Cisco NAC-3300 Series Quick Start Manual

QUICK START GUIDE
Cisco NAC Appliance Hardware Installation, Release 4.5
1 Preparing for Installation
2 Cisco NAC Appliance Hardware Summary
3 Configuration Worksheets
4 Connecting the Cisco NAC Appliance
6 Running the Configuration Utility
7 Accessing the CAM Web Console
8 Using CLI Commands
9 Configuring Additional NIC Cards
10 Obtaining Documentation and Submitting a Service Request
Revised: July 6, 2009, 78-18807-01
About the Cisco NAC Appliance
Cisco® NAC Appliance (formerly Cisco Clean Access) is a Network Admission Control (NAC) product that allows network administrators to authenticate, authorize, evaluate, and remediate wired, wireless, and remote users and their machines prior to allowing users onto the network. It identifies whether networked devices such as laptops, desktops, and corporate assets are compliant with a network's security policies, and it repairs any vulnerabilities before permitting access to the network.
Cisco NAC Appliance is a network-centric integrated solution administered from the web console of the Clean Access Manager (CAM), enforced through the Clean Access Server (CAS), and applied on clients through the Clean Access Agent and Cisco NAC Web Agent client software. You can deploy the Cisco NAC Appliance solution in the configuration that best meets the needs of your network.
The Cisco NAC Appliance is a Linux-based network hardware appliance which is pre-installed with either the CAM (MANAGER) or CAS (SERVER) application, the operating system and all relevant components on a dedicated server machine. The operating system comprises a hardened Linux kernel based on a Fedora core. Cisco NAC Appliance does not support the installation of any other packages or applications onto a CAM or CAS dedicated machine.
About This Document
The Cisco NAC Appliance Hardware Installation, Release 4.5 Quick Start Guide provides basic hardware specifications and installation instructions for Cisco NAC Appliance. It provides instructions for how to initially configure your CAM and CAS using the Configuration Utility, access the CAM web console, and install product licenses. Once the initial configuration of your CAM and CAS is complete, you will be able to access the CAM web console to continue the rest of the configuration for your deployment as described in the Cisco NAC Appliance Configuration Quick Start Guide, Release 4.1.
For comprehensive configuration information, refer to the latest Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1). These guides are available per release on Cisco.com under http://www.cisco.com/en/US/products/ps6128/products_installation_and_configuration_guides_list.html. When using the online publications, make sure to refer to the documents that match the software version running on your Cisco NAC Appliance (e.g. “Release 4.5”).
Note This Quick Start Guide does not cover the Cisco NAC Network Module (NME-NAC-K9). For information on Cisco NAC Network Module installation and configuration, see Getting Started with Cisco NAC Network Modules in Cisco Access Routers.
1 Preparing for Installation
Verifying the Package Contents
Verify the contents of the packing box, shown in Figure 1, to ensure that you have received all items necessary to install your Cisco NAC Appliance. Save the packing material in case you need to repack the unit. If any item is missing or damaged, contact your Cisco representative or reseller for instructions. Some Cisco NAC Appliance models might include additional items that are not shown.
Figure 1 Shipping Box Contents
[Figure not reproduced. Items shown: Cisco NAC Appliance; RJ-45 cable (straight-through); AC power cord; rack mounting kit; DB-9 serial null modem cable (for HA); RJ-45 cable (crossover; for HA); documentation (Important Safety Information, Cisco NAC Appliance Getting Started Guide, Cisco Information Packet).]
Note Because product software is preloaded onto Cisco NAC-3300 Series appliances, the shipping contents do not include a separate Cisco NAC Appliance software installation CD. Refer to Upgrading Cisco NAC Appliance Software, page 5 for additional details.
Failover Bundles
If you ordered a Failover Bundle, you will receive two physical Cisco NAC Appliances, and you will need to perform the initial configuration on each machine as described in this guide. After initial configuration is complete, configure High Availability (HA) using the CAM or CAS web console and physically connect the appliances to create the HA pair. Refer to the “Configuring High Availability (HA)” chapter of the latest Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1) for CAM HA configuration details and Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1) for CAS HA configuration details.
Note When connecting high availability (failover) pairs via serial cable, BIOS redirection to the serial port must be disabled for NAC-3300 series appliances. Refer to the “Disable BIOS Redirection for Serial HA (Failover) Connections” section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for details.
Equipment Required
You need to supply a workstation (PC or laptop) and keyboard/monitor/mouse to run the Cisco NAC Appliance Configuration Utility on the appliance. Once the initial configuration is complete, you will need a standard (straight-through) Ethernet Category 5 network cable with RJ-45 connectors to connect the interfaces of the Cisco NAC Appliance to the network (eth0 for the CAM; eth0 and eth1 for the CAS). You will need a crossover RJ-45 Ethernet cable to connect HA-pair appliances together. The Cisco NAC Appliance Hardware Summary, page 8 provides interface details for each model.
Rack Mounting
The Cisco NAC Appliance occupies one rack unit (1U). A rack-mounting kit is included in the shipment. For rack-mounting information and instructions, refer to the 1U Rack Hardware Installation Instructions document from HP included in the shipping box.
Cisco NAC Appliance Licensing
You need at least 1 Clean Access Manager license and 1 Clean Access Server license for your Cisco NAC Appliance system to work. Both licenses are installed via the administration web console. For Out-of-Band (OOB) deployments, you must add both the OOB CAS license and the CAS as an Out-of-Band device to the CAM to access the OOB Management module of the CAM web console.
For instructions on how to obtain new license(s) for your system, see Cisco NAC Appliance Service Contract/Licensing Support.
For instructions on how to install licenses for your system (after initial configuration is complete), see Install CAM License, page 45 and Add Additional Licenses, page 48.
Upgrading Cisco NAC Appliance Software
Cisco NAC-3300 Series appliances are preloaded with a default version of the Cisco NAC Appliance software, which may not match the latest release of the software. Cisco recommends that you run the latest supported version of the system software to ensure you have the latest product enhancements and fixes.
Note Cisco NAC Appliance Release 4.5 (and later) only supports and can only be installed on Cisco NAC Appliance CCA-3140, NAC-3310, NAC-3350, NAC-3390, and NME-NAC-K9 (NAC network module) platforms.
To upgrade Cisco NAC Appliance to the latest supported software version, you can either upgrade your appliance via script or perform a fresh CD installation of the latest Cisco NAC Appliance software on your machines.
To upgrade any of the appliances, you can download and run the standard product upgrade file (e.g. cca_upgrade-4.5.0-NO-WEB.tar.gz). The upgrade mechanism automatically determines whether the machine is a Clean Access Server or a Lite/Standard/Super Clean Access Manager, and executes accordingly. For step-by-step upgrade instructions, refer to the “Upgrading” section of the Release Notes for Cisco NAC Appliance, Version 4.5(1) at http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html.
Starting from release 4.5, there is only one product installation CD (nac-4.5_0-K9.iso) for all appliance platforms. The installation package determines whether the Clean Access Server, Clean Access Manager, or Super Clean Access Manager was previously installed, as well as the previous software version. See Installing Software via CD on Cisco NAC Appliance, page 28 for further details.
Downloading Cisco NAC Appliance Software
You can access the latest versions of upgrade and ISO files for Cisco NAC Appliance as follows.
Caution Before downloading or installing any Cisco NAC Appliance software, make sure to refer to the Release Notes for that specific Cisco NAC Appliance release version at http://www.cisco.com/en/US/products/ps6128/prod_release_notes_list.html to understand the enhancements, caveats and upgrade impact to your existing deployment.
Step 1 Log in with your Cisco ID and access the Software Download site for Cisco NAC Appliance:
a. You can go directly to the Software Download site at http://www.cisco.com/cgi-bin/apps/tblbld/tablebuild.pl?topic=279515766.
b. Or, access the Cisco NAC Appliance support page at http://www.cisco.com/en/US/partner/products/ps6128/index.html and click the “Download Software” link.
Step 2 Click the link for the latest appropriate software release (e.g. “Cisco NAC Appliance Software Version 4.5.x”).
Step 3 Refer to the “Release” column to locate the latest version of the product file (e.g. 4.5.x.y), and click the filename link. Follow the prompts to download the file to your local computer. Cisco NAC Appliance product files use the following file naming conventions:
nac-4.5_x_y-K9.iso—Product ISO for CAS and Lite/Standard/Super CAM
cca_upgrade-4.5.x.y-NO-WEB.tar.gz—Product Upgrade Archive
Note Files with the “CCAAgent” prefix are for the Cisco Clean Access Agent only. Files with the “nme-nac” prefix are used for Cisco NAC Network Module only (see Getting Started with Cisco NAC Network Modules in Cisco Access Routers for details).
Upgrading Firmware
Cisco NAC-3300 Series appliances are subject to any system BIOS/Firmware upgrades required for the server model on which they are based.
For Cisco NAC-3310 platforms, refer to the “DL140 G3 Required BIOS/Firmware Upgrades” section of the Supported Hardware and System Requirements for Cisco NAC Appliance (Cisco Clean Access) for further details.
For More Information
For more information on Cisco NAC Appliance, refer to the following documents at http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html. When using the online publications, refer to the documents that match the software version running on your Cisco NAC Appliance (e.g. “Release 4.5”).
Cisco NAC Appliance Data Sheet
Cisco NAC Appliance Service Contract/Licensing Support
Supported Hardware and System Requirements for Cisco NAC Appliance
Switch Support for Cisco NAC Appliance
Support Information for Cisco NAC Appliance Agents, Release 4.5
Release Notes for Cisco NAC Appliance, Version 4.5(1) (includes “Upgrading” section)
Cisco NAC Appliance Configuration Quick Start Guide, Release 4.1 (software configuration)
Cisco NAC Appliance - Clean Access Manager Installation and Configuration Guide, Release 4.5(1)
Cisco NAC Appliance - Clean Access Server Installation and Configuration Guide, Release 4.5(1)
Getting Started with Cisco NAC Network Modules in Cisco Access Routers
Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8
For the latest online updates to this quick start guide, refer to http://www.cisco.com/en/US/products/ps6128/prod_installation_guides_list.html.
For details on how to obtain technical support, refer to Obtaining Documentation and Submitting a Service Request, page 53.
2 Cisco NAC Appliance Hardware Summary
Table 1 summarizes the hardware specifications for each Cisco NAC Appliance. See the “Diagrams” column for links to detailed diagrams showing NIC ports, power supply sockets, LEDs and buttons.
Table 1 Cisco NAC Appliance Hardware Summary

NAC-3310 (footnotes 1, 2)
Product:
  MANAGER: Lite Manager supporting up to 3 standalone or HA-pair CASs
  SERVER: CAS supporting 100, 250, or 500 users
Hardware Specifications:
  Single processor: Xeon 2.33 GHz dual core
  1 GB RAM
  80 GB NHP SATA HDD
  4 10/100/1000 LAN ports [2 Broadcom 5721 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
  CD/DVD-ROM Drive
  4 USB Ports (2 front, 2 rear)
  Note NAC-3310 is based on HP ProLiant DL140 G3.
Diagrams:
  Cisco NAC-3310 Front Panel, page 10
  Cisco NAC-3310 Front Panel LEDs/Buttons, page 11
  Cisco NAC-3310 Rear Panel, page 12
  Cisco NAC-3310 Rear Panel LEDs, page 13

NAC-3350 (footnote 3)
Product:
  MANAGER: Standard Manager supporting up to 20 standalone or HA-pair CASs
  SERVER: CAS supporting 1500, 2500, or 3500 users
Hardware Specifications:
  Single processor: Xeon 3.0 GHz dual core
  Dual power supply
  2 GB RAM
  2 x 72 GB SFF SAS RAID HDD
  Smart Array E200i Controller
  4 10/100/1000 LAN ports [2 Broadcom 5708 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
  CD/DVD-ROM Drive
  4 USB Ports (1 front, 1 internal, 2 rear)
  Cavium CN1120-NHB-E SSL Accelerator Card
  Note NAC-3350 is based on HP ProLiant DL360 G5.
Diagrams:
  Cisco NAC-3350 Front Panel, page 14
  Cisco NAC-3350 Front Panel LEDs/Buttons
  Cisco NAC-3350 Rear Panel, page 15
  Cisco NAC-3350 Rear Panel LEDs

NAC-3390 (footnote 3)
Product:
  MANAGER: Super Manager supporting up to 40 standalone or HA-pair CASs
Hardware Specifications:
  Dual processor: Xeon 3.0 GHz dual core
  Dual power supply
  4 GB RAM
  4 x 72 GB SFF SAS RAID HDD
  Smart Array E200i Controller
  4 10/100/1000 LAN ports [2 Broadcom 5708 integrated NICs; 2 Intel e1000 PCI-X NICs (HP #NC360T)]
  CD/DVD-ROM Drive
  4 USB Ports (1 front, 1 internal, 2 rear)
  Cavium CN1120-NHB-E SSL Accelerator Card
  Note NAC-3390 is based on HP ProLiant DL360 G5.
Diagrams:
  Cisco NAC-3390 Front Panel, page 18
  Cisco NAC-3390 Front Panel LEDs/Buttons
  Cisco NAC-3390 Rear Panel, page 20
  Cisco NAC-3390 Rear Panel LEDs/Buttons

1. NAC-3310 may require a firmware/BIOS upgrade for HP ProLiant DL140 G3. See Upgrading Firmware, page 6.
2. NAC-3310 supports iLO (Lights Out 100i Remote Management). The default iLO “Administrator” account has default username/password: admin/admin. Defaults can be changed through the BIOS setup.
3. NAC-3350 and NAC-3390 support iLO2 (Integrated Lights Out, version 2). See panel tags for admin account details.
Cisco NAC-3310 Front and Rear Panels
The Cisco NAC-3310 Appliance is the recommended platform for Clean Access Lite Manager and Clean Access Server (100/250/500 user count) deployments. A NAC-3310 CAM Lite can manage up to 3 Clean Access Servers or 3 HA-CAS pairs. A NAC-3310 CAS can support 100, 250, or 500 users.
The Cisco NAC-3310 comes equipped with 4 network interfaces to provide flexibility in NIC interface selection and to facilitate CAS high availability configuration.
For additional details, see Cisco NAC Appliance Hardware Summary, page 8.
Figure 2 Cisco NAC-3310 Front Panel
1 Hard disk drive (HDD) bay
2 CD-ROM/DVD drive
3 UID (Unit identification) button with recessed LED indicator (blue)
4 System health LED indicator (amber)
5 Activity/link status LED indicators for NIC 1 (eth0) and NIC 2 (eth1) (green)
6 HDD activity LED indicator (green)
7 Power button with LED indicator (bicolor: green/amber)
8 Thumbscrews for the front bezel
9 Front USB ports
Figure 3 Cisco NAC-3310 Front Panel LEDs/Buttons
1 UID LED (recessed)
  Blue = A UID button has been pressed.
2 System health LED
  Off = System health is normal
  Amber = A pre-failure system threshold has been breached. This can be any of the following:
    At least one fan failure (system or processor fan)
    At least one of the temperature sensors reached critical level (system or processor thermal sensors)
    At least one memory module failure
    A power supply unit error has occurred
3 Activity/link status LED for NIC 1 (eth0) and NIC 2 (eth1)
  Solid green = An active network link exists
  Flashing green = An ongoing network data activity exists
  Off = The server is off-line
4 HDD activity LEDs
  Flashing green = Ongoing drive activity
  Off = No drive activity
5 Power status LED (recessed)
  Green = The server has AC power and is powered up
  Amber = The server has AC power and is in standby mode
  Off = The server is powered off (AC power disconnected)
Figure 4 Cisco NAC-3310 Rear Panel
1 Ventilation holes
2 Thumbscrew for the top cover
3 Thumbscrews for the PCI riser board assembly
4 NIC 3 (eth2) and NIC 4 (eth3) PCI Express GbE LAN (RJ-45) ports (Intel)
5 (not labeled in this copy)
6 Standard height/full-length PCI Express x16/PCI-X riser board slot cover
7 Power supply cable socket
8 NIC 1 (eth0) and NIC 2 (eth1) integrated GbE LAN (RJ-45) ports (Broadcom)
9 UID button with recessed LED indicator (blue)
10 Rear USB ports (black)
11 Video port (blue)
12 Serial port
13 PS/2 keyboard port (purple)
14 PS/2 mouse port (green)
15 10/100 Mbps iLO LAN port for IPMI management (RJ-45)
Figure 5 Cisco NAC-3310 Rear Panel LEDs
1 NIC activity/link status LEDs for NIC 1 (eth0) and NIC 2 (eth1)
  Solid green = An active network link exists
  Flashing green = An ongoing network data activity exists
  Off = The server is off-line
2 NIC network speed LEDs
  Steady amber = The LAN connection is using a GbE link
  Steady green = The LAN connection is using a 100 Mbps link
  Off = The LAN connection is using a 10 Mbps link
3 UID LED (recessed)
  Blue = A UID button has been pressed
4 Link status LED for the 10/100 Mbps LAN port
  Green = A network link exists
  Off = No network link exists
5 Activity status LED for the 10/100 Mbps LAN port
  Flashing green = Network activity exists
  Off = No network activity exists
Cisco NAC-3350 Front and Rear Panels
The Cisco NAC-3350 Appliance provides enhanced capability for enterprise-wide Clean Access Standard Manager and Clean Access Server (1500/2500/3500 user count) deployments. A NAC-3350 Standard CAM can manage up to 20 Clean Access Servers or 20 HA-CAS pairs. A NAC-3350 CAS can support up to 1500, 2500, or 3500 users.
Similar to the Cisco NAC-3310, the Cisco NAC-3350 comes equipped with 4 network interfaces to provide flexibility in NIC interface selection and facilitate CAS high availability configuration. The Cisco NAC-3350 additionally provides 2 GB of RAM, two SAS drives configured in RAID 0 and 1, an SSL accelerator, and dual power supply to support large network deployments and provide added reliability for a centralized CAM/CAS deployment in the network core.
For additional details, see Cisco NAC Appliance Hardware Summary, page 8.
Figure 6 Cisco NAC-3350 Front Panel
1 Hard drive bay 1
2 Hard drive bay 2
3 CD-ROM/DVD drive
4 Video connector
5 HP Systems Insight Display
6 USB connector

Figure 7 Cisco NAC-3350 Front Panel LEDs/Buttons
1 Power On/Standby button and system power LED
  Green = System is on
  Amber = System is shut down, but power is still applied
  Off = Power cord is not attached, power supply failure has occurred, no power supplies are installed; facility power is not available, or disconnected power button cable
2 UID button/LED
  Blue = Identification is activated
  Flashing blue = System is being managed remotely
  Off = Identification is deactivated
3 Internal health LED
  Green = System health is normal
  Amber = System health is degraded. (To identify the component in a degraded state, refer to “HP Systems Insight Display and LEDs.”)
  Red = System health is critical. (To identify the component in a critical state, refer to “HP Systems Insight Display and LEDs.”)
  Off = System health is normal when in standby mode
4 External health LED (power supply)
  Green = Power supply health is normal
  Amber = Power redundancy failure occurred
  Off = Power supply health is normal when in standby mode
5 NIC 1 (eth0) link/activity LED
  Green = Network link exists
  Flashing green = Network link and activity exist
  Off = No link to network exists
  If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 9 on page 16).
6 NIC 2 (eth1) link/activity LED
  Green = Network link exists
  Flashing green = Network link and activity exist
  Off = No link to network exists
  If power is off, the front panel LED is not active. For status, view the rear panel LED for the RJ-45 connector (Figure 9 on page 16).

Figure 8 Cisco NAC-3350 Rear Panel
1 NIC 3 (eth2) PCI-X port (Intel)
2 NIC 4 (eth3) PCI-X port (Intel)
3 PCI Express expansion slot 2
4 Power supply bay 1
5 Power supply bay 2
6 Integrated NIC 2 (eth1) port (Broadcom)
7 Integrated NIC 1 (eth0) port (Broadcom)
8 Keyboard connector (purple)
9 Mouse connector (green)
10 Video connector (blue)
11 Serial connector
12 USB connector
13 USB connector
14 iLO 2 NIC connector (RJ-45)

Figure 9 Cisco NAC-3350 Rear Panel LEDs
1 iLO 2 NIC activity LED
  Green = Activity exists
  Flashing green = Activity exists
  Off = No activity exists
2 iLO 2 NIC link LED
  Green = Link exists
  Off = No link exists
3 10/100/1000 NIC 3 (Intel) Activity LED
  Steady green = High activity
  Flashing green = Activity exists
  Off = No activity (if link LED is off, link is dead)
4 10/100/1000 NIC 3 (Intel) Link LED
  Orange = 1000 Mbps
  Green = 100 Mbps
  Off = 10 Mbps (if activity LED is off, link is dead)
5 10/100/1000 NIC 4 (Intel) Activity LED
  Steady green = High activity
  Flashing green = Activity exists
  Off = No activity (if link LED is off, link is dead)
6 10/100/1000 NIC 4 (Intel) Link LED
  Orange = 1000 Mbps
  Green = 100 Mbps
  Off = 10 Mbps (if activity LED is off, link is dead)
7 10/100/1000 NIC 1 (Broadcom) Activity LED
  Green = Activity exists
  Flashing green = Activity exists
  Off = No activity exists
8 10/100/1000 NIC 1 (Broadcom) Link LED
  Green = Link exists
  Off = No link exists
9 10/100/1000 NIC 2 (Broadcom) Activity LED
  Green = Activity exists
  Flashing green = Activity exists
  Off = No activity exists
10 10/100/1000 NIC 2 (Broadcom) Link LED
  Green = Link exists
  Off = No link exists
11 UID button/LED
  Blue = Identification is activated
  Flashing blue = System is being managed remotely
  Off = Identification is deactivated
12 Power supply 1 LED
  Green = Normal
  Off = System is off or power supply has failed
13 Power supply 2 LED
  Green = Normal
  Off = System is off or power supply has failed