Getting Started with Cisco NAC Network Modules in Cisco Access Routers

Table Of Contents

Getting Started with Cisco NAC Network Modules in Cisco Access Routers

Contents

About Cisco NAC Network Module for Integrated Services Routers

Cisco NAC Appliance

Cisco NAC Network Module

Prerequisites for Cisco NAC Network Module

Router

Network Module

Accessing the Cisco NAC Network Module

Restrictions for Cisco NAC Network Module

Cisco NAC Network Module and Clean Access Server Software

System Licenses

Deployment Overview

Cisco NAC Network Module (CAS) Deployment Modes

Interface Description

Example Layer 2 Inband Virtual Gateway Configuration

Network Diagram (L2 IB VGW)

CAS Configuration (L2 IB VGW)

Integrated Services Router Configuration (L2 IB VGW)

EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

Example Layer 2 Out-of-Band Real-IP Gateway Configuration

Network Diagram (L2 OOB RGW)

CAS Configuration (L2 OOB RGW)

Integrated Services Router Configuration (L2 OOB RGW)

EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

Additional References

How to Configure the Cisco NAC Network Module

Hardware Interfaces

Cisco NAC Network Module Configuration Worksheet

Setting Up Network Module Interfaces

Examples

Opening and Closing a Session

Running Clean Access Server Software Configuration Utility

Important Notes for SSL Certificates

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

Shutting Down and Starting Up Cisco NAC Network Module

Verifying System Status

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

CAS Upgrade via CLI

CAS Upgrade via Web Console

Re-Installing Cisco NAC Network Module Software

Re-Imaging the Network Module

Configuring and Administering Cisco NAC Appliance

Technical Assistance

Documentation

Related Documents

Glossary

Obtaining Documentation and Submitting a Service Request

Getting Started with Cisco NAC Network Modules in Cisco Access Routers

---

Revised: November 27, 2012, OL-2609-01

Contents

•About Cisco NAC Network Module for Integrated Services Routers

•Prerequisites for Cisco NAC Network Module

•Cisco NAC Network Module and Clean Access Server Software

•Deployment Overview

•How to Configure the Cisco NAC Network Module

•How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

•Configuring and Administering Cisco NAC Appliance

•Technical Assistance

•Documentation

•Obtaining Documentation and Submitting a Service Request

About Cisco NAC Network Module for Integrated Services Routers

The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2900 and 3900 Series Integrated Services Routers.

Cisco NAC Appliance

Cisco NAC Appliance (also known as Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.

Cisco NAC Appliance is a network-centric integrated solution that is:

•Administered from the web console of the Clean Access Manager (CAM)

•Enforced through the Clean Access Server (CAS)

•Applied on clients through the Clean Access Agent (CAA) client software

You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.

Cisco NAC Network Module

The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2911/2921/2951 and 3925/3945 access routers.

The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The Clean Access Manager is purchased separately as a NAC-3300 series appliance and is the primary point of configuration and management for all Clean Access Servers—whether implemented as a Cisco NAC Network Module in an Integrated Services Router, or as a NAC-3310 or NAC-3350 SERVER appliance. Once initial configuration is complete, the NAC network module is added and managed by the Clean Access Manager like any other Clean Access Server through the CAM web console (GUI) interface.

For further details on the NAC-3300 series server platforms refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide.

Prerequisites for Cisco NAC Network Module

Router

•Plan software upgrades or downgrades for times when you can take all applications that run on the host router out of service or offline.

•Ensure that you have the appropriate Cisco access router to serve as the host router. The Cisco NAC Network Module is supported on the following Cisco access routers:

–Cisco 2811

–Cisco 2821

–Cisco 2851

–Cisco 3825

–Cisco 3845

•In addition to the above routers, Cisco NAC Appliance Releases 4.8 and later support the following Cisco access routers.

–Cisco 2911

–Cisco 2921

–Cisco 2951

–Cisco 3925

–Cisco 3945

---

Note The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. Ensure that you are upgrading it to Cisco NAC Appliance Releases 4.8 or later to support the above Cisco access routers.

---

•Ensure that the host router is running Cisco IOS Release 12.4(11)T or a later release. To learn which release your router is currently running, examine output from the show version command.

---

Note When minimum release requirements are met, you can change images on either the router or the network modules without affecting performance.

---

Network Module

---

Note Cisco NAC Network Module supports Cisco NAC Appliance Release 4.5, but does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Cisco NAC Network Module supports L3 Wireless Out-of-Band (L3 OOB) introduced in Cisco NAC Appliance Release 4.8(2).

---

Warning The Cisco NAC network module must run the same version of the Cisco NAC Appliance software as the Clean Access Manager and any other Clean Access Servers in the deployment. For example, all must run 4.7(x), or a later supported version.

•Release 4.1.2.1 of the Cisco NAC Appliance software is the minimum software release supported on the Cisco NAC Network Module.

Refer to the latest version of the Release Notes for Cisco NAC Appliance for enhancement details for each applicable release.

•To physically install the NAC network module use the Cisco Network Modules Hardware Installation Guide and Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information.

•The Cisco NAC Network Module for Integrated Services Routers ships from the factory with the hardware listed in Table 1 preinstalled. There are no memory options. (See How to Configure the Cisco NAC Network Module for further details.)

Table 1 Network Module Hardware Specifications

Model	Processor	Hard Disk	Memory	CompactFlash
NME-NAC-K9	1 GHz Celeron M	80 GB (SATA)	512 MB DDR	64 MB

•Make a note of the network module's location in the host router:

–slot—Number of the router chassis slot for the module. After you install the module, you can get this information from the router's show running-config command output.

–unit—Number of the daughter card on the module. This value should be 0.

---

Note You need this information for the "Setting Up Network Module Interfaces" section and the "Opening and Closing a Session" section.

---

File Server

•(Optional) Verify that your download FTP or TFTP file server is accessible:

–FTP file server—Use for backups and restores.

–TFTP file server—Use (on the FTP-file-server machine) for boothelper operations to recover from a failed installation.

Accessing the Cisco NAC Network Module

•You can configure software on the network module only from a console that connects to a single serial-port console port on the host router.

---

Note Telnet is not recommended.

---

•You can access the Clean Access Server software running on the network module by accessing one of the following:

–The router's Cisco IOS command-line interface (CLI)

–The CAS management pages of the CAM web console (Device Management > CCA Servers > Manage [CAS_IP] )

–The CAS direct access console (https://<CAS_eth0_IP>/admin/)

–Secure-shell (SSH) connection to the internal interface (CAS eth0 trusted interface) of the NAC network module.

•All Clean Access Servers which are configured have a direct web console interface which can be optionally accessed for certain limited settings, such as HA or SSL certificates, or to download support logs. For the NAC network module, all CAS configuration settings can be accessed via the the CAS management pages of the CAM web console, except for CAS support logs which need to be accessed via the direct CAS web console interface, by typing https://<CAS_eth0_IP>/admin/ into a web browser. Additionally, because the NAC network module does not support HA, there is no "Failover" tab in the direct access web console.

Restrictions for Cisco NAC Network Module

Deployment

•The NAC network module does not support High Availability (HA) mode. HA functionality is disabled on the GUI interface of the NAC network module.

•The NAC network module does not support the Cisco NAC Profiler Collector module for the CAS.

•The NAC network module does not support port-based VLAN mapping when deployed as an Out-of-Band Virtual Gateway. A change in the client IP address is always required when the NAC network module is configured as an L2 OOB Virtual Gateway.

•Cisco NAC Network Module does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Upgrade

•After upgrading from Release 4.6(1) to Release 4.8, there may be a drift in the clock for NAC-NME module. This may result in CAS on the NME module not being connected to CAM after upgrade from 4.6.1, as the certificate dates will fall out of range.

To resolve this, check the system clock after upgrading, set it once and reboot. To set the date again use the following command and reboot.

Syntax:

date -s "dd MMM YYYY hh:mm:ss"

Example:

date -s "15 APR 2010 19:49:00"

You can also synchronize the time using the CAS web console. In the CAS web console, perform the following steps:

---

Step 1 Navigate to Administration > Time Server.

Step 2 Select the Time Zone and enter the appropriate time server in the Time Servers field.

Step 3 Click Synchronize Time.

Step 4 Reboot the system.

---

•The Cisco NAC Appliance architecture is not designed for heterogeneous support—that is, some Clean Access Servers running 4.1(3) software and some running 4.1(2) software. Because the NAC network module is only supported starting from release 4.1(2) and later, to introduce a NAC network module to an existing NAC Appliance deployment (e.g. running 4.1.1), you must upgrade your Clean Access Manager and all your Clean Access Servers concurrently to release 4.1.2.1 or later.

---

Note Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.

---

---

Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. For compatibility with CAM/CAS appliances running 4.1.2.1, you must use the standard product upgrade file to upgrade the Cisco NAC network module to 4.1.2.1. See Configuring and Administering Cisco NAC Appliance for additional information.

---

---

Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

---

---

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

---

Cisco NAC Network Module and Clean Access Server Software

The Clean Access Server is a Linux-based application that resides on the NAC network module that plugs into a host Cisco router running Cisco IOS software.

The network module is a standalone services engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router. The module does not have an external console port. Instead, you launch and configure the module through the router, by means of a configuration session on the module. After the session, you return to the router CLI and clear the session.

This arrangement—host router plus network module (the latter is also sometimes called an appliance or blade or, with installed software, a service or services engine)—provides a router-integrated application platform for accelerating data-intensive applications. Such applications typically involve the following and more:

•Application-oriented networking

•Contact centers and interactive-voice-response applications

•Content caching and delivery

•Data and video storage

•Network analysis

•Voice-mail and auto-attendant applications

Network Admission Control (NAC) enabled by Cisco NAC Appliance is such an application.

This section contains the following information:

•System Licenses

•Deployment Overview

•How to Configure the Cisco NAC Network Module

System Licenses

Cisco NAC Appliance product licensing treats the Cisco NAC Network Module as any other Clean Access Server. In order for a NAC network module to work in your system, you need the following:

•Clean Access Manager appliance (MANAGER) which will manage the NAC network module within the ISR.

•Clean Access Manager license.
The CAM license is based on the eth0 IP address of the CAM and corresponds to the number of Clean Access Servers it supports. There are licenses for: Lite Manager (supports 3 CASs), Standard Manager (supports 20 CASs), and Super Manager (supports 40 CASs) .

•NAC network module license
This is a type of Clean Access Server license. The CAS license is based on the number of concurrent users it supports. The NAC network module can support up to 100 online, concurrent users. Table 2 shows the license types available for the NAC network module. These software licenses can also be used for the ordering of a spare NAC network module.

Table 2 Cisco NAC Network Module Licenses

License/Software SKU	Description
NACNM-50-K9	NAC Network Module Server License—max 50 users
NACNM-100-K9	NAC Network Module Server License—max 100 users
NACNM-50UL=	NAC Network Module Server License—Upgrade only- 50 to 100 users

---

Note All Cisco NAC product licenses are added to the Clean Access Manager in your system. You add the CAM license the first time you access the CAM web console, then use the Administration > Licensing pages of the CAM web console to add the NAC network module or CAS licenses thereafter.

---

For complete details on licensing, refer to Cisco NAC Appliance Service Contract / Licensing Support .

Deployment Overview

This section provides a overview of Cisco NAC Network Module deployment with some configuration examples. If you already know how you want to deploy your NAC network module, continue to How to Configure the Cisco NAC Network Module for detailed initial configuration steps.

It contains the following:

•Cisco NAC Network Module (CAS) Deployment Modes

•Interface Description

•Example Layer 2 Inband Virtual Gateway Configuration

•Example Layer 2 Out-of-Band Real-IP Gateway Configuration

Cisco NAC Network Module (CAS) Deployment Modes

Table 3 shows the Clean Access Server deployment modes supported by the Cisco NAC Network Module.

Table 3 CAS Deployment Modes Supported by Cisco NAC Network Module

Deployment Mode	Options 1
Physical deployment	Edge deployment only
CAS traffic passing	•Virtual Gateway (bridged mode) •Real IP Gateway (routed mode)
Client access	•Layer 2—client is adjacent to NAC network module (CAS) •Layer 3—client is multiple hops away from NAC network module (CAS)
Traffic flow	•In-band—CAS is always inline with traffic •Out-of-Band—CAS is inline with traffic only during posture assessment/remediation

1 The Cisco NAC Network Module does not support Wireless Out-of-Band deployment (Release 4.5 and later). Wireless OOB only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

From a physical deployment perspective, all NAC network modules are Edge Deployments. This means each port (eth0 and eth1) of the NAC network module (CAS) is connected to a different device.

The eth1 (untrusted) interface of the NAC network module can be connected to an external switch or to an EtherSwitch Service Module (NME-ESW) for 3800 series integrated services routers supporting multiple slots (e.g. 3845).

Interface Description

Table 4 describes the interface terminology used in the example deployments shown in Figure 1 and Figure 2.

The example scenarios illustrate the NAC network module (NME-NAC) in a 3800 Series Integrated Services Router (ISR) when an EtherSwitch Service Module (NME-ESW) is used instead of an external switch.

In both examples, the eth1(untrusted) interface of the NAC network module (Clean Access Server) is connected via external link to the EtherSwitch module (instead of internal Gigabit Serdes (GigSerdes) connection)

Table 4 Cisco NAC Network Module Interface Description  

Interface	Description
Integrated Service Engine 1/0 (int-svr-eng 1/0)	Internal port connecting the integrated services router to the eth0 Trusted port of the CAS (NAC module). It is treated like any other Layer 3 port.
ESW internal port (Gig1/0/2)	Internal link connecting the integrated services router to the Gig 1/0/2 interface of an EtherSwitch (ESW) module. Treated like any other Layer 3 port. Depending on the ISR slot, displays as Gig2/0 or Gig3/0 on the router.
Gigabit Serdes (GigSerdes)	(Optional) Internal port that can be configured to connect the eth1 Untrusted port of the CAS (NAC module) with an EtherSwitch (ESW) Gig 1/0/2 port, via CLI command: connect 1 module Integrated-Service-Engine 1/0 0 module GigabitEthernet2/0 0 Where: •Integrated-Service-Engine 1/0 0 is the CAS eth1 Untrusted port •GigabitEthernet2/0 0 is the Gig 1/0/2 port of the EtherSwitch •The configuration applied to the Gig 1/0/2 port of the EtherSwitch applies to the GigSerdes port. Note If Gigabit Serdes is used, the external ports should not be connected.

Example Layer 2 Inband Virtual Gateway Configuration

This section describes the following:

•Network Diagram (L2 IB VGW)

•CAS Configuration (L2 IB VGW)

•Integrated Services Router Configuration (L2 IB VGW)

•EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

Network Diagram (L2 IB VGW)

Figure 1 shows the Cisco NAC Network Module deployed as a CAS in Layer 2 inband Virtual Gateway mode.

Figure 1 NME-NAC (CAS) Layer 2 Inband Virtual Gateway Deployment with NME-ESW

Key Points

•No VLAN mapping is required for Edge Deployment

•Int int-svr-eng 1/0 of the ISR is the Default Gateway for all users

•Int int-svr-eng 1/0 of the ISR is configured as a Layer 2 trunk with subinterfaces to/from each data VLAN

•Link between the switch (NME-ESW) and CAS (NME-NAC) via external link or internal GigSerdes link (on 3800) carries data VLANs 51,52

•No VLAN 51, 52 traffic on internal GE link between NME-ESW and ISR

•IP Phone traffic on VLAN 15 sent directly to int Gig2/0 of the ISR

CAS Configuration (L2 IB VGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Inband Virtual Gateway.

•CAS IP Form (L2 IB VGW)

•CAS Managed Subnet Form (L2 IB VGW)

•CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

CAS IP Form (L2 IB VGW)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

•Clean Access Server Type: Virtual Gateway

•Both Trusted (eth0) and Untrusted (eth1) Interface IP Addresses are the same: 10.10.55.2

•Both Trusted and Untrusted Interface Default Gateway is the same: 10.10.55.1

•Trusted Interface (eth0) Management VLAN ID needs to be set (55).

---

Note For Virtual Gateway, the Management VLAN for the CAS must be different from the CAM. Management VLANs must be set for the CAM and CAS, solely to manage the CAS from the CAM.

---

CAS Managed Subnet Form (L2 IB VGW)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

•A managed subnet is added for each user VLAN (51, 52) and verified in the list at the bottom of the page.

•Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

•For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

•You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

•For Virtual Gateways, the managed subnet form essentially assigns an IP address to the CAS that is otherwise unused on the subnet. The CAS is not the gateway, but owns that address for the specified VLAN/subnet in order to send ARP queries.

CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > VLAN Mapping

•On a Cisco NAC Network Module, the CAS is always an edge deployment. Therefore no VLAN Mapping is required because the eth0 and eth1 interfaces of the CAS are connected to different devices.

---

Caution The " Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that " Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets from passing through in either direction.

---

•When a CAS operates in Virtual Gateway mode, it passes network traffic from its eth0 interface to eth1 and from eth1 to eth0 without changing the VLAN tag. VLAN Mapping is necessary only for In-band Virtual Gateways when both interfaces of the CAS are connected to the same Layer 2 switch. It allows putting incoming traffic to the CAS on a different VLAN from the outgoing traffic of the CAS. This is not needed for the NAC network module.

Integrated Services Router Configuration (L2 IB VGW)

ISR Configuration—Layer 2 Inband Virtual Gateway

ISR# sh run Building configuration... ! ip dhcp excluded-address 10.10.15.1 ip dhcp excluded-address 10.10.51.1 ip dhcp excluded-address 10.10.52.1 ip dhcp excluded-address 10.10.53.1 ip dhcp excluded-address 10.10.51.254 ip dhcp excluded-address 10.10.52.254 ip dhcp excluded-address 10.10.53.254 ! ip dhcp pool vlan51 network 10.10.51.0 255.255.255.0 default-router 10.10.51.1 ! ip dhcp pool vlan52 network 10.10.52.0 255.255.255.0 default-router 10.10.52.1 ! ip dhcp pool vlan53 network 10.10.53.0 255.255.255.0 default-router 10.10.53.1 ! ip dhcp pool vlan15 network 10.10.15.0 255.255.255.0 default-router 10.10.15.1

interface Integrated-Service-Engine1/0 description "Internal link between ISR & CAS" ip address 10.10.50.1 255.255.255.0 no keepalive ! interface Integrated-Service-Engine1/0.51 encapsulation dot1Q 51 ip address 10.10.51.1 255.255.255.0 ! interface Integrated-Service-Engine1/0.52 encapsulation dot1Q 52 ip address 10.10.52.1 255.255.255.0 ! interface Integrated-Service-Engine1/0.53 encapsulation dot1Q 53 ip address 10.10.53.1 255.255.255.0 ! interface Integrated-Service-Engine1/0.55 encapsulation dot1Q 55 ip address 10.10.55.1 255.255.255.0 ! interface GigabitEthernet2/0 description "Internal link between ISR & NME-ESW switch" ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet2/0.15 encapsulation dot1Q 15 ip address 10.10.15.1 255.255.255.0 ! interface GigabitEthernet2/0.16 encapsulation dot1Q 16 ip address 10.10.16.1 255.255.255.0 ! end

EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

EtherSwitch (NME-ESW) Configuration—Layer 2 Inband Virtual Gateway

NME-Switch# sh run ! vlan 15,16,51-53 ! interface FastEthernet1/0/1 switchport access vlan 51 switchport mode access spanning-tree portfast ! interface FastEthernet1/0/2 switchport access vlan 52 switchport mode access spanning-tree portfast ! interface FastEthernet1/0/3 switchport access vlan 53 switchport mode access spanning-tree portfast ! interface FastEthernet1/0/16 description EXTERNAL LINK Between NME-ESW switch and CAS switchport trunk encapsulation dot1q switchport trunk allowed vlan 51-53 switchport mode trunk !

interface GigabitEthernet1/0/2 description INTERNAL LINK Between NME-ESW switch and ISR switchport trunk encapsulation dot1q switchport trunk allowed vlan 15,16 switchport mode trunk ! interface Vlan16 ip address 10.10.16.2 255.255.255.0 ! ip classless ip route 0.0.0.0 0.0.0.0 10.10.16.1 ip http server ! end

Example Layer 2 Out-of-Band Real-IP Gateway Configuration

This section describes the following:

•Network Diagram (L2 OOB RGW)

•CAS Configuration (L2 OOB RGW)

•Integrated Services Router Configuration (L2 OOB RGW)

•EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

Network Diagram (L2 OOB RGW)

Figure 2 shows the NAC module deployed as a CAS in Layer 2 out-of-band Real-IP Gateway mode.

Figure 2 NME-NAC (CAS) Layer 2 Out-of-Band Real-IP Gateway Deployment with NME-ESW

Key Points

•Link between NME-ESW switch and CAS via external link or GigSerdes (on 3800) carries Auth VLAN 53

•No VLAN 53 traffic on internal GE link between NME-ESW and ISR

•User Access VLAN and phone VLAN is sent via internal link to Gig2/0 interface of ISR.

CAS Configuration (L2 OOB RGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Out-of-Band Real-IP Gateway.

•CAS IP Form (L2 OOB RGW)

•CAS Managed Subnet Form (L2 OOB RGW)

•CAS DHCP Form (L2 OOB RGW)

•CAM - Switch Profile (L2 OOB RGW)

•CAM - Port Profile (L2 OOB RGW)

•CAM - SNMP Receiver (L2 OOB RGW)

•CAM - Ports Management (L2 OOB RGW)

CAS IP Form (L2 OOB RGW)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

•Clean Access Server Type: Real-IP Gateway

•Trusted (10.10.55.2) and Untrusted (10.10.51.1) Interface IP Addresses are different

•Trusted Interface Default Gateway (10.10.55.1) and Untrusted Interface Default Gateway (10.10.51.1) are different.

•Trusted Interface Management VLAN ID (55) and Untrusted Interface Management VLAN ID (51) are different.

---

Note Management VLANs must be set for the CAM and CAS to manage the CAS from the CAM.

---

CAS Managed Subnet Form (L2 OOB RGW)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

•A managed subnet is added for the Authentication VLAN (53) and verified in the list at the bottom of the page.

•Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

•For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

•You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

•For a Real-IP Gateway, the CAS will own the gateway IP address of the managed subnet.

CAS DHCP Form (L2 OOB RGW)

•CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > DHCP

•CAS is configured as a DHCP Relay.

CAM - Switch Profile (L2 OOB RGW)

•CAM web console: Switch Management > Profiles >Switch > New/Edit

•A Switch profile is created for the NME-ESW. Supported NME EtherSwitch service modules are added as 3750 Switch Models. Refer to Switch Support for Cisco NAC Appliance for details.

CAM - Port Profile (L2 OOB RGW)

•CAM web console: Switch Management > Profiles > Port > New/Edit

•A Port profile is created for the NME-ESW to map Authentication VLAN 53 to Access VLAN 11.

CAM - SNMP Receiver (L2 OOB RGW)

•CAM web console: Switch Management > Profiles > SNMP Receiver

•A Community String (public) is configured for the CAM SNMP Receiver.

CAM - Ports Management (L2 OOB RGW)

•CAM web console: Switch Management > Devices > Switches > (Manage) Ports [Switch_IP]

•The Profile (ISR_NME_switch) is applied to the switch port, and settings are updated on the switch.

Integrated Services Router Configuration (L2 OOB RGW)

ISR Configuration—Layer 2 Out-of-Band Real-IP Gateway

ISR# sh run Building configuration... ! ip dhcp excluded-address 10.10.53.1 ip dhcp excluded-address 10.10.53.254 ip dhcp excluded-address 10.10.11.1 ip dhcp excluded-address 10.10.12.1 ip dhcp excluded-address 10.10.15.1 ! ip dhcp pool vlan53 network 10.10.53.0 255.255.255.0 default-router 10.10.53.1 ! ip dhcp pool vlan11 network 10.10.11.0 255.255.255.0 default-router 10.10.11.1 ! ip dhcp pool vlan12 network 10.10.12.0 255.255.255.0 default-router 10.10.12.1 ! ip dhcp pool vlan15 network 10.10.15.0 255.255.255.0 default-router 10.10.15.1 ! interface Integrated-Service-Engine1/0 description "Internal link between ISR and CAS" ip address 10.10.50.1 255.255.255.0 no keepalive ! interface Integrated-Service-Engine1/0.55 encapsulation dot1Q 55 ip address 10.10.55.1 255.255.255.0 !

interface GigabitEthernet2/0 description "Internal link between ISR & NME-ESW switch" ip address 10.10.10.1 255.255.255.0 ! interface GigabitEthernet2/0.11 encapsulation dot1Q 11 ip address 10.10.11.1 255.255.255.0 ! interface GigabitEthernet2/0.12 encapsulation dot1Q 12 ip address 10.10.12.1 255.255.255.0 ! interface GigabitEthernet2/0.15 encapsulation dot1Q 15 ip address 10.10.15.1 255.255.255.0 ! interface GigabitEthernet2/0.16 encapsulation dot1Q 16 ip address 10.10.16.1 255.255.255.0 ! end

EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

EtherSwitch (NME-ESW) Configuration—Layer 2 Out-of-Band Real-IP Gateway

NME-Switch# sh run ! vlan 11,12,15,16,53 ! interface FastEthernet1/0/1 switchport access vlan 12 switchport mode access spanning-tree portfast interface FastEthernet1/0/16 description EXTERNAL LINK Between NME switch and CAS switchport trunk encapsulation dot1q switchport trunk allowed vlan 53 switchport mode trunk ! interface GigabitEthernet1/0/2 description INTERNAL LINK Between NME switch and ISR switchport trunk encapsulation dot1q switchport trunk allowed vlan 11,12,15,16 switchport mode trunk ! interface Vlan16 ip address 10.10.16.2 255.255.255.0 ! ip route 0.0.0.0 0.0.0.0 10.10.16.1 !

snmp-server community public RO snmp-server community private RW snmp-server trap-source Vlan16 snmp-server enable traps snmp linkdown linkup snmp-server enable traps mac-notification snmp-server host 10.10.100.2 public mac-notification ! end

Additional References

For more information on Gigabit Serdes/HIMI, refer to:

•Cisco High-Speed Intrachassis Module Interconnect (HIMI) Configuration Guide

For more information on EtherSwitch Service Modules, refer to:

•Interface Cards and Modules (LAN section)

•EtherSwitch Service Module (ES) Configuration Example

For more information on Clean Access Server configuration, refer to the applicable:

•Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

•Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

For OOB support information, see:

•Switch Support for Cisco NAC Appliance

How to Configure the Cisco NAC Network Module

This section contains the following information:

•Hardware Interfaces

•Cisco NAC Network Module Configuration Worksheet

•Setting Up Network Module Interfaces

•Opening and Closing a Session

•Running Clean Access Server Software Configuration Utility

---

Note If you lose power or connection during any of the following procedures, the system usually detects the interruption and tries to recover. If it fails to do so, fully reinstall the system using the boothelper, as described in Re-Installing Cisco NAC Network Module Software.

---

Initial configuration of the network module is done via CLI (router console). Thereafter, the Cisco NAC Network Module is a Clean Access Server that is managed via Clean Access Manager (CAM) web console. The CAS on the NAC network module can be accessed by: router console, CAM/CAS web console, and SSH.

This document presents router console configuration instructions.

For CAM/CAS web console (GUI) configuration instructions, refer to the following guides. Refer to the document version corresponding to the release you are running on your machines:

•Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

•Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Hardware Interfaces

The host router and network module use several interfaces for internal and external communication (see Figure 3). Each interface is configurable—for the router by using the Cisco IOS CLI and for the module by using the module firmware's CLI, GUI, or SSH.

Figure 3 Router and Network Module Interfaces

	On This Hardware Interface...	Configure These Settings...	Using This Configuration Interface
1	Router interface to external link (GigabitEthernet slot/0) Note For ISR 2811 only, this is Fast Ethernet slot/0	Standard router settings	Router's Cisco IOS CLI
2	Router interface to module (integrated-service-engine slot/0)	Module's IP address and default gateway router
3	eth0 (trusted) interface of the Clean Access Server Module interface to router (GigabitEthernet 0/1)	NAC network module settings	NAC network module's CLI, GUI, or SSH interface
4	eth1 (untrusted) interface of the Clean Access Server Module interface to external link (GigabitEthernet 0/0)	Untrusted interface (client-side network) settings

Cisco NAC Network Module Configuration Worksheet

You will need to collect the information in Table 5, first to configure the Cisco NAC Network Module within the Integrated Services Router (ISR), then to configure the Clean Access Server software that will run on the NAC network module.

Table 5 CAS Configuration Utility Worksheet

ISR Configuration Value	Address or Value	NAC Clean Access Server Configuration Value
service-module ip address
module-side-ip-address		a. IP address for eth0 interface (trusted)
subnet-mask		b. Subnet mask (IP netmask) for eth0 interface
service-module ip default-gateway
gateway-ip-address		c. Default gateway IP address for eth0 interface. Note This is the same IP as the router-side interface to the module. Note For Virtual Gateway, eth0 and eth1 have the same default gateway.
service-module external ip address
external-ip-address		d. IP address for eth1 interface (untrusted)
subnet-mask		e. Subnet mask (IP netmask) for eth1 interface
n/a		f. Default gateway IP address for eth1 interface: Note For Virtual Gateway, eth0 and eth1 have the same default gateway.
n/a		g. Host name for your CAS
n/a		h. IP address of Domain Name Server on your network
n/a		i. Shared secret Note Must be the same for the CAM and all CAS(s)
n/a		j. Date, time and timezone
n/a		k. To generate the required temporary SSL certificate (you can change this at a later time): - FQDN or eth0 IP address of CAS: - Organization unit (e.g. Sales) - Organization name (e.g. Cisco) - Organization location (e.g. San Jose, CA, US) Note If using FQDN, make sure your DNS server is set up for the domain name.
n/a		l. Root user password
n/a		m. Web console password

Setting Up Network Module Interfaces

Your first configuration task is to set up network module interfaces to the host router and to its external links, which enables you to access the module to install and configure NAC.

---

Note The first few steps open the host-router CLI and access the router's interface to the module. The subsequent steps configure the interface.

---

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. configure terminal

3. interface integrated-service-engine slot/0

4. ip address router-side-ip-address subnet-mask

or

ip unnumbered type number

5. service-module ip address module-side-ip-address subnet-mask

6. service-module external ip address external-ip-address subnet-mask

7. service-module ip default-gateway gateway-ip-address

8. end

9. copy running-config startup-config

10. show running-config

DETAILED STEPS

	Command or Action	Purpose
	From the Host-Router CLI
Step 1	enable Example: Router> enable	Enters privileged EXEC mode on the host router. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode on the host router.
Step 3	interface integrated-service-engine slot/0 Example: ISR 2811 (one-slot only): Router(config)# interface integrated-service-engine 1/0 Example: ISR 3845 (multiple-slot): Router(config)# interface integrated-service-engine 3/0	Enters interface configuration mode for the slot and port where the network module resides.
Step 4	ip address router-side-ip-address subnet-mask or ip unnumbered type number Example: Router(config-if)# ip address 10.30.30.10 255.255.255.0 or Router(config-if)# ip unnumbered ethernet 0	Specifies the router interface to the module (#2 in Figure 3). Arguments are as follows: •router-side-ip-address subnet-mask—IP address and subnet mask for the interface. •type number—Type and number of another serial interface on which the router has an assigned IP address. It cannot be another unnumbered interface. Serial interfaces using High Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, Serial Line Internet Protocol (SLIP), and tunnel interfaces can be unnumbered.
Step 5	service-module ip address module-side-ip-address subnet-mask Example: Router(config-if)# service-module ip address 10.30.30.9 255.255.255.0	Specifies the IP address for the module interface to the router (#3 in Figure 3). Note This is the trusted (eth0) interface of the Clean Access Server. Arguments are as follows: •module-side-ip-address—IP address for the interface •subnet-mask—Subnet mask to append to the IP address; must be in the same subnet as the host router
Step 6	service-module external ip address external-ip-address subnet-mask Example: Router(config-if)# service-module external ip address 172.0.0.30 255.255.255.0	Specifies the IP address for the external LAN interface on the module (#4 in Figure 3). Note This is the untrusted (eth1) interface of the Clean Access Server. Arguments are as follows: •external-ip-address—IP address for the interface •subnet-mask—Subnet mask to append to the IP address
Step 7	service-module ip default-gateway gateway-ip-address Example: Router(config-if)# service-module ip default-gateway 10.30.30.10	Specifies the IP address for the default gateway router for the module. The argument is as follows: •gateway-ip-address—IP address for the gateway router
Step 8	end Example: Router(config-if)# exit	Returns to global configuration mode on the host router.
Step 9	copy running-config startup-config Example: Router# copy running-config startup-config	Saves the router's new running configuration.
Step 10	show running-config Example: Router# show running-config	Displays the router's running configuration, so that you can verify address configurations.

Examples

The following partial output from the show running-config command shows how the interfaces are configured.

NME-NAC-3845#sh run interface integrated-service-engine 3/0

Building configuration...

Current configuration : 197 bytes

!

interface integrated-service-engine3/0

 ip address 10.30.30.10 255.255.255.0

 service-module ip address 10.30.30.9 255.255.255.0

 service-module ip default-gateway 10.30.30.10

 no keepalive

end

Opening and Closing a Session

You can now open and close a session on the network module.

---

Note•You can conduct only one session at a time.

•The first few steps open the host-router CLI and access the module. The subsequent steps configure the module. The last steps return you to the host-router CLI.

---

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the configuration detailed in Running Clean Access Server Software Configuration Utility.

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

	Command or Action	Purpose
	From the Host-Router CLI
Step 1	enable Example: Router> enable	Enters privileged EXEC mode on the host router. Enter your password if prompted.
Step 2	service-module integrated-service-engine slot/0 status Example: Router# service-module integrated-service-engine 2/0 status	Displays the status of the specified module, so that you can ensure that the module is running (that is, in steady state). Note If the module is not running, start it with one of the startup commands listed in the "Shutting Down and Starting Up Cisco NAC Network Module" section.
Step 3	service-module integrated-service-engine slot/0 session Example: Router# service-module integrated-service-engine 1/0 session Trying 10.10.10.1, 2065 ... Open	Begins a session on the specified module. Do one of the following: •To interrupt the auto-boot sequence and access the bootloader, quickly type ***. This should only be done if the machine cannot boot. In this case, refer to Re-Installing Cisco NAC Network Module Software for detailed steps. •To start a configuration session, press Enter.
	From the Service-Module Interface
Step 4	Fedora Core release 4 (Stentz) Kernel 2.6.11-perfigo on an i686 NME-NAC login: root	See Running Clean Access Server Software Configuration Utility for instructions on how to perform the initial configuration of the Clean Access Server software on the NAC network module.
Step 5	Press Control-Shift-6 x.	Closes the service-module session and returns to the router CLI. Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
	From the Host-Router CLI
Step 6	service-module integrated-service-engine slot/0 session clear Example: Router# service-module service-engine 1/0 session clear	Clears the service-module session for the specified module. When prompted to confirm this command, press Enter.

Running Clean Access Server Software Configuration Utility

The first time the NAC network module session is initiated, the Clean Access Server quick configuration utility prompts appears. This section details the CAS Configuration Utility steps.

DETAILED STEPS

	Command or Action	Purpose
	From the Service-Module Interface
Step 1	root Example: Fedora Core release 4 (Stentz) Kernel 2.6.11-perfigo on an i686 NME-NAC login: root Welcome to the Cisco Clean Access Server quick configuration utility. Note that you need to be root to execute this utility. The utility will now ask you a series of configuration questions. Please answer them carefully. Cisco Clean Access Server, (C) 2008 Cisco Systems, Inc. Please use ^H to delete Configuring the network interfaces:	From the network module prompt, log into the Clean Access Server Configuration Utility as the root user. The first time you login, there is no password prompt. Note After the module is initially configured, you can bring up this Configuration Utility again by: –Starting a configuration session on the module and entering the NAC Appliance CLI command, service perfigo config. –Using SSH to connect to the module (CAS eth0 IP address) and entering service perfigo config
Step 2	module-side-ip-address Example: Please enter the IP address for the interface eth0 [10.201.2.30]: 10.201.217.203 You entered 10.201.217.203 Is this correct? (y/n)? [y]	At the first prompt, type an IP address for the eth0 (trusted) interface of the CAS (from field a of the CAS Worksheet) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry. Note The eth0 IP address of the CAS is the same as the Management IP address.
Step 3	module-side-ip-address subnet-mask Example: Please enter the netmask for the interface eth0 [255.255.255.0]: You entered 255.255.255.0, is this correct? (y/n)? [y]	Type the subnet mask for the interface address (from field b) at the prompt or press Enter for the default (255.255.255.0). Confirm the value when prompted.
Step 4	service-module ip default-gateway Example: Please enter the IP address for the default gateway [10.201.217.1]: 10.201.217.202 You entered 10.201.217.202 Is this correct? (y/n)? [y]	Accept the default gateway address or type a default gateway (from field c) for the eth0 address of the CAS and press Enter. Confirm the default gateway at the prompt.
Step 5	y-or-n Example: [Vlan Id Passthrough] for packets from eth0 to eth1 is disabled. Would you like to enable it? (y/n)? [n]	At the VLAN ID Passthrough prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled as the default behavior of the CAS. By default, VLAN IDs are stripped from traffic passing through the interface to the CAS. Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network. Note In most cases, VLAN passthrough is not needed.
Step 6	y-or-n Example: [Management Vlan Tagging] for egress packets of eth0 is disabled. Would you like to enable it? (y/n)? [n]	At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type Y and press Enter to enable Management VLAN tagging with the specified VLAN ID for the eth0 interface. Note Management VLAN tagging is necessary when the trusted side of the CAS is a trunk, such as in Virtual Gateway deployments. In this case, you will need to enable Management VLAN tagging and specify the VLAN ID to which the trusted interface of the CAS belongs. Note CAS eth0 interface settings are required for basic connection to the CAM. CAS eth1 interface settings can be reconfigured later from the CAM web console.
Step 7	external-ip-address Example: Please enter the IP address for the untrusted interface eth1 [192.168.110.1]: 10.201.243.49 You entered 10.201.243.49 Is this correct? (y/n)? [y]	Type an IP address for the eth1 (untrusted) interface of the CAS (from field d) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry. Note For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See the CAS guide for further details.
Step 8	external-ip-address-subnet-mask Example: Please enter the netmask for the interface eth1 [255.255.255.0]: 255.255.255.240 You entered 255.255.255.240, is this correct? (y/n)? [y]	Type the subnet mask of the eth1 interface (from field e) or press Enter to accept the default of 255.255.255.0. Confirm the value at when prompted.
Step 9	external-ip-address-default-gateway Example: Please enter the IP address for the default gateway [10.201.243.1]: 10.201.243.49 You entered 10.201.243.49 Is this correct? (y/n)? [y]	Enter the default gateway address for the eth1 untrusted interface (from field f): a. If the CAS will be a Real-IP Gateway, this is the IP address of the CAS's untrusted interface eth1. b. If the CAS will be a Virtual Gateway, this can be the same default gateway address used for the trusted interface.
Step 10	y-or-n Example: [Vlan Id Passthrough] for packets from eth1 to eth0 is disabled. Would you like to enable it? (y/n)? [n]	At the next prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled for the eth1 interface.
Step 11	y-or-n Example: [Management Vlan Tagging] for egress packets of eth1 is disabled. Would you like to enable it? (y/n)? [n]	At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default) for the eth1 interface.
Step 12	clean-access-server-host-name Example: Please enter the hostname [caserver]: cas-10 You entered cas-10 Is this correct? (y/n)? [y]	Type and confirm the host name for the Clean Access Server (from field g).
Step 13	dns-server-ip-address Example: Please enter the IP address for the name server: [171.68.226.120]: You entered 171.68.226.120 Is this correct? (y/n)? [y]	Type the IP address of the DNS server in your environment (from field h) or accept the default at the following prompt:
Step 14	nac-shared-secret Example: The shared secret used between Clean Access Manager and Clean Access Server is the default string: cisco123 This is highly insecure. It is recommended that you choose a string that is unique to your installation. Please remember to configure all Clean Access Devices with the same string. Only the first 8 characters supplied will be used. Please enter the shared secret between Clean Access Server and Clean Access Manager: cisco1234 You entered: cisco1234 Is this correct? (y/n)? [y]	Type and confirm the shared secret for the CAM and CAS (from field i) at the prompts. Caution The shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the deployment. If they have different shared secrets, they cannot communicate.
Step 15	region-number Example: >>> Configuring date and time: The timezone is currently not set on this system. Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. 1) Africa 2) Americas 3) Antarctica 4) Arctic Ocean 5) Asia 6) Atlantic Ocean 7) Australia 8) Europe 9) Indian Ocean 10) Pacific Ocean 11) none - I want to specify the time zone using the Posix TZ format. #? 2	Specify time settings for the Clean Access Server (from field j) as follows: Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.
Step 16	country-number Example: Please select a country. 1) Anguilla 18) Ecuador 35) Paraguay 2) Antigua & Barbuda 19) El Salvador 36) Peru 3) Argentina 20) French Guiana 37) Puerto Rico 4) Aruba 21) Greenland 38) St Kitts & Nevis 5) Bahamas 22) Grenada 39) St Lucia 6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon 7) Belize 24) Guatemala 41) St Vincent 8) Bolivia 25) Guyana 42) Suriname 9) Brazil 26) Haiti 43) Trinidad & Tobago 10) Canada 27) Honduras 44) Turks & Caicos Is 11) Cayman Islands 28) Jamaica 45) United States 12) Chile 29) Martinique 46) Uruguay 13) Colombia 30) Mexico 47) Venezuela 14) Costa Rica 31) Montserrat 48) Virgin Islands (UK) 15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US) 16) Dominica 33) Nicaragua 17) Dominican Republic 34) Panama #? 45	The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 45 for the United States, and press Enter.
Step 17	timezone-number Example: Please select one of the following time zone regions. 1) Eastern Time 2) Eastern Time - Michigan - most locations 3) Eastern Time - Kentucky - Louisville area 4) Eastern Time - Kentucky - Wayne County 5) Eastern Time - Indiana - most locations 6) Eastern Time - Indiana - Crawford County 7) Eastern Time - Indiana - Starke County 8) Eastern Time - Indiana - Switzerland County 9) Central Time 10) Central Time - Indiana - Daviess, Dubois, Knox, Martin, Perry & Pulaski Counties 11) Central Time - Indiana - Pike County 12) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties 13) Central Time - North Dakota - Oliver County 14) Central Time - North Dakota - Morton County (except Mandan area) 15) Mountain Time 16) Mountain Time - south Idaho & east Oregon 17) Mountain Time - Navajo 18) Mountain Standard Time - Arizona 19) Pacific Time 20) Alaska Time 21) Alaska Time - Alaska panhandle 22) Alaska Time - Alaska panhandle neck 23) Alaska Time - west Alaska 24) Aleutian Islands 25) Hawaii #? 19	If the country contains more than one time zone, the time zones for the country appears. Choose the appropriate time zone region from the list, such as 19 for Pacific Time, and press Enter.
Step 18	confirmation-number Example: The following information has been given: United States Pacific Time Is the above information OK? 1) Yes 2) No #? 1 Updating timezone information...	Confirm your choices by entering 1, or use 2 to cancel and start over.
Step 19	y-or-n or hh:mm:ss mm/dd/yy Example: Current date and time hh:mm:ss mm/dd/yy [11:23:33 08/22/08]: 11:26:33 08/22/08 You entered 11:26:33 08/22/08 Is this correct? (y/n)? [y]	Type and confirm the current date and time, using format hh:mm:ss mm/dd/yy. Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS's SSL certificate.
Step 20	<certificate fields> Example: You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console. Please answer the following questions correctly. Information for a new SSL certificate: Enter fully qualified domain name or IP: 10.201.217.203 Enter organization unit name: Test Enter organization name: Cisco Systems Enter city name: San Jose Enter state code: California Enter 2 letter country code: US	Follow the prompts to configure the temporary SSL security certificate that secures the login exchange between the Clean Access Server and untrusted (managed) clients (using field k): a. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, Perfigo). b. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter. c. Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter. d. Type the two-character state code in which the organization is located (for example, California or NY), and press Enter. •Type the two-letter country code (for example, US),
Step 21	y-or-n Example: You entered the following: Domain: 10.201.217.203 Organization unit: Test Organization name: Cisco Systems City name: San Jose State code: California Country code: US Is this correct? (y/n)? [y] Generating SSL Certificate... CA signing: /root/.tomcat.csr -> /root/.tomcat.crt: CA verifying: /root/.tomcat.crt <-> CA cert /root/.tomcat.crt: OK Done	Confirm values and press Enter to generate the SSL certificate, or type n to restart:
Step 22	y-or-n Example: Enable Prelogin Banner Support? (y/n)? [n]	Confirm whether to enable the Pre-login Banner for admin users before they log into the CAS (Release 4.5 and later). Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS. See the installation chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 for details.
Step 23	root-user-password Example: For security reasons, it is highly recommended that you change the password for the root user. ** Please enter a valid password for root user as per the requirements below! ** Changing password for user root. You can now choose the new password. A valid password should be a mix of upper and lower case letters, digits, and other characters. Minimum of 8 characters and maximum of 16 characters with characters from all of these classes. Minimum of 2 characters from each of the four character classes is mandatory. An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used. Enter new password: Re-type new password: passwd: all authentication tokens updated successfully.	Type the root user password for the installed Linux operating system of the CAS (from field l). The root user account is used to access the system over direct/serial/SSH connection. Starting from Release 4.5, the default root user password (cisco123) is removed, and Cisco NAC Appliance supports Strong Passwords only for root user login. Passwords must be at least 8 characters long and contain at least two characters from each of the following four categories: lower-case letters, upper-case letters, numbers (digits), and special characters (such as !@#$%^&*~). For example, 1o-9=OnE is a valid password, but the password 10-9=One does not satisfy requirements because it does not contain two characters from each category. For further details, see the "Manage System Passwords" section in the "Administer the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5.
Step 24	web-console-admin-password Example: Example: Please enter an appropriately secure password for the web console admin user. New password for web console admin: Confirm new password for web console admin: Web console admin password changed successfully.	Type the admin user password for the CAS direct access web console (from field m). The CAS web console provides limited CAS-specific settings, and is primarily used to set up High Availability.
Step 25	reboot Example: Configuration is complete. [root@NME-NAC ~]# reboot Broadcast message from root (ttyS0) (Fri Aug 22 11:45:36 2008): The system is going down for reboot NOW! [root@cas-10 ~]#	After the configuration is complete, wait for the prompt, then type reboot to reboot the CAS. Note If you used service perfigo config to start the configuration utility, you must type service perfigo reboot or reboot and press Enter to reboot the machine after configuration. The CAS initial configuration is now complete.
Step 26	From CAS: ping cam-ip-address From CAM (ping CAS eth0 address): ping 10.201.217.203 ...	Ping the CAM from the CAS to verify that the CAM and CAS can ping (route) to each other.
	From Web Browser Interfaces
Step 27	https://<CAS IP address>/admin	Type the CAS IP address into the URL/address field of a web browser to verify you can log into the CAS web console. You will need to use the admin user password you configured in . Note Make sure to type "https" and "/admin" in the CAS URL or you will get the end user portal.
Step 28	http://<CAM IP address> /admin	Log into the CAM web console by typing the CAM IP address into the URL/address field of a web browser. From the CAM web console: •Add the NAC network module license under Administration > CCA Manager > Licensing as described in Cisco NAC Appliance Service Contract / Licensing Support. •Add the CAS to the CAM as described in: Cisco NAC Appliance Configuration Quick Start Guide, or Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide (applicable to your release)
	From the Service-Module Interface
Step 29	Press Control-Shift-6 x.	Close the service-module session and returns to the router CLI. Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
	From the Host-Router CLI
Step 30	service-module integrated-service-engine slot/0 session clear Example: Router# service-module service-engine 1/0 session clear	Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.

Important Notes for SSL Certificates

•You must generate the temporary SSL certificates during the initial configuration of both the CAM and CAS or you will not be able to access your NAC Appliance as an admin or end user.

•Before deploying the CAM or CAS in a production environment, you can obtain a trusted certificate from a Certificate Authority to replace the temporary certificate. A CA-signed certificate for the CAS prevents the security warning when end users log in and a CA-signed certificate for the CAM prevents the admin web login security warning.

•Make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. For further details see the "Set System Time" and "Manage SSL Certificates" sections of the CAM and CAS guides.

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

This section contains the following information:

•Shutting Down and Starting Up Cisco NAC Network Module

•Verifying System Status

•Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

•Re-Installing Cisco NAC Network Module Software

---

Note•The tables in these sections show only common router and network module commands.

–To view a complete list of available commands, type ? at the prompt
(Example: Router(config-if)# ?).

–To view a complete list of command keyword options, type ? at the end of the command
(Example: Router# service-module integrated-service-engine ?).

•The tables group commands by the configuration mode in which they are available. If the same command is available in more than one mode, it may act differently in each mode.

---

Shutting Down and Starting Up Cisco NAC Network Module

To shut down or start up the Cisco NAC network module or the Clean Access Server application that runs on the module, use commands as needed from the following list of common router and network module commands (Table 6).

---

Note•Some shutdown commands can potentially disrupt service. If command output for such a command displays a confirmation prompt, confirm by pressing Enter or cancel by typing n and pressing Enter. Alternatively, prevent the prompt from displaying by using the no-confirm keyword.

•Some commands shut the module or application down and then immediately restart it.

---

Table 6 Common Shutdown and Startup Commands 

Configuration Mode	Command	Purpose
Router#	service-module integrated-service-engine slot/0 reload	(Preferred) Shuts down the network module operating system gracefully, allowing services to execute their shutdown process, then restarts the network module from the bootloader. This command is similar to executing a reboot from the network module's Linux console. Note If reload executes, there is no need to use the reset command.
Router#	service-module integrated-service-engines slot/0 reset	(Ungraceful) Resets the hardware on a module via a hardware reset line. This command should only be used to recover from shutdown or a failed state. Caution Never issue reset before reload. This command is similar to pressing the reset button on a Linux box; it does not allow services to execute their shutdown process.
Router#	service-module integrated-service-engine slot/0 session	Accesses the specified service engine and begins a network module configuration session.
Router#	service-module integrated-service-engines slot/0 shutdown	Shuts down the network module operating system gracefully. Use when removing or replacing a hot-swappable module during online insertion and removal (OIR).
Router#	service-module integrated-service-engine slot/0 status	Displays configuration and status information for the network module hardware and software.
ServicesEngine boot-loader>	boot helper | chainloader	Starts the boothelper or bootloader.
ServicesEngine boot-loader>	reboot	Shuts down the NAC network module without first saving configuration changes, then reboots it from the bootloader.

Verifying System Status

To verify the status of an installation, upgrade, or downgrade or to troubleshoot problems, use commands as needed from the following list of common router and network module commands (Table 7).

---

Note Among keyword options for many show commands is provision to display diagnostic output on your screen or to pipe it to a file or a URL.

---

Table 7 Common Verification and Troubleshooting Commands 

Configuration Mode	Command	Purpose
Router#	ping	Pings a specified IP address to check network connectivity (does not accept a hostname as destination).
Router#	show arp	Displays the current Address Resolution Protocol (ARP) table.
Router#	show clock	Displays the current date and time.
Router#	show configuration	Displays the current bootloader configuration as entered by means of the configure command.
Router#	show controllers	Displays interface debug information.
Router#	show diag	Displays standard Cisco IOS diagnostics information, including information about NAC.
Router#	show hardware	Displays information about network module and host-router hardware.
Router#	show hosts	Displays the default domain name, style of name lookup, list of name-server hosts, and cached list of hostnames and addresses
Router#	show interfaces	Displays information about all hardware interfaces, including network and disk.
Router#	show interfaces integrated-service-engine slot/0	Displays information about the module side of the router-module interface.
Router#	show ntp status	Displays information about Network Time Protocol (NTP).
Router#	show processes	Displays a list of the running application processes.
Router#	show running-config	Displays the configuration commands that are in effect.
Router#	show startup-config	Displays the startup configuration.
Router#	show tech-support	Displays general information about the host router that is useful to Cisco technical support for problem diagnosis.
Router#	show version	Displays information about the loaded router, software or network module bootloader version, and also hardware and device information.
ServicesEngine boot-loader>	ping	Pings a specified IP address to check network connectivity (does not accept a hostname as destination).
ServicesEngine boot-loader>	show config	Displays the startup configuration stored in flash memory.

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

To upgrade the Cisco NAC Network Module to the latest supported Cisco NAC Appliance release, a single product upgrade file (cca_upgrade-<version>.tar.gz) is uploaded and applied to the CAS. This section describes the following upgrade procedures:

•CAS Upgrade via CLI

•CAS Upgrade via Web Console

---

Note Clean Access Manager/Server appliances and Cisco NAC Network Modules in your deployment must all run the same version of the Cisco NAC Appliance software.

---

---

Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.

---

---

Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

---

---

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

---

See Restrictions for Cisco NAC Network Module for additional information.

CAS Upgrade via CLI

You can upgrade the CAS on your NAC network module by using the command line upgrade procedure described in this section.

---

Note If upgrading to Cisco NAC Appliance Release 4.5 or later, you must use the command line upgrade procedure only.

---

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the upgrade procedure described in DETAILED STEPS (CAS UPGRADE).

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS (CAS UPGRADE)

	Command or Action	Purpose
Step 1	a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials. b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance. c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>." d. Locate the product upgrade (.tar.gz) file for the applicable version: •cca_upgrade-<version>.tar.gz •nme-nac-upgrade-<version>-from-4.6.x.tar.gz (for upgrading from 4.6(1) to 4.8(x)) •cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz (for upgrading from 4.8 to 4.8(x)) •nme-nac-upgrade-<version>-from-4.8.x.tar.gz (for upgrading from 4.8(x) to 4.9) •nme-nac-upgrade-<version>-from-4.8.x-4.9.x.tar.gz (for upgrading from 4.8(x) or 4.9(x) to 4.9(1) or 4.9(2)) e. Download and save this file to a local machine that can access the NAC network module over the network. Note For Release 4.5, the upgrade file name is cca_upgrade-4.5.0-NO-WEB.tar.gz	Download the Cisco NAC Appliance product upgrade file.
	From the Service-Module Interface
Step 2	root Example: Fedora Core release 4 (Stentz) Kernel 2.6.11-perfigo on an i686 NME-NAC login: root	From the network module prompt, log into the Clean Access Server Configuration Utility as the root user to access the command line of the CAS.
Step 3	cat /perfigo/build Example: [root@cas128 ~]# cat /perfigo/build VERSION=4.1.2.1 NAME=Clean Access Server DATE=2007/09/07	Verify the current Cisco NAC Appliance software version on the CAS.
Step 4	Copy the upgrade file to /store directory of the CAS. Example: If using WinSCP or SSH File Transfer: a. Copy cca_upgrade-<version>.tar.gz to the /store directory of the CAS. If using PSCP: a. Open a command prompt on your Windows computer. b. Cd to the path where your PSCP resides (e.g, C:\Documents and Settings\desktop). c. Enter the following command to copy the file to the CAS (copy to each CAS): pscp cca_upgrade-4.5.0-NO-WEB.tar.gz root@ipaddress_server:/store	Copy the upgrade file to the /store directory of the CAS using WinSCP, SSH File Transfer or PSCP.
Step 5	cd /store ls Example: [root@cas128 ~]# cd /store [root@cas128 store]# ls cca_upgrade-4.5.0-NO-WEB.tar.gz	On the CAS, change directory to /store and verify the upgrade package is there.
Step 6	tar zxf cca_upgrade-<version>.tar.gz ls Example: [root@cas128 store]# tar xzf cca_upgrade-4.5.0-NO-WEB.tar.gz [root@cas128 store]# ls cca_upgrade-4.5.0 cca_upgrade-4.5.0-NO-WEB.tar.gz upload [root@cas128 store]#	Extract the contents of the upgrade file.
Step 7 .	cd cca_upgrade-<version> ./UPGRADE.sh Example: [root@cas128 store]# cd cca_upgrade-4.5.0 [root@cas128 cca_upgrade-4.5.0]# ls agent-version.sh checksum.txt notes.html version.sh cam-4.5.x-upgrade.sh checksum.txt.sig RPMS cas-4.5.x-upgrade.sh dmidecode showstate.sh cca_upgrade-4.1.6.tar.gz initrd.img UPGRADE.sh [root@cas128 cca_upgrade-4.5.0]# ./UPGRADE.sh ...stopping CCA Server... BaseAgent process stopped! Stopping DHCP... In Maintenance Mode... Welcome to the CCA Server migration utility. ...Upgrading to newer rpms of 4.5.0...done. ...Upgrading CCA files... done Clearing Tomcat cache...checking ssl configuration...done. [root@cas128 cca_upgrade-4.5.0]#	Change to the /cca_upgrade-<version> directory and execute the upgrade process.
Step 8	[root@cas128 cca_upgrade-4.5.0]# reboot Example: [root@cas128 cca_upgrade-4.5.0]# reboot Broadcast message from root (pts/0) (Tue Oct 21 18:49:00 2008): The system is going down for reboot NOW! [root@cas126 cca_upgrade-4.5.0]#	Reboot the CAS after upgrade is complete.
Step 9	cat /perfigo/build Example: [root@cas128 ~]# cat /perfigo/build NAME=Clean Access Server DATE=2008/10/20 AUTHOR=rachnar BUILD_TAG=NAC-4_5_0-RC9 BUILD_INFO=Experimental BUILT_ON=mercury REBUILD_COUNT=0	Verify the new build after the CAS reboot.
Step 10	Press Control-Shift-6 x.	Close the service-module session and return to the router CLI. Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
	From the Host-Router CLI
Step 11	service-module integrated-service-engine slot/0 session clear Example: Router# service-module service-engine 1/0 session clear	Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.

CAS Upgrade via Web Console

If upgrading the CAS on your NAC network module to Cisco NAC Appliance Release 4.1(6) or earlier only, you can use the same web upgrade procedure used to upgrade standalone CAS appliances as described in the "Upgrading" section of the applicable Release Notes for Cisco NAC Appliance.

---

Note Cisco NAC Appliance Release 4.5 (and later) does not support web upgrade. Refer to the Release Notes for Cisco NAC Appliance, Release 4.5 for details.

---

CAS Web Upload

•If upgrading to Release 4.1.6 or earlier and the upgrade file is uploaded via CAS web upload on a 4.1.6 or earlier CAS, it is placed in /store/upload. The web uploaded file will also have a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz

•If Release 4.5 is already installed and an upgrade file is uploaded via CAS web upload on a 4.5 CAS, it is placed in /store for Release 4.5 and later. The web uploaded file also has a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz

•If upgrading from Release 4.1.x to Release 4.5, web upload of upgrade files to the CAS is not supported.

•If upgrading from Release 4.6(1) to Release 4.8(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.6.x.tar.gz

•If upgrading from Release 4.8 to Release 4.8(x), the web uploaded file is cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz

•If upgrading from Release 4.8(x) to Release 4.9(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.8.x.tar.gz

---

Note Cisco NAC Appliance Release 4.5 (and later) does not support web upgrade. Refer to the Release Notes for Cisco NAC Appliance, Release 4.5 for details.

---

---

Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

---

---

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

---

Re-Installing Cisco NAC Network Module Software

By default, the Cisco NAC Network Module is preconfigured to load the operating system and Clean Access Server software from the onboard flash. In most cases, the administrator will only need to perform the initial Clean Access Server configuration of the network module, then can use the normal Cisco NAC Appliance upgrade procedure to later upgrade the software on the module. See Configuring and Administering Cisco NAC Appliance for additional information.

If the machine is corrupt or cannot be booted, you can interrupt and change the boot process (by entering ***) in order to reimage the entire system. This process requires downloading the boot helper and image files separately from the Cisco Secure Software site, and configuring a TFTP server so that the boot helper can be loaded onto the network module from the network.

In this case, two items of boot software may be used:

•Bootloader—A small set of system software that runs when the system first powers up. In normal operation, it automatically loads the operating system from compact flash, which in turn loads and runs the Clean Access Server application. In case of disaster recovery, the bootloader process can optionally be interrupted and reconfigured to load the boot helper from the network via a TFTP server.

•Boothelper—A small subset of the system software that runs on the module. It boots the module from the network and assists in disaster recovery and other operations when the module cannot access its software.

This section contains the following information:

•Re-Imaging the Network Module

•Running Clean Access Server Software Configuration Utility

•Shutting Down and Starting Up Cisco NAC Network Module

Re-Imaging the Network Module

Re-installing the network module involves installing, configuring, and starting a boothelper image. The boothelper, in turn, starts the Cisco NAC Appliance software installation on the NAC network module and brings up the Clean Access Server Configuration Utility which will prompt you through the configuration of the CAS.

Prerequisites

•Have available the IP address of your TFTP file server.

SUMMARY STEPS

From the Host-Router CLI

1. Download the required software.

2. service-module integrated-service-engine slot/0 reset

3. service-module integrated-service-engine slot/0 session, ***

From the Service-Module Interface

4. config

5. show config

6. boot helper

7. Follow boothelper instructions for installing software.

8. Control-Shift-6 x

From the Host-Router CLI

9. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

	Command or Action	Purpose
Step 1	a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials. b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance. c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>." d. Locate the NME-NAC image files for the applicable version: •nme-nac-helper-<version>-K9 •nme-nac-install-<version>-K9.img e. Place these files on your TFTP file server.	Download the Cisco NAC Network Module installation-package files (boothelper image and installation image). Note If NME-NAC images are not available for a specific minor release, you can install the latest available image for the major version, and use the CAS upgrade procedure to upgrade the Cisco NAC Network Module to the minor release. For more information, refer to Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module.
	From the Host-Router CLI
Step 2	enable Example: Router> enable	Enter privileged EXEC mode on the host router. Enter your password if prompted.
Step 3	service-module integrated-service-engine slot/0 reset Example: Router# service-module integrated-service-engine 1/0 reset	After the download completes, reset the system.
Step 4	service-module integrated-service-engine slot/0 session *** Example: Router# service-module integrated-service-engine 1/0 session ***	If the reset does not automatically do so, open a session and quickly type *** to interrupt the auto-boot sequence and access the bootloader:
	From the Service-Module Interface
Step 5	config Example: ServicesEngine boot-loader> config IP Address [10.201.243.18] > Subnet mask [255.255.255.240] > 255.255.255.240 TFTP server [10.201.210.15] > Gateway [10.201.243.17] > 10.201.243.17 Default Helper-file [nme-nac-helper-4.5_0-K9] > nme-nac-helper-4.5_0-K9 Ethernet interface [external|internal] [internal] > internal External interface media [copper|fiber] [copper] > copper Debug Statements [enable|disable] [disabled] > Default Boot [none|disk|compactflash|chainloader] [chainloader] > Default bootloader [primary|secondary] primary] > primary Updating flash with bootloader configuration: 1 Please wait ... .............done.	Configure the bootloader to load and launch the boothelper. Prompts to configure the bootloader interface appear in the order listed. For each, enter a value or accept the previously stored input that appears inside square brackets by pressing Enter. •IP address— Service module address or the trusted interface (eth0) address of your NAC network module •Subnet mask—eth0 netmask of your NAC network module •TFTP server— TFTP file-server IP address •Gateway—Gateway-router IP address (normally the IP address for the ISR). The configured IP address your ISR uses to communicate with your NAC network module. •Default Helper-file—Default boothelper image filename: nme-nac-helper-<version>-K9 •Ethernet interface: internal or external— Choose internal for NAC network module •External interface media— Choose copper for NAC network module •Debug Statements—Leave as disabled (default) •Default Boot —Choose chainloader as the default boot option for NAC network module •Default bootloader— Choose primary as the default bootloader file to be used on subsequent boot for NAC network module
Step 6	show config Example: ServicesEngine boot-loader> show config	(Optional) Verify your bootloader configuration settings:
Step 7	boot helper Example: ServicesEngine boot-loader> boot helper	After the new configuration finishes writing, start the boothelper at the boot prompt.
Step 8	1 Example: Welcome to the NME-NAC Installer 1 Install everything 2 Install compact flash only 3 Verify Install 4 Root shell 5 Reboot Please select install option: 1 Creating partitions with fdisk...	Follow boothelper instructions. The helper will present the following options: 1. Install everything 2. Install compact flash only 3. Verify Install 4. Root shell 5. Reboot Enter 1 to install everything.
Step 9	(Virtual Gateway only) eth0 IP address subnet mask default gateway Example: Please enter the IP address for the interface eth0: 10.201.243.18 You entered 10.201.243.18 Is this correct? (y/n)? [y] Please enter the netmask for the interface eth0: 255.255.255.240 You entered 255.255.255.240, is this correct? (y/n)? [y] Please enter the IP address for the default gateway: 10.201.243.17 You entered 10.201.243.17 Is this correct? (y/n)? [y] Creating partitions with fdisk...	If installing on a previously configured Virtual Gateway system, you will additionally be asked for the eth0 IP address, netmask, and gateway.
Step 10	nme-nac-install-<version>-K9.img Example: Please enter the Image name: nme-nac-install-4.5_0-K9.img You entered nme-nac-install-4.5_0-K9.img Is this correct? (y/n)? [y]	After partitioning and formatting the hard disk, the helper will ask two more questions (image name and TFTP server address) Type the image name (e.g. nme-nac-install-<version>-K9.img) and press Enter. Confirm that this is correct by typing y and pressing Enter.
Step 11	TFTP server IP address Example: Please enter the IP address for the tftp server: 10.201.210.15 You entered 10.201.210.15 Is this correct? (y/n)? [y] Transferring Image now Done!Success!	Type the IP address of your TFTP server. Confirm that this is correct by typing y and pressing Enter. The helper will then transfer the image. The image is quite large, and the transfer takes a long time. After the image is transferred the helper will display status as RPMs get installed.
Step 12	Press Enter Example: Press enter to reboot	At the reboot prompt, press the Enter key and the NAC network module will reboot.
Step 13	root Example: Fedora Core release 4 (Stentz) Kernel 2.6.11-perfigo on an i686 NME-NAC login: root	On next boot up, the network module login prompt appears. Login as root The standard Clean Access Server Configuration Utility questions will then be asked. Follow the instructions in Running Clean Access Server Software Configuration Utility to complete the CAS configuration.
Step 14	reboot	After completing the Configuration Utility, at the prompt, reboot your NAC network module. On next reboot, the NAC network module installation is complete.
Step 15	Press Control-Shift-6 x.	Close the session by pressing Control-Shift-6 x.
	From the Host-Router CLI
Step 16	service-module integrated-service-engine slot/0 session clear Example: Router# service-module service-engine 1/0 session clear	From the host-router CLI, clear the session:

Configuring and Administering Cisco NAC Appliance

For comprehensive Cisco NAC Appliance configuration information, refer to the applicable version of the following guides:

•Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

•Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Technical Assistance

Description	Link
The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.	http://www.cisco.com/techsupport
Cisco Feature Navigator website	http://www.cisco.com/go/cfn Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. An account on Cisco.com is not required.
Cisco Software Center website	Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance to download software for Cisco NAC Appliance.

Documentation

Table 8 Updates to this Guide

Date	Description
11/27/12	Updates (for 4.9(x)): •Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module •Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9(x))
9/23/10	Updates (for 4.9): •Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module •Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9)
7/26/10	Updates (for 4.8): •Router (Added Routers supported by Cisco NAC Appliance Release 4.8) •Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module •Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.6(1) to 4.8)
10/3/08 9/25/08	Updates (for 4.5): •Network Module •Restrictions for Cisco NAC Network Module (added WOOB note) •How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module (added link to upgrade section) •Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module (moved and updated section) •Re-Installing Cisco NAC Network Module Software (step 1)
6/11/08	•Updated Restrictions for Cisco NAC Network Module with notes for 4.1.2.1 •Corrected section CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning) •Updated step 1 of Re-Installing Cisco NAC Network Module Software. •Added section Configuring and Administering Cisco NAC Appliance. •Updated boilerplate and hypertext links
11/02/07	Minor updates/corrections
8/22/07	Cisco NAC Network Module (NME-NAC-K9) release

Related Documents

Related Topic	Document Title
Cisco NAC Appliance For the latest updates to Cisco NAC Appliance documentation on Cisco.com, visit www.cisco.com/go/nac/appliance. Refer to the document versions that correspond to the release you are running on your machines.
Data sheets	Cisco NAC Appliance Cisco NAC Network Module for Integrated Services Routers
Ordering guide	Cisco NAC Appliance Ordering Guide
Licensing	Cisco NAC Appliance Service Contract / Licensing Support
System requirements	Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
Supported switches (OOB)	Switch Support for Cisco NAC Appliance
Release notes	Release Notes for Cisco NAC Appliance (Cisco Clean Access) (Version 4.1(2) or later)
Configuration guides	Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
Appliance hardware (MANAGER/SERVER)	Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1
Network module	Getting Started with Cisco NAC Network Modules in Cisco Access Routers (this guide)
	Installing Cisco Network Modules in Cisco Access Routers at http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/InstNetM.html
	Connecting Cisco Network Admission Control Network Modules at http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/nacnm.html
Additional Cisco Documentation
Cisco IOS software	Cisco IOS Software website at http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html
Voice and IP communications	Cisco Voice and IP Communications website at http://www.cisco.com/en/US/products/sw/voicesw/tsd_products_support_category_home.html Tip To ensure that you are displaying the most current information on the Cisco.com website, force your browser to refresh by pressing Ctrl-F5. To narrow your Cisco.com search to technical documents, from the Cisco.com home page on the upper right under the Search box, click Advanced Search > Technical Support & Documentation and enter your search criteria. To provide feedback about the Cisco.com website or a particular technical document, from the top of any Cisco.com web page, click Feedback.

Glossary

blade	Alternate term for network module.
boothelper	A small subset of the system software that runs on the module. It boots the module from the network and assists in software installation and upgrades, disaster recovery, and other operations when the module cannot access its software.
bootloader	A small set of system software that runs when the system first powers up. It loads the operating system (from the disk, network, external compact flash, or external USB flash), which loads and runs the NAC application. The bootloader may optionally load and run the boothelper.
CAM	Clean Access Manager The policy configuration server and management database for Cisco NAC Appliance deployment. The Clean Access Manager can manage from 1 to 40 Clean Access Servers in a deployment.
CAS	Clean Access Server The policy enforcement server to which end users connect in Cisco NAC Appliance deployments. The Clean Access Server is managed by the Clean Access Manager.
CCA	Cisco Clean Access (also known as Cisco NAC Appliance software)
Cisco NAC Appliance	Cisco Network Admission Control solution
Cisco NAC Network Module	NME-NAC-K9 network module for Cisco Integrated Services Routers 2811, 2821, 2851, 3825, and 3845. In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco Integrated Services Routers 2911, 2921, 2951, 3925, and 3945. The Cisco NAC Network Module is a Clean Access Server (CAS) platform for 50 or 100 users.
Cisco NAC-3300 Series Appliances	Cisco NAC Appliance hardware appliance platforms for the Clean Access Manager and Clean Access Server: •NAC-3310 SERVER •NAC-3350 SERVER •NAC-3310 MANAGER •NAC-3350 MANAGER •NAC-3390 MANAGER (Super Manager)
service (or services) engine	Alternate term for network module with installed application software.
service module	Standalone content engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router.
TFTP	Trivial File Transfer Protocol. Simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

---

Note For terms not included in this glossary, see the following references:

•Cisco IOS Voice Configuration Library Glossary

•Internetworking Terms and Acronyms

---

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012Cisco Systems, Inc. All rights reserved.