Cisco Cisco NAC Appliance 4.1.0
16-5
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 16 Configuring High Availability (HA)
Configure the HA-Primary CAM
Configure the HA-Primary CAM
Once you have verified the prerequisites, perform the following steps to configure the Clean Access
Manager as the HA-Primary for the high availability pair. See
Manager as the HA-Primary for the high availability pair. See
example.
1.
Open the web admin console for the Clean Access Manager to be designated as the HA-Primary, and
go to Administration > CCA Manager > SSL Certificate to configure the SSL certificate for the
primary CAM. The Generate Temporary Certificate form appears.
go to Administration > CCA Manager > SSL Certificate to configure the SSL certificate for the
primary CAM. The Generate Temporary Certificate form appears.
Note
The HA configuration steps in this chapter assume that a temporary certificate will be exported
from the HA-Primary CAM to the HA-Secondary CAM.
from the HA-Primary CAM to the HA-Secondary CAM.
If using a temporary certificate for the HA pair:
a.
Complete the Generate Temporary Certificate form and click Generate.
The certificate must be generated for the Service IP address of the HA pair.
b.
When finished generating the temporary certificate, choose Export CSR/Private
Key/Certificate from the Choose an action menu.
Key/Certificate from the Choose an action menu.
c.
Click the Export button for Currently Installed Private Key to export the SSL private key.
Save the key file to disk. You will have to import this key into the HA-Secondary CAM later.
Save the key file to disk. You will have to import this key into the HA-Secondary CAM later.
d.
Click the Export button for Currently Installed Certificate to export the current SSL
certificate. Save the certificate file to disk. You will have to import this certificate file into the
HA-Secondary CAM later.
certificate. Save the certificate file to disk. You will have to import this certificate file into the
HA-Secondary CAM later.
If using a CA-signed certificate for the HA pair:
Note
The CA-signed certificate must either be based on the Service IP or a hostname/domain
name resolvable to the Service IP through DNS. See
name resolvable to the Service IP through DNS. See
for details.
a.
Select Import Certificate from the Choose an action: menu.
b.
Use the Browse button next to the Certificate File field and navigate to the CA-signed cert.
c.
Choose CA-signed PEM-encoded X.509 Cert from the File Type dropdown menu:
d.
Click Upload to import the certificate. Note that you will need to import this same certificate
into the HA-Secondary CAM later.
into the HA-Secondary CAM later.
e.
Click Verify and Install Uploaded Certificates.
f.
Select Export CSR/Private Key/Certificate from the Choose an action dropdown list.
g.
Click the Export button for the Currently Installed Private Key to export the SSL private key
associated with the CA-signed certificate. Save the key file to disk. You will need to import this
file into the HA-Secondary CAM later.
associated with the CA-signed certificate. Save the key file to disk. You will need to import this
file into the HA-Secondary CAM later.
2.
Go to Administration > CCA Manager and click the Network & Failover tab. Choose the
HA-Primary option from the High-Availability Mode dropdown menu.
HA-Primary option from the High-Availability Mode dropdown menu.
The high availability
settings appear: