Table Of Contents
Getting Started with Cisco NAC Network Modules in Cisco Access Routers
About Cisco NAC Network Module for Integrated Services Routers
Prerequisites for Cisco NAC Network Module
Accessing the Cisco NAC Network Module
Restrictions for Cisco NAC Network Module
Cisco NAC Network Module and Clean Access Server Software
Cisco NAC Network Module (CAS) Deployment Modes
Example Layer 2 Inband Virtual Gateway Configuration
Integrated Services Router Configuration (L2 IB VGW)
EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)
Example Layer 2 Out-of-Band Real-IP Gateway Configuration
CAS Configuration (L2 OOB RGW)
Integrated Services Router Configuration (L2 OOB RGW)
EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)
How to Configure the Cisco NAC Network Module
Cisco NAC Network Module Configuration Worksheet
Setting Up Network Module Interfaces
Running Clean Access Server Software Configuration Utility
Important Notes for SSL Certificates
How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module
Shutting Down and Starting Up Cisco NAC Network Module
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
Re-Installing Cisco NAC Network Module Software
Configuring and Administering Cisco NAC Appliance
Obtaining Documentation and Submitting a Service Request
Getting Started with Cisco NAC Network Modules in Cisco Access Routers
Revised: November 27, 2012, OL-2609-01
Contents
• About Cisco NAC Network Module for Integrated Services Routers
• Prerequisites for Cisco NAC Network Module
• Cisco NAC Network Module and Clean Access Server Software
• How to Configure the Cisco NAC Network Module
• How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module
• Configuring and Administering Cisco NAC Appliance
• Obtaining Documentation and Submitting a Service Request
About Cisco NAC Network Module for Integrated Services Routers
The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.
In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2900 and 3900 Series Integrated Services Routers.
Cisco NAC Appliance
Cisco NAC Appliance (also known as Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.
Cisco NAC Appliance is a network-centric integrated solution that is:
• Administered from the web console of the Clean Access Manager (CAM)
• Enforced through the Clean Access Server (CAS)
• Applied on clients through the Clean Access Agent (CAA) client software
You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.
Cisco NAC Network Module
The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code.
In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2911/2921/2951 and 3925/3945 access routers.
The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.
The Clean Access Manager is purchased separately as a NAC-3300 series appliance and is the primary point of configuration and management for all Clean Access Servers—whether implemented as a Cisco NAC Network Module in an Integrated Services Router, or as a NAC-3310 or NAC-3350 SERVER appliance. Once initial configuration is complete, the NAC network module is added and managed by the Clean Access Manager like any other Clean Access Server through the CAM web console (GUI) interface.
For further details on the NAC-3300 series server platforms refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide.
Prerequisites for Cisco NAC Network Module
Router
• Plan software upgrades or downgrades for times when you can take all applications that run on the host router out of service or offline.
• Ensure that you have the appropriate Cisco access router to serve as the host router. The Cisco NAC Network Module is supported on the following Cisco access routers:
– Cisco 2811
– Cisco 2821
– Cisco 2851
– Cisco 3825
– Cisco 3845
• In addition to the above routers, Cisco NAC Appliance Releases 4.8 and later support the following Cisco access routers:
– Cisco 2911
– Cisco 2921
– Cisco 2951
– Cisco 3925
– Cisco 3945
Note
The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. Ensure that you are upgrading it to Cisco NAC Appliance Releases 4.8 or later to support the above Cisco access routers.
• Ensure that the host router is running Cisco IOS Release 12.4(11)T or a later release. To learn which release your router is currently running, examine output from the show version command.
Note
When minimum release requirements are met, you can change images on either the router or the network modules without affecting performance.
Network Module
Note
Cisco NAC Network Module supports Cisco NAC Appliance Release 4.5, but does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.
Cisco NAC Network Module supports L3 Wireless Out-of-Band (L3 OOB) introduced in Cisco NAC Appliance Release 4.8(2).
• Release 4.1.2.1 of the Cisco NAC Appliance software is the minimum software release supported on the Cisco NAC Network Module.
Refer to the latest version of the Release Notes for Cisco NAC Appliance for enhancement details for each applicable release.
• To physically install the NAC network module, use the Cisco Network Modules Hardware Installation Guide and Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information.
• The Cisco NAC Network Module for Integrated Services Routers ships from the factory with the hardware listed in Table 1 preinstalled. There are no memory options. (See How to Configure the Cisco NAC Network Module for further details.)
Table 1 Network Module Hardware Specifications
Model        Processor          Hard Disk       Memory        CompactFlash
NME-NAC-K9   1 GHz Celeron M    80 GB (SATA)    512 MB DDR    64 MB
• Make a note of the network module's location in the host router:
– slot—Number of the router chassis slot for the module. After you install the module, you can get this information from the router's show running-config command output.
– unit—Number of the daughter card on the module. This value should be 0.
Note
You need this information for the "Setting Up Network Module Interfaces" section and the "Opening and Closing a Session" section.
File Server
• (Optional) Verify that your download FTP or TFTP file server is accessible:
– FTP file server—Use for backups and restores.
– TFTP file server—Use (on the FTP-file-server machine) for boothelper operations to recover from a failed installation.
Accessing the Cisco NAC Network Module
• You can configure software on the network module only from a console that connects to a single serial-port console port on the host router.
Note
Telnet is not recommended.
• You can access the Clean Access Server software running on the network module by accessing one of the following:
– The router's Cisco IOS command-line interface (CLI)
– The CAS management pages of the CAM web console (Device Management > CCA Servers > Manage [CAS_IP])
– The CAS direct access console (https://<CAS_eth0_IP>/admin/)
– Secure Shell (SSH) connection to the internal interface (CAS eth0 trusted interface) of the NAC network module.
• All Clean Access Servers that are configured have a direct web console interface, which can optionally be accessed for certain limited settings, such as HA or SSL certificates, or to download support logs. For the NAC network module, all CAS configuration settings can be accessed via the CAS management pages of the CAM web console, except for CAS support logs, which must be accessed via the direct CAS web console interface by typing https://<CAS_eth0_IP>/admin/ into a web browser. Additionally, because the NAC network module does not support HA, there is no "Failover" tab in the direct access web console.
Restrictions for Cisco NAC Network Module
Deployment
• The NAC network module does not support High Availability (HA) mode. HA functionality is disabled on the GUI interface of the NAC network module.
• The NAC network module does not support the Cisco NAC Profiler Collector module for the CAS.
• The NAC network module does not support port-based VLAN mapping when deployed as an Out-of-Band Virtual Gateway. A change in the client IP address is always required when the NAC network module is configured as an L2 OOB Virtual Gateway.
• Cisco NAC Network Module does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.
Upgrade
• After upgrading from Release 4.6(1) to Release 4.8, the clock on the NAC-NME module may drift. As a result, the CAS on the NME module may fail to connect to the CAM after the upgrade from 4.6(1), because the certificate dates fall outside the validity range.
To resolve this, check the system clock after upgrading, set it once, and reboot. To set the date again, use the following command and reboot.
Syntax:
date -s "dd MMM YYYY hh:mm:ss"
Example:
date -s "15 APR 2010 19:49:00"
You can also synchronize the time using the CAS web console. In the CAS web console, perform the following steps:
Step 1
Navigate to Administration > Time Server.
Step 2
Select the Time Zone and enter the appropriate time server in the Time Servers field.
Step 3
Click Synchronize Time.
Step 4
Reboot the system.
• The Cisco NAC Appliance architecture is not designed for heterogeneous support—that is, some Clean Access Servers running 4.1(3) software and some running 4.1(2) software. Because the NAC network module is only supported starting from release 4.1(2) and later, to introduce a NAC network module to an existing NAC Appliance deployment (e.g. running 4.1.1), you must upgrade your Clean Access Manager and all your Clean Access Servers concurrently to release 4.1.2.1 or later.
Note
Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.
Note
Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. For compatibility with CAM/CAS appliances running 4.1.2.1, you must use the standard product upgrade file to upgrade the Cisco NAC network module to 4.1.2.1. See Configuring and Administering Cisco NAC Appliance for additional information.
Note
Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.
Note
Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.
Cisco NAC Network Module and Clean Access Server Software
The Clean Access Server is a Linux-based application that resides on the NAC network module that plugs into a host Cisco router running Cisco IOS software.
The network module is a standalone services engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router. The module does not have an external console port. Instead, you launch and configure the module through the router, by means of a configuration session on the module. After the session, you return to the router CLI and clear the session.
This arrangement—host router plus network module (the latter is also sometimes called an appliance or blade or, with installed software, a service or services engine)—provides a router-integrated application platform for accelerating data-intensive applications. Such applications typically involve the following and more:
• Application-oriented networking
• Contact centers and interactive-voice-response applications
• Content caching and delivery
• Data and video storage
• Network analysis
• Voice-mail and auto-attendant applications
Network Admission Control (NAC) enabled by Cisco NAC Appliance is such an application.
This section contains the following information:
• How to Configure the Cisco NAC Network Module
System Licenses
Cisco NAC Appliance product licensing treats the Cisco NAC Network Module as any other Clean Access Server. In order for a NAC network module to work in your system, you need the following:
• Clean Access Manager appliance (MANAGER), which will manage the NAC network module within the ISR.
• Clean Access Manager license.
The CAM license is based on the eth0 IP address of the CAM and corresponds to the number of Clean Access Servers it supports. There are licenses for: Lite Manager (supports 3 CASs), Standard Manager (supports 20 CASs), and Super Manager (supports 40 CASs).
• NAC network module license
This is a type of Clean Access Server license. The CAS license is based on the number of concurrent users it supports. The NAC network module can support up to 100 online, concurrent users. Table 2 shows the license types available for the NAC network module. These software licenses can also be used for the ordering of a spare NAC network module.
Note
All Cisco NAC product licenses are added to the Clean Access Manager in your system. You add the CAM license the first time you access the CAM web console, then use the Administration > Licensing pages of the CAM web console to add the NAC network module or CAS licenses thereafter.
For complete details on licensing, refer to Cisco NAC Appliance Service Contract / Licensing Support.
Deployment Overview
This section provides an overview of Cisco NAC Network Module deployment with some configuration examples. If you already know how you want to deploy your NAC network module, continue to How to Configure the Cisco NAC Network Module for detailed initial configuration steps.
It contains the following:
• Cisco NAC Network Module (CAS) Deployment Modes
• Example Layer 2 Inband Virtual Gateway Configuration
• Example Layer 2 Out-of-Band Real-IP Gateway Configuration
Cisco NAC Network Module (CAS) Deployment Modes
Table 3 shows the Clean Access Server deployment modes supported by the Cisco NAC Network Module.
Table 3 CAS Deployment Modes Supported by Cisco NAC Network Module
Deployment Mode        Options (1)
Physical deployment    Edge deployment only
CAS traffic passing    • Virtual Gateway (bridged mode)
                       • Real IP Gateway (routed mode)
Client access          • Layer 2—client is adjacent to NAC network module (CAS)
                       • Layer 3—client is multiple hops away from NAC network module (CAS)
Traffic flow           • In-band—CAS is always inline with traffic
                       • Out-of-Band—CAS is inline with traffic only during posture assessment/remediation
1 The Cisco NAC Network Module does not support Wireless Out-of-Band deployment (Release 4.5 and later). Wireless OOB only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.
From a physical deployment perspective, all NAC network modules are Edge Deployments. This means each port (eth0 and eth1) of the NAC network module (CAS) is connected to a different device.
The eth1 (untrusted) interface of the NAC network module can be connected to an external switch or to an EtherSwitch Service Module (NME-ESW) for 3800 series integrated services routers supporting multiple slots (e.g. 3845).
Interface Description
Table 4 describes the interface terminology used in the example deployments shown in Figure 1 and Figure 2.
The example scenarios illustrate the NAC network module (NME-NAC) in a 3800 Series Integrated Services Router (ISR) when an EtherSwitch Service Module (NME-ESW) is used instead of an external switch.
In both examples, the eth1 (untrusted) interface of the NAC network module (Clean Access Server) is connected via an external link to the EtherSwitch module (instead of the internal Gigabit Serdes (GigSerdes) connection).
Example Layer 2 Inband Virtual Gateway Configuration
This section describes the following:
• CAS Configuration (L2 IB VGW)
• Integrated Services Router Configuration (L2 IB VGW)
• EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)
Network Diagram (L2 IB VGW)
Figure 1 shows the Cisco NAC Network Module deployed as a CAS in Layer 2 inband Virtual Gateway mode.
Figure 1 NME-NAC (CAS) Layer 2 Inband Virtual Gateway Deployment with NME-ESW
Key Points
• No VLAN mapping is required for Edge Deployment
• Int int-svr-eng 1/0 of the ISR is the Default Gateway for all users
• Int int-svr-eng 1/0 of the ISR is configured as a Layer 2 trunk with subinterfaces to/from each data VLAN
• Link between the switch (NME-ESW) and CAS (NME-NAC) via external link or internal GigSerdes link (on 3800) carries data VLANs 51, 52
• No VLAN 51, 52 traffic on internal GE link between NME-ESW and ISR
• IP Phone traffic on VLAN 15 sent directly to int Gig2/0 of the ISR
CAS Configuration (L2 IB VGW)
The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Inband Virtual Gateway.
• CAS Managed Subnet Form (L2 IB VGW)
• CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)
CAS IP Form (L2 IB VGW)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP
• Clean Access Server Type: Virtual Gateway
• Both Trusted (eth0) and Untrusted (eth1) Interface IP Addresses are the same: 10.10.55.2
• The Trusted and Untrusted Interface Default Gateway is the same: 10.10.55.1
• Trusted Interface (eth0) Management VLAN ID needs to be set (55).
Note
For Virtual Gateway, the Management VLAN for the CAS must be different from the CAM. Management VLANs must be set for the CAM and CAS, solely to manage the CAS from the CAM.
CAS Managed Subnet Form (L2 IB VGW)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet
• A managed subnet is added for each user VLAN (51, 52) and verified in the list at the bottom of the page.
• Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.
• For all CAS modes in L2 deployment (Real-IP/Virtual Gateway), when configuring additional subnets you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.
• You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.
• For Virtual Gateways, the managed subnet form essentially assigns an IP address to the CAS that is otherwise unused on the subnet. The CAS is not the gateway, but owns that address for the specified VLAN/subnet in order to send ARP queries.
CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > VLAN Mapping
• On a Cisco NAC Network Module, the CAS is always an edge deployment. Therefore no VLAN Mapping is required, because the eth0 and eth1 interfaces of the CAS are connected to different devices.
Caution
The "Enable VLAN Pruning" option is enabled by default for CAS Virtual Gateways. Make sure that "Enable VLAN Pruning" is turned off when "VLAN Mapping" is disabled. Turning the "Enable VLAN Pruning" option on when the "VLAN Mapping" option is disabled can cause the CAS to discard all VLAN packets, blocking traffic in either direction.
• When a CAS operates in Virtual Gateway mode, it passes network traffic from its eth0 interface to eth1 and from eth1 to eth0 without changing the VLAN tag. VLAN Mapping is necessary only for In-band Virtual Gateways when both interfaces of the CAS are connected to the same Layer 2 switch. It allows putting incoming traffic to the CAS on a different VLAN from the outgoing traffic of the CAS. This is not needed for the NAC network module.
Integrated Services Router Configuration (L2 IB VGW)
EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)
Example Layer 2 Out-of-Band Real-IP Gateway Configuration
This section describes the following:
• CAS Configuration (L2 OOB RGW)
• Integrated Services Router Configuration (L2 OOB RGW)
• EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)
Network Diagram (L2 OOB RGW)
Figure 2 shows the NAC module deployed as a CAS in Layer 2 out-of-band Real-IP Gateway mode.
Figure 2 NME-NAC (CAS) Layer 2 Out-of-Band Real-IP Gateway Deployment with NME-ESW
Key Points
• Link between NME-ESW switch and CAS via external link or GigSerdes (on 3800) carries Auth VLAN 53
• No VLAN 53 traffic on internal GE link between NME-ESW and ISR
• User Access VLAN and phone VLAN are sent via internal link to Gig2/0 interface of ISR.
CAS Configuration (L2 OOB RGW)
The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Out-of-Band Real-IP Gateway.
• CAS Managed Subnet Form (L2 OOB RGW)
• CAM - Switch Profile (L2 OOB RGW)
• CAM - Port Profile (L2 OOB RGW)
• CAM - SNMP Receiver (L2 OOB RGW)
• CAM - Ports Management (L2 OOB RGW)
CAS IP Form (L2 OOB RGW)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP
• Clean Access Server Type: Real-IP Gateway
• Trusted (10.10.55.2) and Untrusted (10.10.51.1) Interface IP Addresses are different
• Trusted Interface Default Gateway (10.10.55.1) and Untrusted Interface Default Gateway (10.10.51.1) are different.
• Trusted Interface Management VLAN ID (55) and Untrusted Interface Management VLAN ID (51) are different.
Note
Management VLANs must be set for the CAM and CAS to manage the CAS from the CAM.
CAS Managed Subnet Form (L2 OOB RGW)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet
• A managed subnet is added for the Authentication VLAN (53) and verified in the list at the bottom of the page.
• Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.
• For all CAS modes in L2 deployment (Real-IP/Virtual Gateway), when configuring additional subnets you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.
• You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.
• For a Real-IP Gateway, the CAS will own the gateway IP address of the managed subnet.
CAS DHCP Form (L2 OOB RGW)
• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > DHCP
• CAS is configured as a DHCP Relay.
CAM - Switch Profile (L2 OOB RGW)
• CAM web console: Switch Management > Profiles > Switch > New/Edit
• A Switch profile is created for the NME-ESW. Supported NME EtherSwitch service modules are added as 3750 Switch Models. Refer to Switch Support for Cisco NAC Appliance for details.
CAM - Port Profile (L2 OOB RGW)
• CAM web console: Switch Management > Profiles > Port > New/Edit
• A Port profile is created for the NME-ESW to map Authentication VLAN 53 to Access VLAN 11.
CAM - SNMP Receiver (L2 OOB RGW)
• CAM web console: Switch Management > Profiles > SNMP Receiver
• A Community String (public) is configured for the CAM SNMP Receiver.
CAM - Ports Management (L2 OOB RGW)
• CAM web console: Switch Management > Devices > Switches > (Manage) Ports [Switch_IP]
• The Profile (ISR_NME_switch) is applied to the switch port, and settings are updated on the switch.
Integrated Services Router Configuration (L2 OOB RGW)
EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)
Additional References
For more information on Gigabit Serdes/HIMI, refer to:
• Cisco High-Speed Intrachassis Module Interconnect (HIMI) Configuration Guide
For more information on EtherSwitch Service Modules, refer to:
• Interface Cards and Modules (LAN section)
• EtherSwitch Service Module (ES) Configuration Example
For more information on Clean Access Server configuration, refer to the applicable:
• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
For OOB support information, see:
• Switch Support for Cisco NAC Appliance
How to Configure the Cisco NAC Network Module
This section contains the following information:
• Cisco NAC Network Module Configuration Worksheet
• Setting Up Network Module Interfaces
• Opening and Closing a Session
• Running Clean Access Server Software Configuration Utility
Note
If you lose power or connection during any of the following procedures, the system usually detects the interruption and tries to recover. If it fails to do so, fully reinstall the system using the boothelper, as described in Re-Installing Cisco NAC Network Module Software.
Initial configuration of the network module is done via CLI (router console). Thereafter, the Cisco NAC Network Module is a Clean Access Server that is managed via the Clean Access Manager (CAM) web console. The CAS on the NAC network module can be accessed by: router console, CAM/CAS web console, and SSH.
This document presents router console configuration instructions.
For CAM/CAS web console (GUI) configuration instructions, refer to the following guides. Refer to the document version corresponding to the release you are running on your machines:
• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
Hardware Interfaces
The host router and network module use several interfaces for internal and external communication (see Figure 3). Each interface is configurable—for the router by using the Cisco IOS CLI and for the module by using the module firmware's CLI, GUI, or SSH.
Figure 3 Router and Network Module Interfaces
Cisco NAC Network Module Configuration Worksheet
You will need to collect the information in Table 5, first to configure the Cisco NAC Network Module within the Integrated Services Router (ISR), then to configure the Clean Access Server software that will run on the NAC network module.
Setting Up Network Module Interfaces
Your first configuration task is to set up network module interfaces to the host router and to its external links, which enables you to access the module to install and configure NAC.
Note
The first few steps open the host-router CLI and access the router's interface to the module. The subsequent steps configure the interface.
SUMMARY STEPS
From the Host-Router CLI
1. enable
2. configure terminal
3. interface integrated-service-engine slot/0
4. ip address router-side-ip-address subnet-mask
   or
   ip unnumbered type number
5. service-module ip address module-side-ip-address subnet-mask
6. service-module external ip address external-ip-address subnet-mask
7. service-module ip default-gateway gateway-ip-address
8. end
9. copy running-config startup-config
10. show running-config
DETAILED STEPS
From the Host-Router CLI
Step 1
enable
Example:
Router> enable
Enters privileged EXEC mode on the host router. Enter your password if prompted.
Step 2
configure terminal
Example:
Router# configure terminal
Enters global configuration mode on the host router.
Step 3
interface integrated-service-engine slot/0
Example (ISR 2811, one slot only):
Router(config)# interface integrated-service-engine 1/0
Example (ISR 3845, multiple slots):
Router(config)# interface integrated-service-engine 3/0
Enters interface configuration mode for the slot and port where the network module resides.
Step 4
ip address router-side-ip-address subnet-mask
or
ip unnumbered type number
Example:
Router(config-if)# ip address 10.30.30.10 255.255.255.0
or
Router(config-if)# ip unnumbered ethernet 0
Specifies the router interface to the module (#2 in Figure 3). Arguments are as follows:
• router-side-ip-address subnet-mask—IP address and subnet mask for the interface.
• type number—Type and number of another serial interface on which the router has an assigned IP address. It cannot be another unnumbered interface. Serial interfaces using High Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, Serial Line Internet Protocol (SLIP), and tunnel interfaces can be unnumbered.
Step 5
service-module ip address module-side-ip-address subnet-mask
Example:
Router(config-if)# service-module ip address 10.30.30.9 255.255.255.0
Specifies the IP address for the module interface to the router (#3 in Figure 3).
Note
This is the trusted (eth0) interface of the Clean Access Server.
Arguments are as follows:
• module-side-ip-address—IP address for the interface
• subnet-mask—Subnet mask to append to the IP address; must be in the same subnet as the host router
Step 6
service-module external ip address external-ip-address subnet-mask
Example:
Router(config-if)# service-module external ip address 172.0.0.30 255.255.255.0
Specifies the IP address for the external LAN interface on the module (#4 in Figure 3).
Note
This is the untrusted (eth1) interface of the Clean Access Server.
Arguments are as follows:
• external-ip-address—IP address for the interface
• subnet-mask—Subnet mask to append to the IP address
Step 7
service-module ip default-gateway gateway-ip-address
Example:
Router(config-if)# service-module ip default-gateway 10.30.30.10
Specifies the IP address for the default gateway router for the module. The argument is as follows:
• gateway-ip-address—IP address for the gateway router
Step 8
end
Example:
Router(config-if)# end
Exits interface configuration mode and returns to privileged EXEC mode on the host router.
Step 9
copy running-config startup-config
Example:
Router# copy running-config startup-config
Saves the router's new running configuration.
Step 10
show running-config
Example:
Router# show running-config
Displays the router's running configuration, so that you can verify address configurations.
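As an added example that is not part of the Cisco guide, the following Python script parses the integrated-service-engine stanza that Steps 3 through 7 produce and checks the address relationships the procedure relies on: the module-side (CAS eth0) address must lie in the router-side subnet, and the module's default gateway is expected to be the router-side address, as in the step examples. The sample stanzas are constructed from the addresses used in the steps above; the second one deliberately contains two mistakes.

```python
"""Consistency check for an integrated-service-engine interface stanza.

Added example, not part of the Cisco guide.  It parses the stanza produced
by Steps 3 to 7 and verifies the address relationships the procedure relies
on: the module-side address (CAS eth0, trusted) must be in the router-side
subnet, and the module's default gateway is expected to be the router-side
address, as in the step examples.  Requires only the Python standard library.
"""
import ipaddress
import re

# Constructed sample using the addresses from the procedure's examples.
GOOD_CONFIG = """\
interface integrated-service-engine3/0
 ip address 10.30.30.10 255.255.255.0
 service-module ip address 10.30.30.9 255.255.255.0
 service-module external ip address 172.0.0.30 255.255.255.0
 service-module ip default-gateway 10.30.30.10
 no keepalive
end
"""

# Constructed sample with two mistakes: the module address is outside the
# router-side subnet, and the default gateway is not the router-side address.
BAD_CONFIG = """\
interface integrated-service-engine1/0
 ip address 10.30.30.10 255.255.255.0
 service-module ip address 10.30.31.9 255.255.255.0
 service-module ip default-gateway 10.30.30.1
end
"""

# 'ip address' is anchored at line start so it does not also match the
# 'service-module ip address' line.
_RE_ROUTER = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
_RE_UNNUMBERED = re.compile(r"^\s*ip unnumbered (\S+ \S+)", re.M)
_RE_MODULE = re.compile(r"^\s*service-module ip address (\S+) (\S+)", re.M)
_RE_EXTERNAL = re.compile(r"^\s*service-module external ip address (\S+) (\S+)", re.M)
_RE_GATEWAY = re.compile(r"^\s*service-module ip default-gateway (\S+)", re.M)


def _iface(match):
    """Turn an 'address mask' regex match into an IPv4Interface, or None."""
    if match is None:
        return None
    return ipaddress.ip_interface(f"{match.group(1)}/{match.group(2)}")


def parse_ise_stanza(text):
    """Extract router-side, module-side (eth0), external (eth1) and gateway."""
    unnumbered = _RE_UNNUMBERED.search(text)
    gateway = _RE_GATEWAY.search(text)
    return {
        "router": _iface(_RE_ROUTER.search(text)),
        "unnumbered": unnumbered.group(1) if unnumbered else None,
        "module": _iface(_RE_MODULE.search(text)),
        "external": _iface(_RE_EXTERNAL.search(text)),
        "gateway": ipaddress.ip_address(gateway.group(1)) if gateway else None,
    }


def check_ise_stanza(text):
    """Return a list of findings; an empty list means the stanza is consistent."""
    cfg = parse_ise_stanza(text)
    findings = []
    if cfg["module"] is None:
        return ["missing 'service-module ip address' (CAS eth0 has no address)"]
    if cfg["gateway"] is None:
        findings.append("missing 'service-module ip default-gateway'")
    if cfg["router"] is None:
        if cfg["unnumbered"] is None:
            findings.append("router side has neither 'ip address' nor 'ip unnumbered'")
        # With 'ip unnumbered' the router borrows another interface's address,
        # so the subnet and gateway checks cannot be made from this stanza alone.
        return findings
    router, module = cfg["router"], cfg["module"]
    if module.network != router.network:
        findings.append(f"module address {module} is not in the router-side "
                        f"subnet {router.network}")
    elif module.ip == router.ip:
        findings.append(f"module address {module.ip} duplicates the router-side address")
    if cfg["gateway"] is not None and cfg["gateway"] != router.ip:
        findings.append(f"module default gateway {cfg['gateway']} is not the "
                        f"router-side address {router.ip}")
    return findings


if __name__ == "__main__":
    for name, text in (("guide example", GOOD_CONFIG), ("constructed bad", BAD_CONFIG)):
        problems = check_ise_stanza(text)
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Feed it the stanza from show running-config interface integrated-service-engine slot/0; with ip unnumbered on the router side only the presence checks are made, since the borrowed address is not in the stanza.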
Examples
The following partial output from the show running-config command shows how the interfaces are configured.
NME-NAC-3845#sh run interface integrated-service-engine 3/0
Building configuration...

Current configuration : 197 bytes
!
interface integrated-service-engine3/0
 ip address 10.30.30.10 255.255.255.0
 service-module ip address 10.30.30.9 255.255.255.0
 service-module ip default-gateway 10.30.30.10
 no keepalive
end
Opening and Closing a Session
You can now open and close a session on the network module.
Note
• You can conduct only one session at a time.
• The first few steps open the host-router CLI and access the module. The subsequent steps configure the module. The last steps return you to the host-router CLI.
SUMMARY STEPS
From the Host-Router CLI
1. enable
2. service-module integrated-service-engine slot/0 status
3. service-module integrated-service-engine slot/0 session
From the Service-Module Interface
4. Perform the configuration detailed in Running Clean Access Server Software Configuration Utility.
5. Control-Shift-6 x
From the Host-Router CLI
6. service-module integrated-service-engine slot/0 session clear
DETAILED STEPS
Command or Action / Purpose
From the Host-Router CLI
Step 1
enable
Example:Router> enable
Enters privileged EXEC mode on the host router. Enter your password if prompted.
Step 2
service-module integrated-service-engine slot/0 status
Example:Router# service-module integrated-service-engine 2/0 status
Displays the status of the specified module, so that you can ensure that the module is running (that is, in steady state).
Note
If the module is not running, start it with one of the startup commands listed in the "Shutting Down and Starting Up Cisco NAC Network Module" section.
Step 3
service-module integrated-service-engine slot/0 session
Example:Router# service-module integrated-service-engine 1/0 session
Trying 10.10.10.1, 2065 ... Open
Begins a session on the specified module. Do one of the following:
•
To interrupt the auto-boot sequence and access the bootloader, quickly type ***. This should only be done if the machine cannot boot. In this case, refer to Re-Installing Cisco NAC Network Module Software for detailed steps.
•
To start a configuration session, press Enter.
From the Service-Module Interface
Step 4
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root
See Running Clean Access Server Software Configuration Utility for instructions on how to perform the initial configuration of the Clean Access Server software on the NAC network module.
Step 5
Press Control-Shift-6 x.
Closes the service-module session and returns to the router CLI.
Note
The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
From the Host-Router CLI
Step 6
service-module integrated-service-engine slot/0 session clear
Example:Router# service-module service-engine 1/0 session clear
Clears the service-module session for the specified module. When prompted to confirm this command, press Enter.
Running Clean Access Server Software Configuration Utility
The first time a session to the NAC network module is opened, the Clean Access Server quick configuration utility prompt appears. This section details the CAS Configuration Utility steps.
DETAILED STEPS
Command or Action / Purpose
From the Service-Module Interface
Step 1
root
Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root
Welcome to the Cisco Clean Access Server quick configuration utility.
Note that you need to be root to execute this utility.
The utility will now ask you a series of configuration questions. Please answer them carefully.
Cisco Clean Access Server, (C) 2008 Cisco Systems, Inc.
Please use ^H to delete
Configuring the network interfaces:
From the network module prompt, log into the Clean Access Server Configuration Utility as the root user.
The first time you log in, there is no password prompt.
Note
After the module is initially configured, you can bring up this Configuration Utility again by:
–
Starting a configuration session on the module and entering the NAC Appliance CLI command, service perfigo config.
–
Using SSH to connect to the module (CAS eth0 IP address) and entering service perfigo config
Step 2
module-side-ip-address
Example:Please enter the IP address for the interface eth0 [10.201.2.30]: 10.201.217.203
You entered 10.201.217.203 Is this correct? (y/n)? [y]
At the first prompt, type an IP address for the eth0 (trusted) interface of the CAS (from field a of the CAS Worksheet) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.
Note
The eth0 IP address of the CAS is the same as the Management IP address.
Step 3
module-side-ip-address subnet-mask
Example:Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0, is this correct? (y/n)? [y]
Type the subnet mask for the interface address (from field b) at the prompt or press Enter for the default (255.255.255.0). Confirm the value when prompted.
Step 4
service-module ip default-gateway
Example:Please enter the IP address for the default gateway [10.201.217.1]: 10.201.217.202
You entered 10.201.217.202 Is this correct? (y/n)? [y]
Accept the default gateway address or type a default gateway (from field c) for the eth0 address of the CAS and press Enter. Confirm the default gateway at the prompt.
Step 5
y-or-n
Example:[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]
At the VLAN ID Passthrough prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled as the default behavior of the CAS. By default, VLAN IDs are stripped from traffic passing through the interface to the CAS. Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network.
Note
In most cases, VLAN passthrough is not needed.
Step 6
y-or-n
Example:[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]
At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type Y and press Enter to enable Management VLAN tagging with the specified VLAN ID for the eth0 interface.
Note
Management VLAN tagging is necessary when the trusted side of the CAS is a trunk, such as in Virtual Gateway deployments. In this case, you will need to enable Management VLAN tagging and specify the VLAN ID to which the trusted interface of the CAS belongs.
Note
CAS eth0 interface settings are required for basic connection to the CAM. CAS eth1 interface settings can be reconfigured later from the CAM web console.
Step 7
external-ip-address
Example:Please enter the IP address for the untrusted interface eth1 [192.168.110.1]: 10.201.243.49
You entered 10.201.243.49 Is this correct? (y/n)? [y]
Type an IP address for the eth1 (untrusted) interface of the CAS (from field d) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.
Note
For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See the CAS guide for further details.
Step 8
external-ip-address-subnet-mask
Example:Please enter the netmask for the interface eth1 [255.255.255.0]: 255.255.255.240
You entered 255.255.255.240, is this correct? (y/n)? [y]
Type the subnet mask of the eth1 interface (from field e) or press Enter to accept the default of 255.255.255.0. Confirm the value when prompted.
Step 9
external-ip-address-default-gateway
Example:Please enter the IP address for the default gateway [10.201.243.1]: 10.201.243.49
You entered 10.201.243.49 Is this correct? (y/n)? [y]
Enter the default gateway address for the eth1 untrusted interface (from field f):
a.
If the CAS will be a Real-IP Gateway, this is the IP address of the CAS's untrusted interface eth1.
b.
If the CAS will be a Virtual Gateway, this can be the same default gateway address used for the trusted interface.
Step 10
y-or-n
Example:[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]
At the next prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled for the eth1 interface.
Step 11
y-or-n
Example:[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]
At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default) for the eth1 interface.
Step 12
clean-access-server-host-name
Example:Please enter the hostname [caserver]: cas-10
You entered cas-10 Is this correct? (y/n)? [y]
Type and confirm the host name for the Clean Access Server (from field g).
Step 13
dns-server-ip-address
Example:Please enter the IP address for the name server: [171.68.226.120]:
You entered 171.68.226.120 Is this correct? (y/n)? [y]
Type the IP address of the DNS server in your environment (from field h) at the prompt, or press Enter to accept the default.
Step 14
nac-shared-secret
Example:The shared secret used between Clean Access Manager and Clean Access Server is the default string: cisco123
This is highly insecure. It is recommended that you choose a string that is unique to your installation.
Please remember to configure all Clean Access Devices with the same string.
Only the first 8 characters supplied will be used.
Please enter the shared secret between Clean Access Server and Clean Access Manager: cisco1234
You entered: cisco1234
Is this correct? (y/n)? [y]
Type and confirm the shared secret for the CAM and CAS (from field i) at the prompts.
![]()
CautionThe shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the deployment. If they have different shared secrets, they cannot communicate.
Step 15
region-number
Example:>>> Configuring date and time:
The timezone is currently not set on this system.
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
1) Africa
2) Americas
3) Antarctica
4) Arctic Ocean
5) Asia
6) Atlantic Ocean
7) Australia
8) Europe
9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format.
#? 2
Specify time settings for the Clean Access Server (from field j) as follows:
Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.
Step 16
country-number
Example:Please select a country.
1) Anguilla 18) Ecuador 35) Paraguay
2) Antigua & Barbuda 19) El Salvador 36) Peru
3) Argentina 20) French Guiana 37) Puerto Rico
4) Aruba 21) Greenland 38) St Kitts & Nevis
5) Bahamas 22) Grenada 39) St Lucia
6) Barbados 23) Guadeloupe 40) St Pierre & Miquelon
7) Belize 24) Guatemala 41) St Vincent
8) Bolivia 25) Guyana 42) Suriname
9) Brazil 26) Haiti 43) Trinidad & Tobago
10) Canada 27) Honduras 44) Turks & Caicos Is
11) Cayman Islands 28) Jamaica 45) United States
12) Chile 29) Martinique 46) Uruguay
13) Colombia 30) Mexico 47) Venezuela
14) Costa Rica 31) Montserrat 48) Virgin Islands (UK)
15) Cuba 32) Netherlands Antilles 49) Virgin Islands (US)
16) Dominica 33) Nicaragua
17) Dominican Republic 34) Panama
#? 45
The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 45 for the United States, and press Enter.
Step 17
timezone-number
Example:Please select one of the following time zone regions.
1) Eastern Time
2) Eastern Time - Michigan - most locations
3) Eastern Time - Kentucky - Louisville area
4) Eastern Time - Kentucky - Wayne County
5) Eastern Time - Indiana - most locations
6) Eastern Time - Indiana - Crawford County
7) Eastern Time - Indiana - Starke County
8) Eastern Time - Indiana - Switzerland County
9) Central Time
10) Central Time - Indiana - Daviess, Dubois, Knox, Martin, Perry & Pulaski Counties
11) Central Time - Indiana - Pike County
12) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties
13) Central Time - North Dakota - Oliver County
14) Central Time - North Dakota - Morton County (except Mandan area)
15) Mountain Time
16) Mountain Time - south Idaho & east Oregon
17) Mountain Time - Navajo
18) Mountain Standard Time - Arizona
19) Pacific Time
20) Alaska Time
21) Alaska Time - Alaska panhandle
22) Alaska Time - Alaska panhandle neck
23) Alaska Time - west Alaska
24) Aleutian Islands
25) Hawaii
#? 19
If the country contains more than one time zone, the time zones for the country appear.
Choose the appropriate time zone region from the list, such as 19 for Pacific Time, and press Enter.
Step 18
confirmation-number
Example:The following information has been given:
United States
Pacific Time
Is the above information OK?
1) Yes
2) No
#? 1
Updating timezone information...
Confirm your choices by entering 1, or use 2 to cancel and start over.
Step 19
y-or-n
or
hh:mm:ss mm/dd/yy
Example:Current date and time hh:mm:ss mm/dd/yy [11:23:33 08/22/08]: 11:26:33 08/22/08
You entered 11:26:33 08/22/08 Is this correct? (y/n)? [y]
Type and confirm the current date and time, using format hh:mm:ss mm/dd/yy.
Note
The time set on the CAS must fall within the creation date/expiry date range set on the CAM's SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS's SSL certificate.
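A clock outside the certificate's validity window is a common reason the admin or end-user login fails after initial setup. The following added example (not Cisco's code) shows the check the note describes: it parses the notBefore/notAfter lines that openssl x509 -noout -dates prints for a certificate together with a clock value in the configuration utility's hh:mm:ss mm/dd/yy format, and reports whether the clock lies inside the window. The certificate dates below are constructed for the example, and the clock is treated as UTC; when the appliance keeps local time, apply its time zone offset first.

```python
"""Clock-versus-certificate window check for the CAM and CAS SSL certificates.

Added example, not Cisco's code. The note above requires the CAS clock to fall
inside the validity period of the CAM's SSL certificate (and the end user's
clock inside the CAS certificate's period). This parses the notBefore/notAfter
lines that 'openssl x509 -noout -dates' prints and a clock value in the
configuration utility's hh:mm:ss mm/dd/yy format, and reports whether the
clock lies inside the window. Assumptions: the sample certificate dates are
constructed, and the clock is treated as UTC.
"""
from datetime import datetime, timezone

# Constructed sample of 'openssl x509 -noout -dates' output (not from a real certificate).
SAMPLE_DATES_OUTPUT = """notBefore=Aug 22 11:26:33 2008 GMT
notAfter=Aug 22 11:26:33 2009 GMT
"""


def parse_openssl_dates(text):
    """Return (not_before, not_after) as UTC datetimes from 'openssl x509 -dates' output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # OpenSSL pads single-digit days with a space ('Aug  2 ...'); collapse it.
            normalized = " ".join(value.split())
            parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z")
            found[key] = parsed.replace(tzinfo=timezone.utc)
    if "notBefore" not in found or "notAfter" not in found:
        raise ValueError("notBefore/notAfter lines not found in openssl output")
    return found["notBefore"], found["notAfter"]


def parse_cas_clock(value):
    """Parse the 'hh:mm:ss mm/dd/yy' value the configuration utility asks for (treated as UTC)."""
    return datetime.strptime(value, "%H:%M:%S %m/%d/%y").replace(tzinfo=timezone.utc)


def clock_within_certificate(clock, dates_output):
    """Return (ok, message) telling whether 'clock' lies inside the certificate's validity window."""
    not_before, not_after = parse_openssl_dates(dates_output)
    t = parse_cas_clock(clock)
    fmt = "%Y-%m-%d %H:%M:%S"
    if t < not_before:
        return False, f"clock {t:{fmt}} is before notBefore {not_before:{fmt}}: logins would fail"
    if t > not_after:
        return False, f"clock {t:{fmt}} is after notAfter {not_after:{fmt}}: certificate expired"
    return True, f"clock {t:{fmt}} is inside the window {not_before:{fmt}} to {not_after:{fmt}}"


if __name__ == "__main__":
    for clock in ("11:26:33 08/22/08", "11:26:32 08/22/08", "00:00:00 01/01/10"):
        print(clock, "->", clock_within_certificate(clock, SAMPLE_DATES_OUTPUT)[1])
```

To use it against a real certificate, feed it the text that openssl x509 -noout -dates -in <certificate file> prints and the clock value you intend to set in Step 19.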
Step 20
<certificate fields>
Example:You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.201.217.203
Enter organization unit name: Test
Enter organization name: Cisco Systems
Enter city name: San Jose
Enter state code: California
Enter 2 letter country code: US
Follow the prompts to configure the temporary SSL security certificate that secures the login exchange between the Clean Access Server and untrusted (managed) clients (using field k):
a.
For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, Perfigo).
b.
For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter.
c.
Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter.
d.
Type the two-character state code in which the organization is located (for example, California or NY), and press Enter.
e.
Type the two-letter country code (for example, US), and press Enter.
Step 21
y-or-n
Example:You entered the following:
Domain: 10.201.217.203
Organization unit: Test
Organization name: Cisco Systems
City name: San Jose
State code: California
Country code: US
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done
Confirm the values and press Enter to generate the SSL certificate, or type n to restart.
Step 22
y-or-n
Example:Enable Prelogin Banner Support? (y/n)? [n]
Confirm whether to enable the Pre-login Banner for admin users before they log into the CAS (Release 4.5 and later).
Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS. See the installation chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 for details.
Step 23
root-user-password
Example:For security reasons, it is highly recommended that you change the password for the root user.
** Please enter a valid password for root user as per the requirements below! **
Changing password for user root.
You can now choose the new password.
A valid password should be a mix of upper and lower case letters, digits, and other characters. Minimum of 8 characters and maximum of 16 characters with characters from all of these classes. Minimum of 2 characters from each of the four character classes is mandatory. An upper case letter that begins the password and a digit that ends it do not count towards the number of character classes used.
Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.
Type the root user password for the installed Linux operating system of the CAS (from field l). The root user account is used to access the system over direct/serial/SSH connection.
Starting from Release 4.5, the default root user password (cisco123) is removed, and Cisco NAC Appliance supports Strong Passwords only for root user login. Passwords must be at least 8 characters long and contain at least two characters from each of the following four categories: lower-case letters, upper-case letters, numbers (digits), and special characters (such as !@#$%^&*~).
For example, 1o-9=OnE is a valid password, but the password 10-9=One does not satisfy requirements because it does not contain two characters from each category. For further details, see the "Manage System Passwords" section in the "Administer the CAM" chapter of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5.
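The rule that a leading upper-case letter and a trailing digit do not count towards the character classes is easy to miss when choosing a password for field l. The following added example (not Cisco's code) implements the policy exactly as the page states it, including that rule, and reproduces the page's two examples (1o-9=OnE accepted, 10-9=One rejected) so that a candidate password can be checked before it is typed at the prompt.

```python
"""Validator for the CAS root password rules quoted in Step 23.

Added example, not Cisco's code: it implements the rules as the page states
them. Length 8 to 16 characters, at least two characters from each of the four
classes (lower-case letters, upper-case letters, digits, other characters),
and an upper-case letter that begins the password or a digit that ends it does
not count towards the classes.
"""
import string

LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)


def password_problems(password):
    """Return a list of rule violations; an empty list means the password satisfies the policy."""
    problems = []
    n = len(password)
    if n < 8 or n > 16:
        problems.append(f"length {n} is outside 8..16")

    # A leading upper-case letter and a trailing digit are ignored when counting classes.
    core = password
    if core and core[0] in UPPER:
        core = core[1:]
    if core and core[-1] in DIGITS:
        core = core[:-1]

    counts = {
        "lower-case letters": sum(1 for c in core if c in LOWER),
        "upper-case letters": sum(1 for c in core if c in UPPER),
        "digits": sum(1 for c in core if c in DIGITS),
        "other characters": sum(1 for c in core if c not in LOWER | UPPER | DIGITS),
    }
    for name, count in counts.items():
        if count < 2:
            problems.append(f"only {count} {name} (2 required)")
    return problems


def is_valid_root_password(password):
    """True when the password meets every rule the page states."""
    return not password_problems(password)


if __name__ == "__main__":
    # The page's two examples, plus one that fails only because of the leading-upper rule.
    for candidate in ("1o-9=OnE", "10-9=One", "Ab1-cd2=E"):
        print(candidate, "->", password_problems(candidate) or "valid")
```

The third candidate in the demonstration, Ab1-cd2=E, has two upper-case letters in total but is rejected because the leading A is not counted, which is the behaviour the passwd output above describes.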
Step 24
web-console-admin-password
Example:Please enter an appropriately secure password for the web console admin user.
New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.
Type the admin user password for the CAS direct access web console (from field m). The CAS web console provides limited CAS-specific settings, and is primarily used to set up High Availability.
Step 25
reboot
Example:Configuration is complete.
[root@NME-NAC ~]# reboot
Broadcast message from root (ttyS0) (Fri Aug 22 11:45:36 2008):
The system is going down for reboot NOW!
[root@cas-10 ~]#
After the configuration is complete, wait for the prompt, then type reboot to reboot the CAS.
Note
If you used service perfigo config to start the configuration utility, you must type service perfigo reboot or reboot and press Enter to reboot the machine after configuration.
The CAS initial configuration is now complete.
Step 26
From CAS:
ping cam-ip-address
From CAM (ping CAS eth0 address):
ping 10.201.217.203 ...
Ping the CAM from the CAS to verify that the CAM and CAS can ping (route) to each other.
From Web Browser Interfaces
Step 27
https://<CAS IP address>/admin
Type the CAS IP address into the URL/address field of a web browser to verify that you can log into the CAS web console. You will need the admin user password you configured in Step 24.
Note
Make sure to type "https" and "/admin" in the CAS URL or you will get the end user portal.
Step 28
http://<CAM IP address>/admin
Log into the CAM web console by typing the CAM IP address into the URL/address field of a web browser.
From the CAM web console:
•
Add the NAC network module license under Administration > CCA Manager > Licensing as described in Cisco NAC Appliance Service Contract / Licensing Support.
•
Add the CAS to the CAM as described in:
Cisco NAC Appliance Configuration Quick Start Guide, or
Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide (applicable to your release)
From the Service-Module Interface
Step 29
Press Control-Shift-6 x.
Closes the service-module session and returns to the router CLI.
Note
The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
From the Host-Router CLI
Step 30
service-module integrated-service-engine slot/0 session clear
Example:Router# service-module service-engine 1/0 session clear
Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.
Important Notes for SSL Certificates
•
You must generate the temporary SSL certificates during the initial configuration of both the CAM and CAS or you will not be able to access your NAC Appliance as an admin or end user.
•
Before deploying the CAM or CAS in a production environment, you can obtain a trusted certificate from a Certificate Authority to replace the temporary certificate. A CA-signed certificate for the CAS prevents the security warning when end users log in and a CA-signed certificate for the CAM prevents the admin web login security warning.
•
Make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. For further details see the "Set System Time" and "Manage SSL Certificates" sections of the CAM and CAS guides.
How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module
This section contains the following information:
•
Shutting Down and Starting Up Cisco NAC Network Module
•
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
•
Re-Installing Cisco NAC Network Module Software
Note
•
The tables in these sections show only common router and network module commands.
–
To view a complete list of available commands, type ? at the prompt (Example: Router(config-if)# ?).
–
To view a complete list of command keyword options, type ? at the end of the command (Example: Router# service-module integrated-service-engine ?).
•
The tables group commands by the configuration mode in which they are available. If the same command is available in more than one mode, it may act differently in each mode.
Shutting Down and Starting Up Cisco NAC Network Module
To shut down or start up the Cisco NAC network module or the Clean Access Server application that runs on the module, use commands as needed from the following list of common router and network module commands (Table 6).
Note
•
Some shutdown commands can potentially disrupt service. If command output for such a command displays a confirmation prompt, confirm by pressing Enter or cancel by typing n and pressing Enter. Alternatively, prevent the prompt from displaying by using the no-confirm keyword.
•
Some commands shut the module or application down and then immediately restart it.
Verifying System Status
To verify the status of an installation, upgrade, or downgrade or to troubleshoot problems, use commands as needed from the following list of common router and network module commands (Table 7).
Note
Among keyword options for many show commands is provision to display diagnostic output on your screen or to pipe it to a file or a URL.
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
To upgrade the Cisco NAC Network Module to the latest supported Cisco NAC Appliance release, a single product upgrade file (cca_upgrade-<version>.tar.gz) is uploaded and applied to the CAS. This section describes the following upgrade procedures:
Note
Clean Access Manager/Server appliances and Cisco NAC Network Modules in your deployment must all run the same version of the Cisco NAC Appliance software.
Note
Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.
Note
Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.
Note
Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.
See Restrictions for Cisco NAC Network Module for additional information.
CAS Upgrade via CLI
You can upgrade the CAS on your NAC network module by using the command line upgrade procedure described in this section.
Note
If upgrading to Cisco NAC Appliance Release 4.5 or later, you must use the command line upgrade procedure only.
SUMMARY STEPS
From the Host-Router CLI
1.
enable
2.
service-module integrated-service-engine slot/0 status
3.
service-module integrated-service-engine slot/0 session
From the Service-Module Interface
4.
Perform the upgrade procedure described in DETAILED STEPS (CAS UPGRADE).
5.
Control-Shift-6 x
From the Host-Router CLI
6.
service-module integrated-service-engine slot/0 session clear
DETAILED STEPS (CAS UPGRADE)
Command or Action / Purpose
Step 1
a.
Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.
b.
Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.
c.
Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>."
d.
Locate the product upgrade (.tar.gz) file for the applicable version:
•
cca_upgrade-<version>.tar.gz
•
nme-nac-upgrade-<version>-from-4.6.x.tar.gz (for upgrading from 4.6(1) to 4.8(x))
•
cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz (for upgrading from 4.8 to 4.8(x))
•
nme-nac-upgrade-<version>-from-4.8.x.tar.gz (for upgrading from 4.8(x) to 4.9)
•
nme-nac-upgrade-<version>-from-4.8.x-4.9.x.tar.gz (for upgrading from 4.8(x) or 4.9(x) to 4.9(1) or 4.9(2))
e.
Download and save this file to a local machine that can access the NAC network module over the network.
Note
For Release 4.5, the upgrade file name is cca_upgrade-4.5.0-NO-WEB.tar.gz
Download the Cisco NAC Appliance product upgrade file.
From the Service-Module Interface
Step 2
root
Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root
From the network module prompt, log into the Clean Access Server Configuration Utility as the root user to access the command line of the CAS.
Step 3
cat /perfigo/build
Example:[root@cas128 ~]# cat /perfigo/build
VERSION=4.1.2.1
NAME=Clean Access Server
DATE=2007/09/07
Verify the current Cisco NAC Appliance software version on the CAS.
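The installed version read here decides which upgrade file applies and whether the upgrade path is supported at all, and the two /perfigo/build outputs on this page do not share a layout (Step 3 has a VERSION= line, the Step 9 output only a BUILD_TAG=). The following added example (not Cisco's code) parses either layout and checks a requested target release against the rules this page states: 4.1.2.1 as the minimum mandatory version, web upgrade only up to Release 4.1(6), Release 4.8 reached from 4.6(1) only (with a separate file for 4.8 to 4.8(x)), and Release 4.9(x) reached from 4.8(x) only (4.8(x) or 4.9(x) for 4.9(1) and 4.9(2)); the file names come from the list in Step 1. The build-file texts are constructed from the page's examples, and the "target is not newer" check is an added sanity test rather than a page rule.

```python
"""Pre-flight check for upgrading the CAS on the NAC network module.

Added example, not Cisco's code. It reads the two /perfigo/build layouts this
page shows and checks a requested target release against the upgrade-path
rules stated on this page, returning the upgrade file name from the Step 1
list when the path is supported. The build-file samples are constructed from
the page's examples.
"""
import re

MINIMUM_VERSION = (4, 1, 2, 1)       # "Release 4.1.2.1 is the minimum mandatory version"
LAST_WEB_UPGRADE_TARGET = (4, 1, 6)  # web upgrade supported for 4.1(6) or earlier only

# Constructed samples shaped like the two /perfigo/build outputs on the page.
BUILD_FILE_WITH_VERSION = "VERSION=4.1.2.1\nNAME=Clean Access Server\nDATE=2007/09/07\n"
BUILD_FILE_TAG_ONLY = ("NAME=Clean Access Server\nDATE=2008/10/20\n"
                       "BUILD_TAG=NAC-4_5_0-RC9\nBUILD_INFO=Experimental\n")


def parse_version(text):
    """'4.1.2.1', '4.9(1)' or '4_5_0' -> tuple of ints padded to at least three parts."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"no version number in {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def version_from_build_file(text):
    """Installed version from /perfigo/build contents, preferring VERSION= over BUILD_TAG=."""
    fields = dict(line.split("=", 1) for line in text.splitlines() if "=" in line)
    if "VERSION" in fields:
        return parse_version(fields["VERSION"])
    tag = re.search(r"NAC-(\d+(?:_\d+)+)", fields.get("BUILD_TAG", ""))
    if tag:
        return parse_version(tag.group(1))
    raise ValueError("neither VERSION= nor a NAC-x_y_z BUILD_TAG= line found")


def upgrade_plan(current, target, via_web=False):
    """Return (allowed, reason, upgrade_file) for moving from 'current' to 'target'."""
    cur, tgt = parse_version(current), parse_version(target)
    dotted = ".".join(str(n) for n in tgt)
    if cur < MINIMUM_VERSION:
        return False, f"{current} is below the minimum mandatory version 4.1.2.1", None
    if tgt <= cur:
        return False, f"target {target} is not newer than installed {current}", None
    if via_web and tgt > LAST_WEB_UPGRADE_TARGET:
        return False, "web upgrade is supported only up to Release 4.1(6); use the CLI procedure", None
    if tgt[:2] == (4, 8):
        if cur[:3] == (4, 6, 1):
            return True, "4.6(1) to 4.8(x)", f"nme-nac-upgrade-{dotted}-from-4.6.x.tar.gz"
        if cur[:3] == (4, 8, 0):
            return True, "4.8 to 4.8(x)", f"cca_upgrade-{dotted}-from-4.7.x-4.8.x.tar.gz"
        return False, "Release 4.8 is reached only from 4.6(1); upgrade to 4.6(1) first", None
    if tgt[:2] == (4, 9):
        if cur[:2] == (4, 8):
            suffix = "from-4.8.x" if tgt[2] == 0 else "from-4.8.x-4.9.x"
            return True, "4.8(x) to 4.9(x)", f"nme-nac-upgrade-{dotted}-{suffix}.tar.gz"
        if cur[:2] == (4, 9) and tgt[2] in (1, 2):
            return True, "4.9(x) to 4.9(1)/4.9(2)", f"nme-nac-upgrade-{dotted}-from-4.8.x-4.9.x.tar.gz"
        return False, "Release 4.9(x) is reached only from 4.8(x)", None
    if tgt[:3] == (4, 5, 0):
        return True, "4.5 is a CLI-only upgrade", "cca_upgrade-4.5.0-NO-WEB.tar.gz"
    return True, "no page-specific restriction; check the release notes", f"cca_upgrade-{dotted}.tar.gz"


if __name__ == "__main__":
    installed = version_from_build_file(BUILD_FILE_TAG_ONLY)
    print("installed:", ".".join(map(str, installed)))
    for target in ("4.6(1)", "4.8", "4.9(1)"):
        print(target, "->", upgrade_plan(".".join(map(str, installed)), target))
```

On a module, replace the constructed sample with the text of cat /perfigo/build; a plan that comes back with allowed set to False means the release notes have to be consulted for an intermediate step before the file is copied to /store.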
Step 4
Copy the upgrade file to /store directory of the CAS.
Example:If using WinSCP or SSH File Transfer:
a.
Copy cca_upgrade-<version>.tar.gz to the /store directory of the CAS.
If using PSCP:
a.
Open a command prompt on your Windows computer.
b.
Change directory to the path where your PSCP resides (e.g., C:\Documents and Settings\desktop).
c.
Enter the following command to copy the file to the CAS (copy to each CAS):
pscp cca_upgrade-4.5.0-NO-WEB.tar.gz root@ipaddress_server:/store
Copy the upgrade file to the /store directory of the CAS using WinSCP, SSH File Transfer or PSCP.
Step 5
cd /store
ls
Example:[root@cas128 ~]# cd /store
[root@cas128 store]# ls
cca_upgrade-4.5.0-NO-WEB.tar.gz
On the CAS, change directory to /store and verify the upgrade package is there.
Step 6
tar zxf cca_upgrade-<version>.tar.gz
ls
Example:[root@cas128 store]# tar xzf cca_upgrade-4.5.0-NO-WEB.tar.gz
[root@cas128 store]# ls
cca_upgrade-4.5.0 cca_upgrade-4.5.0-NO-WEB.tar.gz upload
[root@cas128 store]#
Extract the contents of the upgrade file.
Step 7
cd cca_upgrade-<version>
./UPGRADE.sh
Example:[root@cas128 store]# cd cca_upgrade-4.5.0
[root@cas128 cca_upgrade-4.5.0]# ls
agent-version.sh checksum.txt notes.html version.sh
cam-4.5.x-upgrade.sh checksum.txt.sig RPMS
cas-4.5.x-upgrade.sh dmidecode showstate.sh
cca_upgrade-4.1.6.tar.gz initrd.img UPGRADE.sh
[root@cas128 cca_upgrade-4.5.0]# ./UPGRADE.sh
...stopping CCA Server...
BaseAgent process stopped!
Stopping DHCP...
In Maintenance Mode...
Welcome to the CCA Server migration utility.
...Upgrading to newer rpms of 4.5.0...done.
...Upgrading CCA files... done
Clearing Tomcat cache...checking ssl configuration...done.
[root@cas128 cca_upgrade-4.5.0]#
Change to the /cca_upgrade-<version> directory and execute the upgrade process.
Step 8
[root@cas128 cca_upgrade-4.5.0]# reboot
Example:[root@cas128 cca_upgrade-4.5.0]# reboot
Broadcast message from root (pts/0) (Tue Oct 21 18:49:00 2008):
The system is going down for reboot NOW!
[root@cas126 cca_upgrade-4.5.0]#
Reboot the CAS after upgrade is complete.
Step 9
cat /perfigo/build
Example:[root@cas128 ~]# cat /perfigo/build
NAME=Clean Access Server
DATE=2008/10/20
AUTHOR=rachnar
BUILD_TAG=NAC-4_5_0-RC9
BUILD_INFO=Experimental
BUILT_ON=mercury
REBUILD_COUNT=0
Verify the new build after the CAS reboot.
Step 10
Press Control-Shift-6 x.
Close the service-module session and return to the router CLI.
Note
The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.
From the Host-Router CLI
Step 11
service-module integrated-service-engine slot/0 session clear
Example:Router# service-module service-engine 1/0 session clear
Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.
CAS Upgrade via Web Console
If upgrading the CAS on your NAC network module to Cisco NAC Appliance Release 4.1(6) or earlier only, you can use the same web upgrade procedure used to upgrade standalone CAS appliances as described in the "Upgrading" section of the applicable Release Notes for Cisco NAC Appliance.
Note
Cisco NAC Appliance Release 4.5 (and later) does not support web upgrade. Refer to the Release Notes for Cisco NAC Appliance, Release 4.5 for details.
CAS Web Upload
•
If upgrading to Release 4.1.6 or earlier and the upgrade file is uploaded via CAS web upload on a 4.1.6 or earlier CAS, it is placed in /store/upload. The web uploaded file will also have a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz).
•
If Release 4.5 is already installed and an upgrade file is uploaded via CAS web upload on a 4.5 CAS, it is placed in /store for Release 4.5 and later. The web uploaded file also has a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz).
•
If upgrading from Release 4.1.x to Release 4.5, web upload of upgrade files to the CAS is not supported.
•
If upgrading from Release 4.6(1) to Release 4.8(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.6.x.tar.gz
•
If upgrading from Release 4.8 to Release 4.8(x), the web uploaded file is cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz
•
If upgrading from Release 4.8(x) to Release 4.9(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.8.x.tar.gz
Re-Installing Cisco NAC Network Module Software
By default, the Cisco NAC Network Module is preconfigured to load the operating system and Clean Access Server software from the onboard flash. In most cases, the administrator will only need to perform the initial Clean Access Server configuration of the network module, then can use the normal Cisco NAC Appliance upgrade procedure to later upgrade the software on the module. See Configuring and Administering Cisco NAC Appliance for additional information.
If the machine is corrupt or cannot be booted, you can interrupt and change the boot process (by entering ***) in order to reimage the entire system. This process requires downloading the boot helper and image files separately from the Cisco Secure Software site, and configuring a TFTP server so that the boot helper can be loaded onto the network module from the network.
In this case, two items of boot software may be used:
•
Bootloader—A small set of system software that runs when the system first powers up. In normal operation, it automatically loads the operating system from compact flash, which in turn loads and runs the Clean Access Server application. In case of disaster recovery, the bootloader process can optionally be interrupted and reconfigured to load the boot helper from the network via a TFTP server.
•
Boothelper—A small subset of the system software that runs on the module. It boots the module from the network and assists in disaster recovery and other operations when the module cannot access its software.
This section contains the following information:
•
Re-Imaging the Network Module
•
Running Clean Access Server Software Configuration Utility
•
Shutting Down and Starting Up Cisco NAC Network Module
Re-Imaging the Network Module
Re-installing the network module involves installing, configuring, and starting a boothelper image. The boothelper, in turn, starts the Cisco NAC Appliance software installation on the NAC network module and brings up the Clean Access Server Configuration Utility which will prompt you through the configuration of the CAS.
Prerequisites
•
Have available the IP address of your TFTP file server.
SUMMARY STEPS
From the Host-Router CLI
1.
Download the required software.
2.
service-module integrated-service-engine slot/0 reset
3.
service-module integrated-service-engine slot/0 session, ***
From the Service-Module Interface
4.
config
5.
show config
6.
boot helper
7.
Follow boothelper instructions for installing software.
8.
Control-Shift-6 x
From the Host-Router CLI
9.
service-module integrated-service-engine slot/0 session clear
DETAILED STEPS
Step 1
Download the Cisco NAC Network Module installation-package files (boothelper image and installation image):
a.
Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.
b.
Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.
c.
Navigate to the appropriate release folder (4.1.2.1 or later), for example, "Cisco NAC Appliance Software <version>."
d.
Locate the NME-NAC image files for the applicable version:
•
nme-nac-helper-<version>-K9
•
nme-nac-install-<version>-K9.img
e.
Verify the checksum of each downloaded file against the value shown on the download page, then place the files on your TFTP file server.
Note
If NME-NAC images are not available for a specific minor release, you can install the latest available image for the major version, and use the CAS upgrade procedure to upgrade the Cisco NAC Network Module to the minor release. For more information, refer to Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module.
From the Host-Router CLI
Step 2
enable
Example:
Router> enable
Enter privileged EXEC mode on the host router. Enter your password if prompted.
Step 3
service-module integrated-service-engine slot/0 reset
Example:
Router# service-module integrated-service-engine 1/0 reset
After the download completes, reset the network module.
Step 4
service-module integrated-service-engine slot/0 session
***
Example:
Router# service-module integrated-service-engine 1/0 session
***
If the reset does not leave you at the bootloader prompt, open a session to the module and type *** as soon as the boot messages appear to interrupt the auto-boot sequence and enter the bootloader.
From the Service-Module Interface
Step 5
config
Example:
ServicesEngine boot-loader> config
IP Address [10.201.243.18] >
Subnet mask [255.255.255.240] > 255.255.255.240
TFTP server [10.201.210.15] >
Gateway [10.201.243.17] > 10.201.243.17
Default Helper-file [nme-nac-helper-4.5_0-K9] > nme-nac-helper-4.5_0-K9
Ethernet interface [external|internal] [internal] > internal
External interface media [copper|fiber] [copper] > copper
Debug Statements [enable|disable] [disabled] >
Default Boot [none|disk|compactflash|chainloader] [chainloader] >
Default bootloader [primary|secondary] [primary] > primary
Updating flash with bootloader configuration: 1
Please wait ................done.
Configure the bootloader to load and launch the boothelper.
Prompts to configure the bootloader interface appear in the order listed. For each, enter a value or accept the previously stored value that appears inside square brackets by pressing Enter.
•
IP address—The trusted interface (eth0) address of your NAC network module (the service-module address)
•
Subnet mask—eth0 netmask of your NAC network module
•
TFTP server—TFTP file-server IP address
•
Gateway—Gateway-router IP address (normally the IP address of the ISR), that is, the address the ISR uses to communicate with your NAC network module
•
Default Helper-file—Default boothelper image filename: nme-nac-helper-<version>-K9
•
Ethernet interface: internal or external—Choose internal for the NAC network module
•
External interface media—Choose copper for the NAC network module
•
Debug Statements—Leave as disabled (default)
•
Default Boot—Choose chainloader as the default boot option for the NAC network module
•
Default bootloader—Choose primary as the default bootloader file to be used on subsequent boots of the NAC network module
Step 6
show config
Example:
ServicesEngine boot-loader> show config
(Optional) Verify your bootloader configuration settings.
Step 7
boot helper
Example:
ServicesEngine boot-loader> boot helper
After the new configuration finishes writing, start the boothelper at the boot prompt.
Step 8
1
Example:
Welcome to the NME-NAC Installer
1 Install everything
2 Install compact flash only
3 Verify Install
4 Root shell
5 Reboot
Please select install option: 1
Creating partitions with fdisk...
Follow the boothelper instructions. The helper presents the following options:
1.
Install everything
2.
Install compact flash only
3.
Verify Install
4.
Root shell
5.
Reboot
Enter 1 to install everything. Option 4 (Root shell) gives a root shell on the module directly from the boothelper menu; anyone who can open a service-module session from the host router and interrupt the boot can reach it, so treat access to the host router's console and VTY lines as equivalent to root access on the module.
Step 9
(Virtual Gateway only)
eth0 IP address
subnet mask
default gateway
Example:
Please enter the IP address for the interface eth0: 10.201.243.18
You entered 10.201.243.18 Is this correct? (y/n)? [y]
Please enter the netmask for the interface eth0: 255.255.255.240
You entered 255.255.255.240, is this correct? (y/n)? [y]
Please enter the IP address for the default gateway: 10.201.243.17
You entered 10.201.243.17 Is this correct? (y/n)? [y]
Creating partitions with fdisk...
If installing on a previously configured Virtual Gateway system, you will additionally be asked for the eth0 IP address, netmask, and gateway.
Step 10
nme-nac-install-<version>-K9.img
Example:
Please enter the Image name: nme-nac-install-4.5_0-K9.img
You entered nme-nac-install-4.5_0-K9.img Is this correct? (y/n)? [y]
After partitioning and formatting the hard disk, the helper asks two more questions (image name and TFTP server address).
Type the image name (for example, nme-nac-install-<version>-K9.img) and press Enter.
Confirm that this is correct by typing y and pressing Enter.
Step 11
TFTP server IP address
Example:
Please enter the IP address for the tftp server: 10.201.210.15
You entered 10.201.210.15 Is this correct? (y/n)? [y]
Transferring Image now
Done!
Success!
Type the IP address of your TFTP server.
Confirm that this is correct by typing y and pressing Enter.
The helper then transfers the image. The image is large and the transfer takes a long time. After the image is transferred, the helper displays status as the RPMs are installed.
Step 12
Press Enter
Example:
Press enter to reboot
At the reboot prompt, press the Enter key and the NAC network module reboots.
Step 13
root
Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root
On the next boot, the network module login prompt appears. Log in as root.
The standard Clean Access Server Configuration Utility questions are then asked. Follow the instructions in Running Clean Access Server Software Configuration Utility to complete the CAS configuration, and choose a strong root password when the utility prompts for one.
Step 14
reboot
After completing the Configuration Utility, at the prompt, reboot your NAC network module.
On next reboot, the NAC network module installation is complete.
Step 15
Press Control-Shift-6 x.
Close the session by pressing Control-Shift-6 x.
From the Host-Router CLI
Step 16
service-module integrated-service-engine slot/0 session clear
Example:
Router# service-module integrated-service-engine 1/0 session clear
From the host-router CLI, clear the session.
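Staging the files for Step 1, as an added example that is not part of this guide or of the Cisco software: a POSIX shell script that refuses to copy the boothelper and install image into the TFTP root unless each file's SHA-256 digest matches a manifest you copied from the Cisco download page. The manifest format ("<hex digest>  <filename>" per line), the function names and the directory layout are assumptions made for the example; the digests in the demonstration belong to constructed stand-in files, not to real Cisco images.

```bash
#!/bin/sh
# Added example, not from the Cisco guide. Stage the NME-NAC boothelper and
# install image into the TFTP root only after each file's SHA-256 digest
# matches a manifest (assumed format: "<hex digest>  <filename>" per line,
# copied by hand from the digests shown on the Cisco download page).

# Print the SHA-256 hex digest of one file, using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# stage_images MANIFEST DOWNLOAD_DIR TFTP_ROOT
# Exit status 0: every listed file exists, matches its digest, and was copied
# read-only into TFTP_ROOT. Exit status 1: at least one file is missing or
# mismatched, and nothing was copied (all-or-nothing staging keeps a
# half-correct TFTP root from ever being offered to the bootloader).
stage_images() {
    manifest="$1"; src="$2"; root="$3"
    failed=0
    while read -r expected name || [ -n "$name" ]; do
        if [ -z "$name" ]; then continue; fi
        if [ ! -f "$src/$name" ]; then
            echo "MISSING  $name" >&2
            failed=1
            continue
        fi
        actual=$(sha256_of "$src/$name")
        if [ "$actual" = "$expected" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name expected=$expected actual=$actual" >&2
            failed=1
        fi
    done < "$manifest"
    if [ "$failed" -ne 0 ]; then return 1; fi
    mkdir -p "$root"
    while read -r expected name || [ -n "$name" ]; do
        if [ -z "$name" ]; then continue; fi
        cp "$src/$name" "$root/$name"
        chmod 0444 "$root/$name"   # the bootloader only reads these files
    done < "$manifest"
    return 0
}

# --- Demonstration with constructed stand-in files ---------------------------
# The stand-ins hold the bytes "abc" and nothing at all; the digests in the
# manifest are the well-known SHA-256 values of those inputs, not of any
# real Cisco image.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/nme-nac-helper-4.5_0-K9"
: > "$demo_dir/nme-nac-install-4.5_0-K9.img"
cat > "$demo_dir/manifest.sha256" <<'EOF'
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  nme-nac-helper-4.5_0-K9
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  nme-nac-install-4.5_0-K9.img
EOF

if stage_images "$demo_dir/manifest.sha256" "$demo_dir" "$demo_dir/tftpboot"; then
    echo "staged into $demo_dir/tftpboot"
fi

# Simulate a tampered or stale download: one extra byte must block staging.
printf 'abcd' > "$demo_dir/nme-nac-helper-4.5_0-K9"
if stage_images "$demo_dir/manifest.sha256" "$demo_dir" "$demo_dir/tftpboot-2"; then
    echo "unexpected: tampered file was staged"
else
    echo "refused to stage: tampered file detected"
fi
```

Run it as `sh stage.sh` on the host that serves TFTP, pointing `stage_images` at your real manifest, download directory and TFTP root; the bootloader only ever sees what lands in the TFTP root, so this check is the one place in the procedure where the image bytes can be verified.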
Configuring and Administering Cisco NAC Appliance
For comprehensive Cisco NAC Appliance configuration information, refer to the applicable version of the following guides:
•
Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
•
Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
Technical Assistance
The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Cisco Feature Navigator website
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. An account on Cisco.com is not required.
Cisco Software Center website
Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.
Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance to download software for Cisco NAC Appliance.
Documentation
Table 8 Updates to this Guide
11/27/12
Updates (for 4.9(x)):
•
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
•
Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9(x))
9/23/10
Updates (for 4.9):
•
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
•
Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.8(x) to 4.9)
7/26/10
Updates (for 4.8):
•
Router (Added Routers supported by Cisco NAC Appliance Release 4.8)
•
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module
•
Restrictions for Cisco NAC Network Module (Added restriction on upgrading from 4.6(1) to 4.8)
10/3/08
9/25/08
Updates (for 4.5):
•
Restrictions for Cisco NAC Network Module (added WOOB note)
•
How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module (added link to upgrade section)
•
Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module (moved and updated section)
6/11/08
•
Updated Restrictions for Cisco NAC Network Module with notes for 4.1.2.1
•
Corrected section CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)
•
Updated step 1 of Re-Installing Cisco NAC Network Module Software.
•
Added section Configuring and Administering Cisco NAC Appliance.
•
Updated boilerplate and hypertext links
11/02/07
Minor updates/corrections
8/22/07
Cisco NAC Network Module (NME-NAC-K9) release
Related Documents
Cisco NAC Appliance
For the latest updates to Cisco NAC Appliance documentation on Cisco.com, visit www.cisco.com/go/nac/appliance. Refer to the document versions that correspond to the release you are running on your machines.
Data sheets
Ordering guide
Licensing
System requirements
Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)
Supported switches (OOB)
Release notes
Release Notes for Cisco NAC Appliance (Cisco Clean Access) (Version 4.1(2) or later)
Configuration guides
Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide
Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide
Appliance hardware (MANAGER/SERVER)
Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1
Network module
Getting Started with Cisco NAC Network Modules in Cisco Access Routers (this guide)
Installing Cisco Network Modules in Cisco Access Routers at
Connecting Cisco Network Admission Control Network Modules at
http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/nacnm.html
Additional Cisco Documentation
Cisco IOS software
Cisco IOS Software website at http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html
Voice and IP communications
Cisco Voice and IP Communications website at http://www.cisco.com/en/US/products/sw/voicesw/tsd_products_support_category_home.html
Tip
To ensure that you are displaying the most current information on the Cisco.com website, force your browser to refresh by pressing Ctrl-F5.
To narrow your Cisco.com search to technical documents, from the Cisco.com home page on the upper right under the Search box, click Advanced Search > Technical Support & Documentation and enter your search criteria.
To provide feedback about the Cisco.com website or a particular technical document, from the top of any Cisco.com web page, click Feedback.
Glossary
Note
For terms not included in this glossary, see the following references:
•
Cisco IOS Voice Configuration Library Glossary
•
Internetworking Terms and Acronyms
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:
http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html
Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2012 Cisco Systems, Inc. All rights reserved.