Acs 5.0 features

Similar Messages

• ACS 4.2 Feature Support

  Hello All,
  Is it possible to export the network devices in ACS..?
  We need to do it for our audit purpose.

  Prasan, Good to see you again
  Yes, you can get the aaa clients/devices information in excel sheet from below mentioned steps:
  Go to Network Configuration > Search > Keeps the search setting to default i.e. to search all. Then press search. There will be a "Download" option that will appear in the left corner of the search  result. Click on it save that list.
  This list will contain,
  - Name
  - IP Address
  - Type
  - NDG name (if any)
  NOTE: This will not contain the Shared Secret keys that AAA Client have.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Backup of ACS SE 4.2 - what do you get?

  If I use the GUI interface to FTP a backup of an ACS SE appliance, what do I get in the backup file? Just the config? Certificates? User database(s)?

  Actually the backup should have the certificate too. According to the documentation :
  Components Backed Up
  The ACS System Backup feature backs up the ACS user database that is relevant to ACS. The user database backup includes all user information, such as username, password, and other authentication information, including server certificates and the certificate trust list.
  If your ACS for Windows logs information to a remote ACS server, both ACS versions must have identical release, build, and patch numbers; or the logging might fail.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SCBasic.html#wp222373

• ACS 5.0 Patches

  Hi all,
  is there any patches available for ACS 5.0 system 90 day eval?
  I'm evaluating ACS on vmware platform.
  The 5-0-0-21-6.tar.tar patch doesn't seem to be a valid file to do it.
  The readme file talk about a .gpg file but the patch i've downloaded is a .tar fiel and it is impossible to untar it.

  Yes , thanks,
  But that's not my question.
  What i said is that the patch file available on cisco site seem not to be useful to load and run in the "ACS 5.0 features an improved, centralized management of software updates ".
  I mean, i've searched for the patch file, stored on my pc, activated a tftp server and tried to run the patch from the GUI of the ACS, it stand still in upgrading phase for a long time and nothing happened.
  In ACS gui the patch file is named .gpg but on cisco site no gpg file exist!!
  So , what is the right file to do upgrade?

• Resetting/Deleting Shared Profile Components

  we have ACS4.1 and LMS2.6
  LMS registered all apllications on ACS and was configured in ACS mode.
  There was a test installation of Cisco Unified Operations Manager and it also registered all aplications on the same ACS server.
  After this we have RME authorizations problem. User having all permissions in Shared Profile Components for RME can not access RME jobs.
  So the quiestion is - Can I somehow delete or reset Shared Profile Components? I want to register LMS applications again, but can not see how I can delete Shared Profile Components. I can only delete any roles in it.

  This chapter addresses the CiscoSecure ACS for WindowsServer features found in the Shared Profile Components section of the HTML interface
  http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a0080205a4a.html#wp737145

• ACS 5.5 RADIUS OUTBOUND Attributes Injection feature

  Hello
  I'm having a look at the RADIUS OUTBOUND Attributes Injection feature for the External Proxy service in ACS version 5.5.0.46.
  The use case is:
  ACS uses the External Proxy service to authenticate wireless users with certain domain suffixes
  Sometimes the username Access-Accept comes back with the domain suffix stripped.
  The result of this is:
  ACS logs a successful authentication with the sent username (with suffix)
  ACS sends the Access-Accept to the WLC and the user is listed on the WLC (without suffix)
  Subsequent accounting packets for the user appear in ACS (without suffix)
  In the past I've used a freeradius proxy server between ACS and the external proxy to 'rewrite' the username in the Access-Accept so that it matches the username origianlly sent in the Access-Request. The code for this looked something like the following.
  Post-proxy {
  update outer.reply {
  User-Name := "%{request:User-Name}"
  I'm looking to do the above solely with ACS but I can't see the Radius-ietf username attribute listed under the RADIUS OUTBOUND Attributes Injection feature. Is it possible to rewrite the username attribute in ACS 5.5?
  Thanks
  Andy

  Don't think this can be done in ACS 5.5 when using an External Proxy Service Type.
  Interestingly, it appears to be possible with a Network Access Service Type. Under Allowed Protocols there is a tick box for Send as User-Name in RADIUS Access-Accept - one of the options is RADIUS Access-Request User-Name. Hopefully this will be implemented in a future release for External Proxy.
  Cheers
  Andy

• ACS server with NAC feature

  Hi,
  I have ACS 3.3 version and i have seen the it has network admission control feature in it. I have cisco switches 3750G and windows servers 2003. Currently i am running machine/user authentication over EAP-PEAP and it seems running ok in my network. I have now a new requirement. we want to authorize the machine only when the machine has latest antivirus running on it. we have symantic antivirus on our machines.
  I am new to network admission control and don't know much.
  Can i do it with cisco ACS server? is we have to buy any equipment/software to accomplish this?  your help in this matter will be highly appriciated.
  Regards

  This is called NAC framework, and as far as I know this might be possible but you might find some limitations, see the following link for guides:
  http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
  On the other hand the current NAC solution "Cisco Clean Access" Will allow you to play with it as desired, see:
  http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/product_data_sheet0900aecd802da1b5.html
  hth
  Ivan

• ACS v5 IP pool feature

  Hi friends ,
  i have problem with Acs v5 that it dosen't support IP pool feature . , i was using ACs v4 which was assigning IP's to VPN users - now i need to upgrade to v5 ?
  can you please help to solve this ?

  You may try the bug ID CSCse33323

• Account disablement on specific date feature on ACS 5.2

  Hi All ,
           I have ACS 1120 ACS appliance running ACS version 5.2.0.26.5 ,authenticating VPN users connecting from internet using radius protocol , we have requirement that VPN user account should be disabled by a specific date , Means user ID should be revoked when their contract expire connecting to our data center .
  I know this feature is available on ACS version 4.2.,but i could not this feature set on ACS 5.2.0 when user account is created , whether any new sepicfic patch has this feature enabled after acs version 5.2.0.26.5 ,please let me know on this .
  With out this feature this set , i cannot ensure ID are revoked automatically ,when specifc date come in to end user . 

  Account expiration is available in acs 5.3
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores_ps9911_TSD_Products_User_Guide_Chapter.html#wp1287418
  Check table 8-3

• Features of Cisco Secure ACS Appliance

  Hi,
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Normale Tabelle";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  I’m working on an evaluation of NAC systems. Therefore, I’ve chosen the Cisco Secure ACS as representative of a 802.1X based solution.
  There are a few questions I wasn’t able to answer by reading the product information available on Cisco.com. I hope that someone here might be able to help me. Any information is highly appreciated.
  The questions I wasn’t able to answer are:
  •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
  •     What happens if the server(s) fail?
              o     Can already authorized users still work?
              o     Can known users still be authorized?
              o     Are unknown users still blocked?
  •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
  •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
  •     Is there (besides of the reports) some kind of status overview with the ACS?
  •     Which kinds of Attacks can the ACS (alone) prevent?
              o     Can it prevent MAC Spoofing?
              o     Can it prevent MAC Flooding?
              o     Can it prevent ARP Attacks?
              o     Can it prevent IP Spoofing?
              o     Can it eliminate rouge DHCP servers?
              o     Can it prevent STP Attacks
  •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
  Thanks for all answers.
  Regards,
  taouri

  See inline answers:
  The questions I wasn’t able to answer are:
  •     Can the ACS work in a heterogeneous environment (i.e. Cisco and Alcatel Switches)?
  Yes, as long as those devices support RADIUS and TACACS+ IETF standards.  Some devices require the configuration of vendor-specific AV-pairs to work properly, which the ACS in general can do.  You'll need to get details from the specific vendor on their requirements to insure it'll work.
  •     What happens if the server(s) fail?
              o     Can already authorized users still work?
  This is driven by the AAA client, not the ACS.  In general, if it isn't reauthenticating the users, then yes, they'll still work
              o     Can known users still be authorized?
  In general, no, not by the ACS, but for some cases such as dot1x, it may be possible to configure fallback to local authentication or define a critical VLAN.
              o     Are unknown users still blocked?
  Without contact to the server, the AAA client has no way of knowing what user is known / not known barring the above items.
  •     Is the ACS capable of authorizing users through routed networks or VPN tunnels?
  Yes, as long as the VPN device is capable of sending Radius or TACACS+ requests to the ACS
  •     Does a change of the assigned VLAN work without relogin (or even reboot) of the client?
  Yes, if using a supplicant that detects the EAP success message and knows to refresh the IP.
  •     Is there (besides of the reports) some kind of status overview with the ACS?
  Yes, this is covered in the documentation for the appropriate ACS solution.  Incidentally, the word ACS could mean ACS 4.x, or ACS 5.x, both of which are substantially different.
  •     Which kinds of Attacks can the ACS (alone) prevent?
  ACS authenticates and authorizes users.  It isn't in and of itself a device for prevention of the L2 attacks you list.
              o     Can it prevent MAC Spoofing?
              o     Can it prevent MAC Flooding?
              o     Can it prevent ARP Attacks?
              o     Can it prevent IP Spoofing?
              o     Can it eliminate rouge DHCP servers?
              o     Can it prevent STP Attacks
  •     And the last one: What happens if I plug in an unknown device into an IP-Phone? Is the switchport to       which the IP-Phone is connected blocked or only the unknown device?
  This depends on how you configure the dot1x parameters on the port.  In general, this is often configured in single-host mode with a voice vlan for the phone.  The phone passes through the EAPoL traffic the client passes, and in single host mode we rely on CDP bypass for the phone itself to bypass authentication.  There are excellent documents for the various dot1x configuration options in our IBNS (identity-Based Network Solutions) section here:
  http://www.cisco.com/en/US/customer/products/ps6638/products_ios_protocol_group_home.html

• ACS 5.3 Radius authentication with ASA and DACL

  Hi,
  I am trying to do Radius authentication on the ACS 5.3 for VPN access (cisco client) using a downloadable ACL with AD identity
  Clients are connecting to an ASA 5510 with image asa843-K8.bin
  I followed the configuration example on the Cisco site, but I am having some problems
  First : AD identity is not triggered, I put a profile  :
  Status
  Name
  Conditions
  Results
  Hit Count
  NDG:Location
  Time And   Date
  AD1:memberOf
  Authorization   Profiles
  1
  TestVPNDACL
  -ANY-
  -ANY-
  equals Network Admin
  TEST DACL
  0
  But if I am getting no hits on it, Default Access is being used (Permit Access)
  So I tried putting the DACL in the default profile, but when connecting I am immediately disconnected.
  I can see the DACL/ASA being authenticated in the ACS log but no success
  I am using my user which is member of the Network Admin Group.
  Am I missing something?
  Any help greatly appreciated!
  Wim

  Hello Stephen,
  As per the IP Pools feature, the ACS 5.x does not include such functionality. It is not on the ACS 5.x roadmap either as the recommended scenario would be to use a dedicated DHCP server.
  ACS 4.x included that functionality, however, it was not the best solution as the ACS returned the IP Address value as a RADIUS Attribute instead of acting as a real DCHP server.
  As per the IMEI and MISDN I am assuming you are referring to International Mobile Equipment Identity and Mobile Subscriber ISDN. Correct me if I am wrong.
  In that case it seems that the ACS 5.x should be able to Allow or Deny access based on Radius Attribute 30 (Called-Station-Id) and 31 (Calling-Station-Id).
  In that case you might want to use the End-Station Filters feature and use it as the condition for the Rule. The End-Station Filter feature uses CLI/DNIS where CLI is Radius Attribute 31 and DNIS is Attribute 30.
  I am assuming a Generic Username will be embedded on the devices request. In that case you will define which end-user devices will be granted access based on the above attributes.
  Here is a snapshot of the section:

• ACS 5.3, EAP-TLS Machine Authentication with Active Directory

  I have ACS 5.3. I am testing EAP-TLS Machine Authentication using Active Directory as an external Identity Store. II was testing and everything was going fine until I did some failure testing.
  My problem: I deleted my computer account out of Active Directory and tried to authenticate my wireless laptop and it still worked when it should have failed.
  Here is some of the output of the ACS log. You can see that the computer could not be found in AD and this was returned to the ACS. However, ACS still went ahead and authenticated the computer successfully.
  Evaluating Identity Policy
  15006 Matched Default Rule
  22037 Authentication Passed
  22023 Proceed to attribute retrieval
  24433 Looking up machine/host in Active Directory - LAB-PC-PB.VITS.attcst.sbc.com
  24437 Machine not found in Active Directory
  22016 Identity sequence completed iterating the IDStores
  Evaluating Group Mapping Policy
  12506 EAP-TLS authentication succeeded
  11503 Prepared EAP-Success
  Evaluating Exception Authorization Policy
  15042 No rule was matched
  Evaluating Authorization Policy
  15006 Matched Default Rule
  15016 Selected Authorization Profile - Permit Access
  22065 Max sessions policy passed
  22064 New accounting session created in Session cache
  11002 Returned RADIUS Access-Accept
  I was assuming that if the computer was not found, the Identity Policy would fail, so I did not configure any authorization policy. Do I need an authorization policy to tell the ACS to fail the authentication if the machine cannot be found in AD? If I need an authorization policy, how do I configure it?
  Note: In my Identity Store Sequence, I did enable the option:
  For Attribute Retrieval only:
  If internal user/host not found or disabled then exit sequence and treat as "User Not Found"
  but this only seems to work for internal identity stores (at least based on my testing)
  Under my Access Policy Identity tab, I configured the following Advanced features:
  Advanced Options
  If authentication failed
  RejectDropContinue
  If user not found
  RejectDropContinue
  If process failed
  RejectDropContinue
  And that didn't do anything either.
  Any ideas? Thanks in advance.

  Can try the following. Define an attribute to be retrieved from Active Directory and that exists for all objects. When defining the attribute it can be given a default value. Assign a default value which is a value that will never be returned for a real machine entry (eg "DEFAULTVALUE") and give it a "Policy Condition Name"
  Then can make a rule in the authorization policy such as
  If "Policy Condition Name" equals "DEFAULTVALUE" then "DenyAccess"

• ACS 5.3.0.40 On-demand Full Backup failed.

  Hi,
  I have ACS 5.3.0.40 Primary Secondary Authenticators , of which the Scheduled backup has stopped.
  When checked the :
  Monitoring Configuration >
  System Operations >
  Data Management >
  Removal and Backup
  > Incremental Backup , it had changed to OFF mode. without any reason.
  The same was observed earlier too.
  I have made the
  Incremental Backup to ON and intiated the
  View Full Database Backup Now. But it wasn't successful and reported an Error:
  FullBackupOnDemand-Job Incremental Backup Utility System Fri Dec 28 11:56:57 IST 2012 Incremental Backup Failed: CARS_APP_BACKUP_FAILED : -404 : Application backup error Failed
  Later i did the acs stop/start  "view-jobmanager" and  initiated the On-demand Full Backup , but no luck, same error reported this time too.
  Has any one faced similar type of error /problem reported , please let me know the solution.
  Thanks & Regards.

  One other thing; if this does end up being an issue with disk space it is worth considering patch 5.3.0.40.6 or later since improves database management processes
  This cumulative patch includes fixes/enhancements related to disk management to avoid following issue
  CSCtz24314: ACS 5.x *still* runs out of disk space
  and also fix for
  CSCua51804: View backup fails   even when there is space in disk
  Following is taken from the readme for this patch
     The Monitoring and Reporting database can increase when as records are collected. There are two mechanisms to reduce this size and prevent it from exceeding the maximum limit.
  1. Purge: In this mechanism the data will be purged based on the configured data retention period or upon reaching the upper limit of the database.
  2. Compress: This mechanism frees up unused space in the database without deleting any records.
  Previously the compress option could only be run manually. In ACS 5.3 Patch 6 there are enhancements so it will run daily at a predefined time, automatically when specific criteria are met. Similarly by default purge job runs every day at 4 AM. In Patch 6 new option provided to do on demand purge as well.
  The new solution is to perform the Monitoring and Reporting database compress automatically.
  2.       New GUI option is provided to enable the Monitoring and Reporting database compress to run on every day at 5 AM. This can be configured under GUI Monitoring And Configuration -> System Operations -> Data Management -> Removal and Backup
  3.       Changed the upper and lower limit of purging of Monitoring and Reporting data. This is to make sure at lower limit itself ACS has enough space to take the backup. The maximum size allocated for monitoring and reporting database is 42% of /opt( 139 GB). The lower Limit at which ACS purges the data by taking the backup is 60% of maximum size Monitoring and Reporting database (83.42 GB). The upper limit at which ACS purges the data without taking backup is 80% of maximum size Monitoring and Reporting database (111.22 GB).
  4. The acsview-database compress operation stops all services till 5.3 patch 5 , now only Monitoring and Reporting related services are stopped during this operation.
  5. Provided “On demand purge” option in Monitoring and Reporting GUI. This option will not try to take any backup, it will purge the data based on window size configured.
  6. Even if the “Enable ACS View Database compress” option is not enabled in GUI then also automatic view database compress will be triggered if the physical size of Monitoring and Reporting database reached to the upper limit of its size.
  7. This automatic database compress takes place only when the “LogRecovery” feature is enabled, this is to make sure that the logging which happens during this operation will be recovered once this operation is completed. ACS generates alert when there is a need to do automatic database compress and also to enable this feature.
  8. Before enabling “LogRecovery” feature configure the Logging Categories in such way that only mandatory data to log into Local Log Target and Remote Log Target as Log collector under System Administration > ... > Configuration > Log Configuration
  This “LogRecovery” feature can recover the logs only if the logs are present under local log target.
  9       This automatic database compress operation also performed only when the difference between actual and physical size of Monitoring and Reporting database size is > 50GB.
  10 The new CLI “acsview” with option “show-dbsize” is provided to show the actual and physical size of the Monitoring and Reporting database. This is available in “acs-config” mode.
             acsview     show-dbsize     Show the actual and physical size of View DB and transaction log file

• How to survive an ACS audit with aaa-reports!

  For many organisations the Cisco Secure ACS server is the guardian of the network - controlling administrative access to routers and switches plus overseeing end network users over VPN, wireless and firewall.
  Its no surprise therefore that it should come under intense scrutiny during an audit. Perhaps what is surprising is the lack on awareness over best practice for running ACS in a secure way. We'd like to help in our small way and below is a list of tips we've picked up over the years of providing reporting services for ACS.
  Buy aaa-reports! Of course we would say that... But without the ability to aggregate the logs from all your ACS servers and report on the data, or use our query builder for forensic analysis, or import the ACS database to document the policy features enabled.... you'll have a hard time getting the evidence that an auditor might ask for.
  Make sure ACS is logging the appropriate attributes for the reports you need to create. For example if you need to document who did what to devices in specific Network Device Groups (NDG) you must ensure this value actually gets logged. Performing ACS upgrades often sets logging configs back to their defaults.
  Create a build specification for your ACS. Detail the "meta config" of your ACS so that after an emergency hardware swap-out or software upgrade you can quickly check that the ACS has the correct configuration. The build spec document should be under version control and is a useful item in itself to convince an auditor your system is well controlled.
  Create a Change Control system for config changes on the ACS. Since its ACS that decides who gets access and what commands they run on your network its vital you report on the Administration Audit logs. During an audit you can then correlate entries in your change control system with actual edits recorded in the Admin Audit logs. aaa-reports! can document what all or individual ACS admins did in detail.
  Retain 2 years of actual CSV log data on your reporting server. For general day-to-day reporting you dont need this amount, but during an audit you may be required to show what happened on a specific historic date. aaa-reports! multi-db feature will allow you to create a specific back-end database just for this task and import logs from the required time period. Alternatively use the aaa-reports! snapshot feature to regularly save its database state, for example quarterly. You may then connect aaa-reports! to any of the historic snapshot databases to report on the data from that quarter.
  Regularly export the ACS database into aaa-reports! If you are running reports against log data from 2 years ago you also need to know what was in the ACS database at the same time - using a more recent ACS database might yield unexpected results because the configuration is likely to changed in the meantime. Usecsvsync to regularly grab the ACS database and keep them alongside the retained CSV logs for future reference.
  Review the quality of ACS log data. From time to time its worth taking a look at the quality of the data getting logged. We often find customers with rogue scripts being automated on devices that cause the ACS Failed Attempts logs to become full of many MBs of "junk data" - essentially one failed attempt for each line of the script. If left to continue for months the real data starts to become more difficult to find.
  In terms of specific questions that an audit will concentrate on, typically it will revolve around demonstrating that not only is there specific and adequate policy to control access to those parts of the network require it, but also to seek evidence that those policies are in fact working. In aaa-reports! we added a whole set of reports for TACACS+ Device Administration (TDA) that attempt to document the ACS policy configuration, answer questions such as "who can/cannot access devices and once connected what can they do?" and finally report on what did actually happen.
  Below are some additional TDA specific tips:
  Ensure services such as shell/exec are only enabled for ACS groups that really need it. The aaa-reports! TDA Group Summary report will list every ACS group and what TDA features are enabled. The TDA Group Detailreport can be used to inspect the policy in detail.
  Check for user-level ovverides. In general users should always inherit policy from their group unless there is good reason. The aaa-reports! TDA User Summary report list users with group overriden configuration. The TDA User Detail report can be used to inspect what policy items are specific to the user.
  Use Network Access Restrictions (NAR) to prevent login by unauthorised personnel. The first line of defence is to only allow device admin users access to routers and switches. We find some customers rely purely on command authorisation - this potentially lets anyone access the device who can authenticate. Imagine the scenario where ACS has "unknown authentication" enabled pointing at your Windows AD then answer "Who has access?". aaa-reports! can report group-by-group on device access controlled by NARs and therefore answer "Who has access to device XYZ?"
  Use Device Command Sets (DCS) for command authorisation. Create a set of re-usable DCSs with meaningful names in preference to simple group-level command authorisations. ACS administration is simplified and the auditor should understand what the intent of the policy is by its name. aaa-reports! can document the both the content of each DCS and the group assignments, thereby answering the question "What commands can user X execute on device XYZ?"
  Seek out and remove old ACS user accounts. aaa-reports! can report on inactive users both from examination of accounting logs and (if password aging is enabled) from the imported ACS database itself.
  Learn how to use the aaa-reports! Query Builder. Despite the comprehensive set of pre-built canned reports, during an audit you are likely to be asked questions about a specific date, user or device. Knowing how to use the QB to build filter/sort and group/totalling queries will get the answers quickly. Take the random question "How many sessions did user X have on devices A, B and C on this date?" The aaa-reports! QB can easily create custom reports that filter on any number of attribute values, group by multiple columns and have calculated fields such as sum, count, average etc. If you have a working knowledge of Visual Basic 6 (VB6) its also possible to use a rich array of formatting and other VB6 functions to create additional fields.
  The above list is of course by no means definitive as every customer will have their own specific needs from ACS and face different levels of compliance. Undergoing an audit is never easy, but at least with the right tools it doesnt have to be awful!
  For more infomation on extraxi aaa-reports! or to download our free 60 day trial version please visit http://www.extraxi.com/audit.htm

  .

• ACS migration from 4.1.1.23 to 5.6

  Dear Team.
  We need to upgrade an ACS 4.1.1.23 to a new ACS 5.6. This means a data migration from ACS 4.1.1.24 to 5.6
  The migration guide says that the migration utility must be run on a 4.1.1.24 to check the DB integrity and make some modifications.
  Our client has an ACS 4.1.1.23.
  In the Cisco Download page for ACS 4.1.1.24 there isn't any acumulative patch to 4.1.1.24. Anyone has any idea how we can upgrade the ACS 4.1.1.23 to .24?
  After this patch will be applied, we will backup data from 4.1.1.24 to migration server 4.1.1.24 with demo license (this file exist on Download Center)
  Thanks.

  You can upgrade to 4.2 and then to 5.6
   ACS 4.2 with the recovery DVD, no need to upgrade to ACS 4.1.1.24 and then to 4.2.
  Remember to make a backup before the upgrade.
  There is a feature that allows you to restore any ACS 4.1 backup into ACS 4.2.
  "Before you begin any upgrade procedure, we recommend that you back up your existing data and configuration. When, upgrading do a re-image of ACS 4.2 and then restore the ACS 4.1 configuration."
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/solution_engine/upgap.html#wp1120037
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-6/user/guide/acsuserguide/migrate.html#pgfId-1057975