ACS SE upgrade

Hi,
We have an existing ACS running 4.1.4.13 and have purchased a new device running 4.1.1.23. I understand that to replicate they need to be the same version. Can someone please clarify the upgrade path from 4.1.1.23? Do I need to request the software from TAC or is it here -http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des ?
TIA

Certain software downloads/upgrades from Cisco require additional access/a valid service contract. Availing this contract would give you access to most of the tools and to the encrypted software.
To know more details about Cisco service contract choose from the following:
a) Contact your Cisco Account team if you have a Direct Purchase Agreement.
b) Contact a Cisco Partner or Reseller to purchase a service agreement:
http://tools.cisco.com/WWChannels/LOCATR/jsp/partner_locator.jsp
c) Use the Profile Manager to update your Cisco.com profile and request association to service agreement:
http://tools.cisco.com/RPF/profile/edit_entitlement.do?Tab=3
d) You can also contact your Cisco Representative or Cisco Accounts Manager for more detail.
Cisco does provide a warranty period during which you can obtain software. However, to get access to the software you need to contact TAC using the following link http://tools.cisco.com/ServiceRequestTool/create/launch.do for additional help. They would be in a position to assist you better.

Similar Messages

  • Need advice about ACS/WLC upgrade ?

    We have two ACS 4402 with software version 5.2.193.0 . What version should I upgrade to ?
    The ACS is running version 5.2.148.0. What version do you recommend here ?
    Regards
    Johann F
    Volda University College, Norway

    Hi Johan,
    Are you facing any bug or require any new feature?
    Normally recommended is the latest on your code train:
    latest on 5.2
    latest on 6.0
    latest on 7.0
    and so on...
    Have a good day.
    Serge

  • Cisco acs 1120 upgrade to 4.2.1.15 help

    Hi All,
    I have a Cisco 1120 appliance downgraded from ACS 5.0 to ACS 4.2.0.124, and I need to upgrade to ACS 4.2.1.15. Does the Cisco 1120 ACS appliance support 4.2.1.15? How can I upgrade to 4.2.1.15 from 4.2.0.124?
    Does it require any distribution server for the upgrade process? Please suggest on this. Thank you.

    Yes, you can upgrade it to 4.2.1.15, and you can download the version from the link listed below:
    http://tools.cisco.com/squish/d4e4A
    Here are the files you need to download:
    ACSse-Upgrade-Pkg-acs-v4.2.1.15-K9.zip
    ACSse-Upgrade-Pkg-appl-mng-v4.2.1.15-K9.zip
    NOTE: Please apply the management upgrade first and then the software upgrade.
    A distribution server is a machine from which you can upload the patch onto the Cisco Secure ACS Appliance, so if you download the version to your laptop and upload it from there, then that would be the distribution server (nothing special).
    Upgrade an appliance to 4.2.1.15
    http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2.1/Installation_Guide/solution_engine/upgap.html#wp1148376
    Hope this helps.
    Rgds,  Jatin
    Do rate helpful posts~

  • ACS Appliance Upgrade

    I obtained the 3.3 release from Cisco. I'm currently running v3.2. When I go to System Configuration -> Appliance Upgrade Status -> Download -> Connect -> Download Now, it returns "No Distribution in Appliance". I can see the 3.3.3.11 in the software install table, but it returns the error above when trying to transfer the file. I'm running Apache / Windows XP SP2. Anyone seen this before?

    Hi,
    Without a distribution server, you normally need to load the new image into the current ACS appliance itself before executing the upgrade process. The new image can be transferred via serial or the ACS web-based 'system upgrade' option.
    If I am not mistaken, the error you're getting was due to unavailability of the distribution server.
    If you are stuck with the image transfer, try to use CLI/console mode.
    The typical upgrade method has 3 steps:
    1. Load new image (download from Cisco or using CD) onto a distribution server.
    2. Load the upgrade image onto the Cisco Secure ACS Appliance from the distribution server. Do it either from within the HTML interface, or from the serial console. The Cisco Secure ACS Appliance will verify the transferred files to ensure that they have not been corrupted.
    3. Apply the Cisco Secure ACS Appliance system upgrade. You can do this either from within the HTML interface, or from the serial console.
    Refer to the following url for complete upgrade processes & options:
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps5338/products_installation_guide_chapter09186a0080203004.html#wp1044616
    Rgds,
    AK

  • ACS Appliance Upgrade path

    I am seeing patches and CSUpdate files with the same release date. My current version is Acs-4.2.0.124.9-CSUpdate fix, Base image 4.2.0.107, Appliance Management Software 4.2.0.124.
    The question is which patch do I apply: the Cumulative, the CSUpdate, or both? Do I need to apply them one after the other, or is the .12 patch a rollup that includes the fixes in the previous versions, 10 and 11?
    One other thing: other than physically going to the colo and reading it off the server itself, where can I find the serial number of the unit?

    Appliance serial number cannot be viewed via GUI or serial.
    For upgrading ACS, always apply the most recent patch available; it covers all fixes to date.
    First apply the CSUpdate and then apply the patch.
    Please post ACS related under head AAA.
    Regards,
    ~JG
    Do rate helpful posts

  • ACS 1112 upgrade

    Hi everyone,
    I want to upgrade my ACS appliance 1112 running software version 3.3 to 5.x?
    How can I go about this, or should I go and purchase a new ACS appliance (1120)?
    br
    sam

    a.kiprawih is right, you need to upgrade your ACS 3.2(1) to ACS 4.0, then take a backup of it and restore it in the new ACS 1112 ACS 4.0. The easiest way to accomplish it would be to take a backup of ACS SE 1111 3.2(1), open a TAC case, send your backup to TAC, get it upgraded to 4.0; they'll send you the upgraded backup, restore it in the ACS SE 1112 4.0 appliance, and you are ready to roll. If you don't want to send your backup to TAC, create a test Win2000 server, install ACS 3.2(1), take a backup of ACS SE 1111 3.2(1), restore it. Upgrade it to ACS 3.3(3) build 11 on Win2000, take a backup. Then again upgrade it to ACS 4.0 on Win2000, take this backup (final one).
    Configure your ACS SE 1112 4.0 basic setup, then restore the ACS 4.0 backup from Win2000, and make sure you have all your IP addresses and other stuff in place; you are good to roll.
    NOTE: While upgrading from ACS 3.3(3) build 11 to ACS 4.0 on the Win2000 server, you may hit a bug due to trailing spaces in the NAS IP address defined on the ACS server. Best way... open a TAC case.
    Let me know if this helps :)

  • ACS Express upgrade for native Linux OS

    I'm running ACS Express 5.0.0.18. A recent security scan flagged the ACS as running outdated versions of Apache and Tomcat, plus other issues. Will the 5.0.1.1 upgrade package perform an update on these components? If so, what will be the updated versions, given that the upgrade package is over one year old? Are there any other alternatives for bringing the OS components up to date? Any advice is appreciated.
    Regards,
    Mike

    Hi Mike,
    What are the exact vulnerabilities you're referring to?
    I ask this as there are some known issues affecting also the ACS Express version 5.0.1.1, such as the following ones:
    * CSCtg52362:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg52362
    * CSCtg52369:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtg52369
    We don't have precise ETA for the fix yet, but you may monitor the above bugs to get notified about updates.
    In any case, you have to wait for the next patch to be out to get this fixed.
    In the meantime I would also recommend mitigating the impact of those issues by preventing non-admin workstations from having access to the ACS GUI (e.g. with a firewall or ACL); in any case this is good practice, as these web pages should not be reachable for non-admin staff (nor external internet users, of course).
    In any case, if you need further assistance on this, please open a TAC case, so we can verify this in more detail.
    Thanks!
    Regards,
    Federico
    If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.

  • ACS SE upgrade questions

    We currently have an ACS SE 1112 version 3.3.4.12. Windows Active Directory is being used to authenticate users.
    We have a new ACS (1113 running 4.1.1.23.5) that will be replacing this one.
    Regarding the new install, do I need to install a new remote agent to use with Active Directory? Also, can I use the same IP address for the new ACS SE that is being used for the one that will be replaced? We didn't want to change our switch and router configs if it isn't necessary. If it's possible just to set up everything on the new ACS SE and then unplug the old one and plug in the new one.
    I am new to ACS and was not around when it was originally set up so sorry if these are dumb questions!
    Please advise. Thanks so much.

    It should work as long as you don't miss anything, and yes, you are supposed to install an agent that matches the version you are running. You might want to go ahead and put the latest updates on the ACS before you put it into operation. The process is kind of different from other updates. You might want to read my other ACS posts. I recently killed one of my ACS boxes because I did not install the CSUpdate cumulative patch before installing the latest patch of the same rev level (i.e. read directions carefully). Make sure you do an FTP backup before updating the software. If anything goes wrong you could have to reimage the box. There were lots of bug fixes in the updates since 4.1.1.
    Randy

  • ACS 4.1 to differentiate and restrict users

    Hello all,
    I've been wrestling with this issue off and on for some time, but have had limited success. There is something I don't quite understand just yet. I hope someone here can help.
    I want to set up AAA on ACS 4.1 for authenticating login sessions to my switches, ASA and access points. That part is easy, and it even works, but here's what I'm having trouble with:
    Our ACS server points to our Windows 2003 AD database. If I set up my switches with AAA, anyone in the AD database can login to the switch. I only need about 5 people to have admin access to my switches, not the 4000 others.
    Also, I need to administer my access points. I am also a wireless user. Betty Sue in accounting is a wireless user, but has no need to administer the access point to which she associates. Same thing goes with our ASA and remote access VPN connections. How do I identify how a user connects to the device and set restrictions based on this?
    To put it another way:
    User A is Admin, wireless user, VPN user. Needs full access to all these devices. This part is easy.
    User B is accountant (or whatever), wireless user, VPN user. Should not have any access to administer the switch, AP, or ASA they are connecting to.
    I hope that makes sense. I've been through the NAP documents. I think the solution is there, but I'm not bright enough or brave enough to figure it out, at least not on a live network:)
    Thanks for any help.
    Scott

    All,
    I'm just now getting back to this. ACS is upgraded and the NAP is configured and almost working as I need it to be, with a big exception. Maybe someone can help?
    When I use telnet to login to a device, I am asked for "Username". With a sniffer, I can see that the AV Pair used to identify VTY connections is being sent with the proper value, and the user I want to be denied is denied. Subsequent requests to login are all asking for "Username", and all send the correct AV Pair, and all are rejected. Nice.
    Here's the issue. When I use SSH to log in to the same device, with the same credentials, I am asked to "Login as". The first time, the AV Pair I need is sent and the user is denied. When I am asked again, I'm not asked for user name or to "login as" again, I'm only asked for the password. If I enter the correct password, the user, any user, is allowed. Not good. With the sniffer, I see that the AV Pair is only sent with the first attempt; subsequent attempts don't send the AV Pair in question, so ACS can't act on this information, and so the user who should be denied is not.
    Any ideas for how to get around this? Can SSH be setup to present the username to the login session every time? Is there a way to force the sending of this AV Pair every time? Can I set up something to say that any user has only one attempt to login?
    The AV Pair in question is [061]NAS-Port-Type=5
    Thanks for any help

  • ACE SE 1112 4.0 : Services not starting

    I upgraded the appliance from 3.3.3 to 4.0.1.42 and the services do not start. I have nothing under "TCP Ports Opened" and "UDP Ports Opened" on the Appliance Status page. How do I start the services?
    I have "CiscoSecure ACS on xxxxx Is Currently Running" on the System Configuration (Service Control) page

    There is a slight discrepancy in the information you provided. TCP port 2002 is currently opened and the CSADMIN service is running. That's the reason you are able to view the ACS GUI. Try to restart all services from service control. If that's not possible, try to do a restart of all services from a COM port connection using HyperTerminal.
    Upgrading ACS SE involves 2 steps.
    1: Appliance management upgrade
    2: ACS SE upgrade
    Make sure you had successfully completed all the required steps for performing an upgrade.
    You can verify this on Systems config -> Upgrade status.

  • Cisco Secure Access Control Server for Windows 3.0

    I have to rebuild a server using Cisco Secure Access Control Server for Windows 3.0 ... I cannot locate this software under "download software" in cisco.com ..
    where can I download a copy for Cisco Secure Access Control Server for Windows 3.0 ?

    Hi,
    You cannot download the ACS Windows Solution Engine software from the cisco.com > download pages, as this s/w is not available there. You can only download patches and remote agent software.
    In order to get any ACS software/upgrade assistance you need to open up a TAC case.
    Also, ACS 3.0 is not supported by Cisco anymore. Getting support for this version or any 3.x is not possible.
    HTH
    Regards,
    JK

  • ACS loses connection with AD occasionally after upgrade from 5.2 to 5.3.0.40

    ACS had been integrated with Active Directory before ACS upgrade to 5.3. After the ACS 5.3 upgrade users aren’t able to login to AAA devices occasionally. Error message is:
    {AuthenticationResult=Error; Type=Authentication; Authen-Reply-Status=Error; }
    24429 Could not establish connection with Active Directory
    At the same time, when this issue occurs, ACS connection to AD works fine (checked with Users and Identity Stores> External Identity Stores > Active Directory “Test Connection”)

    I had the same problem, I opened a Cisco TAC case and my issue was resolved.
    Sent: Tuesday, 14 August 2012 9:58 AM
    Subject: RE: 622739355 HelpDesk#SVR328332-2 : Troubleshoot Cisco ACS 1121 v5.3 With Windows Active Directory
    Hi Ramraj,
    Thanks for the link to the article, but from what I’ve seen in the logs I’m not sure that we’ve got the same root cause to the issue.
    From the ACSADAgent.log files I can see log messages like:
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG network.state NST: SniffList: postfailsort=mykulad11p.cssc.dksh.net
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.kerberos.adhelpers Encryption (id 1) is not supported by KDC. Try next in the list
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.osutil Module=Kerberos : KDC refused skey: KDC has no support for encryption type (reference base/adhelpers.cpp:216 rc: -1765328370)
    Aug 11 11:10:56 CSSC-TPM-DC-ACS-1 adclient[5524]: DEBUG base.adagent Unable to refresh computer credentials: KDC refused skey: KDC has no support for encryption type
    This lines up with the error message that we see in the TACACS+ Authentication logs:
    24493 ACS has problems communicating with Active Directory using its machine credentials.
    I have come across a NETBIOS limitation (it’s not an ACS bug, but a bug has been filed for tracking and documentation purposes) that prevents two ACSs from being connected to Active Directory at the same time if the first 15 characters of their hostnames are the same. The bug ID is CSCtj62342 and its externally visible details are available here: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtj62342
    The hostname of the primary ACS is : MYMY-TPM-DC-ACS-1
    The hostname of the secondary ACS is: MYMY-TPM-DC-ACS-2
    From the hostnames, we can see that the first 16 characters of the hostnames are the same. What this means is that once the primary is connected to AD, after some time passes (this will depend on when the secondary goes and talks to AD) the secondary will lose its connection to AD and any authentications hitting the secondary will fail with the same error: 24493 ACS has problems communicating with Active Directory using its machine credentials.
    To resolve this issue, the hostnames of the ACSs will need to be changed so that the first 15 characters of their respective hostnames are not the same. Please keep in mind that this is a NETBIOS limitation and not a software bug.
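
A pre-flight check for the hostname collision described in the reply above, as an added example that is not part of the original thread: it derives the NetBIOS name (first 15 characters, compared case-insensitively) for each ACS hostname and reports hosts that collapse to the same name. The function names, the DNS suffix and the rename candidates are constructed for illustration; the two hostnames are the ones quoted in the reply.

```python
from collections import defaultdict

NETBIOS_NAME_LEN = 15  # usable characters in a NetBIOS computer name


def short_name(hostname):
    """Host label without DNS suffix, upper-cased (NetBIOS ignores case)."""
    return hostname.strip().split(".", 1)[0].upper()


def netbios_name(hostname):
    """NetBIOS computer name that Active Directory will see for this host."""
    return short_name(hostname)[:NETBIOS_NAME_LEN]


def find_collisions(hostnames):
    """Return {netbios_name: [hosts]} for names shared by 2+ distinct hosts."""
    groups = defaultdict(set)
    for host in hostnames:
        if host.strip():
            groups[netbios_name(host)].add(short_name(host))
    return {nb: sorted(hosts) for nb, hosts in groups.items() if len(hosts) > 1}


def first_difference(a, b):
    """1-based position of the first differing character, None if identical."""
    a, b = short_name(a), short_name(b)
    for i, (x, y) in enumerate(zip(a, b), start=1):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b)) + 1


def rename_is_safe(candidate, existing):
    """True if the candidate's NetBIOS name is not used by a different host."""
    taken = {netbios_name(h) for h in existing
             if short_name(h) != short_name(candidate)}
    return netbios_name(candidate) not in taken


if __name__ == "__main__":
    # Hostnames from the reply; the ".example.net" suffix is constructed.
    fleet = ["MYMY-TPM-DC-ACS-1", "mymy-tpm-dc-acs-2.example.net"]
    for nb, hosts in find_collisions(fleet).items():
        pos = first_difference(hosts[0], hosts[1])
        print(f"collision on {nb}: {hosts} first differ at character {pos}")
    # Constructed rename candidates for the secondary.
    for candidate in ("MYMY-TPM-ACS-2", "MYMY-TPM-DC-ACS2"):
        verdict = "ok" if rename_is_safe(candidate, fleet[:1]) else "still collides"
        print(f"{candidate}: {verdict}")
```

Running it over the full list of ACS hostnames before joining a new node to Active Directory shows whether a planned name only differs past character 15.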

  • After upgrading ACS 3.3.1 to 4.2 on windows the local database is not working

    Hi,
    I have upgraded the ACS 3.3.1 for Windows server to 4.2. Everything went fine but the local database is not working.
    The CD is an upgrade kit from 3.x to 4.2 on Windows. I tried to install 4.2 directly; I was able to install it, but integration with AD/LDAP is not working. Anyway, it's an upgrade kit, so I can't expect it to work when installing 4.2 directly, but by upgrading from 3.3 to 4.2 everything should work fine.
    I followed the upgrade path as recommended.
    Also, we have a requirement that once it is upgraded to 4.2 we need to shift the whole thing from the physical server to a virtual machine on VMware ESX server 3.5.
    Can anybody pls guide me if there is anything else to do after the upgrade?
    Thanks & Regards
    Sachi

    Hi Javier,
    First of all I was facing a problem of restoring the old database of 3.3 to 4.2. Somehow I overcame that issue by following the below steps. Now local authentication is working fine but AD/other External database authentication is not working. As you told the setting for the unknown users are configured to fetch the credentials from the external database if it is not in the local database.
    Do we need to do anything in the AD itself?
    Regards
    Sachi
    Steps for ACS upgrade to 4.2 version
    Below are the requested steps for the upgrade from ACS 3.3.2 to ACS 4.2.
    1) Take a configuration backup from the existing ACS: ACS ---> System configuration ----> ACS Backup.
    2) Now, if you have ACS 3.3.2 on the server, take a backup of the ACS.
    3) Insert the CD or, if you have the setup on the system, run the setup of ACS 3.3.4. During the process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit next, next to finish the 3.3.4 upgrade.
    4) Once you are at 3.3.4, take a backup and keep it handy.
    5) Run the setup of 4.1.1. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit next, next to finish the 4.1 upgrade.
    6) Once you are at 4.1.1.24, take a backup and keep it handy.
    7) Run the setup of 4.2. During this process it will prompt you to upgrade the existing configuration. Make sure you check that option, else we will lose the database. Now you need to hit next, next to finish the 4.2 upgrade.
    8) Once you are at 4.2, take a backup and keep it handy. Now run patch 12 and take a backup again.
    9) Now fresh install 4.2 on your new production server and install patch 12. Restore the 4.2 patch 12 backup and you should be all set.

  • How to upgrade the patches in ACS 5.1

    I want to upgrade ACS 5.1 in a distributed system. We have one hub/primary ACS and two other spoke/secondary ACSs. I have the following queries.
    Will it be possible to upgrade only one secondary server?
    Will the updated secondary ACS be able to sync its configuration with the primary ACS running an older version?
    Will the updated secondary ACS retain the current configuration and authenticate the client?

    Current version of ACS system is 5.1.0.44
    Primary ACS is also working as log collector.
    I have downloaded the patch 5.1.0.44.6.rar.rar, so I believe I should rename it to 5.1.0.44.6.tar.gpg.
    so if i want to upgrade my ACS system:
    I will have to do following steps:
    de-register secondary ACS from primary and take the backup of secondary ACS
    update the patch using repository.
    finally i will have to upgrade the primary ACS.
    I would like to know what is the difference between installing / updating  patch and  Upgrade the ADE-OS version which is shown as second step in cisco.com site.

  • What's the right procedure to upgrade from ACS 5.1 to 5.3

    Hi folks,
    What would be the right procedure to upgrade ACS 5.1 to 5.3 ?
    Our client needs a smooth upgrade to the latest and greatest 5.3 version. The plan is to use a backup made on 5.1 and install it on the new system.
    Should the new system be running version 5.1 or I can start with 5.2 to save time for the upgrade?
    Eugene

    The patch 2 installation went OK, failing on the restore part.
    The database file is 206 MB of size. Isn't it too much to pull over FTP?
    ACS53/admin# restore DB_Backup-120320-1607.tar.gpg repository REPO
    Restore requires a reboot to successfully complete. Continue? (yes/no) [yes] ?
    % Failure occurred during request
    And the FTP server doesn't report any error. The connection is made and closes:
    20:53:43 192.168.1.160 [8]USER boss 331 0
    20:53:43 192.168.1.160 [8]PASS - 230 0
    20:53:52 192.168.1.160 [8]sent /DB_Backup-120320-1607.tar.gpg 226 0
    20:53:52 192.168.1.160 [8]QUIT - 226 0
    Any ideas ?
