Document ID: 108331
Updated: Nov 12, 2008
Introduction
The purpose of this document is to highlight the best practice guidelines to ensure a successful implementation of the Policy Import Export (PIE) feature in Cisco NAC.
Prerequisites
Requirements
Familiarity is required with the Cisco NAC Manager (Clean Access Manager) web interface and the policies that are typically configured. Refer to the Release Notes for Cisco NAC Release 4.5 for what is and is not supported with PIE.
Components Used
The information in this document is based on these software and hardware versions:
- Cisco NAC Software 4.5.0
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
PIE Best Practice Recommendations
In this section, you are presented with the information to configure the features described in this document.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
Configurations
Follow the recommendations listed below to ensure a successful implementation of the CAM Policy Import Export (PIE) feature.
- Cisco recommends that you configure the same auto update settings on both master and receiver NACMs (under Device Management > Clean Access > Updates > Update) to ensure that all NACMs have the same Cisco updates before you perform a Policy Sync. This is because the current checks on the master override any checks on the receiver if you perform Cisco updates on a receiver NACM with different auto update settings and then perform a Policy Sync.
- If you have an OOB NACM and any legacy NACM(s) with an IB-only license, make sure that you use the OOB NACM as the master NACM and the legacy NACM(s) as the receivers.
- Once PIE is enabled for a particular component between the master and the receiver, the receiver tables/information are completely replaced with the information that is pushed from the master. It is not cumulative on the receiver side. For example, if the receiver has a traffic rule that allows access to mcafee.com and the master has traffic rules that allow access to cisco.com and abc.com, but no rule for mcafee.com, the receiver and master will have identical rules once the sync is executed: cisco.com and abc.com. Note that the traffic rule for mcafee.com does not exist on the receiver after the sync since the master did not have that rule. The best practice is to configure the master NACM as desired but not modify the policy settings on the receivers.
- The maximum number of supported receivers is 10. Although there is no technical limitation to the number of receivers, the best practice recommendation is to keep this to the supported number (fewer than or equal to 10).
Note: For NACM HA-pairs, the Policy Sync settings are disabled for the standby NACM.
- The master and receiver(s) must run the same version of Cisco NAC (4.5 or higher) release.
- Ensure that both NAC managers have Certificate Authority (CA) signed certificates and that the master and receiver trust each other's certificates. Certificates are key to securing the synchronization between the master and receiver. The master has to trust the certificate presented by the receiver and vice versa. For this, it is necessary to ensure that each of them has the root CA of its peer's certificate (the full chain if an intermediate CA is involved) in the trusted CA list. In production deployments, the best practice is to replace the self-signed certificates on the NAC Manager with CA signed certificates. In short, make sure that the NAC Manager SSL certificate best practices are met before you implement PIE.
- Make sure that you are logged in as a Full-Control Admin user to the master NAC Manager in order to perform automatic or manual Policy Sync.
- Auto sync allows you to schedule an automatic Policy Sync once every X number of days (minimum is 1 day). If you want to use auto sync for PIE, Cisco strongly recommends that you perform a manual sync and verify that the sync works successfully before you enable auto sync between your NAC managers.
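The mutual-trust requirement in the certificate recommendation above is the item most often missed in practice, particularly when an intermediate CA issues the manager certificates. The following shell script is an added example; it is not code from the Cisco document or from the NAC product. It wraps `openssl verify` in a `check_chain` function, builds a constructed, throwaway PKI (root CA, intermediate CA, manager certificate), and shows that a manager certificate issued by an intermediate validates only when the trusted CA list carries the full chain or the intermediate is supplied alongside it, and never when the peer trusts an unrelated root. The `fetch_peer_cert` helper, the hostname `nacm-receiver.example.test`, and the port number are assumptions; the `openssl` command-line tool is assumed to be installed on the administrator's workstation.

```shell
#!/bin/sh
# Added example, not part of the Cisco document: confirm that a NAC Manager
# certificate chains to a CA in the peer's trusted CA list before enabling PIE.
# Assumes the openssl CLI is available. Hostnames, ports and file paths below
# are constructed placeholders, not values taken from the document.

# check_chain TRUSTED_CA_FILE PEER_CERT_FILE [INTERMEDIATE_FILE]
# Exit 0 only if PEER_CERT_FILE chains up to a CA listed in TRUSTED_CA_FILE.
# INTERMEDIATE_FILE supplies the issuing CA when the trusted list holds only
# the root; this is the "full chain" case the document calls out.
check_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# fetch_peer_cert HOST PORT OUTFILE (assumed helper)
# Saves the certificate a live manager presents on its HTTPS port so that it
# can be checked against the other manager's trusted CA list with check_chain.
fetch_peer_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# make_demo_pki DIR
# Builds a constructed throwaway PKI: root CA -> intermediate CA -> manager cert,
# plus an unrelated root to stand in for a peer that trusts the wrong CA.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the root (CA:TRUE via the extension file)
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$dir/inter.key" -out "$dir/inter.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" >/dev/null 2>&1
  # Manager (leaf) certificate signed by the intermediate; hostname is constructed
  openssl req -newkey rsa:2048 -nodes -subj "/CN=nacm-receiver.example.test" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
  # Unrelated root CA that the manager certificate does not chain to
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  # Trusted CA list that carries the full chain (root plus intermediate)
  cat "$dir/root.pem" "$dir/inter.pem" >"$dir/trusted-full.pem"
}

# report CMD ARGS...: print whether a check passed, without aborting the script
report() {
  if "$@"; then echo "PASS : $*"; else echo "FAIL : $*"; fi
}

# demo: the four outcomes an administrator should expect to see
demo() {
  d=$(mktemp -d)
  make_demo_pki "$d"
  report check_chain "$d/root.pem"         "$d/leaf.pem"                 # FAIL: intermediate missing
  report check_chain "$d/root.pem"         "$d/leaf.pem" "$d/inter.pem"  # PASS: intermediate supplied
  report check_chain "$d/trusted-full.pem" "$d/leaf.pem"                 # PASS: full chain in trust list
  report check_chain "$d/other.pem"        "$d/leaf.pem" "$d/inter.pem"  # FAIL: peer trusts wrong root
  rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found"; fi
```

Run the script from an administrator workstation, not on the managers themselves. For a real deployment, use `fetch_peer_cert` to save the certificate each manager presents, then run `check_chain` with the CA list that the other manager is configured to trust; a failing result on either side means the trusted CA list is missing the root or intermediate and the Policy Sync TLS session between master and receiver will not be trusted.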
Verify
There is currently no verification procedure available for this configuration.