Configuring the Cisco NAC Profiler for the Target Environment
This chapter includes the following topics:
•Accessing the Cisco NAC Profiler User Interface
•Uploading the FlexLM Licenses
•My Network Configuration
•Saving Cisco NAC Profiler System Configuration Changes
•Importing a Digitally Signed SSL Certificate into the Cisco NAC Profiler System
The first tasks to complete in the configuration of the Cisco NAC Profiler system after the initial start-up of the appliance(s) in the system are to establish contact with the web-based user interface, upload the license key file(s) and provide the system with the information it needs to define the bounds of the address space for which it will provide Endpoint Profiling and Identity Monitoring. The vast majority of Cisco NAC Profiler system configuration and management is accomplished via the UI, and the procedures outlined in this chapter prepare the system and UI for the remaining system configuration tasks outlined in later chapters.
Accessing the Cisco NAC Profiler User Interface
Tip Prior to beginning this procedure, the Profiler Server and Collectors to be deployed in the Cisco NAC Profiler system should have been installed and started up according to the instructions in Chapter 4, "Installing and Performing an Initial Configuration." If that is not the case, please perform these steps before continuing with the instructions outlined in this chapter.
To begin configuring the Cisco NAC Profiler system, open the Cisco NAC Profiler user interface, which will be used for the completion of the vast majority of Profiler system configuration tasks.
Open a web browser and enter the DNS name or IP address of the management interface of the Profiler Server for the system to be managed in the URL field in the following format:
https://[DNS or IP address]/profiler
Cisco NAC Profiler 3.1 and later versions include several enhancements related to the security of the web-based user interface. Earlier versions did not include any URL redirection; URL redirection was fully implemented in Version 3.1, which automatically redirects browser sessions to HTTPS and the Cisco NAC Profiler login page.
Previous versions also utilized the login functionality provided by the browser. In 3.1 and later versions, a secure web form/cookie authentication mechanism replaced the basic authentication used in earlier Cisco NAC Profiler versions, providing a number of security and usability enhancements.
The login form presented when authenticating to the Cisco NAC Profiler interface is illustrated in Figure 5-1.
Figure 5-1 Cisco NAC Profiler Web UI Login
Prior to opening the Cisco NAC Profiler user interface, a valid username and password for the system must be provided. As described in Chapter 4, "Installing and Performing an Initial Configuration", the web UI password for the NAC Profiler administrator user account (username 'admin') is set during the Profiler Server appliance start-up scripts. The admin user account is the only UI account set up on a new system. Provide the UI 'admin' username and the password set during startup to access the UI for the first time.
Note that the SSL certificate that was created during the startup scripts of the NAC Profiler Server/HA pair is self-signed. Therefore the browser is going to generate an error such as the example in Figure 5-2 (IE 7 in the example) warning the user and requiring override to proceed to the site.
Tip The NAC Profiler system does support the replacement of the self-signed SSL certificate with one signed by a recognized CA. Follow the procedures outlined in the "Importing a Digitally Signed SSL Certificate into the Cisco NAC Profiler System" section to replace the self-signed SSL certificate and avoid future warnings from the browser when navigating to the Cisco NAC Profiler UI.
Figure 5-2 Invalid Security Certificate Warning (IE)
Once past authentication and the certificate-related warning, the Cisco NAC Profiler user interface Home tab, the System dashboard, will be displayed in the browser. An example of the Home tab for a system just started up is illustrated in Figure 5-3. Note the indication that there is no data displayed and that the Server module is "Not Running." These are normal indications when a new Cisco NAC Profiler system is first brought up. Until the license keys are added and the Collector(s) are added, configured and collecting endpoint data, the System Status remains as shown in the figure.
Figure 5-3 Cisco NAC Profiler Web-Based UI Home Page on First Access
Support for authentication of users of the Cisco NAC Profiler UI via RADIUS is an option to local authentication. Automatic logout of the admin user (non-configurable 30 minutes of inactivity) and Operator users (configurable for 5, 15, or 30 minutes for each Operator user) is provided to prevent unauthorized access through unattended sessions with the UI.
Complete instructions for the configuration of additional NAC Profiler UI users, including RADIUS authentication, are provided in
The Cisco NAC Profiler user interface is designed to provide multiple methods of navigation to support the varied preferences of administrators and operators. The tabs along the top of the page are organized to provide quick access to the interfaces for the primary areas of functionality of the Cisco NAC Profiler system: Home, Configuration, Endpoint Console, and Utilities. Selecting one of these tabs at any time redirects the interface to the main page for that primary area of functionality.
The Home tab is the main page for the Cisco NAC Profiler application user interface, as well as the landing page each time a new UI session is initiated. The secondary menu for the home tab shows the navigation options for the home tab: Getting Started, Documentation, Getting Support and Upload Key pages.
The Logout link is located in the upper right hand corner, immediately above the search button for the Quick Search control. The Logout link appears in this position throughout the user interface. Selecting the Logout link ends the current session and requires the user to re-authenticate by entering a valid username and password via the login form in order to use the Cisco NAC Profiler system UI again. To the immediate left of the Logout link, the user name and account type (administrator, operator, or analyst) are shown for each active UI session.
Lastly, "bread crumbs" which provide an aid to navigation within the UI are shown in the upper left corner of each page below the tab. The bread crumb trail builds as the user navigates through the UI, enabling rapid determination of the "click path" used to arrive at a particular page of the UI, and the ability to go back one or more pages along the path by clicking the desired bread crumb link.
Uploading the FlexLM Licenses
In order for the Cisco NAC Profiler system to run and indicate a status of running in the UI, at a minimum there must be one valid Profiler Server license and one Collector license with the MAC address of the eth0 interface of the appliance running the Profiler Server uploaded to the system via the UI.
Note The Cisco NAC Profiler Server does not need to communicate with a Collector in order for the Server to indicate running, but 1 valid Profiler Server and 1 or more valid Profiler Collector license files with the eth0 MAC of the NAC Profiler Server must be present on the Profiler Server for it to start.
The encrypted NAC Profiler Server license files include licensing information including duration (if it is not permanent) and most importantly, the MAC address of the Profiler Server(s) each license was created to enable.
License files for the NAC Profiler System are created using the Cisco licensing tool. There are two license types, Profiler Server and Profiler Collector.
Uploading Key Files on Cisco NAC Profiler Systems with the Profiler Server Running in Standalone Mode
Step 1 Place the FlexLM licenses for Cisco NAC Profiler system (files have an extension of .lic) either on the PC used to manage the NAC Profiler system via the web-based UI, or a network location accessible by that system.
Step 2 Select the Upload License link from the Cisco NAC Profiler Home tab secondary menu, which results in the display of the screen shown in Figure 5-4. This screen allows the license files to be imported to the Cisco NAC Profiler system running the Profiler Server in standalone mode, one at a time, beginning with the Profiler Server license.
Figure 5-4 Upload Cisco NAC Profiler License: Standalone Profiler Server
Step 3 Click Browse to locate the Profiler Server license file on the PC or an accessible network drive.
Step 4 When the license file is selected, select the Import License button on the page to upload the license file to the appliance. Successful upload is indicated by the following message appearing in the UI:
Key was successfully uploaded.
Tip The Cisco NAC Profiler Server module will attempt to restart approximately every minute. Once the license files are uploaded, it may take up to a minute for the Server to attempt a restart and recognize the uploaded Server and Collector license files added via the UI. Note that the Server will not start until there is a Profiler Server license and at least one Collector license with the correct MAC address uploaded to the system.
Step 5 Refresh the Upload License page by selecting the Upload License link again and it will display the specific details in the key files uploaded thus far as shown in Figure 5-5.
Figure 5-5 Server License Uploaded to Standalone Profiler Server
Note that the UI indicates graphically whether the MAC address of eth0 of the appliance and the MAC address in each license file match, as signified by the green check mark.
If there was a mismatch between the MAC in the license and the MAC of the appliance, the UI would indicate as shown in Figure 5-6.
Figure 5-6 Invalid License Indication
The license in this case is not valid for this system and must be replaced with a license file containing the correct MAC for this Cisco NAC Profiler Appliance.
Step 6 Repeat steps 2 through 5 to add the Collector license files (one per Collector) until all license files are added and verified via the UI.
Tip The Profiler Server will only start/communicate with up to the number of valid Collector license key files uploaded to it. Collectors in excess of the number of Collector licenses will show a status of "licensing issue" in the UI.
Figure 5-7 below illustrates the Upload License page on a licensed, operational standalone NAC Profiler System. Note that the licenses never expire (are permanent) and that only one Collector will be started/communicated with by the Server. Adding additional Collectors would require uploading additional Collector licenses containing a MAC address that matches that of eth0 of the Profiler Server appliance.
Figure 5-7 Licenses Uploaded Successfully on Stand-Alone Cisco NAC Profiler
Uploading License Files on HA Cisco NAC Profiler Systems
Remember that the HA protocol description provided earlier in this guide indicated that the Cisco NAC Profiler Server module will run only on the Primary node for the pair. Because either appliance in the HA pair can be the Primary node and therefore needs to run the Server module, both members must have valid license files for the system uploaded to the proper directory onboard the appliance so that the Server module will start and communicate with the Collectors in the system if and when it becomes the Primary node for the HA-pair.
The Cisco NAC Profiler license generation tool provides the option for creation of what is termed a "failover bundle license." The purpose of the failover bundle license is to allow the generation of Server and Collector key files that contain the eth0 (management interface) MAC addresses of both Profiler appliances deployed as a HA-pair in a single license file. The Profiler Server upload key function recognizes when HA has been configured on a NAC Profiler Server and will automatically copy license files uploaded to the Primary node to the Secondary node so that the licenses are present should the Secondary need to come online and start services.
From the perspective of license files required, a NAC Profiler system with the Profiler Server configured as an HA-pair is similar to a standalone in terms of valid key files that must be present: one Profiler Server license, and one license per Collector. However, when the Profiler Server is an HA-pair, failover bundle license files containing the eth0 MAC address of both appliances in the HA-pair should be created and uploaded through the UI as described in the following procedure.
Note As part of the 3.1.1-18 release there is an enhancement to the licensing system/logic when Profiler nodes are in HA. When an "FO Bundle License" is installed on the Primary or active node of NAC Profiler running version 3.1.1-18 with the MAC IDs of eth0 of the Active and passive nodes, the file gets replicated from the Active to the Primary node. This replication feature is triggered only when licenses are uploaded from the Active NAC Profiler UI (it will not be triggered if license files are uploaded via SCP / FTP).
Warning Failure to use the failover bundle key option when licensing NAC Profiler Server pairs may result in the HA system not failing-over properly. On startup of the Secondary node, if the license key file is not present, or the MAC address in the key file does not match that of eth0 interface, the NAC Profiler System will not start despite the normal functioning of the HA protocol.
Once the license files for the NAC Profiler HA-pair system have been received, they must be uploaded to both Profiler Server appliances in the pair using the Upload Key functionality found on the Home tab using the following procedure.
Step 1 Place the license files for the HA-pair either on the PC used to manage the NAC Profiler system, or a network location accessible by that system.
Step 2 From the Home tab, check the HA Status indicator to ensure that the Secondary node is online. The Secondary node must be online in order to proceed with the upload of license files on an HA-pair.
Step 3 Select the Upload License link from the secondary menu of the Home tab, which results in the display of the screen in Figure 5-8 on an HA-pair and allows the license files to be uploaded once and placed on both nodes in one operation.
Figure 5-8 Upload Cisco NAC Profiler Keys: HA-Pair
Note the small difference in the Licenses table on the HA Pair: there is an additional column labeled Remote MAC which is indicative of match/mismatch of the eth0 MAC address on the Secondary node and the failover bundle licenses loaded onto the HA system.
Step 4 Click Browse to locate the Profiler Server license file for the system, then select Import License to copy the license file to both members of the HA-pair.
Successful upload is indicated by the following message appearing in the UI:
Key was successfully uploaded.
Step 5 Perform the same steps for each of the Collector licenses to be uploaded to the Profiler Servers.
Tip The Profiler Server module on the current Primary node will attempt to restart approximately every minute. Once the license files are uploaded, it may take up to a minute for the Server to restart and recognize the new license files, start the Server and begin communications with the Collector(s).
Step 6 Refresh the Upload License page to view the details of the license files loaded on both appliances in the pair. Figure 5-9 illustrates what the page should look like for an HA pair that has successfully had license files uploaded to both appliances in the pair that contain MAC addresses that match that of the appliances.
Note The Server module is not running on the Secondary node of a NAC Profiler Server pair. Upon failover of the HA pair, the Secondary will check the license file and attempt to start the Server module as it takes over the Primary node duties for the pair. If valid licensing files are found, the system will fail-over normally.
Note Navigation to the UI served by the Secondary node of an HA-pair is blocked. If an HTTP session to the eth0 IP address of the Secondary node of a NAC Profiler HA pair is attempted, the login page will display, but with an error message stating that login is not permitted on the Secondary node. Management of a NAC Profiler HA-pair via the UI should be performed only via the VIP. This ensures connection to the Primary node.
Figure 5-9 Cisco NAC Profiler License Upload Successful on HA Pair
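The licensing rules described in the standalone and HA procedures above, as an added example that is not Cisco NAC Profiler code: it pre-checks a set of license records against the appliance eth0 MAC address(es) the way the Upload License page does. The License record layout is an assumption (real .lic files are encrypted and are not parsed here), and the "Not Running" state assigned to Collectors while the Server is down is an assumption as well.

```python
"""Added example (not Cisco NAC Profiler code): pre-checks license records
against the appliance eth0 MAC address(es) using the rules this section states.
The License record layout is an assumption; real .lic files are encrypted and
are not parsed here."""
from dataclasses import dataclass
from datetime import date
import re


def normalize_mac(mac):
    """Canonical lowercase aa:bb:cc:dd:ee:ff from colon, dash or Cisco dotted forms."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass(frozen=True)
class License:
    kind: str             # "server" or "collector"
    macs: tuple           # eth0 MAC(s) the license was generated for (two for a failover bundle)
    expires: date = None  # None means the license is permanent


def license_valid(lic, node_macs, today):
    """A license is usable when it has not expired and it names the eth0 MAC of
    every node that may run the Server module (one node standalone, two in HA)."""
    if lic.expires is not None and lic.expires < today:
        return False
    covered = {normalize_mac(m) for m in lic.macs}
    return all(normalize_mac(m) in covered for m in node_macs)


def licensing_status(licenses, node_macs, collectors, today):
    """Return the Server state, per-Collector state and the rejected licenses.
    Rules from the chapter: the Server needs one valid Server license plus at
    least one valid Collector license; it talks to at most as many Collectors as
    there are valid Collector licenses; the rest show "licensing issue".
    Assumption: while the Server is Not Running every Collector is reported as
    Not Running as well."""
    valid = [l for l in licenses if license_valid(l, node_macs, today)]
    rejected = [l for l in licenses if l not in valid]
    server_ok = any(l.kind == "server" for l in valid)
    slots = sum(1 for l in valid if l.kind == "collector")
    server_state = "Running" if server_ok and slots >= 1 else "Not Running"
    collector_states = {}
    for index, name in enumerate(collectors):
        if server_state != "Running":
            collector_states[name] = "Not Running"
        elif index < slots:
            collector_states[name] = "Running"
        else:
            collector_states[name] = "licensing issue"
    return {"server": server_state, "collectors": collector_states, "rejected": rejected}


# Constructed sample data (not real license contents).
NODE_A = "00:1A:2B:3C:4D:5E"   # eth0 MAC of the Profiler Server appliance
NODE_B = "00:1a:2b:3c:4d:5f"   # eth0 MAC of the HA peer
TODAY = date(2024, 1, 1)

STANDALONE_LICENSES = [
    License("server", (NODE_A,)),
    License("collector", ("00-1a-2b-3c-4d-5e",)),                        # same MAC, dashed form
    License("collector", ("001A.2B3C.4D5E",), expires=date(2030, 1, 1)),  # same MAC, dotted form
    License("collector", ("00:1a:2b:3c:4d:99",)),                        # MAC mismatch (Figure 5-6 case)
    License("collector", (NODE_A,), expires=date(2020, 1, 1)),           # expired
]

HA_LICENSES = [
    License("server", (NODE_A, NODE_B)),      # failover bundle: both eth0 MACs
    License("collector", (NODE_A, NODE_B)),   # failover bundle
    License("collector", (NODE_A,)),          # single-MAC license: not valid on the pair
]

if __name__ == "__main__":
    print(licensing_status(STANDALONE_LICENSES, [NODE_A], ["col-1", "col-2", "col-3"], TODAY))
    print(licensing_status(HA_LICENSES, [NODE_A, NODE_B], ["col-1", "col-2"], TODAY))
```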
My Network Configuration
The Configuration tab is used to perform a variety of Cisco NAC Profiler system configuration management tasks. As a new NAC Profiler system is implemented, the first task in the system configuration workflow that needs to be completed is definition of the bounds of the network, referred to henceforth as the configuration of My Network. The My Network configuration enables the specification of the address space for which the NAC Profiler system will perform its Endpoint Profiling and Identity Monitoring functions.
The Cisco NAC Profiler NetWatch and NetRelay Collector component module (or modules) deployed in a given Cisco NAC Profiler system monitor all network traffic/NetFlow XDRs forwarded to the defined monitoring interface(s) which may extend across multiple NAC Profiler Collectors.
Depending on the placement of the interface(s), this traffic may include packets and/or NetFlow XDRs not originating from endpoints of interest on the internal network. The My Network configuration assures that NAC Profiler is only performing its functions on network traffic (NetWatch) and NetFlow data for designated network host addresses and only profiling endpoints in the specified range of endpoint addresses.
To access the My Network configuration, select the Configuration tab and then select the My Network option from the secondary menu of the Configuration Tab. The Network Description form illustrated in Figure 5-10 is displayed in the resulting page. Use this form to provide the My Network configuration for the NAC Profiler system.
Tip Some NAC Profiler systems will require the creation of a single network (Organization Name) in the My Network configuration. In larger NAC Profiler systems, particularly those that employ multiple Collectors with NetWatch and/or NetRelay enabled, it may be desirable to distribute collection.
This is accomplished by dividing the total network host address space into multiple networks (Organization Names) and designating in the NetWatch and NetRelay configuration that a particular monitoring interface (NetWatch) and/or NetRelay module collects endpoint data for a selected network segment. See the instructions for the configuration of NetWatch and NetRelay modules in Chapter 7, "Configuring Collector Modules".
The Network Description form is intended to gather general information about the overall characteristics of the network/network segment. The only required fields are the Organization Name and Internal Address Blocks.
Note At least one network (Organization Name) containing a valid Internal Address Block (IP address/mask in CIDR format, x.x.x.x/y) must be configured on the system to enable endpoint data collection via NetWatch and/or NetRelay.
Figure 5-10 Network Description Form
Complete the following steps to configure a network (organization name) in the My Network configuration:
Step 1 Provide a name for the network being added.
Enter a name which indicates what this address space represents. This value is for the user's reference only and can be any value that is useful in understanding what segment of the network this group of addresses represents, particularly if two or more segments are configured.
The organizational name will be used when adding interfaces to the NetWatch module(s) in the NAC Profiler system to determine the traffic of interest for each NetWatch monitoring interface.
Similarly, the NetRelay module configuration for enabling the processing of NetFlow data from NetFlow collectors also uses the Network Name construct to specify the network(s) that a particular NetRelay module should include NetFlow processing for.
Tip It may be desirable in deployments with more than one NAC Profiler Collector to create multiple Organization Names that segment the larger endpoint host address space into subsets that include the networks/subnets that a given Collector will receive redirected traffic or NetFlow data for. In this way, the NetWatch and/or NetRelay module per Collector can be configured (see Chapter 7, "Configuring Collector Modules") to perform endpoint data collection on endpoints within specified host address ranges only.
For example, consider a campus network that serves four large buildings. Each of the four buildings will have a NAC Profiler Collector that has a NetWatch monitoring interface analyzing traffic transiting to/from the network core. Each building utilizes one or two Class C networks for endpoint addressing.
It would be beneficial to next create four Organization Names (one per building) and specify for each the specific subnet(s) used in that area of the network, for example Building 1 with an internal address block of 192.168.1.0/24.
When the Collector in Building 1 is configured, NetWatch can be configured to analyze only the host address space of Building 1 hosts (all endpoints with host addresses on the 192.168.1 network) and disregard all others. The three remaining Collectors would be configured similarly to distribute the NetWatch processing effectively across the four Collectors.
Step 2 Specify the IP Address space for endpoints of interest for profiling and identity monitoring in the Internal Address Blocks field.
The format is X.X.X.X/CIDR; for example, 10.10.0.0/16 means any IP address in which the first two octets are 10.10. This should be the host address space (or spaces) within which the endpoints to be profiled will be addressed.
This is used in conjunction with the Exclude Address Blocks described in the next step to program NetWatch and NetRelay to collect IP-learned endpoint data from network traffic (NetFlow XDRs in the case of NetRelay).
Only data pertaining to endpoints having a host address within the Internal Address Blocks and not in the Exclude Address Blocks will be processed by NetWatch and NetRelay. All traffic/XDRs with addresses outside this range will be dropped by these collector modules.
Step 3 Specify Exclude Address Blocks (optional)
As described above, this optional part of the configuration for a given Organization Name permits the specification of one or more address blocks within the Internal Address Block host address space that should be excluded from NetWatch/NetRelay endpoint data collection.
This is particularly useful in environments where special purpose (for example, server) subnets are contiguous with those used for endpoints. Collecting data on subnets not needing to be profiled can waste system resources.
Specify in the Exclude Address Blocks field the IP address spaces that are within the Internal Address Blocks space but contain endpoints that should not be learned/profiled by NAC Profiler. The format is X.X.X.X/CIDR; for example, 10.10.0.0/16 means any IP address in which the first two octets are 10.10.
Tip The next two parameters for a network/organization name specification are optional. In enterprises that utilize centralized print servers, or IP voice solutions including a voice gateway, IP addresses for these services can be specified.
The NAC Profiler system will automatically create the Generic Printer (if print server addresses are provided) and/or Generic IP Phone (if voice gateway addresses are provided) Profiles, which are based on Traffic Rules that identify printers and IP phones on the network by noting the endpoints that communicate with these centralized services, provided the NAC Profiler Collector(s) in the system are able to observe this traffic via NetWatch/NetRelay.
Step 4 Specify Print Server(s) IP host addresses for this network (optional).
Enter the IP host address of each print server, one per line. This is used for inverse rule creation, in which devices that are communicated with by the print server using the specified protocols (hard coded in this case to ports 9100 and 515) are profiled as printers. The resulting profiles can be located in the view/edit profiles screen in the table at the bottom of the list. Note that these Profiles will not appear unless Print Server addresses are added to the configuration for this Organization Name.
Step 5 Specify Voice Gateway IP host addresses for this network (optional)
Enter the IP address of each voice gateway, one per line. This is used for inverse rule creation, in which endpoints that are communicated with by the voice gateway using the specified protocols (hard coded in this case) are profiled as phones. The resulting profiles can be located in the view/edit profiles screen in the table at the bottom.
Step 6 Save the My Network configuration by selecting the Save Settings button.
As new networks (Organization Names) are added to the MyNetwork configuration, or changes are made to existing networks the system will display the following message in the UI:
MyNetwork Configuration updated. Execute Apply Changes -> Update Modules to commit.
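The Internal/Exclude Address Block filter (Steps 2 and 3) and the Print Server and Voice Gateway inverse rules (Steps 4 and 5), as an added example that is not Cisco NAC Profiler code: it runs the filter over constructed flow records and then applies both inverse rules to the endpoints that survive. The flow tuple layout, the exclude-block validation, and treating any port as a voice gateway match (the guide does not list those ports) are assumptions.

```python
"""Added example (not Cisco NAC Profiler code): models the My Network address
filter and the Print Server / Voice Gateway inverse rules from Steps 2 to 5 and
runs them over constructed flow records.  The flow tuple layout and the voice
gateway rule (any port, since the guide does not list its ports) are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

PRINT_SERVER_PORTS = {9100, 515}   # ports the guide says are hard coded for the printer rule


@dataclass
class MyNetwork:
    name: str                                            # Organization Name
    internal_blocks: list                                # Internal Address Blocks, CIDR strings
    exclude_blocks: list = field(default_factory=list)   # Exclude Address Blocks
    print_servers: list = field(default_factory=list)    # one host address per UI line
    voice_gateways: list = field(default_factory=list)

    def __post_init__(self):
        self._internal = [ip_network(b, strict=False) for b in self.internal_blocks]
        self._exclude = [ip_network(b, strict=False) for b in self.exclude_blocks]
        # The guide says exclude blocks lie within the internal blocks; treat anything
        # else as a configuration error (assumed behaviour, not documented UI validation).
        for block in self._exclude:
            if not any(block.subnet_of(inner) for inner in self._internal):
                raise ValueError(f"{self.name}: exclude block {block} is outside every internal block")
        self._print_servers = {ip_address(a) for a in self.print_servers}
        self._voice_gateways = {ip_address(a) for a in self.voice_gateways}

    def in_scope(self, addr):
        """True when addr is inside an Internal Address Block and not inside an Exclude block."""
        ip = ip_address(addr)
        return any(ip in n for n in self._internal) and not any(ip in n for n in self._exclude)

    def is_print_server(self, addr):
        return ip_address(addr) in self._print_servers

    def is_voice_gateway(self, addr):
        return ip_address(addr) in self._voice_gateways


def analyze_flows(net, flows):
    """Apply the My Network filter, then the inverse rules, to flow records of the
    form (src_ip, dst_ip, dst_port).  A flow with neither address in scope is
    dropped; for each in-scope endpoint, a peer that is a print server on 9100/515
    marks it a printer and a peer that is a voice gateway marks it a phone."""
    endpoints, printers, phones = set(), set(), set()
    dropped = 0
    for src, dst, dport in flows:
        src_ok, dst_ok = net.in_scope(src), net.in_scope(dst)
        if not (src_ok or dst_ok):
            dropped += 1
            continue
        for me, peer, ok in ((src, dst, src_ok), (dst, src, dst_ok)):
            if not ok:
                continue
            endpoints.add(me)
            if net.is_print_server(peer) and dport in PRINT_SERVER_PORTS:
                printers.add(me)
            if net.is_voice_gateway(peer):
                phones.add(me)
    return {"endpoints": endpoints, "dropped": dropped, "printers": printers, "phones": phones}


# Constructed configuration and flows, extending the Building 1 example in the tip above.
BUILDING1 = MyNetwork(
    name="Building 1",
    internal_blocks=["192.168.1.0/24", "10.10.0.0/16"],
    exclude_blocks=["10.10.50.0/24"],        # server subnet inside 10.10/16, not profiled
    print_servers=["10.10.50.10"],
    voice_gateways=["10.10.50.20"],
)

SAMPLE_FLOWS = [
    ("10.10.50.10", "192.168.1.25", 9100),   # print server -> printer, raw port
    ("10.10.50.10", "192.168.1.26", 515),    # print server -> printer, LPD
    ("192.168.1.40", "10.10.50.10", 445),    # PC -> print server share: not a printer
    ("10.10.7.8", "10.10.50.20", 2000),      # phone <-> voice gateway
    ("10.10.50.30", "10.10.50.31", 22),      # both in the exclude block: dropped
    ("198.51.100.7", "203.0.113.9", 53),     # both outside My Network: dropped
    ("192.168.1.25", "203.0.113.9", 443),    # in-scope endpoint talking to an external host
]

if __name__ == "__main__":
    for key, value in analyze_flows(BUILDING1, SAMPLE_FLOWS).items():
        print(key, value)
```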
Adding Additional Networks to the Configuration
To add additional Networks to the system configuration at any time after initial system configuration:
Step 1 Select My Network link from the secondary menu on the Configuration Tab. This will result in the Choose Network form being displayed as illustrated in Figure 5-11.
Step 2 Add the new network to the configuration by entering a new Organization\Division name in the field to name the new network. Select the continue button.
Figure 5-11 Choose Network Form
Step 3 Type a name for the new Network in the New Organization\Division Name field and select Continue. The Network Description form described earlier in "My Network Configuration" section will be displayed to gather the details on the new network being added to the configuration.
Step 4 Enter the information for the new network, then select Save Settings to save the new network.
Editing Networks (Organization Names) Previously Configured
To edit Networks previously saved to the Cisco NAC Profiler configuration:
Step 1 Select My Network link from the secondary menu of the Configuration Tab to display the Choose Network form illustrated in Figure 5-11.
Step 2 Use the Select Name drop-down list to select the desired Organization Name for Editing and select Continue.
The previously described Network Description form (Figure 5-10) is displayed with the fields populated with the last saved data.
Note The Organization Name cannot be edited. If the Organization Name needs to be changed, it must be deleted (Delete Network button) and re-entered using that process.
Step 3 To make changes, edit the necessary fields then select Save Settings to save changes to the configuration for that Organization Name.
Saving Cisco NAC Profiler System Configuration Changes
The Cisco NAC Profiler system configuration is stored in the database maintained by the Server module. Changes are made to the system configuration through the web-based User Interface through the forms illustrated in this chapter and the remainder of the Configuration Guide. Most of the forms include a control that allows saving or updating the data captured in the form.
However, the majority of configuration changes, particularly those made to the configuration of the Cisco NAC Profiler modules themselves, are not committed to the running configuration until an update of the modules is performed. To update the configuration of NAC Profiler modules, and ensure any configuration changes are made to the running Cisco NAC Profiler configuration, use the following procedure:
Step 1 Navigate to the Configuration tab, and select the Apply Changes link from the secondary menu of the Configuration tab. The page in Figure 5-12 will be displayed in the browser.
Figure 5-12 Update Cisco NAC Profiler Modules Page
Step 2 Choose the appropriate option based on the nature of the changes that need to be committed to the configuration from the 3 options:
•Update Modules is selected to update the configuration of all modules, and to commit configuration changes to the running configuration. Upon the selection of the Update Modules button, the Cisco NAC Profiler System will update the configuration of all system and Collector component modules then perform a system restart with the new configuration. All modules across the Cisco NAC Profiler system will restart.
The modeler component of the Server module will re-model all endpoints in the database against the most current data collected and the enabled profiles. The NetMap modules across the system will initiate a regular poll of the network devices assigned to them. Using Update Modules ensures that all configuration changes made and saved using the UI will be committed to the current running configuration of the NAC Profiler System.
Tip On very large systems, with large databases and complex Profiling, the system may take several minutes to complete the Update Modules process and return all modules to the "running" state. Resource utilization on the Server appliance can be expected to peak during this process as the database is processed as part of the re-model.
•Re-Map is used to direct all NetMap modules to initiate a poll of the network devices they have been designated to monitor to update the map of the network topology maintained in the NAC Profiler database.
•Re-Model is used to direct the modeler component of the Server module to re-model all endpoints in the database against the most current information without regenerating module configurations and forcing a restart of the entire NAC Profiler system.
Tip Re-Model is used primarily when new Profiles are added to the configuration, and it is desirable to re-evaluate all endpoints against the new Profiles and the rules bound to them. When LDAP integration or integration with Cisco NAC Appliance is enabled on the NAC Profiler system, a full synchronization is also performed as described in Chapter 17, "Enabling LDAP Integration" or Chapter 13, "Integrating with the Cisco NAC Appliance".
Based on the option chosen, and selecting the Apply Changes option, the screens shown in the following figures will be displayed as the system performs the selected action:
Figure 5-13 Update Modules in Progress
Figure 5-14 Re-map in Progress
Figure 5-15 Re-model in Progress
Tip The pages displayed after selecting one of the available Apply Changes actions will not update. Navigate back to the Home tab and monitor the System Status table until all Collectors indicate a "Running" status.
Importing a Digitally Signed SSL Certificate into the Cisco NAC Profiler System
Tip The following procedure is optional. If it is desirable to have a valid CA-signed certificate for the web interface so that the browser warning described earlier in the chapter is not displayed when navigating to the Cisco NAC Profiler UI, perform the procedures in this section.
During the running of the startup scripts of the NAC Profiler system, it was necessary to create an SSL Certificate for the standalone Cisco NAC Profiler Server appliance (or HA-pair) serving the web-based UI for the system. The certificate created during startup, however, is "self-signed" and will result in the previously described security warning issued by the web browser when connecting to the Cisco NAC Profiler web-based user interface.
In many Cisco NAC Profiler implementations it will be highly desirable to obtain a digitally signed certificate for the system, using either an internal or commercial Certificate Authority (CA) to enable the authenticity of the site to be verified by the browser and prevent SSL certificate-related browser warnings.
The procedure outlined in this section allows the NAC Profiler administrator to create a Certificate Signing Request (CSR) for submission to the CA along with instructions for installing the signed SSL certificate on the NAC Profiler system to fully enable the SSL subsystem.
The procedure consists of three operations, outlined in detail in the following subsections:
1. Verification and download of the Certificate Signing Request (CSR) from the Cisco NAC Profiler Appliance/HA pair.
2. Submission of the CSR to the CA for signature; receipt of the signed SSL certificate from the CA along with the CA's certificate.
3. Installation of the digitally-signed Profiler certificate and the Certificate Authority's certificate on the Profiler system, followed by a restart of the Web Server to begin authentication/encryption using the digitally-signed certificate.
Note For HA NAC Profiler pairs, the procedure below is performed once on the Primary system, followed by the execution of a 'service profiler' command to push the certificate information to the secondary so that both appliances have a valid, signed certificate for the VIP/Domain Name of the NAC Profiler system.
Until the three steps above are completed in their entirety, the NAC Profiler system will continue to utilize the self-signed certificate with the attendant browser warnings. Follow the steps for each of the 3 operations in the following subsections to generate a CSR, get a CA-signed certificate, and place the signed SSL certificate on the NAC Profiler system.
Verify/Download the Cisco NAC Profiler System CSR
Before beginning this procedure, it is important to gather the information required for the generation of the SSL certificate in accordance with internal security policies. The following parameters for the certificate should be gathered and close at hand prior to beginning the process outlined below for the verification/download of the Certificate Signing Request for submission to the CA for digital signature:
• Domain Name (or IP address) of the NAC Profiler system.
Note For HA systems, this should be the VIP/Service Address of the HA NAC Profiler system, with the same certificate placed on both members of the HA pair.
• Organization Unit Name
• Organization Name
• City Name
• State or Province Name
• 2-letter Country code
Step 1 Initiate a console or SSH session with the NAC Profiler server and elevate to root privileges via the su command. For HA pairs, this procedure should be done on the appliance that is currently the Primary node by opening an SSH session to the VIP.
Step 2 Initiate the SSL Certificate Management script by executing the command:
service profiler setupcert
This brings up the main Certificate Action menu, shown in Figure 5-16. Recall that option A was used during the startup of the appliances to create a self-signed certificate for the system.
Figure 5-16 Certificate Action
Step 3 To verify the parameters of the current self-signed certificate, select option A, Create/Update Self-signed Certificate & CSR. After a confirmation prompt warning that the existing certificate may be replaced, the form in Figure 5-17 is displayed. This form reflects the current parameters of the self-signed certificate on the system and allows any of the SSL certificate parameters to be edited, if required.
Figure 5-17 Certificate Details
Step 4 Use the arrow keys to move to the field(s) to be changed and make the necessary changes to the certificate parameters.
Step 5 Use the tab key to select Submit and press Enter, which will result in the system processing the changes and overwriting the current self-signed certificate and CSR for the system (note that on HA systems, the new self-signed certificate will also be automatically pushed to the Secondary of the pair as part of processing the new certificate). Upon successfully completing the processing required to generate the new self-signed certificate and CSR, Figure 5-18 will appear:
Figure 5-18 New Certificate Installed/CSR Saved
Step 6 Select OK and press Enter to confirm that the CSR has been created and is ready for download. The system will prompt the user to restart Apache so the new certificate is processed, displaying the dialog in Figure 5-19 to the user.
Tip If Cisco NAC Profiler users currently have active UI sessions and the web server is restarted with the new SSL certificate, those sessions will be terminated and they will likely have to add a new exception to their browser in order to accept the new self-signed certificate when attempting to navigate back to the Cisco NAC Profiler web UI.
Figure 5-19 Confirm Apache Restart with New Certificate
Step 7 Select Yes using the arrow keys and press Enter to restart Apache.
Step 8 Utilize SCP (WinSCP) to move the CSR from /home/beacon/ssl off the appliance so that it can be submitted to the Certificate Authority for digital signature in accordance with internal policies.
Step 9 Select OK to return to the main Certificate Action menu, then select option 0, Exit (done with certificates), to exit the certificate management script.
The CSR is now ready for submission to an internal or commercial CA.
Submission of the CSR to the CA for Digital Signature
Step 1 After the CSR has been created/downloaded from the NAC Profiler system, follow internal policies for submission to an internal or commercial CA for digital signature.
After the NAC Profiler system certificate has been signed by the CA, it will be returned to the submitter along with the Certificate Authority's own digital certificate, which, depending on the CA, is often called the "CA bundle."
In order for the SSL subsystem of Cisco NAC Profiler to utilize the certificate it needs both the digitally-signed certificate resulting from the CSR created in the last step, and the CA's certificate copied into the proper directory on the appliance running the Server module.
Tip The digitally-signed certificate and the CA certificate must be named: profiler.crt and profiler-ca-bundle.crt respectively before placement on the NAC Profiler System.
Step 2 Review the instructions provided by the CA to prepare the NAC Profiler system SSL certificate and CA certificate bundles appropriately. In the next step, these files will be loaded onto the NAC Profiler system, and the web server restarted to begin using the digitally signed certificate and the browser warnings should cease as the certificate is now signed by a trusted CA.
Importing the Digitally-signed Certificate onto the Cisco NAC Profiler System
The final steps in the process are straightforward but essential to complete correctly so the digitally signed certificate is accepted by the NAC Profiler system. Follow the steps below carefully.
Step 1 SSH/Console to the Profiler Server system (VIP of the HA pair), elevate to root access, and run the command service profiler setupcert. Choose option D, Backup Certificate and Private Key.
This will create a backup copy of the current self-signed certificate on the system which should be moved off-appliance. This will allow the system to be reverted back to the original self-signed certificate easily should there be a problem with importing the CA-signed certificate.
Step 2 The digitally signed certificate and the CA certificate received from the CA (filenames profiler.crt and profiler-ca-bundle.crt) should be copied into place in the following directory using SCP: /var/db/ssl/pub
Again, using exactly the filenames specified above is essential to the proper operation of the Cisco NAC Profiler SSL subsystem.
Step 3 Restart the Apache web server to begin using the new, digitally-signed certificate by entering the following command:
Tip If Cisco NAC Profiler users currently have active sessions and the web server is restarted with a new SSL certificate, those sessions will be terminated.
Indications from the command line of a normal web server restart are as follows:
Performing sanity check on apache22 configuration:
Performing sanity check on apache22 configuration:
Step 4 Verify normal operation of the web UI using the new, signed SSL certificate. Navigation to the Cisco NAC Profiler UI should no longer result in certificate errors, assuming of course that the CA's certificate is already trusted by the browser.
Step 5 On HA-pairs only, once the normal operation of the signed certificate for Cisco NAC Profiler and the CA certificate have been verified, they can be pushed from the Primary node to the Secondary node by executing this command on the Primary:
service profiler HApushCert
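As an added pre-flight check that is not part of the Cisco procedure above, the following shell function confirms, before the files are copied into /var/db/ssl/pub and Apache is restarted, that profiler.crt matches the private key the CSR was generated from, chains to profiler-ca-bundle.crt, and carries the VIP/domain name users will type in the URL. It needs only openssl; the CA, server key and hostname profiler.example.com below are constructed throwaway material so the checks can be exercised offline (the location of the Profiler's private key on the appliance is not given on this page, so supply it as the third argument).

```shell
#!/bin/sh
# Added example, not Cisco's code. Usage:
#   check_profiler_cert profiler.crt profiler-ca-bundle.crt <private key> <expected name>
# Returns 0 only when all three checks pass; otherwise reports which one failed.
check_profiler_cert() {
    crt="$1"; bundle="$2"; key="$3"; name="$4"
    # 1. The CA-signed certificate must belong to the key the CSR came from.
    #    (Re-running menu option A after submitting the CSR silently breaks this.)
    if [ "$(openssl x509 -in "$crt" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "FAIL: $crt does not match private key $key" >&2; return 1
    fi
    # 2. The certificate must verify against the bundle the CA returned.
    if ! openssl verify -CAfile "$bundle" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not chain to $bundle" >&2; return 1
    fi
    # 3. The subject CN must be the VIP/domain name of the Profiler system.
    if ! openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 | grep -q "CN=$name"; then
        echo "FAIL: subject of $crt is not $name" >&2; return 1
    fi
    return 0
}

# Constructed test material (not real Profiler files): a throwaway CA plus a
# server key/CSR signed by it, mirroring what the CA would hand back.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Internal CA" \
    -keyout "$WORK/ca.key" -out "$WORK/profiler-ca-bundle.crt" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=profiler.example.com" \
    -keyout "$WORK/profiler.key" -out "$WORK/profiler.csr" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/profiler.csr" -CA "$WORK/profiler-ca-bundle.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/profiler.crt" 2>/dev/null
# An unrelated key stands in for a regenerated self-signed certificate.
openssl genrsa -out "$WORK/wrong.key" 2048 2>/dev/null

check_profiler_cert "$WORK/profiler.crt" "$WORK/profiler-ca-bundle.crt" "$WORK/profiler.key" profiler.example.com \
    && echo "OK: files are consistent and ready for /var/db/ssl/pub"
check_profiler_cert "$WORK/profiler.crt" "$WORK/profiler-ca-bundle.crt" "$WORK/wrong.key" profiler.example.com \
    || echo "expected failure: key mismatch detected"
```

Run it with the real profiler.crt, profiler-ca-bundle.crt and key before Step 3 of the import procedure; a non-zero return means the web server restart should be postponed and the backup from Step 1 kept at hand.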