Published On: August 6ᵗʰ, 2019 02:07

Installation and Upgrade Guide for Cisco Secure Access Control System 5.4

Installing the Cisco 1121 Secure Access Control System Hardware

This chapter describes how to install your CSACS-1121 Series appliance and connect it to the network.

It contains:

Before you begin the installation, read the Regulatory Compliance and Safety Information for the Cisco 1121 Secure Access Control System available on http://www.cisco.com at the following location:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/regulatory/
compliance/csacsrcsi.html.

Warning Only trained and qualified personnel should be allowed to install, replace, or service this equipment. Statement 1030

Warning This unit is intended for installation in restricted access areas. A restricted access area can be accessed only through the use of a special tool, lock and key, or other means of security.
Statement 1017

Rack-Mounting Configuration Guidelines

Each CSACS-1121 Series appliance has a set of rack handles (installed at the factory). You will use these handles later when you install the appliance in a 4-post rack. You can front (flush) mount or mid-mount the appliance in a 19-inch (48.3-cm) equipment rack that conforms to the 4-post rack specification (the inside width of the rack should be 17.5 inches [44.45 cm]).

Mount the appliance in the brackets. When the appliance is installed in the rack, it requires one EIA 1.75-inch (4.4-cm) vertical mounting space or 1 rack unit (RU) for mounting.

Caution You must leave clearance in the front and rear of the CSACS-1121 Series appliance, to allow cooling air to be drawn in through the front and circulated through the appliance and out the rear of the appliance.

The Rack Installation Safety Guidelines and the following information will help you plan the equipment rack configuration:

  • When mounting an appliance in an equipment rack, ensure that the rack is bolted to the floor.
  • Because you may install more than one appliance in the rack, ensure that the weight of all the appliances installed does not make the rack unstable.
Caution Some equipment racks are also secured to ceiling brackets due to the weight of the equipment in the rack. If you use this type of installation, make sure that the rack you are using to install the appliances is secured to the building structure.
  • As mentioned in Airflow Guidelines, maintain a 6-inch (15.2-cm) clearance at the front and rear of the appliance to ensure adequate air intake and exhaust.
  • Avoid installing appliances in an overly congested rack. Air flowing to or from other appliances in the rack might interfere with the normal flow of cooling air through the appliances, increasing the potential for overtemperature conditions within the appliances.
  • Allow at least 24 inches (61 cm) of clearance at the front and rear of the rack for appliance maintenance.
Caution To prevent appliance overheating, never install an appliance in an enclosed rack or a room that is not properly ventilated or air conditioned.
  • Follow your local practices for cable management. Ensure that cables to and from appliances do not impede access for performing equipment maintenance or upgrades.

Note The rack-mount hardware kit does not include a 2-post equipment rack.

Mounting the CSACS-1121 Series Appliance in a 4-Post Rack

Warning When the appliance is installed in a rack and is fully extended on its slide rail, it is possible for the rack to become unstable and tip over, which could cause serious injury. To eliminate the risk of rack instability from extending the rail or in the event of an earthquake, you should affix the rack to the floor.

This section contains:

4-Post Rack-Mount Hardware Kit

Figure 4-1 shows the items that you need to install the CSACS-1121 Series appliance in a 4-post rack.

Figure 4-1 Release Levers on the Slide Rail Hardware

The following table describes the callouts in Figure 4-1.

1

Cable straps
4

M6 screws
2

Slide rail
5

Shipping bracket
3

Front of rail
6

Rear of rail

Table 4-1 lists the contents of the rack-mount hardware kit (Cisco part number CSACS-1U-RAILS).

Table 4-1 Rack-Mount Hardware Kit

Item
Quantity

Slide rails

2

Cable straps

6

M6 screws

6

Installing the Slide Rails in a Rack

To install the CSACS-1121 Series appliance in a rack:

Step 1 Press on the rail-adjustment bracket on the rear of the slide rail (see Figure 4-2) to prevent the bracket from moving.

Step 2 Press the adjustment tabs 1 and 2 (see Figure 4-2) and slide the rail-locking carrier toward the front of the slide rail until it snaps into place.

Step 3 Press the adjustment Tabs 1 and 2 and slide the rail-locking carrier toward the rear of the slide until it snaps into place.

Figure 4-2 Installing the Slide Rail into the Rack

The following table describes the callouts in Figure 4-2.

1

Adjustment tab 1
3

Rail-adjustment bracket
2

Adjustment tab 2
 

If you need to adjust the slide-rail length, lift the release tab (see Figure 4-3) and fully extend the rail-adjustment bracket from the rear of the slide rail until it snaps into place.

Step 4 Align the pins on the rear rail-locking carrier with the holes on the rear mounting flange.

Step 5 Press the adjustment tab (see Figure 4-3) to secure the rear of the slide rail to the rear mounting flange.

Note Ensure that the pins are fully extended through the mounting flange and slide rail.

Figure 4-3 Adjusting the Slide-rail Length

The following table describes the callouts in Figure 4-3.

1

Adjustment tab

3

Pins not extended through the mounting flange and slide rail
2

Release tab
4

Pins extended through the mounting flange and slide rail

Step 6 Align the pins (see Figure 4-4) on the front rail-locking carrier to the front mounting flange.

If you have adjusted the rail length, push the rail-locking carrier back toward the rear of the slide rail to align the slide rail with the mounting flange.

Step 7 Press the adjustment tab to secure the front of the slide rail to the front mounting flange.

Note Ensure that the pins are fully extended through the mounting flange and the slide rail.

Step 8 Repeat these steps for the other slide rail.

Figure 4-4 Aligning the Slide Rail with the Mounting Flange

The following table describes the callouts in Figure 4-4.

1

Adjustment tab

4

Pins extended through the mounting flange and slide rail
2

Mounting flange
5

Pins not extended through the mounting flange and slide rail
3

Pins
 

 

Installing the Appliance into the Slide Rails

To install the CSACS-1121 Series appliance into the slide rails:

Step 1 Align the server on the slide rails and push it fully into the rack cabinet.

Step 2 Secure the server to the front mounting flanges with the captive thumbscrews (see Figure 4-5).

Note You must leave the shipping brackets attached to the slide rails unless the shipping brackets impede the server from sliding fully into the rack cabinet. If you need to remove the shipping brackets, see Step 3 .

Figure 4-5 Aligning the Server on the Slide Rails

The following table describes the callouts in Figure 4-5.

1

Shipping brackets

3

Thumbscrews
2

ACS server
 

Step 3 Press the release tab (see Figure 4-6) as indicated on the shipping bracket, and remove the shipping bracket from the slide rail.

Step 4 Repeat step 3 for the other shipping bracket. Store the shipping brackets for future use.

Note You must reinstall the shipping brackets on the slide rails before you transport the rack cabinet with the server installed. To reinstall the shipping brackets, reverse the steps.

Figure 4-6 Removing the Shipping Brackets

The following table describes the callout in Figure 4-6.

1

Release tab
 

 

Connecting Cables

This section describes how to connect your CSACS-1121 Series appliance to the network and the appliance console. This section includes:

Figure 4-7 CSACS-1121 Series Appliance Rear View

The following table describes the callouts in Figure 4-7.

.

1

AC power receptacle

5

(Blocked) Gigabit Ethernet 1

2

(Blocked) Gigabit Ethernet

6

(In Use) Gigabit Ethernet 0

3

Serial connector

7

USB 3 connector

4

Video connector

8

USB 4 connector

Attach cables (such as keyboard, monitor cables, if required) to the rear of the server. Route the cables to the left corner of the server (as viewed from the rear in Figure 4-8) and use the cable straps to secure the cables to the slide rails.

Figure 4-8 Connecting the Cables

Connecting the Network Interface

Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

This section describes how to connect the CSACS-1121 Series appliance Ethernet port.

The Ethernet connector supports Serial over Lan (SOL). The RJ-45 port supports standard straight-through and crossover Category 5 unshielded twisted-pair (UTP) cables. Cisco does not supply Category 5 UTP cables; these cables are available commercially.

To connect the cable to the appliance Ethernet port:

Step 1 Verify that the appliance is turned off.

Step 2 Connect one end of the cable to the Gigabit Ethernet 0 port on the appliance.

Step 3 Connect the other end to a switch in your network.

 

Ethernet Port Connector

The CSACS 1121 Series appliance comes with two integrated dual-port Ethernet controllers. ACS 5.4 supports multiple NICs. See Multiple Network Interface Connector for more information. These controllers provide an interface for connecting to 10-Mb/s, 100-Mb/s, or 1000-Mb/s networks and provide full-duplex (FDX) capability, which enables simultaneous transmission and reception of data on the Ethernet LAN.

To access the Ethernet port, connect a Category 3, 4, 5, 5E, or 6 unshielded twisted-pair (UTP) cable to the RJ-45 connector on the back of the appliance.

Table 4-2 describes the UTP cable Categories.

Table 4-2 Ethernet Cabling Guidelines

Type
Description

10BASE-T

EIA Categories 3, 4, or 5 UTP (2 or 4 pair) up to 328 ft (100 m)

100BASE-TX

EIA Category 5 UTP (2 pair) up to 328 ft (100 m)

1000BASE-T

EIA Category 6 UTP (recommended), Category 5E UTP or 5 UTP (2 pair) up to 328 ft (100 m)

Figure 4-9 shows the Ethernet RJ-45 port and plug.

Figure 4-9 RJ-45 Port and Plug

Table 4-3 lists and describes the RJ-45 pin signals used on the connector.

Table 4-3 Ethernet Port Pinout

Ethernet Port Pin
Signal
Description

1

TxD+

Transmit data +

2

TxD–

Transmit data –

3

RxD+

Receive data +

4

Termination network

No connection

5

Termination network

No connection

6

RxD–

Receive data –

7

Termination network

No connection

8

Termination network

No connection

Multiple Network Interface Connector

ACS 5.4 with the SNS-3415, Virtual machine, or CSACS-1121 platform allows you to use up to four network interfaces: Ethernet 0, Ethernet 1, Ethernet 2, and Ethernet 3.

Note You need to make sure that the Ethernet 0 interface is up and running successfully, to avoid system failure.

Table 4-4 lists the ACS 5.4 functional interfaces which are distributed among the network interfaces.

Table 4-4 ACS 5.4 Functional Interface Distribution Among Network Interfaces

Functional Interface
Network Interface

Customer Logging

Ethernet 0

Device Administration (TACACS+)

All

Distributed Management

Ethernet 0

External ID Stores (AD, LDAP, and RSA)

Ethernet 0

Management GUI (HTTP)

Ethernet 0

Management CLI (Secure Shell [SSH])

Ethernet 0

Monitoring and Troubleshooting/ACS View Syslog

All

Network Access (Radius)

All

RADIUS Proxy

All

TACACS+ Proxy

All

CS management functions use only the Ethernet 0 interface, whereas authentication, authorization, and accounting (AAA) protocols use all of the configured network interfaces. You must connect the ACS nodes in the distributed deployment only to Ethernet 0. The syslog messages are sent and received at the log collector’s Ethernet 0 interface. Data forwarding from one interface to another interface is prohibited to prevent potential security issues. The external identity stores are supported only on the Ethernet 0 interface. In ACS 5.4, multiple network interface connectors are also supported for the RADIUS and TACACS+ proxy functionalities.

The CLI and ACS management interfaces are accessible from both Ethernet 0 and Ethernet 1 interfaces if you configure both the Ethernet 0 and Ethernet 1 interfaces with IP addresses from the same subnet. Therefore, to restrict CLI and ACS management interface only to Ethernet 0 interface, the IP addresses for the Ethernet 0 and Ethernet 1 interfaces should be from different subnets.

Configuring Multiple Network Interfaces

By default, Ethernet 0 interface takes the IP address that is assigned for ACS. However, for the other Ethernet ports, you must configure the IP address manually.

To configure the IP address for Ethernet ports, complete the following steps:

Step 1 Login to the ACS CLI using the CLI username and password.

Step 2 Enter su admin to enter in to the EXEC mode.

Step 3 Enter config t to enter in to the configuration mode of the ACS CLI.

Step 4 Enter the command interface GigabitEthernet <interface_number>.

Step 5 Enter the command no shutdown to bring the interface up.

Step 6 Enter the command ip address <IP address> <Subnet Mask>.

The console displays the following message:

Changing the IP may result in undesired side effects on any installed application(s).

Are you sure you want to proceed? Y/N [N]:

Step 7 Enter Y.

The specified interface is configured with the given IP address.

ACS restarts automatically. Wait for some time to make sure that all the processes are up and running successfully.

 

In an IPv6 enabled network, the Ethernet interfaces other than Ethernet 0 use an IPv6 address. If you want to use IPv4 address for the other Ethernet ports, you must configure IPv4 addresses using the ip address <IPv4 address> <IP-Mask> command as described above.

Note ACS 5.4 supports IPv4 and IPv6 dual stack networking and does not support pure IPv6 network.

Connecting the Console

Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

Your CSACS-1121 Series appliance has a DCE-mode console port for connecting a console terminal to your appliance. The appliance uses a DB-9 serial connector for the console port.

The console port on the CSACS-1121 Series appliance includes an EIA/TIA-232 asynchronous serial (DB-9) connector. This serial console connector (port) allows you to access the appliance locally by connecting a terminal—either a PC running terminal-emulation software or an ASCII terminal—to the console port.

To connect a PC running terminal-emulation software to the console port, use a DB-9 female to DB-9 female straight-through cable.

To connect an ASCII terminal to the console port, use a DB-9 female to DB-25 male straight-through cable with a DB-25 female to DB-25 female gender changer.

To connect a terminal or a PC running terminal-emulation software to the console port on the CSACS-1121 Series appliance:

Step 1 Connect the terminal using a straight-through cable to the console port.

Step 2 Configure your terminal or terminal-emulation software for 9600 baud, 8 data bits, no parity, 1 stop bit, and no hardware flow control.

 

Serial (Console) Port Connector

The CSACS 1121 Series appliance has one serial port connector located on the back panel of the appliance.

Figure 4-10 shows the pin number assignments for the 9-pin, male D-shell serial port connector located on the back panel of the appliance. These pin number assignments are those defined for RS-232-C and conform to industry standards.

Figure 4-10 Serial Port Connector

Table 4-5 lists and describes the serial (console) port pinout.

Table 4-5 DB-9 Serial (Console) Port Pinout

Serial Port Pin
Signal
Description

1

DCD

Data Carrier Detect

2

RXD

Receive Data

3

TXD

Transmit Data

4

DTR

Data Terminal Ready

5

GND

Signal Ground

6

DSR

Data Set Ready

7

RTS

Request To Send

8

CTS

Clear To Send

9

RI

Ring Indicator

Connecting the Keyboard and Video Monitor

Warning Do not work on the system or connect or disconnect cables during periods of lightning activity. Statement 1001

This section describes how to connect a keyboard and video monitor to the CSACS-1121 Series appliance.

As an alternative to the keyboard and video monitor, you can use a serial console to connect to the CSACS-1121 appliance.

The CSACS-1121 appliance does not provide support for a mouse.

The CSACS-1121 provides USB ports on the front and rear of the appliance that can be used to connect a keyboard and video monitor.

To connect a keyboard and video monitor to the appliance:

Step 1 Verify that the appliance is turned off.

Step 2 Connect the end of the keyboard cable to the PS/2 (keyboard) port which is located on the back panel of the appliance.

Step 3 Connect the end of the video monitor cable to the PS/2 (video monitor) port which is located on the back panel of the appliance.

Step 4 Power on the appliance.

 

Cable Management

Cable management is the most visual aspect of your appliance setup. However, cable management is often overlooked because it can be time consuming.

Equipment racks and enclosures house more equipment today than ever before. This growth has increased the need for organized cable management both inside and outside the rack. Poor cable management not only leads to damaged cables or increased time for adding or changing cables, but also blocks critical airflow or access. These problems can lead to inefficiencies in the performance of your equipment or even downtime.

There are many solutions to address cable management. They can range from simple cable management rings, to vertical or horizontal organizers, to troughs and ladders.

All CSACS-1121 Series appliance cables should be properly dressed so as not to interfere with each other or other pieces of equipment. Use local practices to ensure that the cables attached to your appliance are properly dressed.

Proceed to the next section, Powering Up the CSACS-1121 Series Appliance, to continue the installation process.

Powering Up the CSACS-1121 Series Appliance

Warning Do not touch the power supply when the power cord is connected. For systems with a power switch, line voltages are present within the power supply even when the power switch is off and the power cord is connected. For systems without a power switch, line voltages are present within the power supply when the power cord is connected. Statement 4

Warning This equipment is intended to be grounded. Ensure that the host is connected to earth ground during normal use. Statement 39

This section contains:

Checklist for Power Up

You are ready to power up the CSACS-1121 Series appliance if:

  • The appliance is securely mounted.
  • Power, network, and interface cables are properly connected.

Power-Up Procedure

To power up the CSACS-1121 Series appliance and verify its initialization and self-test, follow this procedure. When the procedure is completed, the appliance is ready to be configured.

Step 1 Review the information in Safety Guidelines.

Step 2 Plug the AC power cord into the power cord receptacle at the rear of the appliance. (See location 1 in Figure 4-7.)

Step 3 Connect the other end of the power cord to a power source at your installation site.

Step 4 Press the power button on the front of the appliance. (See location 2 in Figure 4-11.)

The appliance should begin booting. After the operating system boots, you are ready to initialize the basic software configuration. For configuration procedures, see the software installation guide or user guide.

Figure 4-11 CSACS-1121 Series Appliance Front View

The following table describes the callouts in Figure 4-11.

1

Appliance power LED
6

System-error LED
2

Power-control button
7

USB 1 connector
3

Reset button
8

USB 2 connector
4

Hard disk drive activity LED
9

CD-eject button
5

Locator LED
10

CD drive activity LED

 

Checking the LEDs

When the CSACS-1121 Series appliance is up and running, observe the front-panel LEDs. The following LEDs provide power, activity, and status information:

CSACS-1121 Appliance Front-Panel LEDs

  • Appliance power, green:

On when power is on.

Off when power is off or an error condition has been detected in the operating voltages.

  • Hard disk activity, green:

On when appliance software has booted up and the appliance is operational.

Off when appliance has not yet booted or an error condition has been detected in the boot process.

For more detailed information about the LEDs, see Troubleshooting.

Preparing to Transport the Rack Cabinet

To transport the CSACS-1121 Series appliance to another location with the server installed:

Step 1 Remove the large screw (see Figure 4-12) and discard it.

Step 2 Remove and save the front screw.

Step 3 Loosen the other two rear screws.

Step 4 Fully extend the rail and insert the screw you saved into the position where the large screw had been located.

Step 5 Tighten all screws to secure the rail.

Step 6 Repeat the steps from 1 to 5 for the other rail.

Figure 4-12 Preparing to Transport the Rack Cabinet

The following table describes the callouts in Figure 4-12.

1

Large screw
3

Two rear screws
2

Front screw
 

Step 7 You must secure the server to the rack, by doing the following:

a. If necessary, disconnect the cables from the rear of the server.

b. Slide the server out of the rack 150 mm (6 inches) and insert the M6 screws in each slide rail.

c. Secure the server to the rack cabinet with the M6 screws. See Figure 4-13.Figure 4-13Figure 4-13

Step 8 Ensure that the rails are fully extended to the rear of the rack cabinet.

If you have removed the shipping brackets on the slide rails, you must reinstall them before you transport the rack cabinet with the server installed. Reverse the instructions on the shipping bracket to reinstall it, as shown in Figure 4-6.

Figure 4-13 Preparing to Move the Rack Cabinet to Another Location

 

Removing or Replacing the CSACS-1121 Series Appliance

Warning Before working on a system that has an On/Off switch, turn OFF the power and unplug the power cord. Statement 1

Warning Ultimate disposal of this product should be handled according to all national laws and regulations. Statement 1040

This section contains:

Removing a CSACS-1121 Series Appliance

To remove a CSACS-1121 Series appliance from your network:

Step 1 Power down the appliance.

Step 2 Disconnect the power cords and network cables.

Step 3 Physically remove the appliance from the rack.

The appliance is in constant communication on your network; thus, when the network notices that the appliance is no longer responding to it, the network stops sending requests to the appliance. This change is visible to users.

Note If other appliances are attached to the network, the network continues sending requests to the other appliances.

 

Replacing a CSACS-1121 Series Appliance

To replace an appliance:

Step 1 Remove the appliance from the network.

Step 2 Install a new appliance using the same installation procedures that you used for the previous appliance.

Step 3 Configure the new appliance using the same configuration parameters that you used for the removed appliance.