topic nac comamnd reference in Network Security

nac comamnd reference

rajbhatt — Fri, 21 Feb 2020 12:03:22 GMT

Hi,

Is there a command line command reference available for NAC

For example I want to see the certificates for NAC

Which debug command shall I use in NAC ? ( for eg , If it is ipsec i will use debug cry isa and debug cry ipsec )

And in what files , what info is kept like where are the default log files , boot files , HA files etc are stored .

There are some links available that mentiones only 5 directories , but not very useful .

Thaks in advance

Re: nac comamnd reference

Faisal Sehbai — Tue, 17 Aug 2010 05:37:59 GMT

Raj,

Is there a command line command reference available for NAC

Not per se. The appliance is a linux server, so most of the Linux utilites are available

For example I want to see the certificates for NAC

You can use openssl for this. For example on my test CAS:

[root@cas-4-7-2-1 ~]# openssl x509 -noout -in .perfigo/sec/tomcat.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            dc:d9:45:d4:6f:89:14:24
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Validity
            Not Before: Jun 14 00:40:25 2010 GMT
            Not After : Mar 10 00:40:25 2013 GMT
        Subject: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

[...]

Which debug command shall I use in NAC ? ( for eg , If it is ipsec i will use debug cry isa and debug cry ipsec )

To check whether the encryption is working for HA, try the /perfigo/common/bin/ha-ipsec-status.sh command

And in what files , what info is kept like where are the default log files , boot files , HA files etc are stored .

Main log file directory is for

CAS: /perfigo/access/tomcat/logs

CAM: /perfigo/control/tomcat/logs

HA logs are kept in /var/log. Most of other logs also live in the /var/log directory including boot message

HTH,

Faisal

Re: nac comamnd reference

rajbhatt — Tue, 17 Aug 2010 07:01:59 GMT

HI,

Thanks a lot

That s why trouble shooting nac is an issues .

For other cisco devices , we have command reference to refer to

Is there an equivalent command : for nac :

debug crypto ca 255

debug crypto ca mess 255

debug crypto ca trans 255

regards

Raj

Re: nac comamnd reference

Faisal Sehbai — Tue, 17 Aug 2010 09:48:37 GMT

Raj,

That's the point. Debugs for ipsec/ca are sort of irrelevant in CCA. The only place it's used is for HA between peers, and those are formed by the identity certificates and config files which are generated by the GUi. So if you do the certificates right, and your config is correct in the GUI, chances are that the IPSEC tunnels will come up fine too.

Most of the cases we see are certificate problems which cause the IPSEC tunnel to not come up and hence HA failures.

HTH,

Faisal