08-16-2010 10:18 PM - edited 02-21-2020 04:03 AM
Hi,
Is there a command line command reference available for NAC?
For example, I want to see the certificates for NAC.
Which debug command shall I use in NAC? (For e.g., if it is IPsec, I will use debug cry isa and debug cry ipsec.)
And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?
There are some links available that mention only 5 directories, but they are not very useful.
Thanks in advance
08-16-2010 10:37 PM
Raj,
Is there a command line command reference available for NAC?
Not per se. The appliance is a Linux server, so most of the Linux utilities are available.
For example, I want to see the certificates for NAC.
You can use openssl for this. For example, on my test CAS:
[root@cas-4-7-2-1 ~]# openssl x509 -noout -in .perfigo/sec/tomcat.crt -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            dc:d9:45:d4:6f:89:14:24
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Validity
            Not Before: Jun 14 00:40:25 2010 GMT
            Not After : Mar 10 00:40:25 2013 GMT
        Subject: C=US, ST=NC, L=RTP, O=Cisco, OU=TAC, CN=1.1.1.1
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
[...]
Which debug command shall I use in NAC? (For e.g., if it is IPsec, I will use debug cry isa and debug cry ipsec.)
To check whether the encryption is working for HA, try the /perfigo/common/bin/ha-ipsec-status.sh command.
And in what files is what info kept, like where the default log files, boot files, HA files etc. are stored?
The main log file directory is:
CAS: /perfigo/access/tomcat/logs
CAM: /perfigo/control/tomcat/logs
HA logs are kept in /var/log. Most other logs also live in the /var/log directory, including boot messages.
HTH,
Faisal
08-17-2010 12:01 AM
Hi,
Thanks a lot.
That's why troubleshooting NAC is an issue.
For other Cisco devices, we have a command reference to refer to.
Is there an equivalent command for NAC to:
debug crypto ca 255
debug crypto ca mess 255
debug crypto ca trans 255
regards
Raj
08-17-2010 02:48 AM
Raj,
That's the point. Debugs for ipsec/ca are sort of irrelevant in CCA. The only place it's used is for HA between peers, and those are formed by the identity certificates and config files which are generated by the GUI. So if you do the certificates right, and your config is correct in the GUI, chances are that the IPSEC tunnels will come up fine too.
Most of the cases we see are certificate problems, which cause the IPSEC tunnel to not come up and hence HA failures.
HTH,
Faisal
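Pulling Faisal's two replies together (the openssl x509 inspection above, and the point that certificate problems are what usually stop the HA IPsec tunnel), here is an added example that is not code from the thread or from Cisco NAC/CCA: a small POSIX shell helper that prints the subject, issuer and validity dates of an appliance identity certificate and flags one that is expired or about to expire. It assumes openssl is on the PATH, uses the .perfigo/sec/tomcat.crt path from Faisal's session only as the documented usage, and the self-signed certificate generator is a constructed test input, not something the appliance provides.

```shell
#!/bin/sh
# Added example, not code from the thread or from Cisco NAC/CCA.
# Assumes openssl is on the PATH (it is on the Linux-based appliance).
set -u

# Print the identity fields of a CAS/CAM certificate and return
#   0 if it is still valid for at least DAYS more days (default 30),
#   1 if it is expired or about to expire,
#   2 if the file cannot be read or parsed.
nac_cert_check() {
    cert=$1
    days=${2:-30}
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    # Same inspection Faisal ran, limited to the fields that matter for HA peering.
    openssl x509 -noout -in "$cert" -subject -issuer -dates || return 2
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null; then
        echo "OK: $cert is valid for more than $days days"
        return 0
    fi
    echo "WARNING: $cert is expired or expires within $days days;" \
         "check it before looking at the HA IPsec tunnel" >&2
    return 1
}

# Constructed test input: a self-signed cert with the subject from Faisal's
# session, valid for DAYS days. Only used to exercise nac_cert_check offline.
make_test_cert() {
    out=$1
    days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$out.key" -out "$out" \
        -days "$days" -subj "/C=US/ST=NC/L=RTP/O=Cisco/OU=TAC/CN=1.1.1.1" 2>/dev/null
}

# Usage on the appliance, from root's home as in Faisal's session:
#   sh nac_cert_check.sh .perfigo/sec/tomcat.crt [days]
if [ $# -gt 0 ]; then
    nac_cert_check "$1" "${2:-30}"
fi
```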