ACS VM version migration to ISE

Similar Messages

• Is there a trial version of cisco ISE

  Is there a trial version of cisco ISE? I need to upgrade my knowledge from ACS to ISE and I am finding it difficult to find source material.
  Thanks
  Mark

  Q. Does the Identity Services Engine include an evaluation license?
  A. Yes. The Identity Services Engine includes a free 90-day evaluation license that can support up to 100 devices. The evaluation license supports Identity Services Engine Base and Advanced software packages.
  Q. Why isn’t there an evaluation license that includes the Plus software package?
  A. We want to make sure that prospective customers have an opportunity to explore all the ISE capabilities during an evaluation period. Moreover, with Plus being a subset of Advanced, there is no need to have a different evaluation license.
  Obtaining a Cisco ISE License from Cisco.com

• ACS 2.4 migration to 3.x?

  Hello,
  Has anyone migrated from ACS 2.4 to 3.x? If not, how else can you one get data from that version into the next?
  thanks!

  If you can get hold of the intermediate install images such as 2.6, 3.0 etc all you'd need do is keep installing one over the other. In fact you could go 2.4 direct to 3.0 or even 3.1. Its around 3.2 or 3.3 that the installers starting getting picky about what they would upgrade from.
  Remember all the group/user config can be dumped with csutil and re-imported into newer versions - but that doesnt include ACS admin config and the network config database.

• ACS any Version with Domain Controller on Windows Server 2008 R2 64bit

  Hi All
  Is there currently any ACS version working with Windows Server 2008 R2 domain controllers?
  Our server stuff has recently upgraded the Domain Controllers to 2008r2 and turned off the 2003 servers. This didn't make our ACS 4.1.4 really happy.
  I've read now serveral posts regarding issues with ACS and Server 2008r2 and hope to find a solution (besides switching to LDAP, yukk).
  Thanks
  pato

  Hi AllIs there currently any ACS version working with Windows Server 2008 R2 domain controllers?Our
  server stuff has recently upgraded the Domain Controllers to 2008r2 and
  turned off the 2003 servers. This didn't make our ACS 4.1.4 really
  happy.I've read now serveral posts regarding issues with ACS and
  Server 2008r2 and hope to find a solution (besides switching to LDAP,
  yukk).Thankspato
  Hi Pato,
  Just check out the below link hope that help.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  As per the link it says The support for Windows Server 2008 is applicable for ACS 4.2 Patch 4 onwards.
  Hope to Help !!
  Remember to rate the helpful post
  Ganesh.H

• ACS 5.3 Migration Utility Failures

  I'm trying to run the migration utility to export from ACS 4.2.0(124) to an ACS 5.3 appliance, and am receiving the "
  Fatal Error !! - cannot connect to ACS 4.x DB !!" error when I run the utility on the migration machine.  The migration machine has ACS 4.2.0(124) installed and is a Windows 2008 Standard Server SP1 running as a VM.  I am logging into the server with VNC (*not* RDP) with a locally-defined administrator account.  I get these errors in migration.log when I run the utility and try to do an "analyze and export" function:
  07-26-2012 13:36:55 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
  07-26-2012 13:37:14 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL -  Fatal Error !! - cannot connect to ACS 4.x DB !!
  java.sql.SQLException: [Microsoft][ODBC Driver Manager] Data source name not found and no default driver specified
  at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection(Native Method)
  at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
  at java.sql.DriverManager.getConnection(Unknown Source)
  at java.sql.DriverManager.getConnection(Unknown Source)
  at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
  at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
  at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
  at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)
  Any ideas?

  Hi there,
  The migration utility doesn't work when running Windows 2008 or 64-bits machines. This is already documented:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn17779
  Let me know if it helps.

• How to find out date of an oracle version migration?

  Hey guys!
  somebody knows if and where I can find out at what date an Oracle database was patched (i.e. migrated from let's take Oracle 8i to 9i as example).
  In SYS.REGISTRY$HISTORY, I only find data from the latest CPU, nothing concerning the database version.
  Can you help me out?
  Regards,
  Thomas

  I found an temporary solution:
  In SYS.REGISTRY$HISTORY, upgrades from 9 to 10 are saved. So if you want to handle migration dates for this scenario, you're right in this view. Other scenarios aren't saved in this view.
  Maybe somebody can explain to me what version_time in V$DATABASE can be used for? Oracle Reference is pretty uninteresting concerning that.

• SQL Developer 2.1 version migration issue

  Hello Everyone,
  Since I was unable to find a similar topic on the forum, I'm posting now the problem I'm facing: I have downloaded release 2.1 for Windows 32 bit (without JDK) and I unzipped it in an empty 'sqldeveloper' folder on a Windows XP machine.
  Upon starting it up, there is no migration wizard popping up to allow me to import the existing settings from release 1.2.1 residing in a parallel folder 'sqldeveloper.1.2.1'. If it works, does it import anything more than connections?
  I tried to use the tools tab and explore various documentation sources (readme, help, forum, internet search) with no luck so far.
  I would guess there is something wrong in my deployment procedure since nobody else has complained of similar issues.
  Any hints or suggestions you may want to share would be greatly appreciated.
  Thank you,
  Dan

  The original poster mentioned that he was migrating from 1.2.1, a really old version. That version did/does not store user settings under "Application Data", but in "sqldeveloper/system" in its' own installation directory. Unfortunately, SQL Dev. 2.1 will (apparently) not let you import settings from anything prior to 1.5; at least I was not able to do it when I tried just now (I have all of my previous SQL Developer installations still on my hard drive). It looks to me like what he will have to do is first upgrade from 1.2.1 to 1.5.5 (which will allow him to import his old 1.2.1 settings), and then upgrade from 1.5.5 to 2.1.
  Ed. H.

• Porting ACS 4.2 rules to ISE

  I'm trying to move AAA services from an ACS 4.2 integrated to AD to an ISE3355 supporting remote access VPN on an ASA/AnyConnect and wireless (PEAP). The ISE3355 is AD integrated.
  With respect to Remote Access VPN using AAA on the ACS, I currently map various AD groups to ACS groups, and use the RADIUS IETF Class [025] attribute for the ACS group that associates an ACL name hardcoded in the ASA configuration to enforce the access policy.
  Is this a valid approach to porting policies from the ACS to the ISE?
  Or alternatively, must I define the ACLs on the ISE instead of using those already defined in the ASA configuration?
  I need to do a quick port, so any suggestions are appreciated.

  Thanks for your response Vattullu. My local Cisco account security-focused SE pointed me to this youtube video:
  http://www.youtube.com/watch?v=HcMf3q_lmYo
  This addressed the issue of authorization issue exactly the way I needed it.

• Cisco ACS 4.2 migration to ACS 5.4 advice

  Hello all, we are planning migrating off our ACS 4.2.0.124 ( non appliance ) to ACS 5.4. I'm looking for any advice or tips from anyone that has done the migration.
  Is the migration tool intrusive or can it be run at anytime?
  I thought about not using the migration tool and do a new install however we have a few hundred MAC address entered for a Mac authenticated SSID as well as about a 100 switches and routers for TACACS.
  We have about a half dozen WIreless Controllers that use AAA with a mix of SSID's that are doing WPA2 with Mac authentication, LEAP, and, PEAP. We also use TACACS for routers and switches and AAA for anyconnect users.
  Any advice on the migration process would be appreciated.
  Thanks,
  Dan

  Actually I managed to copy/paste from the ACS4.2 to the CSV file. The passwords will not be imported though so you have to reset the password for all users and let them change it.
  If I were you I would have use the import utility to migrate users to keep the password then I will update the information of users (including group membership) via update template CSV file.
  The migration I used before included few users that I could create on the spot and ask them to reset the password.  Most of the data were MAC addresses for MAC auth and IP addresses for TACACS+ AAA clients (switches, routers...etc).
  If you have too many users then the migration tool is your friend to get them imported without having to reset the password.
  It is also important that you read the migration guide before you use the utility. You'll find valuable information about what will be imported and how. What data will be maintained and what will not.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"

• Problem in installing ACS trial version

  Hi,
  I am having problem in installing ACS 4.1 trial version. On invoking the progem after installation completion, I get the web page "CiscoSecure ACS Trial 127.0.0.1:2002" opened.
  Appreciate your advise, why I am getting this web page and how to fix it.
  Thanks
  Any

  You need to add the site 127.0.0.1 (or localhost) to the trusted sites list in IE then when you open the link you will get the ACS welcome page. (Make sure you install the Java runtime as well).

• How many concurrent connections that an ACS server version 4.2 latest patch can handle?

  I have about 50 routers and layer-3 switches that autheticate via tacacs+.  The AAA server used to be on a Linux machine running open-source tacacs+ built by me.  I have a perl script that will log into all 50 devices at the same time to collect statistics.  This script is multi-threaded.  Everything is working fine so far.
  I recently out-sourced the AAA function to a 3rd party company, not by my choice.  The 3rd party uses Cisco ACS version 4.2 with the latest patch running on Windows 2003 Enterprise Server with 16GB RAM and quad processors with quad-cores, IBM x3650-M2 hardware. The connectivity between the 3rd party and my company is through a DS-3 connection.  Maximum bandwidth over this DS-3 connection is less than 10Mbps at most.
  I noticed that for the past 3 months I have multiple failures with this perl script due to authentication failure with the ACS server.  If I just run the script again a few routers/switches, there are no issues; however, whenever I started the script to log into 50 devices all at the same time, it will fail.  If I made the configuration on all routers/switches to point back to the old open-source tacacs+ server, the issue goes away.  The minute I switched back to the
  new ACS server, the issue came back.  If I modified the script to hit one device at a time, it works fine.  I think it is the ACS server can not handle a lot
  of AAA requests at the same time.
  Does anyone know how many concurrent connections that an ACS 4.2, with latest patches on Windows 2003 Enterprise Server with lot of memory and CPU power, can handle?  I can't seem to find this anywhere on Cisco website.
  Thanks in advance.

  No, Im not saying ACS cannot cope.
  Concurrency and latency are very different things. ACS CSTacacs can handle many 100s of simple authentications/authorisations per second with users in the internal database. If 1000s of devices all send traffic in the same instant it would take some seconds to work through the backlog of traffic.
  Also, worth considering that a limited number of tasks within ACS (or threads) can actually handle a much greater number of "logins" because they are generally multi-message allowing ACS to keep lots of plates spinning.
  If users are in an external databases the latency (per authentication) can increase depending on where the users are (eg Windows AD) and if bad enough can have a serious effect on the overall authentication rate. At which point customers normally turn to load balancing.
  If your device timeouts are 20 seconds (totally reasonable) I suggest the issue is more likely to be something else... a bug, perhaps specific to v4.2?

• EPM 11.1.2 Version Migration.....

  Hi,
  I installed 11.1.1.3 on Red Hat Enterprise Linux 5 with SQL database of version 2008 ,Manual deployment of Web Sphere 6.1 version.And external directory(Microsoft Active Directory) has been configured well but the issue here is I am unable to refresh From EAS Console which is throwing the below error:
  *Error: 1051502: Essbase failed to get roles list for [ESB:Analytic Servers:1] from Shared Services Server with Error [32:1062:Failed to connect to the user directory [msadServer].]*
  I came to know that if we can install the patch 11.1.1.3.06 this might be resolved.
  If so please suggest on the same.
  Can anyone suggest on the below Web Application Server combinations with Essbase Versions of 11.1.1.3 and 11.1.2.Is it possible?
  1) Install 11.1.1.3 (Manual deployment of Web Sphere application Server)and then go for patch11.1.1.3.06 ?
  2)Install 11.1.1.3.06 (With Web SPhere application Server)and then move to 11.1.2.1(Pack release with Web Sphere)?
  3)Install 11.1.2 (WIth Web Logic ) and then move to 11.1.2.1 patch (With Web sphere)?
  Thanks!
  Edited by: user8848866 on Dec 6, 2010 1:06 PM
  Edited by: user8848866 on Dec 6, 2010 1:08 PM

  11.1.2 don't support upgrades from previous version

• Version migration, shared ssl, session variables

  I'm migrating a shopping cart application from Cold Fusion
  4.5 to a new server running MX 7, and have run into a weird problem
  transferring session variables.
  Basically, there's two sites running on one physical server.
  The catalog, and then the shared ssl checkout pages. I'll call them
  catalog.com and sharedssl.com.
  Under 4.5, if I passed CFID & CFTOKEN in a link from
  identically named applications on catalog.com to sharedssl.com, the
  session and all its associated variables would transition
  seamlessly forward. Under MX, this is no longer happening. The
  *very first page* on sharedssl.com (the one that was directly
  passed CFID & CFTOKEN) will have access to those variables, but
  any subsequent pages on sharedssl.com will just throw errors.
  Looking at the debugging info, it's obvious that under MX a
  new CFID and CFTOKEN are being assigned when the user goes to
  sharedssl.com, regardless of the session id that was passed on; as
  soon as the "old" CFID & CFTOKEN aren't being explicitly
  mentioned, the "new" ones take over, resulting in a completely
  blank session.
  Has anyone else experienced anything similar? Is there a
  simple fix?
  I have some ideas on how to make this work, but I'd really
  like to keep this projection a "migration," and not, ie., a
  "rewrite." I guess I'm wondering whether there's a configuration
  checkbox I'm unaware of, or perhaps some arcane option in
  cfapplication that will restore the old behavior.
  Thanks for any help,
  Tim

  On which page is the following code?
  After login, user is validated and set values to those session.variables:
  ........user validation codes here......................
  <cfif mylogin NEQ true>
        <cflocation url="/login/login.cfm">
        <cfabort
  <cfelse>
        <cfset session.loggedin="Yes">
        <cfset session.username="#Trim(Form.username)#">
       <CFSET qUserRights = LoginObj.getUserRights('#Trim(Form.username)#')>
       <cfset session.userrights = qUserRights><!--- it's a query --->
      <CFSET qUserGroup = LoginObj.getUserGroup('#Trim(Form.username)#')>
          <cfloop query="qUserGroup">
             <cfset session.usergroup = user_group>
             <cfbreak>
          </cfloop>
      <!--- ****************** ???????????????????????????????????????????????????????????????????????????
      When I do cfdump in at this level, I can see that all of these session variables have been assigned to their values.
      But these session variables are not accessible from other pages. Other pages still show these session variable without its value.
      So, when I use these cfdumps in the index.cfm it is shown as they're not yet assigned with any values   ****************** --->
     <cfdump var="#session.loggedin#">
     <cfdump var="#session.username#">
     <cfdump var="#session.userright#">
     <cfdump var="#session.usergroup#">
  </cfif>

• ACS-1120 version 5.2

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin:0cm;
  mso-para-margin-bottom:.0001pt;
  mso-pagination:widow-orphan;
  font-size:10.0pt;
  font-family:"Times New Roman","serif";}
  Hi,
  i have 4 X ACS-1120. Each 2 are operating as an Primary and backup. I want to add a license in order for the ACS to support more than 500 networks which includes in the base license.
  As I understand this is the license required : L-CSACS-5-LRG-LIC=
  Is this license applicable to ACS-1120 appliance with ver 5.2 ? – I understand that it is.
  for my scenario, do I need to purchase total of 2 X L-CSACS-5-LRG-LIC= (one for each environment, one license will serve 2 X ACS in Primary and Backup) or I need to purchase 4 licenses each for each ACS ? – I understand that one license will serve deployment of two ACS in primary and active scenario.
  Appreciate your help,

  Please post in the correct forum:
  https://supportforums.cisco.com/community/netpro/security/aaa

• Cat 2940 ACS problem Version 12.1(22)EA6

  I have 2 2940 Version 12.1(22)EA6 that after i put int the tacs+ commands it will not let me back into the switch from anywhere. When I try to login in it tells me that the password is wrong, when i know it is correct.

  Hi
  Can you paste the relevant TACACS+ config commands taken from your switch here ?
  Also are you seeing any kinda logs in your syslog server or in ur switch related to the access attempts ?
  regds