NAC 4.5 Policy Import/Export Best Practice (CAMs at Different Locations)

Feb 16th, 2009

I have read the document on how to enable Policy Import/Export in NAC 4.5.


If we want to export the policies from a high availability pair of CAMs on our production network to the backup pair of CAMs at a Disaster Recovery (DR) site, then how do we tie the production CAS licenses to these new CAMs?


We are thinking about scenarios where the production CAMs are completely lost and we are getting the business back up at the DR site. We are assuming that the production CAS boxes are in different locations from the production CAMs.


Can this be done?


Thanks.



Daniel Laden Mon, 02/16/2009 - 18:09

I do not believe that is the intended use of PIE. It is more for environments that have multiple NAC Manager/Server pairs.


You have the issue where the two NAC Manager pairs want to manage the same NAC Server pair.


One solution to explore:

The NAC Manager will perform a nightly backup stored in /perfigo/dbbackup. You can move that to the DR NAC Manager pair and load it in.


Database Recovery Tool

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/45/cam/m_admin.html#wp1053310


The license information will be wrong. The license information will need to be removed and the corrected information inserted. You will need a TAC case to regenerate the license files based on the new hardware.


You may be able to use evaluation licenses until the updated licenses arrive.


https://tools.cisco.com/SWIFT/Licensing/PrivateRegistrationServlet?DemoKeys=Y

Cisco Clean Access Evaluation License


The license files are used to manage the Cisco NAC solution. It should continue to function with the licenses removed.


All this would need to be tested and confirmed true.






pmccubbin Tue, 02/17/2009 - 07:58

Hi Dan,


Thanks for the reply.


What you say should be tested and confirmed true, though I doubt a client would want to do this procedure during a time when they have failed over to a Disaster Recovery site. There would be too much going on to add the step of opening a TAC case to regenerate the license file. Even your suggestion to use evaluation licenses until the updated licenses arrive would be one more step during a busy time.


We have sent this scenario to the Business Unit for their consideration.


I give it a "5" from NYC but it didn't solve the issue in a customer friendly way. Thanks for giving it some thought in any event.


Paul

Daniel Laden Tue, 02/17/2009 - 22:04

I do have to correct myself.


The TAC case to update the license is in the event of an RMA. You have purchased two HA NAC Manager pairs. Each will have a license. Once you import the DB, remove the license and add the correct license for this hardware.

greg.washburn Tue, 02/17/2009 - 11:31

I would confirm with Cisco that they allow it for DR from a licensing standpoint.

Couldn't you just modify the MAC addresses and IP addresses for the DR CAM/CAMs? I mean, aren't the licenses on the CAM tied to MAC / IP + number of users?

Install them both but then go into the underlying linux system and modify the mac address to be the same as your production systems.

Hopefully, you can use the same ip addresses in the DR site since it's likely they are internal and segregated from your main site.

When you bring up the DR CAM you input your production license (after modifying mac) and then restore the zipped up postgres database that is stored in /perfigo/backup on the CAM (db-4.5.0-daily.gz for ver 4.5). Or use the ones downloaded from the web gui.

Alternatively, use a hardware or software disk cloner and just clone the primary's hard drives to the DR hard drives and bring them up when you need them (then just restore the same back up you chose from above).
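Both Daniel's and Greg's replies rest on carrying the CAM's nightly database backup to the DR pair. The script below is an added example, not code from any poster or from Cisco: it checks that the newest backup is a sound, recent gzip archive and stages it with a SHA-256 manifest so the DR side can prove the copy is intact before attempting a restore. The thread names two directories (/perfigo/dbbackup and /perfigo/backup), so the source directory is a variable defaulting to the first; the staging directory, the `run` argument and the 30-hour age limit are assumptions of this example, and the actual restore step is left to the Database Recovery Tool linked above.

```shell
#!/bin/sh
# Added example (not from the thread): validate the CAM's nightly database backup
# and stage it, with a checksum manifest, for transfer to the DR NAC Manager pair.
# BACKUP_DIR defaults to the path Daniel names; override it if your CAM writes
# elsewhere. STAGE_DIR and MAX_AGE_HOURS are assumptions for this example.

BACKUP_DIR="${BACKUP_DIR:-/perfigo/dbbackup}"    # path named in the thread
STAGE_DIR="${STAGE_DIR:-/var/tmp/cam-dr-stage}"  # placeholder staging directory
MAX_AGE_HOURS="${MAX_AGE_HOURS:-30}"             # nightly job plus some slack

# newest_backup DIR: print the most recently modified *.gz in DIR; fail if none.
newest_backup() {
    f=$(ls -t "$1"/*.gz 2>/dev/null | head -n 1)
    [ -n "$f" ] || return 1
    printf '%s\n' "$f"
}

# backup_is_valid FILE MAX_HOURS: succeed only if FILE is non-empty, a sound
# gzip archive, and not older than MAX_HOURS. A stale or truncated dump would
# otherwise be carried to the DR site and found unusable only during failover.
backup_is_valid() {
    file=$1; max_hours=$2
    [ -s "$file" ] || return 1
    gzip -t "$file" 2>/dev/null || return 1
    now=$(date +%s)
    mtime=$(stat -c %Y "$file" 2>/dev/null || stat -f %m "$file")
    age_hours=$(( (now - mtime) / 3600 ))
    [ "$age_hours" -le "$max_hours" ]
}

# stage_backup FILE DEST_DIR: copy FILE into DEST_DIR and write FILE.sha256
# beside it, so the DR side can verify the copy before restoring it.
stage_backup() {
    file=$1; dest=$2; name=$(basename "$file")
    mkdir -p "$dest" || return 1
    cp "$file" "$dest/$name" || return 1
    (cd "$dest" && sha256sum "$name" > "$name.sha256")
}

# verify_staged FILE: check FILE against the manifest next to it (run on the DR side).
verify_staged() {
    dir=$(dirname "$1"); name=$(basename "$1")
    (cd "$dir" && sha256sum -c "$name.sha256" >/dev/null 2>&1)
}

# main: end-to-end run on the production CAM. Invoke with: sh cam_backup_check.sh run
main() {
    f=$(newest_backup "$BACKUP_DIR") || { echo "no backup in $BACKUP_DIR" >&2; return 1; }
    backup_is_valid "$f" "$MAX_AGE_HOURS" || { echo "backup $f is stale or corrupt" >&2; return 1; }
    stage_backup "$f" "$STAGE_DIR" || return 1
    verify_staged "$STAGE_DIR/$(basename "$f")" || return 1
    echo "staged $(basename "$f") and its .sha256 in $STAGE_DIR; copy both to the DR CAM"
}

case "${1:-}" in run) main ;; esac
```

Copy the staged archive together with its `.sha256` file to the DR CAM and run `verify_staged` there before loading the database; a mismatch means the dump should be re-fetched rather than restored.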
