Cisco NAC Appliance - Clean Access Manager Configuration Guide
OL-28003-01
Chapter 2 Device Management: Adding Clean Access Servers, Adding Filters
Working with Clean Access Servers
Configure Clean Access Manager-to-Clean Access Server Authorization
When you add Clean Access Servers to the CAM, you can also choose to enable mutual authorization
between the appliances to enhance network security.
Using the CAM Authorization web console page, administrators can enter the Distinguished Names
(DNs) of one or more CASs to ensure secure communications between the CAM and CAS(s). Once you
enable the Authorization feature and add one or more CASs to the Authorized CCA Servers list, the
CAM does not accept communications from CASs that do not appear in the list. Therefore, when you
choose to employ and enable this feature in your network, you must add all of your managed CASs to
the Authorized CCA Servers list to ensure you maintain the CAM-CAS connection for all of the CASs in
your network.
Likewise, you must also enable this feature and specify a CAM DN on all of the CASs in your network
to establish two-way authorization between the CAMs/CASs.
If you have deployed your CAMs/CASs in an HA environment, you can enable authorization for both
the HA-Primary and HA-Secondary machines in the HA pair by specifying the DN of only the
HA-Primary appliance. For example, if the CAM manages a CAS HA pair, you only need to list the
HA-Primary CAS on the CAM’s Authorization page. Likewise, if you are enabling this feature on a CAS
managed by a CAM HA pair, you only need to list the HA-Primary CAM on the CAS’s Authorization
page.
Summary of Steps to Configure Clean Access Manager-to-Clean Access Server Authorization
Step 1 Configure CAS Authorization on the CAM web console under Device Management > Clean Access
Servers > Authorization (see Enable Authorization and Specify Authorized Clean Access Servers,
page 2-6).
Step 2 Configure CAM Authorization on the CAS web console under Administration > Authorization (see
the “Enable Authorization and Specify the Authorized Clean Access Manager” section in the Cisco NAC
Appliance - Clean Access Server Configuration Guide, Release 4.9(x)).
Step 3 Before deploying in a production environment, obtain trusted CA-signed certificates for the CAM and
CAS and import them to the CAM/CAS under Administration > SSL > Trusted Certificate Authorities (for
CAM), and Administration > SSL > Trusted Certificate Authorities (for CAS).
Warning
If your previous deployment uses a chain of SSL certificates that is incomplete, incorrect, or out of
order, CAM/CAS communication may fail after upgrade to release 4.5 and later. You must correct your
certificate chain to successfully upgrade to release 4.5 and later. For details on how to fix certificate
errors on the CAM/CAS after upgrade to release 4.5 and later, refer to the How to Fix Certificate Errors
on the CAM/CAS After Upgrade Troubleshooting Tech Note.
Step 4 If you are upgrading your Cisco NAC Appliance release, clean up Trusted Certificate Authorities on the
CAM under Administration > CCA Manager > SSL > Trusted Certificate Authorities, and on the
CAS under Administration > SSL > Trusted Certificate Authorities (see Manage Trusted Certificate
Authorities, page 14-16 and the “View and Remove Trusted Certificate Authorities” section in the Cisco
NAC Appliance - Clean Access Server Configuration Guide, Release 4.9(x), respectively).
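
The warning in Step 3 concerns certificate chains that are incomplete or out of order. The following is an added example, not part of the Cisco guide or product, that checks a bundle's ordering by DN chaining before upgrade. It assumes the expected order is server certificate first, then each issuer in turn, ending at a self-signed root; it compares names only and does not verify signatures, and the sample names are constructed.

```python
# Added example: DN-chaining check for a certificate bundle (names only, no signature check).
# SAMPLE is constructed; it mimics the output of
#   openssl crl2pkcs7 -nocrl -certfile bundle.pem | openssl pkcs7 -print_certs -noout
SAMPLE = """\
subject=CN = cas1.example.test, O = Example
issuer=CN = Example Issuing CA, O = Example

subject=CN = Example Issuing CA, O = Example
issuer=CN = Example Root CA, O = Example

subject=CN = Example Root CA, O = Example
issuer=CN = Example Root CA, O = Example
"""


def parse_listing(text):
    """Return [(subject_dn, issuer_dn), ...] in the order the bundle lists them."""
    certs, subject = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        value = " ".join(value.split())  # normalise spacing inside the DN
        if key == "subject":
            subject = value
        elif key == "issuer" and subject is not None:
            certs.append((subject, value))
            subject = None
    return certs


def check_chain(certs):
    """Return [(position, kind, detail)]; an empty list means the order is sound."""
    if not certs:
        return [(0, "incomplete", "no certificates found")]
    problems, subjects = [], [s for s, _ in certs]
    for i, (subject, issuer) in enumerate(certs):
        last = i == len(certs) - 1
        if last and issuer == subject:
            continue  # chain ends at a self-signed root
        if not last and issuer != subject and issuer == certs[i + 1][0]:
            continue  # the next certificate is this one's issuer
        if issuer == subject:
            problems.append((i, "out-of-order", "self-signed certificate is not last"))
        elif issuer in subjects:
            where = subjects.index(issuer)
            problems.append((i, "out-of-order", f"issuer found at position {where}"))
        else:
            problems.append((i, "incomplete", f"issuer not in bundle: {issuer}"))
    return problems


if __name__ == "__main__":
    for position, kind, detail in check_chain(parse_listing(SAMPLE)):
        print(position, kind, detail)
```

Run the same check against the chain on both the CAM and the CAS; any reported position should be corrected in the bundle before the certificates are imported.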