Table Of Contents
Installation and Initial Configuration
Cisco NAC Profiler Collector/Server Hardware Summary
Cisco NAC Profiler Server Front/Rear Panels
Installing the Cisco NAC Profiler Server
Configure a Standalone Cisco NAC Profiler Server
Collect Necessary Configuration Data
Initial System Startup—Set Passwords
Configure Network Management Interface: IP Address, Net Mask and Default Gateway and Name Server
Configure the Operational Parameters of NAC Profiler Server
Configure a Cisco NAC Profiler Server HA Pair
Collect Necessary Configuration Data
Configure the Secondary Cisco NAC Profiler Server of the HA Pair
Configure Network Management Interface: IP Address, Net Mask, Default Gateway, Name Server
Configure the Operational Parameters of the Cisco NAC Profiler Server
Configure the Primary Cisco NAC Profiler Server of the HA Pair
Run the Subscribe Script on the Secondary Appliance
Configuring the Collector on the Clean Access Server
Enable the Collector Service on the CAS
CLI Commands for Cisco NAC Profiler
Installation and Initial Configuration
This chapter contains the following sections:
•Cisco NAC Profiler Collector/Server Hardware Summary
•Installing the Cisco NAC Profiler Server
•Configure a Standalone Cisco NAC Profiler Server
•Configure a Cisco NAC Profiler Server HA Pair
•Configuring the Collector on the Clean Access Server
Cisco NAC Profiler Collector/Server Hardware Summary
There are two primary components for Cisco NAC Profiler:
Note For complete details on ordering and licensing, refer to Cisco NAC Appliance Service Contract / Licensing Support at http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html.
Cisco NAC Profiler Collector
The Cisco NAC Profiler Collector is a distributed component that resides on the Cisco NAC Appliance SERVER (Clean Access Server) and communicates with the Cisco NAC Profiler Server. There is one Collector per Clean Access Server (CAS). The Collector gathers information about endpoints using SNMP, Netflow, DHCP, and active profiling. The Collector is co-resident with the Clean Access Server starting from Cisco NAC Appliance release 4.1.2 and later, and requires the following to function:
•A Collector license must be obtained and installed on the Cisco NAC Profiler Server. Refer to Cisco NAC Appliance Service Contract/Licensing Support for details on how to obtain and install product licenses for Cisco NAC Profiler.
•The Collector must be initially configured and enabled via the CAS CLI as described in Configuring the Collector on the Clean Access Server.
Table 4-1 summarizes the specifications for each Clean Access Server hardware platform and the number of endpoints supported when the Collector is enabled on the CAS.
Table 4-1 Cisco NAC Appliance Server Hardware Summary and Collector Support
Clean Access Server Platform | Number of Hosts Supported (1): Users/Endpoints | Number of Hosts Supported (1): Endpoints Only
NAC-3310 (2)(3) | 100/100 | 200
NAC-3310 (2)(3) | 250/250 | 500
NAC-3310 (2)(3) | 500/500 | 1000
NAC-3350 (4) | 1500/1500 | 3000
NAC-3350 (4) | 2500/2500 | 5000
NAC-3350 (4) | 3500/3500 | 7000
1 Cisco NAC Profiler Collector licensing has a 1:1 or 2:1 relationship to Clean Access Server user limits in a Cisco NAC Appliance deployment, depending on whether posture assessment is used. For example, a 2500-user CAS can support 2500 users and 2500 Collector endpoints, or up to 5000 Collector endpoints-only if there is no posture assessment.
2 NAC-3310 is subject to firmware/BIOS upgrade for HP ProLiant DL140 G3. See the "Upgrading Firmware" section of the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1.
3 NAC-3310 platform supports iLO (Lights Out 100i Remote Management). The default iLO "Administrator" account has default username/password: admin/admin. Defaults can be changed through the BIOS setup.
4 NAC-3350 platform supports iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.
Note For further details on NAC Appliance hardware platforms refer to the Cisco NAC Appliance Hardware Installation Quick Start Guide, Release 4.1 available under http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html.
Cisco NAC Profiler Server
The Cisco NAC Profiler Server is an appliance that aggregates and classifies data from Collectors and manages a database of endpoint information. The Cisco NAC Profiler Server updates the Cisco NAC Appliance Manager (Clean Access Manager) device filter list to place endpoints into appropriate access Roles. The Cisco NAC Profiler Server can communicate with multiple Collectors on multiple Clean Access Servers, and can support up to a maximum of 40,000 endpoints. There is one Profiler Server for each CAM, as the Profiler Server has a 1:1 relation with the Clean Access Manager (CAM) in a Cisco NAC Appliance deployment.
Configuration of the Profiler Server
Table 4-2 summarizes the hardware specifications for the Cisco NAC Profiler Server.
Table 4-2 Cisco NAC Appliance Hardware Summary
Cisco NAC Profiler Server Platform: NAC-3350 (1)
Hardware Specifications:
•Single processor: Xeon 3.0 GHz dual core
•Dual power supply
•2 GB RAM
•2 x 72 GB SFF SAS RAID HDD
•Smart Array E200i Controller
•4 10/100/1000 LAN ports [2 Broadcom 5708 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
•CD/DVD-ROM Drive
•4 USB Ports (1 front, 1 internal, 2 rear)
Note NAC-3350 is based on HP ProLiant DL360 G5.
Diagrams:
•"Cisco NAC Profiler Server Front Panel" (Figure 4-1)
•"Cisco NAC Profiler Server Front Panel LEDs/Buttons" (Figure 4-2)
•"Cisco NAC Profiler Server Rear Panel" (Figure 4-3)
1 NAC-3350 supports iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.
Cisco NAC Profiler Server Front/Rear Panels
Figure 4-1 Cisco NAC Profiler Server Front Panel
1 Hard drive bay 1
2 Hard drive bay 2
3 CD-ROM/DVD drive
4 Video connector
5 HP Systems Insight Display
6 USB connector
Figure 4-2 Cisco NAC Profiler Server Front Panel LEDs/Buttons
1 Power On/Standby button and system power LED
Green = System is on.
Amber = System is shut down, but power is still applied.
Off = Power cord is not attached, a power supply failure has occurred, no power supplies are installed, facility power is not available, or the power button cable is disconnected.
2 UID button/LED
Blue = Identification is activated.
Flashing blue = System is being managed remotely.
Off = Identification is deactivated.
3 Internal health LED
Green = System health is normal.
Amber = System health is degraded. (To identify the component in a degraded state, refer to "HP Systems Insight Display and LEDs.")
Red = System health is critical. (To identify the component in a critical state, refer to "HP Systems Insight Display and LEDs.")
Off = System health is normal when in standby mode.
4 External health LED (power supply)
Green = Power supply health is normal.
Amber = Power redundancy failure occurred.
Off = Power supply health is normal when in standby mode.
5 NIC 1 (eth0) link/activity LED
Green = Network link exists.
Flashing green = Network link and activity exist.
Off = No link to network exists.
If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 4-4).
6 NIC 2 (eth1) link/activity LED
Green = Network link exists.
Flashing green = Network link and activity exist.
Off = No link to network exists.
If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 4-4).
Figure 4-3 Cisco NAC Profiler Server Rear Panel
Figure 4-4 Cisco NAC Profiler Server Rear Panel LEDs
Note See the in-box documentation that shipped with your Cisco NAC Profiler Server for information on using the controls and interpreting the status LEDs on the front panel of the unit.
Installing the Cisco NAC Profiler Server
Caution Before performing the following procedure, see the safety instructions and important regulatory information in the Important Safety Information documentation packet.
Follow the steps listed below to power-up the Cisco NAC Profiler Server and establish a network connection with the Management interface of the appliance:
Step 1 Carefully open the shipping carton and remove the appliance. Remove any packing material from the appliance.
Step 2 Confirm that the box contains the items shown in Figure 4-5.
Figure 4-5 Shipping Box Contents
Note Retain the carton and the shipping materials in the event that the unit needs to be shipped in the future.
Step 3 Check the unit for obvious damage. If the appliance appears to be damaged, DO NOT INSTALL the unit. Contact customer support for instructions on how to obtain a replacement unit. Refer to Cisco NAC Appliance Service Contract /Licensing Support for details.
Step 4 The appliance may be operated as a free-standing unit or mounted in a standard 19-inch equipment rack or cabinet.
Note A rack-mounting kit is included in the shipment. For rack-mounting information and instructions, refer to the 1U Rack Hardware Installation Instructions for HP Products document also included in the shipment.
Step 5 After mounting the unit in the desired location, connect the power cable to the device's AC power receptacle located on the rear of the appliance and plug the other end of the power cable into a grounded AC outlet.
Step 6 Connect a monitor, keyboard, and mouse to the Cisco NAC Profiler Server either directly or via a KVM switch, using the keyboard, mouse and video connectors provided on the rear of the Cisco NAC Profiler Server as shown in Figure 4-3. Alternatively, a laptop or desktop computer running HyperTerminal or a similar terminal emulation program can be used to access the Cisco NAC Profiler Server command line interface. Connect the RJ-45 connector of the console cable to serial port B on the Cisco NAC Profiler Server, and the DB9F connector to the serial port of the laptop/desktop. Use the following parameters for the serial connection: 9600 Baud, 1 stop bit, 8 data bits, no parity.
Note These peripherals are necessary only for the initial IP configuration of the management interface of the Cisco NAC Profiler Sever that establishes a valid IP configuration and network connectivity for access to the web-based user interface later.
Step 7 To connect the management interface of the Cisco NAC Profiler Server to the network, attach an appropriate Ethernet cable (equipped with an RJ-45 connector) to the copper Ethernet port labeled NIC 1 (eth0) located on the rear of the appliance. (See Figure 4-3.)
Step 8 Power on the Cisco NAC Profiler Server by pressing the power button on the front of the appliance. The diagnostic LEDs will flash a few times as part of the power-on self-test (POST). Status messages are displayed on the console as the appliance boots up.
Step 9 Confirm the network connectivity to the Cisco NAC Profiler Server by observing the Ethernet port's status LEDs. The LEDs on the NIC cards of the Cisco NAC Profiler Server are interpreted as described in the table under Figure 4-4.
Tip If the NIC port LEDs do not indicate properly after connecting the cable from the appliance to the network port, check to make sure that the correct type of cable has been used to connect the Cisco NAC Profiler Server to the network and that the switch port is enabled and properly configured.
Step 10 Connect the monitoring interface or interfaces to the desired network ports. The second on-board copper port (NIC 2 in Figure 4-3 above) as well as the copper and/or fiber ports added to the appliance expansion slots can be utilized as additional monitor ports for the Cisco NAC Profiler Server. The Cisco NAC Profiler Server uses the monitor ports to passively collect network packets of interest for use in Endpoint Profiling and Behavior Monitoring. See Chapter 3, "Preparing for Deployment" for further information.
Tip In order for the monitoring ports to collect network traffic useful for Endpoint Profiling and Behavior Monitoring, traffic of interest needs to be redirected to the network infrastructure port connected to the Cisco NAC Profiler Server monitoring port using SPAN, RSPAN or other traffic mirroring capability provided by the installed network infrastructure. See Chapter 7, "Configuring Cisco NAC Collector Modules" for detailed information on the use of monitoring ports.
The Cisco NAC Profiler Server may be operated as a single, non-redundant system or it can be configured as high-availability pair of servers:
•If implementing the system as a single NAC Profiler Server, follow the instructions outlined in Configure a Standalone Cisco NAC Profiler Server, below.
•If implementing the system as a HA pair of servers, you will receive two physical appliances, which you will need to connect together and configure via web console to create a High-Availability pair. Refer to Configure a Cisco NAC Profiler Server HA Pair for details.
Configure a Standalone Cisco NAC Profiler Server
The Cisco NAC Profiler Server ships with the Cisco NAC Profiler software pre-installed on the hard drive. When the system is started for the first time, a series of startup scripts guide the installer through several tasks necessary to configure the Cisco NAC Profiler Server and establish IP connectivity so that the web-based NAC Profiler user interface can be accessed via a standard web browser from any point on the network. At the successful completion of these steps, continue to Chapter 5, "Configuring NAC Profiler for the Target Environment". Detailed configuration of the Cisco NAC Profiler system (NAC Profiler Server and one or more Collectors) is performed as described in Chapter 6, "NAC Profiler Server Configuration".
Collect Necessary Configuration Data
Prior to beginning the setup of a Cisco NAC Profiler Server in a Standalone configuration, collect and record the data in Table 4-3 to ease the setup process.
The following Cisco NAC Profiler Server startup tasks are completed via the command line using the keyboard and monitor connected to the appliance peripheral ports, or through a laptop/desktop computer running terminal emulation as described in Installing the Cisco NAC Profiler Server. The scripts guide the user through input of the basic configuration information needed to enable the Cisco NAC Profiler Server component of the Cisco NAC Profiler system.
Initial System Startup—Set Passwords
Upon the Cisco NAC Profiler Server booting for the first time, a standard login prompt is presented either on the monitor connected to the appliance or displayed through terminal emulation on a connected laptop/desktop, as shown in Figure 4-6.
Figure 4-6 Cisco NAC Profiler System Login Prompt
Two LINUX user accounts are used on the Cisco NAC Profiler Server: root and beacon. As the system is started for the first time, passwords for both accounts need to be established.
Note Make sure to note the passwords assigned to these accounts as they need to be accessed later.
Step 1 In order to complete the initial Cisco NAC Profiler configuration, log into the system as the root LINUX user.
Step 2 On the first boot of the system, there are no passwords for the root or beacon users.
Step 3 Enter 'root' at the login prompt, and press Enter.
Step 4 The system displays the following message indicating that the system startup scripts are executing:
Figure 4-7 Welcome to the Cisco NAC Profiler
Warning Selecting Control-C or selecting Cancel on one of the user input screens while running the startup scripts will result in bypass of the configuration scripts, taking the user to the operating system command prompt without completing the initial configuration.
Step 5 Press the Enter key and create a password for the root user at the prompt.
If the password is too short or is derived from a dictionary word, the system gives a warning suggesting selection of an alternate, stronger password. Select a stronger password or override the warning by typing the same password again. An identical password string has to be entered twice in succession in order for the password to be accepted.
Step 6 The system then prompts for a password for the beacon user. Choose a password for the beacon user.
Step 7 After successfully setting the LINUX account passwords, the initial configuration scripts step the installer through several screens to set a number of environment-specific IP configuration parameters for the Cisco NAC Profiler Server including hostname, management interface IP address and mask, default gateway and name server (DNS server) for the newly installed Cisco NAC Profiler Server appliance. Referring to Table 4-3 can greatly expedite this process.
These parameters enable the system to communicate across the network allowing the detailed configuration of the system to be accomplished via the web-based graphical user interface.
The following sections outline the steps and illustrate the interfaces for setting the IP configuration parameters for a new Cisco NAC Profiler Server.
Configure Hostname
Step 1 The first step in the IP configuration of the Cisco NAC Profiler Server is the assignment of its hostname (Figure 4-8).
Figure 4-8 Configure Hostname
Step 2 Enter the desired hostname for this Cisco NAC Profiler Server. Select OK and press Enter to go on to the next step of the configuration script.
Configure Network Management Interface: IP Address, Net Mask and Default Gateway and Name Server
The network management interface is the primary communications interface for the Cisco NAC Profiler Server. It must be assigned IP configuration parameters that are appropriate for its operating environment. The device requires a valid host IP address, network mask and default gateway in order to be able to communicate via TCP/IP. The Cisco NAC Profiler Server is also provided with the address of the appropriate DNS server to be used for name resolution.
Figure 4-9 Configure Network Management Interface: IP Address
Step 1 After entering the desired IP address for the Cisco NAC Profiler Server management interface in dotted decimal notation (e.g., 10.10.10.1), press Enter to go to the next step and enter the network mask of the management interface.
Figure 4-10 Configure Network Management Interface Network Mask
Step 2 Enter the network mask to be utilized by the management interface in dotted decimal notation (e.g., 255.255.0.0), select OK using the arrow keys and press Enter to go to the next configuration page which enables the setting of the default gateway IP address.
The default gateway is the IP address of the router interface servicing the network segment to which the Cisco NAC Profiler Server is physically connected. This parameter specifies the router the Cisco NAC Profiler Server will utilize to reach other subnets and networks beyond its own.
Figure 4-11 Configure Network Management Interface: Gateway
Step 3 Enter the IP address of the desired default gateway for the Cisco NAC Profiler Server in dotted decimal notation (e.g., 10.10.10.254). Select OK using the arrow keys and press Enter to move on to the next step, name server (DNS) configuration.
Figure 4-12 Configure Network Management Interface: Name Server
Upon entering the name server IP address, selecting OK and pressing enter, a summary of the IP Information configured thus far will be provided as illustrated in Figure 4-13.
Figure 4-13 Verify Network Information
Verify that the information entered thus far is correct. If changes are required, use the arrow keys to select No and press enter. This will cause the scripts to restart from the beginning of the assignment of the IP parameters. All data entered for these parameters will be lost and the data entry steps beginning with the assignment of the management interface IP address will restart.
If the information is correct, make certain that Yes is selected and press Enter. The configuration scripts will restart all the network interfaces on the Cisco NAC Profiler Server to make the configuration changes active on the management interface. After the interfaces restart successfully, the Welcome screen appears. (See Figure 4-14.)
Figure 4-14 Welcome to the Cisco NAC Profiler
At this time, the validity of the completed IP configuration can be verified by issuing a Ping to the IP address of the Cisco NAC Profiler Server. Successfully pinging the appliance indicates a valid IP configuration which is necessary for management of the system via the web-based user interface.
Configure the Operational Parameters of NAC Profiler Server
Once the Cisco NAC Profiler Server has been configured for IP connectivity in the environment, the configuration scripts progress to setting up several parameters specific to the Cisco NAC Profiler Server such as installing and initializing the database and configuring the Cisco NAC Profiler for single-server or HA pair operation.
The first step is the selection of the password for the Cisco NAC Profiler Database and the administrative user account for the web-based NAC Profiler User Interface.
Note The admin web user account has full administrative access to the system configuration, including the creation and deletion of user accounts via the web interface. The database password is necessary for direct access to the database for operations such as backup and restore.
Figure 4-15 illustrates the screen that is used for setting the database password after progressing past the Welcome screen.
Figure 4-15 Set Database Password
Step 1 If the default Database password 'profiler' is acceptable, select OK using the arrow keys and press Enter to move on to the next step; otherwise edit the password as desired, then select OK and press Enter when finished.
The system will now set up and initialize the Cisco NAC Profiler database, and when complete prompt the administrator to provide the password for the web interface administrative user, username 'admin'.
The next screen sets the web-based user interface password for the admin user, which again defaults to 'profiler' as illustrated below.
Figure 4-16 Set Admin Web UI Password
Step 2 If the default password is acceptable, select OK using the arrow keys and press Enter to move onto the next step, or edit the password as desired. Press OK to proceed with the next step of the configuration, designating whether this Cisco NAC Profiler Server will operate as a single server, or in a High Availability (HA) pair.
Figure 4-17 HA Configuration
Step 3 Select No and press enter to configure this Cisco NAC Profiler for standalone operation.
The installation script will now install the Zend Optimizer. The Zend Optimizer is used to accelerate PHP performance within the Cisco NAC Profiler user interface.
Step 1 The following screen appears, select OK and press Enter to proceed with Zend Optimizer installation.
Figure 4-18 Zend Optimizer Installation
The next screen displays the end-user license for Zend Optimizer. Please review the license for the Zend Optimizer, using the arrow keys to scroll up and down.
Step 2 When you have completed reading the license agreement, select Exit and press Enter. The following screen appears that enables the installer to accept the agreement.
Figure 4-19 Accept Zend Optimizer License
Step 3 Select Yes to continue with installation. Selecting No will terminate the Cisco NAC Profiler configuration scripts.
Complete the following steps accomplished through a series of screens to finish the install of the Zend Optimizer:
Step 1 Accept the default installation location (/usr/local/Zend) for the Zend Optimizer, select OK and press enter.
Step 2 Confirm the location (/etc) of the PHP.ini file by accepting the default. Select OK and press enter.
Step 3 Confirm that Apache (web server component used for serving NAC Profiler web-based UI) is in use, select Yes and press Enter.
Step 4 Confirm the full path to the Apache Control Utility by accepting the default (/usr/sbin/apachectl) select OK and press Enter.
The Zend Optimizer installation begins, and successful completion of the Zend Optimizer installation is indicated by the following messages on the terminal:
Figure 4-20 Zend Optimizer Configuration Change Notification
Step 5 Select OK and press Enter to confirm the configuration changes. A "successful installation" screen like Figure 4-21 appears.
Figure 4-21 Zend Optimizer Installation Successful
Step 6 Select OK and press enter, and the next screen prompts to confirm restart of the web server on the Cisco NAC Profiler.
Figure 4-22 Confirm Restart of Web Server
Step 7 Select OK and press Enter to complete the installation by restarting the web server. Upon successful restart of the web server, the following screen is displayed on the console.
Figure 4-23 Web Server Restart Complete
Step 8 Select OK to complete the installation of the Cisco NAC Profiler.
Successful completion of the initial configuration is indicated by the following message displayed at the console.
Figure 4-24 Standalone Cisco NAC Profiler Installation Complete
Transition to Web Management
At this juncture, the Cisco NAC Profiler Server is ready for configuration via the web-based user interface. Using a standard browser on another network-attached PC or laptop, enter the following URL to confirm that the UI being served by the Cisco NAC Profiler Server is accessible over the network:
https://[IP address of management interface]/profiler
Enter admin as the username and the password selected above for the web interface. The web page shown in Figure 4-25 should display in the browser:
Figure 4-25 NAC Profiler Web UI Home Page
The session created for the initial configuration of the Cisco NAC Profiler Server appliance is still logged in as the root user at the appliance console. Issue the command "logout" at the prompt to logout of the system and lock the console.
This completes the initial configuration of your Cisco NAC Profiler Server appliance. Refer to Configuring the Collector on the Clean Access Server next, then continue to Chapter 5, "Configuring NAC Profiler for the Target Environment" for further configuration instructions of the Profiler system.
Configure a Cisco NAC Profiler Server HA Pair
The Cisco NAC Profiler Server can be configured to run as a High Availability (HA) pair. In this configuration two Cisco NAC Profiler Server appliances are deployed, a Primary and Secondary. NAC Profiler Server high-availability mode is an Active/Passive two-appliance configuration in which a standby NAC Profiler Server appliance acts as a backup to an active NAC Profiler Server appliance. While the active NAC Profiler Server carries most of the workload under normal conditions, the standby monitors the active NAC Profiler Server and keeps its data store synchronized with the active NAC Profiler Server's data. The data store includes system configuration information as well as the endpoint database.
If a failover event occurs, such as the active NAC Profiler Server is shut down or stops responding to the peer's "heartbeat" signal, the standby assumes the role of the active NAC Profiler Server.
When configuring an HA pair, the steps outlined in this section should be followed carefully to ensure successful start-up of the system in HA mode. It is highly recommended that this section be read in its entirety prior to beginning configuration.
Before powering either appliance on and beginning any configuration activities, the following steps should be completed.
1. Both Cisco NAC Profiler Server appliances in the pair should be installed with power available, but not powered on.
2. The eth0 (management) interfaces should be connected to the network on ports that are configured appropriately to allow IP connectivity between the appliances when they are powered-up and configured.
3. The eth1 (heartbeat) interfaces should be interconnected in such a way as to provide a private LAN (e.g., via a crossover cable or standalone switch) for maintenance of the heartbeat signal between the appliances.
4. Determine the host address of a third device, preferably on the same subnet, that has ICMP enabled (required) and that both Cisco NAC Profiler Server appliances can ping to confirm that they are still able to communicate with the network. This mechanism adds to the failover capability by detecting and reacting to the failure of a network interface or other loss of network connectivity.
5. Gather and record the required configuration parameters for each individual appliance and the HA pair as outlined in the next section.
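The interplay of the two signals described above (the heartbeat over the private eth1 link and the regular ICMP check of the third device) can be illustrated with a small simulation. The Python below is an added example and not Cisco's code; the rules it applies (an appliance that can no longer ping the external host steps down and stops heartbeating, and a standby that misses three consecutive heartbeats takes over) and the miss threshold are assumptions made for illustration, not documented appliance behaviour.

```python
"""Model of the Active/Passive failover signals described for the NAC Profiler HA pair.

Added example, not Cisco's code. Two signals are modelled: the heartbeat exchanged
over the private eth1 link and each appliance's periodic ICMP check of the HA
External Ping Host. The decision rules and the miss threshold are assumptions for
illustration; the page does not document the appliance's timers or tie-breaking.
"""
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    role: str                  # "active" or "standby"
    missed_heartbeats: int = 0


def check_interval(node, peer_heartbeat_seen, own_ping_ok, max_missed=3):
    """Evaluate one check interval for a node.

    Returns (role after the interval, whether this node emits a heartbeat).
    Assumed rules:
      - a node whose external ping fails drops to standby and stops heartbeating,
        so its peer notices the silence and takes over (this is what the third
        device buys: a dead eth0 is detected even though eth1 is still up);
      - a standby that misses `max_missed` consecutive heartbeats becomes active.
    """
    node.missed_heartbeats = 0 if peer_heartbeat_seen else node.missed_heartbeats + 1
    if not own_ping_ok:
        node.role = "standby"
        return node.role, False
    if node.role == "standby" and node.missed_heartbeats >= max_missed:
        node.role = "active"
    return node.role, True


def run_pair(primary, secondary, intervals):
    """Drive both appliances through (primary_ping_ok, secondary_ping_ok, eth1_link_ok) tuples.

    Returns the (primary role, secondary role) pair observed after each interval.
    """
    p_beat = s_beat = True       # heartbeats emitted in the previous interval
    history = []
    for p_ping, s_ping, link_ok in intervals:
        # each node sees the peer's previous heartbeat only if the eth1 link is up
        p_role, p_next = check_interval(primary, link_ok and s_beat, p_ping)
        s_role, s_next = check_interval(secondary, link_ok and p_beat, s_ping)
        p_beat, s_beat = p_next, s_next
        history.append((p_role, s_role))
    return history


def primary_nic_failure_scenario():
    """Constructed scenario: steady state, then the Primary's management path fails
    (its pings to the external host stop) while the eth1 heartbeat link stays up."""
    primary = Appliance("primary", "active")
    secondary = Appliance("secondary", "standby")
    intervals = [(True, True, True)] * 3 + [(False, True, True)] * 5
    return run_pair(primary, secondary, intervals)


if __name__ == "__main__":
    for i, (p, s) in enumerate(primary_nic_failure_scenario(), 1):
        print(f"interval {i}: primary={p} secondary={s}")
```

In the scenario the Primary steps down in the first interval after its ping fails, the Secondary observes three silent intervals, and then promotes itself; the intervals in between, where neither appliance is active, are the outage window that the heartbeat timing governs.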
Collect Necessary Configuration Data
Prior to beginning the setup of a Cisco NAC Profiler HA Pair, the data in the following tables should be collected and recorded to ease the setup process. Data that is specific to the Primary and Secondary appliances, as well as data that is shared by the pair needs to be collected and should be available for reference during the configuration steps outlined in the remaining sections of this chapter.
Secondary Cisco NAC Profiler Server Appliance
Parameter | Value
Password for LINUX root user (1) |
Password for LINUX beacon user (1) |
Hostname |
Management Interface IP address |
Management Interface Net Mask |
Default Gateway |
Name Server IP address |
Profiler Database Password (1) |
Web Admin User Password (1) |
1 LINUX user passwords for the root and beacon users, the Cisco NAC Profiler database password and the admin web UI password should be identical for both appliances in the HA pair.
Primary Cisco NAC Profiler Server Appliance
Parameter | Value
Password for LINUX root user (1) |
Password for LINUX beacon user (1) |
Hostname |
Management Interface IP address |
Management Interface Net Mask |
Default Gateway |
Name Server IP address |
Profiler Database Password (1) |
Web Admin User Password (1) |
1 LINUX user passwords for the root and beacon users, the Cisco NAC Profiler database password and the admin web UI password should be identical for both appliances in the HA pair.
In addition to the standard parameters that are specific to the Primary and Secondary Cisco NAC Profiler Servers in the HA pair, several parameters are required for the configuration of the pair's virtual (shared) interface and will be requested during the setup scripts:
•Virtual HA IP Address—The IP host address of the virtual management interface of the HA pair. This is the IP address that will be used to communicate with the Cisco NAC Profiler HA pair, and used by the HA pair when communicating with other network entities, regardless of which physical appliance is the Master. It is specified as a host address in dotted-decimal notation with the number of mask bits specified in CIDR format (e.g., 10.1.1.200/24)
•Local HA Network—Specify the first three octets of a private network IP address (e.g., 192.168.1) to be used for the heartbeat network between the 2 appliances (eth1 interfaces).
•HA Authentication Key—Specify a text-string to be utilized by the appliances to authenticate. The HA Shared Key must be entered identically (case sensitive) on both appliances in order for the relationship to be established.
•HA External Ping Host—This is the host IP address of another network device, preferably on the same subnet as the HA pair that will respond to ICMP echo requests from the Cisco NAC Profiler Server appliances. The Profiler Server appliances will ping this device regularly to ensure that they still have network connectivity as a measure to detect the failure of their network interface.
Table 4-4 Cisco NAC Profiler Server HA Pair Parameters
Parameter | Value
Virtual HA IP address |
Local HA Network |
HA Authentication Key |
HA External Ping Host |
Once this information is collected, the configuration of the HA pair can be initiated.
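The values recorded on the data sheets, both the per-appliance IP parameters requested during the management interface configuration and the shared HA parameters above, can be checked for consistency before the setup scripts are run, which avoids restarting the IP assignment from the beginning. The Python script below is an added example, not Cisco's code: the dictionary field names and sample values are constructed here, and the rule that the Virtual HA IP must sit on each appliance's management subnet is an assumption; the remaining rules follow the parameter descriptions in this chapter (dotted-decimal mask, gateway on the local subnet, host/CIDR virtual address, three-octet private heartbeat network, identical secrets on both appliances, a third device as ping host).

```python
"""Pre-flight check of the NAC Profiler configuration data sheets.

Added example, not Cisco's code: it validates what an installer records before
running the setup scripts (hostname, management IP, mask, gateway and name server
per appliance; for an HA pair also the shared secrets, Virtual HA IP in host/CIDR
form, three-octet Local HA Network, HA key and External Ping Host).
Sample values below are constructed.
"""
import ipaddress
import re

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Footnote 1 of the HA data sheets: these must be identical on both appliances.
SHARED_SECRETS = ("root_password", "beacon_password", "db_password", "web_admin_password")


def _ipv4(value, label, problems):
    """Parse an IPv4 address, recording a problem instead of raising."""
    try:
        return ipaddress.IPv4Address(value)
    except ValueError:
        problems.append(f"{label} '{value}' is not a valid IPv4 address")
        return None


def _mgmt_net(p):
    """Management subnet of a sheet, or None if IP/mask do not parse (dotted masks accepted)."""
    try:
        return ipaddress.IPv4Interface(f"{p['ip']}/{p['netmask']}").network
    except ValueError:
        return None


def check_appliance(p):
    """Validate one appliance's sheet. Returns a list of problems; empty means OK."""
    problems = []
    if not HOSTNAME_RE.match(p.get("hostname", "")):
        problems.append(f"hostname '{p.get('hostname')}' is not a valid host label")
    problems += [f"{key} is empty" for key in SHARED_SECRETS if not p.get(key)]
    net = _mgmt_net(p)
    if net is None:
        problems.append(f"management IP/mask '{p['ip']}/{p['netmask']}' rejected")
        return problems
    gw = _ipv4(p["gateway"], "default gateway", problems)
    if gw is not None and gw not in net:
        problems.append(f"default gateway {gw} is not on the management subnet {net}")
    _ipv4(p["dns"], "name server", problems)
    return problems


def check_ha_pair(primary, secondary, ha):
    """Validate both sheets plus the shared HA parameters (Table 4-4). Returns problems."""
    sheets = (("primary", primary), ("secondary", secondary))
    problems = [f"{name}: {m}" for name, s in sheets for m in check_appliance(s)]
    problems += [f"{k} differs between primary and secondary (must be identical)"
                 for k in SHARED_SECRETS if primary.get(k) != secondary.get(k)]
    for field in ("hostname", "ip"):
        if primary[field] == secondary[field]:
            problems.append(f"primary and secondary have the same {field}")
    vip = None
    if "/" not in ha["virtual_ip"]:  # a bare address would silently parse as /32
        problems.append("virtual HA IP must be host/CIDR (e.g. 10.1.1.200/24)")
    else:
        try:
            vip = ipaddress.IPv4Interface(ha["virtual_ip"])
        except ValueError as exc:
            problems.append(f"virtual HA IP rejected: {exc}")
    octets = re.fullmatch(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})", ha["local_ha_network"])
    hb_net = None
    if not octets or max(int(o) for o in octets.groups()) > 255:
        problems.append("local HA network must be the first three octets (e.g. 192.168.1)")
    else:
        hb_net = ipaddress.IPv4Network(ha["local_ha_network"] + ".0/24")
        if not hb_net.is_private:
            problems.append(f"heartbeat network {hb_net} is not private address space")
    for name, s in sheets:
        net = _mgmt_net(s)
        if net is None:
            continue
        # Assumed: the floating VIP must sit on each appliance's management subnet,
        # and the private heartbeat /24 must not collide with that subnet.
        if vip is not None and vip.ip not in net:
            problems.append(f"virtual HA IP {vip.ip} is not on {name} management subnet {net}")
        if hb_net is not None and hb_net.overlaps(net):
            problems.append(f"heartbeat network {hb_net} overlaps {name} management subnet {net}")
    if not ha.get("ha_key", "").strip():
        problems.append("HA authentication key is empty")
    ping = _ipv4(ha["ping_host"], "HA external ping host", problems)
    if ping is not None and (str(ping) in (primary["ip"], secondary["ip"])
                             or (vip is not None and ping == vip.ip)):
        problems.append("external ping host must be a third device, not an HA pair address")
    return problems


# Constructed sample sheets; no real deployment values.
PRIMARY = {"hostname": "profiler-1", "ip": "10.10.10.11", "netmask": "255.255.255.0",
           "gateway": "10.10.10.254", "dns": "10.10.20.5", "root_password": "root-example",
           "beacon_password": "beacon-example", "db_password": "db-example",
           "web_admin_password": "admin-example"}
SECONDARY = dict(PRIMARY, hostname="profiler-2", ip="10.10.10.12")
HA = {"virtual_ip": "10.10.10.10/24", "local_ha_network": "192.168.1",
      "ha_key": "ExampleSharedKey", "ping_host": "10.10.10.254"}

if __name__ == "__main__":
    print("\n".join(check_ha_pair(PRIMARY, SECONDARY, HA) or ["OK: data sheets are consistent"]))
```

For a standalone server only check_appliance is needed; its sheet is the same set of fields minus the HA block. The mask is parsed in the same dotted-decimal form the setup scripts ask for, so a typo such as 255.255.0.255 is caught here rather than after the interfaces have been restarted.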
The sequence of events for the configuration of a Cisco NAC Profiler HA pair is as follows:
1. Configure the Cisco NAC Profiler Server that will be the Secondary appliance up until the point that the "Subscribe" process is ready to be run.
2. Configure the Cisco NAC Profiler Server that will be the Primary appliance through to completion.
3. Return to the Secondary appliance and run the Subscribe process, which initiates the communication between the two appliances and enables the HA pair for completion of the system configuration as described in Chapter 5, "Configuring NAC Profiler for the Target Environment".
These steps will be outlined in detail in the remainder of this chapter.
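As an added example (not Cisco's code and not part of this guide), the following Python script checks a pair of completed data sheets against the rules above before either appliance is configured: it applies the classful default mask that Step 5 of the Secondary procedure describes when no CIDR prefix is given, checks that the heartbeat network is a private /24 that does not overlap the management subnet, and verifies that the authentication key, external ping host and pair hostnames agree between the two sheets. The dictionary keys and the sample values are assumptions constructed for the example.

```python
"""Pre-flight consistency check for a Cisco NAC Profiler HA pair data sheet.

Added example, not Cisco's code. Dictionary keys are assumptions.
"""
import ipaddress


def classful_prefix(addr: ipaddress.IPv4Address) -> int:
    """Default prefix length by address class, as the setup script assumes
    when no CIDR prefix is given (10.x -> 8, 172.x -> 16, 192.x -> 24)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    return 24


def parse_virtual_ha_ip(text: str) -> ipaddress.IPv4Interface:
    """Accept '10.1.1.200/24' or '10.1.1.200' (classful default mask)."""
    if "/" in text:
        iface = ipaddress.IPv4Interface(text)
    else:
        addr = ipaddress.IPv4Address(text)
        iface = ipaddress.IPv4Interface(f"{addr}/{classful_prefix(addr)}")
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{text}: virtual HA IP must be a host address")
    return iface


def parse_local_ha_network(text: str) -> ipaddress.IPv4Network:
    """The sheet holds only the first three octets, e.g. '192.168.1',
    which describe the private /24 used for the eth1 heartbeat."""
    if len(text.split(".")) != 3:
        raise ValueError(f"{text}: enter exactly the first three octets")
    net = ipaddress.IPv4Network(f"{text}.0/24")
    if not net.is_private:
        raise ValueError(f"{text}: heartbeat network should be private")
    return net


def check_ha_pair(primary: dict, secondary: dict) -> list:
    """Return a list of problems; an empty list means the sheets agree."""
    problems = []
    vip_p = parse_virtual_ha_ip(primary["virtual_ha_ip"])
    vip_s = parse_virtual_ha_ip(secondary["virtual_ha_ip"])
    if vip_p != vip_s:
        problems.append("virtual HA IP address or mask differs")
    net_p = parse_local_ha_network(primary["local_ha_network"])
    net_s = parse_local_ha_network(secondary["local_ha_network"])
    if net_p != net_s:
        problems.append("local HA network differs")
    if net_p.overlaps(vip_p.network):
        problems.append("heartbeat network overlaps the management subnet")
    # The key is compared case-sensitively by the appliances, so do the same.
    if primary["ha_auth_key"] != secondary["ha_auth_key"]:
        problems.append("HA authentication key differs (case sensitive)")
    if primary["external_ping_host"] != secondary["external_ping_host"]:
        problems.append("external ping host differs")
    ping = ipaddress.IPv4Address(primary["external_ping_host"])
    if ping == ipaddress.IPv4Address("0.0.0.0"):
        problems.append("warning: ping host 0.0.0.0 disables interface failure detection")
    elif ping not in vip_p.network:
        problems.append("warning: ping host is not on the HA pair's subnet")
    # Each appliance names the *other* appliance as its pair hostname.
    if primary["pair_hostname"] != secondary["hostname"]:
        problems.append("Primary's pair hostname does not match Secondary's hostname")
    if secondary["pair_hostname"] != primary["hostname"]:
        problems.append("Secondary's pair hostname does not match Primary's hostname")
    return problems


if __name__ == "__main__":
    # Constructed sample sheets; the only difference is the key's case.
    primary = {"hostname": "profiler-1", "pair_hostname": "profiler-2",
               "virtual_ha_ip": "10.1.1.200/24", "local_ha_network": "192.168.1",
               "ha_auth_key": "S3cretKey", "external_ping_host": "10.1.1.1"}
    secondary = dict(primary, hostname="profiler-2", pair_hostname="profiler-1",
                     ha_auth_key="s3cretkey")
    for problem in check_ha_pair(primary, secondary):
        print(problem)
```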
Configure the Secondary Cisco NAC Profiler Server of the HA Pair
Power-on the Cisco NAC Profiler Server designated as the Secondary appliance of the pair with the data collection sheet completed in the last section readily available.
Upon the Cisco NAC Profiler booting for the first time, a standard login prompt is presented either on the monitor connected to the appliance or displayed through terminal emulation on a connected laptop/desktop as shown below:
Figure 4-26 Cisco NAC Profiler system login prompt
There are two LINUX user accounts on the Cisco NAC Profiler that are utilized: 'root' and 'beacon'. As the system is started for the first time, passwords for both accounts need to be established.
Note Be sure to note the passwords assigned to these accounts as they may need to be accessed later.
Step 1 In order to complete the initial Cisco NAC Profiler configuration, log into the system as the root LINUX user.
On the first boot of the system, there will be no passwords for the root or beacon users.
Step 2 Enter 'root' at the login prompt, and press Enter.
The system will display the following message indicating that the system startup scripts are executing:
Figure 4-27 Welcome to the Cisco NAC Profiler
Warning Selecting Control-C or selecting Cancel on one of the user input screens while running the startup scripts will result in bypass of the configuration scripts, taking the user to the operating system command prompt without completing the initial configuration.
Step 3 Press the enter key and you will be prompted to create a password for the root user.
If the password is too short or is derived from a dictionary word, the system will give a warning suggesting selection of an alternate, stronger password. Select a stronger password or override the warning by typing the same password again.
An identical password string has to be entered twice in succession in order for the password to be accepted. The system will then prompt for a password for the beacon user.
Step 4 Choose a password for the beacon user referring to the notes above regarding root password selection.
At the successful completion of setting the LINUX account passwords, the initial configuration scripts will step the installer through several screens to set a number of environment-specific IP configuration parameters for the Cisco NAC Profiler Server, including hostname, management interface IP address and mask, default gateway and name server (DNS server) for the newly installed Cisco NAC Profiler Server appliance. Referring to the information in Collect Necessary Configuration Data can greatly expedite this process.
These parameters enable the system to communicate across the network allowing the detailed configuration of the system to be accomplished via the web-based graphical user interface as outlined in Chapter 5, "Configuring NAC Profiler for the Target Environment".
The following sections outline the steps and illustrate the interfaces for setting the IP configuration parameters for the newly installed Cisco NAC Profiler Server.
Configure Hostname
The first step in the IP configuration of the Cisco NAC Profiler Server is the assignment of its hostname, which is accomplished through the screen illustrated in Figure 4-28.
Figure 4-28 Configure Hostname
Enter the desired hostname for this Cisco NAC Profiler Server. Select OK and press Enter to go on to the next step of the configuration script.
Configure Network Management Interface: IP Address, Net Mask, Default Gateway, Name Server
The network management interface is the primary communications interface for the Cisco NAC Profiler Server. It must be assigned IP configuration parameters that are appropriate for its operating environment such that IP communications are enabled in the environment the appliance will be installed in. The device requires a valid host IP address, network mask and default gateway in order to be able to communicate via the TCP/IP. The Cisco NAC Profiler Server is also provided with the address of the appropriate DNS server to be used for name resolution.
Figure 4-29 Configure Network Management Interface—IP Address
Step 1 After entering the desired IP address for the Cisco NAC Profiler Server management interface in dotted decimal notation (e.g., 10.10.10.1), press Enter to go to the next step and enter the network mask of the management interface.
Figure 4-30 Configure Network Management Interface—Network Mask
Step 2 Enter the network mask to be utilized by the management interface in dotted decimal notation (e.g., 255.255.0.0), select OK using the arrow keys and press Enter to go to the next configuration page which enables the setting of the default gateway IP address.
The default gateway is the IP address of the router interface servicing the network segment to which the Cisco NAC Profiler Server is physically connected. This parameter specifies the router the Cisco NAC Profiler Server will utilize to reach other subnets and networks beyond its own.
Figure 4-31 Configure Network Management Interface—Gateway
Step 3 Enter the IP address of the desired default gateway for the Cisco NAC Profiler Server in dotted decimal notation (e.g., 10.10.10.254). Select OK using the arrow keys and press Enter to move on to the next step, name server (DNS) configuration.
Figure 4-32 Configure Network Management Interface: Name Server
Upon entering the name server IP address, selecting OK and pressing enter, a summary of the IP Information configured thus far will be provided as illustrated in Figure 4-33.
Figure 4-33 Verify Network Information
Verify that the information entered thus far is correct. If changes are required, use the arrow keys to select No and press enter. This will cause the scripts to restart from the beginning of the assignment of the IP parameters. All data entered for these parameters will be lost and the data entry steps beginning with the assignment of the management interface IP address will restart.
If the information is correct, make certain that Yes is selected and press Enter. The configuration scripts will restart all the network interfaces on the Cisco NAC Profiler Server to make the configuration changes active on the management interface. After the interfaces restart successfully, a Welcome screen appears. (See Figure 4-34.)
Figure 4-34 Welcome to the Cisco NAC Profiler
At this time, the validity of the completed IP configuration can be verified by issuing a Ping to the IP address of the Cisco NAC Profiler Server. Successfully pinging the appliance indicates a valid IP configuration which is necessary for management of the system via the web-based user interface.
Configure the Operational Parameters of the Cisco NAC Profiler Server
Once the Cisco NAC Profiler Server has been configured for IP connectivity in the environment, the configuration scripts progress to setting up several parameters specific to the Cisco NAC Profiler Server such as installing and initializing the database and configuring the Cisco NAC Profiler for single-server or HA pair operation.
The first step is the selection of the password for the Cisco NAC Profiler Database and the administrative user account for the web-based NAC Profiler User Interface.
Note The admin web user account has full administrative access to the system configuration, including the creation and deletion of user accounts via the web interface. The database password is necessary for direct access to the database for operations such as backup and restore.
Figure 4-35 illustrates the screen that is used for setting the database password after progressing past the Welcome screen.
Figure 4-35 Set Database Password
Step 1 If the default Database password 'profiler' is acceptable, select OK using the arrow keys and press Enter to move on to the next step, or edit the password as desired, selecting OK and pressing Enter when finished.
The system will now set up and initialize the Cisco NAC Profiler database, and when complete prompt the administrator to provide the password for the web interface administrative user, username 'admin'.
The next screen sets the web-based user interface password for the admin user, which again defaults to 'profiler' as illustrated below.
Figure 4-36 Set Admin Web UI Password
Step 2 If the default password is acceptable, select OK using the arrow keys and press Enter to move onto the next step, or edit the password as desired. Press OK to proceed with the next step of the configuration, designating whether this Cisco NAC Profiler Server will operate as a single server, or in a High Availability (HA) pair.
Figure 4-37 Configure HA Pair
Step 3 Select Yes using the arrow keys and press Enter to configure this Cisco NAC Profiler Server for HA operation.
Selecting Yes progresses the script to asking the installer if this Cisco NAC Profiler Server will be the Primary or Secondary.
Figure 4-38 HA Configuration - Secondary Appliance
Step 4 Use the arrow keys to select No, and press enter to set up the Secondary Cisco NAC Profiler Server.
Refer to Collect Necessary Configuration Data in the first section of this chapter.
The next several screens allow for the entry of the HA pair attributes, beginning with the Virtual HA IP address, as shown in Figure 4-39.
Figure 4-39 Set Virtual IP Address of Secondary
Step 5 Input the host address chosen for the virtual IP address of the HA pair. Optionally, the network mask in use may be specified in CIDR format. If the netmask is not specified, the system will default to the standard mask for the class of the IP network specified (e.g., if 10.1.1.1 is entered with no netmask, the mask is assumed to be 8 bits by default). When the desired virtual HA IP address (and netmask) has been entered, select OK.
Next, the script will prompt for the local HA network address, as shown below.
Figure 4-40 Set Local HA Network for Secondary
Step 6 Specify the first three octets of the class C network selected for the private LAN between the appliances used for the maintenance of heartbeat. Select OK and Enter to enter the next parameter, the hostname of the Primary appliance in the next screen shown below.
Figure 4-41 Set Pairs Hostname for Secondary
Step 7 Enter the hostname of the Primary HA Cisco NAC Profiler Server, refer to the data sheets collected at the beginning of the installation process to ensure that the hostname entered here matches the hostname of the other appliance in the HA pair exactly.
Step 8 Select OK and Enter to enter the next parameter, the HA Authentication Key in the next screen.
Figure 4-42 Set HA Authentication Key for Secondary
The HA authentication key is a secret shared between the two appliances. The HA authentication key between the two members of an HA pair must match exactly in order for the HA relationship to be established. Ensure that the HA authentication key entered in this step for the Secondary appliance is entered identically for the Primary appliance in the next step of the configuration process.
Step 9 Once the desired HA authentication key is entered, select OK and press enter to move to the next parameter, the External Ping Host which is entered as shown in Figure 4-43.
Figure 4-43 External Ping Host for Secondary
The External Ping Host should be a device external to the HA pair that is enabled to respond to ICMP Echo Requests. This is an optional parameter in the HA configuration but it is highly recommended that it be used as it is utilized to guard against network interface failure. The external ping host should be identical for both appliances in the HA pair. If this additional failover protection is not desired, leave the default IP address of 0.0.0.0.
Step 10 Select OK and Enter.
After the external ping host is entered, the startup scripts will display a summary of all the HA parameters entered for the Secondary appliance as illustrated below.
Figure 4-44 Verify HA Information for Secondary
This screen allows for the checking of all the HA parameters entered for the Secondary Cisco NAC Profiler Server in the HA pair being configured.
Step 11 If all the parameters are correct, select Yes and Enter to complete the HA Configuration of the Secondary appliance.
If a correction or change needs to be made, selecting No will restart the process—all previously entered parameters will be lost.
Upon selecting Yes, the Secondary Cisco NAC Profiler Server will initialize the HA configuration.
At the completion of that process, the startup scripts will resume with the setup of the remaining parameters for the secondary Cisco NAC Profiler Server.
Step 12 The installation script will now install the Zend Optimizer. The Zend Optimizer is used to accelerate PHP performance within the Cisco NAC Profiler user interface. The following screen appears, select OK and press Enter to proceed with Zend Optimizer installation.
Figure 4-45 Zend Optimizer Installation
The next screen displays the end-user license for Zend Optimizer. Please review the license for the Zend Optimizer, using the arrow keys to scroll up and down.
Step 13 When you have completed reading the license agreement, select Exit and press Enter. The following screen appears that enables the installer to accept the agreement.
Figure 4-46 Accept Zend Optimizer License
Step 14 Select Yes to continue with installation. Selecting No will terminate the Cisco NAC Profiler configuration scripts.
Complete the following steps accomplished through a series of screens to finish the install of the Zend Optimizer:
Step 1 Accept the default installation location (/usr/local/Zend) for the Zend Optimizer, select OK and press enter.
Step 2 Confirm the location (/etc) of the PHP.ini file by accepting the default. Select OK and press enter.
Step 3 Confirm that Apache (web server component used for serving NAC Profiler web-based UI) is in use, select Yes and press Enter.
Step 4 Confirm the full path to the Apache Control Utility by accepting the default (/usr/sbin/apachectl) select OK and press Enter.
The Zend Optimizer installation begins, and successful completion of the Zend Optimizer installation is indicated by the following messages on the terminal:
Figure 4-47 Zend Optimizer Configuration Change Notification
Step 5 Select OK and press Enter to confirm the configuration changes. A "successful installation" screen like Figure 4-48 appears.
Figure 4-48 Zend Optimizer Installation Successful
Step 6 Select OK and press enter, and the next screen prompts to confirm restart of the web server on the Cisco NAC Profiler.
Figure 4-49 Confirm Restart of Web Server
Step 7 Select OK and press Enter to complete the installation by restarting the web server. Upon successful restart of the web server, the following screen is displayed on the console.
Figure 4-50 Web Server Restart Complete
Step 8 Select OK to complete the installation of the Secondary Cisco NAC Profiler Server of the HA pair.
The following message at the console indicates successful completion of a Secondary appliance of an HA pair:
Figure 4-51 Installation of Secondary Complete
As outlined previously and stated in the message above, the Secondary Cisco NAC Profiler Server will need to be revisited after the completion of the configuration of the Primary appliance. Proceed with the configuration of the Primary as outlined in step 2 below, and step 3 will detail the process for running Subscribe to initialize the Cisco NAC Profiler HA pair.
Configure the Primary Cisco NAC Profiler Server of the HA Pair
Power-on the Cisco NAC Profiler Server designated as the Primary appliance of the pair with the data collection sheet completed in the last section readily available.
The initial startup of the appliance (assignment of network parameters and initial configuration of the Cisco NAC Profiler Server) follows the exact same sequence as that outlined for the Secondary Server in the previous section. Using the data sheet parameters collected in the first section of this chapter for the Primary Cisco NAC Profiler, repeat the steps of the previous section up to the point where the HA pair prompt appears.
When the screen that asks whether this system will be used in an HA pair (as illustrated below), resume the Primary appliance setup procedure below.
Figure 4-52 Configure HA Pair
Step 1 Select Yes using the arrow keys and press Enter to configure this Cisco NAC Profiler Server for HA operation.
Selecting Yes progresses the script to asking the installer if this Cisco NAC Profiler Server will be the Primary or Secondary.
Figure 4-53 HA Configuration—Primary Appliance
Step 2 Use the arrow keys to select Yes, and press enter to set up the Primary Cisco NAC Profiler Server.
Refer to Collect Necessary Configuration Data in the first section of this chapter.
The next several screens allow for the entry of the HA pair attributes for the Primary, beginning with the Virtual HA IP address, as shown in Figure 4-54.
Figure 4-54 Set Virtual IP Address of Primary
Step 3 Input the host address chosen for the virtual IP address of the HA pair.
Next, the script will prompt for the local HA network address, as shown below.
Figure 4-55 Set Local HA Network for Primary
Step 4 Specify the first three octets of the class C network selected for the private LAN between the appliances used for the maintenance of heartbeat between the Primary and Secondary appliances. Select OK and Enter to enter the next parameter, the hostname of the other appliance in the next screen shown below.
Figure 4-56 Set Pairs Hostname for Primary
Step 5 Enter the hostname of the Secondary HA Cisco NAC Profiler Server; refer to the data sheets collected at the beginning of the installation process to ensure that the hostname entered here matches the hostname of the Secondary exactly.
Step 6 Select OK and Enter to enter the next parameter, the HA Authentication Key in the next screen.
Figure 4-57 Set HA Authentication Key for Primary
Step 7 Ensure that the HA authentication key entered in this step for the Primary appliance is entered identically to that specified for the Secondary appliance in the previous step of the configuration process. Once the desired HA authentication key is entered, select OK and press enter to move to the next parameter, the External Ping Host which is entered as shown in Figure 4-58.
Figure 4-58 External Ping Host for Primary
The External Ping Host specified for the Primary should be the same device specified for the Secondary.
After the external ping host is entered, the startup scripts will display a summary of all the HA parameters entered for the Primary appliance as illustrated below.
Figure 4-59 Verify HA Information for Primary
This screen allows for the checking of all the HA parameters entered for the Primary Cisco NAC Profiler Server in the HA pair being configured.
Note Before selecting Yes and proceeding with the setup of HA on the Primary appliance, ensure that the HA parameters on the Primary are consistent with those configured on the Secondary in the previous step. Doing so will ensure that the HA pair will come up successfully on the first attempt.
Step 8 If all the parameters are correct, select Yes and Enter to complete the HA Configuration of the Primary appliance.
If a correction or change needs to be made, selecting No will restart the process—all previously entered HA parameters for the Primary will be lost and will have to be entered again.
Upon selecting Yes, the Primary Cisco NAC Profiler Server will initialize the HA configuration.
Upon completion of the HA initialization, the following message will display at the console:
Figure 4-60 Completion of HA Initialization on Primary
As part of the HA setup, an SSH session is initiated between the two appliances for the purpose of creating a permanent SSH channel that will be used for HA database updates over the heartbeat connection (eth1).
In completing this step, the Primary appliance will require the LINUX "beacon" user password for the Secondary appliance. Hit enter to continue and then enter the password for the beacon user on the Secondary appliance when prompted as shown in Figure 4-60.
You will see "Warning" messages on the screen as the SSH session is established. Please note that the IP address that displays on this screen is the "Secondary IP" address that was automatically determined based on the "Set Local HA Network" parameter that was configured earlier (see Figure 4-40).
After High-Availability services are stopped and restarted as part of the installation process, the startup scripts will resume with the setup of the remaining parameters for the Primary Cisco NAC Profiler Server.
The installation script will now install the Zend Optimizer on the Primary appliance. The Zend installation process for the Primary is identical to that of the Secondary. If necessary, refer to that procedure in the previous section, beginning at Step 12. Step through the process to complete Zend installation. At the successful completion of that installation, the installer will be prompted to restart the web server as shown in Figure 4-61.
Figure 4-61 Confirm Restart of Web Server
Step 1 Select OK and press Enter to complete the installation by restarting the web server on the Primary Cisco NAC Profiler Server. Upon successful restart of the web server, the following screen is displayed on the console.
Figure 4-62 Web Server Restart Complete
Step 2 Select OK to complete the installation of the Primary Cisco NAC Profiler Server of the HA pair.
The following message at the console indicates successful completion of a Primary appliance of an HA pair:
Figure 4-63 Successful Installation on Primary appliance of HA pair
Run the Subscribe Script on the Secondary Appliance
After the successful completion of the previous step which included complete configuration of the Primary appliance, and the successful establishment of an SSH session between the two appliances in the HA pair, the Secondary appliance must be revisited in order to run the "subscribe.sh" script.
If the Secondary appliance is not already logged in as root, SSH to the Secondary appliance IP as user "beacon".
Run su - to elevate to the root user by providing the root password.
Run the subscribe script by typing /usr/beacon/sql/subscribe.sh as shown in Figure 4-64.
Figure 4-64 Run subscribe.sh on Secondary
After the SSH channel is established between the two appliances in the HA pair, High-Availability services will initialize and this secondary appliance will become the "slave" of the HA pair.
This completes the installation scripts for a pair of NAC Profiler Server appliances in HA mode. At this time, the remaining configuration of the Cisco NAC Profiler system can be completed using the web UI, managing the system via the Virtual IP address assigned in the configuration of the Cisco NAC Profiler Servers.
Transition to Web Management
At this juncture, the Cisco NAC Profiler HA pair is ready for configuration via the web-based user interface. Using a standard browser on another network-attached PC or laptop, enter the following URL to confirm that the UI being served by the Cisco NAC Profiler HA pair is accessible over the network:
https://[Virtual HA IP Address]/profiler
Enter 'admin' as the username and the password selected above for the web interface. The following web page should display in the browser:
Figure 4-65 NAC Profiler Web UI Home Page
The session created for the initial configuration of the Cisco NAC Profiler Server is still logged in as the root user at the appliance console. Issue the command "logout" at the prompt to logout of the system and lock the console.
This completes the initial configuration of your Cisco NAC Profiler Server HA pair. Refer to Configuring the Collector on the Clean Access Server next, then continue to Chapter 5, "Configuring NAC Profiler for the Target Environment" for further configuration instructions of the Profiler system.
Configuring the Collector on the Clean Access Server
The Cisco NAC Profiler Collector module co-resides on the Cisco NAC Appliance Clean Access Server and must be enabled on the Clean Access Server as described in this section.
See CLI Commands for Cisco NAC Profiler for additional details.
Enable the Collector Service on the CAS
Step 1 Connect to the Clean Access Server and access its command line by direct console, serial connection, or SSH.
Step 2 Login as user root with the root password (default is cisco123)
Step 3 At the command line, type service collector config.
[root@CAS_OOB /]# service collector config
This starts the short configuration script for the Collector. Either type a value or press the Enter key to accept the default value (shown in brackets [ ]) for each of the following prompts.
Step 4 Type y or press Enter to enable the Collector service on the CAS:
Enable the NAC Collector (y/n) [y]: y
Step 5 Type y or press Enter to configure network settings for the Collector so that it can connect to the Cisco NAC Profiler Server:
Configure NAC Collector (y/n) [y]: y
Network configuration to connect to a NAC Profiler Server
Step 6 Press Enter to configure the Collector as a client (default) or type server to configure it otherwise (not common):
Connection type (server/client) [client]:
Step 7 Type the IP address of the Cisco NAC Profiler Server that the Collector will communicate with:
Connect to IP [127.0.0.1]: 10.30.30.5
Step 8 Press Enter to accept the default port number (31416), or type another port number for communication with the Cisco NAC Profiler Server:
Port number [31416]:
Step 9 Type none if no encryption is desired, or type AES (default) or blowfish to configure encryption:
Encryption type (AES, blowfish, none) [AES]: none
Step 10 Type the shared secret for the Profiler Server. See Shared Secret, page 6-8 for additional details.
Shared secret []: cisco123
Step 11 The NAC Collector configuration utility will next show status for each of the modules (Forwarder, NetMap, NetTrap, NetWatch, NetInquiry, NetRelay) in the Collector followed by a final confirmation:
-- Configured CAS_OOB-fw
-- Configured CAS_OOB-nm
-- Configured CAS_OOB-nt
-- Configured CAS_OOB-nw
-- Configured CAS_OOB-ni
-- Configured CAS_OOB-nr
NAC Collector has been configured
[root@CAS_OOB /]#
Step 12 Collector configuration on the Clean Access Server is complete.
Refer to Chapter 7, "Configuring Cisco NAC Collector Modules" for details on how to further configure Collector modules through the Cisco NAC Profiler Server web interface.
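As an added example (not Cisco's code and not part of this guide), the following Python helper captures the answers for the service collector config prompts above in the order the script asks for them, and reviews them before they are typed in: the sample transcript chose encryption type none and the shared secret cisco123, which a production Collector should not do. Whether the CAS script would accept these answers from a pipe is an assumption and is not relied on; the review function is the point.

```python
"""Review the answers planned for `service collector config` on a CAS.

Added example, not Cisco's code. Prompt order and defaults are taken from
the procedure in this section; the field names below are assumptions.
"""
import ipaddress

# Prompts in the order the Collector configuration script asks them.
PROMPT_ORDER = ("enable", "configure", "connection_type", "server_ip",
                "port", "encryption", "shared_secret")

# Defaults shown in brackets by the script (an empty secret is the default).
DEFAULTS = {"enable": "y", "configure": "y", "connection_type": "client",
            "server_ip": "127.0.0.1", "port": "31416", "encryption": "AES",
            "shared_secret": ""}

# The sample transcript used this value; it is also the documented default
# root password, so treat it as a known weak secret.
KNOWN_WEAK_SECRETS = {"cisco123"}


def review_collector_config(cfg: dict) -> list:
    """Return warnings for weak or inconsistent answers (empty list = clean)."""
    answers = {**DEFAULTS, **cfg}
    warnings = []
    if ipaddress.IPv4Address(answers["server_ip"]).is_loopback:
        warnings.append("server IP left at 127.0.0.1; Collector cannot reach the Profiler Server")
    if not 1 <= int(answers["port"]) <= 65535:
        warnings.append("port number out of range")
    enc = answers["encryption"]
    if enc not in ("AES", "blowfish", "none"):
        warnings.append(f"unknown encryption type {enc!r}")
    elif enc == "none":
        warnings.append("encryption 'none': Collector-to-Server traffic sent in clear")
    elif enc == "blowfish":
        warnings.append("blowfish is a legacy 64-bit block cipher; keep the AES default")
    secret = answers["shared_secret"]
    if secret == "" or secret in KNOWN_WEAK_SECRETS or len(secret) < 12:
        warnings.append("shared secret is empty, a known weak value, or shorter than 12 characters")
    if answers["connection_type"] != "client":
        warnings.append("connection type 'server' is not the common setup")
    return warnings


def collector_answers(cfg: dict) -> str:
    """Answers in prompt order, one per line, as they would be typed."""
    answers = {**DEFAULTS, **cfg}
    return "\n".join(answers[key] for key in PROMPT_ORDER) + "\n"


if __name__ == "__main__":
    # The choices made in the sample transcript of this section.
    transcript = {"server_ip": "10.30.30.5", "encryption": "none",
                  "shared_secret": "cisco123"}
    for warning in review_collector_config(transcript):
        print("WARNING:", warning)
    print(collector_answers(transcript), end="")
```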
CLI Commands for Cisco NAC Profiler
Table 4-5 lists CLI commands issued on the CAS for the Cisco NAC Profiler Collector service. Refer to the Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide for complete details on the CAS CLI.