Getting Started with Cisco NAC Network Modules in Cisco Access Routers

Revised: November 27, 2012, OL-2609-01

Contents

• About Cisco NAC Network Module for Integrated Services Routers, page 2

• Prerequisites for Cisco NAC Network Module, page 3

• Cisco NAC Network Module and Clean Access Server Software, page 6

• Deployment Overview, page 8

• How to Configure the Cisco NAC Network Module, page 23

• How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module, page 39

• Configuring and Administering Cisco NAC Appliance, page 53

• Technical Assistance, page 53

• Documentation, page 54

• Obtaining Documentation and Submitting a Service Request, page 57

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

About Cisco NAC Network Module for Integrated Services Routers

The Cisco® NAC Network Module for Integrated Services Routers (NME-NAC-K9) brings the feature-rich Cisco NAC Appliance Server capabilities to Cisco 2800 and 3800 Series Integrated Services Routers.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2900 and 3900 Series Integrated Services Routers.

Cisco NAC Appliance

Cisco NAC Appliance (also known as Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.

Cisco NAC Appliance is a network-centric integrated solution that is:

• Administered from the web console of the Clean Access Manager (CAM)

• Enforced through the Clean Access Server (CAS)

• Applied on clients through the Clean Access Agent (CAA) client software

You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.

Cisco NAC Network Module

The Cisco NAC Network Module (NME-NAC-K9) implements the Clean Access Server functionality on the next generation service module for the Cisco 2811/2821/2851 and 3825/3845 access routers. The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code.

In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco 2911/2921/2951 and 3925/3945 access routers.

The Clean Access Server operating system is based on an optimized version of Linux. The NAC network module is an ideal NAC solution for small groups of users in remote locations where an integrated services router is used. The NAC network module can be equipped with either a 50-user or 100-user license to support branch offices.

The Clean Access Manager is purchased separately as a NAC-3300 series appliance and is the primary point of configuration and management for all Clean Access Servers—whether implemented as a Cisco NAC Network Module in an Integrated Services Router, or as a NAC-3310 or NAC-3350 SERVER appliance. Once initial configuration is complete, the NAC network module is added and managed by the Clean Access Manager like any other Clean Access Server through the CAM web console (GUI) interface.

For further details on the NAC-3300 series server platforms refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide.

Prerequisites for Cisco NAC Network Module

Router

• Plan software upgrades or downgrades for times when you can take all applications that run on the host router out of service or offline.

• Ensure that you have the appropriate Cisco access router to serve as the host router. The Cisco NAC Network Module is supported on the following Cisco access routers:

– Cisco 2811

– Cisco 2821

– Cisco 2851

– Cisco 3825

– Cisco 3845

• In addition to the above routers, Cisco NAC Appliance Releases 4.8 and later support the following Cisco access routers:

– Cisco 2911

– Cisco 2921

– Cisco 2951

– Cisco 3925

– Cisco 3945

Note The NAC network module is pre-installed with Cisco NAC Appliance software release 4.1(2) (or later), with the Clean Access Server software running as the application code. Ensure that you upgrade it to Cisco NAC Appliance Release 4.8 or later to support the above Cisco access routers.

• Ensure that the host router is running Cisco IOS Release 12.4(11)T or a later release. To learn which release your router is currently running, examine output from the show version command.

Note When minimum release requirements are met, you can change images on either the router or the network modules without affecting performance.

Network Module

Note Cisco NAC Network Module supports Cisco NAC Appliance Release 4.5, but does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Cisco NAC Network Module supports L3 Wireless Out-of-Band (L3 OOB) introduced in Cisco NAC Appliance Release 4.8(2).

Warning The Cisco NAC network module must run the same version of the Cisco NAC Appliance software as the Clean Access Manager and any other Clean Access Servers in the deployment. For example, all must run 4.7(x), or a later supported version.

• Release 4.1.2.1 of the Cisco NAC Appliance software is the minimum software release supported on the Cisco NAC Network Module.

Refer to the latest version of the Release Notes for Cisco NAC Appliance for enhancement details for each applicable release.

• To physically install the NAC network module, use the Cisco Network Modules Hardware Installation Guide and Cisco Network Modules and Interface Cards Regulatory Compliance and Safety Information.

• The Cisco NAC Network Module for Integrated Services Routers ships from the factory with the hardware listed in Table 1 preinstalled. There are no memory options. (See How to Configure the Cisco NAC Network Module, page 23 for further details.)

• Make a note of the network module’s location in the host router:

– slot—Number of the router chassis slot for the module. After you install the module, you can get this information from the router’s show running-config command output.

– unit—Number of the daughter card on the module. This value should be 0.

Note You need this information for the “Setting Up Network Module Interfaces” section on page 26 and the “Opening and Closing a Session” section on page 29.

File Server

• (Optional) Verify that your download FTP or TFTP file server is accessible:

– FTP file server—Use for backups and restores.

– TFTP file server—Use (on the FTP-file-server machine) for boothelper operations to recover from a failed installation.

Table 1 Network Module Hardware Specifications

Model         Processor          Hard Disk       Memory        CompactFlash
NME-NAC-K9    1 GHz Celeron M    80 GB (SATA)    512 MB DDR    64 MB

Accessing the Cisco NAC Network Module

• You can configure software on the network module only from a console that connects to a single serial-port console port on the host router.

Note Telnet is not recommended.

• You can access the Clean Access Server software running on the network module by accessing one of the following:

– The router’s Cisco IOS command-line interface (CLI)

– The CAS management pages of the CAM web console (Device Management > CCA Servers > Manage [CAS_IP])

– The CAS direct access console (https://<CAS_eth0_IP>/admin/)

– Secure-shell (SSH) connection to the internal interface (CAS eth0 trusted interface) of the NAC network module.

• All configured Clean Access Servers have a direct web console interface that can optionally be accessed for certain limited settings, such as HA or SSL certificates, or to download support logs. For the NAC network module, all CAS configuration settings can be accessed via the CAS management pages of the CAM web console, except for CAS support logs, which must be accessed via the direct CAS web console interface by typing https://<CAS_eth0_IP>/admin/ into a web browser. Additionally, because the NAC network module does not support HA, there is no “Failover” tab in the direct access web console.

Restrictions for Cisco NAC Network Module

Deployment

• The NAC network module does not support High Availability (HA) mode. HA functionality is disabled on the GUI interface of the NAC network module.

• The NAC network module does not support the Cisco NAC Profiler Collector module for the CAS.

• The NAC network module does not support port-based VLAN mapping when deployed as an Out-of-Band Virtual Gateway. A change in the client IP address is always required when the NAC network module is configured as an L2 OOB Virtual Gateway.

• Cisco NAC Network Module does not support Wireless Out-of-Band (OOB). The Wireless OOB feature introduced in Release 4.5 only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Upgrade

• After upgrading from Release 4.6(1) to Release 4.8, the clock on the NAC-NME module may drift. This can result in the CAS on the NME module not connecting to the CAM after the upgrade from 4.6.1, because the certificate dates fall out of range.

To resolve this, check the system clock after upgrading, set it once, and reboot. To set the date, use the following command and then reboot:

Syntax:

date -s "dd MMM YYYY hh:mm:ss"

Example:

date -s "15 APR 2010 19:49:00"

You can also synchronize the time using the CAS web console. In the CAS web console, perform the following steps:

Step 1 Navigate to Administration > Time Server.

Step 2 Select the Time Zone and enter the appropriate time server in the Time Servers field.

Step 3 Click Synchronize Time.

Step 4 Reboot the system.
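The clock drift described above breaks the CAS-to-CAM connection because the CAS certificate is validated against the module's own clock. The following Python script is an added example, not Cisco code and not part of this guide: it compares a module clock reading with a trusted reference (for instance the CAM's clock or a time server), checks it against the certificate's notBefore/notAfter window entered as OpenSSL prints them, and renders the date -s command in the form used above whenever the clock must be set. The certificate dates and clock readings are constructed samples, and how you obtain them from the module (the date command, plus the certificate on the CAS) is assumed.

```python
# Added example: sanity-check a CAS module clock against a trusted reference
# and the validity window of its certificate, and render the date -s command
# from this section when the clock needs to be set.
from datetime import datetime, timedelta, timezone

OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # as printed by "openssl x509 -noout -dates"

# Constructed sample validity window; not the dates of any real CAS certificate.
SAMPLE_NOT_BEFORE = "Apr 15 00:00:00 2010 GMT"
SAMPLE_NOT_AFTER = "Apr 15 00:00:00 2011 GMT"


def parse_openssl_date(text):
    """Parse an OpenSSL notBefore/notAfter string into an aware UTC datetime."""
    return datetime.strptime(text, OPENSSL_DATE_FMT).replace(tzinfo=timezone.utc)


def date_s_command(when):
    """Render the guide's date -s "dd MMM YYYY hh:mm:ss" form for a UTC instant."""
    return 'date -s "%s"' % when.strftime("%d %b %Y %H:%M:%S").upper()


def check_cas_clock(module_clock, reference_clock, not_before, not_after,
                    tolerance=timedelta(minutes=5)):
    """Compare the module clock with a trusted reference clock.

    Returns the skew in seconds, whether the module clock falls inside the
    certificate validity window, and the date -s command to apply when the
    skew exceeds the tolerance or the clock is outside the window.
    """
    skew = module_clock - reference_clock
    in_window = not_before <= module_clock <= not_after
    needs_fix = abs(skew) > tolerance or not in_window
    return {
        "skew_seconds": int(skew.total_seconds()),
        "in_cert_window": in_window,
        "fix": date_s_command(reference_clock) if needs_fix else None,
    }


if __name__ == "__main__":
    not_before = parse_openssl_date(SAMPLE_NOT_BEFORE)
    not_after = parse_openssl_date(SAMPLE_NOT_AFTER)
    # Constructed scenario: the module clock drifted to before the certificate's notBefore.
    reference = datetime(2010, 4, 15, 19, 49, 0, tzinfo=timezone.utc)
    drifted = datetime(2009, 12, 1, 0, 0, 0, tzinfo=timezone.utc)
    print(check_cas_clock(drifted, reference, not_before, not_after))
```

Run it with the drifted reading and it reports the clock outside the certificate window together with the exact command to type on the module; a reading within the tolerance and inside the window yields no fix, so the same function can be run after the reboot to confirm the correction took.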

• The Cisco NAC Appliance architecture is not designed for heterogeneous support—that is, some Clean Access Servers running 4.1(3) software and some running 4.1(2) software. Because the NAC network module is only supported starting from release 4.1(2) and later, to introduce a NAC network module to an existing NAC Appliance deployment (e.g. running 4.1.1), you must upgrade your Clean Access Manager and all your Clean Access Servers concurrently to release 4.1.2.1 or later.

Note Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.

Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. For compatibility with CAM/CAS appliances running 4.1.2.1, you must use the standard product upgrade file to upgrade the Cisco NAC network module to 4.1.2.1. See Configuring and Administering Cisco NAC Appliance, page 53 for additional information.

Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

Cisco NAC Network Module and Clean Access Server Software

The Clean Access Server is a Linux-based application that resides on the NAC network module that plugs into a host Cisco router running Cisco IOS software.

The network module is a standalone services engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router. The module does not have an external console port. Instead, you launch and configure the module through the router, by means of a configuration session on the module. After the session, you return to the router CLI and clear the session.

This arrangement—host router plus network module (the latter is also sometimes called an appliance or blade or, with installed software, a service or services engine)—provides a router-integrated application platform for accelerating data-intensive applications. Such applications typically involve the following and more:

• Application-oriented networking

• Contact centers and interactive-voice-response applications

• Content caching and delivery

• Data and video storage

• Network analysis

• Voice-mail and auto-attendant applications

Network Admission Control (NAC) enabled by Cisco NAC Appliance is such an application.

This section contains the following information:

• System Licenses, page 7

• Deployment Overview, page 8

• How to Configure the Cisco NAC Network Module, page 23

System Licenses

Cisco NAC Appliance product licensing treats the Cisco NAC Network Module as any other Clean Access Server. In order for a NAC network module to work in your system, you need the following:

• Clean Access Manager appliance (MANAGER) which will manage the NAC network module within the ISR.

• Clean Access Manager license. The CAM license is based on the eth0 IP address of the CAM and corresponds to the number of Clean Access Servers it supports. There are licenses for: Lite Manager (supports 3 CASs), Standard Manager (supports 20 CASs), and Super Manager (supports 40 CASs).

• NAC network module license. This is a type of Clean Access Server license. The CAS license is based on the number of concurrent users it supports. The NAC network module can support up to 100 online, concurrent users. Table 2 shows the license types available for the NAC network module. These software licenses can also be used for the ordering of a spare NAC network module.

Table 2 Cisco NAC Network Module Licenses

License/Software SKU    Description
NACNM-50-K9             NAC Network Module Server License—max 50 users
NACNM-100-K9            NAC Network Module Server License—max 100 users
NACNM-50UL=             NAC Network Module Server License—upgrade only, 50 to 100 users

Note All Cisco NAC product licenses are added to the Clean Access Manager in your system. You add the CAM license the first time you access the CAM web console, then use the Administration > Licensing pages of the CAM web console to add the NAC network module or CAS licenses thereafter.

For complete details on licensing, refer to Cisco NAC Appliance Service Contract / Licensing Support .

Deployment Overview

This section provides an overview of Cisco NAC Network Module deployment with some configuration examples. If you already know how you want to deploy your NAC network module, continue to How to Configure the Cisco NAC Network Module, page 23 for detailed initial configuration steps.

It contains the following:

• Cisco NAC Network Module (CAS) Deployment Modes, page 8

• Interface Description, page 9

• Example Layer 2 Inband Virtual Gateway Configuration, page 10

• Example Layer 2 Out-of-Band Real-IP Gateway Configuration, page 16

Cisco NAC Network Module (CAS) Deployment Modes

Table 3 shows the Clean Access Server deployment modes supported by the Cisco NAC Network Module.

From a physical deployment perspective, all NAC network modules are Edge Deployments. This means each port (eth0 and eth1) of the NAC network module (CAS) is connected to a different device.

The eth1 (untrusted) interface of the NAC network module can be connected to an external switch or to an EtherSwitch Service Module (NME-ESW) for 3800 series integrated services routers supporting multiple slots (e.g. 3845).

Table 3 CAS Deployment Modes Supported by Cisco NAC Network Module

Deployment Mode        Options (see note 1)
Physical deployment    Edge deployment only
CAS traffic passing    • Virtual Gateway (bridged mode)
                       • Real IP Gateway (routed mode)
Client access          • Layer 2—client is adjacent to NAC network module (CAS)
                       • Layer 3—client is multiple hops away from NAC network module (CAS)
Traffic flow           • In-band—CAS is always inline with traffic
                       • Out-of-Band—CAS is inline with traffic only during posture assessment/remediation

1. The Cisco NAC Network Module does not support Wireless Out-of-Band deployment (Release 4.5 and later). Wireless OOB only supports Layer 2 OOB Virtual Gateway deployments that require no IP change. The NAC Network Module does not support this topology.

Interface Description

Table 4 describes the interface terminology used in the example deployments shown in Figure 1 on page 11 and Figure 2 on page 16.

The example scenarios illustrate the NAC network module (NME-NAC) in a 3800 Series Integrated Services Router (ISR) when an EtherSwitch Service Module (NME-ESW) is used instead of an external switch.

In both examples, the eth1 (untrusted) interface of the NAC network module (Clean Access Server) is connected via an external link to the EtherSwitch module, instead of via the internal Gigabit Serdes (GigSerdes) connection described on page 10.

Table 4 Cisco NAC Network Module Interface Description

Interface Description

Integrated Service Engine 1/0 (int-svr-eng 1/0)

Internal port connecting the integrated services router to the eth0 Trusted port of the CAS (NAC module). It is treated like any other Layer 3 port.

ESW internal port (Gig1/0/2)

Internal link connecting the integrated services router to the Gig 1/0/2 interface of an EtherSwitch (ESW) module. Treated like any other Layer 3 port. Depending on the ISR slot, displays as Gig2/0 or Gig3/0 on the router.

Gigabit Serdes (GigSerdes)

(Optional) Internal port that can be configured to connect the eth1 Untrusted port of the CAS (NAC module) with an EtherSwitch (ESW) Gig 1/0/2 port, via CLI command:

connect 1 module Integrated-Service-Engine 1/0 0 module GigabitEthernet2/0 0

Where:

• Integrated-Service-Engine 1/0 0 is the CAS eth1 Untrusted port

• GigabitEthernet2/0 0 is the Gig 1/0/2 port of the EtherSwitch

• The configuration applied to the Gig 1/0/2 port of the EtherSwitch applies to the GigSerdes port.

Note If Gigabit Serdes is used, the external ports should not be connected.

Example Layer 2 Inband Virtual Gateway Configuration

This section describes the following:

• Network Diagram (L2 IB VGW)

• CAS Configuration (L2 IB VGW)

• Integrated Services Router Configuration (L2 IB VGW)

• EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

Network Diagram (L2 IB VGW)

Figure 1 shows the Cisco NAC Network Module deployed as a CAS in Layer 2 inband Virtual Gateway mode.

Figure 1 NME-NAC (CAS) Layer 2 Inband Virtual Gateway Deployment with NME-ESW

Key Points

• No VLAN mapping is required for Edge Deployment

• Int int-svr-eng 1/0 of the ISR is the Default Gateway for all users

• Int int-svr-eng 1/0 of the ISR is configured as a Layer 2 trunk with subinterfaces to/from each data VLAN

• Link between the switch (NME-ESW) and CAS (NME-NAC) via external link or internal GigSerdes link (on 3800) carries data VLANs 51,52

• No VLAN 51, 52 traffic on internal GE link between NME-ESW and ISR

• IP Phone traffic on VLAN 15 sent directly to int Gig2/0 of the ISR

CAS Configuration (L2 IB VGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Inband Virtual Gateway.

• CAS IP Form (L2 IB VGW), page 12

• CAS Managed Subnet Form (L2 IB VGW), page 12

• CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning), page 13

CAS IP Form (L2 IB VGW)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

• Clean Access Server Type: Virtual Gateway

• Both Trusted (eth0) and Untrusted (eth1) Interface IP Addresses are the same: 10.10.55.2

• Both Trusted and Untrusted Interface Default Gateway is the same: 10.10.55.1

• Trusted Interface (eth0) Management VLAN ID needs to be set (55).

Note For Virtual Gateway, the Management VLAN for the CAS must be different from the CAM. Management VLANs must be set for the CAM and CAS, solely to manage the CAS from the CAM.

CAS Managed Subnet Form (L2 IB VGW)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

• A managed subnet is added for each user VLAN (51, 52) and verified in the list at the bottom of the page.

• Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

• For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

• You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

• For Virtual Gateways, the managed subnet form essentially assigns an IP address to the CAS that is otherwise unused on the subnet. The CAS is not the gateway, but owns that address for the specified VLAN/subnet in order to send ARP queries.

CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > VLAN Mapping

• On a Cisco NAC Network Module, the CAS is always an edge deployment. Therefore no VLAN Mapping is required because the eth0 and eth1 interfaces of the CAS are connected to different devices.

Caution The “Enable VLAN Pruning” option is enabled by default for CAS Virtual Gateways. Make sure that “Enable VLAN Pruning” is turned off when “VLAN Mapping” is disabled. Turning the “Enable VLAN Pruning” option on while the “VLAN Mapping” option is disabled can cause the CAS to discard all VLAN packets in either direction.

• When a CAS operates in Virtual Gateway mode, it passes network traffic from its eth0 interface to eth1 and from eth1 to eth0 without changing the VLAN tag. VLAN Mapping is necessary only for In-band Virtual Gateways when both interfaces of the CAS are connected to the same Layer 2 switch. It allows putting incoming traffic to the CAS on a different VLAN from the outgoing traffic of the CAS. This is not needed for the NAC network module.

Integrated Services Router Configuration (L2 IB VGW)

ISR Configuration—Layer 2 Inband Virtual Gateway

ISR# sh run
Building configuration...
!
ip dhcp excluded-address 10.10.15.1
ip dhcp excluded-address 10.10.51.1
ip dhcp excluded-address 10.10.52.1
ip dhcp excluded-address 10.10.53.1
ip dhcp excluded-address 10.10.51.254
ip dhcp excluded-address 10.10.52.254
ip dhcp excluded-address 10.10.53.254
!
ip dhcp pool vlan51
 network 10.10.51.0 255.255.255.0
 default-router 10.10.51.1
!
ip dhcp pool vlan52
 network 10.10.52.0 255.255.255.0
 default-router 10.10.52.1
!
ip dhcp pool vlan53
 network 10.10.53.0 255.255.255.0
 default-router 10.10.53.1
!
ip dhcp pool vlan15
 network 10.10.15.0 255.255.255.0
 default-router 10.10.15.1
!
interface Integrated-Service-Engine1/0
 description "Internal link between ISR & CAS"
 ip address 10.10.50.1 255.255.255.0
 no keepalive
!
interface Integrated-Service-Engine1/0.51
 encapsulation dot1Q 51
 ip address 10.10.51.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.52
 encapsulation dot1Q 52
 ip address 10.10.52.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.53
 encapsulation dot1Q 53
 ip address 10.10.53.1 255.255.255.0
!
interface Integrated-Service-Engine1/0.55
 encapsulation dot1Q 55
 ip address 10.10.55.1 255.255.255.0
!
interface GigabitEthernet2/0
 description "Internal link between ISR & NME-ESW switch"
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2/0.15
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
!
interface GigabitEthernet2/0.16
 encapsulation dot1Q 16
 ip address 10.10.16.1 255.255.255.0
!
end

EtherSwitch Service Module (NME-ESW) Configuration (L2 IB VGW)

EtherSwitch (NME-ESW) Configuration—Layer 2 Inband Virtual Gateway

NME-Switch# sh run
!
vlan 15,16,51-53
!
interface FastEthernet1/0/1
 switchport access vlan 51
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/2
 switchport access vlan 52
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/3
 switchport access vlan 53
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME-ESW switch and CAS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 51-53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME-ESW switch and ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,16
 switchport mode trunk
!
interface Vlan16
 ip address 10.10.16.2 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.16.1
ip http server
!
end
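The key points of this deployment require the user VLANs (51, 52) to appear only on the link to the CAS and never on the internal trunk between the NME-ESW and the ISR: with the CAS inline (in-band), a user VLAN that is also allowed on the internal trunk would give clients a path to the router that never crosses the CAS. The following Python script is an added example, not Cisco code and not part of this guide: it parses a switch running-config (the relevant NME-ESW lines from this section, reproduced inline, plus a constructed misconfigured variant) and reports any VLAN carried on both the CAS-facing trunk and the ISR-facing trunk. The port names passed to the check are those of the example configuration; the parser handles only the plain `switchport access vlan` and `switchport trunk allowed vlan <list>` forms, and treats a trunk with no allowed-VLAN list as carrying every VLAN, which is the IOS default. The same check applies to the Out-of-Band Real-IP Gateway example later in this guide, where only Auth VLAN 53 should be on the CAS link.

```python
# Added example: checks that user VLANs are carried only on the CAS-facing
# trunk of the NME-ESW, not on the internal trunk to the ISR.

ALL_VLANS = frozenset(range(1, 4095))  # a trunk with no "allowed vlan" list carries every VLAN

# Constructed sample: the NME-ESW running-config lines from this section
# that matter for the check (port names as in the Layer 2 inband example).
SAMPLE_ESW_CONFIG = """\
vlan 15,16,51-53
!
interface FastEthernet1/0/1
 switchport access vlan 51
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME-ESW switch and CAS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 51-53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME-ESW switch and ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 15,16
 switchport mode trunk
!
interface Vlan16
 ip address 10.10.16.2 255.255.255.0
!
"""

# Constructed misconfiguration: the internal trunk has lost its allowed-VLAN
# list, so it carries the user VLANs straight to the ISR, bypassing the CAS.
BAD_ESW_CONFIG = SAMPLE_ESW_CONFIG.replace(" switchport trunk allowed vlan 15,16\n", "")


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '15,16,51-53' into a set of VLAN IDs."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        elif part:
            vlans.add(int(part))
    return vlans


def parse_switchports(config_text):
    """Return {interface: {'mode': str|None, 'vlans': set|None}} from a running-config.

    'vlans' stays None when no access/allowed VLAN line was seen, so the caller
    can apply the IOS defaults (VLAN 1 for access, all VLANs for a trunk).
    """
    ports = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = {"mode": None, "vlans": None}
            continue
        if current is None or not line.startswith(" "):
            current = None  # '!' or a global command ends the interface stanza
            continue
        tokens = line.split()
        if tokens[:2] == ["switchport", "mode"] and len(tokens) == 3:
            ports[current]["mode"] = tokens[2]
        elif tokens[:3] == ["switchport", "access", "vlan"] and len(tokens) == 4:
            ports[current]["vlans"] = {int(tokens[3])}
        elif tokens[:4] == ["switchport", "trunk", "allowed", "vlan"] and len(tokens) == 5:
            # Only the plain list form; 'add', 'remove' and 'except' are not handled.
            spec = tokens[4]
            if spec == "all":
                ports[current]["vlans"] = None
            elif spec == "none":
                ports[current]["vlans"] = set()
            else:
                ports[current]["vlans"] = expand_vlan_list(spec)
    return ports


def carried_vlans(port):
    """VLANs a port carries, applying IOS defaults when the config is silent."""
    if port["mode"] == "trunk":
        return ALL_VLANS if port["vlans"] is None else frozenset(port["vlans"])
    return frozenset(port["vlans"]) if port["vlans"] else frozenset({1})


def vlans_bypassing_cas(config_text, cas_port, isr_port):
    """VLANs present on both the CAS-facing and the ISR-facing link.

    Any VLAN in the result has a path to the ISR that does not cross the CAS,
    which defeats in-band enforcement for clients on that VLAN.
    """
    ports = parse_switchports(config_text)
    shared = carried_vlans(ports[cas_port]) & carried_vlans(ports[isr_port])
    return sorted(shared)


if __name__ == "__main__":
    for name, cfg in (("example", SAMPLE_ESW_CONFIG), ("misconfigured", BAD_ESW_CONFIG)):
        leaked = vlans_bypassing_cas(cfg, "FastEthernet1/0/16", "GigabitEthernet1/0/2")
        print(name, "VLANs bypassing the CAS:", leaked or "none")
```

Against the example configuration the result is empty; against the variant whose internal trunk has no allowed-VLAN list it lists 51, 52 and 53, which is exactly the condition the key points rule out. Feed it the output of `show running-config` from the EtherSwitch module to check a live deployment.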

Example Layer 2 Out-of-Band Real-IP Gateway Configuration

This section describes the following:

• Network Diagram (L2 OOB RGW)

• CAS Configuration (L2 OOB RGW)

• Integrated Services Router Configuration (L2 OOB RGW)

• EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

Network Diagram (L2 OOB RGW)

Figure 2 shows the NAC module deployed as a CAS in Layer 2 out-of-band Real-IP Gateway mode.

Figure 2 NME-NAC (CAS) Layer 2 Out-of-Band Real-IP Gateway Deployment with NME-ESW

Key Points

• Link between NME-ESW switch and CAS via external link or GigSerdes (on 3800) carries Auth VLAN 53

• No VLAN 53 traffic on internal GE link between NME-ESW and ISR

• User Access VLAN and phone VLAN traffic are sent via the internal link to the Gig2/0 interface of the ISR.

CAS Configuration (L2 OOB RGW)

The example in this section illustrates the main concepts for configuring the CAS as a Layer 2 Out-of-Band Real-IP Gateway.

• CAS IP Form (L2 OOB RGW), page 17

• CAS Managed Subnet Form (L2 OOB RGW), page 18

• CAS DHCP Form (L2 OOB RGW), page 18

• CAM – Switch Profile (L2 OOB RGW), page 19

• CAM – Port Profile (L2 OOB RGW), page 19

• CAM – SNMP Receiver (L2 OOB RGW), page 20

• CAM – Ports Management (L2 OOB RGW), page 20

CAS IP Form (L2 OOB RGW)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > IP

• Clean Access Server Type: Real-IP Gateway

• Trusted (10.10.55.2) and Untrusted (10.10.51.1) Interface IP Addresses are different

• Trusted Interface Default Gateway (10.10.55.1) and Untrusted Interface Default Gateway (10.10.51.1) are different.

• Trusted Interface Management VLAN ID (55) and Untrusted Interface Management VLAN ID (51) are different.

Note Management VLANs must be set for the CAM and CAS to manage the CAS from the CAM.


CAS Managed Subnet Form (L2 OOB RGW)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Advanced > Managed Subnet

• A managed subnet is added for the Authentication VLAN (53) and verified in the list at the bottom of the page.

• Managed Subnets are only for user subnets that are Layer 2 adjacent to the CAS.

• For all CAS modes in L2 deployment (Real-IP/Virtual Gateway) when configuring additional subnets, you must configure Managed Subnets in the CAS so that the CAS can send ARP queries with appropriate VLAN IDs for client machines on the untrusted interface.

• You must configure the untrusted interface (Auth) VLAN in the VLAN ID field of each Managed Subnet.

• For a Real-IP Gateway, the CAS will own the gateway IP address of the managed subnet.

CAS DHCP Form (L2 OOB RGW)

• CAM web console: Device Management > CCA Servers > Manage [CAS_eth0_IP] > Network > DHCP

• CAS is configured as a DHCP Relay.


CAM – Switch Profile (L2 OOB RGW)

• CAM web console: Switch Management > Profiles >Switch > New/Edit

• A Switch profile is created for the NME-ESW. Supported NME EtherSwitch service modules are added as 3750 Switch Models. Refer to Switch Support for Cisco NAC Appliance for details.

CAM – Port Profile (L2 OOB RGW)

• CAM web console: Switch Management > Profiles > Port > New/Edit

• A Port profile is created for the NME-ESW to map Authentication VLAN 53 to Access VLAN 11.


CAM – SNMP Receiver (L2 OOB RGW)

• CAM web console: Switch Management > Profiles > SNMP Receiver

• A Community String (public) is configured for the CAM SNMP Receiver. The example uses public, the well-known SNMP default; in production use a community string that is unique to your deployment.

CAM – Ports Management (L2 OOB RGW)

• CAM web console: Switch Management > Devices > Switches > (Manage) Ports [Switch_IP]

• The Profile (ISR_NME_switch) is applied to the switch port, and settings are updated on the switch.


Integrated Services Router Configuration (L2 OOB RGW)

ISR Configuration—Layer 2 Out-of-Band Real-IP Gateway

ISR# sh run
Building configuration...
!
ip dhcp excluded-address 10.10.53.1
ip dhcp excluded-address 10.10.53.254
ip dhcp excluded-address 10.10.11.1
ip dhcp excluded-address 10.10.12.1
ip dhcp excluded-address 10.10.15.1
!
ip dhcp pool vlan53
 network 10.10.53.0 255.255.255.0
 default-router 10.10.53.1
!
ip dhcp pool vlan11
 network 10.10.11.0 255.255.255.0
 default-router 10.10.11.1
!
ip dhcp pool vlan12
 network 10.10.12.0 255.255.255.0
 default-router 10.10.12.1
!
ip dhcp pool vlan15
 network 10.10.15.0 255.255.255.0
 default-router 10.10.15.1
!
interface Integrated-Service-Engine1/0
 description "Internal link between ISR and CAS"
 ip address 10.10.50.1 255.255.255.0
 no keepalive
!
interface Integrated-Service-Engine1/0.55
 encapsulation dot1Q 55
 ip address 10.10.55.1 255.255.255.0
!
interface GigabitEthernet2/0
 description "Internal link between ISR & NME-ESW switch"
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet2/0.11
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
!
interface GigabitEthernet2/0.12
 encapsulation dot1Q 12
 ip address 10.10.12.1 255.255.255.0
!
interface GigabitEthernet2/0.15
 encapsulation dot1Q 15
 ip address 10.10.15.1 255.255.255.0
!
interface GigabitEthernet2/0.16
 encapsulation dot1Q 16
 ip address 10.10.16.1 255.255.255.0
!
end


EtherSwitch Service Module (NME-ESW) Configuration (L2 OOB RGW)

Additional References

For more information on Gigabit Serdes/HIMI, refer to:

• Cisco High-Speed Intrachassis Module Interconnect (HIMI) Configuration Guide

For more information on EtherSwitch Service Modules, refer to:

• Interface Cards and Modules (LAN section)

• EtherSwitch Service Module (ES) Configuration Example

For more information on Clean Access Server configuration, refer to the applicable:

• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

For OOB support information, see:

• Switch Support for Cisco NAC Appliance

EtherSwitch (NME-ESW) Configuration—Layer 2 Out-of-Band Real-IP Gateway

NME-Switch# sh run
!
vlan 11,12,15,16,53
!
interface FastEthernet1/0/1
 switchport access vlan 12
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet1/0/16
 description EXTERNAL LINK Between NME switch and CAS
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 description INTERNAL LINK Between NME switch and ISR
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,15,16
 switchport mode trunk
!
interface Vlan16
 ip address 10.10.16.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.10.16.1
!
snmp-server community public RO
snmp-server community private RW
snmp-server trap-source Vlan16
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification
snmp-server host 10.10.100.2 public mac-notification
!
end
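The Key Points for this deployment (Auth VLAN 53 only on the external link to the CAS, no VLAN 53 on the internal trunk to the ISR) and the two configurations above can be checked mechanically before the CAM is pointed at the switch. The following Python script is an added example written for this page; it is not Cisco code and not part of the NAC product. It parses show run output into interface blocks, verifies that the Auth VLAN is permitted only on the trunk toward the CAS (a trunk with no switchport trunk allowed vlan line carries every VLAN by default, so a missing line is itself a finding), confirms that no ISR dot1Q subinterface tags the Auth VLAN, and flags the well-known default SNMP community strings that the CAM's SNMP access would otherwise rely on. The embedded configurations are constructed, abbreviated copies of the examples above; the interface name passed as the CAS link and the list of weak community strings are assumptions.

```python
"""Lint NME-ESW and ISR 'show run' output against the L2 OOB key points:
Auth VLAN only on the CAS trunk, never on the ISR side; no default SNMP communities."""
import re
from typing import Dict, List, Optional, Set

ALL_VLANS = frozenset(range(1, 4095))   # IOS default for a trunk with no allowed-vlan list

def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map every 'interface X' block to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:                       # '!' or any other global line ends the block
            current = None
    return interfaces

def expand_vlan_list(spec: str) -> Set[int]:
    """'11,12,15-16' -> {11, 12, 15, 16}; the keyword 'all' means every VLAN."""
    if spec == "all":
        return set(ALL_VLANS)
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def trunk_allowed_vlans(subcmds: List[str]) -> Optional[Set[int]]:
    """Allowed VLANs of a trunk port, or None if the port is not a trunk."""
    if "switchport mode trunk" not in subcmds:
        return None
    allowed = set(ALL_VLANS)        # no 'allowed vlan' line at all -> everything is trunked
    for cmd in subcmds:
        m = re.match(r"switchport trunk allowed vlan(?: (add|remove))? (\S+)$", cmd)
        if m:
            op, vlans = m.group(1), expand_vlan_list(m.group(2))
            # plain form replaces the list; 'add'/'remove' adjust it
            allowed = {None: vlans, "add": allowed | vlans, "remove": allowed - vlans}[op]
    return allowed

def lint_esw_config(config: str, auth_vlan: int, cas_link: str,
                    weak_communities=("public", "private")) -> List[str]:
    """Findings for the EtherSwitch module: Auth VLAN scope and SNMP community strings."""
    findings: List[str] = []
    for name, subcmds in parse_interfaces(config).items():
        allowed = trunk_allowed_vlans(subcmds)
        if allowed is None:
            continue
        if name == cas_link and auth_vlan not in allowed:
            findings.append(f"{name}: trunk to the CAS does not carry Auth VLAN {auth_vlan}")
        elif name != cas_link and auth_vlan in allowed:
            findings.append(f"{name}: Auth VLAN {auth_vlan} is allowed on a trunk other than the CAS link")
    for m in re.finditer(r"^snmp-server community (\S+) (RO|RW)\b", config, re.M):
        if m.group(1).lower() in weak_communities:
            findings.append(f"snmp-server community '{m.group(1)}' ({m.group(2)}) is a well-known default")
    return findings

def lint_isr_config(config: str, auth_vlan: int) -> List[str]:
    """Findings for the ISR: no dot1Q subinterface may tag the Auth VLAN."""
    findings: List[str] = []
    for name, subcmds in parse_interfaces(config).items():
        for cmd in subcmds:
            m = re.match(r"encapsulation dot1[Qq] (\d+)$", cmd)
            if m and int(m.group(1)) == auth_vlan:
                findings.append(f"{name}: ISR subinterface tags Auth VLAN {auth_vlan}")
    return findings

# Constructed samples, abbreviated from the two configurations shown above.
ESW_CONFIG = """\
interface FastEthernet1/0/16
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 53
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 11,12,15,16
 switchport mode trunk
!
snmp-server community public RO
snmp-server community private RW
"""
# Same switch with the allowed list dropped from the internal trunk: IOS then trunks
# every VLAN, so Auth VLAN 53 would also reach the ISR.
ESW_LEAKY = ESW_CONFIG.replace(" switchport trunk allowed vlan 11,12,15,16\n", "")
ISR_CONFIG = """\
interface GigabitEthernet2/0.11
 encapsulation dot1Q 11
 ip address 10.10.11.1 255.255.255.0
!
"""

if __name__ == "__main__":
    print("ESW:", lint_esw_config(ESW_CONFIG, 53, "FastEthernet1/0/16"))
    print("ESW (leaky):", lint_esw_config(ESW_LEAKY, 53, "FastEthernet1/0/16"))
    print("ISR:", lint_isr_config(ISR_CONFIG, 53) or "clean")
```

Run against the page's own switch configuration the only findings are the two default community strings; remove the allowed-VLAN list from GigabitEthernet1/0/2 and the Auth VLAN finding appears, which is the failure mode the Key Points are guarding against.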


How to Configure the Cisco NAC Network Module

This section contains the following information:

• Hardware Interfaces, page 24

• Cisco NAC Network Module Configuration Worksheet, page 25

• Setting Up Network Module Interfaces, page 26

• Opening and Closing a Session, page 29

• Running Clean Access Server Software Configuration Utility, page 31

Note If you lose power or connection during any of the following procedures, the system usually detects the interruption and tries to recover. If it fails to do so, fully reinstall the system using the boothelper, as described in Re-Installing Cisco NAC Network Module Software, page 48.

Initial configuration of the network module is done via CLI (router console). Thereafter, the Cisco NAC Network Module is a Clean Access Server that is managed via Clean Access Manager (CAM) web console. The CAS on the NAC network module can be accessed by: router console, CAM/CAS web console, and SSH.

This document presents router console configuration instructions.

For CAM/CAS web console (GUI) configuration instructions, refer to the following guides. Refer to the document version corresponding to the release you are running on your machines:

• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide


Hardware Interfaces

The host router and network module use several interfaces for internal and external communication (see Figure 3). Each interface is configurable: for the router by using the Cisco IOS CLI, and for the module by using the module firmware's CLI, GUI, or SSH.

Figure 3 Router and Network Module Interfaces

On This Hardware Interface... / Configure These Settings... / Using This Configuration Interface

1. Router interface to external link (GigabitEthernet slot/0)
   Configure: Standard router settings
   Using: Router's Cisco IOS CLI
   Note For ISR 2811 only, this is Fast Ethernet slot/0.

2. Router interface to module (integrated-service-engine slot/0)
   Configure: Module's IP address and default gateway router
   Using: Router's Cisco IOS CLI

3. Module interface to router (GigabitEthernet 0/1), the eth0 (trusted) interface of the Clean Access Server
   Configure: NAC network module settings
   Using: NAC network module's CLI, GUI, or SSH interface

4. Module interface to external link (GigabitEthernet 0/0), the eth1 (untrusted) interface of the Clean Access Server
   Configure: Untrusted interface (client-side network) settings
   Using: NAC network module's CLI, GUI, or SSH interface

Figure 3 labels: Host Router (Top View); Network Module; 1 Router interface to external link; 2 Router interface to module; 3 Module interface to router; 4 Module interface to external link.


Cisco NAC Network Module Configuration Worksheet

You will need to collect the information in Table 5, first to configure the Cisco NAC Network Module within the Integrated Services Router (ISR), then to configure the Clean Access Server software that will run on the NAC network module.

Table 5 CAS Configuration Utility Worksheet

Record the address or value for each item. The first entry in each pair is the ISR command argument that carries the value (n/a where the value is entered only in the CAS configuration utility); the lettered entry is the corresponding NAC Clean Access Server configuration value.

service-module ip address module-side-ip-address
  a. IP address for eth0 interface (trusted)

service-module ip address ... subnet-mask
  b. Subnet mask (IP netmask) for eth0 interface

service-module ip default-gateway gateway-ip-address
  c. Default gateway IP address for eth0 interface.
  Note This is the same IP as the router-side interface to the module.
  Note For Virtual Gateway, eth0 and eth1 have the same default gateway.

service-module external ip address external-ip-address
  d. IP address for eth1 interface (untrusted)

service-module external ip address ... subnet-mask
  e. Subnet mask (IP netmask) for eth1 interface

n/a
  f. Default gateway IP address for eth1 interface
  Note For Virtual Gateway, eth0 and eth1 have the same default gateway.

n/a
  g. Host name for your CAS

n/a
  h. IP address of Domain Name Server on your network

n/a
  i. Shared secret
  Note Must be the same for the CAM and all CAS(s)

n/a
  j. Date, time and timezone

n/a
  k. To generate the required temporary SSL certificate (you can change this at a later time):
  - FQDN or eth0 IP address of CAS
  - Organization unit (e.g. Sales)
  - Organization name (e.g. Cisco)
  - Organization location (e.g. San Jose, CA, US)
  Note If using FQDN, make sure your DNS server is set up for the domain name.

n/a
  l. Root user password

n/a
  m. Web console password


Setting Up Network Module Interfaces

Your first configuration task is to set up network module interfaces to the host router and to its external links, which enables you to access the module to install and configure NAC.

Note The first few steps open the host-router CLI and access the router’s interface to the module. The subsequent steps configure the interface.

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. configure terminal

3. interface integrated-service-engine slot/0

4. ip address router-side-ip-address subnet-mask

or

ip unnumbered type number

5. service-module ip address module-side-ip-address subnet-mask

6. service-module external ip address external-ip-address subnet-mask

7. service-module ip default-gateway gateway-ip-address

8. end

9. copy running-config startup-config

10. show running-config

DETAILED STEPS

Command or Action Purpose

From the Host-Router CLI

Step 1 enable

Example:
Router> enable

Enters privileged EXEC mode on the host router. Enter your password if prompted.

Step 2 configure terminal

Example:
Router# configure terminal

Enters global configuration mode on the host router.


Step 3 interface integrated-service-engine slot/0

Example (ISR 2811, one-slot only):

Router(config)# interface integrated-service-engine 1/0

Example (ISR 3845, multiple-slot):

Router(config)# interface integrated-service-engine 3/0

Enters interface configuration mode for the slot and port where the network module resides.

Step 4 ip address router-side-ip-address subnet-mask

or

ip unnumbered type number

Example:
Router(config-if)# ip address 10.30.30.10 255.255.255.0

or

Router(config-if)# ip unnumbered ethernet 0

Specifies the router interface to the module (#2 in Figure 3). Arguments are as follows:

• router-side-ip-address subnet-mask—IP address and subnet mask for the interface.

• type number—Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface. Serial interfaces using High Level Data Link Control (HDLC), Point-to-Point Protocol (PPP), Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, Serial Line Internet Protocol (SLIP), and tunnel interfaces can be unnumbered.

Step 5 service-module ip address module-side-ip-address subnet-mask

Example:
Router(config-if)# service-module ip address 10.30.30.9 255.255.255.0

Specifies the IP address for the module interface to the router (#3 in Figure 3).

Note This is the trusted (eth0) interface of the Clean Access Server.

Arguments are as follows:

• module-side-ip-address—IP address for the interface

• subnet-mask—Subnet mask to append to the IP address; must be in the same subnet as the host router

Step 6 service-module external ip address external-ip-address subnet-mask

Example:
Router(config-if)# service-module external ip address 172.0.0.30 255.255.255.0

Specifies the IP address for the external LAN interface on the module (#4 in Figure 3).

Note This is the untrusted (eth1) interface of the Clean Access Server.

Arguments are as follows:

• external-ip-address—IP address for the interface

• subnet-mask—Subnet mask to append to the IP address


Examples

The following partial output from the show running-config command shows how the interfaces are configured.

NME-NAC-3845# sh run interface integrated-service-engine 3/0
Building configuration...

Current configuration : 197 bytes
!
interface integrated-service-engine3/0
 ip address 10.30.30.10 255.255.255.0
 service-module ip address 10.30.30.9 255.255.255.0
 service-module ip default-gateway 10.30.30.10
 no keepalive
end

Step 7 service-module ip default-gateway gateway-ip-address

Example:
Router(config-if)# service-module ip default-gateway 10.30.30.10

Specifies the IP address for the default gateway router for the module. The argument is as follows:

• gateway-ip-address—IP address for the gateway router

Step 8 end

Example:
Router(config-if)# end

Returns to privileged EXEC mode on the host router, from which the next step is run.

Step 9 copy running-config startup-config

Example:
Router# copy running-config startup-config

Saves the router’s new running configuration.

Step 10 show running-config

Example:
Router# show running-config

Displays the router’s running configuration, so that you can verify address configurations.


Opening and Closing a Session

You can now open and close a session on the network module.

Note
• You can conduct only one session at a time.
• The first few steps open the host-router CLI and access the module. The subsequent steps configure the module. The last steps return you to the host-router CLI.

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the configuration detailed in Running Clean Access Server Software Configuration Utility, page 31.

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

Command or Action Purpose

From the Host-Router CLI

Step 1 enable

Example:
Router> enable

Enters privileged EXEC mode on the host router. Enter your password if prompted.

Step 2 service-module integrated-service-engine slot/0 status

Example:
Router# service-module integrated-service-engine 2/0 status

Displays the status of the specified module, so that you can ensure that the module is running (that is, in steady state).

Note If the module is not running, start it with one of the startup commands listed in the “Shutting Down and Starting Up Cisco NAC Network Module” section on page 39.


Step 3 service-module integrated-service-engine slot/0 session

Example:
Router# service-module integrated-service-engine 1/0 session
Trying 10.10.10.1, 2065 ... Open

Begins a session on the specified module. Do one of the following:

• To interrupt the auto-boot sequence and access the bootloader, quickly type ***. This should only be done if the machine cannot boot. In this case, refer to Re-Installing Cisco NAC Network Module Software, page 48 for detailed steps.

• To start a configuration session, press Enter.

From the Service-Module Interface

Step 4

Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

See Running Clean Access Server Software Configuration Utility, page 31 for instructions on how to perform the initial configuration of the Clean Access Server software on the NAC network module.

Step 5 Press Control-Shift-6 x. Closes the service-module session and returns to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.

From the Host-Router CLI

Step 6 service-module integrated-service-engine slot/0 session clear

Example:
Router# service-module integrated-service-engine 1/0 session clear

Clears the service-module session for the specified module. When prompted to confirm this command, press Enter.


Running Clean Access Server Software Configuration Utility

The first time a session is initiated on the NAC network module, the Clean Access Server quick configuration utility prompts appear. This section details the CAS Configuration Utility steps.

DETAILED STEPS

Command or Action Purpose

From the Service-Module Interface

Step 1 root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

Welcome to the Cisco Clean Access Server quick configuration utility.
Note that you need to be root to execute this utility.
The utility will now ask you a series of configuration questions. Please answer them carefully.
Cisco Clean Access Server, (C) 2008 Cisco Systems, Inc.
Please use ^H to delete

Configuring the network interfaces:

From the network module prompt, log into the Clean Access Server Configuration Utility as the root user. The first time you login, there is no password prompt.

Note After the module is initially configured, you can bring up this Configuration Utility again by:

– Starting a configuration session on the module and entering the NAC Appliance CLI command, service perfigo config.

– Using SSH to connect to the module (CAS eth0 IP address) and entering service perfigo config

Step 2 module-side-ip-address

Example:
Please enter the IP address for the interface eth0 [10.201.2.30]: 10.201.217.203
You entered 10.201.217.203 Is this correct? (y/n)? [y]

At the first prompt, type an IP address for the eth0 (trusted) interface of the CAS (from field a of the CAS Worksheet) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.

Note The eth0 IP address of the CAS is the same as the Management IP address.

Step 3 module-side-ip-address subnet-mask

Example:
Please enter the netmask for the interface eth0 [255.255.255.0]:
You entered 255.255.255.0, is this correct? (y/n)? [y]

Type the subnet mask for the interface address (from field b) at the prompt or press Enter for the default (255.255.255.0). Confirm the value when prompted.

Step 4 service-module ip default-gateway

Example:
Please enter the IP address for the default gateway [10.201.217.1]: 10.201.217.202
You entered 10.201.217.202 Is this correct? (y/n)? [y]

Accept the default gateway address or type a default gateway (from field c) for the eth0 address of the CAS and press Enter. Confirm the default gateway at the prompt.


Step 5 y-or-n

Example:
[Vlan Id Passthrough] for packets from eth0 to eth1 is disabled.
Would you like to enable it? (y/n)? [n]

At the VLAN ID Passthrough prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled as the default behavior of the CAS. By default, VLAN IDs are stripped from traffic passing through the interface to the CAS. Typing y enables VLAN IDs to be passed through the CAS for traffic from the trusted to the untrusted network.

Note In most cases, VLAN passthrough is not needed.

Step 6 y-or-n

Example:
[Management Vlan Tagging] for egress packets of eth0 is disabled.
Would you like to enable it? (y/n)? [n]

At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default). Or, type y and press Enter to enable Management VLAN tagging, then specify the VLAN ID for the eth0 interface.

Note Management VLAN tagging is necessary when the trusted side of the CAS is a trunk, such as in Virtual Gateway deployments. In this case, you will need to enable Management VLAN tagging and specify the VLAN ID to which the trusted interface of the CAS belongs.

Note CAS eth0 interface settings are required for basic connection to the CAM. CAS eth1 interface settings can be reconfigured later from the CAM web console.

Step 7 external-ip-address

Example:
Please enter the IP address for the untrusted interface eth1 [192.168.110.1]: 10.201.243.49
You entered 10.201.243.49 Is this correct? (y/n)? [y]

Type an IP address for the eth1 (untrusted) interface of the CAS (from field d) and press Enter. Confirm the value when prompted, or type n and press Enter to correct the entry.

Note For Virtual Gateways, the eth1 address most commonly used is the eth0 address. To prevent looping, do not connect eth1 to the network until after you have added the CAS to the CAM in the web console. See the CAS guide for further details.

Step 8 external-ip-address-subnet-mask

Example:
Please enter the netmask for the interface eth1 [255.255.255.0]: 255.255.255.240
You entered 255.255.255.240, is this correct? (y/n)? [y]

Type the subnet mask of the eth1 interface (from field e) or press Enter to accept the default of 255.255.255.0. Confirm the value when prompted.

Step 9 external-ip-address-default-gateway

Example:
Please enter the IP address for the default gateway [10.201.243.1]: 10.201.243.49
You entered 10.201.243.49 Is this correct? (y/n)? [y]

Enter the default gateway address for the eth1 untrusted interface (from field f):

a. If the CAS will be a Real-IP Gateway, this is the IP address of the CAS’s untrusted interface eth1.

b. If the CAS will be a Virtual Gateway, this can be the same default gateway address used for the trusted interface.


Step 10 y-or-n

Example:
[Vlan Id Passthrough] for packets from eth1 to eth0 is disabled.
Would you like to enable it? (y/n)? [n]

At the next prompt, type n and press Enter (or just press Enter) to keep VLAN ID passthrough disabled for the eth1 interface.

Step 11 y-or-n

Example:
[Management Vlan Tagging] for egress packets of eth1 is disabled.
Would you like to enable it? (y/n)? [n]

At the Management VLAN Tagging prompt, type n and press Enter (or just press Enter) to keep Management VLAN tagging disabled (default) for the eth1 interface.

Step 12 clean-access-server-host-name

Example:
Please enter the hostname [caserver]: cas-10
You entered cas-10 Is this correct? (y/n)? [y]

Type and confirm the host name for the Clean Access Server (from field g).

Step 13 dns-server-ip-address

Example:
Please enter the IP address for the name server: [171.68.226.120]:
You entered 171.68.226.120 Is this correct? (y/n)? [y]

Type the IP address of the DNS server in your environment (from field h) at the prompt, or press Enter to accept the default.

Step 14 nac-shared-secret

Example:
The shared secret used between Clean Access Manager and Clean Access Server is the default string: cisco123
This is highly insecure. It is recommended that you choose a string that is unique to your installation.
Please remember to configure all Clean Access Devices with the same string. Only the first 8 characters supplied will be used.
Please enter the shared secret between Clean Access Server and Clean Access Manager: cisco1234
You entered: cisco1234
Is this correct? (y/n)? [y]

Type and confirm the shared secret for the CAM and CAS (from field i) at the prompts. Because only the first 8 characters are used, choose a value whose first 8 characters are unique to your installation: the value cisco1234 shown in the example is truncated to cisco123, which is the insecure default the utility warns about.

Caution The shared secret must be the same for the Clean Access Manager and all Clean Access Servers in the deployment. If they have different shared secrets, they cannot communicate.
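The network and shared-secret answers collected in Steps 2 through 14 are constrained by rules stated elsewhere on this page: the notes in Table 5 (for a Virtual Gateway, eth0 and eth1 share a default gateway), the CAS IP Form of the L2 OOB Real-IP Gateway example (trusted and untrusted addresses, gateways and management VLANs all differ), Step 9a (for a Real-IP Gateway the eth1 gateway is the CAS eth1 address itself), and the utility's own message that only the first 8 characters of the shared secret are kept. The following Python script is an added example written for this page, not Cisco code: it checks a filled-in worksheet against those rules before anything is typed at the console. The CasWorksheet fields mirror Table 5 (letters a through i); the real-ip/virtual labels, the 8-character constant and the finding texts are assumptions; the sample values are taken from the L2 OOB Real-IP Gateway example and from this procedure.

```python
"""Check a filled-in CAS worksheet (Table 5) against the consistency rules
this page states for the CAS IP Form and the quick configuration utility."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

DEFAULT_SHARED_SECRET = "cisco123"   # the default the utility calls "highly insecure"
SHARED_SECRET_USED_CHARS = 8         # "Only the first 8 characters supplied will be used."

@dataclass
class CasWorksheet:
    server_type: str                 # "real-ip" or "virtual" (labels assumed here)
    eth0_ip: str                     # a. trusted interface address
    eth0_mask: str                   # b.
    eth0_gateway: str                # c. router-side address of integrated-service-engine slot/0
    eth1_ip: str                     # d. untrusted interface address
    eth1_mask: str                   # e.
    eth1_gateway: str                # f.
    shared_secret: str               # i.
    eth0_mgmt_vlan: Optional[int] = None   # CAS IP Form: trusted management VLAN
    eth1_mgmt_vlan: Optional[int] = None   # CAS IP Form: untrusted management VLAN

def effective_shared_secret(secret: str) -> str:
    """What the CAS actually keeps: the first 8 characters only."""
    return secret[:SHARED_SECRET_USED_CHARS]

def check_worksheet(ws: CasWorksheet) -> List[str]:
    """Return findings; an empty list means the answers are mutually consistent."""
    findings: List[str] = []
    eth0 = ipaddress.ip_interface(f"{ws.eth0_ip}/{ws.eth0_mask}")
    eth1 = ipaddress.ip_interface(f"{ws.eth1_ip}/{ws.eth1_mask}")
    gw0 = ipaddress.ip_address(ws.eth0_gateway)
    gw1 = ipaddress.ip_address(ws.eth1_gateway)

    # Field c: the eth0 gateway is the router side of the internal link, so it
    # must be another host on eth0's subnet (Step 5: same subnet as the router).
    if gw0 not in eth0.network or gw0 == eth0.ip:
        findings.append(f"eth0 gateway {gw0} is not another host on eth0 subnet {eth0.network}")

    if ws.server_type == "real-ip":
        # CAS IP Form (L2 OOB RGW): addresses, gateways and management VLANs differ;
        # Step 9a: the eth1 default gateway is the CAS's own eth1 address.
        if eth0.network.overlaps(eth1.network):
            findings.append(f"Real-IP Gateway: eth0 {eth0} and eth1 {eth1} share a subnet")
        if gw1 != eth1.ip:
            findings.append(f"Real-IP Gateway: eth1 gateway {gw1} should be the CAS eth1 address {eth1.ip}")
        if ws.eth0_mgmt_vlan is not None and ws.eth0_mgmt_vlan == ws.eth1_mgmt_vlan:
            findings.append(f"Real-IP Gateway: trusted and untrusted management VLANs are both {ws.eth0_mgmt_vlan}")
    elif ws.server_type == "virtual":
        # Table 5 notes: for Virtual Gateway, eth0 and eth1 have the same default gateway.
        if gw1 != gw0:
            findings.append(f"Virtual Gateway: eth1 gateway {gw1} differs from eth0 gateway {gw0}")
    else:
        findings.append(f"unknown server type {ws.server_type!r}")

    # Field i: the secret is truncated to 8 characters, so a long value can
    # silently collapse to the default, and the CAM must match the kept part.
    kept = effective_shared_secret(ws.shared_secret)
    if kept == DEFAULT_SHARED_SECRET:
        findings.append(f"shared secret {ws.shared_secret!r} is kept as {kept!r}, the insecure default")
    elif len(ws.shared_secret) > SHARED_SECRET_USED_CHARS:
        findings.append(f"shared secret is truncated to {kept!r}; configure the CAM with those 8 characters")
    return findings

if __name__ == "__main__":
    # Values from the L2 OOB Real-IP Gateway example plus the secret typed in Step 14
    example = CasWorksheet("real-ip", "10.10.55.2", "255.255.255.0", "10.10.55.1",
                           "10.10.51.1", "255.255.255.0", "10.10.51.1", "cisco1234", 55, 51)
    for finding in check_worksheet(example) or ["no findings"]:
        print(finding)
```

Run on the Real-IP Gateway example values, every address rule passes and the single finding is the shared secret: cisco1234 is kept as cisco123, the default. A Virtual Gateway worksheet in which eth1 reuses the eth0 address and gateway (as Step 7's note describes) comes back clean.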


Step 15 region-number

Example:
>>> Configuring date and time:

The timezone is currently not set on this system.
Please identify a location so that time zone rules can be set correctly.
Please select a continent or ocean.
 1) Africa
 2) Americas
 3) Antarctica
 4) Arctic Ocean
 5) Asia
 6) Atlantic Ocean
 7) Australia
 8) Europe
 9) Indian Ocean
10) Pacific Ocean
11) none - I want to specify the time zone using the Posix TZ format.
#? 2

Specify time settings for the Clean Access Server (from field j) as follows:

Choose your region from the continents and oceans list. Type the number next to your location on the list, such as 2 for the Americas, and press Enter. Type 11 to enter the time zone in Posix TZ format, such as GST-10.

Step 16 country-number

Example:
Please select a country.
 1) Anguilla              18) Ecuador               35) Paraguay
 2) Antigua & Barbuda     19) El Salvador           36) Peru
 3) Argentina             20) French Guiana         37) Puerto Rico
 4) Aruba                 21) Greenland             38) St Kitts & Nevis
 5) Bahamas               22) Grenada               39) St Lucia
 6) Barbados              23) Guadeloupe            40) St Pierre & Miquelon
 7) Belize                24) Guatemala             41) St Vincent
 8) Bolivia               25) Guyana                42) Suriname
 9) Brazil                26) Haiti                 43) Trinidad & Tobago
10) Canada                27) Honduras              44) Turks & Caicos Is
11) Cayman Islands        28) Jamaica               45) United States
12) Chile                 29) Martinique            46) Uruguay
13) Colombia              30) Mexico                47) Venezuela
14) Costa Rica            31) Montserrat            48) Virgin Islands (UK)
15) Cuba                  32) Netherlands Antilles  49) Virgin Islands (US)
16) Dominica              33) Nicaragua
17) Dominican Republic    34) Panama
#? 45

The next list that appears shows the countries for the region you chose. Choose your country from the country list, such as 45 for the United States, and press Enter.


Step 17 timezone-number

Example:
Please select one of the following time zone regions.
 1) Eastern Time
 2) Eastern Time - Michigan - most locations
 3) Eastern Time - Kentucky - Louisville area
 4) Eastern Time - Kentucky - Wayne County
 5) Eastern Time - Indiana - most locations
 6) Eastern Time - Indiana - Crawford County
 7) Eastern Time - Indiana - Starke County
 8) Eastern Time - Indiana - Switzerland County
 9) Central Time
10) Central Time - Indiana - Daviess, Dubois, Knox, Martin, Perry & Pulaski Counties
11) Central Time - Indiana - Pike County
12) Central Time - Michigan - Dickinson, Gogebic, Iron & Menominee Counties
13) Central Time - North Dakota - Oliver County
14) Central Time - North Dakota - Morton County (except Mandan area)
15) Mountain Time
16) Mountain Time - south Idaho & east Oregon
17) Mountain Time - Navajo
18) Mountain Standard Time - Arizona
19) Pacific Time
20) Alaska Time
21) Alaska Time - Alaska panhandle
22) Alaska Time - Alaska panhandle neck
23) Alaska Time - west Alaska
24) Aleutian Islands
25) Hawaii
#? 19

If the country contains more than one time zone, the time zones for the country appear.

Choose the appropriate time zone region from the list, such as 19 for Pacific Time, and press Enter.

Step 18 confirmation-number

Example:
The following information has been given:

United States
Pacific Time

Is the above information OK?
1) Yes
2) No
#? 1
Updating timezone information...

Confirm your choices by entering 1, or use 2 to cancel and start over.

Step 19 y-or-n or hh:mm:ss mm/dd/yy

Example:
Current date and time hh:mm:ss mm/dd/yy [11:23:33 08/22/08]: 11:26:33 08/22/08
You entered 11:26:33 08/22/08 Is this correct? (y/n)? [y]

Type and confirm the current date and time, using format hh:mm:ss mm/dd/yy.

Note The time set on the CAS must fall within the creation date/expiry date range set on the CAM’s SSL certificate. The time set on the user machine must fall within the creation date /expiry date range set on the CAS’s SSL certificate.
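The two clock constraints in the note above can be checked before the temporary certificates are generated, so that a skewed CAS or client clock is caught before it shows up as a failed login. The following is an added example, not code from this guide or from Cisco NAC Appliance: it assumes the certificate validity dates are available as notBefore/notAfter strings in the format Python's ssl.getpeercert() returns, and the sample windows and clock readings are constructed.

```python
import ssl

# Constructed sample data (not from the guide): validity windows in the
# "notBefore"/"notAfter" string format that Python's ssl.getpeercert() returns.
CAM_CERT = {"notBefore": "Aug 22 11:26:33 2008 GMT", "notAfter": "Aug 22 11:26:33 2009 GMT"}
CAS_CERT = {"notBefore": "Aug 22 11:30:00 2008 GMT", "notAfter": "Aug 22 11:30:00 2009 GMT"}


def to_epoch(cert_time):
    """Convert an OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' string to seconds since the epoch."""
    return ssl.cert_time_to_seconds(cert_time)


def within_validity(cert, clock):
    """True when the clock reading (same string format) falls inside the certificate window."""
    t = to_epoch(clock)
    return to_epoch(cert["notBefore"]) <= t <= to_epoch(cert["notAfter"])


def check_login_chain(cam_cert, cas_clock, cas_cert, client_clock):
    """Apply the two time constraints from the guide's note.

    The CAS clock must fall inside the CAM certificate's validity window, and the
    user machine's clock must fall inside the CAS certificate's window. Returns a
    list of findings; an empty list means both hops pass the date check.
    """
    findings = []
    if not within_validity(cam_cert, cas_clock):
        findings.append(f"CAS clock {cas_clock} is outside the CAM certificate window "
                        f"{cam_cert['notBefore']} .. {cam_cert['notAfter']}")
    if not within_validity(cas_cert, client_clock):
        findings.append(f"client clock {client_clock} is outside the CAS certificate window "
                        f"{cas_cert['notBefore']} .. {cas_cert['notAfter']}")
    return findings


if __name__ == "__main__":
    # A client whose clock is a year behind fails the second hop even though the CAS is fine.
    for problem in check_login_chain(CAM_CERT, "Aug 22 11:45:36 2008 GMT",
                                     CAS_CERT, "Jan 01 00:00:00 2007 GMT"):
        print("FAIL:", problem)
```

The check is deliberately split into two hops because the guide's note makes them independent: a correct CAS clock does not help an end user whose own machine clock is outside the CAS certificate's window.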


Step 20 <certificate fields>

Example:
You must generate a valid SSL certificate in order to use the Clean Access Server's secure web console.
Please answer the following questions correctly.
Information for a new SSL certificate:
Enter fully qualified domain name or IP: 10.201.217.203
Enter organization unit name: Test
Enter organization name: Cisco Systems
Enter city name: San Jose
Enter state code: California
Enter 2 letter country code: US

Follow the prompts to configure the temporary SSL security certificate that secures the login exchange between the Clean Access Server and untrusted (managed) clients (using field k):

a. For the organization unit name, enter the group within your organization that is responsible for the certificate (for example, Perfigo).

b. For the organization name, type the name of your organization or company for which you would like to receive the certificate (for example, Cisco Systems), and press Enter.

c. Type the name of the city or county in which your organization is legally located (for example, San Jose), and press Enter.

d. Type the two-character state code in which the organization is located (for example, California or NY), and press Enter.

e. Type the two-letter country code (for example, US), and press Enter.

Step 21 y-or-n

Example:
You entered the following:
Domain: 10.201.217.203
Organization unit: Test
Organization name: Cisco Systems
City name: San Jose
State code: California
Country code: US
Is this correct? (y/n)? [y]
Generating SSL Certificate...
CA signing: /root/.tomcat.csr -> /root/.tomcat.crt:
CA verifying: /root/.tomcat.crt <-> CA cert
/root/.tomcat.crt: OK
Done

Confirm the values and press Enter to generate the SSL certificate, or type n to restart.

Step 22 y-or-n

Example:Enable Prelogin Banner Support? (y/n)? [n]

Confirm whether to enable the Pre-login Banner for admin users before they log into the CAS (Release 4.5 and later).

Administrators can specify the text of the Pre-login Banner by enabling this feature on the appliance, logging into the command-line console, and editing the /root/banner.pre file. The text of the Pre-login Banner appears in both the web console interface and the command-line interface when admin users are logging into the CAM/CAS. See the installation chapter of the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5 for details.


Step 23 root-user-password

Example:
For security reasons, it is highly recommended that you change the password for the root user.
** Please enter a valid password for root user as per the requirements below! **

Changing password for user root.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits, and other characters. Minimum of 8 characters and maximum
of 16 characters with characters from all of these classes. Minimum
of 2 characters from each of the four character classes is mandatory.
An upper case letter that begins the password and a digit that ends
it do not count towards the number of character classes used.

Enter new password:
Re-type new password:
passwd: all authentication tokens updated successfully.

Type the root user password for the installed Linux operating system of the CAS (from field l). The root user account is used to access the system over direct/serial/SSH connection.

Starting from Release 4.5, the default root user password (cisco123) is removed, and Cisco NAC Appliance supports Strong Passwords only for root user login. Passwords must be at least 8 characters long and contain at least two characters from each of the following four categories: lower-case letters, upper-case letters, numbers (digits), and special characters (such as !@#$%^&*~).

For example, 1o-9=OnE is a valid password, but the password 10-9=One does not satisfy requirements because it does not contain two characters from each category. For further details, see the “Manage System Passwords” section in the “Administer the CAM” chapter of the Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5.
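The root-password rule quoted above can be pre-checked offline against the same four character classes, which avoids repeated rejected attempts on the serial console. The function below is an added example, not part of this guide or of the appliance's own passwd configuration; it assumes that the "leading upper-case letter and trailing digit do not count" rule is applied by leaving those two characters out of the class tally, and that "other characters" means ASCII punctuation.

```python
import string

# The four character classes named in the guide's root-password rule.
# Assumption: "other characters" is taken to mean ASCII punctuation.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classify(ch):
    """Return the class name of a character, or None if it is in no accepted class."""
    for name, members in CLASSES.items():
        if ch in members:
            return name
    return None


def check_root_password(pw):
    """Return a list of rule violations; an empty list means the password passes.

    Rules, as stated on the CAS console: 8 to 16 characters, at least two from
    each of the four classes, and an upper-case letter at the start or a digit
    at the end does not count towards the class tally.
    """
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append(f"length {len(pw)} outside 8-16")
    if any(classify(c) is None for c in pw):
        problems.append("contains characters outside the four accepted classes")

    # Assumption: the "do not count" rule is implemented by dropping a leading
    # upper-case letter and a trailing digit before counting per-class characters.
    body = pw
    if body and body[0] in CLASSES["upper"]:
        body = body[1:]
    if body and body[-1] in CLASSES["digit"]:
        body = body[:-1]

    counts = {name: 0 for name in CLASSES}
    for c in body:
        name = classify(c)
        if name:
            counts[name] += 1
    for name, n in counts.items():
        if n < 2:
            problems.append(f"only {n} {name} character(s), need 2")
    return problems


if __name__ == "__main__":
    # The two passwords the guide uses as its valid/invalid pair.
    for candidate in ("1o-9=OnE", "10-9=One"):
        result = check_root_password(candidate)
        print(candidate, "OK" if not result else result)
```

Note that "Ab1!cd2@" fails even though it contains two upper-case letters on the face of it: the leading A is excluded by the rule, leaving only one. That is exactly the kind of surprise a pre-check should surface before the console does.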

Step 24 web-console-admin-password

Example:
Please enter an appropriately secure password for the web console admin user.

New password for web console admin:
Confirm new password for web console admin:
Web console admin password changed successfully.

Type the admin user password for the CAS direct access web console (from field m). The CAS web console provides limited CAS-specific settings, and is primarily used to set up High Availability.

Step 25 reboot

Example:
Configuration is complete.
[root@NME-NAC ~]# reboot
Broadcast message from root (ttyS0) (Fri Aug 22 11:45:36 2008):
The system is going down for reboot NOW!
[root@cas-10 ~]#

After the configuration is complete, wait for the prompt, then type reboot to reboot the CAS.

Note If you used service perfigo config to start the configuration utility, you must type service perfigo reboot or reboot and press Enter to reboot the machine after configuration.

The CAS initial configuration is now complete.


Step 26 From CAS: ping cam-ip-address
From CAM (ping CAS eth0 address): ping 10.201.217.203 ...

Ping the CAM from the CAS to verify that the CAM and CAS can ping (route) to each other.

From Web Browser Interfaces

Step 27 https://<CAS IP address>/admin

Type the CAS IP address into the URL/address field of a web browser to verify you can log into the CAS web console. You will need to use the admin user password you configured in Step 24, page 37.

Note Make sure to type “https” and “/admin” in the CAS URL or you will get the end user portal.

Step 28 http://<CAM IP address>/admin

Log into the CAM web console by typing the CAM IP address into the URL/address field of a web browser.

From the CAM web console:

• Add the NAC network module license under Administration > CCA Manager > Licensing as described in Cisco NAC Appliance Service Contract / Licensing Support.

• Add the CAS to the CAM as described in:

Cisco NAC Appliance Configuration Quick Start Guide, or

Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide (applicable to your release)

From the Service-Module Interface

Step 29 Press Control-Shift-6 x.

Close the service-module session and return to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.

From the Host-Router CLI

Step 30 service-module integrated-service-engine slot/0 session clear

Example:
Router# service-module service-engine 1/0 session clear

Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.

Important Notes for SSL Certificates

• You must generate the temporary SSL certificates during the initial configuration of both the CAM and CAS or you will not be able to access your NAC Appliance as an admin or end user.

• Before deploying the CAM or CAS in a production environment, you can obtain a trusted certificate from a Certificate Authority to replace the temporary certificate. A CA-signed certificate for the CAS prevents the security warning when end users log in, and a CA-signed certificate for the CAM prevents the admin web login security warning.

• Make sure to synchronize the time on the CAM and CAS via the web console interface before regenerating a temporary certificate on which a Certificate Signing Request (CSR) will be based. For further details see the “Set System Time” and “Manage SSL Certificates” sections of the CAM and CAS guides.

How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module

This section contains the following information:

• Shutting Down and Starting Up Cisco NAC Network Module, page 39

• Verifying System Status, page 41

• Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42

• Re-Installing Cisco NAC Network Module Software, page 48

Note • The tables in these sections show only common router and network module commands.

– To view a complete list of available commands, type ? at the prompt (Example: Router(config-if)# ?).

– To view a complete list of command keyword options, type ? at the end of the command (Example: Router# service-module integrated-service-engine ?).

• The tables group commands by the configuration mode in which they are available. If the same command is available in more than one mode, it may act differently in each mode.

Shutting Down and Starting Up Cisco NAC Network Module

To shut down or start up the Cisco NAC network module or the Clean Access Server application that runs on the module, use commands as needed from the following list of common router and network module commands (Table 6).

Note • Some shutdown commands can potentially disrupt service. If command output for such a command displays a confirmation prompt, confirm by pressing Enter or cancel by typing n and pressing Enter. Alternatively, prevent the prompt from displaying by using the no-confirm keyword.

• Some commands shut the module or application down and then immediately restart it.


Table 6 Common Shutdown and Startup Commands

Configuration Mode Command Purpose

Router# service-module integrated-service-engine slot/0 reload

(Preferred) Shuts down the network module operating system gracefully, allowing services to execute their shutdown process, then restarts the network module from the bootloader.

This command is similar to executing a reboot from the network module’s Linux console.

Note If reload executes, there is no need to use the reset command.

Router# service-module integrated-service-engine slot/0 reset

(Ungraceful) Resets the hardware on a module via a hardware reset line. This command should only be used to recover from shutdown or a failed state.

Caution Never issue reset before reload.

This command is similar to pressing the reset button on a Linux box; it does not allow services to execute their shutdown process.

Router# service-module integrated-service-engine slot/0 session

Accesses the specified service engine and begins a network module configuration session.

Router# service-module integrated-service-engine slot/0 shutdown

Shuts down the network module operating system gracefully. Use when removing or replacing a hot-swappable module during online insertion and removal (OIR).

Router# service-module integrated-service-engine slot/0 status

Displays configuration and status information for the network module hardware and software.

ServicesEngine boot-loader> boot helper | chainloader

Starts the boothelper or bootloader.

ServicesEngine boot-loader> reboot

Shuts down the NAC network module without first saving configuration changes, then reboots it from the bootloader.


Verifying System Status

To verify the status of an installation, upgrade, or downgrade, or to troubleshoot problems, use commands as needed from the following list of common router and network module commands (Table 7).

Note Many show commands include keyword options that display diagnostic output on your screen or pipe it to a file or a URL.

Table 7 Common Verification and Troubleshooting Commands

Configuration Mode Command Purpose

Router# ping Pings a specified IP address to check network connectivity (does not accept a hostname as destination).

Router# show arp Displays the current Address Resolution Protocol (ARP) table.

Router# show clock Displays the current date and time.

Router# show configuration Displays the current bootloader configuration as entered by means of the configure command.

Router# show controllers Displays interface debug information.

Router# show diag Displays standard Cisco IOS diagnostics information, including information about NAC.

Router# show hardware Displays information about network module and host-router hardware.

Router# show hosts Displays the default domain name, style of name lookup, list of name-server hosts, and cached list of hostnames and addresses.

Router# show interfaces Displays information about all hardware interfaces, including network and disk.

Router# show interfaces integrated-service-engine slot/0 Displays information about the module side of the router-module interface.

Router# show ntp status Displays information about Network Time Protocol (NTP).

Router# show processes Displays a list of the running application processes.

Router# show running-config Displays the configuration commands that are in effect.

Router# show startup-config Displays the startup configuration.

Router# show tech-support Displays general information about the host router that is useful to Cisco technical support for problem diagnosis.


Table 7 Common Verification and Troubleshooting Commands (continued)

Configuration Mode Command Purpose

Router# show version Displays information about the loaded router, software or network module bootloader version, and also hardware and device information.

ServicesEngine boot-loader> ping Pings a specified IP address to check network connectivity (does not accept a hostname as destination).

ServicesEngine boot-loader> show config Displays the startup configuration stored in flash memory.

Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module

To upgrade the Cisco NAC Network Module to the latest supported Cisco NAC Appliance release, a single product upgrade file (cca_upgrade-<version>.tar.gz) is uploaded and applied to the CAS. This section describes the following upgrade procedures:

• CAS Upgrade via CLI, page 42

• CAS Upgrade via Web Console, page 47

Note Clean Access Manager/Server appliances and Cisco NAC Network Modules in your deployment must all run the same version of the Cisco NAC Appliance software.

Note Release 4.1.2.1 is the minimum mandatory version for all appliances, and is required to support HA-CAS pairs. Refer to Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for the latest compatibility details.

Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

See Restrictions for Cisco NAC Network Module, page 5 for additional information.

CAS Upgrade via CLI

You can upgrade the CAS on your NAC network module by using the command line upgrade procedure described in this section.


Note If upgrading to Cisco NAC Appliance Release 4.5 or later, you must use the command line upgrade procedure only.

SUMMARY STEPS

From the Host-Router CLI

1. enable

2. service-module integrated-service-engine slot/0 status

3. service-module integrated-service-engine slot/0 session

From the Service-Module Interface

4. Perform the upgrade procedure described in DETAILED STEPS (CAS UPGRADE), page 44.

5. Control-Shift-6 x

From the Host-Router CLI

6. service-module integrated-service-engine slot/0 session clear


DETAILED STEPS (CAS UPGRADE)

Command or Action Purpose

Step 1 a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.

c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, “Cisco NAC Appliance Software <version>.”

d. Locate the product upgrade (.tar.gz) file for the applicable version:

• cca_upgrade-<version>.tar.gz

• nme-nac-upgrade-<version>-from-4.6.x.tar.gz (for upgrading from 4.6(1) to 4.8(x))

• cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz (for upgrading from 4.8 to 4.8(x))

• nme-nac-upgrade-<version>-from-4.8.x.tar.gz (for upgrading from 4.8(x) to 4.9)

• nme-nac-upgrade-<version>-from-4.8.x-4.9.x.tar.gz (for upgrading from 4.8(x) or 4.9(x) to 4.9(1) or 4.9(2))

e. Download and save this file to a local machine that can access the NAC network module over the network.

Note For Release 4.5, the upgrade file name is cca_upgrade-4.5.0-NO-WEB.tar.gz

Download the Cisco NAC Appliance product upgrade file.

From the Service-Module Interface

Step 2 root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

From the network module prompt, log into the Clean Access Server Configuration Utility as the root user to access the command line of the CAS.

Step 3 cat /perfigo/build

Example:
[root@cas128 ~]# cat /perfigo/build
VERSION=4.1.2.1
NAME=Clean Access Server
DATE=2007/09/07

Verify the current Cisco NAC Appliance software version on the CAS.
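The version checks that this section spreads over Step 1 and the notes at its start can be folded into one pre-flight check run against the output of cat /perfigo/build, so that an unsupported upgrade path is refused before any package is copied to /store. This is an added example, not code from this guide or from Cisco: the build-file samples are the ones shown in Step 3 and Step 9 of this procedure, the upgrade-path rules and file names are transcribed from the file list in Step 1 and the release notes above, and the assumption that newer build files expose the version only through a BUILD_TAG of the form NAC-x_y_z-... is mine.

```python
import re

MINIMUM_RELEASE = (4, 1, 2, 1)  # "minimum mandatory version for all appliances"

# Sample build files, as printed by `cat /perfigo/build` in Step 3 and Step 9 of the guide.
BUILD_4121 = "VERSION=4.1.2.1\nNAME=Clean Access Server\nDATE=2007/09/07\n"
BUILD_450 = ("NAME=Clean Access Server\nDATE=2008/10/20\nAUTHOR=rachnar\n"
             "BUILD_TAG=NAC-4_5_0-RC9\nBUILD_INFO=Experimental\nBUILT_ON=mercury\nREBUILD_COUNT=0\n")


def parse_version(text):
    """'4.1.2.1' -> (4, 1, 2, 1), so that tuple comparison orders releases correctly."""
    return tuple(int(p) for p in text.strip().split("."))


def parse_build(build_text):
    """Read the KEY=VALUE lines of /perfigo/build and return the running version.

    Older builds carry VERSION=...; the 4.5 sample has no VERSION line, so fall
    back to BUILD_TAG (assumption: it always looks like NAC-4_5_0-RC9).
    """
    fields = {}
    for line in build_text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "VERSION" in fields:
        return parse_version(fields["VERSION"])
    m = re.search(r"NAC-(\d+(?:_\d+)+)", fields.get("BUILD_TAG", ""))
    if not m:
        raise ValueError("no VERSION or BUILD_TAG line in /perfigo/build")
    return parse_version(m.group(1).replace("_", "."))


def upgrade_plan(build_text, target):
    """Return (supported, upgrade_file, reason) for moving this CAS to `target`.

    The rules are the ones the guide states: 4.1.2.1 minimum; 4.8 only from 4.6(1)
    or another 4.8; 4.9 only from 4.8(x) (4.9(1)/4.9(2) also from 4.9(x));
    Release 4.5 ships as the NO-WEB package; 4.5 and later are CLI-upgrade only.
    """
    cur = parse_build(build_text)
    tgt = parse_version(target)
    if cur < MINIMUM_RELEASE:
        return False, None, "Release 4.1.2.1 is the minimum mandatory version"
    if tgt[:2] == (4, 8):
        if cur[:3] == (4, 6, 1):
            return True, f"nme-nac-upgrade-{target}-from-4.6.x.tar.gz", "4.6(1) to 4.8(x)"
        if cur[:2] == (4, 8):
            return True, f"cca_upgrade-{target}-from-4.7.x-4.8.x.tar.gz", "4.8 to 4.8(x)"
        return False, None, "Release 4.8 installs fresh or upgrades from 4.6(1) only"
    if tgt[:2] == (4, 9):
        if len(tgt) > 2 and tgt[2] in (1, 2) and cur[:2] in ((4, 8), (4, 9)):
            return True, f"nme-nac-upgrade-{target}-from-4.8.x-4.9.x.tar.gz", "4.8(x) or 4.9(x) to 4.9(1)/4.9(2)"
        if cur[:2] == (4, 8):
            return True, f"nme-nac-upgrade-{target}-from-4.8.x.tar.gz", "4.8(x) to 4.9"
        return False, None, "Release 4.9(x) installs fresh or upgrades from 4.8(x) only"
    if tgt[:3] == (4, 5, 0):
        return True, "cca_upgrade-4.5.0-NO-WEB.tar.gz", "CLI upgrade only; web upgrade unsupported from 4.5"
    if tgt >= (4, 5):
        return True, f"cca_upgrade-{target}.tar.gz", "CLI upgrade only; web upgrade unsupported from 4.5"
    return True, f"cca_upgrade-{target}.tar.gz", "CLI or web console upgrade"


if __name__ == "__main__":
    for build, target in ((BUILD_4121, "4.5.0"), (BUILD_450, "4.8.0")):
        print(parse_build(build), "->", target, upgrade_plan(build, target))
```

Run it on the live build file with upgrade_plan(open("/perfigo/build").read(), "4.9.1") before downloading anything; a False result means the guide's notes call for a fresh installation via the re-imaging procedure rather than an upgrade package.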


Step 4 Copy the upgrade file to /store directory of the CAS.

Example:If using WinSCP or SSH File Transfer:

a. Copy cca_upgrade-<version>.tar.gz to the /store directory of the CAS.

If using PSCP:

a. Open a command prompt on your Windows computer.

b. cd to the path where your PSCP resides (e.g., C:\Documents and Settings\desktop).

c. Enter the following command to copy the file to the CAS (copy to each CAS):

pscp cca_upgrade-4.5.0-NO-WEB.tar.gz root@ipaddress_server:/store

Copy the upgrade file to the /store directory of the CAS using WinSCP, SSH File Transfer or PSCP.

Step 5 cd /store
ls

Example:
[root@cas128 ~]# cd /store
[root@cas128 store]# ls
cca_upgrade-4.5.0-NO-WEB.tar.gz

On the CAS, change directory to /store and verify the upgrade package is there.

Step 6 tar zxf cca_upgrade-<version>.tar.gz
ls

Example:
[root@cas128 store]# tar xzf cca_upgrade-4.5.0-NO-WEB.tar.gz
[root@cas128 store]# ls
cca_upgrade-4.5.0  cca_upgrade-4.5.0-NO-WEB.tar.gz  upload
[root@cas128 store]#

Extract the contents of the upgrade file.


Step 7 cd cca_upgrade-<version>
./UPGRADE.sh

Example:
[root@cas128 store]# cd cca_upgrade-4.5.0
[root@cas128 cca_upgrade-4.5.0]# ls
agent-version.sh          checksum.txt      notes.html    version.sh
cam-4.5.x-upgrade.sh      checksum.txt.sig  RPMS
cas-4.5.x-upgrade.sh      dmidecode         showstate.sh
cca_upgrade-4.1.6.tar.gz  initrd.img        UPGRADE.sh
[root@cas128 cca_upgrade-4.5.0]# ./UPGRADE.sh
...stopping CCA Server...
BaseAgent process stopped!
Stopping DHCP...
In Maintenance Mode...

Welcome to the CCA Server migration utility.

...Upgrading to newer rpms of 4.5.0...done.

...Upgrading CCA files... done
Clearing Tomcat cache...
checking ssl configuration...done.
[root@cas128 cca_upgrade-4.5.0]#

Change to the cca_upgrade-<version> directory under /store and execute the upgrade process.

Step 8 reboot

Example:
[root@cas128 cca_upgrade-4.5.0]# reboot

Broadcast message from root (pts/0) (Tue Oct 21 18:49:00 2008):

The system is going down for reboot NOW!
[root@cas126 cca_upgrade-4.5.0]#

Reboot the CAS after the upgrade is complete.

Step 9 cat /perfigo/build

Example:
[root@cas128 ~]# cat /perfigo/build
NAME=Clean Access Server
DATE=2008/10/20
AUTHOR=rachnar
BUILD_TAG=NAC-4_5_0-RC9
BUILD_INFO=Experimental
BUILT_ON=mercury
REBUILD_COUNT=0

Verify the new build after the CAS reboot.

Step 10 Press Control-Shift-6 x. Close the service-module session and return to the router CLI.

Note The service-module session stays up until you clear it in the next step. While it remains up, you can return to it from the router CLI by pressing Enter.


CAS Upgrade via Web Console

If upgrading the CAS on your NAC network module to Cisco NAC Appliance Release 4.1(6) or earlier only, you can use the same web upgrade procedure used to upgrade standalone CAS appliances as described in the “Upgrading” section of the applicable Release Notes for Cisco NAC Appliance.

Note Cisco NAC Appliance Release 4.5 (and later) does not support web upgrade. Refer to the Release Notes for Cisco NAC Appliance, Release 4.5 for details.

CAS Web Upload

• If upgrading to Release 4.1.6 or earlier and the upgrade file is uploaded via CAS web upload on a 4.1.6 or earlier CAS, it is placed in /store/upload. The web uploaded file will also have a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz).

• If Release 4.5 is already installed and an upgrade file is uploaded via CAS web upload on a 4.5 CAS, it is placed in /store for Release 4.5 and later. The web uploaded file also has a randomly-generated numeric code appended to the .tar.gz file (e.g. cca_upgrade-<version>.tar<digit code>.gz).

• If upgrading from Release 4.1.x to Release 4.5, web upload of upgrade files to the CAS is not supported.

• If upgrading from Release 4.6(1) to Release 4.8(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.6.x.tar.gz

• If upgrading from Release 4.8 to Release 4.8(x), the web uploaded file is cca_upgrade-<version>-from-4.7.x-4.8.x.tar.gz

• If upgrading from Release 4.8(x) to Release 4.9(x), the web uploaded file is nme-nac-upgrade-<version>-from-4.8.x.tar.gz


Note Cisco NAC Appliance Release 4.8 supports fresh installation of Release 4.8 or upgrade from Release 4.6(1) to Release 4.8 only.

Note Cisco NAC Appliance Release 4.9(x) supports fresh installation of Release 4.9(x) or upgrade from Release 4.8(x) to Release 4.9(x) only.

From the Host-Router CLI

Step 11 service-module integrated-service-engine slot/0 session clear

Example:Router# service-module service-engine 1/0 session clear

Clear the service-module session for the specified module. When prompted to confirm this command, press Enter.


Re-Installing Cisco NAC Network Module Software

By default, the Cisco NAC Network Module is preconfigured to load the operating system and Clean Access Server software from the onboard flash. In most cases, the administrator will only need to perform the initial Clean Access Server configuration of the network module, then can use the normal Cisco NAC Appliance upgrade procedure to later upgrade the software on the module. See Configuring and Administering Cisco NAC Appliance, page 53 for additional information.

If the machine is corrupt or cannot be booted, you can interrupt and change the boot process (by entering ***) in order to reimage the entire system. This process requires downloading the boot helper and image files separately from the Cisco Secure Software site, and configuring a TFTP server so that the boot helper can be loaded onto the network module from the network.

In this case, two items of boot software may be used:

• Bootloader—A small set of system software that runs when the system first powers up. In normal operation, it automatically loads the operating system from compact flash, which in turn loads and runs the Clean Access Server application. In case of disaster recovery, the bootloader process can optionally be interrupted and reconfigured to load the boot helper from the network via a TFTP server.

• Boothelper—A small subset of the system software that runs on the module. It boots the module from the network and assists in disaster recovery and other operations when the module cannot access its software.

This section contains the following information:

• Re-Imaging the Network Module, page 48

• Running Clean Access Server Software Configuration Utility, page 31

• Shutting Down and Starting Up Cisco NAC Network Module, page 39

Re-Imaging the Network Module

Re-installing the network module involves installing, configuring, and starting a boothelper image. The boothelper, in turn, starts the Cisco NAC Appliance software installation on the NAC network module and brings up the Clean Access Server Configuration Utility which will prompt you through the configuration of the CAS.

Prerequisites

• Have available the IP address of your TFTP file server.

SUMMARY STEPS

From the Host-Router CLI

1. Download the required software.

2. service-module integrated-service-engine slot/0 reset

3. service-module integrated-service-engine slot/0 session, ***

From the Service-Module Interface

4. config

5. show config


6. boot helper

7. Follow boothelper instructions for installing software.

8. Control-Shift-6 x

From the Host-Router CLI

9. service-module integrated-service-engine slot/0 session clear

DETAILED STEPS

Command or Action Purpose

Step 1 a. Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

b. Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance.

c. Navigate to the appropriate release folder (4.1.2.1 or later), for example, “Cisco NAC Appliance Software <version>.”

d. Locate the NME-NAC image files for the applicable version:

• nme-nac-helper-<version>-K9

• nme-nac-install-<version>-K9.img

e. Place these files on your TFTP file server.

Download the Cisco NAC Network Module installation-package files (boothelper image and installation image).

Note If NME-NAC images are not available for a specific minor release, you can install the latest available image for the major version, and use the CAS upgrade procedure to upgrade the Cisco NAC Network Module to the minor release. For more information, refer to Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42.

From the Host-Router CLI

Step 2 enable

Example:Router> enable

Enter privileged EXEC mode on the host router. Enter your password if prompted.

Step 3 service-module integrated-service-engine slot/0 reset

Example:Router# service-module integrated-service-engine 1/0 reset

After the download completes, reset the system.

Step 4 service-module integrated-service-engine slot/0 session
***

Example:
Router# service-module integrated-service-engine 1/0 session
***

If the reset does not automatically do so, open a session and quickly type *** to interrupt the auto-boot sequence and access the bootloader.


From the Service-Module Interface

Step 5 config

Example:
ServicesEngine boot-loader> config

IP Address [10.201.243.18] >
Subnet mask [255.255.255.240] > 255.255.255.240
TFTP server [10.201.210.15] >
Gateway [10.201.243.17] > 10.201.243.17
Default Helper-file [nme-nac-helper-4.5_0-K9] > nme-nac-helper-4.5_0-K9
Ethernet interface [external|internal] [internal] > internal
External interface media [copper|fiber] [copper] > copper
Debug Statements [enable|disable] [disabled] >
Default Boot [none|disk|compactflash|chainloader] [chainloader] >
Default bootloader [primary|secondary] [primary] > primary

Updating flash with bootloader configuration: 1
Please wait ................done.

Configure the bootloader to load and launch the boothelper.

Prompts to configure the bootloader interface appear in the order listed. For each, enter a value or accept the previously stored input that appears inside square brackets by pressing Enter.

• IP address— Service module address or the trusted interface (eth0) address of your NAC network module

• Subnet mask—eth0 netmask of your NAC network module

• TFTP server— TFTP file-server IP address

• Gateway—Gateway-router IP address (normally the IP address for the ISR). The configured IP address your ISR uses to communicate with your NAC network module.

• Default Helper-file—Default boothelper image filename: nme-nac-helper-<version>-K9

• Ethernet interface: internal or external— Choose internal for NAC network module

• External interface media— Choose copper for NAC network module

• Debug Statements—Leave as disabled (default)

• Default Boot —Choose chainloader as the default boot option for NAC network module

• Default bootloader— Choose primary as the default bootloader file to be used on subsequent boot for NAC network module

Step 6 show config

Example:
ServicesEngine boot-loader> show config

(Optional) Verify your bootloader configuration settings.

Step 7 boot helper

Example:
ServicesEngine boot-loader> boot helper

After the new configuration has been written to flash, start the boothelper from the bootloader prompt.


Step 8 1

Example:
Welcome to the NME-NAC Installer
1 Install everything
2 Install compact flash only
3 Verify Install
4 Root shell
5 Reboot
Please select install option: 1
Creating partitions with fdisk...

Follow the boothelper instructions. The helper presents the following options:

1. Install everything

2. Install compact flash only

3. Verify Install

4. Root shell

5. Reboot

Enter 1 to install everything.

Step 9 (Virtual Gateway only) eth0 IP address, subnet mask, default gateway

Example:
Please enter the IP address for the interface eth0: 10.201.243.18
You entered 10.201.243.18 Is this correct? (y/n)? [y]

Please enter the netmask for the interface eth0: 255.255.255.240
You entered 255.255.255.240, is this correct? (y/n)? [y]

Please enter the IP address for the default gateway: 10.201.243.17
You entered 10.201.243.17 Is this correct? (y/n)? [y]

Creating partitions with fdisk...

If you are installing on a previously configured Virtual Gateway system, you are additionally asked for the eth0 IP address, netmask, and default gateway.

Step 10 nme-nac-install-<version>-K9.img

Example:
Please enter the Image name: nme-nac-install-4.5_0-K9.img
You entered nme-nac-install-4.5_0-K9.img Is this correct? (y/n)? [y]

After partitioning and formatting the hard disk, the helper asks two more questions: the image name and the TFTP server address.

Type the image name (for example, nme-nac-install-<version>-K9.img) and press Enter. Confirm that it is correct by typing y and pressing Enter.

Step 11 TFTP server IP address

Example:
Please enter the IP address for the tftp server: 10.201.210.15
You entered 10.201.210.15 Is this correct? (y/n)? [y]

Transferring Image now
Done!
Success!

Type the IP address of your TFTP server and confirm that it is correct by typing y and pressing Enter.

The helper then transfers the image. The image is large and the transfer takes a long time. After the image is transferred, the helper displays status as the RPMs are installed. Note that TFTP carries the image in the clear, with no client authentication and no integrity protection of its own, so keep the TFTP server on a trusted management network and verify the image files on the server before serving them.


Step 12 Press Enter

Example:
Press enter to reboot

At the reboot prompt, press Enter; the NAC network module reboots.

Step 13 root

Example:
Fedora Core release 4 (Stentz)
Kernel 2.6.11-perfigo on an i686
NME-NAC login: root

At the next boot, the network module login prompt appears. Log in as root.

The standard Clean Access Server Configuration Utility questions are then asked. Follow the instructions in Running Clean Access Server Software Configuration Utility, page 31 to complete the CAS configuration.

Step 14 reboot

After completing the Configuration Utility, reboot the NAC network module at the prompt. When the module comes back up, the NAC network module installation is complete.

Step 15 Control-Shift-6 x

Close the session by pressing Control-Shift-6, then x.

From the Host-Router CLI

Step 16 service-module integrated-service-engine slot/0 session clear

Example:
Router# service-module integrated-service-engine 1/0 session clear

From the host-router CLI, clear the session to the module.
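Step 1 downloads the boothelper and install image, and Step 11 pulls them onto the module over TFTP, which (as the glossary notes) carries no client authentication. The following POSIX shell script is an added example and is not part of the Cisco guide: it checks each file's SHA-256 digest against a value the operator records from the Cisco download page, and only then copies the file into the TFTP root with owner-only write permission. The digest values, the TFTP root path /var/lib/tftpboot and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): verify the NME-NAC boothelper and
# install image before placing them in the TFTP root.
# TFTP (Step 11) transfers the image with no authentication and no integrity
# check, so the server side is the only place the bits can be verified.
# The expected digests are assumed to come from the Cisco download page.

# sha256_of FILE -> hex digest; works with GNU coreutils or BSD/macOS userlands.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_image FILE EXPECTED_SHA256 -> 0 if the digest matches, 1 otherwise.
verify_image() {
    file=$1
    expected=$2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    return 0
}

# stage_image FILE EXPECTED_SHA256 TFTP_ROOT -> 0 on success, 1 on failure.
# Copies FILE into TFTP_ROOT only after the digest checks out, and leaves it
# world-readable but writable only by the owner, because tftpd serves the
# directory to any client that can reach it.
stage_image() {
    file=$1
    expected=$2
    root=$3
    verify_image "$file" "$expected" || return 1
    mkdir -p "$root" || return 1
    cp "$file" "$root/$(basename "$file")" || return 1
    chmod 0644 "$root/$(basename "$file")" || return 1
    return 0
}

# Usage on the TFTP server, with the filenames from the guide and operator-
# supplied digests (HELPER_SHA256 and IMAGE_SHA256 are assumed variables):
#   stage_image nme-nac-helper-4.5_0-K9      "$HELPER_SHA256" /var/lib/tftpboot
#   stage_image nme-nac-install-4.5_0-K9.img "$IMAGE_SHA256"  /var/lib/tftpboot
```

Run the staging step on the TFTP server before resetting the module in Step 3. A mismatched or missing file returns a non-zero status and nothing is copied, so a truncated or tampered download never reaches the boothelper.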


Configuring and Administering Cisco NAC Appliance

For comprehensive Cisco NAC Appliance configuration information, refer to the applicable version of the following guides:

• Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide

• Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Technical Assistance

Cisco Technical Support & Documentation website: http://www.cisco.com/techsupport

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

Cisco Feature Navigator website: http://www.cisco.com/go/cfn

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. An account on Cisco.com is not required.

Cisco Software Center website: Log in to the Cisco Software Download Site at http://www.cisco.com/public/sw-center/index.shtml. You will likely be required to provide your CCO credentials.

Navigate to Security > Endpoint Security > Cisco Network Access Control > Cisco NAC Appliance to download software for Cisco NAC Appliance.


Documentation

Table 8 Updates to this Guide

Date Description

11/27/12 Updates (for 4.9(x)):

• Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42

• Restrictions for Cisco NAC Network Module, page 5 (Added restriction on upgrading from 4.8(x) to 4.9(x))

9/23/10 Updates (for 4.9):

• Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42

• Restrictions for Cisco NAC Network Module, page 5 (Added restriction on upgrading from 4.8(x) to 4.9)

7/26/10 Updates (for 4.8):

• Router, page 3 (Added Routers supported by Cisco NAC Appliance Release 4.8)

• Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42

• Restrictions for Cisco NAC Network Module, page 5 (Added restriction on upgrading from 4.6(1) to 4.8)

10/3/08 and 9/25/08 Updates (for 4.5):

• Network Module, page 4

• Restrictions for Cisco NAC Network Module, page 5 (added WOOB note)

• How to Operate, Maintain, and Troubleshoot Cisco NAC Network Module, page 39 (added link to upgrade section)

• Upgrading Cisco NAC Appliance Software on the Cisco NAC Network Module, page 42 (moved and updated section)

• Re-Installing Cisco NAC Network Module Software, page 48 (step 1)

6/11/08 Updates:

• Updated Restrictions for Cisco NAC Network Module, page 5 with notes for 4.1.2.1

• Corrected section CAS VLAN Mapping Form (Disable VLAN Mapping/VLAN Pruning), page 13

• Updated step 1 of Re-Installing Cisco NAC Network Module Software, page 48.

• Added section Configuring and Administering Cisco NAC Appliance, page 53.

• Updated boilerplate and hypertext links

11/02/07 Minor updates/corrections

8/22/07 Cisco NAC Network Module (NME-NAC-K9) release


Related Documents

Cisco NAC Appliance: For the latest updates to Cisco NAC Appliance documentation on Cisco.com, visit www.cisco.com/go/nac/appliance. Refer to the document versions that correspond to the release you are running on your machines.

Data sheets: Cisco NAC Appliance; Cisco NAC Network Module for Integrated Services Routers

Ordering guide: Cisco NAC Appliance Ordering Guide

Licensing: Cisco NAC Appliance Service Contract / Licensing Support

System requirements: Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access)

Supported switches (OOB): Switch Support for Cisco NAC Appliance

Release notes: Release Notes for Cisco NAC Appliance (Cisco Clean Access) (Version 4.1(2) or later)

Configuration guides: Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide; Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide

Appliance hardware (MANAGER/SERVER): Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1

Network module: Getting Started with Cisco NAC Network Modules in Cisco Access Routers (this guide); Installing Cisco Network Modules in Cisco Access Routers at http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/InstNetM.html; Connecting Cisco Network Admission Control Network Modules at http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/nacnm.html

Additional Cisco Documentation

Cisco IOS software: Cisco IOS Software website at http://www.cisco.com/en/US/products/sw/iosswrel/tsd_products_support_category_home.html

Voice and IP communications: Cisco Voice and IP Communications website at http://www.cisco.com/en/US/products/sw/voicesw/tsd_products_support_category_home.html

Tip To ensure that you are displaying the most current information on the Cisco.com website, force your browser to refresh by pressing Ctrl-F5.

To narrow your Cisco.com search to technical documents, from the Cisco.com home page on the upper right under the Search box, click Advanced Search > Technical Support & Documentation and enter your search criteria.

To provide feedback about the Cisco.com website or a particular technical document, from the top of any Cisco.com web page, click Feedback.


Glossary

blade Alternate term for network module.

boothelper A small subset of the system software that runs on the module. It boots the module from the network and assists in software installation and upgrades, disaster recovery, and other operations when the module cannot access its software.

bootloader A small set of system software that runs when the system first powers up. It loads the operating system (from the disk, network, external compact flash, or external USB flash), which loads and runs the NAC application. The bootloader may optionally load and run the boothelper.

CAM Clean Access Manager

The policy configuration server and management database for Cisco NAC Appliance deployment. The Clean Access Manager can manage from 1 to 40 Clean Access Servers in a deployment.

CAS Clean Access Server

The policy enforcement server to which end users connect in Cisco NAC Appliance deployments. The Clean Access Server is managed by the Clean Access Manager.

CCA Cisco Clean Access (also known as Cisco NAC Appliance software)

Cisco NAC Appliance Cisco Network Admission Control solution

Cisco NAC Network Module

NME-NAC-K9 network module for Cisco Integrated Services Routers 2811, 2821, 2851, 3825, and 3845. In addition, Cisco NAC Appliance Releases 4.8 and later support Cisco Integrated Services Routers 2911, 2921, 2951, 3925, and 3945. The Cisco NAC Network Module is a Clean Access Server (CAS) platform for 50 or 100 users.

Cisco NAC-3300 Series Appliances

Cisco NAC Appliance hardware appliance platforms for the Clean Access Manager and Clean Access Server:

• NAC-3310 SERVER

• NAC-3350 SERVER

• NAC-3310 MANAGER

• NAC-3350 MANAGER

• NAC-3390 MANAGER (Super Manager)

service (or services) engine

Alternate term for network module with installed application software.

service module Standalone content engine with its own startup and run-time configurations that are independent of the Cisco IOS configuration on the router.

TFTP Trivial File Transfer Protocol. Simplified version of FTP that allows files to be transferred from one computer to another over a network, usually without the use of client authentication (for example, username and password).

Note For terms not included in this glossary, see the following references:

• Cisco IOS Voice Configuration Library Glossary

• Internetworking Terms and Acronyms

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.
