 Feedback
|
Table Of Contents
Cisco NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide
Prerequisites and Hardware Requirements
Installing the FIPS Card Field-Replaceable Unit
Installing the FIPS Card in the Cisco NAC-3310
Opening the Chassis and Removing the Riser Card Assembly
Installing the FIPS Card in the Riser Card Assembly
Reinstalling the Riser Card Assembly and Closing the Chassis
Installing the FIPS Card in the Cisco NAC-3350/3390
Opening the Chassis and Removing the Existing Riser Card Assembly
Installing the FIPS Card in the New Riser Card Assembly
Installing the Completed Riser Card Assembly and Closing the Chassis
Bringing the FIPS Card Field-Replaceable Unit Online
Verifying FIPS Card Field-Replaceable Unit Operation
What's Next? Configuring the CAM/CAS for FIPS Compliance
Obtaining Documentation and Submitting a Service Request
Cisco NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide
Part Number: 78-19152-01 Revised: September 23, 2011
This document contains the following sections:
•
Prerequisites and Hardware Requirements
•
•
•
•
•
Prerequisites and Hardware Requirements
You must be running Cisco NAC Appliance Release 4.9 or 4.8 on the CAM(s) and CAS(s) in your deployment to support FIPS 140-2 compliant functions via the field-replaceable FIPS card component. For specific Release information, including FIPS compliance requirements and restrictions, see the Release Notes for Cisco NAC Appliance corresponding to your latest Cisco NAC Appliance release version.
You can install the field-replaceable FIPS card in the following Cisco NAC Appliance platforms:
•
•
•
Once you have installed the FIPS card field-replaceable unit in a Cisco NAC-3310/3350/3390 chassis, it becomes "FIPS-compliant" and to appropriately handle any problems arising with either the chassis or the FIPS card, itself, you must RMA the appliance with Cisco Systems and obtain a replacement Cisco NAC-3310/3350/3390.
Note
For more information on the NAC-3310/3350/3390 as well as other Cisco NAC Appliance platforms, see the Cisco NAC Appliance Hardware Installation Guide corresponding to your latest Cisco NAC Appliance release version.
Installing the FIPS Card Field-Replaceable Unit
WarningBe sure to follow instructions for your particular Cisco NAC Appliance platform:
•
•
Installing the FIPS Card in the Cisco NAC-3310
Before installing the field-replaceable FIPS card in any of the supported Cisco NAC Appliance platforms, be sure to disconnect all interface cables, power down the appliance, and disconnect power from the chassis.
Opening the Chassis and Removing the Riser Card Assembly
Step 1
Step 2
Step 3
Figure 1 Cisco NAC-3310 Chassis and Riser Card Assembly
Step 4
Installing the FIPS Card in the Riser Card Assembly
There is only one way you can install the FIPS card and simultaneously have enough room to fit the card inside the chassis.
Step 1
Figure 2 Cisco NAC-3310 Riser Card Assembly
Step 2
Reinstalling the Riser Card Assembly and Closing the Chassis
Step 1
Step 2
Step 3
Step 4
Step 5
Installing the FIPS Card in the Cisco NAC-3350/3390
Note
Before installing the field-replaceable FIPS card in any of the supported Cisco NAC Appliance platforms, be sure to disconnect all interface cables, power down the appliance, and disconnect power from the chassis.
Opening the Chassis and Removing the Existing Riser Card Assembly
Step 1
Step 2
Step 3
Figure 3 Cisco NAC-3350/3390 Chassis and Riser Card Assembly
Step 4
Installing the FIPS Card in the New Riser Card Assembly
There is only one way you can install the FIPS card and simultaneously have enough room to fit the card inside the chassis.
Step 1
Figure 4 Cisco NAC-3350/3390 Riser Card Assembly
Step 2
Step 3
Installing the Completed Riser Card Assembly and Closing the Chassis
Step 1
Step 2
Step 3
Step 4
Step 5
Bringing the FIPS Card Field-Replaceable Unit Online
Once the FIPS card is installed and you have reconnected interfaces and power to the chassis, access the CAM/CAS console CLI and log in as root , enter the service perfigo config command, and accept the existing values for all configuration settings except the items specific to FIPS configuration.
Step 1
Step 2
Would you like to turn on fips mode? (y/n)? [y]---- Stopping any nCipher servers ----No nCipher init scripts installed.---- Cleaning up any old install ----No nCipher components requiring cleanup found.---- Installing ------ Running install fragment 10nfastugChecking for user 'nfast' in group 'nfast'User 'nfast' or group 'nfast' do not exist. To create the 'nfast' user,in group 'nfast', with home directory /opt/nfast please select one of thefollowing options, based on the current linux distribution:1) Run 'useradd -r nfast' (this should work with Red Hat, SuSE, andFedora-based distributions).2) Run 'adduser --group --system nfast' (this should work with Debianand Ubuntu-based distributions).3) Edit /etc/passwd and /etc/group (this should work with mostdistributions that do not use shadow passwords).4) Exit the script so you can create the user and group manually.Rerun the install script when this is complete.5) Abort the installation process.Please select a number from 1 to 5:-- Running install fragment 15makefilesSetting up directories.Making default config file.-- Running install fragment 45driversUnloading old nCipher PCI nfp driver.Checking for PCI nfp hardware.Found: /dev/nfastpci0Installing startup scripts for 'drivers'.Linking in init scriptsLoading nCipher PCI nfp driver.-- Running install fragment 46exardRemove old nCipher PCI miniHSM devices.Checking for nCipher PCI miniHSM hardware.No nCipher PCI miniHSM devices found.Installing startup scripts for 'exard'.Not linking in init scripts or loading drivers.-- Running install fragment 50hardserverMaking privconn setuid and root.Installing startup scripts for 'hardserver'.Linking in init scriptsStarting nCipher 'hardserver' server process.waiting for nCipher server to become operational ...waiting for nCipher server to become operational ...waiting for nCipher server to become operational ...nCipher server now running-- Running install fragment 60cmdadp---- Installation complete ------ Running shutdown script 50hardserver-- Running shutdown script 46exard-- Running shutdown script 45drivers-- Running startup script 45drivers-- Running startup script 46exard-- Running startup script 50hardserverSecurity world not foundCreating the security world and initializing the smart cardsHow many cards do you want to initialize (1-6)? [1] 1Set ncipher card switch in i mode and press Return to continueStep 3
Module 1, command ClearUnit: OKCreate Security World:Module 1: 0 cards of 1 writtenModule 1 slot 0: unformatted cardModule 1 slot 0:- passphrase specified - writing cardCard writing complete.security world generated on module #1; hknso = 32f3a58da27cd15cd2a7fda08526f1d0ca96ac63Set ncipher card switch in o mode and press Return to continueStep 4
Module 1, command ClearUnit: OKwriting RSA keyCard(s) check passedStep 5
Configuration is complete.Changes require a REBOOT of Clean Access Server.# rebootStep 6
The initial configuration is now complete.
Verifying FIPS Card Field-Replaceable Unit Operation
There are two methods you can use to verify proper installation and FIPS operation on the CAM/CAS:
•
Command Line Interface Method
Verify FIPS functionality on the CAM/CAS as follows:
•
•
•
•
Installed FIPS card is nCipherInfo-FIPS file existsInfo-card is in operational modeInfo-httpd worker is in FIPS modeInfo-sshd upCAM/CAS Web Console Method
To verify FIPS operation on the CAM:
Step 1
Step 2
Installed card in the system: nCipherSystem is running in FIPS modeFigure 5 CAM Monitoring > Summary Page
To verify FIPS operation on the CAS:
Step 1
View the status messages in the CAS Administration > Network Settings > IP page (Figure 6). The page should read:
Installed card in the system: nCipherSystem is running in FIPS modeFigure 6 CAS Administration > Network Settings > IP Page
What's Next? Configuring the CAM/CAS for FIPS Compliance
After you install and enable field-replaceable FIPS cards in your NAC-3310/33/50/3390s, connectivity with external components like RADIUS servers, Wireless LAN Controllers, and VPN Concentrators will likely fail. This field-replaceable unit installation guide does not address configuring and enabling FIPS functionality on your CAMs/CASs to ensure connectivity with such external components. Refer to the following documents for complete information on configuring your CAMs/CASs to operate and maintain connectivity with other external components in a FIPS-compliant environment:
•
•
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
© 2010 Cisco Systems, Inc. All rights reserved.
