Performing Maintenance Operations
You can perform actions at the system level, such as updating system software or downloading certificates that can be used with many items.
This chapter describes the system-level tasks to perform with Cisco NCS. It contains the following sections:
•Information About Maintenance Operations
Information About Maintenance Operations
A system-level task is a collection of tasks that relate to operations that apply to the NCS database as a whole. System tasks also include restoring the NCS database. For more information, see the "Restoring the NCS Database" section.
Performing System Tasks
This section describes how to use NCS to perform system-level tasks. It contains the following topics:
•Adding a Controller to the NCS Database
•Using NCS to Update System Software
•Downloading Vendor Device Certificates
•Downloading Vendor CA Certificates
•Using NCS to Enable Long Preambles for SpectraLink NetLink Phones
•Creating an RF Calibration Model
Adding a Controller to the NCS Database
To add a controller to the NCS database, follow these steps:
Note We recommend that you manage controllers through the controller dedicated service port for improved security. However, when you manage controllers that do not have a service port (such as 2000 series controllers) or for which the service port is disabled, you must manage those controllers through the controller management interface.
Step 1 Log into the NCS user interface.
Step 2 Choose Configure > Controllers to display the All Controllers page.
Step 3 From the Select a command drop-down list, choose Add Controller, and click Go.
Step 4 In the Add Controller page, enter the controller IP address, network mask, and required SNMP settings.
Step 5 Click OK. NCS displays a Please Wait dialog box while it contacts the controller and adds the current controller configuration to the NCS database. It then returns you to the Add Controller page.
Step 6 If NCS does not find a controller at the IP address that you entered for the controller, the Discovery Status dialog displays this message:
No response from device, check SNMP.
Check these settings to correct the problem:
•The controller service port IP address might be set incorrectly. Check the service port setting on the controller.
•NCS might not have been able to contact the controller. Make sure that you can ping the controller from the NCS server.
•The SNMP settings on the controller might not match the SNMP settings that you entered in NCS. Make sure that the SNMP settings configured on the controller match the settings that you entered in NCS.
Step 7 Add additional controllers if desired.
Using NCS to Update System Software
To update controller (and access point) software using NCS, follow these steps:
Step 1 Enter the ping ip-address command to be sure that the NCS server can contact the controller. If you use an external TFTP server, enter ping ip-address to be sure that the NCS server can contact the TFTP server.
Note When you are downloading through a controller distribution system (DS) network port, the TFTP server can be on the same or a different subnet because the DS port is routable.
Step 2 Click Configure > Controllers to navigate to the All Controllers page.
Step 3 Select the check box of the desired controller, choose Download Software (TFTP or FTP) from the Select a command drop-down list, and click Go. NCS displays the Download Software to Controller page.
Step 4 If you use the built-in NCS TFTP server, choose the Default Server from the Server Name list box. If you use an external TFTP server, select New from the Server Name list box and add the external TFTP server IP address.
Step 5 Enter the file path and server file name in their respective text boxes (for example, AS_2000_release.aes for 2000 series controllers). The files are uploaded to the root directory which was configured for use by the TFTP server. You can change to a different directory.
Note Be sure that you have the correct software file for your controller.
Step 6 Click Download. NCS downloads the software to the controller, and the controller writes the code to flash RAM. As NCS performs this function, it displays its progress in the Status field.
Downloading Vendor Device Certificates
Each wireless device (controller, access point, and client) has its own device certificates. For example, the controller is shipped with a Cisco-installed device certificate. This certificate is used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific device certificate, it must be downloaded to the controller.
To download a vendor-specific device certificate to the controller, follow these steps:
Step 1 Choose Configure > Controllers.
Step 2 You can download the certificates in one of two ways:
a. Select the check box of the controller you choose.
b. Choose Download Vendor Device Certificate from the Select a command drop-down list, and click Go.
or
Click the URL of the desired controller in the IP Address column.
c. Choose System > Commands from the left sidebar menu.
d. Choose TFTP or FTP in the Upload/Download Command section.
e. Choose Download Vendor Device Certificate from the Upload/Download Commands drop-down list, and click Go.
Step 3 In the Certificate Password text box, enter the password which was used to protect the certificate.
Step 4 Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP server, the name must be supplied in the Server File Name parameter. If the certificate is on the local machine, you must specify the file path in the Local File Name parameter using the Choose File button.
Step 5 Enter the TFTP server name in the Server Name parameter. The default is for the NCS server to act as the TFTP server.
Step 6 Enter the server IP address.
Step 7 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 8 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 9 In the Local File Name text box, enter the directory path of the certificate.
Step 10 Click OK.
Downloading Vendor CA Certificates
Controllers and access points have a certificate authority (CA) certificate that is used to sign and validate device certificates. The controller is shipped with a Cisco-installed CA certificate. This certificate may be used by EAP-TLS and EAP-FAST (when not using PACs) to authenticate wireless clients during local EAP authentication. However, if you wish to use your own vendor-specific CA certificate, it must be downloaded to the controller.
To download a vendor CA certificate to the controller, follow these steps:
Step 1 Click Configure > Controllers.
Step 2 You can download the certificates in one of two ways:
a. Select the check box of the controller you choose.
b. Choose Download Vendor CA Certificate from the Select a command drop-down list, and click Go.
or
Click the URL of the desired controller in the IP Address column.
c. Choose System > Commands from the left sidebar menu.
d. Choose Download Vendor CA Certificate from the Upload/Download Commands drop-down list, and click Go.
Step 3 Specify if the certificate to download is on the TFTP server or on the local machine. If it is on the TFTP server, the name must be supplied in the Server File Name parameter in Step 9. If the certificate is on the local machine, you must specify the file path in the Local File Name parameter in Step 8 using the Browse button.
Step 4 Enter the TFTP server name in the Server Name parameter. The default is for the NCS server to act as the TFTP server.
Step 5 Enter the server IP address.
Step 6 In the Maximum Retries text box, enter the maximum number of times that the TFTP server attempts to download the certificate.
Step 7 In the Timeout text box, enter the amount of time (in seconds) that the TFTP server attempts to download the certificate.
Step 8 In the Local File Name text box, enter the directory path of the certificate.
Step 9 Click OK.
Using NCS to Enable Long Preambles for SpectraLink NetLink Phones
A radio preamble (sometimes called a header) is a section of data at the head of a packet. It contains information that wireless devices need when sending and receiving packets. Short preambles improve throughput performance, so they are enabled by default. However, some wireless devices, such as SpectraLink NetLink phones, require long preambles.
To optimize the operation of SpectraLink NetLink phones on your wireless LAN by using NCS to enable long preambles, follow these steps:
Step 1 Log into the NCS user interface.
Step 2 Click Configure > Controllers to navigate to the All Controllers page.
Step 3 Click the IP address of the desired controller.
Step 4 From the left sidebar menu, choose 802.11b/g/n > Parameters.
Step 5 If the IP Address > 802.11b/g/n Parameters page shows that short preambles are enabled, continue to the next step. However, if short preambles are disabled, which means that long preambles are enabled, the controller is already optimized for SpectraLink NetLink phones, and you do not need to continue this procedure.
Step 6 Enable long preambles by unselecting the Short Preamble check box.
Step 7 Click Save to update the controller configuration.
Step 8 To save the controller configuration, choose System > Commands from the left sidebar menu, choose Save Config To Flash from the Administrative Commands drop-down list, and click Go.
Step 9 To reboot the controller, choose Reboot from the Administrative Commands drop-down list and click Go.
Step 10 Click OK when the following message appears:
Please save configuration by clicking "Save Config to flash". Do you want to continue rebooting anyways?
The controller reboots. This process may take some time, during which NCS loses its connection to the controller.
Note You can view the controller reboot process with a CLI session.
Creating an RF Calibration Model
If you would like to further refine NCS Location tracking of client and rogue access points across one or more floors of a building, you have the option of creating an RF calibration model that uses physically collected RF measurements to fine-tune the location algorithm. When you have multiple floors in a building with the same physical layout as the calibrated floor, you can save time calibrating the remaining floors by using the same RF calibration model for the remaining floors.
The calibration models are used as RF overlays with measured RF signal characteristics that can be applied to different floor areas. This allows the Cisco Unified Wireless Network Solution installation team to lay out one floor in a multi-floor area, use the RF calibration tool to measure and save the RF characteristics of that floor as a new calibration model, and apply that calibration model to all the other floors with the same physical layout.
Performing NCS Operations
This section contains the following topics:
Verifying the Status of NCS
This section provides instructions for checking the status of NCS. You can check the status at any time. To check the status of NCS, follow these steps:
Step 1 Log into the system as root.
Step 2 Using the Linux CLI, perform one of the following:
•Navigate to the installation directory (such as /opt/NCS1.0.X.X) and enter ./NCSStatus.
•Navigate to the installation directory (such as /opt/NCS1.0.X.X) and enter NCSAdmin status.
The CLI displays messages indicating the status of NCS.
Stopping NCS
This section provides instructions for stopping NCS. You can stop NCS at any time. To stop NCS, follow these steps:
Note If any users are logged in when you stop NCS, their NCS sessions stop functioning.
Step 1 Log into the system as root.
Note To see which version of NCS you currently have installed, enter nmsadmin.sh version.
Step 2 Using the Linux CLI, perform one of the following:
•Navigate to the shortcut location (defaulted to /opt/NCSA.B.C.D) and enter ./StopNCS.
•Navigate to the installation bin directory (defaulted to /opt/NCSA.B.C.D/bin) and enter StopNCS.
The CLI displays messages indicating that NCS is stopping.
Backing Up the NCS Database
This section provides instructions for backing up the NCS database. You can schedule regular backups through the NCS user interface or manually initiate a backup.
Note Machine specific settings (such as FTP enable and disable, FTP port, FTP root directory, TFTP enable and disable, TFTP port, TFTP root directory, HTTP forward enable and disable, HTTP port, HTTPS port, report repository directory, and all high availability settings) are not included in the backup and restore function if the backup is restored to a different device.
This section contains the following topics:
Scheduling Automatic Backups
To schedule automatic backups of the NCS database, follow these steps:
Step 1 Log into the NCS user interface.
Step 2 Click Administration > Background Tasks to display the Scheduled Tasks page.
Step 3 Click the NCS Server Backup task to display the NCS Server Backup page.
Step 4 Select the Enabled check box.
Step 5 At the Backup Repository parameter, choose an existing backup repository or click the Create button to create a new repository.
Step 6 If you are backing up to a remote location, select the FTP Repository check box. You need to enter the FTP location, username, and password of the remote machine.
Step 7 In the Interval (Days) text box, enter a number representing the number of days between each backup. For example, 1 = a daily backup, 2 = a backup every other day, 7 = a weekly backup, and so on.
Range: 1 to 360
Default: 7
Step 8 In the Time of Day text box, enter the time when you want the backup to start. It must be in this format: hh:mm AM/PM (for example: 03:00 AM).
Note Backing up a large database affects the performance of the NCS server. Therefore, we recommend that you schedule backups to run when the NCS server is idle (for example, in the middle of the night).
Step 9 Click Submit to save your settings. The backup file is saved as a .zip file in the ftp-install-dir/ftp-server/root/NCSBackup directory using this format: dd-mmm-yy_hh-mm-ss.zip (for example, 11-Nov-05_10-30-00.zip).
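A check that the scheduled task is actually producing backups, as an added example that is not part of the Cisco guide: it parses file names in the dd-mmm-yy_hh-mm-ss.zip format from Step 9 and reports a stale newest backup or missed runs for the configured Interval (Days). The function names, the two-hour grace period, the 20yy reading of two-digit years, and the sample listing are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Name format from Step 9: dd-mmm-yy_hh-mm-ss.zip (for example, 11-Nov-05_10-30-00.zip).
NAME_RE = re.compile(r"^(\d{2})-([A-Za-z]{3})-(\d{2})_(\d{2})-(\d{2})-(\d{2})\.zip$")
# Own month table so parsing does not depend on the server locale.
MONTHS = {m: i for i, m in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

# Constructed directory listing (only the 11-Nov-05 name appears in the guide).
SAMPLE_FILES = [
    "04-Nov-05_10-30-00.zip",
    "11-Nov-05_10-30-00.zip",
    "notes.txt",                 # unrelated file
    "31-Feb-05_10-30-00.zip",    # matches the pattern but is not a real date
    "25-Nov-05_10-30-00.zip",
]


def parse_backup_name(name):
    """Return the timestamp encoded in a backup file name, or None if invalid."""
    m = NAME_RE.match(name)
    if not m:
        return None
    day, mon, yy, hh, mi, ss = m.groups()
    month = MONTHS.get(mon.lower())
    if month is None:
        return None
    try:
        # Assumption: two-digit years mean 20yy.
        return datetime(2000 + int(yy), month, int(day), int(hh), int(mi), int(ss))
    except ValueError:
        return None


def check_backups(names, interval_days, now, grace=timedelta(hours=2)):
    """Compare backup timestamps against the scheduled interval.

    stale   -> no usable backup, or the newest one is older than interval + grace
    gaps    -> consecutive backups further apart than interval + grace
    ignored -> names that do not parse, or that carry a timestamp in the future
    """
    if not 1 <= interval_days <= 360:   # range documented in Step 7
        raise ValueError("Interval (Days) must be between 1 and 360")
    limit = timedelta(days=interval_days) + grace
    stamps, ignored = [], []
    for name in names:
        ts = parse_backup_name(name)
        if ts is None or ts > now:
            ignored.append(name)
        else:
            stamps.append(ts)
    stamps.sort()
    gaps = [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > limit]
    newest = stamps[-1] if stamps else None
    stale = newest is None or now - newest > limit
    return {"newest": newest, "stale": stale, "gaps": gaps, "ignored": ignored}


if __name__ == "__main__":
    report = check_backups(SAMPLE_FILES, 7, datetime(2005, 11, 26, 12, 0))
    print("newest backup:", report["newest"])
    print("stale:", report["stale"])
    for before, after in report["gaps"]:
        print("missed run(s) between", before, "and", after)
    print("ignored entries:", report["ignored"])
```

In practice, pass the output of a directory listing of the NCSBackup directory as `names` and the current time as `now`.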
Performing a Manual Backup
To back up the NCS database on a Linux server, follow these steps:
Note You do not need to shut down Oracle or the platform to do a backup.
Step 1 Log into the system as root.
Step 2 Create a local or remote backup directory for the NCS database with no spaces in the name (for example, mkdir disk:/NCS1.0.X.X_Backup).
Note Make sure that the directory name does not contain spaces. Spaces can generate errors.
Note If it is a remote backup location, you MUST specify the correct FTP location (for example, ftp://hostname/location) and user credentials.
Step 3 You can do a backup either through Command Line
Step 4 Perform one of the following:
•Back up the appliance and application to the repository (local or remote).
backup testbackup repository backup_repo
•Back up the application only to the repository (local or remote).
backup testbackup repository backup_repo application NCS
The CLI displays messages indicating the status of the backup.
Restoring the NCS Database
This section provides instructions for restoring the NCS database. This section contains the following topics:
•Restoring the NCS Database in a High Availability Environment
Restoring the NCS Database
If you are restoring the NCS database in a high availability environment, see the "Restoring the NCS Database in a High Availability Environment" section. To restore the NCS database from a backup file, follow these steps:
Step 1 To view all local repository backups, use the following command:
show repository backup_repo
Note If possible, stop all NCS user interfaces to stabilize the database.
Step 2 Manually shut down the platform as root.
Step 3 Using the CLI, perform one of the following:
•Restore the appliance and application backup by entering the following command:
restore testbackup-yymmdd-xxxx.tar.gpg repository backup_repo
•Restore only the application backup by entering the following command:
restore testbackup-yymmdd-xxxx.tar.gpg repository backup_repo application NCS
Step 4 Click Yes if a message appears indicating that NCS is running and needs to be shut down.
Note If the restore process shuts down NCS, a restart is attempted after a successful restore. The appliance then restarts, and you must log in again and manually restart the dbserver and the platform as root (make sure that you do not start with dbclean, or you will lose your recently restored data).
The CLI displays messages indicating that the NCS database is being restored.
Restoring the NCS Database in a High Availability Environment
During installation, you were prompted to determine if a secondary NCS server would be used for high availability support to the primary NCS server. If you opted for this high availability environment and enabled it in the Administration > High Availability page, the status appears as HA enabled. Before restoring a database, you must convert the status to HA not configured.
Note If you attempt to restore the database while the status is set to HA enabled, unexpected results may occur.
To change the status from HA enabled to HA not configured, follow one of these procedures:
•Click the Remove button in the HA Configuration page (Administration > High Availability).
•Restart the primary server. Go to the secondary HealthMonitor GUI (https://<SecondaryNCS>:8082), and click Failback.
–Use this method when one of the following instances has occurred:
The primary server is down and failover has not been executed, so the secondary server is in the SecondaryLostPrimary state.
or
The primary server is down and failover is already executed, so the secondary server is in the SecondaryActive state.
The primary server will now be in HA Not Configured mode, and you can safely restore the database.
Uninstalling NCS
This section provides instructions for uninstalling NCS. You can uninstall NCS at any time, even while NCS is running.
To uninstall NCS on a Linux server, follow these steps:
Step 1 Stop NCS.
Step 2 Log into the system as root through an X terminal session.
Step 3 Using the Linux CLI, navigate to the /opt/NCS1.0.X.X directory (or the directory chosen during installation).
Step 4 Enter ./UninstallNCS.
Step 5 Click Yes to continue the uninstall process.
Step 6 Click Finish when the uninstall process is complete.
Note If any part of the /opt/NCS1.0.X.X directory remains on the hard drive, manually delete the directory and all of its contents. If you fail to delete the previous NCS installation, this error message appears when you attempt to reinstall NCS: "Cisco NCS is already installed. Please uninstall the older version before installing this version."
Upgrading WCS to NCS
This section provides instructions for upgrading to NCS. If you are upgrading to NCS in a high availability environment, see the "Upgrading NCS in a High Availability Environment" section.
Note NCS supports data migration from WCS releases 7.0.164.3 and 7.0.172.0. If you do not have one of these releases of WCS, you must upgrade to either WCS 7.0.164.3 or 7.0.172.0 first and then follow the migration steps.
To upgrade from WCS to NCS, follow these steps:
Step 1 Stop the WCS server.
Step 2 Run the export command to export all the WCS data into an export file. For Linux, run the export.sh all command, and for Windows, run the export.bat all command.
Note The current zip tool can only handle zip files of up to 4G in size. If the WCS DB size is larger than 10G, there is a high possibility that the zip file size will be more than 4G. Request a patch if you face this issue.
Note While upgrading from WCS to NCS, on running the export command, you might encounter a "could not reserve enough space" error. If you encounter this error then access either the export.bat (for Windows OS) or export.sh (for Linux OS) file and replace the instance of -Xmx1024m with -Xmx512m.
Step 3 Copy the export.zip file (for example, wcs.zip) into a local repository folder.
Step 4 Log in to NCS as admin and stop the NCS server using the ncs stop command.
Step 5 Configure the repository in the NCS appliance using the repository command.
ncs-appliance/admin#configure
ncs-appliance/admin(config)#repository wcs-ftp-repo
ncs-appliance/admin(config-Repository)#url ftp://172.19.28.229//
ncs-appliance/admin(config-Repository)#user ftp-user password plain ftp-user
Note Make sure wcs.zip is listed in the output of the 'show repository <repositoryname>' command. For TFTP, if directory listing is not enabled, the restore fails. This is expected behavior, and 'show repository' returns an error message.
ncs-appliance/admin# show repository wcs-ftp-repo
wcs.zip
ncs-appliance/admin# show repository wcs-tftp-repo
% Protocol does not support listing directories
Step 6 Execute the ncs migrate command to restore the WCS database.
ncs-appliance/admin# ncs migrate wcs-data wcs.zip repository wcs-ftp-repo
If you use the noclientstats option, client count and client statistics data are not migrated to NCS. By default, no WCS events are migrated.
Step 7 Run the ncs start command to start the NCS server after the upgrade is completed.
Step 8 Log in to the NCS user interface using root and the root password.
Note The client count, client summary, client throughput, client traffic, rogue AP, adhoc rogues, new adhoc rogues, PCI details, PCI summary and security summary reports, dashboard customizations, client station information and its statistics, all WCS events, RADIUS/TACACS server IP and credentials, and the root password are not migrated from WCS to NCS. Make sure you enable the RADIUS/TACACS server as AAA mode in Administration > AAA > AAA Mode Settings page and click Save.
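A review of the repository definition from Step 5 before running the migration, as an added example that is not part of the Cisco guide: it parses a captured CLI transcript and reports repositories that use FTP or TFTP (both carry data unencrypted), TFTP repositories that `show repository` cannot list (the condition the note in Step 5 says makes the restore fail), passwords entered with the `plain` keyword, and passwords identical to the user name. The function names and finding labels are hypothetical, and the `wcs-tftp-repo` definition with address 192.0.2.10 is constructed sample input.

```python
import re
from urllib.parse import urlsplit

# Constructed transcript: the wcs-ftp-repo lines are the ones shown in Step 5;
# the wcs-tftp-repo definition is made up for the example.
SAMPLE_TRANSCRIPT = """\
ncs-appliance/admin#configure
ncs-appliance/admin(config)#repository wcs-ftp-repo
ncs-appliance/admin(config-Repository)#url ftp://172.19.28.229//
ncs-appliance/admin(config-Repository)#user ftp-user password plain ftp-user
ncs-appliance/admin(config)#repository wcs-tftp-repo
ncs-appliance/admin(config-Repository)#url tftp://192.0.2.10/
ncs-appliance/admin# show repository wcs-ftp-repo
wcs.zip
"""

USER_CMD = re.compile(r"^user\s+(\S+)\s+password\s+(\S+)\s+(\S+)$")


def parse_repositories(transcript):
    """Collect repository settings from prompt lines of a CLI transcript."""
    repos, current = {}, None
    for raw in transcript.splitlines():
        if "#" not in raw:
            continue                      # command output, not a prompt line
        prompt, cmd = (part.strip() for part in raw.split("#", 1))
        words = cmd.split()
        if not words:
            continue
        if words[0] == "repository" and len(words) == 2:
            current = repos.setdefault(
                words[1], {"url": None, "user": None, "mode": None, "secret": None})
        elif not prompt.endswith("(config-Repository)"):
            current = None                # left the repository submode
        elif current is not None and words[0] == "url" and len(words) == 2:
            current["url"] = words[1]
        elif current is not None:
            m = USER_CMD.match(cmd)
            if m:
                current["user"], current["mode"], current["secret"] = m.groups()
    return repos


def audit(repos):
    """Return (repository, finding) pairs in definition order."""
    findings = []
    for name, repo in repos.items():
        scheme = urlsplit(repo["url"]).scheme.lower() if repo["url"] else ""
        if scheme in ("ftp", "tftp"):
            # Export file and any credentials cross the network unencrypted.
            findings.append((name, "cleartext-transport"))
        if scheme == "tftp":
            # 'show repository' cannot list files, so wcs.zip cannot be confirmed.
            findings.append((name, "no-directory-listing"))
        if repo["mode"] == "plain":
            # The password is readable in the transcript and terminal scrollback.
            findings.append((name, "plain-password-in-transcript"))
        if repo["secret"] is not None and repo["secret"] == repo["user"]:
            findings.append((name, "password-equals-username"))
    return findings


if __name__ == "__main__":
    for repo_name, finding in audit(parse_repositories(SAMPLE_TRANSCRIPT)):
        print(f"{repo_name}: {finding}")
```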
Upgrading NCS in a High Availability Environment
If you have a primary and secondary NCS, follow these steps for a successful upgrade:
Step 1 You must first remove the HA configuration with the following steps:
a. Log in to the primary NCS server.
b. Choose Administration > High Availability and select HA Configuration from the left sidebar menu.
c. Click Remove to remove the HA configuration.
Note It may take a few minutes for the removal to complete.
Step 2 You must first upgrade the secondary NCS with the following steps:
a. Shut down the secondary NCS. See the "Stopping NCS" section for more information.
Note You can use StopNCS for a graceful shut down. A graceful shut down does not trigger the automatic failover. Use the CLI command <NCSROOT>\nmsadmin.bat -switchover stop to trigger automatic failover when shutting down NCS.
b. Perform an upgrade on the secondary NCS.
c. Start the secondary NCS.
Note It will attempt to reconnect to the primary NCS, but a version mismatch error is returned.
Step 3 Upgrade the primary NCS.
a. Shut down the primary NCS. See the "Stopping NCS" section for more information.
b. Perform an upgrade on the primary NCS.
c. Start the primary NCS.
Step 4 Enable HA again on the primary NCS.
a. Log in to the primary NCS server.
b. Choose Administration > High Availability and select HA Configuration from the left sidebar menu.
c. Enter the HA configuration settings and click Save to enable high availability.
Upgrading the Network
Network upgrades must follow a recommended procedure so that databases can remain synchronized with each other. For example, you cannot upgrade the controller portion of the network to a newer release while keeping the current NCS version. The supported order of upgrade is NCS first, followed by the controller, and then any additional devices.
Reinitializing the Database
If you need to reset the database because of a synchronization problem or a corruption of some type, enter {install directory}/bin/dbadmin.(sh|bat) reinitdb to reinitialize the database.
Recovering the NCS Password
You can change the NCS application root user or FTP user password. This option provides a safeguard if you lose the root password. An executable was added to the installer /bin directory (passwd.bat for Windows and passwd.sh for Linux). For password recovery on a wireless location device, refer to Chapters 8 or 9 of the Cisco 2700 Series Location Appliance Configuration Guide. To recover the passwords and regain access to NCS, follow these steps:
Note If you are a Linux user, you must be the root user to run the command.
Note In Linux, use passwd.sh to change the NCS password. passwd is a built-in Linux command that changes the OS password.
Step 1 Log in to the NCS command-line interface as an admin user.
Step 2 Run the following command:
ncs password root password password
Where password is the root user login password. You can enter a password not exceeding 80 characters.
Example of the command usage:
ncs-appliance/admin# ncs password root password ?
<WORD> Type in root user login password (Max Size - 80)
You should now be able to log in to the NCS web interface with the new root password.