Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.1(1)
Administer the Clean Access Server

Table Of Contents

Administer the Clean Access Server

Status Tab

Clean Access Server Direct Access Web Console

Manage CAS SSL Certificates

Generate Temporary Certificate

Export CSR/Private Key/Certificate

Verify Currently Installed Private Key and Certificates

Import Signed Certificate

View Certificate Files Uploaded for Import

Troubleshooting Certificate Issues

CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Certificate-Related Files

Synchronize System Time

Support Logs and Loglevel Settings


Administer the Clean Access Server


This chapter describes Clean Access Server (CAS) administration. Topics include:

Status Tab

Clean Access Server Direct Access Web Console

Manage CAS SSL Certificates

Synchronize System Time

Support Logs and Loglevel Settings

Status Tab

The Status tab of the CAS management pages displays high-level status information on which modules are running in the Clean Access Server.

Figure 13-1 CAS Management Pages Status Tab

IP Filter—An IP packet filter that analyzes packets to ensure that they come from valid, authenticated users.

DHCP Server—The CAS's internal DHCP (Dynamic Host Configuration Protocol) server.

DHCP Relay—The module that relays address requests and assignments between clients and an external DHCP server.

IPSec Server—The module for establishing a secure, IP Security-based channel between the CAS and a client device. The module encrypts and decrypts data passed between the client and server.

Active Directory SSO—The module that enables Active Directory Single Sign-On for authenticated Windows users.

Windows NetBIOS SSO—The module that enables Windows NetBIOS login for authenticated Windows users.

Clean Access Server Direct Access Web Console

The CAS management pages of the CAM web admin console (Figure 13-1) are the primary configuration interface for the Clean Access Server(s). However, each Clean Access Server has its own web admin console that allows configuration of certain limited Administration and Monitoring settings directly on the CAS (Figure 13-2). The CAS direct access web console is primarily used to download CAS support logs or to configure pairs of Clean Access Servers for High Availability. See Chapter 14, "Configuring High Availability (HA)" for details. If the CAS management pages become unavailable, you can also use the direct console interface for other functions, such as managing SSL certificates for the CAS or performing a system upgrade.

To access the Clean Access Server's direct access web admin console:

1. Open a web browser and type the IP address of the CAS's trusted (eth0) interface in the URL/address field: https://<CAS_eth0_IP>/admin (for example, https://172.16.1.2/admin)

2. Accept the temporary certificate and log in as user admin (default password is cisco123).

Figure 13-2 CAS Direct Access Web Admin Console


Note Make sure to precede the CAS IP address with "https://" and append it with "/admin"; otherwise you will see the redirect page for web login users.

For security purposes, Cisco recommends changing the default password for the CAS web console.


Note that almost all of the settings in the CAS web console can be configured via the CAS management pages in the CAM web admin console, with the exception of the Failover, DHCP Failover, Admin Password, and Support Logs. The CAS direct access web console provides the following Administration pages for the local CAS:

Network Settings (IP, DNS, Failover, DHCP Failover)

Software Update

SSL Certificates (Generate Temporary Certificate, Import Certificate, Export CSR/Private Key/Certificate)

Time Server

Admin Password

The Monitoring module of the CAS direct access console provides the following pages:

Active VPN Clients

Support Logs


Note For High Availability CAS pairs, any CAS network setting changes performed on an HA-Primary CAS through the CAS management pages or CAS direct access web console must also be repeated on the standby CAS unit through its direct access web console. These settings include updating the SSL certificate, system time, time zone, DNS, or Service IP. See IP Form, page 5-8 and Modifying High Availability Settings, page 14-22 for details.


Manage CAS SSL Certificates

The elements of Cisco NAC Appliance communicate securely over Secure Socket Layer (SSL) connections. Cisco NAC Appliance uses SSL connections for the following:

Between the CAM and the CAS

Between the CAM and the browser accessing the CAM web admin console

Between the CAS and end-users connecting to the CAS

Between the CAS and the browser accessing the CAS direct access web console

During installation, the configuration utility script for both the CAM and CAS requires you to generate a temporary SSL certificate for the server being installed (CAM or CAS). A corresponding private key is also generated with the temporary certificate.

For a production deployment, you will typically want to replace the temporary certificate for the Clean Access Server with a CA-signed SSL certificate, since the CAS certificate is the one that is visible to the end user. Otherwise, if the Clean Access Server has a temporary certificate, users accessing the network will have to explicitly accept the certificate from the CAS each time they login.


Note Due to Java version dependencies in the system software, Cisco NAC Appliance only supports 1024- and 2048-bit key lengths for SSL certificates.


For the Clean Access Manager, it is not necessary to use a CA-signed certificate and you can continue to use a temporary certificate, if desired. For details on managing SSL certificates for the CAM, see the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1).

The following sections describe how to manage SSL certificates for the CAS:

Generate Temporary Certificate

Export CSR/Private Key/Certificate

Verify Currently Installed Private Key and Certificates

Import Signed Certificate

View Certificate Files Uploaded for Import

Troubleshooting Certificate Issues


Note You cannot use a CA-signed certificate that you bought for the Clean Access Manager on the Clean Access Server. You must buy a separate certificate for each Clean Access Server.


Web Console Pages for SSL Certificate Management

The actual CAM SSL certificate files are kept on the CAM machine, and the CAS SSL certificate files are kept on the CAS machine. After installation, the CAM and CAS certificates can be managed from the following web console pages (respectively):

Clean Access Manager Certificates:

Administration > CCA Manager > SSL Certificate

Clean Access Server Certificates:

CAS management pages: Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs, or

CAS direct access console: Administration > SSL Certificate


Note You can use the CAS direct access console interface if the CAS management pages become unavailable. See Clean Access Server Direct Access Web Console for further details.


The CAS management pages and CAS direct access console provide the same controls and allow you to perform the following SSL certificate-related operations:

Generate a temporary certificate (and corresponding private key).

Generate a PEM-encoded PKCS #10 Certificate Signing Request (CSR) based on the current temporary certificate.

Import and export the private key. The Export Key feature is used to save a backup copy of the Private Key on which the CSR is based. When a CA-signed certificate is returned from the Certificate Authority and imported into the CAS, this Private Key must be used with it.


Note For High Availability CAS pairs, any CAS network setting changes performed on an HA-Primary CAS through the CAS management pages or CAS direct access web console must also be repeated on the standby CAS unit through its direct access web console. These settings include updating the SSL certificate, system time/time zone, DNS, or Service IP. See Clean Access Server Direct Access Web Console and Modifying High Availability Settings, page 14-22 for details.


Typical Steps for CAS New Installs

For new installations, the typical steps for managing the CAS certificate are as follows:

1. Synchronize time

After CAM and CAS installation, make sure the time on the CAM and CAS is synchronized before regenerating the temporary certificate on which the Certificate Signing Request will be based. See the next section, Synchronize System Time, for details.

2. Check DNS settings for the CAS

If planning to use the DNS name instead of the IP address of your servers for CA-signed certs, you will need to verify the CAS settings and regenerate a temporary certificate. See Regenerating Certificates for DNS Name Instead of IP for details.

3. Generate Temporary Certificate

A temporary certificate and private key are automatically generated during CAS installation. If changing time or DNS settings on the CAS, regenerate the temporary certificate and private key prior to creating the Certificate Signing Request.

4. Export (Backup) the private key to a local machine for safekeeping/backup.

It is a good idea to always back up the private key corresponding to the current temporary certificate to a local hard drive for safekeeping before you generate and export the Certificate Signing Request. See Export CSR/Private Key/Certificate.

5. Export (save) the Certificate Signing Request (CSR) to a local machine.
See Export CSR/Private Key/Certificate.

6. Send the CSR file to a Certification Authority (CA) authorized to issue trusted certificates.

7. After the CA signs and returns the certificate, import the CA-signed certificate to your server.

When the CA-signed certificate is received from the CA, upload it as PEM-encoded file to the CAS temporary store. See Import Signed Certificate.

8. If necessary, upload any required intermediate CA certificate(s) as a single PEM-encoded file to the CAS temporary store.

9. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key in the temporary store and install the verified certificates to the CAS.

10. Test as a client accessing the Clean Access Server.


Note Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the private key to a secure location when you are generating a CSR for signing (for safekeeping and to have the private key handy).


For additional details, see also Troubleshooting Certificate Issues.

Generate Temporary Certificate

The following procedure describes how to generate a new temporary certificate for the CAS. Keep in mind that if the Clean Access Server has a temporary certificate, users accessing the network will have to explicitly accept the certificate from the CAS at each login. After generating a temporary certificate, you can generate a Certificate Signing Request (CSR) suitable for submission to a Certification Authority (CA). See also Regenerating Certificates for DNS Name Instead of IP for additional details.

To generate a certificate:

1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs.

2. If not already selected, choose Generate Temporary Certificate from the Choose an action dropdown menu.

Figure 13-3 Certs—Generate Temporary Certificate

3. Type appropriate values for the form fields:

Full Domain Name or IP - The fully qualified domain name or IP address of the CAS for which the certificate is to apply. For example: caserver.<your_domain_name>

Organization Unit Name - The name of the unit within the organization, if applicable.

Organization Name - The legal name of the organization.

City Name - The city in which the organization is legally located.

State Name - The full name of the state in which the organization is legally located.

2-letter Country Code - The two-character, ISO-format country code, such as GB for Great Britain or US for the United States.

4. When finished, click Generate. This generates a new temporary certificate and new private key.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if you are accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS will be shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM will be shown.


Export CSR/Private Key/Certificate

Exporting a CSR generates a PEM-encoded PKCS#10-formatted Certificate Signing Request suitable for submission to a certificate authority. The CSR will be based on the temporary certificate and private key currently in the keystore database.

To create a certificate request:

1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs (Figure 13-4).

2. Choose Export CSR/Private Key/Certificate from the Choose an action dropdown menu.

Figure 13-4 Certs—Export CSR/Private Key/Certificate

3. Create a backup of the private key used to generate the request by clicking the Export button for Currently Installed Private Key (A) in the Export CSR/Private Key/Certificate form. You are prompted to save or open the file (see Filenames for Exported Files). Save it to a secure location.


Note Cisco NAC Appliance only supports 1024- and 2048-bit key lengths for SSL certificates.


4. Click Export CSR (B). A certificate signing request file for the CAS is generated and made available for downloading (see Filenames for Exported Files).


Note This step will generate a certificate request based on the currently installed (temporary) certificate and private key pair. Make sure these are the ones for which you want to submit the CSR to the certificate authority.


5. Save the CSR file to your hard drive (or Open it immediately in a text editor if you are ready to fill out the certificate request form). Use the CSR file to request a certificate from a certificate authority. When you order a certificate, you may be asked to copy and paste the contents of the CSR file into a CSR field of the order form.

6. When you receive the CA-signed certificate back from the certification authority, you can import it into the Clean Access Server as described in Import Signed Certificate.
After the CA-signed cert is imported, the "currently installed certificate" is the CA-signed certificate. You can always optionally Export the Currently Installed Certificate if you need to access a backup of this certificate later.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if you are accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS will be shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM will be shown.


Filenames for Exported Files

File names for SSL Certificate files that can be exported from the CAS are as follows:

File Name (1)             Description
secsmart_csr.pem          CAS Certificate Signing Request (CSR)
secsmart_key.pem          CAS Currently Installed Private Key
secsmart_crt.cer (2)      CAS Currently Installed Certificate

(1) For release 3.6.0.1 and below, filename extensions are .csr instead of .pem.

(2) For release 3.6(1) only, the filename is secsmart_crt.pem.
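The following added example, which is not part of this guide or of the CAS software, reproduces with the openssl CLI the "Generate Temporary Certificate" and "Export CSR/Private Key" steps from Typical Steps for CAS New Installs and this section, and shows the checks worth running on the exported files before the CSR goes to the CA: that the key length is one the appliance supports, that the CSR is PEM-encoded, and that the CSR's public key is the one in the private key you backed up. The working directory, file names and subject values are constructed for the example; the CAS performs the equivalent steps internally and does not expose these commands.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: temporary certificate, key backup
# and PKCS #10 CSR export with the openssl CLI, plus pre-submission checks.
# Directory, file names and subject values below are constructed.

# Generate a temporary (self-signed) certificate and matching private key.
# $1 = working directory, $2 = FQDN or IP for the CN, $3 = key length (1024/2048)
generate_temp_cert() {
    dir=$1; cn=$2; bits=${3:-2048}
    openssl req -x509 -newkey "rsa:$bits" -nodes -sha256 -days 365 \
        -subj "/C=US/ST=California/L=San Jose/O=Example Org/OU=Network/CN=$cn" \
        -keyout "$dir/temp_key.pem" -out "$dir/temp_crt.pem" >/dev/null 2>&1
}

# Step 4 of the guide: back up the private key the CSR will be based on.
backup_private_key() {
    cp "$1/temp_key.pem" "$1/secsmart_key.pem"
}

# Step 5: export a PEM-encoded PKCS #10 CSR built from the temporary
# certificate (subject copied from it, signed with the same private key).
export_csr() {
    openssl x509 -x509toreq -in "$1/temp_crt.pem" -signkey "$1/temp_key.pem" \
        -out "$1/secsmart_csr.pem" >/dev/null 2>&1
}

# RSA key length of a private key file (the appliance supports 1024 and 2048 only).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null \
        | sed -n 's/^[^(]*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# The CSR must be PEM-encoded ...
csr_is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"
}

# ... and its public key must be the one in the backed-up private key,
# otherwise the certificate the CA returns will not match the installed key.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# CN recorded in the CSR (what the CA will put on the certificate).
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/.*CN=\([^,]*\).*/\1/'
}

main() {
    work=$(mktemp -d)
    generate_temp_cert "$work" cas.example.com 2048 || exit 1
    backup_private_key "$work"
    export_csr "$work" || exit 1
    echo "key length : $(key_bits "$work/secsmart_key.pem") bits"
    echo "CSR CN     : $(csr_cn "$work/secsmart_csr.pem")"
    csr_is_pem "$work/secsmart_csr.pem" && echo "CSR is PEM-encoded"
    csr_matches_key "$work/secsmart_csr.pem" "$work/secsmart_key.pem" \
        && echo "CSR public key matches the backed-up private key"
    echo "files written to $work"
}
main
```

`csr_matches_key` is the check to run against the key you exported in step 3 and the CSR you exported in step 4; if it fails, a new temporary certificate was generated between the two exports and the CSR must be regenerated.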


Verify Currently Installed Private Key and Certificates

You can verify the following files by viewing them under Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs | Export CSR/Private Key/Certificate (Figure 13-4):

Currently Installed Private Key

Currently Installed Certificate

Currently Installed Certificate Details

Currently Installed Root/Intermediate CA Certificate

Currently Installed Root/Intermediate CA Certificate Details


Note You must be currently logged into your web console session to view any certificate files.


On the CAS, if a particular file is not currently installed (for export) or not uploaded (for import), a dialog message "Unable to read certificate from Clean Access Server" will appear when you click the View or Details button. For example, if only a temporary certificate is present on the CAS, this message will appear if you click the View/Details buttons for "Root/Intermediate CA" or "Currently Installed Root/Intermediate CA" on the Import and Export forms, respectively.

Clicking View for "Currently Installed Private Key" brings up the dialog shown in Figure 13-5 (BEGIN PRIVATE KEY/END PRIVATE KEY).

Figure 13-5 View Currently Installed Private Key

Clicking View for "Currently Installed Certificate" brings up the dialog shown in Figure 13-6 (BEGIN CERTIFICATE / END CERTIFICATE).

Figure 13-6 View Currently Installed Certificate

Clicking Details for "Currently Installed Certificate" brings up the dialog shown in Figure 13-7 ("Certificate:"). The Currently Installed Certificate Details form provides an easy way to verify whether you have a temporary or CA-signed certificate. The most important fields to check are:

Issuer—Who signed the current certificate. The temporary certificate generated during installation will have the Issuer information shown in Figure 13-7.

Validity—The creation date ("Not Before:") and expiry date ("Not After:") of the certificate.


Note The time set on the CAS must fall within the creation date/expiry date range set on the SSL certificate of the CAM. The time set on the user machine must fall within the creation date/expiry date range set on the SSL certificate of the CAS.


Subject—The server and organizational information you entered when you generated the temporary certificate.

Begin Certificate/End Certificate—The actual certificate is displayed in this section. It is identical to the information shown when you click View "Currently Installed Certificate".

Figure 13-7 View Currently Installed Certificate Details (Example Temporary Certificate)

Clicking View or Details for "Currently Installed Root/Intermediate CA Certificate" will bring up similar dialogs for the root or intermediate certificates you have installed on your CAS.

Import Signed Certificate

If you have received a CA-signed PEM-encoded X.509 certificate for the Clean Access Server, you can import it into the Clean Access Server as described here. Before starting, make sure that the root and CA-signed certificate files are in an accessible file directory location. If using a certificate authority for which intermediate CA certificates are necessary, make sure these files are also present and accessible.

To import a CA-signed certificate:

1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs (Figure 13-8).

2. Choose Import Certificate from the Choose an action dropdown menu.

Figure 13-8 Certs—Import Certificate

3. Click the Browse button next to the Certificate File field and locate the certificate file on your directory system.


Note Make sure there are no spaces in the filename when importing files (you can use underscores).


4. Select the File Type from the dropdown menu:

CA-signed PEM-encoded X.509 Cert — Select this option to upload the PEM-encoded CA-signed certificate.

Root/Intermediate CA — Select this option to upload the PEM-encoded intermediate CA certificate or root certificate. To install chained certificates (i.e. multiple intermediate CA files):

a. If the certificate chain is using a different file format (e.g. .p7b), you must convert the chain to PEM format first.

b. Copy and paste the root and intermediate certificate information into a single file, then upload that as the Intermediate CA PEM-encoded file to the CAS.


Note Only one Intermediate CA file can be uploaded to the CAS, and it must be in PEM format.


Private Key — Select this option if you need to upload the Private Key for the CAS (from backup). Typically, you only need to do this if the current Private Key does not match the Private Key used to create the original CSR on which the CA-Signed certificate is based.

Trust Non-Standard CA — On the CAS, select this option if uploading a certificate needed for communication between the CAM and CAS that is signed by a non-standard organization. For example, you may have a non-standard certificate for the CAM that is signed by your institution (e.g. university), but a CA-signed certificate from VeriSign for your CAS. If the Clean Access Manager certificate is signed by a CA that is not well known, import the CA cert using the Trust Non-Standard CA option to have it accepted. The Clean Access Server must be rebooted for this to take effect.

5. Click Upload to upload the certificate file to the temporary store on the Clean Access Server.

6. Click Verify and Install Uploaded Certificates to verify the entire certificate chain and private key in the temporary store and install the verified certificate files to the correct locations in the CAS. If any files are missing, errors will be displayed indicating which files need to be uploaded. For example, if an intermediate CA certificate is required for the certificate authority you are using, upload it to the CAS temporary store in order for the certificate chain to be verified and installed on the CAS.


Note Neither the CAM nor CAS will install an unverifiable certificate chain. You must have delimiters (Begin/End Certificate) for multiple certificates in one file, but you do not need to upload certificate files in any particular sequence because they are verified in the temporary store first before being installed.


7. If you try to upload a root/intermediate CA certificate for the CAS that is already in the list, you may see an error message "this intermediate CA is not necessary" after you click the Verify and Install Uploaded Certificates button. You must Delete the uploaded Root/Intermediate CA in order to remove any duplicate files.


Note The Current SSL Certificate Domain: <IP or domain name> field at the bottom of each form displays the IP address or domain name of the current SSL certificate being used to access the web console page displayed. For example, if you are accessing the SSL Certificate management pages of a CAS, the domain name or IP address that is on the SSL certificate of that CAS will be shown. If accessing the SSL Certificate management pages of the CAM, the domain name/IP on the SSL certificate of the CAM will be shown.
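The chain handling described in steps 4 and 6 above, reproduced with the openssl CLI as an added example that is not part of this guide or of the CAS software. It builds a constructed two-level CA (root and intermediate), issues a leaf certificate for a CAS CSR, converts a .p7b chain to PEM (step 4a), joins the intermediate and root into one PEM file (step 4b), and performs the kind of chain verification that Verify and Install Uploaded Certificates does, including the failure you get when the intermediate is missing. All CA names, file names and paths are constructed; the CAS verifies chains internally and does not expose these commands.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: chain bundle and chain verification
# with the openssl CLI. All CA names and file paths are constructed.

# Issue a certificate from a CSR with the given CA certificate and key.
# $1 = CSR, $2 = CA cert, $3 = CA key, $4 = output cert, $5 = optional extfile
issue_cert() {
    if [ -n "$5" ]; then
        openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
            -days 365 -sha256 -extfile "$5" -out "$4" >/dev/null 2>&1
    else
        openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
            -days 365 -sha256 -out "$4" >/dev/null 2>&1
    fi
}

# Build a root CA, an intermediate CA and a CAS leaf certificate in $1.
make_test_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example CA/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example CA/CN=Example Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" >/dev/null 2>&1 || return 1
    # An intermediate must carry CA:TRUE, or openssl verify rejects it as an issuer.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$d/ca.ext"
    issue_cert "$d/inter.csr" "$d/root.pem" "$d/root.key" "$d/inter.pem" "$d/ca.ext" || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=cas.example.com" \
        -keyout "$d/cas.key" -out "$d/cas.csr" >/dev/null 2>&1 || return 1
    issue_cert "$d/cas.csr" "$d/inter.pem" "$d/inter.key" "$d/cas.pem"
}

# Step 4b: one PEM file holding the intermediate and root certificates.
bundle_chain() {
    cat "$1/inter.pem" "$1/root.pem" > "$1/chain_bundle.pem"
}

# A PKCS#7 (.p7b) chain as some CAs deliver it; built here only for the demo.
make_p7b() {
    openssl crl2pkcs7 -nocrl -certfile "$1/inter.pem" -certfile "$1/root.pem" \
        -out "$1/chain.p7b" >/dev/null 2>&1
}

# Step 4a: convert a .p7b chain (PEM or DER encoded) to PEM. $1 = .p7b, $2 = PEM out
p7b_to_pem() {
    openssl pkcs7 -in "$1" -print_certs -out "$2" >/dev/null 2>&1 \
        || openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" >/dev/null 2>&1
}

# Number of certificates in a PEM file (each needs its own BEGIN/END delimiters).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Does the leaf chain up to a root through the supplied bundle? $1 = bundle, $2 = leaf
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    make_test_chain "$work" || exit 1
    bundle_chain "$work"
    echo "bundle holds $(cert_count "$work/chain_bundle.pem") certificates"
    verify_chain "$work/chain_bundle.pem" "$work/cas.pem" \
        && echo "leaf verifies against intermediate+root bundle"
    verify_chain "$work/root.pem" "$work/cas.pem" \
        || echo "leaf does NOT verify with the root alone: intermediate missing"
    make_p7b "$work" && p7b_to_pem "$work/chain.p7b" "$work/chain_from_p7b.pem"
    verify_chain "$work/chain_from_p7b.pem" "$work/cas.pem" \
        && echo "leaf verifies against the chain converted from .p7b"
    rm -rf "$work"
}
main
```

The file produced by `p7b_to_pem` carries a subject/issuer line above each certificate; that text is ignored by PEM readers, so it can be uploaded as the single Root/Intermediate CA file as-is. The `verify_chain` failure with the root alone is the situation the guide describes in step 6: the intermediate has to be in the temporary store before the chain can be verified and installed.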


View Certificate Files Uploaded for Import

You can verify certificate files you have uploaded to the temporary store for import into the CAS under Device Management > CCA Servers > Manage [CAS_IP] > Network > Certs | Import Certificate (Figure 13-4), as follows:

Uploaded Private Key

Uploaded CA-Signed Certificate

Uploaded CA-Signed Certificate Details

Uploaded Root/Intermediate CA Certificate

Uploaded Root/Intermediate CA Certificate Details


Note You must be currently logged into your web console session to view any certificate files.


On the CAS, if a particular file is not currently installed (for export) or not uploaded (for import), a dialog message "Unable to read certificate from Clean Access Server" will appear when you click the View or Details button. For example, if only a temporary certificate is present on the CAS, the message will appear if you click the View/Details buttons for "Root/Intermediate CA" or "Currently Installed Root/Intermediate CA" on the Import and Export forms, respectively.

Troubleshooting Certificate Issues

Issues can arise during Cisco NAC Appliance certificate management, particularly if there are mismatched SSL certificates somewhere along the certificate chain. Common problems on SSL certificates can be time-oriented (if the clocks are not synchronized on the CAM and CAS, authentication fails), IP-oriented (certificates are created for the wrong interface) or information-oriented (wrong or mistyped certificate information is imported). This section describes the following:

CAS Cannot Establish Secure Connection to CAM

Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

Regenerating Certificates for DNS Name Instead of IP

Certificate-Related Files

CAS Cannot Establish Secure Connection to CAM

If clients attempting login get the following error message, "Clean Access Server could not establish a secure connection to the Clean Access Manager at <IP address or domain>" (see Figure 13-9), this commonly indicates one of the following issues:

The time difference between the CAM and CAS is greater than 5 minutes.

Invalid IP address

Invalid domain name

CAM is unreachable

The time set on the CAM and the CAS must be 5 minutes apart or less. To resolve this issue:

1. Set the time on the CAM and CAS correctly first (see Synchronize System Time)

2. Regenerate the certificate on the CAS using the correct IP address or domain.

3. Reboot the CAS.

4. Regenerate the certificate on the CAM using the correct IP address or domain.

5. Reboot the CAM.

Figure 13-9 Troubleshooting: "CAS Cannot Establish Secure Connection to CAM"


Note If you check nslookup and date from the CAS, and both the DNS and time settings on the CAS are correct, this can indicate that the cacerts file on the CAS is corrupted. In this case, Cisco recommends backing up the existing cacerts file from /usr/java/j2sdk1.4/lib/security/cacerts, overwriting it with the file from /perfigo/common/conf/cacerts, and then running "service perfigo restart" on the CAS.



Note If the error message on the client is "Clean Access Server is not properly configured, please report to your administrator," this typically is not a certificate issue but indicates that a default user login page has not been added to the CAM. See "Add Default Login Page" in the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1) for details.


Private Key in Clean Access Server Does Not Match the CA-Signed Certificate

This issue can arise if a new temporary certificate is generated but a CA-signed certificate is returned for the CSR (certificate signing request) generated from a previous temporary certificate and private key pair.

For example, an administrator generates a CSR, backs up the private key, and then sends the CSR to a CA authority, such as VeriSign.

Subsequently, another administrator regenerates a temporary certificate after the CSR has been sent. When the CA-signed certificate is returned from the CA authority, the private key on which the CA-certificate is based no longer matches the one in the Clean Access Server.

To resolve this issue, re-import the old private key and then install the CA-signed certificate.
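Detecting this mismatch before installing the certificate, as an added example that is not part of this guide or of the CAS software: the check compares the public key derived from the installed private key with the public key embedded in the CA-signed certificate, and `reproduce_scenario` replays the two-administrator sequence described above. The "CA-signed" certificate is stood in for by one issued from the CSR with the original key, since the check does not depend on who signed the certificate. File names and subject values are constructed.

```shell
#!/bin/sh
# Added example, not from the Cisco guide: private key / certificate mismatch
# check with the openssl CLI. File names and subject values are constructed.

# SHA-256 fingerprint of the public key derived from a private key file.
pubkey_fp_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= *//'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
pubkey_fp_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Succeeds only when the private key and the certificate belong together.
# $1 = private key file, $2 = certificate file
key_matches_cert() {
    k=$(pubkey_fp_of_key "$1"); c=$(pubkey_fp_of_cert "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Replay the scenario from the guide in directory $1:
#   1. one administrator generates a key pair, exports the CSR and backs up the key;
#   2. another administrator regenerates the temporary certificate (a new key pair
#      becomes the installed key);
#   3. the CA-signed certificate for the ORIGINAL CSR comes back.
reproduce_scenario() {
    d=$1
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example Org/CN=cas.example.com" \
        -keyout "$d/original.key" -out "$d/cas.csr" >/dev/null 2>&1 || return 1
    cp "$d/original.key" "$d/secsmart_key_backup.pem"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/O=Example Org/CN=cas.example.com" \
        -keyout "$d/installed.key" -out "$d/installed.crt" >/dev/null 2>&1 || return 1
    # Stand-in for the CA: issue a certificate for the original CSR.
    openssl x509 -req -in "$d/cas.csr" -signkey "$d/original.key" -days 365 -sha256 \
        -out "$d/ca_signed.crt" >/dev/null 2>&1
}

# The fix from the guide: re-import the backed-up private key, then install the cert.
restore_key_from_backup() {
    cp "$1/secsmart_key_backup.pem" "$1/installed.key"
}

main() {
    work=$(mktemp -d)
    reproduce_scenario "$work" || exit 1
    if key_matches_cert "$work/installed.key" "$work/ca_signed.crt"; then
        echo "installed key matches the CA-signed certificate"
    else
        echo "MISMATCH: installed key does not match the CA-signed certificate"
    fi
    restore_key_from_backup "$work"
    key_matches_cert "$work/installed.key" "$work/ca_signed.crt" \
        && echo "after re-importing the backed-up key: match"
    rm -rf "$work"
}
main
```

On a CAS whose admin console has become unreachable, the same comparison can be made on the files listed in Table 13-1 (/root/.tomcat.key and /root/.tomcat.crt); a mismatch there is the symptom this section describes.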

Regenerating Certificates for DNS Name Instead of IP

If planning to regenerate certificates based on the DNS name instead of the IP address of your servers:

Make sure the CA-signed certificate you are importing is the one with which you generated the CSR and that you have NOT subsequently generated another temporary certificate. Generating a new temporary certificate will create a new private-public key combination. In addition, always export and save the private key when you are generating a CSR for signing (to have the private key handy).

When importing certain CA-signed certificates, the system may warn you that you need to import the root certificate (the CA's root certificate) used to sign the CA-signed certificate, or the intermediate root certificate may need to be imported.

Make sure there is a DNS entry in the DNS server.

Make sure the DNS address in your Clean Access Server is correct (see Configure DNS Servers on the Network, page 5-15).

For High-Availability (failover) configurations, use the DNS name for the Service IP (virtual DNS).

Cisco recommends rebooting when you generate a new certificate or import a CA-signed certificate.

When using a DNS-based certificate, if it is not CA-signed, the user will simply be prompted to accept the certificate.

Certificate-Related Files

For troubleshooting purposes, Table 13-1 lists certificate-related files on the Clean Access Server. For example, if the admin console becomes unreachable due to a mismatch of the CA-certificate/private key combination, these files may need to be modified directly in the file system of the Clean Access Server.

Table 13-1 Clean Access Server Certificate-Related Files

File                                          Description
/root/.tomcat.key                             Private key
/root/.tomcat.crt                             Certificate
/root/.tomcat.csr                             Certificate Signing Request
/root/.chain.crt                              Intermediate certificate
/perfigo/common/conf/perfigo-ca-bundle.crt    The root CA bundle


Synchronize System Time

For logging purposes and other time-sensitive tasks (such as SSL certificate generation), the time on the Clean Access Manager and Clean Access Servers needs to be correctly synchronized. The Time form lets you set the time on the Clean Access Server and modify the time zone setting for the CAS operating system.

After CAM and CAS installation, you should synchronize the time on the CAM and CAS before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. The easiest way to ensure this is to automatically synchronize time with the time server (Sync Current Time button).


Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS SSL certificate.



Note For High Availability CAS pairs, any CAS network setting changes performed on an HA-Primary CAS through the CAS management pages or CAS direct access web console must also be repeated on the standby CAS unit through its direct access web console. These settings include updating the SSL certificate, system time/time zone, DNS, or Service IP. See Clean Access Server Direct Access Web Console and Modifying High Availability Settings, page 14-22 for details.


The time can be modified on the CAM under Administration > CCA Manager > System Time. See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1) for details.

To view the current time:

1. Go to Device Management > CCA Servers > Manage [CAS_IP] > Misc > Time.

2. The system time for the Clean Access Server appears in the Current Time field.

Figure 13-10 Time Form

There are two ways to adjust the system time—manually, by typing in the new time, or automatically, by synchronizing from an external time server.

To manually modify the system time:

Go to the Time form of the Misc tab and perform one of the following steps:

Type the time in the Date & Time field and click Update Current Time. The time should be in the form: mm/dd/yy hh:ss PM/AM.

Click the Sync Current Time button to have the time updated by the time servers listed in the Time Servers field.

To automatically synchronize with the time server:

The default time server is the server managed by the National Institute of Standards and Technology (NIST), at time.nist.gov. To specify another time server:

1. In the Time form of the Misc tab type the URL of the server in the Time Servers field. The server should provide the time in NIST-standard format. Use a space to separate multiple servers.

2. Click Update Current Time.

If more than one time server is listed, the CAS contacts the first server in the list when synchronizing and, if it responds, updates the time from it. If it does not respond, the CAS tries the next server, and so on, until one is reached.

The CAS then automatically resynchronizes with the configured NTP server at periodic intervals. Keep the CAS clock in step with the CAM and, where Active Directory SSO is used, with the domain controllers: SSL certificate validity checks between the CAM and CAS and Kerberos-based AD SSO both fail when clocks drift too far apart, and log correlation across the appliances depends on a common time base.
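The server-list behavior described above, as an added example that is not part of the Cisco guide or the appliance's own code: a small SNTP client that walks an ordered list of time servers the way the Time form does, uses the first one that answers, and reports the offset between the local clock and that server so drift can be judged before it breaks certificate checks or AD SSO. It assumes SNTP/NTP on UDP 123 (RFC 4330) and borrows a 300-second threshold from Kerberos' default clock-skew tolerance; server names other than time.nist.gov are placeholders.

```python
"""SNTP check with ordered-server fallback (added example, not from the Cisco guide).

Assumptions: NTP on UDP 123; a 300 s drift threshold taken from Kerberos' default
clock-skew tolerance; host names other than time.nist.gov are placeholders.
"""
import socket
import struct
import sys
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800      # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_PACKET = "!BBBb11I"            # LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words
MAX_SKEW_SECONDS = 300.0           # assumption: Kerberos default tolerance, relevant to AD SSO


def ntp_to_unix(seconds, fraction):
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix time."""
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def build_request():
    """48-byte SNTP client request: LI=0, VN=4, Mode=3 (client); all other fields zero."""
    return struct.pack("!B47x", (4 << 3) | 3)


def parse_response(data, t1, t4):
    """Return (offset, delay) in seconds from a server reply.

    t1 and t4 are the client's send and receive times (Unix); the server's
    receive (t2) and transmit (t3) timestamps come from the packet. The offset
    and delay formulas are the standard RFC 5905 ones.
    """
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    f = struct.unpack(NTP_PACKET, data[:48])
    mode, stratum = f[0] & 0x7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if stratum == 0:
        raise ValueError("server unsynchronized or sent kiss-o'-death")
    t2 = ntp_to_unix(f[11], f[12])   # receive timestamp
    t3 = ntp_to_unix(f[13], f[14])   # transmit timestamp
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def query_server(host, timeout=2.0):
    """Send one request to host over UDP and return (offset, delay); raises OSError or ValueError."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
        t4 = time.time()
    return parse_response(data, t1, t4)


def sync_from_servers(servers, query=query_server):
    """Try servers in order and return (host, offset, delay) for the first that answers.

    Mirrors the Time form: a server that times out or sends a bad reply is
    skipped and the next one is tried. `query` is injectable for offline tests.
    """
    failures = {}
    for host in servers:
        try:
            offset, delay = query(host)
        except (OSError, ValueError) as exc:
            failures[host] = str(exc)
            continue
        return host, offset, delay
    raise RuntimeError("no time server reachable: %r" % failures)


def drift_verdict(offset, max_skew=MAX_SKEW_SECONDS):
    """'ok' if the clock is within max_skew of the server, otherwise 'drift'."""
    return "ok" if abs(offset) <= max_skew else "drift"


def build_reply(t2_unix, t3_unix, stratum=2):
    """Construct a synthetic mode-4 reply for offline testing (not from any real server)."""
    def to_ntp(t):
        secs = int(t)
        return secs + NTP_EPOCH_OFFSET, int((t - secs) * 2**32)
    t2s, t2f = to_ntp(t2_unix)
    t3s, t3f = to_ntp(t3_unix)
    return struct.pack(NTP_PACKET, (4 << 3) | 4, stratum, 6, -20,
                       0, 0, 0, 0, 0, 0, 0, t2s, t2f, t3s, t3f)


def scripted_query(script):
    """Return a query function driven by {host: (offset, delay) or Exception}; for offline tests."""
    def query(host):
        result = script[host]
        if isinstance(result, Exception):
            raise result
        return result
    return query


if __name__ == "__main__":
    # Usage: python ntp_check.py time.nist.gov ntp.corp.example
    host, offset, delay = sync_from_servers(sys.argv[1:] or ["time.nist.gov"])
    print("%s: offset %+.3f s, delay %.3f s, %s" % (host, offset, delay, drift_verdict(offset)))
```

Run it against the same server list configured in the Time Servers field; a "drift" verdict on a CAS that is supposedly synchronizing is the first thing to check when CAM/CAS certificate errors or AD SSO failures appear.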

To change the time zone of the server system time:

1. In the Time form of the Misc tab, choose the new time zone from the Time Zone dropdown menu.

2. Click Update Time Zone.

Support Logs and Loglevel Settings

The Support Logs page on the Clean Access Server is intended to facilitate TAC support of customer issues. It lets administrators combine a variety of system logs (such as information on open files, open handles, and installed packages) into one tarball that can be sent to TAC and included in the support case. Administrators should download these support logs when submitting a customer support request.

The Support Logs pages on the CAM web console and CAS direct access web console (Figure 13-11) provide web page controls to configure the level of log detail recorded for troubleshooting purposes in /perfigo/logs. These web controls are intended as alternatives to using the CLI loglevel command and parameters to gather system information when troubleshooting.

For normal operation, the log level should always remain at the default setting (Severe). Change it only temporarily, for a specific troubleshooting window, typically at the request of the customer support/TAC engineer. In most cases the setting is switched from Severe to All for that interval and then reset to Severe after the data is collected. Note that rebooting the CAM/CAS or running the service perfigo restart command also returns the log level to the default (Severe).


Caution Do not leave the log level set at "All" or "Info" indefinitely, as this will cause the log file to grow quickly.

To Download CAS Support Logs:


Note To optimize memory usage, the CAS Support Logs page is only available from the CAS direct access console under "Monitoring." (It is not available from the CAS management pages.)


1. Open the CAS direct access console from a browser using https://<CAS_eth0_IP>/admin as the URL/Address.

2. Go to Monitoring > Support Logs (Figure 13-11).

Figure 13-11 CAS Support Logs

3. Click the Download button to download the cas_logs.<cas-ip-address>.tar.gz file to your local computer.

4. Send this .tar.gz file with your customer support request.


Note To retrieve the compressed support logs file for the Clean Access Manager, go to Administration > CCA Manager > Support Logs. See the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.1(1) for details.


To Change the Loglevel for CAS Logs:

1. Open the CAS direct access console (https://<CAS_eth0_IP>/admin).

2. Go to Monitoring > Support Logs.

3. Choose the CAS log category to change:

CCA Server General Logging: This category contains general logging events for this CAS that are not covered by the other three categories listed below. For example, a user login (which requires the CAS to post a request to the CAM) is logged here.

CAS/CAM Communication Logging: This category contains the majority of relevant logs: CAM/CAS configuration or communication errors specific to this CAS. For example, if the CAM's attempt to publish information to this CAS fails, the event will be logged here.

SWISS Communication Logging: This category contains log events related to SWISS (proprietary communication protocol) packets sent between this CAS and the Clean Access Agent.

Radius Accounting Proxy Server Logging: This category contains RADIUS accounting log events related to Single Sign-On (SSO) for this CAS when integrated with a Cisco VPN Server.

4. Click the loglevel setting for the category of log:

All: This is the most verbose loglevel, with all events and details recorded.

Info: Provides more details than the Severe loglevel. For example, if a user logs in successfully an Info message is logged.

Severe: This is the default level of logging for the system. A log event is written to /perfigo/logs only if the system encounters a severe error, such as:

- CAM cannot connect to CAS

- CAM and CAS cannot communicate


Note To discover the CAS, the Clean Access Agent sends SWISS (proprietary CAS-Agent communication protocol) packets on UDP port 8905 for L2 users and on UDP port 8906 for L3 users. The CAS always listens on UDP ports 8905 and 8906, accepts traffic on port 8905 by default, and drops traffic on port 8906 unless L3 support is enabled. The Agent performs SWISS discovery every 5 seconds.
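The port and cadence facts in the note above, turned into a troubleshooting aid as an added example that is not part of the Cisco guide or the appliance's own code: given UDP datagram records of the kind a capture filtered on ports 8905 and 8906 would yield, it reports per client how many discovery packets the CAS would accept or drop under the current L3 setting, whether the client can discover the CAS at all, and whether its cadence matches the 5-second interval. The records, the 1-second jitter tolerance and the client addresses are constructed assumptions.

```python
"""Summarize Clean Access Agent SWISS discovery traffic (added example, not from the Cisco guide).

Input records are (seconds, client_ip, dst_port) tuples, as a capture filtered on
'udp and (port 8905 or port 8906)' would give; SAMPLE_RECORDS below are constructed.
"""
from collections import defaultdict

SWISS_L2_PORT = 8905            # always accepted by the CAS
SWISS_L3_PORT = 8906            # dropped unless L3 support is enabled
DISCOVERY_INTERVAL = 5.0        # seconds between Agent discovery packets, per the guide
CADENCE_TOLERANCE = 1.0         # assumption: allowed jitter around the 5 s interval

SAMPLE_RECORDS = [
    # constructed: an L2 Agent on a healthy 5 s cadence
    (0.0, "10.1.1.20", 8905), (5.0, "10.1.1.20", 8905), (10.1, "10.1.1.20", 8905),
    # constructed: an L3 Agent behind a router, probing 8906 only
    (0.2, "172.16.5.7", 8906), (5.2, "172.16.5.7", 8906), (10.2, "172.16.5.7", 8906),
    # constructed: a host hitting 8905 far faster than a real Agent would
    (1.0, "10.1.1.30", 8905), (1.6, "10.1.1.30", 8905), (2.1, "10.1.1.30", 8905),
    # constructed: unrelated UDP traffic that must be ignored
    (3.0, "10.1.1.40", 53),
]


def cadence_ok(timestamps, expected=DISCOVERY_INTERVAL, tolerance=CADENCE_TOLERANCE):
    """True when consecutive packets are about `expected` seconds apart (vacuously true for < 2 packets)."""
    ts = sorted(timestamps)
    return all(abs(b - a - expected) <= tolerance for a, b in zip(ts, ts[1:]))


def summarize_discovery(records, l3_enabled):
    """Return {client_ip: summary} of SWISS discovery attempts per client.

    l3_enabled mirrors the CAS setting: with it off, 8906 packets are dropped,
    so a client that only probes 8906 can never discover the CAS.
    """
    per_client = defaultdict(lambda: {SWISS_L2_PORT: [], SWISS_L3_PORT: []})
    for ts, ip, port in records:
        if port in (SWISS_L2_PORT, SWISS_L3_PORT):
            per_client[ip][port].append(ts)
    summary = {}
    for ip, by_port in per_client.items():
        l2, l3 = by_port[SWISS_L2_PORT], by_port[SWISS_L3_PORT]
        dropped = 0 if l3_enabled else len(l3)
        accepted = len(l2) + len(l3) - dropped
        summary[ip] = {
            "l2_packets": len(l2),
            "l3_packets": len(l3),
            "accepted": accepted,
            "dropped": dropped,
            "can_discover": accepted > 0,
            "interval_ok": cadence_ok(l2) and cadence_ok(l3),
        }
    return summary


def report(summary):
    """Render one line per client, flagging clients whose discovery cannot succeed or looks abnormal."""
    lines = []
    for ip, s in sorted(summary.items()):
        flags = []
        if not s["can_discover"]:
            flags.append("ALL DISCOVERY DROPPED (enable L3 support or fix the Agent's path)")
        if not s["interval_ok"]:
            flags.append("ABNORMAL CADENCE (expected ~%gs)" % DISCOVERY_INTERVAL)
        lines.append("%-15s 8905=%d 8906=%d accepted=%d dropped=%d %s"
                     % (ip, s["l2_packets"], s["l3_packets"], s["accepted"], s["dropped"], "; ".join(flags)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize_discovery(SAMPLE_RECORDS, l3_enabled=False))))
```

With L3 support disabled, the 172.16.5.7 client in the sample shows three packets dropped and no way to discover the CAS, which is exactly the symptom of an Agent behind a router on a CAS that has not had L3 support enabled; the 10.1.1.30 client is flagged because three probes in about a second is not Agent behavior.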