NAC command reference

Aug 16th, 2010

Hi,

Is there a command line command reference available for NAC?

For example, I want to see the certificates for NAC.

Which debug command shall I use in NAC? (For example, if it is IPsec I will use debug cry isa and debug cry ipsec.)

And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?

There are some links available that mention only 5 directories, but they are not very useful.

Thanks in advance

Faisal Sehbai Mon, 08/16/2010 - 22:37

Raj,


> Is there a command line command reference available for NAC?

Not per se. The appliance is a Linux server, so most of the Linux utilities are available.

> For example, I want to see the certificates for NAC.

You can use openssl for this. For example, on my test CAS:


[[email protected]-4-7-2-1 ~]# openssl x509 -noout -in .perfigo/sec/tomcat.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            dc:d9:45:d4:6f:89:14:24
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Validity
            Not Before: Jun 14 00:40:25 2010 GMT
            Not After : Mar 10 00:40:25 2013 GMT
        Subject: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

[...]

> Which debug command shall I use in NAC? (For example, if it is IPsec I will use debug cry isa and debug cry ipsec.)

To check whether the encryption is working for HA, try the /perfigo/common/bin/ha-ipsec-status.sh command.

> And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?

The main log file directories are:

CAS: /perfigo/access/tomcat/logs

CAM: /perfigo/control/tomcat/logs

HA logs are kept in /var/log. Most other logs also live in the /var/log directory, including boot messages.


HTH,

Faisal

rajbhatt Tue, 08/17/2010 - 00:01
User Badges:

Hi,

Thanks a lot.

That's why troubleshooting NAC is an issue.

For other Cisco devices, we have a command reference to refer to.

Is there an equivalent command for NAC to:


debug crypto ca 255

debug crypto ca mess 255

debug crypto ca trans 255

regards

Raj

Faisal Sehbai Tue, 08/17/2010 - 02:48

Raj,


That's the point. Debugs for ipsec/ca are sort of irrelevant in CCA. The only place it's used is for HA between peers, and those are formed by the identity certificates and config files which are generated by the GUI. So if you do the certificates right, and your config is correct in the GUI, chances are that the IPsec tunnels will come up fine too.


Most of the cases we see are certificate problems which cause the IPSEC tunnel to not come up and hence HA failures.


HTH,

Faisal
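As an added example that is not part of the original thread: a small POSIX shell script that builds on the `openssl x509` call in Faisal's first reply and on his later point that HA IPsec failures are usually certificate problems. It checks what a troubleshooter looks at first on a CAS/CAM certificate: the subject CN (the example above carries the peer IP as CN), whether the certificate is self-signed, and how much validity remains. The function names, the 30-day threshold and the throwaway test certificate are my own assumptions; the only path taken from the thread is `~/.perfigo/sec/tomcat.crt` in the usage line, and the script assumes the openssl binary is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco: sanity checks on a
# PEM certificate using only the openssl CLI already present on the appliance.
# Every function takes the certificate path as its first argument.

# Print the CN of the certificate subject. RFC2253 output keeps the format
# stable across OpenSSL 1.0 and 1.1/3 ("subject=CN=...,O=...,C=...").
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Exit 0 when the subject CN equals the address the HA peer is expected to
# present (the post above uses CN=1.1.1.1, i.e. the peer IP).
cert_cn_matches() {
    [ "$(cert_cn "$1")" = "$2" ]
}

# Exit 0 when subject and issuer hash to the same value, i.e. self-signed.
cert_is_self_signed() {
    subj=$(openssl x509 -noout -subject_hash -in "$1")
    iss=$(openssl x509 -noout -issuer_hash -in "$1")
    [ "$subj" = "$iss" ]
}

# Exit 0 when the certificate will still be valid N days from now
# (-checkend takes seconds and exits 1 if the cert expires in that window).
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# One-screen report: subject, issuer, validity window, and the two checks.
cert_report() {
    printf 'file:                   %s\n' "$1"
    openssl x509 -noout -subject -issuer -dates -nameopt RFC2253 -in "$1"
    if cert_is_self_signed "$1"; then
        echo 'self-signed:            yes'
    else
        echo 'self-signed:            no'
    fi
    if cert_valid_for_days "$1" 30; then
        echo 'expires within 30 days: no'
    else
        echo 'expires within 30 days: yes'
    fi
}

# Constructed throwaway self-signed certificate (not a real NAC certificate)
# so the checks can be exercised offline; prints the path of the PEM file.
make_test_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/C=US/O=Example/CN=10.0.0.1" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage on a CAS, with the path shown in the post above:
#   sh cert-check.sh ~/.perfigo/sec/tomcat.crt
if [ -n "${1:-}" ]; then
    cert_report "$1"
fi
```

Run it against the certificate on each HA peer and compare the two reports: a CN that does not match the address the peer is configured with, or a validity window that has already closed, is the kind of mismatch that stops the HA tunnel before any IPsec debug would help.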
