|
|
This chapter describes how to install the various Cisco User Control Point (UCP) components. The installation procedure involves the following steps, which must be completed in the following order:
1. Installing the Oracle Enterprise Database Software
2. Installing the ActiveWeb Software
3. Installing the CiscoSecure ACS
4. Installing the UCP UNIX Components
5. Creating UCP Tables and Triggers - Part 1
6. Configuring and Starting the ActiveWeb and SMS Database Adapters
7. Importing UCP Events into the Information Broker
8. Creating UCP Tables and Triggers - Part 2
9. Installing the NCC from the Windows NT CD-ROM
10. Configuring and Starting UCP Services
11. Installing the CiscoSecure Global Roaming Server
12. Installing the NetFlow Collector
ActiveWeb, UCP, and the CiscoSecure Access Control Server (ACS) run on one or more Sun Solaris systems. The Network Control Console (NCC) runs on a Windows NT system.
Before installing any UCP components, you must install the Oracle Enterprise database software. Oracle does not need to be installed on the server where other UCP components are running and can be accessed using SQL*Net or by mounting the Oracle directory.
This section describes how to install and configure an Oracle database for use with UCP.
Before installing Oracle, add the following lines to the /etc/system file:
During Oracle installation, assign tablespace disk usage as follows:
Note To reduce I/O contention, assign each tablespace to a separate partition or, ideally, a separate disk drive.
After Oracle is installed, complete the procedures described in this section.
To set the superuser environment, follow these steps:
Step 2 Add $ORACLE_HOME/bin to root's PATH environment variable.
To specify the Oracle compatibility, follow these steps:
Step 2 Find the line:
and change it to the following:
Step 3 Save the file and exit the text editor.
To create tablespace for UCP, follow these steps:
where oracle_data_dir is the directory where the tablespace will be stored.
Step 2 Use SQL to create a tablespace for UCP indexes named UCP_IDX. Assign 100 MB for the first 10,000 user profiles plus 70 KB for each additional 100 user profiles. For example:
where oracle_data_dir_2 is a different directory where the tablespace will be stored.
Use SQL to create a UCP user account. For example:
where ucpuser and ucppass is the name and password of the UCP user account.
To start the Oracle database, log in to the server using the Oracle UNIX account and complete the following steps:
Step 2 Start the srvrmgrl utility that is located in the /$ORACLE_HOME/bin directory.
Step 3 Enter the following commands:
To stop the Oracle database, log in to the server using the Oracle UNIX account and complete the following steps:
Step 2 Start the svrmgrl utility.
Step 3 Enter the following commands:
The following components must be able to access the Oracle database:
To ensure that they can access the Oracle database, install them on the system running Oracle, install SQL*Net, or NFS mount the Oracle directory.
Note Regardless of how the Oracle database is accessed, make sure the environment variable ORACLE_HOME is set on the client host.
To mount the Oracle directory, follow these steps:
Step 2 From the remote machine, enter the following command:
where pathname is the location of the Oracle directory.
Step 3 From the local machine, enter the following command:
where ip_address is the IP address of the remote machine, path_remote is the location of the remote Oracle directory, and path_local is the location of the local directory where the Oracle directory will be mounted.
Whether a client mounts a database or uses SQL*Net, you must create a tnsnames.ora file. To do this, create the file /var/opt/oracle/tnsnames.ora. and add the following lines:
where hostname is the name or IP address of the server running Oracle, port_number is the port used to communicate with the client (default: 1521), and SID is the database server ID.
To set up a server host, open the /$ORACLE_HOME/network/admin/listner.ora file and append the following lines:
where hostname is the name or IP address of the server running Oracle, port_number is the port used to communicate with the client, SID is the database server ID, and oracle_home is the Oracle directory.
Note After setting up the server host, start the TNS listener utility by changing to the $ORACLE_HOME/bin directory and entering lsnrctl start tcp_listener.
To verify that you can connect to the Oracle database, change to the $ORACLE_HOME/bin directory and enter the following command:
where TNS_name is the TNS name defined in the tnsnames.ora file.
Certain ActiveWeb software components are required to run UCP. This section explains how to install the ActiveWeb software.
The ActiveWeb software provides components that allow the various UCP services to communicate with each other by means of predefined events.
The following components are installed during the ActiveWeb installation:
Note Make sure the Oracle server can be accessed from the machine where the ActiveWeb software is installed. For more information, see the "Accessing the Oracle Database" section. Note also that the client software for your Subscriber Management System (SMS) must be able to communicate with the ActiveWeb database adapter (dbAdapter).
Install the ActiveWeb software on any system that requires an ActiveWeb component. Make sure you install it on the systems that will run Information Brokers.
Step 2 Log in as root.
Step 3 Change to the /cdrom/activesw directory and run install.ksh.
Step 4 Locate the Install Keys for the following components:
Note The Install Keys are located in the ActiveWeb CD-ROM booklet.
Step 5 When prompted, enter the Install Keys on a single line. Separate each key with a single space. For example:
Note Enter only the Install keys. Do not enter License Keys until prompted.
Step 6 Follow the installation prompts until you are prompted to select installation directories for the ActiveWeb components. Cisco recommends that you accept the default values.
Step 7 Follow the installation prompts until you are prompted to enter a domain name. Enter the domain name. If you are not sure of the name, check the hosts file.
To find the domain name, change to the directory where the hosts file is located (default: /etc) and enter the following:
The text that appears after the machine name is the domain name. In this example, the domain name is "cisco.com."
Step 8 When prompted, enter the ActiveWeb Broker license key. The license key is located in the ActiveWeb CD-ROM booklet.
Step 9 Repeat this procedure for each ActiveWeb installation.
After installing the ActiveWeb software, the Information Broker starts automatically. To verify the broker is working, use the broker_ping command. Change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
Because all events flow through the Information Broker, it is a potential performance bottleneck. To improve performance and throughput, UCP event traffic can be distributed between up to four brokers. Assign each broker to one of the following categories:
Note All UCP services can communicate with up to four brokers. To configure UCP services to communicate with multiple brokers, use the NCC.
Multiple ActiveWeb Information Brokers can be installed on a single system or multiple systems. However, if all brokers are started on the same system, they share the same resources. If one broker becomes overloaded, it might affect the performance of the other brokers.
Note UCP services access brokers through a combination of the host name or IP address and the broker name. For example, four brokers named Broker#1 can be located on four separate hosts.
To create and start the ActiveWeb Information Brokers, follow these steps:
Step 2 From the File menu, select Add Broker Host. Enter the name or IP address of a broker host and click OK.
Repeat this step for each broker host.
Step 3 Add brokers to broker hosts.
Note By default, Broker #1 is created when ActiveWeb is installed. Therefore, when you click on a broker host in the left frame of the manager window, you should see Broker #1 in the right frame. If you are using four broker hosts and Broker#1 appears in the right frame for each host, you do not need to add more brokers.
From the File menu, select Add Broker Host. Enter a name for the broker and click OK.
The broker is added. Repeat this step until all four brokers are created.
Step 4 When you are finished, exit the manager utility.
Note Cisco recommends that the Inter-Component broker runs on a separate machine.
To control access to ActiveWeb Information Brokers, set up network access lists (NALs). NALs control which IP addresses have access to a broker or client group operations.
To set up a NAL, follow these steps:
Step 2 Select the local host. From the File menu, select Properties.
The Properties window appears.
Step 3 Click the Security tab.
Step 4 Select Allow access from only these machines and add all machines that will be allowed to access the local host.
Step 5 Click OK.
Step 6 Select a broker. From the File menu, select Properties.
The Properties window appears.
Step 7 Click the Security tab.
Step 8 Select Allow access from only these machines and add all machines that will be allowed to access the broker.
Step 9 Click OK.
Step 10 Select a broker's Client Groups folder and double-click default.
The Properties window appears.
Step 11 Click the Security tab.
Step 12 Select Allow access from only these machines and add all machines that will be allowed to access the broker.
Step 13 Click OK.
Step 14 Repeat Steps 6 through 13 for each Broker on the local host.
Step 15 Repeat this procedure for each local host.
To check whether the broker is running, use the broker_ping or enter the following:
To manually start the ActiveWeb processes and the Information Broker, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
To manually stop the ActiveWeb processes and the Information Broker, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
The CiscoSecure ACS provides the authentication, authorization, and accounting (AAA) services used by UCP. This section provides instructions for installing a customized version of the CiscoSecure ACS provided with UCP. For more detailed information on the installation procedure for the CiscoSecure ACS, see the chapters "Preparing to Install the CiscoSecure ACS Software," and "Installing the CiscoSecure ACS Software" in the CiscoSecure ACS 2.2.1 for UNIX User Guide.
Note Make sure the Oracle server can be accessed from the machine where the CiscoSecure ACS is installed. For more information, see the "Accessing the Oracle Database" section.
The CiscoSecure ACS software shipped with UCP is provided on the same CD-ROM as the UCP software.
Note Before installing CiscoSecure ACS, make sure that the system is running Solaris version 2.5.1 with patches 103566-25, 103600-18, and 103640-14. To check the patch level, use the command showrev -p.
Follow these steps to install the CiscoSecure ACS from the UCP CD-ROM:
Step 2 Copy the package CiscoSecure-x.x.x.UCP.solaris.PKG.Z from the CD_ROM to the host where you will install CiscoSecure. For example, copy the package to /tmp.
Step 3 Change directories to /tmp.
Step 4 Uncompress the package using the following command:
Step 5 Transfer the package into a Solaris installable package using the following command:
When prompted to select packages to install, press Enter. The Solaris installable package is created.
Step 6 Install the package by entering the following command:
Step 7 Follow the installation prompts until prompted to select a directory. Enter the directory in Table 1-1 (default: /opt/acs).
Step 8 Follow the installation prompts until prompted to enter the fully qualified domain name. For example, if the system is named "machine1" and the domain is "cisco.com," you would enter machine1.cisco.com.
Step 9 When prompted, enter the CiscoSecure ACS license key. The license key is located in the UCP CD-ROM booklet.
Step 10 When prompted to enter the TACACS+ NAS name, press Enter. UCP does not use TACACS+.
Step 11 When prompted to enter the TACACS+ NAS secret key, press Enter.
Step 12 Follow the installation prompts until prompted to select a database. Enter 2 for Oracle Enterprise.
Step 13 When prompted to enter the username and password for the Oracle database, use the username and password in Table 1-1. For more information, see <Xref_Color><Xref_Color>the "Installing the Oracle Enterprise Database Software" section.
Step 14 Enter the Oracle database TNS name. For more information, see <Xref_Color>the <Xref_Color>"Accessing the Oracle Database" section.
Step 15 When prompted, enter the location of the NFS mounted oracle directory. For more information, see the "Accessing the Oracle Database" section.
Step 16 Continue following the installation prompts. Accept the default values until prompted to select the number of database connections. Cisco recommends at least 10 connections.
Note Do not select more than 40 connections. Otherwise, CiscoSecure ACS might not start due to insufficient file descriptors.
Step 17 Continue following the installation prompts. After CiscoSecure ACS is installed, verify that the SQL tables were created.
To verify CiscoSecure Installation, complete the following steps:
where ucpname and ucppass are the username and password used for Data Store in the Oracle database and TNS_name is the TNS name defined in the tnsnames.ora file.
Step 2 Confirm that 18 entries were created by entering:
Step 3 Exit SQL*Plus.
The UCP UNIX components must be installed on each system that will run UCP services. For a list of systems that will run UCP services, review Table 1-1.
Follow these steps to install UCP on each target server:
Step 2 Become root on the target system.
Step 3 Copy the UCP package CSCEucp.x.x.x.PKG.Z into a temporary directory. For example, copy the file to /tmp.
Step 4 Change to the temporary directory.
Step 5 Uncompress the package by entering:
where x.x.x is the UCP version number you are installing.
Step 6 Install the package by entering:
You are prompted to accept the UCP license agreement.
Step 7 Enter y.
You are prompted to enter the target directory for the installation.
Step 8 Enter the UCP directory you specified in Table 1-1 (default: /opt/ucp).
You are prompted to enter the name of the POP so the target server (the system on which you are installing) will appear in the NCC display.
Step 9 Enter the name of the POP. All UCP components must belong to the same POP.
Note The POP name you enter must also be defined using the NCC interface for the target server to appear in the NCC directory tree.
You are prompted to enter the name or IP address of the host where the Information Broker that will communicate with the server is running.
Step 10 Enter the IP address or the host name of the host where the ActiveWeb Information Broker is installed.
You are prompted to specify whether to turn on the service monitor feature. When this feature is on, it automatically restarts a UCP service for the server if the service goes down.
Step 11 Specify whether you want the service monitor feature turned on or off.
Cisco recommends that you answer y to this prompt.
You are prompted to copy the control adapter start and stop scripts to the rc2.d and rc0.d directories.
Step 12 Enter y and press Enter.
You are prompted to start the master daemon automatically after the installation. The master daemon monitors the health of services.
Step 13 Specify when to start the master daemon:
Note If you enter n in response to this prompt, you can still start or stop the
master daemon at any time by executing the following command from the UCP
directory:
./S97MasterDaemon {start | stop}
If the master daemon does not start, make sure the events are loaded in the active
broker.
The system prints out your selections and prompts you to verify them.
Step 14 To change any of your selections, enter y and you will be prompted to reenter your selections. Otherwise, enter n.
You are prompted to continue the installation process.
Step 15 Enter y to complete the installation.
The installation process is complete. A log of the installation processing is saved in the file /tmp/ucp_install.log. Repeat the above procedure for each system running UCP services.
To verify the UCP master daemon is running, enter the following command from the command line interface of each system where you installed UCP components:
To manually stop the master daemon, change to the UCP directory (default: /opt/ucp) and enter the following command:
To manually start the master daemon, enter:
To create tables and triggers in the Oracle-based UCP Data Store, follow these steps:
Step 2 Exit SQL*Plus.
Step 3 Change to the /ds/install directory where UCP s installed (default: /opt/ucp/ds/install).
Step 4 Start the dbinstall utility by entering:
Step 5 Select a tablespace for UCP table objects by entering:
Select the number that corresponds to the UCP tablespace (UCP_TBL).
Step 6 Select a tablespace for UCP index objects by entering:
Select the number that corresponds with the UCP index tablespace (UCP_IDX).
Note For improved performance, Cisco recommends that you store index and table objects in different tablespaces and on different disk drives. However, the same tablespace can be used for both index and table objects.
Step 7 Install part 1 of UCP tables and triggers by entering:
Step 8 Exit dbinstall by entering:
If you are using an Oracle SMS database, follow these steps:
Step 2 Start the dbinstall utility by entering:
Step 3 Select a tablespace for UCP table objects:
Select a tablespace for SMS table objects.
Step 4 Select a tablespace for SMS index objects by entering:
Select a tablespace for SMS index objects.
Step 5 Install the UCP tables in the SMS database by entering:
Step 6 Exit dbinstall by entering:
The UCP Data Store requires a database adapter (dbAdapter) to communicate with the information bus.
If you are using an SMS, you must install an SMS dbAdapter to communicate with the information bus and the UCP Data Store.
For detailed information about configuring a Database Adapter in the Solaris environment, refer to "Configuring and Starting a dbAdapter on Solaris 2.x" in the ActiveWeb Installation Guide.
Note Make sure the Oracle server can be accessed from the machine where the dbAdapters are installed. For more information, see the "Accessing the Oracle Database" section.
Follow these steps to configure and start the dbAdapter(s):
The ActiveWeb Adapter configuration window appears.
Step 2 If you are not configuring an SMS dbAdapter, continue to the next step. Otherwise, do the following.
The Configure Database Adapter window appears.
The Configure Database Adapter window appears.
(e). If your SMS uses another database, such as Informix or Sybase, specify the correct information for the fields on the configuration tab. Refer to the ActiveWeb documentation for detailed information.
(f). Press Test. You should see a "No Problems Found" message.
Step 3 Configure the dbAdapter to communicate with the UCP Data Store.
The Configure Database Adapter window appears.
The Configure Database Adapter window appears.
Step 4 Click OK.
Step 5 Select Save and Restart Adapters, then exit from the configuration utility.
If you need to start or stop the dbAdapters, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
Note The dbAdapter must be properly configured and running before you can load events into the Information Broker. If you are able to view the table names in your database using the ActiveWeb query_editor utility, the dbAdapter is properly configured. Definitions for the events the UCP components use to communicate with each other are provided in the /opt/ucp/events/eventdefs.evt file.
To enable UCP components to communicate over the Information Bus, import the event definitions with the ActiveWeb manager utility.
The following steps provide brief instructions for importing event definitions. For detailed information on using the manager utility, see "Importing Information From a File Into a Broker" in the ActiveWeb Broker User Guide.
Step 2 Expand the tree of the host where the broker is running.
Step 3 Select a broker (default: Broker #1).
Step 4 From the File menu, select Import.
Step 5 The Import From File window appears.
Step 6 Browse the list of files and select eventdefs.evt (default location: /opt/ucp/events).
Step 7 Click Open.
Step 8 The Import window appears.
Step 9 Ensure that:
Step 10 Click Import.
Step 11 Repeat Steps 2 through 10 for each broker.
Step 12 Stop and Restart the dbAdapters as described in the "Starting and Stopping the dbAdapters" section.
Follow these steps to create additional tables and triggers in the UCP Data Store:
Step 2 Start the dbinstall utility:
Step 3 Select a tablespace for UCP table objects:
Select the number that corresponds to the UCP tablespace (UCP_TBL).
Step 4 Select a tablespace for UCP index objects:
Select the number that corresponds with the UCP index tablespace (UCP_IDX).
Note For improved performance, Cisco recommends that you store index and table objects in different tablespaces and on different disk drives. However, the same tablespace can be used for both index and table objects.
Step 5 Install part 2 of UCP tables and triggers by entering:
Step 6 Verify installation of UCP database objects by entering:
Step 7 Exit dbinstall by entering:
You can install NCC on a Windows NT server or a Windows NT workstation as follows:
Step 2 From My Computer on your desktop, select the CD-ROM drive and double-click setup.exe.
Step 3 Follow the instructions in the prompts displayed by the setup program.
Step 4 After installation, start the NCC. To start the NCC, click Start, point to Programs, point to Network Control Console, and click NCC.
Step 5 Enter the NCC username (default: admin) and password (default: admin).
Step 6 From the Tools Menu, select Options.
The Options properties sheet appears.
Step 7 Verify that NCC is pointing to the correct broker. You can do this by making sure the Broker Host field indicates the host name IP address of the default broker.
Step 8 Click OK.
Step 9 From the Tools Menu, select AWAD Configuration.
The AWAD Configuration dialog box appears.
Step 10 Make sure the host name or IP address of the default broker is in the Broker Name field.
Step 11 Exit and restart NCC.
Step 12 Right-click Root and select New POP from the popup menu. Enter the POP name.
Within a few minutes, servers belonging to the POP will begin appearing in the NCC directory tree.
After you have installed UCP and the NCC, you can start and configure the individual UCP services as described in the following sections.
Before attempting to configure or start UCP services, the master daemon must be running on each system that will run UCP services. If you selected the option to automatically start the master daemon after installation of the UCP UNIX components, you do not need to do anything. If you chose not to start the master daemon after installation of the UCP UNIX components, you must start the master daemon on each system where it was not started.
If you are not sure whether the master daemon is running, enter the following command:
To manually start the master daemon, go to the UCP installation directory and enter the following command.
Or, enter the following command at the system prompt:
where install_directory is the name of the directory where UCP was installed.
After the master daemons are running, you can start UCP services from the NCC.
If UCP is using multiple Information Brokers, they must be configured to accept event categories (such as: heartbeat, inter-component, data transfer, and accounting events) from services that are configured and started from the NCC.
Note For information on configuring multiple ActiveWeb Information Brokers, see the "Creating and Starting Multiple ActiveWeb Information Brokers" section.
If UCP is using a single Information Broker, continue to the next procedure. Otherwise, follow these steps:
The NCC Application Options properties sheet appears.
Step 2 Click the Brokers tab.
Step 3 In the Default Broker Hosts section, select a broker for the following:
Step 4 Click OK.
Before starting the DS Adapter, make sure CiscoSecure ACS is installed or mounted on the host on which you start the DS Adapter. If it is mounted, make sure the TNS file is properly configured on the ACS machine. Provide the appropriate command-line interface (CLI) path in the NCC configuration.
To start the DS Adapter, follow these steps:
Step 2 From the Server menu, select Start New Service.
Step 3 Select Data Store Adapter.
The Data Store property sheet appears.
Step 4 Click the Specific tab.
Step 5 Configure the following settings:
(a). Select cliscriptpath and enter the path to the CLI directory (default: /opt/acs/CLI) on the system where CiscoSecure ACS is installed.
(b). Select dbserverhost and enter the host name or IP address of the system where the CiscoSecure ACS is running.
(c). Select dbserverport and enter the port number on which the DB server on the CiscoSecure ACS is configured to listen (default: 9900).
Step 6 Click Apply.
Step 7 Click Start. Within a few minutes, the service will appear in the NCC directory tree.
Before starting the SMS Adapter, verify that the DS Adapter and Oracle dbAdapters are up and running:
Step 2 From the Server menu, select Start New Service.
Step 3 Select SMS.
Step 4 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
This section describes how to start the mother cache and the local caches.
To configure and start the mother cache, follow these steps:
Step 2 From the Server menu, select Start New Service, point to Cache, and click Master Cache.
The Cache Manager Properties property sheet appears.
Step 3 Click the Communications tab.
Step 4 In the ListeningPortNum parameter, specify the port that the mother cache will use to listen for update packets (default: 5521).
Note The translation server must be configured to send requests to this port.
Step 5 Click Apply.
Step 6 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
At each system where a local cache is installed, complete these steps to configure and start the local cache:
Step 2 From the Server menu, select Start New Service, point to Cache, and click Local Cache.
The Cache Manager Properties property sheet appears.
Step 3 Click the Communications tab.
Step 4 In the ListeningPortNum parameter, specify the port number that the local cache will use to listen for update packets (default: 5522).
Note The translation server must be configured to send requests to this port.
Step 5 Click the Specific tab.
Step 6 Go to the peercaches section.
Step 7 Select Primaryserver and enter the port number (default: 5521) and machine name where the mother cache is running. For example:
where host_name is the name or IP address of the host running the mother cache.
Step 8 If there is a secondary mother cache, select Secondaryserver1 and enter the port number (default: 5521) and machine name where the secondary mother cache is running. For example:
where host_name is the name or IP address of the host running the secondary mother cache.
Step 9 Click Apply.
Step 10 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
To configure and start the Translation service, follow these steps:
Step 2 From the Server menu, select Start New Service.
Step 3 Select Translation Service.
The Translation Properties property sheet appears.
Step 4 Click the General tab and make sure the broker points to the correct machine.
Step 5 Click the Communications tab.
Step 6 In the ListeningPortNum parameter, specify the port number that the Translation service cache will use to listen for update packets (default: 9921).
Note CiscoSecure ACS should be configured to send requests to this port on the translation server. To confirm CiscoSecure ACS is sending requests to the proper port, check the libdb.conf file that is located in the /CSU directory where CiscoSecure ACS is installed (default: /opt/acs/CSU). Make sure it contains the name or IP address of the host where the Translation service runs.
Step 7 Click the Specific tab.
Step 8 Go to the userrecordrequester section.
Step 9 Select Primaryserver and specify the port number (default: 5522) and the machine name where the local cache is running. For example:
where host_name is the name or IP address of the host running the local cache.
Step 10 Click the Performance tab.
Step 11 Make sure the MaxThreads parameter is set to more than the MaxConnection parameter in $ACS_INSTALLED_DIR/CSU/libdb.conf.
Step 12 Click Apply.
Step 13 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
Note Cisco recommends setting the time interval to wait before a port can be reused to
5 seconds on the machine running Translation service. The Solaris default is 240000 ms
(4 minutes) and the minimum that can be set is 1 second. To set the parameter, enter:
ndd -set /dev/tcp tcp_close_wait_interval 5000.
To check the parameter setting, enter:
ndd /dev/tcp tcp_close_wait_interval.
Note Before configuring CiscoSecure ACS, make sure the libdb.conf file points to the listening port and IP address of the translation server. The libdb.conf file is located in the CSU directory where CiscoSecure is installed (default: /opt/acs/CSU).
After installing the CiscoSecure ACS, the Network Control Console (NCC), and UCP, you can use the NCC to start and stop the CiscoSecure ACS. Follow these steps:
Step 2 From the Server menu, select Start New Service.
Step 3 Select CiscoSecure.
The CiscoSecure Properties property sheet appears.
Step 4 Click Start.
The CiscoSecure ACS starts. Within a few minutes, the service will appear in the NCC directory tree.
After you install the CiscoSecure ACS, you must configure it to communicate with UCP. This section provides a brief procedure for doing this. For detailed ACS configuration information, see the CiscoSecure ACS for UNIX 2.2.1 User Guide.
Step 2 Click Advanced.
Step 3 Click Servers.
Step 4 Click on the IP address of the CiscoSecure ACS.
Step 5 Select the port (default: 1645) that CiscoSecure ACS will use to listen for authorization and authentication packets from the UCP Protocol Gateway Service (PGS). The port number you specify here should be the same as the port number you specified in the primaryserver parameter under the a1anda2requester section.
Step 6 Select the port (default: 1646) that CiscoSecure ACS will use to listen for accounting packets from the UCP Protocol Gateway Service (PGS). The port number you specify here should be the same as the port number you specified in the primaryserver parameter under the a1anda2anda3requester section.
The procedure for configuring the PGS is described in the section "Configuring and Starting the Protocol Gateway Service" earlier in this chapter.
Follow these steps to configure and start the Protocol Gateway Service (PGS):
Step 2 From the Server menu, select Start New Service.
Step 3 Select PGS.
The Protocol Gateway Properties property sheet appears.
You can now configure the PGS as described in the following sections. When you are done configuring the PGS, click Apply. Then, click Start to start the service.
Step 2 Go to the radius section.
Step 3 Configure the portnumber parameter for the PGS.
The portnumber parameter specifies the port number on which the PGS listens for RADIUS authentication and authorization requests (default: 1645).
Step 4 Go to the a1anda2requester section. This section specifies RADIUS authentication and authorization settings.
Step 5 In the primaryserver parameter, specify the port number (default: 1645) and machine name where the CiscoSecure ACS is listening. For example:
specifies that PGS will forward RADIUS packets to the primary CiscoSecure ACS abcd-ultra, which is listening for authentication and authorization requests on port 1645.
Note Verify that the CiscoSecure ACS that is running on the specified server is listening on the same port. If you have more than one CiscoSecure ACS, specify it as the secondary server.
You can leave the rest of the configuration parameters set to the default settings.
Step 2 Go to the radacct section (accounting section).
Step 3 In the portnumber parameter, specify the port on which the PGS will listen for accounting requests (default: 1646).
Verify that your network access server (NAS) client is sending accounting packets to this port number.
Step 4 Go to the a1anda2anda3requester section.
Step 5 In the primaryserver parameter, specify the port number and machine name on which the CiscoSecure ACS is listening for accounting requests. For example:
specifies that PGS will forward accounting requests to the primary CiscoSecure ACS abcd-ultra, which is listening for accounting requests on port 1646.
Note If a secondary CiscoSecure ACS is running, set the secondaryserver parameter to specify the port number and host name of the secondary server.
Follow these steps to verify that CiscoSecure ACS is configured to use the correct ports to listen for authorization, authentication, and accounting (AAA) requests:
Step 2 Verify that the CiscoSecure ACS is configured to listen for authentication and authorization requests on the same port specified in the PGS configuration (a1anda2requester section, primaryserver parameter).
Step 3 Verify that the CiscoSecure ACS is configured to listen for accounting requests on the same port that was specified in the PGS configuration (a1anda2anda3requester section, primaryserver parameter).
Step 2 Go to the dhcp section.
Step 3 Set the configurationfile parameter to dhcp.cfg.
Step 4 In the portnumber parameter, specify the port number on which the PGS will listen for accounting requests (default: 67).
Step 5 Go to the dhcpforwardrequester section.
Step 6 In the primaryserver parameter, specify the port number and machine name of the DHCP server. For example:
specifies that PGS will forward DHCP requests to dhcp-ultra, which is listening for DHCP requests on port 3000.
Step 7 Verify the DHCP service is running on the same host (for example, dhcp-ultra) and listening on the same port (for example, port 3000) for DHCP requests.
Step 8 Go to the Debug section.
Step 9 Set the NoIPCollector parameter value to 0.
Step 10 Set the NoUserRecordUpdater parameter value to 0.
Step 11 Set the Enable parameter to 1.
Step 2 Go to the RadiusStateMachine section.
Step 3 Create a new parameter and name it DynamicIP. Set its value to Terminal.
Step 4 Select the A1andA2 parameter and change its value to DynamicIP.
Step 5 Go to the requesters section. Select the list parameter and add DynamicIP to the list of services.
Step 6 Go to the dynamiciprequester section.
Step 7 In the primaryserver parameter, specify the port number and machine name of the DHCP server. For example:
specifies that PGS will forward DHCP requests to dhcp-ultra, which is listening for DHCP requests on port 3000.
Step 8 Go to the debug section and make sure the values of NoIpCollector and NoUserUpdater are set to 0.
Step 9 Click Apply.
Step 10 Open the radius.cfg file with a text editor (default: /opt/ucp/config/radius.cfg) and make sure the parameter NoDynamicIP is set to 0.
When you have completed the PGS configuration, click Apply, then Start to start the PGS. Within a few minutes, the service will appear in the NCC directory tree. To view log information, see the file /tmp/pgw.log.
In order for PGS to be aware of and perform service for NASes, do the following:
Step 2 In the Protocol Gateway Properties sheet, click the Valid Clients tab.
Step 3 Click Select.
A list of available NASes appears.
Step 4 Select a client to make a known client of PGS and click the < button.
Note To make all of the NASes known clients of PGS, click the << button.
Step 5 Click Done.
Step 6 Click Apply, then OK.
When users log in and are authorized for network services by UCP, the DHCP service assigns them one or more IP addresses that correspond to specific service levels. To set up address pools that can be correlated with specific service levels, you must edit the DHCP service configuration file, dhcpd.conf.
Follow these steps to configure and start the DHCP service:
Step 2 From the Server menu, select Start New Service.
Step 3 Select DHCP.
The DHCP Properties property sheet appears.
Step 4 Click the Specific tab.
Step 5 Specify the listening port number in the ListeningPortNum parameter (default: 2000).
The listening port number must be the same one that was configured for PGS to talk to the DHCP service.
Step 6 Go to the dhcp section.
Step 7 Select the ScavengerRate parameter and set its value to -1.
Step 8 Select the ScavengerThreshold parameter and set its value to -1.
Step 9 Start the DHCP service by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
For logging information, see the file /tmp/dhcpd.log.
Complete these steps to configure and start the DNS service:
Step 2 From the Server menu, select Start New Service.
Step 3 Select DNS.
The DNS Properties property sheet appears.
Step 4 Click the Communications tab.
Step 5 In the ListeningPortNum parameter, specify the listening port number (default:1000).
Step 6 Click the Specific tab.
Step 7 Set the allowrecursion parameter to on.
Step 8 Set the usethreadpool parameter to on.
Step 9 Start the DNS server by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
The Accounting Parser is an optional component that is included with UCP. To configure and start the Accounting Parser, complete the following steps:
Step 2 From the server menu, select Start New Service.
Step 3 Select Accounting Parser. The Accounting Parser Properties property sheet appears.
Step 4 Click the General tab and make sure the broker is pointing to the correct machine.
Step 5 Click the Specific tab.
Step 6 Select AccountingDirectoryName and enter the path to the accounting directory where the AAA server writes accounting information.
Step 7 Select TimeInterval and specify how often (in seconds) the NetFlow Parser will parse the NetFlow accounting file.
Step 8 Select GuidTarget and enter SMSAdapter.
Step 9 Start the Accounting Parser by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
Complete these steps to start the Accounting tool:
Step 2 Edit the accttool.cfg file.
Step 3 Specify the broker host, server name, and the accounting directory.
The accounting directory is where the Accounting tool will write the accounting information.
Step 4 Change to the ucp directory:
Step 5 Enter the following command:
Complete these steps to install the CiscoSecure Global Roaming Server (GRS). For more detailed information, refer to the CiscoSecure Global Roaming Server User Guide.
Note Make sure the Oracle server can be accessed from the machine where the GRS is installed. For more information, see the "Accessing the Oracle Database" section.
Step 2 Log in as root.
Step 3 Insert the CiscoSecure GRS CD-ROM into the CD-ROM drive.
Step 4 At the command prompt, enter:
Step 5 At the command prompt, enter:
This installs CiscoSecure GRS in the default directory: /opt/CSCOgrs.
Note To install to a directory other than the default, enter pkgadd -a none -d.
Step 6 The installation program prompts you for an installation directory.
Note When specifying an installation directory, be sure the directory does not reside within the path specified by the -d option.
The NetFlow Collector collects accounting information about UCP user sessions and stores the information in an accounting file from which you can extract data such as user time online and services used.
You can install the NetFlow Collector on any server that has a network connection to a Cisco 7000 series router.
Complete these steps to install the NetFlow Collector:
Step 2 Insert the UCP installation CD-ROM into the system's CD-ROM drive.
Step 3 Go to the directory that you just created:
Step 4 Copy the NetFlow installation file from the CD-ROM to the netflow directory:
Step 5 From the NetFlow directory, enter the following command:
Step 6 Review the NetFlow README file.
Step 7 Enter the following command:
The NetFlow Collector is installed in the directory /opt/CSCOnfc.
Step 8 Edit the system's .cshrc file to add the following lines:
Step 9 Save your changes.
Step 10 If NetFlow switching is not already enabled on the router, configure the router to enable NetFlow switching or contact the router administrator to set up NetFlow switching on the router.
For detailed information on configuring the router for NetFlow switching, refer to the chapter "Configuring the NetFlow FlowCollector" in the NetFlow FlowCollector Installation and User Guide.
Note If the master daemon is already running, stop it and start it so that the environment variables are set properly. Otherwise, the NetFlow Collector will not start.
Note the following points regarding the NetFlow installation:
Step 2 From the server menu, select Start New Service.
Step 3 Select NetFlow.
The NetFlow Properties property sheet appears.
Step 4 Click the General tab and make sure the broker points to the correct machine.
Step 5 Click the Specific tab.
Step 6 Go to the userrecordrequester section.
Step 7 Set NetFlowDirectoryName to the value specified in the DataSetPath parameter in the nfconfig file (the NetFlow configuration file).
Step 8 Select the NFCheckTimeInterval parameter and specify how often (in seconds) the NetFlow Parser should parse the NetFlow accounting files.
Step 9 Select the NFCollectorDirectoryName parameter and enter /opt/CSCOnfg/bin.
Step 10 Select the GuidTarget parameter and enter SMSAdapter.
Step 11 Start the Netflow Parser by clicking Apply, then Start.
The NetFlow Parser starts, and this process automatically starts the NetFlow Collector.
Complete the following steps to install Netsys. For more detailed information, refer to the Cisco NSM Installation and Licensing Guide.
Step 2 Enter the following:
Step 3 Log in as a user:
Note You must log in as root to run the installation script. Also, you must have read permissions across all $ECSP_HOME directories and read/write permissions in the $HOME/netsys_data, $ECSP_HOME/resources/license, $ECSP_HOME/resources/scheduler, and $ECSP_HOME/data directories.
Step 4 Enter the following command to run the installation script from the command line:
Step 5 If you installed Netsys in the /opt/netsys directory, enter:
Step 6 Enter the following commands to obtain a license:
Step 7 Start the License Manager Daemon(lmgrd):
Step 8 Start Netsys from the NCC.
Step 9 Enter the following to start the Netsys GUI:
Note If the Netsys GUI doesn't come up, this indicates that there is a problem with the license.
Step 10 Complete the following steps to establish a baseline for Netsys to use to communicate with the router:
(b). Copy the router/NAS files into the directory.
(c). From the Netsys GUI, click file.
(d). Click new to create the new baseline.
(e). Select the directory where you have the configuration files for the router, for example, /tmp/config.
(f). Select the router(s) for which you want to create a baseline.
After you create a baseline, you can view reports of the baseline by clicking on the reports, or you can schedule a process by clicking the Schedule button.
After installing Netsys, you must configure the CiscoSecure ACS to transfer Virtual Private Dialup Network (VPDN) information to Netsys.
Step 2 Go to advanced mode.
Step 3 Click members.
Step 4 Create a new Group and name it "VPDN."
Step 5 Select the UCP-vIP-new Dictionary for the VPDN group.
Step 6 In ReplyAttributes, select the 9,1 Cisco avpair attribute twice.
Step 7 Click 9,1 Ciscoavpair and enter vpdn:tunnel-id=xxxx.
Step 8 Click the other 9,1 Ciscoavpair item and enter vpdn:ip-addresses=x.x.x.x.
Step 9 Click submit.
Note You can create users inside this group if you want.
Step 10 After you submit, if you have already scheduled the VPDN transfer process from Netsys, wait for about 10 minutes for it to appear on the NCC.
Step 11 If you haven't scheduled a VPDN collection, from the Netsys Administrator tool, click the Schedule button.
Step 12 In the Reports section, click Run VPDN Collection And Web Reports.
Step 13 Click the Schedule button.
A series of popup windows appear.
Step 14 Click OK to the series of windows that pop up to schedule your VPDN collection.
After you have scheduled the VPDN collection, the NCC is updated.
To uninstall UCP, follow these steps:
Step 2 Stop the master daemon for each system running UCP. Select a system running UCP. From the terminal prompt, change to the directory where UCP is installed (default: /opt/ucp) and enter the following command:
Step 3 After the master daemon stops, enter the following command:
Follow the prompts to remove the package.
Step 4 Repeat Steps 2 and 3 for each system running UCP components.
Step 5 Go to the system running CiscoSecure ACS.
Step 6 From the terminal prompt, change to the directory where CiscoSecure ACS is installed (default: /opt/acs) and enter the following command:
Follow the prompts to remove the package.
Step 7 Go to the system running the ActiveWeb Information Broker.
Step 8 From the terminal prompt, change to the directory where the ActiveWeb components are installed (default: /opt/active/bin) and stop the dbAdapter and broker services. Enter the following commands:
Step 9 Uninstall the ActiveWeb Information Broker by entering the following command:
Step 10 Go to the Windows NT system running NCC.
Step 11 From the Control Panel, double-click Add/Remove Programs.
The Add/Remove Programs Properties property sheet appears.
Step 12 Select Network Control Console from the list of programs and click Add/Remove. Follow the prompts to uninstall NCC.
The UCP software is now uninstalled.
Posted: Tue Jan 21 04:05:15 PST 2003
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.