Cisco ACS upgrade

Similar Messages

• Cisco ACS Engine appliance 1120 software upgrade

  I want to upgrade my Cisco ACS Engine appliance 1120 from software version 3.3 to the latest version (5.x). How do I go about this? Someone should help please.

  It is highly suspicious that you would have a 1120 appliance that is running 3.3
  ACS 3.3 was with the ACS solution engine 1111, 1112 and 1113.
  ACS 5 requires the appliance 1120/1121 so it requires an appliance change. I'm puzzled about how you could be running 3.3 for 1120 since there is no installation DVD for that.
  As a general thing, one has to follow the ACS 5 migration guide on cisco.com that explains the process quite well. You need to go to acs 4.1/4.2 to migrate to 5.
  http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/migrate.html
  Nicolas

• ACS upgrade on windows

  Hi,
  I have ACS 4.1 installed on my windows servers, i want upgrade it to ACS 4.2.0.124
  Can i download the this version from cisco and upgrade?
  i would like to know the procedure to upgrade
  Please help
  Thanks
  Ravi

  Create a TAC case and request Special File Access. If you are entitled they will post the files and send you an email with the URL where you can download the new software. Then simply follow the documented upgrade instructions.

• Cisco ACS / Trend Micro Office / Cisco Trust Agent

  We currently utilize Cisco ACS Server and Trend Micro OfficeScan and would like to deploy Cisco Trust Agent 2.0 on a few laptops.  Has anyone been involved with such a deployment?  If so, any suggestions, documentation, suggestions?
  Thanks,

  CTR uses the admin shares to connect to a windows server.
  Depending on how you configured it: It will try a nmap fingerprint scan, use static OS mappings or perform a level 2 scan by using the admin shares.
  If you are using it through firewalls, the fingerprinting does not work properly.
  You will also notice that since version 2.0.3 there hasn't been any new agents developed for it. Also 2.0.5 started to upgrade all port scans etc whereas before it didn't.
  I would look to speaking to your cisco account team about the next version of Cisco IPS instead.

• Cisco ACS 5.4.0.46.6 - Cannot join to domain

  I am not able to join Cisco ACS to domain.  I get the error "wrong domain".  Nslookup resolves the domain correctly.  ACS troubleshoot adcheck shows the below error
  ADGC     : Check Global Catalog servers
                 : There is no GC in site "INGUA"
                 : It is recommended that a GC exist in each site.
  Checked with AD team and they confirm that GC does exist at this site. It is a Windows 2008 R2.  I am able to telnet to the required ports from the ACS console.  Tried applying the latest patch.  Tried re-imaging the ACS server.  Still the issue remains.  Any help appreciated.
  Cisco Application Deployment Engine OS Release: 2.0
  ADE-OS Build Version: 2.0.3.063
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2011 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: ZINGUA6001
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.4.0.46.6
  Internal Build ID : B.221
  Patches :
  5-4-0-46-6

  Hi Minakshi,
  I perform the update before your post and I test without deregister all server.
  So far, all was good.
  I had no issue and the update tooks me very less time without following the full UPGRADE procedure.
  The command had also a rollback for the update, so I take the risk.
  This is certainly not the case for upgrade but update seems to easier.
  Kind regards.
  Steve

• Cisco ACS 4.2(1) Certificate problem

  Hi guys,
  I am trying to upgrade the OS from w2k3 to w2k8 STD 32bits.
  I am using Cisco ACS v. 4.2.(1) path level 15 on this OS.
  When i try to activate de EAP-MSCHAPv2 after creating certificates (self sign or using external CA), the follwing problem is registered in windows APP log:
  Faulting application CSAuth.exe, version 0.0.0.0, time stamp 0x4e845055, faulting module CRYPT32.dll, version 6.0.6002.18005, time stamp 0x49e03824, exception code 0xc0000005, fault offset 0x00039f0e, process id 0x10e4, application start time 0x01cca543d1586766.
  What could be the problem here? the version of that DLL is different from w2k3 but ACS 4.2(1) release notes are clear when using w2k8 32Bits with no problems.
  best regards,
  NC

  Anyone?
  I think this maybe some Bug but i am not so sure about that.
  regards,
  NC

• Cisco ACS version 4.2 patch update

  Dear All,
  I am using cisco ACS version 4.2 (0) Build 124 and i would like to upgrade it with latest patch .Can anyone provide me the step by step procedure for the upgrade through serial console or through GUI.
  It would be also appreciate if if you could provide me the exact link / patch for 4.2(0) release.
  Regards..

  Ciscoworks can use various mechanisms to discover the devices on your network.
  The network administrator can discover the devices using different protocols, such as Cisco Discovery Protocol, BGP, OSPF, Address Resolution Protocol (ARP), HSRP, cluster, routing table, and ping sweep on IP range, that are activated at different layers of the Open Systems Interconnection (OSI) model in the device.
  It has a benefit when the devices on the network will not be better responsive to any other modules of Discovery.
  Usually other module learn IP of the neigbour device with their data, like asking CDP neighbour details or OSPF Table. Whereas in Ping Sweep LMS will simply continue to check devices based on the IP Range.
  Example, if you selected Ping Sweep On IP Range, you can specify the seed device as 10.77.209.209 and the subnet mask as 255.255.255.240. Entering a smaller subnet mask value may result in a longer discovery cycle, as discovery has to sweep IP addresses from more networks. It is recommended to enter a Class C mask instead of a Class A or B mask.
  So using Ping Sweep helps you find your devices faster of it is failry simple network with simple range of IP's on devices, may be on a single subnet.
  More details on How Ping Sweep Algorithm Works technically behind, in LMS, is available here:
  https://supportforums.cisco.com/docs/DOC-9005#Ping_Sweep_On_IP_Range
  This document describes, in depth about all modules used in LMS Device Discovery.
  Hope it will be helpful to understand.
  -Thanks
  Vinod
  **Rating Encourages contributors, and its really free. **

• CSM and ACS upgrade

  1.       Cisco ACS /Solution Engine I think, the dedicated appliance, unknown version)
  2.       Cisco Security Manager 3.1
  Are upgrades possible, or purchase of lastest version of the product is the only way out?
  What do we need for upgrading?
  Are there specific codes or new need to buy new products?
  In case of buying new products, which are the configurations?
  Your response will be appreciated.

  The ACS appliance has been released with at least three different major releases - 3.x, 4.x, and 5.x. If you have ACS 4.2 on an 1120 appliance, you can upgrade to the latest (5.3) on the same hardware. Anything else will require a new appliance (or use a VM solution).
  Please refer to the ordering guide and the migration guide for this information.
  For CSM, to upgrade you would need to go to 3.3. first and then to the current (4.2) CSM release. The necessary licenses are described in this product bulletin.
  It would probably be easier and cleaner to just build a new installation in both cases. Both products' architecture and db schema have changed significantly. The upgrade SKUs will probably save you some in licensing costs although both products have undergone changes in how they are licensed.
  Note that CSM will be coming out with a new version 4.3 later this spring.

• Cisco acs "manifest file not found" help

  srvacs01/admin# application upgrade ACS_5.5.0.46.tar.gz WCS
  Do you want to save the current configuration ? (yes/no) [yes] ? no
  6 [27522]: transfer: cars_xfer.c[54] [admin]: ftp copy in of ACS_5.5.0.46.tar.gz requested
  7 [27522]: transfer: cars_xfer_util.c[89] [admin]: ftp get source - ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[90] [admin]: ftp get destination - /storeddata/Installing/.1413207431/ACS_5.5.0.46.tar.gz
  7 [27522]: transfer: cars_xfer_util.c[109] [admin]: initializing curl
  7 [27522]: transfer: cars_xfer_util.c[122] [admin]: full url is ftp://10.222.15.196/acs5/ACS_5.5.0.46.tar.gz
  % Manifest file not found in the bundle
  srvacs01/admin#
  Cisco Application Deployment Engine OS Release: 1.2
  ADE-OS Build Version: 1.2.0.228
  ADE-OS System Architecture: i386
  Copyright (c) 2005-2009 by Cisco Systems, Inc.
  All rights reserved.
  Hostname: srvacs01
  Version information of installed applications
  Cisco ACS VERSION INFORMATION
  Version : 5.3.0.40.40
  Internal Build ID : B.839
  Patches :
  5-3-0-40-7
  5-3-0-40-9
  Pointed-PreUpgrade-CSCum04132-5-3-0-40

  Problem: "Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle" on ACS appliance during appliance upgrade
  The Error: Saved the running configuration to startup successfully % Manifest file not found in the bundle error appears when an attempt is made to upgrade ACS Express
  Solution
  Complete these steps in order to upgrade the ACS appliance without any issue:
  Download patch 9 (5-0-0-21-9.tar.gpg) and ADE-OS (ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg ) from: Cisco.com > support > download software > Security > Cisco Secure Access Control System 5.0 > Secure Access Control System Software > 5.0.0.21
  After you install the two files, install the ACS 5.1 upgrade ACS_5.1.0.44.tar.gz. This is available from the same path from previous step.
  Use this command in order to install the upgrade:
  application upgrade <application-bundle> remote-repository-name
  This completes the upgrade procedure.
  Refer to Upgrading an ACS Server from 5.0 to 5.1 for more information on how to upgrade the ACS appliance.
  please refer the upgrading acs server 5.4 to 5.5, for complete process.

• Cisco ACS 4.2 Solutions Engine replacement advice

  Hi everyone,
  I am hoping to get some advice on an upcoming upgrade.  We currently have a Cisco ACS 4.2 Solutions Engine.  (That's the physical appliance).  It is coming to end of support and we are looking to replace.  Here is what we use it for today:
  1. TACACS+ AAA for all routers and switches.  Gives us great reporting.
  2. PEAP Authentication for our wireless network off of a 5508 Wireless Controller.
  3. Machine Access Restrictions for our Wireless network.  (Basically Machine Authentication)
  I believe that is all we use it for today.  That said, hoping to get some of your opinions on a replacement.
  Any advice or opinions are greatly appreciated.
  Thanks,
  Josh

  Hi Josh,
    To add up to the above post, You will have to undergo the migration process from going to ACS 4.2 to ACS 5.4.
  Here is the migration guide:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/migration/guide/Migration_support.html
  Regards
  Minakshi
  (Do rate the helpful posts )

• Cisco ACS Server

  Hi
  I have at present a Cisco ACS server 3.3. I want to upgrade the server to latest version and also cluster it with another one so that we could have a redundant infrastructure as if one fails the other one takes over ..
  CAn you provide a suitable solution for this ?
  Thanks

  Hi,
  The Latest version is ACS 4.1. You can upgrade from 3.3.3 build 11 directly to 4.1.
  Then you can install another ACS 4.1 on different machine and setup replication between these two. This way you will have to make changes only on one ACS and the secondary will automatically get updated.
  Once these two are set, you can define both of these server as Radius/Tacacs server on the devices and there would be a redundancy.
  Regards,
  Vivek

• CIsco ACS 90 Days Trial

  Hello,
  I've been looking for the 90 day trial version of the Cisco ACS on Cisco.com. I've been able to find the trial for ACS 3.0 however is there a newer version above 4.0 for Windows available for download. All I could find is patches and upgrades however there is no full software available for download.
  Regards,
  Imran.

  Hi Imran,
  If you would like to have full software download for ACS windows, then please open up TAC case and we will publish files for you as only patches are available on cisco website.
  Thanks,
  Shilpa

• Configuring Cisco ACS 5.1 with Juniper Netscreen Firewall wit Radius & Tacacs+

  Hello,
  Can anybody tell me the step-by-step configuration of Cisco ACS 5.1, to configured it with Juniper Netscreen Firewall for radius & tacacs+ authentication and authorization?
  I am able to configure this with Cisco ACS 4.2 with customise VSA file but can't understand how to configure it on ACS 5.1.
  Thanks in Advance.

  Hi Eduardo,
  Can you tell me how to map ACS 4.2?
  service=junos-exec
  local-user-name=Engineering
  Into the new "shell profiles" on ACS 5.2? How do I verify these attributes are passed onto ACS 5.2? I don't have access to a sniffer or tap nor do I have writes on this box. I have to instruct our systems folks to investigate. It has been a back and forth battle.
  Also, I'd like to see where I'd map this on ACS 5.2.  Keep in mind in both cases I have a JUNOS config mapping to a login user Engineer and operations respectively.
  local-user-name=opertions
  allow-commands=((^ping *)|(^mtrace *)|(^traceroute *)|(^monitor *))
  deny-commands= ((^start *)|(^file delete *)|(^file rename *)|(^request *)|(^set cli restart-on-upgrade *)|(^set cli prompt *)|(^set chassis *)|(^set date *)|(^test *)|(^clear *)|(^op *))

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• VPN client and Cisco ACS

  hi,
  I'm trying to setup a VPN solution, connecting to a 800 series router and authenticating off a Cisco ACS tacacs server.
  I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
  Debugging tacacs on the router i can see the requests being sent to the server, and the replies coming back - the login detail are definitely correct so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
  Any ideas?

  here is some debug from the router:
  Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
  Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
  Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
  Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
  Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
  Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
  Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
  Feb 24 12:28:58.989 UTC: T+: user: vpntest
  Feb 24 12:28:58.989 UTC: T+: port:
  Feb 24 12:28:58.989 UTC: T+: rem_addr:
  Feb 24 12:28:58.989 UTC: T+: data:
  Feb 24 12:28:58.989 UTC: T+: End Packet
  Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
  Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
  Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
  Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
  Feb 24 12:28:59.009 UTC: T+: msg: Password:
  Feb 24 12:28:59.009 UTC: T+: data:
  Feb 24 12:28:59.009 UTC: T+: End Packet
  s9990-cr#
  Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
  Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
  "AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
  In the VPN Client log it say "User does not provide any authentication data"
  So to summarise:
  -Same ACS server\router\username combination works fine for telnet access.
  -VPN works fine with local authentication.
  -No login failures showing in the ACS logs.