section on page 5-17.


Again, it must be emphasized that when configuring an HA pair, the SSL certificate is created for the VIP of the HA pair, because the UI for the HA system is served by the Primary node. The certificate (and CSR) for the VIP is generated during the configuration of the Primary appliance only. As the Secondary HA device is configured, the Primary HA device pushes the certificate and supporting files to the Secondary HA appliance automatically as the Secondary configuration is completed. This ensures that the same SSL certificate is issued by both members of the pair regardless of which appliance is currently Primary and serving the UI for the system via the VIP for the pair.


Step 1 From the "Initial Certificate Setup" screen (Figure 4-55), which is displayed at the completion of the HA setup scripts on the Primary node, ensure Proceed is selected and press Enter to move to the next screen (Figure 4-56) and begin certificate setup.

Figure 4-55 Certificate Setup for HA pair via Primary Node Configuration

Step 2 From the "Choose Certificate Action" screen (Figure 4-56), ensure that option A, Create/Update Self-signed Cert & CSR and OK are selected. Tab to select OK and press Enter to proceed with creation of a self-signed SSL certificate and CSR for the NAC Profiler Server HA pair.

Figure 4-56 Choose Certificate Action

Step 3 Upon selecting option A, the screen shown in Figure 4-57, which allows entry of the parameters required for the self-signed certificate and CSR that will be created, is displayed by the scripts. Note that all fields in this form must be entered to successfully create a self-signed certificate and CSR.


Tip Navigation between the fields for the certificate information is provided by the arrow keys. Use the tab key to toggle between field entry and access to the Submit and Cancel actions.


Figure 4-57 Certificate Details

Step 4 Enter the following parameters for the self-signed certificate and CSR that will be created for the Cisco NAC Profiler Server HA pair:

a. FQDN of this Cisco NAC Profiler Server system VIP (preferred) or alternatively the VIP IP host address of the Cisco NAC Profiler Server HA pair.


Note If the FQDN is specified, the Domain Name of the Cisco NAC Profiler VIP must be resolvable via DNS by the system during setup. If DNS configuration was not completed, use the IP address option, specifying the VIP.


b. Organization Unit Name

c. Organization Name

d. City Name

e. State or Province Name

f. Two-letter Country Code

Step 5 Use the Up/Down arrow keys to move one parameter to the next.

Once all the certificate details have been entered, use the Tab key to select Submit and press Enter to generate the self-signed certificate and CSR.

Step 6 After selecting Submit, the self-signed digital certificate is created and installed. The system displays "processing," and then presents the screen in Figure 4-58, which acknowledges successful creation of the self-signed certificate and prompts the user to transfer the CSR off the appliance for submission to a CA (if desired). The CSR is created in the /home/beacon/ssl directory on the appliance.

Select OK and Enter to proceed.

Figure 4-58 Certificate Installed

Step 7 The Choose Certificate Action screen is presented again, but with the 'Current Cert Domain' attribute now populated with the new self-signed certificate information, as shown in Figure 4-59.

Figure 4-59 Certificate Exit

Step 8 Use the Up/Down arrow keys to select option 0, Exit (done with certificates) on the form. Tab to ensure OK is selected and press Enter to exit the SSL Certificate startup script and complete the startup of the Primary node of the NAC Profiler Server HA pair.

Successful completion of the initial configuration of the Primary node of the NAC Profiler Server HA pair is indicated by the messages in Figure 4-60 displayed at the console.

Figure 4-60 Primary Cisco NAC Profiler Installation Complete
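The steps above have the startup script build a self-signed certificate and a CSR from the six subject fields entered in Step 4. The following Python code is an added example and not the appliance's own script: it does the equivalent with the cryptography library, generating one RSA key, a self-signed certificate for the VIP and a CSR that carries the same subject and key, so that a certificate later signed by a CA from that CSR matches the key already on the appliance. Only profiler.crt is named in this chapter; the key and CSR file names below are assumptions, as are the sample subject values. The example also adds a Subject Alternative Name for the VIP (FQDN or IP), which the guide does not mention but which current browsers require before they accept a certificate for that name.

```python
"""Self-signed certificate plus matching CSR for the Profiler VIP (added example)."""
import ipaddress
import os
import sys
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Constructed sample: the six fields the startup form asks for (Step 4 a-f).
SAMPLE_SUBJECT = {
    "common_name": "profiler-vip.example.com",  # FQDN of the VIP (or the VIP address itself)
    "org_unit": "Network Security",
    "org": "Example Corp",
    "city": "Austin",
    "state": "Texas",
    "country": "US",
}


def build_subject(common_name, org_unit, org, city, state, country):
    """X.509 subject in the conventional C/ST/L/O/OU/CN order."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
        x509.NameAttribute(NameOID.LOCALITY_NAME, city),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, org_unit),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
    ])


def san_for(common_name):
    """SAN matching the CN: an IPAddress entry if the VIP address was given, else a DNSName."""
    try:
        return x509.SubjectAlternativeName([x509.IPAddress(ipaddress.ip_address(common_name))])
    except ValueError:
        return x509.SubjectAlternativeName([x509.DNSName(common_name)])


def generate_self_signed_and_csr(fields, days=365, key_size=2048):
    """One key, a self-signed cert for the VIP, and a CSR over the same subject and key."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_size)
    subject = build_subject(**fields)
    san = san_for(fields["common_name"])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject)  # self-signed: issuer is the subject itself
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - timedelta(minutes=5))
            .not_valid_after(now + timedelta(days=days))
            .add_extension(san, critical=False)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(subject)
           .add_extension(san, critical=False)
           .sign(key, hashes.SHA256()))
    return key, cert, csr


def pem_bundle(key, cert, csr):
    """PEM encodings keyed by file name (profiler.key / profiler.csr are assumed names)."""
    return {
        "profiler.key": key.private_bytes(serialization.Encoding.PEM,
                                          serialization.PrivateFormat.TraditionalOpenSSL,
                                          serialization.NoEncryption()),
        "profiler.crt": cert.public_bytes(serialization.Encoding.PEM),
        "profiler.csr": csr.public_bytes(serialization.Encoding.PEM),
    }


def common_name(cert_or_csr):
    return cert_or_csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value


def is_self_signed(cert):
    """Issuer equals subject and the signature verifies under the cert's own public key."""
    if cert.issuer != cert.subject:
        return False
    try:
        cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                 padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except Exception:
        return False


def san_names(cert_or_csr):
    """SAN entries as strings, to confirm the VIP name or address is present."""
    ext = cert_or_csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return [str(name.value) for name in ext.value]


if __name__ == "__main__":
    outdir = sys.argv[1] if len(sys.argv) > 1 else "."
    key, cert, csr = generate_self_signed_and_csr(SAMPLE_SUBJECT)
    for fname, data in pem_bundle(key, cert, csr).items():
        path = os.path.join(outdir, fname)
        with open(path, "wb") as fh:
            fh.write(data)
        if fname.endswith(".key"):
            os.chmod(path, 0o600)  # the private key must stay readable by the owner only
    print("wrote certificate for", common_name(cert), "with SAN", san_names(cert))
```

Run it with an output directory as the only argument; the CSR it writes is what would be handed to an internal or external CA, and because the certificate and CSR share the key, the CA-signed certificate can later replace the self-signed one without regenerating anything else.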


Proceed with the configuration of the Secondary node as described in the following section to complete the configuration of the NAC Profiler Server HA pair.

Configuring the Secondary Cisco NAC Profiler Server of the HA Pair

Power-on the Cisco NAC Profiler Server designated as the Secondary appliance of the pair with the data collection sheet completed in the last section readily available.

The base configuration of the Cisco NAC Profiler Server appliances in an HA pair is identical to that of a Standalone to the point in the scripts where the user is queried if the system will be used in an HA pair.

Complete the following steps to provide the original Secondary node in an HA pair with the necessary configuration and complete the setup of a Cisco NAC Profiler Server HA pair:


Step 1 Refer back to the procedure for configuration of a standalone NAC Profiler Server beginning at Performing an Initial System Network Configuration. Complete the scripts using that procedure on the appliance chosen as the Secondary node for the NAC Profiler Server pair until the dialog shown in Configure HA Pair appears on the screen. This corresponds with Step 5 on page 4-22.

Selecting Yes advances the script to ask the installer whether this Cisco NAC Profiler Server will be the Primary node, as shown in Figure 4-61.


Warning NTP must be enabled on both members of a NAC Profiler Server HA pair to ensure proper operation of the database synchronization protocol.


Figure 4-61 HA Configuration - Secondary Appliance

Step 2 Ensure No is selected and press Enter to proceed with the setup of the Secondary node.

Refer to Table 4-6 for the HA pair-specific parameters.

The next several screens allow for the entry of the HA pair attributes for the Secondary node, beginning with the Virtual HA IP address, as shown in Figure 4-62.

Figure 4-62 Set Virtual IP Address of Secondary

Step 3 Input the host address chosen for the virtual IP address of the HA pair. When the desired virtual HA IP address has been entered, select OK.

Next, the script will prompt for the local HA network address, as shown in Figure 4-63.

Figure 4-63 Set Local HA Network for Secondary

Step 4 Specify the first three octets of the class C network selected for the private LAN between the appliances used for the maintenance of heartbeat. This must match what was configured on the Primary node. Select OK and Enter to proceed with entering the next parameter, the hostname of the Primary appliance in the next screen shown in Figure 4-64.

Figure 4-64 Set Pairs Hostname for Secondary

Step 5 Enter the hostname of the Primary HA Cisco NAC Profiler Server; refer to the data sheets collected at the beginning of the installation process to ensure that the hostname entered here exactly matches the hostname of the other appliance in the HA pair.

Step 6 Select OK and Enter to enter the next parameter, the HA Authentication Key in the next screen.

Figure 4-65 Set HA Authentication Key for Secondary

The HA authentication key is a secret shared between the two appliances. The HA authentication key between the two members of an HA pair must match exactly in order for the HA relationship to be established. Ensure that the HA authentication key entered in this step for the Secondary node exactly matches that entered for the Primary node.

Step 7 Once the desired HA authentication key is entered, select OK and press Enter to move to the next parameter, the Redundant Heartbeat Communication which is entered as shown in Figure 4-66.

Figure 4-66 Redundant Heartbeat Communication for Secondary

Step 8 Enter the IP address of the management (eth0) interface that was configured on the Primary node; refer to Table 4-4 to verify the address. Ensure OK is selected and press Enter to proceed with setting the External Ping Host for the Secondary node using the form in Figure 4-67.

Figure 4-67 External Ping Host for Secondary

Step 9 Enter the IP address of the External Ping Host the Secondary node will use to continuously check that it has network connectivity via its management (eth0) interface. Ensure OK is selected and press Enter to proceed with the configuration of the Secondary node.


Note Both nodes in the Profiler Server pair should be configured with an External Ping host as outlined in the beginning of this section.


After the external ping host is entered, the startup scripts display a summary of all the HA parameters entered for the Secondary appliance as shown in Figure 4-68.

Figure 4-68 Verify HA Information for Secondary Node

This screen allows for the verification of all the HA parameters entered for the Secondary Cisco NAC Profiler Server in the HA pair being configured.

Step 10 If all the parameters are correct, select Yes and Enter to commit the HA parameters shown in the Verify screen above to the Secondary appliance configuration.


Tip If a correction or change to the HA parameters of the Secondary node is required, selecting No and pressing Enter will restart the process of entering the Secondary HA parameters from the beginning, and all previously entered parameters will be lost.


Upon selecting Yes on this screen, the Secondary node will initialize the HA configuration.

Once the operator commits the HA parameters on the Secondary, the scripts will proceed with the setup of communications with the Primary node in the pair that was configured in the previous steps.

Step 11 As illustrated in Figure 4-69, a message is displayed stating that the HA systems will be set up to allow direct (keyless) SSH to each other over the heartbeat network (eth1).

In order for the setup of direct SSH to succeed, the operator must press Enter and, when prompted, correctly enter the password of the beacon system user that was set on both members of the pair.


Warning Failure to set up the direct SSH connection between the Secondary and Primary nodes in a NAC Profiler Server pair during this step will cause the HA setup to fail. Ensure that the eth1 cable is in place and that link is established between the members of the HA pair.


Figure 4-69 SSH Setup Over Heartbeat Network

Step 12 Figure 4-70 shows the console messages that result from successful establishment of HA as the Secondary appliance configuration is completed. Note that the console messages reflect the setup of keyless SSH (over the heartbeat network, note the private network addresses in the example), as well as the transfer of the SSL certificate (profiler.crt) from the Primary to the Secondary.


Tip The "is secondary" and "Add node to origin and subscribe" messages at the bottom of the console session to the Secondary node shown in Figure 4-70 are good indicators that the HA protocol and database synchronization have completed successfully. Additional and/or error messages at this point indicate that the HA setup failed. In either case, the scripts proceed to the next step. It is highly recommended that these steps are followed carefully and that the installer observes the console messages described above.


Figure 4-70 Completion of SSH Setup between HA Pair Nodes


Note If there are errors or other indications of a failed startup of HA services on the pair, the HA configuration should be removed and re-added to the system. Follow the procedure provided in "Repairing the Configuration of an HA Pair" section on page 18-14 to remove and re-add the HA-specific configuration to the NAC Profiler Server HA pair.


Step 13 The Choose Certificate Action screen (Figure 4-71) is presented next during the configuration of the original Secondary. Note that the 'Current Cert Domain' attribute is populated with the certificate information as shown in the figure. This information was pushed by the Primary node to the Secondary node as the HA setup on the Secondary was completed (the push is echoed to the command line as shown in Figure 4-70).

Remember that the certificate for the HA pair was created when configuring the Primary node. No action is required from this screen when configuring the Secondary other than verifying that the 'Current cert domain' attribute is populated with the certificate information from the Primary.

If the 'Current cert domain' attribute is not populated, the HA setup may have failed. However, at this point proceed with the steps outlined above, which culminate in verification and correction steps if HA was not established.

Step 14 Use the Up/Down arrow keys to select option 0, Exit (done with certificates) then tab to select OK and press Enter to exit the SSL Certificate management script and complete the startup of the Secondary node.

Figure 4-71 Certificate Details

Step 15 Verify that the console messages shown in Figure 4-72 appear signifying the successful startup of the Secondary node.

Figure 4-72 Installation of Secondary Complete


This completes the startup of the Cisco NAC Profiler Server HA pair.
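The Notes in the Primary and Secondary procedures above stress that every HA parameter must match on the two nodes exactly, down to letter case, and that a single mismatch keeps the pair from coming up. The following Python script is an added example, not part of the Cisco guide or of the appliance's startup scripts: it takes the values an installer has written on the two data sheets (Table 4-5 and Table 4-6) as dictionaries whose keys are invented for this example, and reports every inconsistency before anything is typed at the console. The hostnames and addresses are constructed. The check that the heartbeat network must not contain the management addresses or the VIP is this example's narrow reading of the guide's requirement that the heartbeat network be "unused".

```python
"""Cross-check the HA data sheets for a NAC Profiler Server pair (added example)."""
import ipaddress

# Constructed sample data sheets; the keys are invented for this example.
PRIMARY = {
    "hostname": "profiler-a",
    "eth0_ip": "10.30.30.3",           # management interface
    "vip": "10.30.30.5",               # virtual IP shared by the pair
    "ha_net_prefix": "192.168.250",    # first three octets of the eth1 heartbeat /24
    "pair_hostname": "profiler-b",     # hostname of the other node
    "ha_auth_key": "s3cret-ha-key",
    "ping_ha_system": "10.30.30.4",    # redundant heartbeat: eth0 of the other node
    "external_ping_host": "10.30.30.1",
}
SECONDARY = {
    "hostname": "profiler-b",
    "eth0_ip": "10.30.30.4",
    "vip": "10.30.30.5",
    "ha_net_prefix": "192.168.250",
    "pair_hostname": "profiler-a",
    "ha_auth_key": "s3cret-ha-key",
    "ping_ha_system": "10.30.30.3",
    "external_ping_host": "10.30.30.1",
}
# A sheet with two classic mistakes: the key typed with different case and the
# peer hostname capitalised differently (both are case sensitive on the appliance).
BAD_SECONDARY = dict(SECONDARY, ha_auth_key="S3cret-ha-key", pair_hostname="Profiler-A")

IP_FIELDS = ("eth0_ip", "vip", "ping_ha_system", "external_ping_host")


def check_ha_pair(primary, secondary):
    """Return a list of problems; an empty list means the two sheets agree."""
    problems = []
    nodes = (("primary", primary), ("secondary", secondary))

    # 0. Every address field must be present and a valid IPv4 address
    #    (this also enforces that both nodes have an external ping host).
    for name, node in nodes:
        for field in IP_FIELDS:
            try:
                ipaddress.IPv4Address(node.get(field, ""))
            except ValueError:
                problems.append(f"{name}: {field} {node.get(field)!r} is not a valid IPv4 address")

    # 1. Values entered on both nodes that must be identical, byte for byte.
    for field in ("vip", "ha_net_prefix", "ha_auth_key"):
        if primary[field] != secondary[field]:
            problems.append(f"{field} differs between the nodes (values are case sensitive)")

    # 2. Each node names its peer; the peer's own hostname must match exactly.
    if primary["pair_hostname"] != secondary["hostname"]:
        problems.append(f"primary's pair hostname {primary['pair_hostname']!r} "
                        f"!= secondary hostname {secondary['hostname']!r}")
    if secondary["pair_hostname"] != primary["hostname"]:
        problems.append(f"secondary's pair hostname {secondary['pair_hostname']!r} "
                        f"!= primary hostname {primary['hostname']!r}")

    # 3. Redundant heartbeat: each node pings the other node's management (eth0) address.
    if primary["ping_ha_system"] != secondary["eth0_ip"]:
        problems.append("primary's Ping HA system is not the secondary's eth0 address")
    if secondary["ping_ha_system"] != primary["eth0_ip"]:
        problems.append("secondary's Ping HA system is not the primary's eth0 address")

    # 4. The heartbeat prefix must be three octets of a /24 and (assumption: narrowest
    #    reading of 'unused') must not contain the management addresses or the VIP.
    try:
        hb_net = ipaddress.IPv4Network(primary["ha_net_prefix"] + ".0/24")
    except ValueError:
        problems.append(f"heartbeat prefix {primary['ha_net_prefix']!r} "
                        "is not the first three octets of a /24 network")
    else:
        for label, value in (("primary eth0", primary["eth0_ip"]),
                             ("secondary eth0", secondary["eth0_ip"]),
                             ("VIP", primary["vip"])):
            try:
                inside = ipaddress.IPv4Address(value) in hb_net
            except ValueError:
                continue  # already reported by check 0
            if inside:
                problems.append(f"{label} {value} lies inside the heartbeat network {hb_net}")
    return problems


if __name__ == "__main__":
    for label, sec in (("good sheets", SECONDARY), ("bad sheets", BAD_SECONDARY)):
        found = check_ha_pair(PRIMARY, sec)
        print(f"{label}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Running the script prints "OK" for the matching sheets and the two findings for the bad ones. Replace the sample dictionaries with the values from your own data sheets; anything this reports would otherwise surface only as a failed SSH setup or missing "is secondary" message at the end of the Secondary's configuration.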

The next step in the installation and configuration of the Cisco NAC Profiler System is the startup/configuration of the NAC Profiler Collector(s) deployed in the system that collect endpoint profiling data and send it to the NAC Profiler Server system for processing.

Refer to Starting Up Cisco NAC Profiler Collectors and perform the required steps to configure the NAC Profiler Collectors that will be deployed along with the NAC Profiler Server HA pair just installed and configured.

Starting Up Cisco NAC Profiler Collectors

The Cisco NAC Profiler Collector module co-resides on the Cisco NAC Server. NAC Profiler Collectors added to a NAC Profiler System must be provided with an initial configuration that lets them establish network communications with the NAC Profiler Server, which then supplies their full configuration and receives the data they forward.


Tip Profiler Collectors may be run alongside the Cisco NAC Server services on the NAC Server, or they may run independently. In either case however, basic NAC Server installation and configuration must be completed so that the Collector service may be run on the NAC Server hardware.



Note All Cisco NAC Appliance releases are shipped with a default version of the Cisco NAC Profiler Collector component. When upgrading the NAC Server to a newer NAC Appliance release, the current version of the NAC Collector is replaced with the default version of the NAC Collector that shipped with the NAC Appliance release.


For example, if you have NAC 4.7.x with Profiler 3.1.0 installed and you upgrade to Cisco NAC Appliance 4.8, then after the Cisco NAC Appliance 4.8 upgrade you can install the Cisco NAC Profiler 3.1.1 Collector and perform a service collector restart.


Note After the Cisco NAC 4.8 upgrade, your Cisco NAC Profiler Collector configuration should require no re-configuration.


The Profiler Collector runs as a software service on the NAC Server. On standalone NAC Servers (non HA pairs) a single instance of the Collector service runs on the NAC Server. It receives its full configuration from the NAC Profiler Server, and sends collected data back to the NAC Profiler Server for processing via communications with the Profiler Server established by the Forwarder module on the Collector.

NAC Profiler Collectors can also be deployed on NAC Server HA pairs utilizing the HA functionality of the NAC Server pair to provide HA for the Profiler Collector. In this configuration, the Collector service runs on both members of the NAC Server pair, but only the Collector service on the Primary NAC Server node is in communication with the NAC Profiler Server at a given time.

Regardless of operating mode, standalone or HA, the Collector service on each NAC Profiler Collector in a system, must be provided with an initial configuration at startup of the Collector service so that it can communicate with the NAC Profiler Server (or Server HA-pair) for the system.

See Issuing CLI Commands to the Cisco NAC Profiler Collector for additional instructions for configuring and verifying Collector configuration via the NAC Server command line.

Determining NAC Profiler Collector Connection Type Requirements

The primary initial configuration task for NAC Profiler Collectors is providing the Collector service with the information it needs to communicate with the NAC Profiler Server for the system.

Each NAC Profiler Collector in a Cisco NAC Profiler system communicates with the NAC Profiler Server in one of two possible ways, specified in the initial configuration of the Collector performed at startup:


Step 1 Collector Connection Type of 'Client' - when configured in this manner, the Forwarder module of the Collector initiates the connection to the NAC Profiler Server which is configured to listen for inbound connections (for example, Profiler Server is configured with a Network Connection of type 'Server').


Note The Connection Type of Client on a Collector is only valid for standalone (non HA) NAC Profiler Collectors. HA Collectors deployed on NAC Server HA pairs must be configured with Connection Type of Server, see NAC Profiler Collector HA-Pair Startup.


The procedure for startup of a standalone NAC Profiler Collector configured to use the Client Connection Type Option is provided in Starting Up a Standalone NAC Profiler Collector using the Client Connection Type.

Step 2 Collector Connection Type of 'Server' - when configured in this manner, the Forwarder module (or modules, for Collector HA-pairs) listens for connections initiated by the NAC Profiler Server, which is configured to initiate the connection to a specified Collector (for example, the Profiler Server is configured with a Network Connection of type 'Client'). This communication is via the VIP of the NAC Server pair, which is held by the Primary node.

The Collector Network Connection Type of 'Server' is used in the following cases:

a. HA Collector pairs running on NAC Server HA pairs will always use this Connection Type. The procedure for configuration of a NAC Profiler Collector HA-pair is provided in NAC Profiler Collector HA-Pair Startup.

b. Standalone (non-HA) Profiler Collectors deployed outside of firewalls and that are unable to initiate a TCP connection to the NAC Profiler Server. The procedure for configuration of a standalone NAC Profiler Collector using this Connection Type option is provided in Starting Up a Standalone NAC Profiler Collector using the Server Connection Type. This configuration option is rarely used.

Along with the Connection Type, several other parameters that govern the communication between a Profiler Collector and its NAC Profiler Server are set during the initial configuration of the Collector performed via the NAC Server command line described in the following sections.

It is essential that the parameters configured on the Collectors at startup are known when the NAC Profiler Server configuration is begun, as outlined in Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment". A mismatch of these parameters prevents the NAC Profiler Server and Collector(s) from communicating normally over the network: the Collectors cannot get their configurations from the Server, and the endpoint data collected by the Collectors is not forwarded to the Profiler Server correctly.


Note Be sure to note the Connection Type and associated parameters configured on each NAC Profiler Collector at startup so that the correct Server-side configuration can be completed when the Remote Collection service(s) are added to the system configuration as described in Chapter 6, "Configuring the Cisco NAC Profiler Server".



Tip Best practice dictates that the network connection between the NAC Profiler Server and the Collectors be encrypted. AES and Blowfish encryption are supported in the current version. Ensure the encryption type and shared secret configured on the Collectors are noted and available when configuring the NAC Profiler Server Network Connections, to prevent authentication/encryption failures between the NAC Profiler Server and the Collectors.
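The two connection types, the Note and the Tip above all describe values entered on the NAC Server command line (the Collector side) that must line up with the Network Connection later defined on the NAC Profiler Server. The following Python script is an added example and not part of the Cisco guide or product: it models both sides as dictionaries with keys invented here and reports, before either box is touched, the mismatches the text says stop the Collector and Server from talking. The sample names, addresses and shared secret are constructed; the port numbers and encryption choices are the ones the config script offers in the procedures that follow.

```python
"""Pre-flight check of Collector <-> Profiler Server connection parameters (added example)."""

VALID_PORTS = (31416, 31417)                   # the two ports offered by 'service collector config'
VALID_ENCRYPTION = ("aes", "blowfish", "none")  # compared case-insensitively
MAX_NAME_LEN = 24

# Constructed samples. A standalone Collector using the default (client) type ...
STANDALONE_COLLECTOR = {
    "name": "CAS_OOB", "connection_type": "client", "connect_to_ip": "10.30.30.5",
    "port": 31416, "encryption": "AES", "shared_secret": "example-shared-secret",
}
# ... and the Server-side Network Connection for a Profiler Server HA pair reached via its VIP.
PROFILER_SERVER = {
    "connection_type": "server", "port": 31416,
    "eth0_ips": ["10.30.30.3", "10.30.30.4"], "vip": "10.30.30.5",
    "encryption": "AES", "shared_secret": "example-shared-secret",
}
# An HA Collector on a NAC Server pair: type 'server', listening on the NAC Server VIP,
# accepting connections from both Profiler Server eth0 addresses and the Profiler VIP.
HA_COLLECTOR = {
    "name": "Building-26-CAS", "pair_name": "Building-26-CAS", "nac_server_ha": True,
    "connection_type": "server", "listen_ip": "10.40.1.10", "nac_server_vip": "10.40.1.10",
    "accept_from": ["10.30.30.3", "10.30.30.4", "10.30.30.5"],
    "port": 31416, "encryption": "AES", "shared_secret": "example-shared-secret",
}
# For that Collector the Profiler Server side is the initiator (type 'client').
PROFILER_SERVER_AS_CLIENT = dict(PROFILER_SERVER, connection_type="client",
                                 connect_to_ip="10.40.1.10")


def check_connection(collector, server):
    """Return (errors, warnings) for one Collector and its Server-side Network Connection."""
    errors, warnings = [], []
    name = collector.get("name", "")
    ctype = collector.get("connection_type", "").lower()
    stype = server.get("connection_type", "").lower()

    # Collector name: at most 24 characters, identical on both nodes of a Collector HA pair.
    if not name or len(name) > MAX_NAME_LEN:
        errors.append(f"collector name {name!r} must be 1-{MAX_NAME_LEN} characters")
    if collector.get("nac_server_ha"):
        if collector.get("pair_name") != name:
            errors.append("HA collector pair: names on the two NAC Servers differ (case sensitive)")
        if ctype != "server":
            errors.append("HA collector pair: connection type must be 'server'")
        if collector.get("listen_ip") != collector.get("nac_server_vip"):
            errors.append("HA collector pair: Collector must listen on the NAC Server pair VIP")

    # Connection types are complementary: exactly one side initiates.
    if ctype not in ("client", "server"):
        errors.append(f"collector connection type {ctype!r} is not client/server")
    elif (ctype == "client") == (stype == "client"):
        errors.append(f"collector type {ctype!r} needs Server-side type "
                      f"{'server' if ctype == 'client' else 'client'}, got {stype!r}")

    # Port: one of the two offered values, and the same on both sides.
    port = collector.get("port")
    if port not in VALID_PORTS:
        errors.append(f"port {port!r} is not one of {VALID_PORTS}")
    if port != server.get("port"):
        errors.append("port differs between Collector and Server configuration")

    # Addresses: a client Collector connects to the Server (the VIP for a Server HA pair);
    # a server Collector listens where the Server connects and must accept connections
    # from every Server eth0 address plus the Server VIP.
    server_addrs = list(server.get("eth0_ips", []))
    if server.get("vip"):
        server_addrs.append(server["vip"])
    if ctype == "client":
        expected = server.get("vip") or (server_addrs[0] if server_addrs else None)
        if collector.get("connect_to_ip") != expected:
            errors.append(f"client collector should connect to {expected}, "
                          f"not {collector.get('connect_to_ip')!r}")
    elif ctype == "server":
        missing = set(server_addrs) - set(collector.get("accept_from", []))
        if missing:
            errors.append(f"server collector does not accept connections from {sorted(missing)}")
        if server.get("connect_to_ip") != collector.get("listen_ip"):
            errors.append("Server-side connection target is not the Collector's listen address")

    # Encryption type and shared secret must match; 'none' is accepted but discouraged.
    enc = collector.get("encryption", "").lower()
    if enc not in VALID_ENCRYPTION:
        errors.append(f"encryption {enc!r} is not one of {VALID_ENCRYPTION}")
    if enc != server.get("encryption", "").lower():
        errors.append("encryption type differs between Collector and Server")
    if enc == "none":
        warnings.append("connection is unencrypted (not recommended)")
    else:
        secret = collector.get("shared_secret", "")
        if not secret:
            errors.append("shared secret is empty")
        elif secret != server.get("shared_secret"):
            errors.append("shared secret differs between Collector and Server")
    return errors, warnings


if __name__ == "__main__":
    for label, col, srv in (("standalone", STANDALONE_COLLECTOR, PROFILER_SERVER),
                            ("HA pair", HA_COLLECTOR, PROFILER_SERVER_AS_CLIENT)):
        errs, warns = check_connection(col, srv)
        print(f"{label}: {len(errs)} error(s), {len(warns)} warning(s)")
        for line in errs + warns:
            print("  -", line)
```

Record the Collector-side values as the Note above asks, feed them to this check together with the Network Connection you intend to enter on the Server, and only then add the Remote Collection service in the Profiler UI.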


Starting Up a Standalone NAC Profiler Collector using the Client Connection Type


Note This option is only valid for non-HA Collectors.



Step 1 Connect to the NAC Server and access its command line by direct console, serial connection, or SSH.

Step 2 Login as user root with the root password (default is cisco123).

Step 3 At the command line, type service collector config:

[root@CAS_OOB /]# service collector config 

This starts the short initial configuration script for the Collector service running on the NAC Server. Either type a value or press Enter to accept the default value (shown in brackets [ ]) for each of the following prompts.

Step 4 Type y or press Enter to enable the Collector service on the CAS:

Enable the NAC Collector (y/n) [y]: y

Step 5 Type y or press Enter to configure network settings for the Collector so that it can connect to the Cisco NAC Profiler Server (or HA-pair):

Configure NAC Collector (y/n) [y]: y 

Enter the name for this remote collector. Please note that if
this collector exists on a HA pair that this name must match
its pair's name for proper operation. (24 char max) [GBS-CAS]:


Warning Collector Names must be 24 characters or less.


Step 6 Type this Collector's name or accept the default (NAC Server hostname) and press Enter.

Network configuration to connect to a NAC Profiler Server 

Step 7 Press Enter to configure the Collector as a client (default):

 Connection type (server/client) [client]: 

Step 8 Type the IP address of the Cisco NAC Profiler Server that the Collector will communicate with. For NAC Profiler Server HA-pairs, the address entered should be the Profiler Server HA-pair VIP to ensure the connection is made to the Primary node at all times:

 Connect to IP [127.0.0.1]: 10.30.30.5

Step 9 Press Enter to accept the default port number (31416), or alternatively specify port number 31417 for communication with the Cisco NAC Profiler Server:

 Port number [31416]: 

Step 10 Type none if no encryption is desired (not recommended), or select AES (default) or type blowfish to configure encryption:

Encryption type (AES, blowfish, none) [AES]: none 

Step 11 Type the shared secret for the encrypted connection with the NAC Profiler Server.

 Shared secret []: cisco123 

Step 12 The NAC Collector configuration utility will next show status for each of the modules (Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, NetRelay) in the Collector followed by a final confirmation:

-- Configured CAS_OOB-fw
-- Configured CAS_OOB-nm
-- Configured CAS_OOB-nt
-- Configured CAS_OOB-nw
-- Configured CAS_OOB-ni
-- Configured CAS_OOB-nr

        NAC Collector has been configured
[root@CAS_OOB /]#  

Step 13 Ensure the Collector service is running by issuing the following command:

[root@CAS_OOB /]# service collector restart


Proceed with the startup configuration of any remaining NAC Profiler Collectors in the system, and when all Collectors have been successfully started and configured, proceed to Chapter 5, "Configuring the Cisco NAC Profiler for the Target Environment".

NAC Profiler Collector HA-Pair Startup

The NAC Profiler Collector service can utilize the HA option of the NAC Server to provide High Availability of the Profiler Collector service. In this mode, the Collector service runs on both nodes in the NAC Server pair, but only the Collector running on the Primary NAC Server node is in communication with the NAC Profiler Server at any point in time. If the NAC Server fails over, the Collector service on the Secondary node receives an updated configuration from the NAC Profiler Server and takes over the collection function for the system seamlessly.

In order to function in this manner however, when the Collector service is deployed on HA NAC Server pairs, the Collector must be added to the NAC Profiler Server configuration as a single Profiler Collector instance. In addition, the Collector service on both nodes of the NAC Server pair must be configured with a network connection of type "Server" so that the Collector on the Primary node of the NAC Server pair listens for the connection initiated by the NAC Profiler Server to the VIP of the NAC Server Pair.

Use the following procedure when starting up NAC Profiler Collector HA-pairs to configure the Collector service on both nodes of the NAC Server pair:


Step 1 Configure the NAC Server appliances in the pair for HA mode operation and verify that the HA protocol is operational. This step must be completed first to ensure that the HA protocol between the NAC Servers is operating normally and the VIP is available for use by the Collector service.

Step 2 Determine a name for the virtualized Collector service to run on the CAS pair. The name must be less than 24 characters, and is configured for the Collector service as it is initially configured on both nodes of the NAC Server Pair as the NAC Profiler system is started up.


Tip A name that associates the HA Collector service on the NAC Server pair is recommended such as "Building-26-CAS" for example. This name will be used in the NAC Profiler Server configuration to identify the Collector service on the HA NAC Server Pair so that it can be managed via the Profiler UI as a single, virtual Collector instance.


Configuring the Collector Service on a Primary NAC Server Node

Step 3 Login as user root with the root password (default is cisco123).

Step 4 At the command line, type service collector config.

[root@CAS_OOB /]# service collector config 

This starts the short configuration script for the Collector service. Either type a value or press Enter to accept the default value (shown in brackets [ ]) for each of the following prompts.

Step 5 Type y or press Enter to enable the Collector service on the CAS:

Enable the NAC Collector (y/n) [y]: y 

Step 6 Type y or press Enter to configure network settings for the Collector so that it can connect to the Cisco NAC Profiler Server:

Configure NAC Collector (y/n) [y]: y 

Step 7 Type this Remote Collector's name and press Enter.

Enter the name for this remote collector. Please note that if
this collector exists on a HA pair that this name must match
its pair's name for proper operation. (24 char max) [GBS-CAS]:

Note An identical name for the Collector service must be used in the configuration on both NAC Servers in the Collector HA pair. The configuration script offers the hostname of the CAS appliance as the default, but that default is not acceptable for an HA pair because the two nodes have different hostnames. When configuring NAC Server/Collector HA pairs, choose a name for the virtualized Collector service and enter it identically on both nodes (the comparison is exact: case, spaces and punctuation must match).



Warning Collector Names must be 24 characters or less.


Step 8 The Connection type for the Collector configuration must be set to Server. For Collector HA pairs the Profiler Server initiates the connection to the Collector service running on the pair, and the Server connection type is what makes the Collector listen for that connection instead of initiating one of its own.

Network configuration to connect to a NAC Profiler Server
	Connection type (server/client) [client]:server

Step 9 Listen on IP: enter the VIP/Service IP address that was assigned to the NAC Server HA pair during the NAC Server HA configuration, not the real eth0 address of this node. Only the node that currently holds the VIP will then accept the Profiler Server's connection, which is what allows the pair to fail over transparently.

	Listen on IP [10.40.1.10]:

Step 10 Provide the Collector service with the IP address(es) from which it accepts connections. This list is the access control list for the listening socket: for a standalone NAC Profiler Server enter its eth0 IP address; for a NAC Profiler Server HA pair enter the eth0 IP address of both members and the VIP of the pair (as illustrated in the example below). A connection from any address not in the list is refused, so an incomplete list causes the Collector to stop reporting after a Profiler Server failover.

Step 11 Enter the eth0 IP address of the first Profiler Server appliance and press Enter; enter the eth0 IP address of the other Profiler Server appliance in the HA pair and press Enter; enter the VIP/Service IP address of the Profiler Server HA pair and press Enter; then type done to move the script to the next step.

	You will be asked to enter the IP address(es) of the NPS. This
	is necessary to configure the access control list used by this
	collector. If the NPS is part of an HA pair then you must include
	the real IP address of each independant NPS and the virtual IP to
	ensure proper connectivity in the case of failover.

Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [127.0.0.1]: 10.10.0.211
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.211]: 10.10.0.212
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.210]: 10.10.0.210
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.212]: done

Step 12 Press Enter to accept the default TCP port (31416), or type the alternate port 31417, for communication with the Cisco NAC Profiler Server. With the Server connection type the Profiler Server connects inbound to this port on the listen IP, so any firewall between the Profiler Server addresses entered above and the VIP must permit it:

 Port number [31416]: 

Step 13 Press Enter to accept AES (the default), type blowfish to use Blowfish, or type none to disable encryption of the connection to the NAC Profiler Server. The example below shows none for illustration only; running without encryption is not recommended, and the same encryption type must be selected when this Collector is defined on the NAC Profiler Server:

Encryption type (AES, blowfish, none) [AES]: none 

Step 14 Type the shared secret for the network connection with the NAC Profiler Server. The example uses cisco123 for illustration only; use a strong secret that is not the appliance root password, and enter the same value when this Collector is defined on the NAC Profiler Server.

 Shared secret []: cisco123 

Step 15 The NAC Collector configuration utility will next show status for each of the modules (Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, NetRelay) in the Collector followed by a final confirmation:

-- Configured CAS_OOB-fw
-- Configured CAS_OOB-nm
-- Configured CAS_OOB-nt
-- Configured CAS_OOB-nw
-- Configured CAS_OOB-ni
-- Configured CAS_OOB-nr

        NAC Collector has been configured
[root@CAS_OOB /]#  

Step 16 Restart the Collector service so that the new configuration takes effect, then confirm that the component modules show Running (see service collector status in Table 4-7):

[root@CAS_OOB /]# service collector restart

Configuring the Collector Service on a Secondary NAC Server Node

Step 17 Log in as user root with the root password (default is cisco123).

Step 18 At the command line, type service collector config.

[root@CAS_OOB /]# service collector config 

This starts the short configuration script for the Collector service. Either type a value or press Enter to accept the default value (shown in brackets [ ]) for each of the following prompts.

Step 19 Type y or press Enter to enable the Collector service on the CAS:

Enable the NAC Collector (y/n) [y]:  

Step 20 Type y or press Enter to configure the network settings that the Collector uses to connect to the Cisco NAC Profiler Server:

Configure NAC Collector (y/n) [y]: y

Step 21 Enter the Remote Collector's name and press Enter.

Enter the name for this remote collector. Please note that if
this collector exists on a HA pair that this name must match
its pair's name for proper operation. (24 char max) [GBS-CAS]:

Note An identical name for the Collector service must be used in the configuration on both NAC Servers in the Collector HA pair. The configuration script offers the hostname of the CAS appliance as the default, but that default is not acceptable for an HA pair because the two nodes have different hostnames. Enter exactly the name that was configured on the Primary node (the comparison is exact: case, spaces and punctuation must match).



Warning Collector Names must be 24 characters or less.


Step 22 The Connection type for the Collector configuration must be set to Server, exactly as on the Primary node. For Collector HA pairs the Profiler Server initiates the connection to the Collector service running on the pair, and the Server connection type is what makes the Collector listen for that connection instead of initiating one of its own.

Network configuration to connect to a NAC Profiler Server
Connection type (server/client) [client]:server

Step 23 Listen on IP: enter the same VIP/Service IP address of the NAC Server HA pair that was entered on the Primary node, not the real eth0 address of this node. The Secondary node only accepts the Profiler Server's connection on this address once it holds the VIP after a failover.

Listen on IP [10.40.1.10]:

Step 24 Provide the Collector service with the IP address(es) from which it accepts connections, using the same list that was entered on the Primary node. For a standalone NAC Profiler Server this is its eth0 IP address; for a NAC Profiler Server HA pair it is the eth0 IP address of both members and the VIP of the pair.

Step 25 Enter the eth0 IP address of the first Profiler Server appliance and press Enter; enter the eth0 IP address of the other Profiler Server appliance in the HA pair and press Enter; enter the VIP/Service IP address of the Profiler Server HA pair and press Enter; then type done to move the script to the next step.

	You will be asked to enter the IP address(es) of the NPS. This
	is necessary to configure the access control list used by this
	collector. If the NPS is part of an HA pair then you must include
	the real IP address of each independant NPS and the virtual IP to
	ensure proper connectivity in the case of failover.
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [127.0.0.1]: 10.10.0.211
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.211]: 10.10.0.212
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.210]: 10.10.0.210
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.212]: done

Step 26 Press Enter to accept the default TCP port (31416), or type the alternate port 31417, for communication with the Cisco NAC Profiler Server. Use the same port that was configured on the Primary node:

 Port number [31416]: 

Step 27 Press Enter to accept AES (the default), type blowfish to use Blowfish, or type none to disable encryption. The example below shows none for illustration only; running without encryption is not recommended, and the value must match the one configured on the Primary node and on the NAC Profiler Server:

Encryption type (AES, blowfish, none) [AES]: none 

Step 28 Type the shared secret for the network connection with the NAC Profiler Server. It must be the same secret that was entered on the Primary node; the example value cisco123 is for illustration only.

 Shared secret []: cisco123 

Step 29 The NAC Collector configuration utility will next show status for each of the modules (Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, NetRelay) in the Collector followed by a final confirmation:

-- Configured CAS_OOB-fw
-- Configured CAS_OOB-nm
-- Configured CAS_OOB-nt
-- Configured CAS_OOB-nw
-- Configured CAS_OOB-ni
-- Configured CAS_OOB-nr

NAC Collector has been configured
[root@CAS_OOB /]#  

Step 30 Restart the Collector service so that the new configuration takes effect, then confirm that the component modules show Running (see service collector status in Table 4-7):

[root@CAS_OOB /]# service collector restart

Starting Up a Standalone NAC Profiler Collector using the Server Connection Type


Step 1 Connect to the NAC Server and access its command line by direct console, serial connection, or SSH.

Step 2 Log in as user root with the root password (default is cisco123).

Step 3 At the command line, type service collector config.

[root@CAS_OOB /]# service collector config 

This starts the short configuration script for the Collector. Either type a value or press Enter to accept the default value (shown in brackets [ ]) for each of the following prompts.

Step 4 Type y or press Enter to enable the Collector service on the NAC Server:

Enable the NAC Collector (y/n) [y]: y 

Step 5 Type y or press Enter to configure the network settings that the Collector uses to connect to the Cisco NAC Profiler Server:

Configure NAC Collector (y/n) [y]: y 

Step 6 Type this Collector's name and press Enter.

Enter the name for this remote collector. Please note that if
this collector exists on a HA pair that this name must match
its pair's name for proper operation. (24 char max) [GBS-CAS]:


Warning Collector Names must be 24 characters or less.


Step 7 Type server to configure the Connection Type as Server, designating that this Collector will accept connections initiated by the NAC Profiler Server:

Network configuration to connect to a NAC Profiler Server
	Connection type (server/client) [client]:server 

Step 8 Type the eth0 IP address of the NAC Server so that the Collector listens on that address for incoming connections from the NAC Profiler Server:

	Listen on IP [10.40.1.10]:

Step 9 Provide the Collector service with the IP address(es) from which it accepts connections. This list is the access control list for the listening socket: for a standalone NAC Profiler Server enter its eth0 IP address; for a NAC Profiler Server HA pair enter the eth0 IP address of both members and the VIP of the pair. A connection from any address not in the list is refused.

Step 10 Enter the eth0 IP address of the first Profiler Server appliance and press Enter; for a Profiler Server HA pair, also enter the eth0 IP address of the other Profiler Server appliance and press Enter, then the VIP/Service IP address of the pair and press Enter; then type done to move the script to the next step.

	You will be asked to enter the IP address(es) of the NPS. This
	is necessary to configure the access control list used by this
	collector. If the NPS is part of an HA pair then you must include
	the real IP address of each independant NPS and the virtual IP to
	ensure proper connectivity in the case of failover.
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [127.0.0.1]: 10.10.0.211
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.211]: 10.10.0.212
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.210]: 10.10.0.210
Enter the IP address(es) of the NAC Profiler.
   (Finish by typing 'done') [10.10.0.212]: done

Step 11 Press Enter to accept the default port number (31416), or type another port number for communication with the Cisco NAC Profiler Server:

 Port number [31416]:  

Step 12 Press Enter to accept AES (the default), type blowfish to use Blowfish, or type none to disable encryption. The example below shows none for illustration only; running without encryption is not recommended, and the same encryption type must be selected when this Collector is defined on the NAC Profiler Server:

Encryption type (AES, blowfish, none) [AES]: none

Step 13 Type the shared secret for the network connection. The example uses cisco123 for illustration only; use a strong secret that is not the appliance root password, and enter the same value when this Collector is defined on the NAC Profiler Server.

 Shared secret []: cisco123 

Step 14 The NAC Collector configuration utility will next show status for each of the modules (Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, NetRelay) in the Collector followed by a final confirmation:

-- Configured CAS_OOB-fw
-- Configured CAS_OOB-nm
-- Configured CAS_OOB-nt
-- Configured CAS_OOB-nw
-- Configured CAS_OOB-ni
-- Configured CAS_OOB-nr

NAC Collector has been configured
[root@CAS_OOB /]#  

Step 15 Collector configuration on the Clean Access Server is complete.

Step 16 Restart the Collector service so that the new configuration takes effect, then confirm that the component modules show Running (see service collector status in Table 4-7):

[root@CAS_OOB /]# service collector restart

Configuring Profiler Collectors to Use with DHCP Analysis via IP Helper

As outlined in Chapter 3, "Preparing for Deployment", there are two alternatives for giving the Cisco NAC Profiler system visibility into DHCP, which assists the collection of endpoint profiling attributes and the maintenance of IP-to-MAC mappings for dynamically addressed endpoints:

Using SPAN or RSPAN to deliver packets associated with DHCP to a NetWatch monitoring interface

Alternatively, using the IP Helper functionality provided by routers to forward endpoint DHCP requests to a NetWatch monitoring interface

An IP Helper converts broadcast DHCP packets into unicast so that they can be forwarded across the network to a designated IP host address. Using the eth0 and eth1 interfaces of a NAC Server as the NetWatch monitoring interface for this traffic is not supported.

Therefore, using the IP Helper option to deliver endpoint DHCP requests to a Cisco NAC Server for analysis by the NetWatch component of the NAC Profiler Collector requires that another available Cisco NAC Server interface be configured to receive the IP Helper packets from the routers that forward DHCP requests to the Cisco NAC Profiler.

When configuring a Cisco NAC Server/Collector that will be tasked with analyzing DHCP packets forwarded via IP Helper by routers, you must complete the following procedure.


Note If the NAC Server/Collector is deployed as an HA-pair, this procedure must be performed on both appliances in the pair.



Step 1 Configure an unused interface (eth2 or eth3) of the NAC Server (CAS) collector via the CLI. For example:

a. cd to /etc/sysconfig/network-scripts

b. Copy file ifcfg-eth0 to ifcfg-eth3:

cp ifcfg-eth0 ifcfg-eth3

c. Edit the interface configuration using the vi editor:

vi ifcfg-eth3

Modify the interface configuration file to match the following, making sure the IP address and mask are set so that directed traffic received on the interface is processed by the OS and passed to NetWatch.


Note The IP Address configured for this interface needs to be a separate network from the eth0/eth1 interfaces on the NAC Server.


IPADDR=172.16.14.18
NETMASK=255.255.255.248
BOOTPROTO=static
ONBOOT=yes
PERFIGO_VLANPASS=
GATEWAY=
BROADCAST=
DEVICE=eth3
NETWORK=

A route to this new network must exist on the routers that forward the DHCP requests. The interface is deliberately configured without a default gateway so that the NAC Server's own routing is not disrupted. No response is needed: the router forwards each client DHCP request as a unicast UDP datagram, the Collector interface running NetWatch only observes it and never answers, and the Profiler uses these packets to collect endpoint data. The real DHCP server must remain configured as a helper address on the same router interfaces so that leases continue to be served.

Because the interface has no default gateway, it does not answer pings from other subnets. To verify that forwarded packets are arriving on the interface, view the traffic received on it:

tcpdump -ni eth3

Step 2 The IP helper addresses configured on the routed interfaces (SVIs) of the client subnets must point to the IP address of the Collector NetWatch monitoring interface so that the DHCP packets are forwarded to the Collector for NetWatch analysis. For a NAC Server/Collector HA pair the two appliances have two separate interface IP addresses, and both must be configured as helper addresses.
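The subnet separation that the Note in Step 1 requires (the helper interface on a different network from eth0 and eth1) is easy to get wrong by hand, and the symptom, replies and forwarded packets taking the wrong interface, is silent. The following POSIX shell script is an added example and is not Cisco code or part of this guide: it checks a candidate address and mask against the CAS's existing eth0/eth1 addresses (the values 10.40.1.11/24 and 10.40.2.11/24 are constructed samples; on a real appliance take them from the IPADDR and NETMASK lines of ifcfg-eth0 and ifcfg-eth1) and renders the ifcfg-eth3 file in the layout shown in Step 1. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not Cisco code): check that the IP helper listener interface is on a
# separate network from eth0/eth1, then render ifcfg-eth3 in the layout from Step 1.

# Constructed sample values for the CAS's own interfaces; on a real appliance read
# them from /etc/sysconfig/network-scripts/ifcfg-eth0 and ifcfg-eth1 (IPADDR=/NETMASK=).
ETH0_IP=10.40.1.11; ETH0_MASK=255.255.255.0
ETH1_IP=10.40.2.11; ETH1_MASK=255.255.255.0

# ip_to_int A.B.C.D: dotted quad to an integer so that masks can be applied
ip_to_int() {
    ( IFS=.; set -- $1; echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 )) )
}

# int_to_ip N: the reverse, used when printing computed network addresses
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP MASK: the network address of IP under MASK, dotted
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# overlaps IP1 MASK1 IP2 MASK2: two prefixes overlap exactly when they agree under the
# less specific of the two masks (the bitwise AND of two contiguous masks)
overlaps() {
    ov_mask=$(int_to_ip $(( $(ip_to_int "$2") & $(ip_to_int "$4") )))
    [ "$(network_of "$1" "$ov_mask")" = "$(network_of "$3" "$ov_mask")" ]
}

# check_helper_iface IP MASK: fail if the candidate network overlaps eth0 or eth1
check_helper_iface() {
    hi_rc=0
    for hi_if in eth0 eth1; do
        if [ "$hi_if" = eth0 ]; then hi_ip=$ETH0_IP; hi_mask=$ETH0_MASK
        else hi_ip=$ETH1_IP; hi_mask=$ETH1_MASK; fi
        if overlaps "$1" "$2" "$hi_ip" "$hi_mask"; then
            echo "FAIL: $1/$2 overlaps $hi_if network $(network_of "$hi_ip" "$hi_mask")/$hi_mask"
            hi_rc=1
        fi
    done
    return $hi_rc
}

# render_ifcfg DEVICE IP MASK: the file layout from Step 1c; GATEWAY is left empty on
# purpose so the NAC Server's default route is not changed
render_ifcfg() {
    cat <<EOF
IPADDR=$2
NETMASK=$3
BOOTPROTO=static
ONBOOT=yes
PERFIGO_VLANPASS=
GATEWAY=
BROADCAST=
DEVICE=$1
NETWORK=
EOF
}

main() {
    dev=eth3; ip=172.16.14.18; mask=255.255.255.248
    if check_helper_iface "$ip" "$mask"; then
        echo "OK: $ip/$mask is a separate network from eth0/eth1"
        echo "--- ifcfg-$dev ---"
        render_ifcfg "$dev" "$ip" "$mask"
    fi
}
main
```

Write the rendered file to /etc/sysconfig/network-scripts/ifcfg-eth3 and bring the interface up (for example with ifup eth3). On the router side the forwarding is the IOS ip helper-address command on the SVI of each client subnet: one entry for the real DHCP server, which keeps serving leases, and one for the Collector interface address, which only observes. Because the relayed requests arrive as unicast UDP to port 67, tcpdump -ni eth3 udp port 67 shows just the forwarded DHCP requests and is a sharper check than the unfiltered capture in Step 1.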


Issuing CLI Commands to the Cisco NAC Profiler Collector

Table 4-7 lists CLI commands issued on the CAS for the Cisco NAC Profiler Collector service running on NAC servers. Refer to the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide for complete details on using the CAS CLI.


Note To display the version of the Collector on the CAS, SSH to the CAS machine running the Collector service, and type rpm -q Collector.


Table 4-7 Cisco NAC Profiler Collector Service CLI Commands for Collectors 

Command
Description

service collector status

Displays the version and status of the individual Collector component modules on the NAC Server, for example:

Profiler Status
   Version: Collector-3.1.0-24

  o Server      Not Installed
  o Forwarder   Running
  o NetMap      Running
  o NetTrap     Running
  o NetWatch    Running
  o NetInquiry  Running
  o NetRelay    Running

service collector config

Starts the Collector service configuration script so that an initial configuration for the Collector service can be created, or allows re-configuration of the Collector service on the Cisco NAC Server.

[root@caserver12 /]# service collector config
Enable the NAC Collector (y/n) [y]: 
Configure NAC Collector (y/n) [y]: 
Enter the name for this remote collector. Please note that 
if this collector exists on a HA pair that this name must 
match its pair's name for proper operation. (24 char max) 
[GBS-CAS]:
Network configuration to connect to a NAC Profiler Server
	Connection type (server/client) [client]: client
 Connect to IP [127.0.0.1]: 192.168.96.20
 Port number [31416]: 
 Encryption type (AES, blowfish, none) [AES]: none
 Shared secret []: cisco123
-- Configured caserver12-fw
-- Configured caserver12-nm
-- Configured caserver12-nt
-- Configured caserver12-nw
-- Configured caserver12-ni
-- Configured caserver12-nr

        NAC Collector has been configured

service collector restart

Stops and then restarts the Collector service. Use this after changing the configuration so that the new settings take effect while the service is already running.

service collector stop

Shuts down the Collector service on the CAS.

service collector start

Starts the Collector service on the CAS.

service collector verify

Displays the current configuration of the Collector service. The output includes the shared secret in clear text, so treat it as sensitive and do not paste it into tickets or logs.

Collector Network Configuration
Collector Name    = bcas1-fw
Connection Type   = server
Listen on IP      = 10.40.1.10
Network IP ACL
127.0.0.1
10.10.0.211
10.10.0.210
10.10.0.212
Port Number       = 31416
Encryption type   = AES
Shared secret     = profiler
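The requirements of the Collector HA-pair startup and the Server connection type procedures earlier in this chapter (identical Collector name on both nodes, connection type server, listen IP equal to the VIP of the NAC Server pair, both Profiler Server real addresses and the Profiler Server VIP in the ACL, encryption not disabled) can be checked mechanically against the output of service collector verify shown above. The following POSIX shell script is an added example and is not Cisco code or part of this guide: the two verify outputs are constructed samples in the Table 4-7 format, and the function names, the VIP 10.40.1.10 and the NPS addresses are this example's assumptions. On a real deployment, capture the verify output from each node (for example with ssh root@<cas> service collector verify) and pass those captures in place of the samples.

```shell
#!/bin/sh
# Added example (not Cisco code): validate `service collector verify` output for a
# Collector using the Server connection type, and compare the two nodes of a Collector
# HA pair. The sample outputs below are constructed in the Table 4-7 format.

CAS_VIP=10.40.1.10                              # assumed VIP of the NAC Server HA pair
NPS_IPS='10.10.0.211 10.10.0.212 10.10.0.210'   # assumed NPS real IPs plus NPS VIP

NODE_A='Collector Network Configuration
Collector Name    = Building-26-CAS
Connection Type   = server
Listen on IP      = 10.40.1.10
Network IP ACL
127.0.0.1
10.10.0.211
10.10.0.210
10.10.0.212
Port Number       = 31416
Encryption type   = AES
Shared secret     = profiler'

# Node B kept the hostname default as its name, listens on its own eth0 address, left
# the NPS VIP out of the ACL and accepted "none" for encryption: each of these breaks
# failover or confidentiality and must be caught before the pair goes into service.
NODE_B='Collector Network Configuration
Collector Name    = CAS2
Connection Type   = server
Listen on IP      = 10.40.1.12
Network IP ACL
127.0.0.1
10.10.0.211
10.10.0.212
Port Number       = 31416
Encryption type   = none
Shared secret     = profiler'

# cfg_field OUTPUT LABEL: the value of a "LABEL = value" line
cfg_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*=[[:space:]]*//p"
}

# cfg_acl OUTPUT: the addresses listed under "Network IP ACL"
cfg_acl() {
    printf '%s\n' "$1" | awk '/^Network IP ACL/ {f=1; next} /^Port Number/ {f=0} f && /^[0-9]/'
}

# acl_has OUTPUT IP: succeeds if IP is an exact entry in the ACL
acl_has() {
    cfg_acl "$1" | grep -qxF "$2"
}

# check_server_collector OUTPUT VIP "NPS IPS": one node's configuration for the Server
# connection type; prints a FAIL line per problem and returns non-zero if any
check_server_collector() {
    sc_out=$1; sc_vip=$2; sc_rc=0
    [ "$(cfg_field "$sc_out" 'Connection Type')" = server ] ||
        { echo "FAIL: connection type is not server"; sc_rc=1; }
    [ "$(cfg_field "$sc_out" 'Listen on IP')" = "$sc_vip" ] ||
        { echo "FAIL: listen IP is not the CAS VIP $sc_vip"; sc_rc=1; }
    for sc_ip in $3; do
        acl_has "$sc_out" "$sc_ip" || { echo "FAIL: $sc_ip missing from ACL"; sc_rc=1; }
    done
    [ "$(cfg_field "$sc_out" 'Encryption type')" != none ] ||
        { echo "FAIL: encryption is disabled"; sc_rc=1; }
    sc_name=$(cfg_field "$sc_out" 'Collector Name')
    [ -n "$sc_name" ] && [ ${#sc_name} -le 24 ] ||
        { echo "FAIL: Collector name empty or longer than 24 characters"; sc_rc=1; }
    return $sc_rc
}

# check_ha_pair OUTPUT_A OUTPUT_B VIP "NPS IPS": both nodes valid on their own and
# identical in every field the HA procedure requires to match
check_ha_pair() {
    hp_rc=0
    check_server_collector "$1" "$3" "$4" || hp_rc=1
    check_server_collector "$2" "$3" "$4" || hp_rc=1
    for hp_f in 'Collector Name' 'Listen on IP' 'Port Number' 'Encryption type' 'Shared secret'; do
        [ "$(cfg_field "$1" "$hp_f")" = "$(cfg_field "$2" "$hp_f")" ] ||
            { echo "FAIL: $hp_f differs between the two nodes"; hp_rc=1; }
    done
    return $hp_rc
}

main() {
    if check_ha_pair "$NODE_A" "$NODE_B" "$CAS_VIP" "$NPS_IPS"; then
        echo "PASS: Collector HA pair is consistent"
    else
        echo "FAIL: rerun 'service collector config' on the offending node"
    fi
}
main
```

The script compares the Shared secret line of the two nodes, so its input contains the secret in clear text just as the verify output does; run it on the appliance or over an authenticated channel and discard the captures afterwards.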