Published On: August 6ᵗʰ, 2019 02:07

Cisco NAC Profiler Installation and Configuration Guide, Release 2.1.8

This chapter contains the following topics:

Overview

Profiler Module Configuration

Editing the Server Configuration

Server Network Connections on Cisco NAC Profiler Systems

Add Network Connection to Server Module Configuration of Type Server

Add Network Connection to Server Module Configuration of Type Client

Editing a Server Network Connection

Removing a Server Network Connection

Saving Edits to a Server Module

Configuring Profiler Server High Availability (HA)

Add Network Connection, Client Type, for CAS/Collector HA Pair.

Overview

The next task associated with configuration of Cisco NAC Profiler is configuration of the Profiler Server. Recall that the web-based management interface is served by the Profiler Server and it provides management of all components of the system including modules running on the Collectors. Correct configuration of this component at the outset ensures that the initial system configuration can be created and the system brought into service.

When the Profiler Server is initialized as described in Chapter 4, "Installation and Initial Configuration", (e.g. non-HA Pair or HA Pair) a very basic system configuration is created, including initial configuration for the Server module itself. The basic server configuration includes default parameters that allow the system to come up and be managed via the web interface so that further configuration can be completed to enable the system for endpoint profiling and behavior monitoring in the target environment. The Collector modules are initialized with the parameters required to communicate with the Server over the network in order to get their completed configuration and send data back to the Server for processing. Once the Server is configured as described in this chapter, communication with the Collectors will be established, and their configurations added to the system configuration and completed as described in the next chapter.

Before beginning configuration of the Profiler Server module, the Collectors should be configured and the Collector Service started with the service collector start command at the root prompt, via an SSH session to the device.

Profiler Module Configuration

The configuration of Profiler module instances in Cisco NAC Profiler configuration is accomplished through the Configuration Tab of the management interface, by selecting the Profiler Modules option from the left hand navigation pane. Figure 6-1 shows a table in the main pane which contains a link for adding a Collector module, and another for listing the Profiler modules (e.g., Server and Collectors) currently saved to the system configuration.

Figure 6-1 Configure Profiler Modules Page

Selecting the List Profiler Modules link from the table in the main pane presents a page containing two tables: one showing the Collector modules currently saved to the configuration and their respective status, and another showing the Profiler Server and its status (see Figure 6-2). The Collector module names and Server are hot-links which if selected, open the edit/configuration view for the selected module.


Note If the Server module of a newly configured Cisco NAC Profiler system indicates a status of 'not running', it is likely that either the license key file was not uploaded properly or the MAC Address of the appliance does not match that in the license key file. Ensure that the license file loaded was generated using the correct MAC Address.


Figure 6-2 Table of Modules

Editing the Server Configuration

To edit a Server module, navigate to the Table of Modules as described above. Select the server name link ('Server') from the Table of Servers to bring up the Configure Server form (see Figure 6-3).

Figure 6-3 Server Configuration Form

The Configure Server form is divided into nine sections or areas of related configuration parameters that define how the Server module will operate, the last of which lists all Network Connections currently configured for the Server.

The first four sections are mandatory Server module configuration parameters and are populated with default values for Server modules initialized at appliance start-up.

The LDAP Configuration section is optional and specific to environments where the LDAP integration capability will be utilized to integrate NAC Profiler with other systems such as RADIUS authentication servers. See Chapter 14, "LDAP Integration for Cisco NAC Profiler," for detailed instructions for using the NAC Profiler LDAP functionality.

Sections 6 and 7 are specific to integration of Cisco NAC Profiler with Cisco NAC Appliance. See Chapter 11, "Integration with Cisco NAC Appliance," of this guide for detailed instructions on the use and configuration of these Server module parameters.

The next section, SNMP Configuration, contains optional parameters that are used as required. There are no default values for these parameters.

The ninth and final section of the Server configuration, called 'Network Connections' is used for configuring the connections between the Server and the other modules in the Cisco NAC Profiler system.

The following outlines the purpose of each of the Server configuration parameters found in each of the nine sections of the Configure Server form.

1. Database Maintenance

Endpoint Timeout

Specifies a time value (in hours) that the NAC Profiler engine will wait without a refresh of endpoint data before removing port mapping information for an endpoint, and disassociating IP information from the MAC address of the endpoint in the database. This parameter is designed specifically for environments in which NAC Profiler is unable to utilize SNMP traps for detecting the disconnection of an endpoint from an access port. It is designed specifically to prevent endpoint location data from becoming stale in the absence of real-time notifications of topological changes that would normally be indicated by SNMP traps from the edge infrastructure.

Note that endpoints that have their port mapping and IP data removed because of expiration of the Endpoint Timeout value are not removed from the NAC Profiler database completely. All information derived about the endpoint based on MAC address remains in the database.

The default value of this parameter is 0 hours, which is interpreted as no timeout set; this is typical for configurations where traps can be sent to NAC Profiler. If traps are not available, set the number of hours NAC Profiler will wait without a refresh before removing port mapping and IP information about endpoints from the database.

Directory Timeout

Specifies a time value (in days) that the NAC Profiler engine will wait without a refresh of the data used for making a Profiling decision on an endpoint before timing the endpoint out of the Endpoint Directory. This timeout can be used to prune endpoints that have left the network and either have not returned to the network, or will not return. This can be used to prevent the Endpoint Directory from growing too large in dynamic environments. If the endpoint being timed-out of the Endpoint Directory is in a Profile that matches a NAC Event, the endpoint is removed from the Endpoint Directory and a Remove MAC event is triggered that results in the endpoint being removed from the Device Filter List of the CAM (see Chapter 11, "Integration with Cisco NAC Appliance," for more information on Cisco NAC Profiler integration with Cisco NAC Appliance).

The default value of this parameter is 0 days, which is interpreted as no timeout set. To time an endpoint out of the Directory (and out of the Device Filter List if integration with Cisco NAC Appliance is configured) in the absence of regular refreshes of its Profiling data, set this parameter to an appropriate number of days. Consider the rule(s) bound to the applicable Profile, the specifics of the environment and the operating characteristics of the device when choosing the value.

Historical Limit

Specifies a time value (in days) that NAC Profiler will maintain historical data on endpoints in the database. The default value is 30 days which means that historical information about each MAC address and each IP address in the database is available within the system for up to 30 days into the past. Data older than 30 days is removed from the database, preventing the database from growing without bounds.

When increasing this parameter, take into consideration the number of endpoints and other environmental characteristics to ensure that the system does not exhaust hard disk space.
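The three timers above interact: an endpoint can lose its port mapping and IP address long before it is aged out of the Endpoint Directory, a value of 0 disables the first two timers entirely, and only the Directory Timeout triggers a Remove MAC event. The following added example (not code from this guide or from the NAC Profiler product) models that behaviour over constructed endpoint records; the record fields, the sample MAC and IP addresses and the reference time are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Endpoint:
    """Constructed stand-in for a NAC Profiler endpoint record (assumed fields)."""
    mac: str
    ip: Optional[str]
    port_mapping: Optional[str]      # switch:port location learned by NetMap
    last_refresh: datetime           # last refresh of any data for the endpoint
    last_profile_refresh: datetime   # last refresh of the data used for Profiling
    nac_event_profile: bool          # endpoint's Profile matches a NAC Event (Chapter 11)
    history: List[datetime] = field(default_factory=list)  # historical observations


def apply_database_maintenance(endpoints, now, endpoint_timeout_hours=0,
                               directory_timeout_days=0, historical_limit_days=30):
    """Apply the three Database Maintenance timers to a list of Endpoint records.

    A value of 0 for Endpoint Timeout or Directory Timeout disables that timer,
    as the guide specifies. Returns (surviving endpoints, list of MACs for which
    a Remove MAC event must be sent to the CAM).
    """
    survivors, remove_mac_events = [], []
    for ep in endpoints:
        # Directory Timeout (days): age the endpoint out of the Endpoint Directory.
        if directory_timeout_days > 0 and \
                now - ep.last_profile_refresh > timedelta(days=directory_timeout_days):
            if ep.nac_event_profile:
                remove_mac_events.append(ep.mac)   # pulls it from the CAM Device Filter List
            continue
        # Endpoint Timeout (hours): drop only location data; MAC-derived data stays.
        if endpoint_timeout_hours > 0 and \
                now - ep.last_refresh > timedelta(hours=endpoint_timeout_hours):
            ep.port_mapping = None
            ep.ip = None
        # Historical Limit (days): prune history older than the limit (default 30).
        cutoff = now - timedelta(days=historical_limit_days)
        ep.history = [t for t in ep.history if t >= cutoff]
        survivors.append(ep)
    return survivors, remove_mac_events


NOW = datetime(2019, 8, 6, 12, 0)   # constructed reference time for the sample data


def sample_endpoints(now=NOW):
    """Three constructed endpoint records (not data from a real system)."""
    h, d = timedelta(hours=1), timedelta(days=1)
    return [
        # seen an hour ago, profiled yesterday, with history spanning 45 days
        Endpoint("00:11:22:33:44:01", "10.0.0.11", "sw1:Gi1/0/1", now - 1 * h, now - 1 * d, False,
                 [now - 1 * d, now - 10 * d, now - 29 * d, now - 31 * d, now - 45 * d]),
        # no refresh for 30 hours: location data is stale if traps are unavailable
        Endpoint("00:11:22:33:44:02", "10.0.0.12", "sw1:Gi1/0/2", now - 30 * h, now - 2 * d, False),
        # Profiling data not refreshed for 10 days, Profile bound to a NAC Event
        Endpoint("00:11:22:33:44:03", "10.0.0.13", "sw2:Gi1/0/7", now - 3 * h, now - 10 * d, True),
    ]


if __name__ == "__main__":
    survivors, events = apply_database_maintenance(sample_endpoints(), NOW,
                                                   endpoint_timeout_hours=24,
                                                   directory_timeout_days=7)
    for ep in survivors:
        print(ep.mac, ep.ip, ep.port_mapping, "history entries:", len(ep.history))
    print("Remove MAC events:", events)
```

Run with a 24-hour Endpoint Timeout and a 7-day Directory Timeout, the second endpoint keeps its MAC-derived record but loses its port mapping and IP address, the third leaves the Directory and produces a Remove MAC event, and the first only has its two history entries older than 30 days pruned. With the defaults (0, 0, 30) nothing but the history pruning happens.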

2. Network Mapping Configuration

Mapping Interval [Layer 2]

Defines how often (in minutes) the NetMap module(s) running on the Collectors will poll Layer 2 devices (switches) for information via SNMP. (Default is 60 minutes)

Mapping Interval [Layer 3]

This parameter defines how often (in minutes) the NetMap module(s) running on the Collectors will poll Layer 3 devices (routers) in the database for information via SNMP. (Default is 30 minutes).

Distribute Load Over

Specifies a time value (in minutes) over which to distribute the SNMP polling of network devices in the system configuration. The NetMap module was designed to allocate the SNMP polling of network devices over a defined period of time to make efficient use of Cisco NAC Profiler system and network resources. This value specifies the time period over which that distribution should occur. The default value is 15 minutes.

For each NetMap module in the system, the number of network devices assigned to it for polling is divided by the value of this parameter to determine how many devices will be polled each minute by that NetMap module. The NetMap module(s) will in turn spawn a worker for each device. If the number of devices is greater than the Maximum allowed workers as specified in the NetMap module configuration (see Chapter 7, "Configuring Collector Modules"), NetMap will queue these requests. If the Distribute Load Over parameter is set to 1, all requests are sent at once.

The following example shows how this calculation is made for a given NetMap module with n network devices assigned to it, with this parameter set to the default value of 15 minutes.

Example:
Network Devices assigned to NetMap = 60
Distribute Load Over value = 15
Devices per Bucket = (60/15) = 4

Therefore at the top of each minute for a total of 15 minutes, 4 XML requests are sent to the NetMap module, initiating 4 NetMap workers, each worker polling a network device.


Note There could be more NetMap workers than devices per bucket at any given time, if the workers from previous minutes are still working. Additionally, workers may be spawned for traps that have been received. However, there should never be more than the maximum allowed workers (plus the main NetMap process).
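As an added example (not code from this guide or from the NAC Profiler product), the following simulates the scheduling described above: the per-minute buckets of the Distribute Load Over window, one worker per XML request, queuing once the Maximum allowed workers from the NetMap module configuration is reached, and the special case of a 1-minute window. The device names and SNMP poll durations are constructed, and spreading counts that do not divide evenly round-robin across the buckets is an assumption (the guide only shows the evenly divisible case).

```python
from collections import deque


def netmap_buckets(devices, distribute_load_over):
    """Split the devices assigned to one NetMap module into one bucket per minute
    of the Distribute Load Over window. Counts that do not divide evenly are spread
    round-robin (an assumption; the guide only shows the evenly divisible case).
    A window of 1 minute puts every device in a single bucket: all requests at once."""
    if distribute_load_over < 1:
        raise ValueError("Distribute Load Over must be at least 1 minute")
    buckets = [[] for _ in range(distribute_load_over)]
    for i, device in enumerate(devices):
        buckets[i % distribute_load_over].append(device)
    return buckets


def simulate_netmap(devices, distribute_load_over, max_workers, poll_minutes):
    """Minute-by-minute simulation of one NetMap module.

    poll_minutes maps each device to the whole minutes its SNMP poll takes
    (constructed; the guide gives no poll durations). Each minute the next
    bucket's XML requests arrive and a worker is spawned per request while fewer
    than max_workers are running; the rest are queued and start as workers
    finish. Returns (minutes until the module is idle, peak concurrent workers,
    running-worker count per minute).
    """
    buckets = netmap_buckets(devices, distribute_load_over)
    queue = deque()
    running = {}            # device -> minute at which its poll completes
    timeline, peak, minute = [], 0, 0
    while True:
        running = {d: end for d, end in running.items() if end > minute}
        if minute >= len(buckets) and not queue and not running:
            break
        if minute < len(buckets):
            queue.extend(buckets[minute])
        while queue and len(running) < max_workers:   # never exceed Maximum allowed workers
            device = queue.popleft()
            running[device] = minute + poll_minutes[device]
        timeline.append(len(running))
        peak = max(peak, len(running))
        minute += 1
    return minute, peak, timeline


if __name__ == "__main__":
    switches = ["switch%02d" % i for i in range(60)]          # constructed device list
    print([len(b) for b in netmap_buckets(switches, 15)])    # 4 devices per minute, as in the guide
    print(simulate_netmap(switches, 15, 10, {s: 1 for s in switches})[:2])
    print(simulate_netmap(switches, 1, 10, {s: 1 for s in switches})[:2])
    print(simulate_netmap(switches, 15, 10, {s: 3 for s in switches})[:2])
```

With 60 devices, a 15-minute window and 1-minute polls the module runs 4 workers a minute for 15 minutes. Setting the window to 1 sends all 60 requests at once, so with a 10-worker limit the backlog drains over 6 minutes at the full limit. With 3-minute polls the workers from earlier minutes are still running when the next bucket arrives, which is the situation the note above describes: the running count climbs to the limit and stays there, but never above it.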


3. Active Profiling Configuration

Frequency

Specifies the interval (in minutes) at which the NetInquiry module(s) running on the Collectors perform their active profiling function. (Default is 60 minutes).

See Chapter 7, "Configuring Collector Modules," and Chapter 9, "Configuring Endpoint Profiles," for an in-depth discussion of both the NetInquiry module and the Active Profiling capabilities of Cisco NAC Profiler.

4. Profiling Configuration

These parameters are used to age the individual Profiling data elements gathered by Cisco NAC Profiler about an endpoint over time. Each element of Profiling data about an endpoint observed by NAC Profiler is tagged with a time-based confidence value which is set to 1.0 the first time the data is seen, and reset to that value each time NAC Profiler observes the endpoint behavior. The parameters below specify how each of the individual Profiling data elements will be timed-out by NAC Profiler if they are not re-observed within a defined period of time.

a. Aging Interval. Specifies a time value (in days) to wait for a refresh before decrementing the confidence value for each data element.

b. Age Penalty. Specifies a value (%) to decrement the confidence value with the expiration of an Aging Interval without a refresh of Profiling data.

For example, if a DHCP request from an endpoint was observed by NAC Profiler at time = 0, that DHCP data element would be tagged with a confidence value of 1.0 (100%). If the Aging Interval was set to 4 days with an Age Penalty of 25%, and another DHCP request was not observed by NAC Profiler for four days, the confidence value of that data element would be decremented from 100% to 75%. If no DHCP request was observed for 4 Aging Intervals (i.e., 16 days), the DHCP information would have a confidence value of 0, and that information would no longer be used for Profiling that endpoint.
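The aging rule above, carried through as an added example in Python (not code from this guide or from the NAC Profiler product). The function names are assumptions; the arithmetic follows the DHCP example exactly, and the replay function shows the reset to 1.0 that a re-observation causes, which the prose states but the example does not walk through.

```python
import math


def confidence_after(days_since_last_observation, aging_interval_days, age_penalty_percent):
    """Confidence of one Profiling data element (1.0 = 100%) that was last observed
    the given number of days ago. Every full Aging Interval without a refresh
    subtracts Age Penalty percent; the value floors at 0, at which point the
    element is no longer used for Profiling."""
    if aging_interval_days <= 0 or not 0 < age_penalty_percent <= 100:
        raise ValueError("Aging Interval must be positive and Age Penalty within (0, 100]")
    expired_intervals = days_since_last_observation // aging_interval_days
    return max(0.0, 1.0 - expired_intervals * (age_penalty_percent / 100.0))


def days_until_unusable(aging_interval_days, age_penalty_percent):
    """Days without a refresh after which the element's confidence reaches 0."""
    return math.ceil(100 / age_penalty_percent) * aging_interval_days


def replay_observations(observation_days, query_day, aging_interval_days, age_penalty_percent):
    """Confidence at query_day given the days on which the element (for example a
    DHCP request from the endpoint) was observed. Each observation resets the
    element to 1.0, so only the most recent one counts. Returns (confidence, usable)."""
    seen = [d for d in observation_days if d <= query_day]
    if not seen:
        return 0.0, False
    conf = confidence_after(query_day - max(seen), aging_interval_days, age_penalty_percent)
    return conf, conf > 0.0


if __name__ == "__main__":
    # The guide's example: 4-day Aging Interval, 25% Age Penalty, no refresh.
    for day in (0, 4, 8, 12, 16):
        print(day, confidence_after(day, 4, 25))
    print("unusable after", days_until_unusable(4, 25), "days")
    # A refresh on day 10 resets the element, so on day 17 only one interval has expired.
    print(replay_observations([0, 10], 17, 4, 25))
```

Note that a penalty that does not divide 100 evenly still reaches 0 after the same number of intervals as the next larger even divisor (30% takes four intervals, like 25%), which days_until_unusable makes explicit when tuning these two parameters together.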

5. LDAP Configuration (optional)

See Chapter 14, "LDAP Integration for Cisco NAC Profiler," for detailed instructions on the configuration of the NAC Profiler LDAP service.

6. External Reference (Required for integration with Cisco NAC Appliance)

Profiler Interface DNS/IP address

Enter the hostname (preferred) or IP address of the Profiler Server. The hostname or IP address entered here will be made part of a web link that will be embedded in the description field of each entry that NAC Profiler creates in the CAM Device Filter List. These web links give the administrator the ability to easily link to the NAC Profiler endpoint database to find out more details about endpoints entered into the Device Filter List directly from the CAM interface.

7. NAC Configuration

The parameters in this section are specific to NAC Profiler integration with Cisco NAC Appliance. Configuration of integration of Cisco NAC Profiler with Cisco NAC Appliance requires configuration of both Server module parameters, as well as configuration of endpoint events specific to Cisco NAC Appliance integration.

Refer to Chapter 11, "Integration with Cisco NAC Appliance," for a complete explanation of these parameters and instructions on configuration of Profiler integration with Cisco NAC Appliance.

8. SNMP Configuration (Optional)

Cisco NAC Profiler is capable of sending SNMP traps when endpoint events (see Chapter 11, "Integration with Cisco NAC Appliance") occur. Configure these parameters to instruct Cisco NAC Profiler to send traps to an external trap server such as the NMS.

Manager IP Address

Enter the IP address of the system that should receive SNMP traps from Cisco NAC Profiler if desired.

Manager Community String

Enter the community string for the trap receiving system specified above. This is required for the NAC Profiler traps to be received by that system.

9. Network Connections

This section specifies how the Profiler Server module will communicate with the Collector(s) deployed throughout the system. The next section of this document describes the purpose and use of the Network Connections section of the Server configuration, and outlines how they are configured using the GUI.

During appliance start-up, the Profiler Server will have a Network Connection added to the configuration by default. This Network Connection, added for purposes of enabling communication with the internal (non-configurable) Forwarder module running on the Profiler Server, is identifiable by the IP address specified: 127.0.0.1, the internal loop back interface, with a Connection Type of Server. This can be interpreted as specifying that the Server module listen on the internal loop back interface for sessions initiated on port 31416, by Remote Collector Services running on the same system.


Note For Cisco NAC Profiler systems, the Network Connections section of the Profiler Server configuration must be modified such that communications between the Profiler Server and the Forwarders running on the Collectors are enabled. To add a Network Connection to a Server module configuration, complete the procedure in Server Network Connections on Cisco NAC Profiler Systems.


As outlined in Chapter 3, "Preparing for Deployment," when configuring Cisco NAC Profiler systems it is necessary to have information about all components in the system such as IP addresses and desired encryption shared secrets readily available.

Decisions such as the setup of communications between the components, specifically whether each Collector will contact the Server (Forwarder on the Collector service configured as a 'client') or whether the Server will initiate the connection (Forwarder on the Collector service configured as 'server'), should have been made and the Collectors configured accordingly during CAS startup. This ensures that the configuration of Server to Collector communications can be accomplished readily.

When Remote Collection services are initially started up, an initial configuration of the Forwarder module is created such that the Forwarder is able to make contact with the Server module running on the NAC Profiler in the system. The configuration of the Network Connections on the Server module must be consistent with that setup on the Collectors at system startup for inter-module communications to occur normally.

Server Network Connections on Cisco NAC Profiler Systems

Inter-module communications between the Forwarder module running on a Collector service and the Server module running on the Profiler Server (or HA pair) can be set up in one of two ways:

The Forwarder on the Collector can be configured to initiate the connection with the Server (e.g., Connection Type of 'Client' on the Forwarder)

Or alternatively the Forwarder can be configured to listen for connections initiated by the Server (e.g., Connection Type of 'Server' on the Forwarder).

The Network Connections required to be added on the Server module of an NAC Profiler or HA pair are determined by the setup of the Collector service in a Cisco NAC Profiler system.

In deployments where some or all of the Forwarders on the Collectors in the system have been set up with Client configurations, the Server module will require the addition of a Network Connection, with Connection Type of Server, specifying the management interface (eth0) for NAC Profiler or the VIP for HA pairs. This addition to the Server module configuration results in the Server listening on the specified TCP port (31416 by default) for network connections by the Forwarder(s) in the system configured to be clients connecting back to that Server module. Figure 6-4 illustrates communications between the Server module and the Forwarder on the remote collection service when the Forwarder is configured as a Client, as described in Chapter 4, "Installation and Initial Configuration".

Figure 6-4 Client Network Connection on Forwarder

In deployments where one or more Collector services have Forwarder configurations that are set to 'Server' and are relying on the Server module to initiate the connection, a Network Connection with Client Connection Type must be added to the Server module configuration for each Collector configured in this manner. Figure 6-5 illustrates communications between the Server module and the Collector service when the Forwarder is configured as a Server.

Figure 6-5 Server Network Connection on Forwarder

For distributed Cisco NAC Profiler systems employing one or more Remote Collection services, follow the procedures below for adding the necessary Network Connections to the Server module configuration in order to support deployed Collector services.

Add Network Connection to Server Module Configuration of Type Server

To add a new Network Connection to a Server module configuration, select the Add connection button. The Add network client/server form that allows specifying the configuration parameters of the Network Connection to be added to the Server module configuration is displayed in the main pane. See Figure 6-6.

Figure 6-6 Add Network Client/Server Form (Server)

This form allows the specification of each of the required parameters of the Network Connection being added to the Server module configuration which will enable bidirectional communications between the Server and another NAC Profiler module (typically the Forwarder modules on CAS/Collectors, as described in the last section) in the system. Each of these parameters is described in detail below.

Connection Type

The Connection Type specifies how this Network Connection between the Server module and external modules will be initially established. Selecting the Server radio button specifies that the Server module will expect the Network Connection(s) to be established by the other module and that it should listen for connections on the specified TCP port number. Selecting the Client radio button specifies that the Server module itself should initiate this Network Connection with the other module. For step-by-step procedures for adding a Client-type Network Connection, refer to Add Network Connection to Server Module Configuration of Type Client.

IP Address

For Connection Types specified as "Server" as described immediately above, enter the IP address of the local interface on the appliance the Server module should listen on for connections from remote Forwarder modules in the system.


Note For the Server module running on a standalone NAC Profiler appliance, the IP address for Server Connection Types should be that of the management interface (eth0) of the appliance. If the Server module is running on a NAC Profiler HA pair, the IP address specified for a Network Connection of Type 'Server' should be that of the VIP assigned to the HA pair. This ensures that the Collectors utilizing the connection will maintain connectivity with the Server regardless of which appliance is currently the Primary for the pair.


For example, if the Management interface of the Profiler Server appliance was assigned the address 169.254.222.1, adding a Network Connection with this address specified would result in the Server module listening for TCP connections on the specified port number on the Management interface of the appliance. Remote modules would be able to communicate with the Server by initiating TCP connections to the IP address of the Management interface of the appliance running the Server.

A single Network Connection with Connection Type of Server defined in the Server module configuration on NAC Profiler, will support connection of multiple remote Forwarders with Client network connections. Server module Network Connections are considered as "one-to-many."

Port

For most cases the default TCP port number of 31416 should be accepted, however an alternative available layer 4 port value may be specified. This is the port number that the Network Connection being added will utilize for module-to-module communications.

Encryption Type

Select the desired encryption type for the Network Connection being added from the drop-down list. This parameter specifies either that the Network Connection will be unencrypted (select the None option), or the algorithm to use for encrypting the data being transmitted. Currently available encryption options are AES (default) and Blowfish. Prefer the default, AES; Blowfish is a legacy cipher with a 64-bit block size. Selecting None means the Collector configuration pushed from the Server and the endpoint data the Collectors send back cross the network in cleartext. The modules at both ends of the Network Connection must have the same encryption algorithm selected in order for an encrypted session to be successfully established.

Shared Secret

Specify the shared secret that should be used in establishing encrypted communications over the Network Connection to be added, if desired. The field should be left blank if the Network Connection will be unencrypted. The modules at both ends of the Network Connection must be configured with the identical Shared Secret in order for the encrypted session to be established successfully.

The CAS/Collectors are configured at startup with the parameters they require such as Connection Type, Encryption Type, Shared Secret and address information as required to complete the configuration of the Forwarder end of the communication. This enables bidirectional communication with the Server module for the system so that the Collectors are able to get their detailed configuration from the Server. It is good practice to plan and document these parameters for the entire system at the outset of system configuration to ensure system-level communication can be established efficiently.

Select the Add Connection button to save the new Network Connection to the Server Configuration, and return to the Configure Server form, which should now display the Network Connection just added.

If additional Network Connections are to be added to the Server module, utilize the procedures in this section or the next to add additional entries as required, then save the changes as described in Saving Added Network Connections to the Server Module Configuration.

Add Network Connection to Server Module Configuration of Type Client


Note When configuring a system with multiple "Client" connections (e.g., multiple Collectors configured as Server), a Network Connection for each of the Forwarders that the Server module on NAC Profiler will initiate a connection with is required in the Server module configuration. Unlike Server Network Connections, Client Network Connections on a Server are "one-to-one."


When the Client radio button for Connection Type on the Add Network Client/Server form is selected, the form changes subtly as shown in Figure 6-7 and Figure 6-8, one taken from a system with a single NAC Profiler and the second from an NAC Profiler HA Pair.

Figure 6-7 Add Server Module Client Network Connection - Standalone

Figure 6-8 Add Server Module Client Network Connection - HA Pair

The primary difference in the Add network client/server form for the Client connection type is the section immediately above the Add Connection button, entitled "Allowing Connection(s) From:".

For Cisco NAC Profiler systems with standalone NAC Profiler appliances, this section lists two IP addresses. In the case of systems with an NAC Profiler deployed as a HA pair four IP addresses are displayed in the list.

The addresses in the "Allowing Connection(s) From" list are the addresses used in the construction of the configuration file for the downstream Forwarder module on the Collector. They are used in the configuration of the Access Control List (ACL) on the Forwarder. The addresses are those that will be allowed to connect to the Collector with a Server connection, and they should be verified against those configured during the startup of the Collector, when it was configured with a corresponding Server Network Connection in accordance with the procedures specified in Chapter 4, "Installation and Initial Configuration."

In the standalone case, the Server will connect to the Collector service using this client connection, initiating the connection using the management interface (eth0) IP address. The loopback address is included as well for completeness.

For HA pairs, outbound connections from the virtualized Server module may at different times utilize the IP address of the management interface (eth0) of either of the members in the pair, dependent upon which appliance is currently the Primary, or the VIP. For NAC Profiler HA pairs, the list should include the management interface (eth0) IP addresses of the Primary and Secondary appliances in the pair, the VIP and the loopback address.

To add a Client Network Connection to a Server module, complete the following fields of the Add network client/server form:

IP Address

For Connection Types specified as "Client" the IP address entered should be the IP address of the remote Collector the Server module will initiate communications with. For example, when adding a Network Connection to a Server module to establish communication with a Forwarder module on a Collector, specify the IP address of the management interface (eth0) of that Collector service, in this field. If the Collector is deployed on an HA CAS pair, the VIP of the CAS pair should be entered.

Port

For most cases the default TCP port number of 31416 should be accepted, however an alternative available layer 4 port value may be specified. This is the port number that the Network Connection being added will utilize for module-to-module communications.

Encryption Type

Select the desired encryption type for the Network Connection being added from the drop-down list. This parameter specifies either that the Network Connection will be unencrypted (select the None option), or the algorithm to use for encrypting the data being transmitted. Currently available encryption options are AES (default) and Blowfish. The modules at both ends of the Network Connection must have the same encryption algorithm selected in order for an encrypted session to be successfully established.

Shared Secret

Specify the shared secret that should be used in establishing encrypted communications over the Network Connection to be added, if desired. The field should be left blank if the Network Connection will be unencrypted. The modules at both ends of the Network Connection must be configured with the identical Shared Secret in order for the encrypted session to be established successfully.

The form requires the shared secret to be entered identically two times to prevent mistakes in typing the desired string.


Note The Collector services are configured at startup in accordance with Chapter 4, "Installation and Initial Configuration", with the parameters they require such as Connection Type, Encryption Type, Shared Secret and address information as required to complete the configuration of the Forwarder end of the communication. This enables bidirectional communication with the Server module for the system so that the Collectors are able to get their detailed configuration from the Server.
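Because the Server end and the Forwarder end must agree on Connection Type, port, Encryption Type and Shared Secret, and a Server-type entry is one-to-many while a Client-type entry is one-to-one, it is worth checking the planned Network Connections against the Collector startup settings before Apply Changes. The following added example (not code from this guide or from the NAC Profiler product) performs that check over a constructed standalone topology and serves both the Server-type and the Client-type procedures above; the addresses, Collector names, shared secret, record layout and the settings assumed for the default loopback entry are all made up for the example.

```python
from dataclasses import dataclass, field
from typing import List


@dataclass
class NetConn:
    """One Network Connection entry, on the Server module or on a Forwarder."""
    conn_type: str              # "Server" = listen, "Client" = initiate
    ip: str                     # listen address (Server) or peer address (Client)
    port: int = 31416
    encryption: str = "AES"     # "AES", "Blowfish" or "None"
    shared_secret: str = ""


@dataclass
class Forwarder:
    """Forwarder module on one Collector, with its ACL for inbound sessions."""
    name: str
    mgmt_ip: str                # eth0 address, or the CAS HA pair VIP
    conn: NetConn
    acl: List[str] = field(default_factory=list)


def server_source_addresses(profiler_eth0_ips, vip=None):
    """The 'Allowing Connection(s) From' list: addresses the Server module may
    initiate a Client connection from. Standalone: eth0 and loopback. HA pair:
    both members' eth0, the VIP and loopback."""
    return list(profiler_eth0_ips) + ([vip] if vip else []) + ["127.0.0.1"]


def check_connections(server_conns, forwarders, profiler_eth0_ips, vip=None):
    """Return the problems that would stop a Forwarder pairing with the Server
    module; an empty list means the two ends are consistent."""
    problems = []

    def crypto_matches(a, b):
        return a.encryption == b.encryption and a.shared_secret == b.shared_secret

    for c in server_conns + [f.conn for f in forwarders]:
        if c.encryption == "None" and c.shared_secret:
            problems.append(f"{c.ip}:{c.port}: shared secret set but Encryption Type is None")
        if c.encryption != "None" and not c.shared_secret:
            problems.append(f"{c.ip}:{c.port}: {c.encryption} selected but Shared Secret is blank")

    listeners = [c for c in server_conns if c.conn_type == "Server"]
    for f in forwarders:
        if f.conn.conn_type == "Client":
            # Forwarder initiates: one Server-type listener serves many such Forwarders.
            match = [l for l in listeners if (l.ip, l.port) == (f.conn.ip, f.conn.port)]
            if not match:
                problems.append(f"{f.name}: no Server-type connection listening on {f.conn.ip}:{f.conn.port}")
            elif not crypto_matches(match[0], f.conn):
                problems.append(f"{f.name}: Encryption Type or Shared Secret differ from the Server listener")
        else:
            # Forwarder listens: exactly one Client-type connection must point at it (one-to-one).
            match = [c for c in server_conns
                     if c.conn_type == "Client" and (c.ip, c.port) == (f.mgmt_ip, f.conn.port)]
            if len(match) != 1:
                problems.append(f"{f.name}: expected one Client-type connection to "
                                f"{f.mgmt_ip}:{f.conn.port}, found {len(match)}")
            elif not crypto_matches(match[0], f.conn):
                problems.append(f"{f.name}: Encryption Type or Shared Secret differ from the Server's Client connection")
            missing = [a for a in server_source_addresses(profiler_eth0_ips, vip) if a not in f.acl]
            if missing:
                problems.append(f"{f.name}: Forwarder ACL missing {missing}")
    return problems


def sample_topology():
    """Constructed standalone deployment (addresses and secret are made up):
    Profiler Server eth0 10.1.1.10, Collector A as Client, Collector B as Server."""
    secret = "example-shared-secret"
    server_conns = [
        NetConn("Server", "127.0.0.1", shared_secret=secret),   # default loopback entry (settings assumed)
        NetConn("Server", "10.1.1.10", shared_secret=secret),   # listens for Client-type Forwarders
        NetConn("Client", "10.1.2.20", shared_secret=secret),   # initiates to Collector B
    ]
    forwarders = [
        Forwarder("collector-a", "10.1.2.10", NetConn("Client", "10.1.1.10", shared_secret=secret)),
        Forwarder("collector-b", "10.1.2.20", NetConn("Server", "10.1.2.20", shared_secret=secret),
                  acl=["10.1.1.10", "127.0.0.1"]),
    ]
    return server_conns, forwarders


if __name__ == "__main__":
    conns, fwds = sample_topology()
    print("standalone:", check_connections(conns, fwds, ["10.1.1.10"]) or "consistent")
    fwds[1].conn.shared_secret = "typo"
    print("bad secret:", check_connections(conns, fwds, ["10.1.1.10"]))
```

Running the check for the same topology as an HA pair (two eth0 addresses plus the VIP) immediately flags Collector B's ACL, which still lists only the standalone address, which is the mismatch the "Allowing Connection(s) From" list above is there to catch.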


Saving Added Network Connections to the Server Module Configuration

When all required Network Connections have been added to the Server Module configuration, select the Update Server button at the bottom of the Configure Server form. Then perform an Apply Changes -> Update Modules to generate the new Server configuration file and restart the module using the configuration with the added Server module Network Connections, so that they are ready for use when the Collectors are added to the system configuration as described in Chapter 7, "Configuring Collector Modules."

Editing a Server Network Connection

To edit an existing Network Connection in a Server module configuration, navigate to the Configure Server form and scroll down to the Network Connections section, select the Edit radio button to the right of the Network Connection to be edited. Then select the Edit Button. The Edit network client/server form is displayed which reflects the current configuration and allows each of the Network Connection parameters to be edited as required (see Figure 6-9). Refer to Server Network Connections on Cisco NAC Profiler Systems for a description of each of these parameters for Server and Client network connections on a Server module.

Figure 6-9 Edit Network Client/Server Form

Once the desired changes are made to an existing Network Connection, select the Edit Connection button to save the edits to the configuration, and return to the Configure Server form.

Removing a Server Network Connection

To remove a Network Connection from a Server module configuration, select the Remove checkbox to the right of the Network Connection or Connections to be removed. Selecting the Remove button will result in the removal of the selected Network Connection or Connections from the Server module configuration.

Saving Edits to a Server Module

When all desired changes have been made to the configuration of the Server module being edited, select the Update Server button at the bottom of the Configure Server form. Selecting the Update Server button results in the browser returning to the Table of Modules page, and a message displayed at the top of the main pane that the server configuration has been saved.

The changes to the Server module configuration are not committed to the running configuration until the Apply Changes -> Update Modules procedure is performed as described at the end of the previous chapter.

Configuring Profiler Server High Availability (HA)

The Cisco NAC Profiler Server is capable of operating in a High Availability (HA) mode, where a second appliance acts as a backup to the primary Profiler Server. When a Profiler Server is initially set up as described in Chapter 4, "Installation and Initial Configuration," the system is set up as either a single appliance or High Availability pair. Refer to the step-by-step instructions in Configure a Cisco NAC Profiler Server HA Pair, page 4-20 to configure a High Availability Profiler Server pair. The remainder of this section provides an overview of the operation of the High Availability feature.

The following key points provide a high-level summary of HA-Profiler Server operation:

The Profiler Server high-availability mode is an Active/Passive two-appliance configuration in which a standby Profiler Server acts as a backup to an active Profiler Server.

The active Profiler Server performs all tasks for the system. The standby Profiler Server monitors the active Profiler Server and keeps its database synchronized with the active Profiler Server's database.

Both Profiler Servers share a virtual Service IP for the eth0 (management) interface.

The primary and secondary Profiler Servers exchange UDP heartbeat packets every 2 seconds. If the heartbeat timer expires, stateful failover occurs.

The eth1 interface on the Profiler Servers can be used for heartbeat packets and database synchronization.

Cisco NAC Profiler Server high-availability mode is an Active/Passive two-appliance configuration in which a standby Profiler Server appliance acts as a backup to an active Profiler Server appliance. While the active Profiler Server carries most of the workload under normal conditions, the standby monitors the active Profiler Server and keeps its data store synchronized with the active Profiler Server's data. The data store includes system configuration information as well as the endpoint database.

If a failover event occurs, such as the active Profiler Server is shut down or stops responding to the peer's "heartbeat" signal, the standby assumes the role of the active Profiler Server.

When first configuring the HA peers, you must specify an HA-Primary Profiler Server and HA-Secondary Profiler Server. Initially, the HA-Primary is the active Profiler Server, and the HA-Secondary is the standby (passive) Profiler Server, but the active/passive roles are not permanently assigned. If the primary Profiler Server goes down, the secondary (standby) becomes the active Profiler Server. When the original primary Profiler Server restarts, it assumes the backup role.

When the Profiler Server starts up after HA is configured, it checks to see if its peer is active. If not, the starting Profiler Server assumes the active role. If its peer is active as it starts up, the starting Profiler Server becomes the standby.

Two Profiler Servers may be configured as an HA pair at the same time as the system is implemented, or a new Profiler Server may be added to an existing standalone Profiler Server to create a high-availability pair at any time. Refer to Chapter 15, "Cisco NAC Profiler Server Command Line Reference" for instructions on adding an HA peer to a standalone Cisco NAC Profiler system. In order for the pair to appear to the network and to the Clean Access Manager as a single entity, a Service IP address must be specified as the trusted interface (eth0) address for the HA pair.

To create the crossover network on which high-availability information is exchanged, the eth1 ports of both Profiler Servers are connected and a private network address not currently routed in your organization (the default HA crossover network address is 192.168.0.252) is specified. Profiler Server then creates a private, secure two-node network for the eth1 ports of each Server to exchange UDP heartbeat traffic and synchronize databases. Note that the Profiler Server always uses eth1 as the UDP heartbeat interface.


Note To prevent any possible data loss during database synchronization, always make sure the standby (secondary) Profiler Server is up and running before failing over the active (primary) Profiler Server.
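
The active/standby role rules and heartbeat-timer failover described above, modelled as an added Python example (this is illustrative code, not Cisco's implementation). The 2-second heartbeat interval comes from the guide; the expiry after three missed beats, the server names and the timeline are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEARTBEAT_INTERVAL = 2.0                    # seconds between UDP heartbeats (from the guide)
HEARTBEAT_TIMEOUT = 3 * HEARTBEAT_INTERVAL  # assumed: three missed beats; the guide gives no value

@dataclass
class ProfilerServer:
    name: str
    role: str = "down"                  # "active", "standby" or "down"
    last_peer_heartbeat: float = 0.0    # time of the last heartbeat seen from the peer
    peer: Optional["ProfilerServer"] = None

    def start(self, now: float) -> str:
        # Start-up rule: become active unless the peer is already active (then standby, even for HA-Primary).
        self.role = "standby" if (self.peer and self.peer.role == "active") else "active"
        self.last_peer_heartbeat = now
        return self.role

    def heartbeat(self, now: float) -> None:
        # Send a heartbeat to the peer over the eth1 crossover link, if both appliances are up.
        if self.role != "down" and self.peer and self.peer.role != "down":
            self.peer.last_peer_heartbeat = now

    def tick(self, now: float) -> str:
        # The standby watches the heartbeat timer; expiry means the active is gone, so fail over.
        if self.role == "standby" and now - self.last_peer_heartbeat > HEARTBEAT_TIMEOUT:
            self.role = "active"
        return self.role

def safe_to_fail_over(active: ProfilerServer) -> bool:
    # The guide's note: only fail over the active while the standby is up (avoids data loss).
    return active.role == "active" and active.peer is not None and active.peer.role == "standby"

def run_scenario() -> List[Tuple[float, str, str]]:
    # Constructed timeline: primary up, secondary up, primary fails at t=10, primary returns at t=20.
    primary, secondary = ProfilerServer("ha-primary"), ProfilerServer("ha-secondary")
    primary.peer, secondary.peer = secondary, primary
    events = [(0.0, primary.name, primary.start(0.0)), (1.0, secondary.name, secondary.start(1.0))]
    for now in (float(t) for t in range(2, 30, int(HEARTBEAT_INTERVAL))):
        if now == 10.0:
            primary.role = "down"                                  # active appliance fails
            events.append((now, primary.name, "down"))
        if now == 20.0:
            events.append((now, primary.name, primary.start(now)))  # original primary comes back as standby
        for server in (primary, secondary):
            server.heartbeat(now)
            if (old := server.role) != server.tick(now):
                events.append((now, server.name, server.role))
    return events
```

Running run_scenario() shows the secondary taking the active role once the heartbeat timer expires, and the restarted primary joining as the standby rather than reclaiming its original role.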


Before configuring high availability on a Profiler Server pair, ensure that:

Both Profiler Servers are installed and configured.

For heartbeat, each Server needs to have a unique hostname (or node name). For HA Profiler Server pairs, this host name will be provided to the peer, and must be resolved via DNS or added to the peer's /etc/hosts file.

The HA-Primary Profiler Server is fully configured for runtime operation of Cisco NAC Profiler. This configuration is automatically duplicated in the HA-Secondary (standby) Server.

Both Profiler Servers are accessible on the network (try pinging them to test the connection).

The Profiler Server appliances both have an Ethernet port (eth1) available.

Port Security is not enabled on the switch interfaces to which the Profiler Servers are connected. This can interfere with Profiler Server HA and DHCP delivery.

Add Network Connection, Client Type, for CAS/Collector HA Pair.

Cisco NAC Profiler (release 2.1.8 and later) includes changes to the procedure for the configuration of CAS/Collector HA pairs deployed with standalone and HA Profiler Server pairs. Follow the procedure below when deploying CAS/Collector HA pairs in a Cisco NAC Profiler system:

Create a Network Connection of type Client in the Server module configuration. This results in the Profiler Server initiating a connection to the VIP/Service IP address of the Collector service running on the HA CAS pair.

See Chapter 4, "Installation and Initial Configuration," for the configuration procedure for setting up an HA CAS/Collector pair.


Step 1 Using the GUI, open the Configure Server form (navigate to the Configuration tab, then select NAC Profiler Modules -> List NAC Profiler Modules). From the Server table, click on the Server link to display the Configure Server form showing the current Profiler Server configuration.

Step 2 Scroll down to the Network Connections section of the form, near the bottom.

Step 3 Select the 'Add connection' button to add a new network connection.

Step 4 For Connection Type, select the 'client' radio button.


Note When the Client radio button is selected, the add network connection form changes as shown in Figure 6-10. Note that the Allow Connections From section is shown at the bottom of the form. For standalone appliances, this should be populated with the loopback address (127.0.0.1) and the IP address of the eth0 interface of the Profiler Server. For HA Profiler Server pairs, the loopback and the eth0 interface addresses of both appliances should be displayed.


Figure 6-10 Connection Type is Client for CAS/Collector HA Pair

Step 5 Enter the IP address of the VIP of the CAS HA pair hosting the Collector service in the IP Address field.

Step 6 Enter the TCP port number for the connection between the Profiler Server and the Collector. This must match the port configured on the Collector services running on both members of the HA pair.

Step 7 Select the desired encryption type from the drop-down. This must match the encryption type configured on the Collector services running on both members of the HA pair.

Step 8 Enter the shared secret for the encryption type selected; leave it blank if no encryption was selected. The shared secret must match that configured on the Collector services running on both members of the HA pair.

Step 9 Click on the Add connection button to save the new connection.

Step 10 Verify that the newly added connection now appears in the list of network connections for the Server module (Edit Server form), then click on Update Server to save the configuration.