NAC command reference

rajbhatt
Level 3

Hi,

Is there a command line command reference available for NAC?

For example, I want to see the certificates for NAC.

Which debug command shall I use in NAC? (e.g., if it is IPsec I will use debug cry isa and debug cry ipsec)

And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?

There are some links available that mention only 5 directories, but they are not very useful.

Thanks in advance


Faisal Sehbai
Level 7

Raj,

Is there a command line command reference available for NAC?

Not per se. The appliance is a Linux server, so most of the Linux utilities are available.

For example, I want to see the certificates for NAC.


You can use openssl for this. For example on my test CAS:

[root@cas-4-7-2-1 ~]# openssl x509 -noout -in .perfigo/sec/tomcat.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            dc:d9:45:d4:6f:89:14:24
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Validity
            Not Before: Jun 14 00:40:25 2010 GMT
            Not After : Mar 10 00:40:25 2013 GMT
        Subject: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)

[...]

Which debug command shall I use in NAC? (e.g., if it is IPsec I will use debug cry isa and debug cry ipsec)

To check whether the encryption is working for HA, try the /perfigo/common/bin/ha-ipsec-status.sh command.

And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?

Main log file directory is:

CAS: /perfigo/access/tomcat/logs

CAM: /perfigo/control/tomcat/logs


HA logs are kept in /var/log. Most other logs also live in the /var/log directory, including boot messages.


HTH,

Faisal

Hi,

Thanks a lot.

That's why troubleshooting NAC is an issue.

For other Cisco devices, we have a command reference to refer to.


Is there an equivalent command for NAC:

debug crypto ca 255

debug crypto ca mess 255

debug crypto ca trans 255

Regards,

Raj

Raj,

That's the point. Debugs for IPsec/CA are sort of irrelevant in CCA. The only place it's used is for HA between peers, and those are formed by the identity certificates and config files which are generated by the GUI. So if you do the certificates right, and your config is correct in the GUI, chances are that the IPsec tunnels will come up fine too.

Most of the cases we see are certificate problems which cause the IPsec tunnel to not come up and hence HA failures.

HTH,

Faisal
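As an added example (not from the thread and not Cisco's code), a small parser for the `openssl x509 -text` output Faisal pasted above that reports the certificate properties worth checking first when HA IPsec fails: the validity window as of a given date, the key size and the signature algorithm. The sample text is constructed from the thread's output; `as_of`, the 2048-bit floor and the SHA-1/MD5 flag are this example's own choices, not NAC rules.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the `openssl x509 -noout -text` output quoted in the
# thread for the CAS tomcat.crt, trimmed to the fields this parser reads.
SAMPLE_X509_TEXT = """\
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Validity
            Not Before: Jun 14 00:40:25 2010 GMT
            Not After : Mar 10 00:40:25 2013 GMT
        Subject: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
            RSA Public Key: (1024 bit)
"""

def _field(text, label):
    # First "Label: value" line; the \s*: also handles openssl's "Not After :".
    m = re.search(r"^\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def parse_x509_text(text):
    # Subject/issuer, validity window (openssl prints GMT), key size, signature algorithm.
    fmt = "%b %d %H:%M:%S %Y %Z"
    bits = re.search(r"Public Key: \((\d+) bit\)", text)
    return {
        "subject": _field(text, "Subject"),
        "issuer": _field(text, "Issuer"),
        "sig_alg": _field(text, "Signature Algorithm"),
        "not_before": datetime.strptime(_field(text, "Not Before"), fmt).replace(tzinfo=timezone.utc),
        "not_after": datetime.strptime(_field(text, "Not After"), fmt).replace(tzinfo=timezone.utc),
        "key_bits": int(bits.group(1)) if bits else None,
    }

def audit_cert(text, as_of, min_key_bits=2048):
    # Findings as of an ISO date (YYYY-MM-DD); empty list means nothing to fix.
    # The 2048-bit floor and the SHA-1/MD5 flag are assumptions of this example.
    info = parse_x509_text(text)
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    findings = []
    if now < info["not_before"]:
        findings.append("not yet valid")
    if now > info["not_after"]:
        findings.append("expired")
    elif (info["not_after"] - now).days < 30:
        findings.append("expires within 30 days")
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append(f"weak key ({info['key_bits']} bit)")
    if any(w in (info["sig_alg"] or "").lower() for w in ("sha1", "md5")):
        findings.append(f"weak signature algorithm ({info['sig_alg']})")
    return findings
```

On the appliance the text would come from `openssl x509 -noout -in .perfigo/sec/tomcat.crt -text` rather than the embedded sample.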
