Tuesday, June 24, 2008

NAC Manager (CAM) Backups


The Cisco NAC Manager is the brain of the Cisco NAC solution. All configuration is stored in a database, which is what makes the solution scalable. With that said, a crucial step in any deployment is developing a backup plan to ensure that if the NAC Manager or Failover Pair fails (hardware failure, database corruption, administrator configuration mistake, fire, flood, sinkhole, etc.) the database can be restored and everything will be back up and working!

What gets backed up:

Everything that is stored in the database gets backed up. The following is a list of items that get backed up:

o Clean Access Server configuration information (DHCP, Managed Subnets, VLAN Mapping, Static Routes, filters, etc.)
o Filters (Device Filters, Subnet Filters)
o Posture Assessment (Checks, Rules, Requirements, etc.)
o Switch Management
o User Management (User Roles, Auth Servers, User Pages, Admin Users)
o Reports
o Licenses

What doesn't get backed up:

The less talked about item is what is not backed up. The following is a list of things that are not included in the database backup and must be backed up manually during deployment:

o Initial configuration information (service perfigo config) for the Managers and Servers. This means that good documentation of the initial network placement and IP addresses is a MUST.
o Failover configuration (good documentation will be the solution)
o Certificates (this is the #1 forgotten piece of information). Make sure to back up the private keys, root certificates, and CAM/CAS certificates, and store that copy at least as carefully as the CAM itself, since anyone holding the private key can impersonate the CAM/CAS.

Manual Backups:

The NAC Manager supports manual backups by going to Administration -> Backup, naming the snapshot, and clicking "Create Snapshot". The snapshot may be downloaded to the local PC if desired. Keep in mind that the snapshot contains the admin users and auth server settings, so treat the downloaded file as sensitive.

Figure 1 – Manual Backups

Automatic On-Box Backups:

The NAC Manager automatically creates daily snapshots of the Clean Access Manager database and preserves the most recent from the last 30 days. It also automatically creates snapshots before and after software upgrades, and before and after failover events. No configuration is required to enable these automatic backups. They are stored in the /perfigo/backup directory on the CAM.

Figure 2 – Automatic On-Box Backups

Automatic Off-Box Backups:

The first two methods are great, but what happens if the CAM gets caught in a fire? This is why a backup strategy must include automatically sending backups to another device that will not take the same hit as the CAM (think different location). Cisco has provided a script on the CAM (/perfigo/control/bin/pg_backup) that takes a database backup and sends it to an external FTP server. The following is the procedure for using the pg_backup script to send the DB backup to an FTP server nightly (see the example for details):

o Log in to the CAM as root
o cd /perfigo/control/bin
o Test the pg_backup script by running it once by hand and confirming the file arrives on the FTP server
o Create a crontab file to use with cron (the example runs pg_backup every morning at 2:30am)
o Import the crontab file
o Verify the file imported correctly (crontab -l)

Figure 3 – Automatic Off-Box Backups
If FTP is not available within an organization, or is not acceptable because it sends both the FTP password and the backup across the network in cleartext, SCP/NFS/SFTP may be utilized by creating a custom backup script or hiring a consultant to create one for the organization. Also, please note that the pg_backup script always names the file "csdb.gz", so each nightly run overwrites the previous copy on the FTP server. In order to keep multiple backups, create a backup rotation script on the FTP server or modify pg_backup to include a date in the file name.
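As an added example (not part of the original post, and not Cisco's pg_backup script), here is a custom off-box script of the kind just described: it copies the CAM's own newest daily snapshot out of /perfigo/backup to another host over scp, gives the copy a dated name so nightly runs never overwrite each other, and keeps only a bounded number of staged copies. The staging directory, the remote user/host/path, the script name cam_offbox_backup.sh, key-based scp access to the backup host, and the decision to take the newest regular file in /perfigo/backup (the snapshot file names are not documented here) are all assumptions.

```shell
#!/bin/sh
# cam_offbox_backup.sh (hypothetical name): off-box copy of the CAM's daily
# snapshot over scp with dated file names and rotation. Added example, not
# Cisco's pg_backup. Only /perfigo/backup comes from the CAM documentation;
# every other path, host and user below is an assumption.
set -u

SNAPSHOT_DIR=${SNAPSHOT_DIR:-/perfigo/backup}                        # CAM on-box snapshots
STAGE_DIR=${STAGE_DIR:-/perfigo/backup/offbox}                       # assumed staging dir
REMOTE=${REMOTE:-cambackup@backup-host.example.com:/srv/cam-backups}  # assumed target
KEEP=${KEEP:-14}                                                     # dated copies to retain

# Print the path of the most recently modified regular file in $1
# (directories are skipped; prints nothing and returns 1 if there is none).
newest_snapshot() {
    name=$(ls -tp "$1" | grep -v '/$' | head -n 1)
    [ -n "$name" ] && printf '%s/%s\n' "$1" "$name"
}

# Build a name that sorts chronologically: <YYYYMMDD-HHMM>-<original name>.
# This is what pg_backup's fixed "csdb.gz" lacks, so one run per night
# never overwrites the previous one.
dated_name() {
    # $1 = source file, $2 = timestamp in YYYYMMDD-HHMM form
    echo "$2-$(basename "$1")"
}

# Keep only the newest $2 files in $1 (newest by name, which works because
# of the timestamp prefix) and delete the rest.
rotate_backups() {
    dir=$1; keep=$2
    ls -1p "$dir" | grep -v '/$' | sort -r | tail -n +"$((keep + 1))" |
    while read -r name; do
        rm -f "$dir/$name"
    done
}

# Number of regular files in $1, used to confirm that rotation did its job.
count_files() {
    ls -1p "$1" | grep -v '/$' | wc -l | tr -d ' '
}

# The nightly job: stage a dated copy of the newest snapshot, push it off-box,
# then prune old staged copies. Any failure returns non-zero so cron reports it.
run_offbox_backup() {
    ts=$(date +%Y%m%d-%H%M)
    src=$(newest_snapshot "$SNAPSHOT_DIR")
    [ -n "$src" ] || { echo "no snapshot found in $SNAPSHOT_DIR" >&2; return 1; }
    mkdir -p "$STAGE_DIR"
    dst=$STAGE_DIR/$(dated_name "$src" "$ts")
    cp "$src" "$dst" || return 1
    # -q keeps cron mail quiet on success; key-based login to REMOTE is assumed.
    scp -q "$dst" "$REMOTE/" || { echo "scp to $REMOTE failed" >&2; return 1; }
    rotate_backups "$STAGE_DIR" "$KEEP"
}

# Only run the job when invoked with "run", so the functions can be sourced
# and exercised on their own. Matching crontab line (2:30 every morning):
#   30 2 * * * /perfigo/control/bin/cam_offbox_backup.sh run
if [ "${1:-}" = run ]; then
    run_offbox_backup
fi
```

Installing it follows the same steps as the pg_backup procedure above: save it on the CAM (the example assumes /perfigo/control/bin/cam_offbox_backup.sh), make it executable, run it once by hand with "run" and confirm the dated file shows up on the backup host, then put the crontab line in a file, import it with crontab, and verify with crontab -l. Run the same rotate_backups function on the backup host too, otherwise the remote directory grows without bound. Since the snapshot holds the CAM's admin users and auth server settings, give the backup account on the remote host write access only to its own directory and nothing else.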


Backups are vital to ensuring NAC will be back up and running quickly after any failure. Be sure a strong backup strategy, covering both the database snapshots and the items that are not in them, is included in any deployment.

Sources: CAM Installation & Configuration Guide v4.1.3

Coming Up Next: Restores

Happy Cisco-Live week to everyone attending in Orlando and make sure to sign up for the NAC Deployment or NAC Troubleshooting session.
