Cisco NAC 4.8

ethanm.so
Level 1

Hello everyone,

Whenever I reboot from the web GUI to test the HA failover, I see the following error on the CAM console, "VIA PadLock not detected", and the CAMs fail to sync their databases with each other. I did some digging about VIA PadLock and it seems like it is used by OpenSSL, but I can't find any Cisco documentation about the error or a troubleshooting guide. Does anyone have any experience with this error?

6 Replies

netlinkin
Level 1

Hi Ethanm,

I am trying to implement NAC in my network (in L2 transparent mode), mainly because I don't want to make changes on other devices. I have a CAM (3315) and a CAS (3315). I have completed licensing on the CAM; I see the license as CAM Lite, which supports 3 servers.

Please suggest topology designs. Currently I am a bit confused about where to put the CAS/CAM in the network.

I have gone through the initial configuration of CAM & CAS (connected via crossover cable). Please comment if wrong.
Config:
CAM (Eth0 = 192.168.200.15/24) &
CAS (Eth0 = 192.168.200.16/24 & Eth1 = 192.168.215.10/24),
preshared key: cisco, and allowed packets to flow from the trusted to the untrusted interface and vice versa.

Now I am trying to ping 192.168.200.16 (CAS) from the CAM (192.168.200.15), but it is not successful,
hence I am unable to have connectivity between them. I can take a web console of the CAM and tried to add the CAS to the CAM,

but it fails and gives the error { Failed to add server: Maximum limit for Clean Access Servers supported has been reached. } Strange, as this is a fresh device. Also, I have reinstalled the license at least 3-4 times, but no result (don't know why this is so).


I have gone through the PDFs but there is no guideline on how to configure from the basics (like how to connect, which interface should be connected where).

Kindly share your comments/documents for the same from the basics.


Following are the steps performed:

1. Connected PC (192.168.200.20) to CAM (192.168.200.15).
Results: configured CAM as per process with service perfigo commands, used the default certificate, able to ping CAM from PC and vice versa, able to take web console.

2. Connected to CAS (192.168.200.16) and PC (192.168.200.20), configured as above. Results: able to ping.


3. Now I need to add the CAS to the CAM management domain, hence I connected eth0 of CAM and eth0 of CAS via crossover cable and tried to ping CAS from CAM; it failed. (It should ping, as the devices are in the same subnet and connected via Eth0, the trusted interface.)

Problem: unable to find MAC entries of CAM in CAS and vice versa.

ARP state is incomplete.

I see that you are not able to add CAS to CAM,

Try these pointers:

1.Check interfaces on CAM, CAS (eth0) and switch(es).

2.Is shared secret between Manager and server correct ?

3.Check Monitoring>>Event Logs.

4.Check Whether you loaded CAM and CAS Licenses, Both.

5.Ensure TCP ports 443,80,1099(CAS) and ports 443,80,8995,8996(CAM) are allowed at minimum.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hi Edward,
Please find the comments:
1. Check interfaces on CAM, CAS (eth0) and switch(es).
>>> Connected Router Eth0/0 (192.168.100.151/24) to CAM Eth0 (192.168.100.150)


     Results >>> Able to ping vice versa
     Findings >>> All is OK as we can ping.

2. Connected Router Eth0/1 (192.168.200.151/24) & CAS Eth0 (192.168.200.150)


    Results >>> Not able to ping the router IP (192.168.200.151) and vice versa.
    Findings >>> Checked CAS config. It shows

                          Interface Fake0 >> 192.168.200.150 (wonder about the FAKE0 interface) and the ARP table also shows the same.
I configured 2-3 times just in case I may have made a mistake, but every time after configuration the interface status is FAKE0.

2.Is shared secret between Manager and server correct ?

Comments >>> YES

3. Check Monitoring >> Event Logs.

Comments >>>>> Gives an error like "Reached maximum limits for server" while adding CAS to CAM. (NO SERVER ADDED but it still gives the error)

4.Check Whether you loaded CAM and CAS Licenses, Both.

Comments >>>> License for CAM only, supports 3 servers

5.Ensure TCP ports 443,80,1099(CAS) and ports 443,80,8995,8996(CAM) are allowed at minimum.

Comments >>>> How to enable these?

  Is it necessary to have an SSL certificate, because currently I am testing it on a TEST LAB setup?

Please suggest further.

Hi Pravin,

There are different Licenses for CAM and CAS, so load the CAM license(Manager License) first and then the CAS License.

If you have Licensing problem then contact the licensing team.

I am looking up what I can find on your other issues.

Yes SSL certificate is necessary.

Note: When adding CAS running in HA use virtual IP address to add CAS

Check "Monitoring >> Event logs" for errors.

If you get the error:

"Reached maximum limits for server" while adding CAS to CAM

Licensing issue! Typically this means a server (CAS) license file has not been loaded.

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

Hi Edward,

Thanks for the same, I'll check with Cisco for the license.

I'm sorry about the late reply. 

Hopefully, you got things straightened out already but I'll just point out some points. 

I'm not sure what you meant by default certificate. 

After CAM and CAS are up initially, the first thing you want to do is configure their network settings individually.  If you are deploying HA, you want to add HA pairs first before adding CAS to CAM.  After that is done, export CAM certificate (do not include private key) and import this CAM certificate in CAS and export CAS certificate(again, do not include private key) and import this CAS certificate in CAM. 

One detail that wasn't clearly mentioned in the guideline was that switchports for CAS should be configured as trunk ports.  When we had it configured as access ports initially, we had problem connecting to CAS's web console or even pinging CAS.

I hope some of the points that I've mentioned above will be helpful.
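The certificate exchange described above (export the CAM certificate without its private key, import it on the CAS, and vice versa) is easy to get wrong when the exported file also carries the key. The script below is an added example, not from this thread or from Cisco: it checks a PEM file before you import it as a peer certificate (exactly one CERTIFICATE block, no PRIVATE KEY block), prints the subject, issuer, validity and SHA-256 fingerprint so you can compare what the CAM shows against what the CAS shows, and compares two files by fingerprint. File names and the `cam.crt` / `cas.crt` pairing are assumptions; it needs only `openssl`, `grep` and `cut`.

```shell
#!/bin/sh
# Added example (not Cisco's tooling): sanity-check a PEM file before
# importing it as the peer certificate on a CAM or CAS.

# Count CERTIFICATE blocks in a PEM file (prints 0 when there are none).
pem_cert_count() {
  n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true)
  echo "${n:-0}"
}

# True if the file also carries a private key (RSA, EC or PKCS#8 form).
pem_has_private_key() {
  grep -q -- '-----BEGIN.*PRIVATE KEY-----' "$1"
}

# Return 0 if the file is safe to import as a peer certificate, 1 otherwise.
# On success prints subject, issuer, validity window and SHA-256 fingerprint.
check_import_cert() {
  f="$1"
  [ -r "$f" ] || { echo "$f: not readable"; return 1; }
  if pem_has_private_key "$f"; then
    echo "$f: contains a PRIVATE KEY block; export the certificate only"
    return 1
  fi
  n=$(pem_cert_count "$f")
  if [ "$n" -ne 1 ]; then
    echo "$f: expected exactly one certificate, found $n"
    return 1
  fi
  openssl x509 -in "$f" -noout -subject -issuer -dates -fingerprint -sha256 || return 1
  return 0
}

# SHA-256 fingerprint only (the part after '=' in openssl's output).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# True if two files hold the same certificate, e.g. the file exported from
# the CAM and the file later shown on the CAS.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Typical use (paths are assumptions):
#   check_import_cert cam.crt && check_import_cert cas.crt
#   same_cert cam.crt /path/to/cam-as-seen-on-cas.crt && echo "CAM cert matches"
```

Run `check_import_cert` on each exported file before importing it; a non-zero exit with the "PRIVATE KEY" message means you exported the key pair rather than the certificate alone. The fingerprint comparison is the quickest way to confirm that the CAS really holds the CAM's certificate (and not an older or self-generated one) after an HA failover.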
