Cisco NAC3350-PROF-K9 Hardware Installation Guide - Page 103

Important Notes for SSL Certificates



Cisco NAC Appliance Hardware Installation Guide, OL-20326-01, page 3-33
Chapter 3: Installing the Clean Access Manager and Clean Access Server
Installing the Clean Access Server

Step 29  After the configuration is complete, press Enter to reboot the CAS.

    Configuration is complete.
    Changes require a REBOOT of Clean Access Server.

Step 30  Enter the following command to reboot the CAS after configuration is complete:

    # reboot

The CAS initial configuration is now complete. Once the Clean Access Manager is also installed and initially configured, use the CAM web administration console to add the CAS to the CAM as described in the Cisco NAC Appliance - Clean Access Manager Configuration Guide, Release 4.8(3).

Step 31  Following CAS installation and initial configuration:

  a. Ping the eth0 interface address from a command line. If working properly, the interface should respond to the ping.

  b. For a FIPS-compliant CAS, verify FIPS functionality as follows:
     - Ensure the FIPS card operation switch is set to “O” (for operational mode).
     - Log into the CAS console interface as root.
     - Navigate to the /perfigo/common/bin/ directory.
     - Enter ./test_fips.sh info and verify the following output:

         Installed FIPS card is nCipher
         Info-FIPS file exists
         Info-card is in operational mode
         Info-httpd worker is in FIPS mode
         Info-sshd up

  c. If the CAS is not responding, try connecting to the CAS using SSH (Secure Shell). Connect with the root username and password. Once connected, try pinging the gateway and/or an external website from the CAS to see if the CAS can reach the external network.
     If both tests fail, make sure that you have configured the IP address correctly and that the other network settings are correct.

If after installation you need to reset the initial configuration settings for the Clean Access Server, connect to the CAS machine directly or through SSH and use the service perfigo config command.
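
The comparison in Step 31b can be scripted when several CAS units have to be checked. The following is an added example, not part of the Cisco guide: it assumes the output of ./test_fips.sh info has been captured as text, and the function name, variable names and both sample captures are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare captured "./test_fips.sh info" output with the five
# lines listed in Step 31b. Names are hypothetical, not appliance tooling.

EXPECTED_FIPS_LINES='Installed FIPS card is nCipher
Info-FIPS file exists
Info-card is in operational mode
Info-httpd worker is in FIPS mode
Info-sshd up'

# check_fips_output: reads captured output on stdin, prints each expected line
# that is absent, and returns 0 only when all five lines are present.
check_fips_output() {
  # Console and SSH captures often carry CRs and trailing blanks; strip them
  # so the exact whole-line match (-x) stays strict without false alarms.
  captured=$(tr -d '\r' | sed 's/[[:space:]]*$//')
  missing=0
  while IFS= read -r want; do
    if ! printf '%s\n' "$captured" | grep -qxF -- "$want"; then
      printf 'MISSING: %s\n' "$want"
      missing=$((missing + 1))
    fi
  done <<EOF
$EXPECTED_FIPS_LINES
EOF
  [ "$missing" -eq 0 ]
}

# Constructed sample captures (not real appliance output). The first has CRLF
# line endings; the second lacks the "operational mode" line.
good_capture=$(printf '%s\r\n' 'Installed FIPS card is nCipher' \
  'Info-FIPS file exists' 'Info-card is in operational mode' \
  'Info-httpd worker is in FIPS mode' 'Info-sshd up')
bad_capture=$(printf '%s\n' 'Installed FIPS card is nCipher' \
  'Info-FIPS file exists' 'Info-httpd worker is in FIPS mode' 'Info-sshd up')

printf '%s\n' "$good_capture" | check_fips_output && echo "good capture: all five lines present"
printf '%s\n' "$bad_capture" | check_fips_output || echo "bad capture: FIPS verification incomplete"
```

A non-zero return means at least one of the five lines from the guide was not found as a whole line, so partial matches do not count as a pass.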

Important Notes for SSL Certificates

  1. You must generate the temporary SSL certificate during CAS installation or you will not be able to access your CAS. Before deploying in a live environment, obtain a trusted certificate for the CAS from a Certificate Authority to replace the temporary certificate.

  2. After CAM and CAS installation, make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based.

  3. In order to establish the initial secure communication channel between a CAM and CAS, you must import the root certificate from each appliance into the other appliance’s trusted store so that the CAM can trust the CAS’s certificate and vice-versa.
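
Notes 2 and 3 can be reproduced offline with throwaway certificates. This added example is not from the Cisco guide and does not use the appliance's own tooling: it assumes the openssl command-line tool is installed, and every name, path and certificate in it is constructed.

```shell
#!/bin/sh
# Added example: offline illustration of SSL notes 2 and 3 using throwaway
# certificates. All names and paths are hypothetical; no CAM or CAS is touched.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# make_appliance NAME: constructed root CA plus a certificate signed by it.
make_appliance() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1-root" \
    -keyout "$work/$1-root.key" -out "$work/$1-root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example.test" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null
  openssl x509 -req -in "$work/$1.csr" -days 30 -CA "$work/$1-root.pem" \
    -CAkey "$work/$1-root.key" -CAcreateserial -out "$work/$1.pem" 2>/dev/null
}

# accepts STORE CERT [EPOCH]: would a peer whose trusted store is STORE accept
# CERT? EPOCH optionally sets the peer's clock (openssl verify -attime).
accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

make_appliance cam
make_appliance cas

# Note 3: each side starts out trusting only its own root ...
cp "$work/cam-root.pem" "$work/cam-store.pem"
cp "$work/cas-root.pem" "$work/cas-store.pem"
accepts "$work/cam-store.pem" "$work/cas.pem" || echo "before import: CAM rejects CAS"
# ... and accepts the peer only after the peer's root is imported, both ways.
cat "$work/cas-root.pem" >> "$work/cam-store.pem"
cat "$work/cam-root.pem" >> "$work/cas-store.pem"
accepts "$work/cam-store.pem" "$work/cas.pem" && echo "after import: CAM accepts CAS"
accepts "$work/cas-store.pem" "$work/cam.pem" && echo "after import: CAS accepts CAM"

# Note 2: the validity period starts at the issuing clock's time, so a peer
# whose clock is one hour behind sees a certificate that is not yet valid,
# even though its trusted store is correct.
behind=$(( $(date +%s) - 3600 ))
accepts "$work/cam-store.pem" "$work/cas.pem" "$behind" || echo "clock skew: CAM rejects CAS"
```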