Cisco Cisco NAC Appliance 4.1.0
Cisco NAC Appliance - Clean Access Manager Installation and Administration Guide
OL-12214-01
Chapter 16 Configuring High Availability (HA)
7. If your machine only has one serial port and you are using COM1 as the Heartbeat Serial Interface, you must check the Disable Serial Login checkbox to ensure serial login is disabled on COM1. See for further details.
8. To maintain synchronization, the Clean Access Manager peers exchange data by a crossover network. You must specify a private network address space not currently routed in your organization in the Crossover Network field (such as 10.10.10). The default crossover network provided is 192.168.0.252. If this address conflicts with your network, make sure to specify a different private address space. For example, if your organization uses the private network 192.168.151.0, use 10.1.1.x as the crossover network. The subnet mask and last octet of the IP address are fixed, so only enter the network portion of the IP address in the Crossover Network field.
9. Click Update and then Reboot to restart the Clean Access Manager.

After the Clean Access Manager restarts, make sure that the CAM machine is working properly. Check to see if the Clean Access Servers are connected and new users are being authenticated.
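The following is an added example, not part of the Cisco guide, that pre-checks a candidate Crossover Network value from step 8 against the prefixes your organization already routes. The function names, the sample prefixes and the /24 scope are assumptions: the guide says the subnet mask is fixed but does not state it, so the whole /24 implied by the three-octet network portion is treated as reserved.

```python
import ipaddress

# "Private network address space" is interpreted here as RFC 1918.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def crossover_candidate(network_portion):
    """Parse the three-octet value typed into the Crossover Network field."""
    octets = network_portion.strip().rstrip(".").split(".")
    if len(octets) != 3:
        raise ValueError("enter only the network portion, e.g. 10.10.10")
    # Assumption: cover the full /24, since the fixed mask is not documented.
    return ipaddress.IPv4Network(".".join(octets) + ".0/24")

def check_crossover(network_portion, routed_prefixes, host_addresses=()):
    """Return a list of problems; an empty list means the value is usable."""
    try:
        cand = crossover_candidate(network_portion)
    except ValueError as exc:  # also raised for octets outside 0-255
        return [f"invalid value: {exc}"]
    problems = []
    if not any(cand.subnet_of(p) for p in RFC1918):
        problems.append(f"{cand} is not RFC 1918 private address space")
    for prefix in routed_prefixes:
        net = ipaddress.IPv4Network(prefix, strict=False)
        if cand.overlaps(net):
            problems.append(f"{cand} overlaps routed prefix {net}")
    for addr in host_addresses:  # e.g. CAM eth0 addresses and the Service IP
        if ipaddress.IPv4Address(addr) in cand:
            problems.append(f"{cand} contains in-use address {addr}")
    return problems

if __name__ == "__main__":
    # Constructed sample: prefixes taken from a hypothetical routing table.
    routed = ["192.168.151.0/24", "192.168.0.0/16", "10.20.0.0/16"]
    for value in ("192.168.0", "10.1.1", "10.20.30", "10.1.1.x"):
        result = check_crossover(value, routed)
        print(value, "->", result or "OK")
```

Feed `routed_prefixes` from your routing table or IPAM export rather than from memory, since a prefix that is routed but rarely used is the one most likely to collide.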
Configure the HA-Secondary CAM
1. Open the web admin console for the Clean Access Manager to be designated as the HA-Secondary, and go to Administration > CCA Manager > SSL Certificate.
2. Before starting:
   – Back up the secondary CAM’s private key
   – Make sure the private key and SSL certificate files associated with the Service IP/HA-Primary CAM are available (previously exported as described in ).
3. Import the HA-Primary CAM’s private key file and certificate as described below:
   a. In the SSL Certificate tab, choose Import Certificate from the Choose an action: menu.
   b. Click Browse next to the Certificate File field, and browse to your backup copy of the private key file generated with the certificate that will be used for the HA pair.
   c. Choose Private Key as the File Type.
   d. Click Upload to upload the private key.
   e. With Import Certificate selected from the Choose an action: menu, browse to the certificate (temporary or CA-signed) associated with the private key.
   f. Choose CA-signed PEM-encoded X.509 Cert as the File Type.
   g. Click Upload to upload the temporary certificate or CA-signed certificate.
   h. Click Verify and Install Uploaded Certificates.
   See for details.
4. Go to the Administration > CCA Manager > Network & Failover | Network Settings and change the IP Address of the secondary CAM to an address that is different from the HA-Primary CAM IP address and the Service IP address (such as n.153).