Cisco NAC3350-PROF-K9 Hardware Installation Guide

Cisco NAC3350-PROF-K9 - NAC Profiler Server Manual

Cisco NAC3350-PROF-K9 manual content summary:

  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 1
    Cisco NAC Appliance Hardware Installation Guide Release 4.8 Jan 2012 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 Text Part Number: OL-20326-01
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 2
    MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, Cisco NAC Appliance Hardware Installation Guide © 2012 Cisco Systems, Inc. All
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 3
    R OL-20326-01 CONTENTS About This Guide 7 Audience 7 Purpose 7 Document Organization 8 Document Conventions 8 New Features in this Release 8 Product Documentation 9 Documentation Updates 11 Obtaining Documentation and Submitting a Service Request 12 Cisco NAC Appliance Hardware Platforms 1-1 About
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 4
    the 4-Post Rack 2-22 Installing the NAC-3355/3395 Appliance Into the Slide Rails 2-25 Cisco NAC Appliance Licensing 2-26 Upgrading Cisco NAC Appliance Software 2-27 Downloading Cisco NAC Appliance Software 2-28 Upgrading Firmware 2-28
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 5
    Script 3-6 Access the CAM Web Console 3-11 Install CAM Connection Requirements 3-19 Switch Support for CAS Virtual Gateway/ Cisco NAC Appliance 3-43 CAS CLI Commands for Cisco NAC Profiler 3-44 Manually Restarting the CAM/CAS Configuration Utility 3-46
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 6
    Troubleshooting the Installation 3-47 Verify/Change Current Master Secret on CAM/CAS 3-48 Recover From Corrupted Master Secret 3-48 Network Interface Card (NIC) Driver Not Supported High Availability Pair CAM Web Consoles 4-17 Determining
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 7
    Interfaces 4-45 Active/Standby Status 4-45 Accessing High Availability Pair CAS Web Consoles 4-46 Determining Active and Standby CAS 4-46 Determining Primary and Notices A-1 OpenSSL/Open SSL Project A-1 License Issues A-1
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 9
    Submitting a Service Request Audience This guide is for network administrators who are installing the Cisco NAC Appliance hardware connect through the Clean Access Server to the network via web login or Cisco NAC Agent. This guide also describes how to implement High Availability for the CAMs and
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 10
    Guide and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide. Table 1 Document Organization Chapter Description Chapter 1, "Cisco you enter. Indicates variables for which you supply values. Indicates web admin console modules, menus, tabs, links and submenu links.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 11
    issues/troubleshooting for switches and WLCs Connecting Cisco Network Admission Control Network Modules • Connecting Cisco NAC network module (NME-NAC-K9) in an Integrated Services Router Cisco NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide • Provides instructions to upgrade
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 12
    release, including: • New features and enhancements • Fixed caveats • Upgrade instructions • Supported AV/AS product charts • CAM/CAS/Agent compatibility and version information Cisco NAC Appliance Hardware Installation Guide, Release 4.8 Details on CAM/CAS installation topics: • Hardware
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 13
    26/10 Updates to Cisco NAC Appliance Hardware Installation Guide, Release 4.8 Description Release 4.8(3) • Updated Upgrading Cisco NAC Appliance Software, of users supported by NAC-3315 and NAC-3310, when they are FIPS-Compliant, to Cisco NAC-3315 Front and Rear Panels, page 1-5 and Cisco NAC-3310
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 14
    Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 15
    available from Cisco Systems, Inc. This chapter covers the following topics: • About Cisco NAC • Cisco Product Identification Tool, page 1-27 About Cisco NAC Appliance Cisco® Cisco NAC Agent and Cisco NAC Web Agent client software. You can deploy the Cisco 5.3. Cisco NAC Appliance does not support the
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 16
    will need to RMA the appliance with Cisco Systems and replace it with a new Cisco NAC-3315/3355/3395. Refer to the "Cisco NAC Appliance RMA and Licensing" section of the Cisco NAC Appliance Service Contract/Licensing Support document for details. 2. Cisco NAC Appliance Release 4.8(1) and later do
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 17
    NAC-3395 NAC-3315, NAC-3355, and NAC-3395 Table 1-1 Cisco NAC Appliance NAC-3315 Cisco NAC Appliance Hardware Summary Product Hardware Specifications MANAGER Lite Manager supporting up to 3 standalone or HA-pair CASs SERVER CAS supporting 100, 250, or 500 users • Single processor: Quad-core
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 18
    NAC-3355 Front Panel LEDs/Buttons" • Figure 1-9 on page 1-10 "Cisco NAC-3355 (With Installed FIPS Card) Rear Panel" • Figure 1-10 on page 1-10 "Cisco NAC-3355 (With Installed FIPS Card) Rear Panel LEDs" MANAGER Super Manager supporting up to 40 standalone or HA-pair CASs • Dual processor: 2 x Quad
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 19
    XXXXNNNNNNN Cisco NAC 3315 Series NAC Manager CISCO 195683 Cisco Support website using the Cisco Product Identification Tool. For details, see Cisco Product Identification Tool, page 1-27. Cisco NAC-3315 Front and Rear Panels The Cisco Cisco NAC-3315 Front Panel 1 3 2 4 CISCO Cisco NAC
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 20
    module failure • A power supply unit error has occurred Rear Panel Features Figure 1-4 1 Cisco NAC-3315 (With Installed FIPS Card) Rear Panel 3 5 2 4 195199 12 1 8 NIC 2 (eth1) GbE interface 9 NIC 1 (eth0) GbE interface
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 21
    switch 6 Serial port 10 Rear USB port 4 11 Rear USB port 3 12 Console port Figure 1-5 Cisco NAC-3315 (With Installed FIPS Card) Rear Panel LEDs 1 195200 2 5 3 4 1 FIPS card LED Green = Link exists Off = No link exists
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 22
    20 HA-CAS pairs. A NAC-3355 CAS can support up to 1500, 2500, or 3500 users. Similar to the Cisco NAC-3315, the Cisco NAC-3355 comes equipped with 4 network interfaces to provide /amber) 11 Empty (unused) hard disk drive (HDD) bay 1
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 23
    Cisco does not support installing additional hard drives in the NAC-3355 appliance. Figure 1-8 Cisco NAC-3355 Front Panel LEDs/Buttons 34 5 67 1 2 10 9 8 195202 Cisco NAC 3355 Series NAC Manager CISCO to expose or protect power switch 4
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 24
    NAC-3395 Chapter 1 Cisco NAC Appliance Hardware The appliance is powered off (AC power disconnected) Rear Panel Features Figure 1-9 Cisco NAC-3355 (With Installed FIPS Card) Rear Panel 1 2 3 5 4 10 Cisco NAC-3355 (With Installed FIPS Card) Rear Panel LEDs 12 3 4 56 195205 987 1-
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 25
    Chapter 1 Cisco NAC Appliance Hardware Platforms NAC-3315, NAC-3355, and NAC-3395 1 FIPS card status LED Solid blue occasionally blinking off and is ready to be turned on Off = The appliance is powered off (power is disconnected)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 26
    of the Clean Access Super Manager (Super CAM) which can support up to 40 Clean Access Servers or 40 HA-CAS pairs. The Cisco NAC-3390 features dual processors, dual power supplies, 4 GB 11 Empty (unused) hard disk drive (HDD) bay 1
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 27
    Cisco does not support installing additional hard drives in the NAC-3395 appliance. Figure 1-13 Cisco NAC-3395 Front Panel LEDs/Buttons 34 5 67 1 2 10 9 8 195207 Cisco NAC 3395 Series NAC Manager CISCO expose or protect power switch
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 28
    NAC-3395 Chapter 1 Cisco NAC Appliance Hardware Platforms appliance is powered off (AC power disconnected) Rear Panel Features Figure 1-14 Cisco NAC-3395 (With Installed FIPS Card) Rear Panel 1 2 3 5 4 15 Cisco NAC-3395 (With Installed FIPS Card) Rear Panel LEDs 12 3 4 56 195205 987
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 29
    Chapter 1 Cisco NAC Appliance Hardware Platforms NAC-3315, NAC-3355, and NAC-3395 1 FIPS card status LED Solid blue occasionally blinking off and is ready to be turned on Off = The appliance is powered off (power is disconnected)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 30
    Cisco NAC Appliance Hardware Summary Cisco NAC Appliance NAC-3310 1,2 Product MANAGER Lite Manager supporting up to 3 standalone or HA-pair CASs SERVER CAS supporting "Cisco NAC-3310 Front Panel LEDs/Buttons" • Figure 1-18 on page 1-20 "Cisco NAC-3310 Rear Panel" • Figure 1-19 on page 1-20 "Cisco
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 31
    Cisco NAC Appliance Hardware Summary (continued) Cisco NAC Appliance NAC-3350 3 Product Hardware Specifications MANAGER • Single processor: Xeon 3.0 GHz dual core Standard Manager supporting Figure 1-27 on page 1-26 "Cisco NAC-3390 Rear Panel LEDs/Buttons" 2. NAC-3310 supports iLO (Lights Out
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 32
    Replaceable Unit Installation Guide. The Cisco NAC-3310 Appliance is the recommended platform for Clean Access Lite Manager and Clean Access Server (100/250/500 user count) deployments. A NAC-3310 CAM Lite can manage up to 3 Clean Access Servers or 3 HA-CAS pairs. A NAC-3310 CAS can support 100, 250
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 33
    NAC Appliance Hardware Platforms Figure 1-17 Cisco NAC-3310 Front Panel LEDs/Buttons NAC-3310, NAC-3350, and NAC-3390 1 2 34 5 UID 187416 1 UID LED is in standby mode Off = The server is powered off (AC power disconnected)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 34
    10/100 Mbps iLO LAN port for IPMI management (RJ-45) 8 NIC 1 (eth0) and NIC 2 (eth1) integrated GbE LAN (RJ-45) ports (Broadcom) Figure 1-19 Cisco NAC-3310 Rear Panel LEDs 187417 1 3 2 45
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 35
    Guide. The Cisco NAC-3350 Appliance provides enhanced capability for enterprise wide Clean Access Standard Manager and Clean Access Server (1500/2500/3500 user count) deployments. A NAC-3350 Standard CAM can manage up to 20 Clean Access Servers or 20 HA-CAS pairs. A NAC-3350 CAS can support
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 36
    2 3 CD-ROM/DVD drive 4 Video connector 5 HP Systems Insight Display 6 USB connector Figure 1-21 Cisco NAC-3350 Front Panel LEDs/Buttons 1 2 3 4 5 6 180960 1 Power On/Standby button Green = (Figure 1-23 on page 1-23).
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 37
    ) 11 Serial connector 12 USB connector 13 USB connector 14 iLO 2 NIC connector (RJ-45) Figure 1-23 Cisco NAC-3350 Rear Panel LEDs 12 46 7 8 9 10 11 12 13 181238 35 1 Mbps Off = 10 Mbps (if activity LED is off, link is dead)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 38
    NAC Appliance FIPS Card Field-Replaceable Unit Installation Guide. The Cisco NAC-3390 Appliance platform provides the enhanced processing, memory, and power necessary for enterprise wide deployment of the Clean Access Super Manager (Super CAM) which can support up to 40 Clean Access Servers or 40
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 39
    bay 4 5 CD-ROM/DVD drive 6 Video connector 7 HP Systems Insight Display 8 USB connector Figure 1-25 Cisco NAC-3390 Front Panel LEDs /Buttons 1 2 3 4 5 6 180960 1 Power On/Standby button Green = normal when in standby mode
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 40
    NIC 2 (eth1) port (Broadcom) 12 USB connector 6 Integrated NIC 1 (eth0) port (Broadcom) 13 iLO 2 NIC connector (RJ-45) 7 Keyboard connector (purple) Figure 1-27 12 Cisco NAC-3390 Rear Panel LEDs/Buttons 34 567 8 9 180962
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 41
    the serial number label location highlighted. Locate the serial number label on your product and record the information before you place a service call. You can access the CPI tool at: http://tools.cisco.com/Support/CPI/index.do
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 42
    To access the CPI tool, you require a Cisco.com user ID and password. If you have a valid service contract but do not have a user ID or password, you can register at: http://tools.cisco.com/RPF/register/register.do
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 43
    provides instructions for how to verify your hardware and other required equipment, install your Cisco NAC Appliance in a four-post rack, and upgrade the existing Cisco NAC Appliance software and chassis firmware. Note This Installation Guide does not cover the Cisco NAC Network Module (NME-NAC-K9
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 44
    Observe and follow service markings. Do not service any Cisco product except as - The product does not operate correctly when you follow the operating instructions. • Keep your appliance away from radiators and heat sources. Also
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 45
    your safety and protect the equipment. However, this list does not include all potentially hazardous situations, so be alert. Warning Read the installation instructions before connecting the or other means of security. Statement 1017
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 46
    ; always check. • Never perform any action that creates a potential hazard to people or makes the equipment unsafe. • Never work alone when potentially hazardous conditions exist.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 47
    resistance value of the antistatic wrist strap. It should be between 1 and 10 Mohm. Lifting Guidelines A Cisco NAC Appliance CAM/CAS weighs between 15 lb (9.071 kg) and 33 lb (14.96 kg) depending heavy object, follow these guidelines:
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 48
    exterior with both hands. Preparing Your Site for Installation Before installing a Cisco NAC Appliance CAM/CAS, it is important to prepare the following: 1. Airflow Guidelines, page 2-9 • Temperature and Humidity Guidelines, page 2-9
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 49
    with the appliance is suitable for most 19-inch equipment racks or telco-type frames. Note Cisco strongly recommends using four-post racks whenever possible, but your rack must have at least two posts with the front of the rack.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 50
    does not include a two-post equipment rack. • Use appropriate strain-relief methods to protect cables and equipment connections. • To avoid noise interference in network interface cables, do immediate or intermittent equipment failure.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 51
    temperature measurement approaching a minimum or maximum parameter indicates a potential problem. Maintain normal operation by anticipating and correcting environmental anomalies before draw, and power dissipation for the appliance.)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 52
    material in case you need to repack the unit. If any item is missing or damaged, contact your Cisco representative or reseller for instructions. Some Cisco NAC Appliance models might include additional items that are not shown.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 53
    described in this guide. After initial configuration is complete, configure High Availability (HA) using the CAM or CAS web console and physically (Failover) Connections" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details. Required
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 54
    HA via the CAM and/or CAS web console(s). You will need to create a virtual Service IP for the HA-pair via web configuration. Clean Access Manager (CAM) Configuration (trusted) 1: b. Subnet mask (IP netmask) for eth0 interface:
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 55
    Root user password: m. Web console password 2: 1. eth0 and eth1 generally correlate to the first two network cards-NIC 1 and NIC 2-on the server hardware. 2. Cisco highly recommends replacing default back to the managed subnets.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 56
    the CAS is added to the CAM via the web console, and VLAN mapping is configured correctly under Device Management > CCA Servers > Manage [CAS_IP] > Advanced > VLAN Mapping. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for details. • The CAS and CAM must be
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 57
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS • Because you may install more than one appliance in the rack, ensure items that you need to install the NAC-3315 appliance in a four-post rack.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 58
    Rack-Mounting Your Cisco NAC Appliance CAM/CAS Chapter 2 Preparing for Installation Figure 2-3 Release Levers on the NAC-3315 Slide Rail Hardware 1 the rail-locking carrier toward the rear of the slide until it snaps into place.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 59
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-4 Installing the Slide Rail into the Rack 1 Adjustment tab 1 2 Adjustment fully extended through the mounting flange and slide rail.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 60
    Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-5 Adjusting the Slide-rail Length Chapter 2 Preparing for Installation 1 Adjustment tab 2 and the slide rail. Step 7 Repeat the steps from 1 to 6 for the other slide rail.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 61
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-6 Aligning the Slide Rail with the Mounting Flange 1 Adjustment tab 2 cabinet. If you need to remove the shipping brackets, see Step 3.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 62
    Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-7 Aligning the NAC-3315 on the Slide Rails Chapter 2 Preparing for Installation 1 Shipping with the CAM/CAS installed. To reinstall the shipping brackets, reverse the steps.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 63
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-8 Removing the Shipping Brackets 1 Release tab Mounting the NAC Installing the NAC-3355/3395 Appliance Into the Slide Rails, page 2-25
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 64
    arm mounting bracket (Not used) Slide rail (left) Slide rail (right) Cable-management support arm EIA latches (2) Front of rails Cable-management arm assembly Large cable tie (1) Cable rack mounting rails (see Figure 2-10).
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 65
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-10 Position Cage Nuts or Clip Nuts Front Rear Upper U (For 2 U /3395, reinstall and tighten the screws and nuts for both slide rails.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 66
    Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-12 Set Up Slide Rails Post D Post C Post B Post A Slots Chapter 2 Preparing for and bottom holes of the selected rack space for your NAC-3355/3395 (see Figure 2-14).
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 67
    Chapter 2 Preparing for Installation Rack-Mounting Your Cisco NAC Appliance CAM/CAS Figure 2-14 Fasten Rear of Slide Rail to Four-Post Rack 253144 Figure 2-15 Position the NAC-3355/3395 In the Slide Rails 2 253145 3 1 4 5
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 68
    device to the CAM to access the OOB Management module of the CAM web console. • For instructions on how to obtain new license(s) for your system, see Cisco NAC Appliance Service Contract/Licensing Support. • For instructions on how to install licenses for your system (after initial configuration is
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 69
    may cause undesirable system behavior. If you are experiencing problems with Release 4.8 on the CCA-3140, please contact the Cisco Technical Assistance Center (TAC). Note The support for CCA-3140 has been dropped starting from Cisco NAC Appliance release 4.8(1). Upgrading to Release 4.8(x) In
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 70
    . Note For Cisco NAC-3310 platforms, be sure to also refer to the "DL140 G3 Required BIOS/Firmware Upgrades" section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for further details.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 71
    CAS, page 3-42 • Manually Restarting the CAM/CAS Configuration Utility, page 3-46 • Troubleshooting the Installation, page 3-47 • Powering Down the NAC Appliance, page 3-50 Overview This chapter provides installation instructions for Cisco NAC Appliance. It provides instructions for how to initially
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 72
    mode is not supported for configuration of these interfaces. Note For installation details on the Cisco NAC Network Module (CAS on a network module), refer to Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 73
    NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Step 1 Step 2 Follow the instructions on your welcome letter to obtain a valid license file for your installation. Refer to the instructions in Cisco NAC Appliance Service Contract/Licensing Support for details. (If you are
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 74
    for the Clean Access Manager as described in Access the CAM Web Console, page 3-11. In the web console, navigate to Administration > CCA Manager > Licensing to install . DHCP mode is not supported for configuration of these interfaces.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 75
    latest software version supported on the target machine as follows: a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw Security > Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.8. c. Download the latest 4.8(x) .ISO image (e.g. nac-4.8_3-K9.iso)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 76
    Note If necessary, you can always manually start the Configuration Utility Script as service perfigo config command to modify the configuration of the CAM if it cannot be reached through the web Cisco Clean Access Manager quick configuration utility.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 77
    , Inc. Note If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAM, refer to Manually Restarting the CAM/CAS Configuration Utility, page 3-46. Step 2 If your eth0 []: 10.201.240.11
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 78
    Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords for the United States, and press Enter.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 79
    the CAM and the administrator web console as follows: a. Type Support at the following prompt. Enable Prelogin Banner Support? (y/n)? [n] For more information and an example of the Pre-login Banner feature, see Figure 3-2 on page 3-14.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 80
    to access the system over a serial connection or through SSH. Cisco NAC Appliance supports using Strong Passwords for root user login. Passwords must be at through the web console. See the "Manage System Passwords" section in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 81
    Web Console The Clean Access Manager web administration console is the primary interface for administering the Cisco NAC Appliance deployment. After initial configuration is complete, use the following steps to access the CAM web console.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 82
    web console. Refer to Cisco NAC Appliance Service Contract / Licensing Support for complete step-by-step instructions on how to obtain and install product licenses and obtain service contract support for Cisco the CAM web console. See Cisco NAC Appliance Service Contract/Licensing Support for details
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 83
    3-2) appears (if you have chosen to enable Pre-login Banners during your initial CAM configuration) or the web admin console login window appears (Figure 3-3). Type the username admin and web admin user password, and click Login.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 84
    base CAM/CAS configuration with the service perfigo config CLI command. Figure 3-3 CAM Administrator Web Console Login Page Step 8 Step web console admin password you specified during installation and initial configuration, and click Login.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 85
    10 To add additional licenses for your Clean Access Servers, go to Administration > CCA Manager > Licensing (Figure 3-5) in the CAM administrator web console. Note A Manager Failover license must be present for HA-CAS machines. When a Manager Failover license is installed, the Server count increment
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 86
    web console. Refer to Cisco NAC Appliance Service Contract/Licensing Support Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) • Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 87
    installation, make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) /CAS After Upgrade Troubleshooting Tech Note.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 88
    appliance, you can perform software installation via CD first. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details on the software versions supported on Cisco NAC Appliance CAM/CAS platforms. This chapter contains information for performing
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 89
    of the CAS to the network. Add the CAS to the CAM in the CAM web console under Device Management > CCA Servers > New Server, as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Manage the CAS by accessing the CAS management pages, via Device Management
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 90
    ) or out-of-band (OOB) deployments, refer to Switch Support for Cisco NAC Appliance. Determining VLANs For Virtual Gateway Before you start the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) for additional details.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 91
    Configuration Guide, Release 4.8(3) for additional deployment information for new installations. Step 1 Follow the instructions on your welcome letter to obtain a valid license file for your installation. Refer to the instructions in Cisco NAC Appliance Service Contract/Licensing Support for
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 92
    Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces. Install the Clean Access Server (CAS) Software from CD- SERVER or NAC-3350/3355 SERVER appliances.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 93
    supported on the target machine as follows: a. Log in to the Cisco Software Download Site at http://www.cisco Cisco Network Access Control > Cisco NAC Appliance > Cisco NAC Appliance 4.8. c. Download the latest 4.8(x) .ISO image (e.g. nac-4.8_3-K9
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 94
    necessary, you can always manually start the Configuration Utility service perfigo config command to modify the configuration of the CAS if it cannot be reached through the web Cisco Clean Access Server, (C) 2012 Cisco Systems, Inc.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 95
    Note If this prompt does not appear after you install the Cisco NAC Appliance software and restart the CAS, refer to Manually Restarting the CAM/CAS Configuration Utility, page 3-46. Step 3 .201.1.20 Is this correct? (y/n)? [y]
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 96
    you can always change this option later from the CAS Network > IP page of the web console or using the service perfigo config utility. Note that either method requires a reboot of the CAS. • network back to the trusted network.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 97
    the eth0 interface. (You can change the Management VLAN ID later from the CAS Network > IP web console page; however, changing settings on the CAS IP page requires a reboot of the CAS.) [Management network to the trusted network.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 98
    this time, you can change the option later in the web console or using service perfigo config utility. (Management VLAN tagging is necessary when the the CAS to the CAM in the web console. See the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for further details. Step
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 99
    packets of eth1 is disabled. Would you like to enable it? (y/n)? [n] Note You can change the Management VLAN ID later from the CAS Network > IP web console page; however, changing settings on the CAS IP page requires a reboot of the CAS.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 100
    Servers use a local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of assigned master secret passwords 21 for Pacific Time, and press Enter.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 101
    the web server responds. If DNS is not already set up for a domain name, the CAS web console would like to receive the certificate (for example, Cisco Systems), and press Enter. d. Type the name .201.240.10 Organization unit: doc Organization name: Cisco Systems City name: San Jose State code: CA
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 102
    the CAS to feature Pre-login Banner Support at the following prompt. Enable Prelogin Banner Support? (y/n)? [n] For more information and an example of the Pre-login Banner feature, see the Cisco NAC Appliance Clean Access Server Configuration Guide, Release 4.8(3). Step 25 Configure the root user
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 103
    CAM web administration console to add the CAS to the CAM as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, connect to the CAS machine directly or through SSH and use the service perfigo config command. Important Notes for SSL Certificates 1. You must generate
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 104
    and CAM, also refer to section "Configuring the CAS Behind a NAT Firewall" in the Installation chapter of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3) for additional details. Table 3-1 lists the ports that are required for communication between the CAS and the
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 105
    Connecting to the CAS Using the SWISS Protocol" section in the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3). HTTP over SSL communication between Agent/CAS/CAM, such as for user redirection to a web login page. TCP 80 (for version HTTP communication between Agent/CAS
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 106
    domain environments. If your deployment requires LDAP services, use TCP/UDP 636 (LDAP with SSL Guide, Release 4.8(3). Configuring the CAS Behind a NAT Firewall Caution If deploying a NAT firewall between the CAS and the CAM, the CAS must be in Standalone mode. Cisco NAC Appliance does not support
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 107
    Restart the CAS by entering the service perfigo restart command. Step 7 and CAS in addition to the Service IP address for HA pairs. Configuring can use the following instructions to configure the additional CAS. Note • For Cisco NAC Appliance hardware, the following instructions assume that the NIC
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 108
    up a utility that helps you to configure the NIC. Note Static IP addresses must be configured for the CAM/CAS interfaces. DHCP mode is not supported for configuration of these interfaces. See Chapter 4, "Configuring High Availability (HA)" for details on configuring HA.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 109
    see http://seclists.org/fulldisclosure/2011/Apr/55, which applies to the Cisco ISE, Cisco NAC Appliance, and Cisco Secure ACS hardware platforms. Step 2 After physically connecting the workstation to COM1 or COM2) and click OK.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 110
    original settings, you can log in as user root and run the service perfigo config command. Configuring Boot Settings on the Cisco NAC Appliance CAM/CAS If your CAM or CAS does not read the booting. Go to the Boot menu (Figure 3-11).
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 111
    pressing the plus ("+") key (Figure 3-12). Figure 3-12 Boot from CD-ROM Drive Step 4 Press the F10 key to Save and Exit.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 112
    Manager through the web admin console, such Cisco NAC Appliance CLI commands. Table 3-3 CLI Commands Command service perfigo start service perfigo stop service perfigo restart service perfigo reboot service perfigo config service CAM configuration. After completing service perfigo config, you
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 113
    , page 3-6 for instructions). After running and completing service perfigo config, make sure to run service perfigo reboot or reboot manual backup snapshots via command line utility, see the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). CAS CLI Commands The CAM web
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 114
    perfigo config, you must reboot the CAS. For instructions on using the script, see Perform the Initial CAM Configuration, page 3-6 service perfigo time Use to modify the time zone settings. CAS CLI Commands for Cisco NAC Profiler All Cisco NAC Appliance releases are shipped with a default version
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 115
    3-5 lists CLI commands issued on the CAS for the Cisco NAC Profiler Collector service. For complete details on the Cisco NAC Profiler solution, refer to the Cisco NAC Profiler Installation and Configuration Guide and Release Notes for Cisco NAC Profiler. Note To display the version of the Collector
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 116
    configuration information, see the Cisco NAC Profiler Installation and Configuration Guide. Manually Restarting the CAM/CAS Configuration connection, or SSH. Login as root with the correct password. Enter the service perfigo config command. Accept the default values or provide new ones for all
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 117
    /3355/3395. Refer to the "Cisco NAC Appliance RMA and Licensing" section of Cisco NAC Appliance Service Contract/Licensing Support for details. For further troubleshooting information, see the latest version of the Release Notes.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 118
    local master secret password to encrypt and protect important data, like other system passwords. Cisco recommends keeping very accurate records of command. If the two CAM/CAS master secret signatures are different, use service perfigo config to "reconfigure" the CAM/CAS with the incorrect master
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 119
    reboot using: # service perfigo reboot You can now add the CAS to the CAM. See the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). Enabling TLSv1 on Internet Explorer Version 6 Cisco NAC Appliance network administrators managing the CAM/CAS via web console and client
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 120
    recommended methods while connected via console/SSH. These methods prevent database corruption when powering down the CAM. • Type service perfigo stop and power down the machine. • Type /sbin/halt and power down the machine.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 121
    following topics: • Adding High Availability Cisco NAC Appliance To Your Network, page page 4-43 Adding High Availability Cisco NAC Appliance To Your Network The a network topology without Cisco NAC Appliance, where Core-Distribution-Access Network Before Cisco NAC Appliance Core Distribution 2/8
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 122
    interface. Link-failure based failover connection can also be configured over the eth0 and/or eth1 interfaces. Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 123
    HA-Secondary CAM, page 4-12 • Upgrading an Existing Failover Pair, page 4-16 • Failing Over an HA-CAM Pair, page 4-16 • Accessing High Availability Pair CAM Web Consoles, page 4-17 Note You must use identical appliances (e.g. NAC-3350 and NAC-3350 or NAC-3315 and NAC-3315) in order to configure High
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 124
    Settings" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) to Service IP must be used for the SSL certificate. • The Service IP address is used for all messages and requests sent to the CAM, including communication from the CAS and the administration web
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 125
    and eth1 is down, the standby CAM fails to do the database synchronization. The perfigo service is stopped on the standby CAM as the database synchronization happens only on eth1, which is down. Cisco recommends using only eth1 as heartbeat interface for CAM HA instead of using multiple HA
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 126
    -Availability Configuration trusted network Service IP Address 10.201.2.102 168.0.252 (specify network portion of address in web console) 195812 The Clean Access Manager high- HA-CAS" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3). When the Clean
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 127
    CAM web console supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco . Note The instructions in this section Layer 2 adjacent to support heartbeat and sync functions. CA-signed certificate for the Service IP of the HA
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 128
    Cisco NAC Appliance - Clean Access Manager Configuration Guide port. Use the specification manuals for the server hardware services will be briefly unavailable. You may want to configure an online CAM when downtime has the least impact on your users. Note Cisco NAC Appliance web admin consoles support
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 129
    supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco configuration. Step 1 Open the web admin console for the Clean associated with the Service IP addresses of
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 130
    follow the instructions in the "Manage CAM SSL Certificates" section of the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3) field under Administration > CCA Manager > Network and enter it in Service IP Address field. The Network Settings IP Address is the existing IP
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 131
    in the Link-detect Timeout field. The minimum value for this setting is 10 seconds, but Cisco recommends at least a 25-second timeout interval. Note Link-detect settings on the CAM (Release the additional UDP heartbeat interface.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 132
    the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance the private key and SSL certificate files associated with the Service IP/HA-Primary CAM are available (previously exported as
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 133
    7 Choose HA-Secondary in the Clean Access Manager Mode dropdown menu. The high availability settings appear. Set the Service IP Address value to the same value set for the Service IP Address in the HA-Primary CAM configuration.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 134
    Although this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat Timeout Heartbeat Timeout value is 30 seconds.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 135
    platform that supports the BIOS redirection to serial port functionality. See Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access 4-8). Figure 4-7 Standby Web Admin Console Example-Summary Page
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 136
    the active machine. When heartbeat fails, the standby machine will assume the active role. Perform service perfigo start to restart services on the stopped machine. This should cause the stopped machine to assume the standby role.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 137
    of each individual CAM (not the Service IP) in the URL/Address field of a web browser. You should have two browsers open. The web console for the Standby (inactive) 41 • Accessing High Availability Pair CAS Web Consoles, page 4-46
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 138
    Situation Due to Expired SSL Certificates" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3). Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high availability. The following key points provide a high
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 139
    Service IP for the eth0 trusted interface and eth1 untrusted interface. The Service IP should be used for SSL certificates. • Cisco NAC-3310 CAMs/CASs feature a 160GB hard drive or 80GB hard drive. Both of these hard drive sizes support Cisco
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 140
    is displayed in brackets next to the Service IP for the pair in the List of Servers in the CAM web console. In addition, either the trusted or untrusted interface Service IP address should be used to generate the SSL certificate.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 141
    prior to configuring it for HA. After HA configuration is complete on both CASs, the Service IP is then entered in the New Server form to add the HA-CAS pair to the CAM. initiating failover to the standby CAM/CAS.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 142
    service hostname> property is set for the starttomcat and restartweb files on both the Primary and Secondary CAS. For example, -Dperfigo.nat.serviceip=172.10.20.100. Physical Connection Cisco eth0 and eth1 are supported for the Heartbeat UDP
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 143
    , configure the IP address for the interface. For instructions, see Configuring Additional NIC Cards, page 3-37. for HA. After HA configuration is complete on both CASs, use the Service IP in the New Server form to add the HA-CAS pair to
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 144
    web console. These settings include updating the SSL certificate, system time, time zone, DNS, or Service IP. See the Cisco NAC Appliance - Clean Access Server Configuration Guide in the HA pair must remain Layer 2 adjacent to support heartbeat and sync functions. 3. If the Clean Access Servers
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 145
    11 List of Servers Installing a Clean Access Server High Availability Pair Note Cisco NAC Appliance web consoles support Internet Explorer 6.0 and 7.0 browsers. Selecting and Configuring the Heartbeat UDP Interface Note Cisco strongly recommends you do not use the serial interface on the NAC-3315
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 146
    general best practice that allows you to segment and protect management traffic when running the failover heartbeat over the Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support high
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 147
    f. Add the CAS to the CAM Using the Service IP, page 4-33 When done, continue to web console password specified during initial configuration. Note • In order to copy and paste values to/from configuration forms, Cisco recommends keeping both web
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 148
    Access Server Mode dropdown menu. Figure 4-13 Failover -Choose Mode 6. In the HA-Primary Mode form that opens, type values for the following fields.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 149
    the trusted network (10.201.2.112 in the example in Figure 4-9 on page 4-20). - Untrusted-side Service IP Address: The common address for the pair on the untrusted (managed) network (10.201.50.243 in HA-Primary and HA-Secondary CAS.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 150
    addresses (all addresses or only one address), no failover event occurs, since neither CAS has the advantage. To enable link-detect, enter at least one link-detect IP address on each CAS and the eth0 interface for the HA-Primary CAS.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 151
    the HA-Secondary CAS web console. • [Secondary not available, Cisco recommends using manually configure the interface using the CAS CLI. There are no eth2 or eth3 configuration settings (IP address, netmask, etc.) available via the CAS web console. For instructions in order to support HA behavior. In
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 152
    this element still appears in the CAM web console, the Heartbeat Serial Interface feature is being deprecated in a future Cisco NAC Appliance release. (The associated Heartbeat . Figure 4-15 Administration > SSL > X509 Certificate
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 153
    the instructions in the "Manage CAS SSL Certificates" section of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release Using the Service IP 10. In the CAM web console, go to Device Management > CCA Servers > New Server, and add the CAS to the CAM using the Service IP for the
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 154
    Note Cisco NAC network modules installed in Cisco Integrated Services Routers (ISRs) do not support to copy and paste values to/from configuration forms, Cisco recommends keeping both web consoles open for each CAS (primary and secondary).
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 155
    primary CAS (10.201.2.112 in the example in Figure 4-9 on page 4-20). - Untrusted-side Service IP Address: The IP address by which the pair is addressed from the untrusted (managed) network. Use your network topology is different.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 156
    CAS information into the form for the HA-Secondary CAS, copy and paste the corresponding fields from the web console of the HA-Primary CAS. • [Primary] Peer Host Name: Type the host name of the the CAS configuration information.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 157
    eth3 interfaces to be Heartbeat UDP Interface 3, you must manually configure the interface using the CAS CLI. There are no eth2 or eth3 configuration settings (IP address, netmask, etc.) available via the CAS web console. For instructions, see Configuring Additional NIC Cards, page 3-37. • [Primary
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 158
    to import the Private Key. For more information, see the "Manage CAS SSL Certificates" section in the Cisco NAC Appliance Clean Access Server Configuration Guide, Release 4.8(3). e. Reboot the HA-Secondary CAS 8. From the CAS direct access interface (Network Settings > Failover > General), click
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 159
    3. The HA-Secondary CAS should still be active and providing services for the user. 4. Shut down the HA-Secondary CAS machine. Note Cisco recommends "shutdown" or "reboot" on the machine to test configuration is now complete.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 160
    instructions describe how to change settings for an existing high-availability Clean Access Server pair. Changing the Service Update the HA settings in the direct access web console for the primary CAS and reboot the of the Cisco NAC Appliance - Clean Access Server Configuration Guide, Release 4.8(3)
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 161
    button. 13. From the Clean Access Manager administrator web console, go to Device Management > CCA Servers high-availability pair is displayed in brackets next to the Service IP for the pair, as shown in Figure 4-9 Pair For instructions on upgrading an existing failover pair to a new Cisco NAC
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 162
    High Availability for Virtual Gateway Mode You can follow the same instructions explained in CAM High Availability Overview, page 4-4 and CAS High page 3-22 for details. After HA configuration is complete on both CASs, use the Service IP in the New Server form to add the HA-CAS pair to the CAM.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 163
    -pair. 2. Run the fostate.sh script on the second CAM: [root@rjcam_2 ~]# ./fostate.sh My node is standby, peer node is active
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 164
    deadping 25 auto_failback off apiauth default uid=root respawn hacluster /usr/lib64/heartbeat/ipfail ping 10.10.20.100 ping 10.10.40.100
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 165
    # eth0 eth1 Enable the new function by stopping and restarting CAS services with the service perfigo stop and service perfigo start commands. In the above linkdetect.conf file example, both CAS: [root@rjcas_1 bin]# ./fostate.sh
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 166
    Standby CAS From the CAM web console, go to Device Management > CCA Servers > List of Servers to view your HA-CAS pairs. The List of Servers page displays the Service IP of the CAS pair Mode (CAS) for the initial HA configuration.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 167
    following procedure to recover the root password for a CAM or CAS machine. The following password recovery instructions assume that you are connected to the CAM/CAS via a keyboard and monitor (i.e. console or /CAS machine via console.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 168
    the prompt type: linux single. This boots the machine into single user mode. Type: passwd. Change the password. Reboot the machine using the reboot command.
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 169
    to endorse or promote products derived from this software without prior written permission. For written permission, please contact [email protected].
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 170
    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND software written by Tim Hudson ([email protected])".
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 171
    EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON license [including the GNU Public License].
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 172
    Notices Appendix A Open Source License Acknowledgements
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 173
    with 2-3 ESD preventing effects of 2-5 eth1 3-28 F failover. See high availability. firewall, deploying behind 3-36 G guidelines airflow 2-9 lifting 2-5 rack installation 2-7 rack-mounting configuration 2-14 safety 2-2
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 174
    ) 2-4 power supply (warning) 2-4 precautions general precautions 2-2 primary HA server 4-9 procedure method 2-4 serial number location 1-5, 1-8, 1-12 Service IP address HA (failover) 4-23 service perfigo config 3-6, 3-24 site configuration 2-8
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 175
    Index U untrusted interface 3-28 V VLAN settings at install 3-29
  • Cisco NAC3350-PROF-K9 | Hardware Installation Guide - Page 176
    Index

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Cisco NAC Appliance Hardware
Installation Guide
Release 4.8
Jan 2012
Text Part Number: OL-20326-01