This chapter describes how to install the various Cisco User Control Point (UCP) components. The installation procedure involves the following steps, which must be completed in the following order:
1. Installing the Oracle Enterprise Database Software
2. Installing the ActiveWeb Software
3. Installing the CiscoSecure ACS
4. Installing the UCP UNIX Components
5. Creating UCP Tables and Triggers - Part 1
6. Configuring and Starting the ActiveWeb and SMS Database Adapters
7. Importing UCP Events into the Information Broker
8. Creating UCP Tables and Triggers - Part 2
9. Installing the NCC from the Windows NT CD-ROM
10. Configuring and Starting UCP Services
11. Installing the CiscoSecure Global Roaming Server
12. Installing the NetFlow Collector
13. Installing Netsys
ActiveWeb, UCP, and the CiscoSecure Access Control Server (ACS) run on one or more Sun Solaris systems. The Network Control Console (NCC) runs on a Windows NT system.
This section describes how to install and configure an Oracle database for use with UCP.
Before installing Oracle, add the following lines to the /etc/system file:
************************************************************************
set shmsys:shminfo_shmmax=209715200
set shmsys:shminfo_shmseg=50
set semsys:seminfo_semmns=1750
set semsys:seminfo_semmni=70
************************************************************************
* SHMMAX: The maximum size (in bytes) of a single shared memory
*         segment.
* SHMSEG: The maximum number of shared memory segments that can be
*         attached by a process.
* SEMMNS: The number of semaphores per set. It should be at least the
*         same size as the maximum number of Oracle processes.
* SEMMNI: The number of semaphore set identifiers.
************************************************************************
During Oracle installation, assign tablespace disk usage as follows:
SYSTEM: 150 MB
RBS: 150 MB
TEMP: 100 MB
After Oracle is installed, complete the procedures described in this section.
To set the superuser environment, follow these steps:
Step 1 Declare the ORACLE_HOME and ORACLE_SID environment variables for the "root" user in the /.cshrc and /etc/profile files.
Step 2 Add $ORACLE_HOME/bin to root's PATH environment variable.
To specify the Oracle compatibility, follow these steps:
Step 1 Use a text editor to open the init{SID}.ora file in the $ORACLE_HOME/dbs directory.
Step 2 Find the line:
and change it to the following:
Step 3 Save the file and exit the text editor.
To create tablespace for UCP, follow these steps:
Step 1 Use SQL to create a tablespace for UCP tables named UCP_TBL. Assign 100 MB for the first 10,000 user profiles plus 70 KB for each additional 100 user profiles. For example:
where oracle_data_dir is the directory where the tablespace will be stored.
Step 2 Use SQL to create a tablespace for UCP indexes named UCP_IDX. Assign 100 MB for the first 10,000 user profiles plus 70 KB for each additional 100 user profiles. For example:
where oracle_data_dir_2 is a different directory where the tablespace will be stored.
Use SQL to create a UCP user account. For example:
CREATE USER ucpuser IDENTIFIED BY ucppass DEFAULT TABLESPACE ucp_tbl;
GRANT CONNECT TO ucpuser;
GRANT RESOURCE TO ucpuser;
where ucpuser and ucppass are the name and password of the UCP user account.
To start the Oracle database, log in to the server using the Oracle UNIX account and complete the following steps:
Step 1 Verify the ORACLE_HOME environment variable is declared.
Step 2 Start the svrmgrl utility that is located in the $ORACLE_HOME/bin directory.
Step 3 Enter the following commands:
To stop the Oracle database, log in to the server using the Oracle UNIX account and complete the following steps:
Step 1 Ensure that no sessions are active.
Step 2 Start the svrmgrl utility.
Step 3 Enter the following commands:
The following components must be able to access the Oracle database:
To ensure that they can access the Oracle database, install them on the system running Oracle, install SQL*Net, or NFS mount the Oracle directory.
To mount the Oracle directory, follow these steps:
Step 1 Make sure the mountd and nfsd daemons are running on both systems. To check whether the daemons are running, enter the following commands:
Step 2 From the remote machine, enter the following command:
where pathname is the location of the Oracle directory.
Step 3 From the local machine, enter the following command:
where ip_address is the IP address of the remote machine, path_remote is the location of the remote Oracle directory, and path_local is the location of the local directory where the Oracle directory will be mounted.
Whether a client mounts a database or uses SQL*Net, you must create a tnsnames.ora file. To do this, create the file /var/opt/oracle/tnsnames.ora and add the following lines:
UCP=
  (DESCRIPTION=
    (ADDRESS= (PROTOCOL=TCP) (HOST=hostname) (PORT=port_number))
    (CONNECT_DATA=(SID=SID)))
where hostname is the name or IP address of the server running Oracle, port_number is the port used to communicate with the client (default: 1521), and SID is the database server ID.
To set up a server host, open the $ORACLE_HOME/network/admin/listener.ora file and append the following lines:
TCP_LISTENER=
  (ADDRESS_LIST=
    (ADDRESS = (PROTOCOL = TCP) (HOST = hostname) (PORT = port_number))
  )
SID_LIST_TCP_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = SID)
      (ORACLE_HOME = oracle_home)
    )
  )
where hostname is the name or IP address of the server running Oracle, port_number is the port used to communicate with the client, SID is the database server ID, and oracle_home is the Oracle directory.
To verify that you can connect to the Oracle database, change to the $ORACLE_HOME/bin directory and enter the following command:
./tnsping TNS_name
where TNS_name is the TNS name defined in the tnsnames.ora file.
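When tnsping fails, the usual cause is that the client descriptor and the listener entry disagree on host, port, or SID. The following check is an added example, not Cisco or Oracle code; it assumes each file holds only the single entry shown above with upper-case keywords, and the function names and sample values (dbhost1, 1521, UCP, /opt/oracle) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the client descriptor (tnsnames.ora) with the
# listener entry (listener.ora). Both are passed as text, for instance:
#   check_tns_listener "$(cat /var/opt/oracle/tnsnames.ora)" \
#                      "$(cat "$ORACLE_HOME/network/admin/listener.ora")"

# ora_param KEY TEXT: print the first value of "(KEY = value)" found in TEXT.
# Comments are dropped and whitespace removed, then the text is split at
# every ")" so that each "(KEY=value" ends up at the end of its own line.
ora_param() {
    printf '%s\n' "$2" | sed 's/#.*//' | tr -d ' \t\r\n' | tr ')' '\n' |
        sed -n "s/.*($1=\([^()]*\)\$/\1/p" | sed -n '1p'
}

# check_tns_listener TNS_TEXT LISTENER_TEXT
# Prints one line per problem and returns 1 if any was found.
# Values are compared as strings, so a host given by name on one side and
# by IP address on the other is reported for manual review.
check_tns_listener() {
    rc=0
    for pair in HOST:HOST PORT:PORT SID:SID_NAME; do
        ckey=${pair%%:*}    # keyword in tnsnames.ora
        lkey=${pair##*:}    # keyword in listener.ora
        cval=$(ora_param "$ckey" "$1")
        lval=$(ora_param "$lkey" "$2")
        if [ -z "$cval" ] || [ -z "$lval" ]; then
            echo "missing: client $ckey or listener $lkey not found"
            rc=1
        elif [ "$cval" != "$lval" ]; then
            echo "mismatch: client $ckey=$cval, listener $lkey=$lval"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample entries in the layout used in this chapter.
SAMPLE_TNS='UCP=
  (DESCRIPTION=
    (ADDRESS= (PROTOCOL=TCP) (HOST=dbhost1) (PORT=1521))
    (CONNECT_DATA=(SID=UCP)))'

SAMPLE_LISTENER='TCP_LISTENER=
  (ADDRESS_LIST=
    (ADDRESS = (PROTOCOL = TCP) (HOST = dbhost1) (PORT = 1521))
  )
SID_LIST_TCP_LISTENER =
  (SID_LIST =
    (SID_DESC =
      (SID_NAME = UCP)
      (ORACLE_HOME = /opt/oracle)
    )
  )'

# Same listener entry with a different port, to show a reported mismatch.
SAMPLE_LISTENER_BAD=$(printf '%s\n' "$SAMPLE_LISTENER" | sed 's/1521/1526/')

# Demonstration on the constructed samples.
if check_tns_listener "$SAMPLE_TNS" "$SAMPLE_LISTENER"; then
    echo "tnsnames.ora and listener.ora agree"
fi
```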
The ActiveWeb software provides components that allow the various UCP services to communicate with each other by means of predefined events.
The following components are installed during the ActiveWeb installation:
Follow these steps:
Step 1 Place the ActiveWeb CD-ROM in the CD-ROM drive on the Sun Solaris system.
Step 2 Log in as root.
Step 3 Change to the /cdrom/activesw directory and run install.ksh.
Step 4 Locate the Install Keys for the following components:
Step 5 When prompted, enter the Install Keys on a single line. Separate each key with a single space. For example:
Step 6 Follow the installation prompts until you are prompted to select installation directories for the ActiveWeb components. Cisco recommends that you accept the default values.
Step 7 Follow the installation prompts until you are prompted to enter a domain name. Enter the domain name. If you are not sure of the name, check the hosts file.
To find the domain name, change to the directory where the hosts file is located (default: /etc) and enter the following:
The text that appears after the machine name is the domain name. In this example, the domain name is "cisco.com."
Step 8 When prompted, enter the ActiveWeb Broker license key. The license key is located in the ActiveWeb CD-ROM booklet.
Installation is complete.
Step 9 Repeat this procedure for each ActiveWeb installation.
After installing the ActiveWeb software, the Information Broker starts automatically. To verify the broker is working, use the broker_ping command. Change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
broker_ping localhost
Broker #1@localhost is alive
Because all events flow through the Information Broker, it is a potential performance bottleneck. To improve performance and throughput, UCP event traffic can be distributed between up to four brokers. Assign each broker to one of the following categories:
Multiple ActiveWeb Information Brokers can be installed on a single system or multiple systems. However, if all brokers are started on the same system, they share the same resources. If one broker becomes overloaded, it might affect the performance of the other brokers.
To create and start the ActiveWeb Information Brokers, follow these steps:
Step 1 Start the ActiveWeb manager utility on any machine where ActiveWeb is installed. Change to the ActiveWeb directory (default: /opt/active/bin) and enter the following:
The manager window appears.
Step 2 From the File menu, select Add Broker Host. Enter the name or IP address of a broker host and click OK.
Repeat this step for each broker host.
Step 3 Add brokers to broker hosts.
From the File menu, select Add Broker Host. Enter a name for the broker and click OK.
The broker is added. Repeat this step until all four brokers are created.
Step 4 When you are finished, exit the manager utility.
To control access to ActiveWeb Information Brokers, set up network access lists (NALs). NALs control which IP addresses have access to a broker or client group operations.
To set up a NAL, follow these steps:
Step 1 Start the ActiveWeb manager utility on any machine where ActiveWeb is installed. Change to the ActiveWeb directory (default: /opt/active/bin) and enter the following:
The manager window appears.
Step 2 Select the local host. From the File menu, select Properties.
The Properties window appears.
Step 3 Click the Security tab.
Step 4 Select Allow access from only these machines and add all machines that will be allowed to access the local host.
Step 5 Click OK.
Step 6 Select a broker. From the File menu, select Properties.
The Properties window appears.
Step 7 Click the Security tab.
Step 8 Select Allow access from only these machines and add all machines that will be allowed to access the broker.
Step 9 Click OK.
Step 10 Select a broker's Client Groups folder and double-click default.
The Properties window appears.
Step 11 Click the Security tab.
Step 12 Select Allow access from only these machines and add all machines that will be allowed to access the broker.
Step 13 Click OK.
Step 14 Repeat Steps 6 through 13 for each Broker on the local host.
Step 15 Repeat this procedure for each local host.
To check whether the broker is running, use the broker_ping command or enter the following:
ps -ef | grep active
bin 2204 2203 0 May 08 pts/5 9:54 activebroker -d /var/opt/active Y
bin 2203 1 0 May 08 pts/5 0:00 /opt/active/bin/brokermonitor
To manually start the ActiveWeb processes and the Information Broker, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
./S45broker start
To manually stop the ActiveWeb processes and the Information Broker, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
./S45broker stop
The CiscoSecure ACS software shipped with UCP is provided on the same CD-ROM as the UCP software.
Follow these steps to install the CiscoSecure ACS from the UCP CD-ROM:
Step 1 Log in as root on the machine where you will install CiscoSecure. For more information, see Table 1-1.
Step 2 Copy the package CiscoSecure-x.x.x.UCP.solaris.PKG.Z from the CD-ROM to the host where you will install CiscoSecure. For example, copy the package to /tmp.
Step 3 Change directories to /tmp.
Step 4 Uncompress the package using the following command:
Step 5 Transfer the package into a Solaris installable package using the following command:
When prompted to select packages to install, press Enter. The Solaris installable package is created.
Step 6 Install the package by entering the following command:
Step 7 Follow the installation prompts until prompted to select a directory. Enter the directory in Table 1-1 (default: /opt/acs).
Step 8 Follow the installation prompts until prompted to enter the fully qualified domain name. For example, if the system is named "machine1" and the domain is "cisco.com," you would enter machine1.cisco.com.
Step 9 When prompted, enter the CiscoSecure ACS license key. The license key is located in the UCP CD-ROM booklet.
Step 10 When prompted to enter the TACACS+ NAS name, press Enter. UCP does not use TACACS+.
Step 11 When prompted to enter the TACACS+ NAS secret key, press Enter.
Step 12 Follow the installation prompts until prompted to select a database. Enter 2 for Oracle Enterprise.
Step 13 When prompted to enter the username and password for the Oracle database, use the username and password in Table 1-1. For more information, see the "Installing the Oracle Enterprise Database Software" section.
Step 14 Enter the Oracle database TNS name. For more information, see the "Accessing the Oracle Database" section.
Step 15 When prompted, enter the location of the NFS mounted oracle directory. For more information, see the "Accessing the Oracle Database" section.
Step 16 Continue following the installation prompts. Accept the default values until prompted to select the number of database connections. Cisco recommends at least 10 connections.
Step 17 Continue following the installation prompts. After CiscoSecure ACS is installed, verify that the SQL tables were created.
To verify the CiscoSecure installation, complete the following steps:
Step 1 Start SQL*Plus with the account used to install CiscoSecure by entering:
where ucpname and ucppass are the username and password used for Data Store in the Oracle database and TNS_name is the TNS name defined in the tnsnames.ora file.
Step 2 Confirm that 18 entries were created by entering:
Step 3 Exit SQL*Plus.
The UCP UNIX components must be installed on each system that will run UCP services. For a list of systems that will run UCP services, review Table 1-1.
Follow these steps to install UCP on each target server:
Step 1 Insert the CD-ROM labeled UCP 1.0 into the CD-ROM drive on the target server.
Step 2 Become root on the target system.
Step 3 Copy the UCP package CSCEucp.x.x.x.PKG.Z into a temporary directory. For example, copy the file to /tmp.
Step 4 Change to the temporary directory.
Step 5 Uncompress the package by entering:
where x.x.x is the UCP version number you are installing.
Step 6 Install the package by entering:
You are prompted to accept the UCP license agreement.
Step 7 Enter y.
You are prompted to enter the target directory for the installation.
Step 8 Enter the UCP directory you specified in Table 1-1 (default: /opt/ucp).
You are prompted to enter the name of the POP so the target server (the system on which you are installing) will appear in the NCC display.
Step 9 Enter the name of the POP. All UCP components must belong to the same POP.
You are prompted to enter the name or IP address of the host where the Information Broker that will communicate with the server is running.
Step 10 Enter the IP address or the host name of the host where the ActiveWeb Information Broker is installed.
You are prompted to specify whether to turn on the service monitor feature. When this feature is on, it automatically restarts a UCP service for the server if the service goes down.
Step 11 Specify whether you want the service monitor feature turned on or off.
Cisco recommends that you answer y to this prompt.
You are prompted to copy the control adapter start and stop scripts to the rc2.d and rc0.d directories.
Step 12 Enter y and press Enter.
You are prompted to start the master daemon automatically after the installation. The master daemon monitors the health of services.
Step 13 Specify when to start the master daemon:
Caution: Before manually starting the master daemon, verify that one is not already running. If it is, kill the existing process. The script does not check for this condition. Multiple copies of the master daemon will cause system malfunctions.
The system prints out your selections and prompts you to verify them.
Step 14 To change any of your selections, enter y and you will be prompted to reenter your selections. Otherwise, enter n.
You are prompted to continue the installation process.
Step 15 Enter y to complete the installation.
The installation process is complete. A log of the installation processing is saved in the file /tmp/ucp_install.log. Repeat the above procedure for each system running UCP services.
To verify the UCP master daemon is running, enter the following command from the command line interface of each system where you installed UCP components:
# ps -ef | grep Master
root 1685 1684 0 20:12:10 ? 0:05 /opt/ucp/MasterDaemon -r /opt/ucp
root 1684 1 0 20:12:10 ? 0:00 /opt/ucp/MasterDaemon -r /opt/ucp
To manually stop the master daemon, change to the UCP directory (default: /opt/ucp) and enter the following command:
# ./S97MasterDaemon stop
Stopping the UCP Control Adapter service.
To manually start the master daemon, enter:
# ./S97MasterDaemon start
UCP Control Adapter Daemon Starting.
To create tables and triggers in the Oracle-based UCP Data Store, follow these steps:
Step 1 Confirm that the CiscoSecure ACS tables (there should be 18) are in the Data Store by executing the following SQL statement:
Step 2 Exit SQL*Plus.
Step 3 Change to the /ds/install directory where UCP is installed (default: /opt/ucp/ds/install).
Step 4 Start the dbinstall utility by entering:
Step 5 Select a tablespace for UCP table objects by entering:
Select the number that corresponds to the UCP tablespace (UCP_TBL).
Step 6 Select a tablespace for UCP index objects by entering:
Select the number that corresponds with the UCP index tablespace (UCP_IDX).
Step 7 Install part 1 of UCP tables and triggers by entering:
Step 8 Exit dbinstall by entering:
If you are using an Oracle SMS database, follow these steps:
Step 1 Change to the /ds/install directory where UCP is installed (default: /opt/ucp/ds/install).
Step 2 Start the dbinstall utility by entering:
Step 3 Select a tablespace for UCP table objects:
Select a tablespace for SMS table objects.
Step 4 Select a tablespace for SMS index objects by entering:
Select a tablespace for SMS index objects.
Step 5 Install the UCP tables in the SMS database by entering:
Step 6 Exit dbinstall by entering:
The UCP Data Store requires a database adapter (dbAdapter) to communicate with the information bus.
If you are using an SMS, you must install an SMS dbAdapter to communicate with the information bus and the UCP Data Store.
For detailed information about configuring a Database Adapter in the Solaris environment, refer to "Configuring and Starting a dbAdapter on Solaris 2.x" in the ActiveWeb Installation Guide.
Follow these steps to configure and start the dbAdapter(s):
Step 1 On the system where you have installed the ActiveWeb software, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following:
The ActiveWeb Adapter configuration window appears.
Step 2 If you are not configuring an SMS dbAdapter, continue to the next step. Otherwise, do the following.
(a) Click Adapter, then click New.
The Configure Database Adapter window appears.
(b) In the Adapter window, specify the following information:
(c) Click the tab that corresponds to the database used by the SMS.
The Configure Database Adapter window appears.
(d) If your SMS uses an Oracle database, enter the following information:
(e) If your SMS uses another database, such as Informix or Sybase, specify the correct information for the fields on the configuration tab. Refer to the ActiveWeb documentation for detailed information.
(f) Press Test. You should see a "No Problems Found" message.
Step 3 Configure the dbAdapter to communicate with the UCP Data Store.
(a) Click Adapter, then click New.
The Configure Database Adapter window appears.
(b) In the Adapter window, specify the following information:
(c) Click the Oracle tab.
The Configure Database Adapter window appears.
(d) In the Configure Database Adapter window, specify the following information:
(e) Press Test. You should see a "No Problems Found" message.
Step 4 Click OK.
Step 5 Select Save and Restart Adapters, then exit from the configuration utility.
If you need to start or stop the dbAdapters, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following command:
# ./S50adapter {start | stop}
To enable UCP components to communicate over the Information Bus, import the event definitions with the ActiveWeb manager utility.
The following steps provide brief instructions for importing event definitions. For detailed information on using the manager utility, see "Importing Information From a File Into a Broker" in the ActiveWeb Broker User Guide.
Step 1 On the system where ActiveWeb is installed, change to the /bin directory where ActiveWeb is installed (default: /opt/active/bin) and enter the following:
Step 2 Expand the tree of the host where the broker is running.
Step 3 Select a broker (default: Broker #1).
Step 4 From the File menu, select Import.
Step 5 The Import From File window appears.
Step 6 Browse the list of files and select eventdefs.evt (default location: /opt/ucp/events).
Step 7 Click Open.
Step 8 The Import window appears.
Step 9 Ensure that:
Step 10 Click Import.
Step 11 Repeat Steps 2 through 10 for each broker.
Step 12 Stop and Restart the dbAdapters as described in the "Starting and Stopping the dbAdapters" section.
Follow these steps to create additional tables and triggers in the UCP Data Store:
Step 1 Change to the /ds/install directory where UCP is installed (default: /opt/ucp/ds/install).
Step 2 Start the dbinstall utility:
Step 3 Select a tablespace for UCP table objects:
Select the number that corresponds to the UCP tablespace (UCP_TBL).
Step 4 Select a tablespace for UCP index objects:
Select the number that corresponds with the UCP index tablespace (UCP_IDX).
Step 5 Install part 2 of UCP tables and triggers by entering:
Step 6 Verify installation of UCP database objects by entering:
Step 7 Exit dbinstall by entering:
You can install NCC on a Windows NT server or a Windows NT workstation as follows:
Step 1 Insert the CD-ROM labeled NCC x.xx (where x.xx is the current NCC release) into the CD-ROM drive.
Step 2 From My Computer on your desktop, select the CD-ROM drive and double-click setup.exe.
Step 3 Follow the instructions in the prompts displayed by the setup program.
Step 4 After installation, start the NCC. To start the NCC, click Start, point to Programs, point to Network Control Console, and click NCC.
The password prompt appears.
Step 5 Enter the NCC username (default: admin) and password (default: admin).
Step 6 From the Tools Menu, select Options.
The Options properties sheet appears.
Step 7 Verify that NCC is pointing to the correct broker. You can do this by making sure the Broker Host field indicates the host name or IP address of the default broker.
Step 8 Click OK.
Step 9 From the Tools Menu, select AWAD Configuration.
The AWAD Configuration dialog box appears.
Step 10 Make sure the host name or IP address of the default broker is in the Broker Name field.
Step 11 Exit and restart NCC.
Step 12 Right-click Root and select New POP from the popup menu. Enter the POP name.
Within a few minutes, servers belonging to the POP will begin appearing in the NCC directory tree.
After you have installed UCP and the NCC, you can start and configure the individual UCP services as described in the following sections.
Before attempting to configure or start UCP services, the master daemon must be running on each system that will run UCP services. If you selected the option to automatically start the master daemon after installation of the UCP UNIX components, you do not need to do anything. If you chose not to start the master daemon after installation of the UCP UNIX components, you must start the master daemon on each system where it was not started.
If you are not sure whether the master daemon is running, enter the following command:
ps -ef | grep Master
root 1912 1 0 May 20 ? 0:00 /opt/ucp/MasterDaemon -r /opt/nc1
root 1913 1912 0 May 20 ? 1:55 /opt/ucp/MasterDaemon -r /opt/nc1
To manually start the master daemon, go to the UCP installation directory and enter the following command.
Caution: Do not enter this command if the master daemon is already running.
S97MasterDaemon start
Or, enter the following command at the system prompt:
# install_directory/S97MasterDaemon start
where install_directory is the name of the directory where UCP was installed.
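Because the start script does not check for a running copy, the manual start can be wrapped in a guard that inspects the process table first. This is an added example, not part of the UCP distribution; it assumes the Solaris ps -ef layout shown in this chapter, and the function names and sample process lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: refuse to start a second master daemon.
# A healthy installation shows two MasterDaemon processes (parent and child),
# as in the ps samples in this chapter, so any match means "already running".

# master_daemon_pids: read `ps -ef` output on stdin and print the PID of
# every process whose command is MasterDaemon. Testing the command field
# rather than the whole line keeps "grep Master" out of the result.
master_daemon_pids() {
    awk '{
        # STIME is one field ("20:12:10") or two ("May 20"), so the
        # command is field 8 in the first case and field 9 in the second.
        c = ($5 ~ /^[A-Z][a-z][a-z]$/) ? 9 : 8
        n = split($c, part, "/")
        if (n > 0 && part[n] == "MasterDaemon") print $2
    }'
}

# master_daemon_state: read `ps -ef` output on stdin and print either
# "stopped" or "running <pid> <pid> ...".
master_daemon_state() {
    pids=$(master_daemon_pids | tr '\n' ' ')
    if [ -n "$pids" ]; then
        echo "running ${pids% }"
    else
        echo "stopped"
    fi
}

# start_master_daemon_once [install_directory]
# Runs S97MasterDaemon start only when no master daemon is found.
start_master_daemon_once() {
    dir=${1:-/opt/ucp}
    state=$(ps -ef | master_daemon_state)
    case $state in
        running*)
            echo "MasterDaemon already $state; not starting another copy" >&2
            return 1
            ;;
    esac
    "$dir/S97MasterDaemon" start
}

# Constructed ps output modelled on the samples in this chapter.
SAMPLE_RUNNING='     UID   PID  PPID  C    STIME TTY      TIME CMD
    root  1685  1684  0 20:12:10 ?        0:05 /opt/ucp/MasterDaemon -r /opt/ucp
    root  1684     1  0 20:12:10 ?        0:00 /opt/ucp/MasterDaemon -r /opt/ucp
    root  2301  2290  0 20:15:02 pts/3    0:00 grep Master'

SAMPLE_DATED='    root  1912     1  0   May 20 ?        0:00 /opt/ucp/MasterDaemon -r /opt/nc1
    root  1913  1912  0   May 20 ?        1:55 /opt/ucp/MasterDaemon -r /opt/nc1'

SAMPLE_STOPPED='     UID   PID  PPID  C    STIME TTY      TIME CMD
     bin  2203     1  0   May 08 pts/5    0:00 /opt/active/bin/brokermonitor
    root  2301  2290  0 20:15:02 pts/3    0:00 grep Master'

# Demonstration on the constructed sample; the real guard is
# start_master_daemon_once install_directory, run as root.
printf '%s\n' "$SAMPLE_RUNNING" | master_daemon_state
```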
After the master daemons are running, you can start UCP services from the NCC.
If UCP is using multiple Information Brokers, they must be configured to accept event categories (such as: heartbeat, inter-component, data transfer, and accounting events) from services that are configured and started from the NCC.
If UCP is using a single Information Broker, continue to the next procedure. Otherwise, follow these steps:
Step 1 From the Tools menu, select Options.
The NCC Application Options properties sheet appears.
Step 2 Click the Brokers tab.
Step 3 In the Default Broker Hosts section, select a broker for the following:
Step 4 Click OK.
Before starting the DS Adapter, make sure CiscoSecure ACS is installed or mounted on the host on which you start the DS Adapter. If it is mounted, make sure the TNS file is properly configured on the ACS machine. Provide the appropriate command-line interface (CLI) path in the NCC configuration.
To start the DS Adapter, follow these steps:
Step 1 From the NCC directory tree, select the host server where the DS Adapter is installed.
Step 2 From the Server menu, select Start New Service.
Step 3 Select Data Store Adapter.
The Data Store property sheet appears.
Step 4 Click the Specific tab.
Step 5 Configure the following settings:
(a) Select cliscriptpath and enter the path to the CLI directory (default: /opt/acs/CLI) on the system where CiscoSecure ACS is installed.
(b) Select dbserverhost and enter the host name or IP address of the system where the CiscoSecure ACS is running.
(c) Select dbserverport and enter the port number on which the DB server on the CiscoSecure ACS is configured to listen (default: 9900).
Step 6 Click Apply.
Step 7 Click Start. Within a few minutes, the service will appear in the NCC directory tree.
Before starting the SMS Adapter, verify that the DS Adapter and Oracle dbAdapters are up and running:
To start the SMS Adapter:
Step 1 From the NCC directory tree, select the host server where the SMS Adapter is installed.
Step 2 From the Server menu, select Start New Service.
Step 3 Select SMS.
Step 4 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
This section describes how to start the mother cache and the local caches.
To configure and start the mother cache, follow these steps:
Step 1 From the NCC directory tree, select the host on which you want to start the mother cache.
Step 2 From the Server menu, select Start New Service, point to Cache, and click Master Cache.
The Cache Manager Properties property sheet appears.
Step 3 Click the Communications tab.
Step 4 In the ListeningPortNum parameter, specify the port that the mother cache will use to listen for update packets (default: 5521).
Step 5 Click Apply.
Step 6 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
At each system where a local cache is installed, complete these steps to configure and start the local cache:
Step 1 From the NCC directory tree, select the host on which you want to start the local cache.
Step 2 From the Server menu, select Start New Service, point to Cache, and click Local Cache.
The Cache Manager Properties property sheet appears.
Step 3 Click the Communications tab.
Step 4 In the ListeningPortNum parameter, specify the port number that the local cache will use to listen for update packets (default: 5522).
Step 5 Click the Specific tab.
Step 6 Go to the peercaches section.
Step 7 Select Primaryserver and enter the port number (default: 5521) and machine name where the mother cache is running. For example:
where host_name is the name or IP address of the host running the mother cache.
Step 8 If there is a secondary mother cache, select Secondaryserver1 and enter the port number (default: 5521) and machine name where the secondary mother cache is running. For example:
where host_name is the name or IP address of the host running the secondary mother cache.
Step 9 Click Apply.
Step 10 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
To configure and start the Translation service, follow these steps:
Step 1 From the NCC directory tree, select the host on which you want to start the Translation service.
Step 2 From the Server menu, select Start New Service.
Step 3 Select Translation Service.
The Translation Properties property sheet appears.
Step 4 Click the General tab and make sure the broker points to the correct machine.
Step 5 Click the Communications tab.
Step 6 In the ListeningPortNum parameter, specify the port number that the Translation service cache will use to listen for update packets (default: 9921).
Step 7 Click the Specific tab.
Step 8 Go to the userrecordrequester section.
Step 9 Select Primaryserver and specify the port number (default: 5522) and the machine name where the local cache is running. For example:
where host_name is the name or IP address of the host running the local cache.
Step 10 Click the Performance tab.
Step 11 Make sure the MaxThreads parameter is set to more than the MaxConnection parameter in $ACS_INSTALLED_DIR/CSU/libdb.conf.
Step 12 Click Apply.
Step 13 Click Start.
Within a few minutes, the service will appear in the NCC directory tree.
After installing the CiscoSecure ACS, the Network Control Console (NCC), and UCP, you can use the NCC to start and stop the CiscoSecure ACS. Follow these steps:
Step 1 From the NCC directory tree, select the host server where the CiscoSecure ACS is installed.
Step 2 From the Server menu, select Start New Service.
Step 3 Select CiscoSecure.
The CiscoSecure Properties property sheet appears.
Step 4 Click Start.
The CiscoSecure ACS starts. Within a few minutes, the service will appear in the NCC directory tree.
After you install the CiscoSecure ACS, you must configure it to communicate with UCP. This section provides a brief procedure for doing this. For detailed ACS configuration information, see the CiscoSecure ACS for UNIX 2.2.1 User Guide.
Follow these steps:
Step 1 Point a Java- or JavaScript-enabled browser to the system where the CiscoSecure ACS is installed. Log in to the CiscoSecure ACS.
Step 2 Click Advanced.
Step 3 Click Servers.
Step 4 Click on the IP address of the CiscoSecure ACS.
Step 5 Select the port (default: 1645) that CiscoSecure ACS will use to listen for authorization and authentication packets from the UCP Protocol Gateway Service (PGS). The port number you specify here should be the same as the port number you specified in the primaryserver parameter under the a1anda2requester section.
Step 6 Select the port (default: 1646) that CiscoSecure ACS will use to listen for accounting packets from the UCP Protocol Gateway Service (PGS). The port number you specify here should be the same as the port number you specified in the primaryserver parameter under the a1anda2anda3requester section.
The procedure for configuring the PGS is described in the section "Configuring and Starting the Protocol Gateway Service" earlier in this chapter.
Follow these steps to configure and start the Protocol Gateway Service (PGS):
Step 1 From the NCC directory tree, select the host on which you want to start the Translation service.
Step 2 From the Server menu, select Start New Service.
Step 3 Select PGS.
The Protocol Gateway Properties property sheet appears.
You can now configure the PGS as described in the following sections. When you are done configuring the PGS, click Apply. Then, click Start to start the service.
Follow these steps:
Step 1 In the Protocol Gateway Properties property sheet, click the Specific tab.
Step 2 Go to the radius section.
Step 3 Configure the portnumber parameter for the PGS.
The portnumber parameter specifies the port number on which the PGS listens for RADIUS authentication and authorization requests (default: 1645).
Step 4 Go to the a1anda2requester section. This section specifies RADIUS authentication and authorization settings.
Step 5 In the primaryserver parameter, specify the port number (default: 1645) and machine name where the CiscoSecure ACS is listening. For example:
specifies that PGS will forward RADIUS packets to the primary CiscoSecure ACS abcd-ultra, which is listening for authentication and authorization requests on port 1645.
You can leave the rest of the configuration parameters set to the default settings.
Follow these steps:
Step 1 In the Protocol Gateway Properties property sheet, click the Specific tab.
Step 2 Go to the radacct section (accounting section).
Step 3 In the portnumber parameter, specify the port on which the PGS will listen for accounting requests (default: 1646).
Verify that your network access server (NAS) client is sending accounting packets to this port number.
Step 4 Go to the a1anda2anda3requester section.
Step 5 In the primaryserver parameter, specify the port number and machine name on which the CiscoSecure ACS is listening for accounting requests. For example:
specifies that PGS will forward accounting requests to the primary CiscoSecure ACS abcd-ultra, which is listening for accounting requests on port 1646.
Step 1 In the Protocol Gateway Properties property sheet, click the Specific tab.
Step 2 Verify that the CiscoSecure ACS is configured to listen for authentication and authorization requests on the same port specified in the PGS configuration (a1anda2requester section, primaryserver parameter).
Step 3 Verify that the CiscoSecure ACS is configured to listen for accounting requests on the same port that was specified in the PGS configuration (a1anda2anda3requester section, primaryserver parameter).
Follow these steps:
Step 1 In the Protocol Gateway Properties property sheet, click the Specific tab.
Step 2 Go to the dhcp section.
Step 3 Set the configurationfile parameter to dhcp.cfg.
Step 4 In the portnumber parameter, specify the port number on which the PGS will listen for accounting requests (default: 67).
Step 5 Go to the dhcpforwardrequester section.
Step 6 In the primaryserver parameter, specify the port number and machine name of the DHCP server. For example:
specifies that PGS will forward DHCP requests to dhcp-ultra, which is listening for DHCP requests on port 3000.
Step 7 Verify the DHCP service is running on the same host (for example, dhcp-ultra) and listening on the same port (for example, port 3000) for DHCP requests.
Step 8 Go to the Debug section.
Step 9 Set the NoIPCollector parameter value to 0.
Step 10 Set the NoUserRecordUpdater parameter value to 0.
Step 11 Set the Enable parameter to 1.
Follow these steps:
Step 1 In the Protocol Gateway Properties property sheet, click the Specific tab.
Step 2 Go to the RadiusStateMachine section.
Step 3 Create a new parameter and name it DynamicIP. Set its value to Terminal.
Step 4 Select the A1andA2 parameter and change its value to DynamicIP.
Step 5 Go to the requesters section. Select the list parameter and add DynamicIP to the list of services.
Step 6 Go to the dynamiciprequester section.
Step 7 In the primaryserver parameter, specify the port number and machine name of the DHCP server. For example:
specifies that PGS will forward DHCP requests to dhcp-ultra, which is listening for DHCP requests on port 3000.
Step 8 Go to the debug section and make sure the values of NoIpCollector and NoUserUpdater are set to 0.
Step 9 Click Apply.
Step 10 Open the radius.cfg file with a text editor (default: /opt/ucp/config/radius.cfg) and make sure the parameter NoDynamicIP is set to 0.
When you have completed the PGS configuration, click Apply, then Start to start the PGS. Within a few minutes, the service will appear in the NCC directory tree. To view log information, see the file /tmp/pgw.log.
Caution: The DS Adapter and the Oracle dbAdapter should be up and running before you add any new NAS clients.
To make PGS aware of the NASes and able to serve them, do the following:
Step 1 Configure the NAS(es) for RADIUS authentication as described in the CiscoSecure ACS for UNIX User Guide.
Step 2 In the Protocol Gateway Properties sheet, click the Valid Clients tab.
Step 3 Click Select.
A list of available NASes appears.
Step 4 Select a client to make it a known client of PGS, then click the < button.
Step 5 Click Done.
Step 6 Click Apply, then OK.
When users log in and are authorized for network services by UCP, the DHCP service assigns them one or more IP addresses that correspond to specific service levels. To set up address pools that can be correlated with specific service levels, you must edit the DHCP service configuration file, dhcpd.conf.
Follow these steps to configure and start the DHCP service:
Step 1 From the NCC directory tree, select the host on which you want to start the DHCP Service.
Step 2 From the Server menu, select Start New Service.
Step 3 Select DHCP.
The DHCP Properties property sheet appears.
Step 4 Click the Specific tab.
Step 5 Specify the listening port number in the ListeningPortNum parameter (default: 2000).
The listening port number must be the same one that was configured for PGS to talk to the DHCP service.
Step 6 Go to the dhcp section.
Step 7 Select the ScavengerRate parameter and set its value to -1.
Step 8 Select the ScavengerThreshold parameter and set its value to -1.
Step 9 Start the DHCP service by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
For logging information, see the file /tmp/dhcpd.log.
Complete these steps to configure and start the DNS service:
Step 1 From the NCC directory tree, select the host on which you want to start the DNS Service.
Step 2 From the Server menu, select Start New Service.
Step 3 Select DNS.
The DNS Properties property sheet appears.
Step 4 Click the Communications tab.
Step 5 In the ListeningPortNum parameter, specify the listening port number (default: 1000).
Step 6 Click the Specific tab.
Step 7 Set the allowrecursion parameter to on.
Step 8 Set the usethreadpool parameter to on.
Step 9 Start the DNS server by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
The Accounting Parser is an optional component that is included with UCP. To configure and start the Accounting Parser, complete the following steps:
Step 1 From the NCC directory tree, select the host running the CiscoSecure ACS.
Step 2 From the Server menu, select Start New Service.
Step 3 Select Accounting Parser. The Accounting Parser Properties property sheet appears.
Step 4 Click the General tab and make sure the broker is pointing to the correct machine.
Step 5 Click the Specific tab.
Step 6 Select AccountingDirectoryName and enter the path to the accounting directory where the AAA server writes accounting information.
Step 7 Select TimeInterval and specify how often (in seconds) the NetFlow Parser will parse the NetFlow accounting file.
Step 8 Select GuidTarget and enter SMSAdapter.
Step 9 Start the Accounting Parser by clicking Apply, then Start.
Within a few minutes, the service will appear in the NCC directory tree.
Complete these steps to start the Accounting tool:
Step 1 On the system where you want to run the Accounting tool, change to the UCP configuration directory:
Step 2 Edit the accttool.cfg file.
Step 3 Specify the broker host, server name, and the accounting directory.
The accounting directory is where the Accounting tool will write the accounting information.
Step 4 Change to the ucp directory:
Step 5 Enter the following command:
Step 1 On the machine where you want to install the GRS, follow the instructions to install GRS. For more information, refer to the CiscoSecure Global Roaming Server User Guide.
Step 2 Log in as root.
Step 3 Insert the CiscoSecure GRS CD-ROM into the CD-ROM drive.
Step 4 At the command prompt, enter:
Step 5 At the command prompt, enter:
This installs CiscoSecure GRS in the default directory: /opt/CSCOgrs.
Step 6 The installation program prompts you for an installation directory.
The NetFlow Collector collects accounting information about UCP user sessions and stores the information in an accounting file from which you can extract data such as user time online and services used.
You can install the NetFlow Collector on any server that has a network connection to a Cisco 7000 series router.
Complete these steps to install the NetFlow Collector:
Step 1 On the server where you will install the NetFlow Collector, create a directory for the NetFlow files. For example, enter:
Step 2 Insert the UCP installation CD-ROM into the system's CD-ROM drive.
Step 3 Go to the directory that you just created:
Step 4 Copy the NetFlow installation file from the CD-ROM to the netflow directory:
Step 5 From the NetFlow directory, enter the following command:
Step 6 Review the NetFlow README file.
Step 7 Enter the following command:
The NetFlow Collector is installed in the directory /opt/CSCOnfc.
Step 8 Edit the system's .cshrc file to add the following lines:
Step 9 Save your changes.
Step 10 If NetFlow switching is not already enabled on the router, configure the router to enable NetFlow switching or contact the router administrator to set up NetFlow switching on the router.
For detailed information on configuring the router for NetFlow switching, refer to the chapter "Configuring the NetFlow FlowCollector" in the NetFlow FlowCollector Installation and User Guide.
Note the following points regarding the NetFlow installation:
Step 1 From the NCC directory tree, select the host on which you want to start the NetFlow Parser.
Step 2 From the Server menu, select Start New Service.
Step 3 Select NetFlow.
The NetFlow Properties property sheet appears.
Step 4 Click the General tab and make sure the broker points to the correct machine.
Step 5 Click the Specific tab.
Step 6 Go to the userrecordrequester section.
Step 7 Set NetFlowDirectoryName to the value specified in the DataSetPath parameter in the nfconfig file (the NetFlow configuration file).
Step 8 Select the NFCheckTimeInterval parameter and specify how often (in seconds) the NetFlow Parser should parse the NetFlow accounting files.
Step 9 Select the NFCollectorDirectoryName parameter and enter /opt/CSCOnfg/bin.
Step 10 Select the GuidTarget parameter and enter SMSAdapter.
Step 11 Start the NetFlow Parser by clicking Apply, then Start.
The NetFlow Parser starts, and this process automatically starts the NetFlow Collector.
Step 1 Go to the machine on which you want to install Netsys.
Step 2 Enter the following:
Step 3 Log in as a user:
Step 4 Enter the following command to run the installation script from the command line:
Step 5 If you installed Netsys in the /opt/netsys directory, enter:
Step 6 Enter the following commands to obtain a license:
Step 7 Start the License Manager Daemon (lmgrd):
Step 8 Start Netsys from the NCC.
Step 9 Enter the following to start the Netsys GUI:
Step 10 Complete the following steps to establish a baseline for Netsys to use to communicate with the router:
(a) Create a directory for the router configuration files, for example:
(b) Copy the router/NAS files into the directory.
(c) From the Netsys GUI, click file.
(d) Click new to create the new baseline.
(e) Select the directory where you have the configuration files for the router, for example, /tmp/config.
(f) Select the router(s) for which you want to create a baseline.
(g) Enter the name of the baseline and click OK.
After you create a baseline, you can view reports of the baseline by clicking on the reports, or you can schedule a process by clicking the Schedule button.
After installing Netsys, you must configure the CiscoSecure ACS to transfer Virtual Private Dialup Network (VPDN) information to Netsys.
Complete these steps:
Step 1 Start the CiscoSecure ACS Administrator tool.
Step 2 Go to advanced mode.
Step 3 Click members.
Step 4 Create a new Group and name it "VPDN."
Step 5 Select the UCP-vIP-new Dictionary for the VPDN group.
Step 6 In ReplyAttributes, select the 9,1 Cisco avpair attribute twice.
Step 7 Click 9,1 Ciscoavpair and enter vpdn:tunnel-id=xxxx.
Step 8 Click the other 9,1 Ciscoavpair item and enter vpdn:ip-addresses=x.x.x.x.
Step 9 Click submit.
Step 10 After you submit, if you have already scheduled the VPDN transfer process from Netsys, wait for about 10 minutes for it to appear on the NCC.
Step 11 If you haven't scheduled a VPDN collection, from the Netsys Administrator tool, click the Schedule button.
The Schedule window appears.
Step 12 In the Reports section, click Run VPDN Collection And Web Reports.
Step 13 Click the Schedule button.
A series of popup windows appears.
Step 14 Click OK in each of the windows that pop up to schedule your VPDN collection.
After you have scheduled the VPDN collection, the NCC is updated.
To uninstall UCP, follow these steps:
Step 1 From NCC, stop all services for each server in the POP. To stop a service, right-click the service and select Stop from the popup menu.
Step 2 Stop the master daemon for each system running UCP. Select a system running UCP. From the terminal prompt, change to the directory where UCP is installed (default: /opt/ucp) and enter the following command:
Step 3 After the master daemon stops, enter the following command:
Follow the prompts to remove the package.
Step 4 Repeat Steps 2 and 3 for each system running UCP components.
Step 5 Go to the system running CiscoSecure ACS.
Step 6 From the terminal prompt, change to the directory where CiscoSecure ACS is installed (default: /opt/acs) and enter the following command:
Follow the prompts to remove the package.
Step 7 Go to the system running the ActiveWeb Information Broker.
Step 8 From the terminal prompt, change to the directory where the ActiveWeb components are installed (default: /opt/active/bin) and stop the dbAdapter and broker services. Enter the following commands:
Step 9 Uninstall the ActiveWeb Information Broker by entering the following command:
Step 10 Go to the Windows NT system running NCC.
Step 11 From the Control Panel, double-click Add/Remove Programs.
The Add/Remove Programs Properties property sheet appears.
Step 12 Select Network Control Console from the list of programs and click Add/Remove. Follow the prompts to uninstall NCC.
The UCP software is now uninstalled.