Upgradition ACS 4.2.0.124.16 on appliance 1113 to ACS 4.2.1.15 and then to patch 8(Latest)

Similar Messages

• ACS 4.2.0.124 Appliance with Active Directory with windows 2008

  we have a solutions of 802.1x with Cisco ACS appliance wich is working fine, the soluction include two ACS appliance version 4.2.0.124, 02 remote Agent wich is setting up on windows 2003. The remote agent is integrated with Active Directory windows 2003. The computers have windows XP with service pack 2 and service pack 3, all computers do machine authentication and then user authentication. My customer in thinking in migrate the Active Directory windows 2003 to windows 2008. My question is ¿there wil be some problem with Active Directory 2008 with the current soluctión of ACS and 802.1x solution ? or I will have to do aditional task.     
  Marco

  Hi,
  You can find the suported Windows Server versions on the online documentation:
  ACS 4.2: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html#wp1041376.
  ACS 4.2.1: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Installation_Guide/windows/install.html#wp1041376.
  So, i would suggest you to double-check carefuly the Release and Service Pack of the new 2008 Servers and also the OS bit version to make sure you migrate to Win2008 but continue on a supported scenario.
  HTH,
  Tiago
  If   this helps you and/or answers your question please mark the question  as  "answered" and/or rate it, so other users can easily find it.

• Patch 9 ACS-4.2.0.124-9-SW install error and upgrade advice to 4.2.1

  Hi,
  I have two Windows ACS's which I need to replicate between each other - this happened in the past (when both at the same lower patch level)  , but the original Primary one of the pair one has had to be down graded to it's original level due to install errors. Both are now independant ACS's
  To sort out the lack of replication we need to patch the planned PR box from 4.2 (0) Build 124 to the same level as the planned DR which is at 4.2 (1) Build 15 Patch 4.
  We've tried installing Patch ACS-4.2.0.124-9-SW on the 4.2 (0) Build 124 as we were informed (some time ago) that it is required before running the ACS-4.2.1.15.4-SW.exe patch.
  The patch installed, but when we ran CSUpdate as per the instructions in Acs-4_2_0_124_9-SW-Readme.txt , we tried both the -install option and the -upgrade switch and got a [1] [169]:SL:loadHosts - execution failed Can not load HostDB error. (See screen shot)
  After this the ACS services  (in Windows Services ) wouldn't start, even after a server reboot.
  Should we leave this patch 9 and install cumlative patch 17 instead and then run ACS-4.2.1.15.4-SW.exe patch ?
  The read me notes for cumlative patch 4.2.1.15.4.17 looks like it might require Patch 9 as it only lists bug fixes from Patch 10 upwords (although it mentions a refix for 9 right at the bottom of the page).
  Thanks

  You may upgrade directly to patch 17, this one doesn't ask to apply csupdate.exe before the cumulative patch.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• ACS 4.2.0.124.4 patch, cant upgrade

  upgrade from 4.2.0.124 to latest cumulative patch:
  csupdate.exe is not a valid win32 application

  Hi Sobolev,
  Before upgrading to patch 4, stop all the ACS services.
  Extract zip file in ACS_INSTALL_DIR to replace with the new files.
  Then Navigate to ACS_INSTALL_DIR\bin\ from command prompt and execute CSUpdate.exe -upgrade "ACS_INSTALL_DIR\CSDB\upgrade.dat".
  [ Eg: C:\Program Files\Ciscosecure Acs v4.2\bin>CSUpdate.exe -upgrade "C:\Program Files\Ciscosecure Acs
  v4.2\CSDB\upgrade.dat" ]
  Note: Put the path in double quotes ("") if there are any spaces in the path name
  Still if you face any problem, please revert back.
  Thanks,
  Kasthuri

• ACS Appliance 1113 with v4.2

  I have ACS appliance 1113 with v4.2 software. How do I tight this into Active directory? Do I have to run some software on the DC server?
  Thanks,

  You need to install remote agent on member server. The software will facilitate communication between acs and AD.
  Here is the link,
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/remote_agent/rawi.html
  Regards,
  ~JG
  Do rate helpful posts

• CSM 4.0.1 is removing ACS Server password and then cannot add a new

  Hi,
  We just wanted to use CSM 4.0.1 to change ACS Server keyword on a FWSM 3.2(5) but in the transcript I see how he removes the key and then the next statement is to add a 127.0.0.1 ACS Server that I have never defined and that failes because the connection is lost.
  Can CSM be used to change the ACS keyword and not loose the connection before changing it? The product allows such a change and does not stop albeit it should now that this is unsuccessful.
  Here is the transcript!
  Line# 2. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no snmp-server host fwsm-admin-context xxxx poll community comm1
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 3. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central (fwsm-admin-context) host xxxx
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 4. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010):  no key oldkey
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 5. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): exit
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 6. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging host fwsm-admin-context xxxx
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 7. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh timeout 30
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 8. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): ssh version 2
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 9. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffer-size 1048576
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 10. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): no logging debug-trace
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 11. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging trap informational
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 12. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging asdm debugging
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 13. (SUCCESS) Sent (Thu Dec 16 16:22:13 CET 2010): logging buffered debugging
  Received (Thu Dec 16 16:22:14 CET 2010):
  Line# 14. (ERROR) Sent (Thu Dec 16 16:22:13 CET 2010): aaa-server aaa-central host 127.0.0.1
  Received (Thu Dec 16 16:22:14 CET 2010): ERROR: Interface "(inside)" does not exist. Please specify a valid interface name for this server
  ! COMMENT: Device reported error here and stopped accepting further commands
  ! COMMENT: BULK END
  Line# 15. (ERROR) Sent (Thu Dec 16 16:22:14 CET 2010): https://xxxx/config?context=admin Received (Thu Dec 16 16:22:14 CET 2010): 24300 : Login failed
  Caused by: Authentication failed on device [193.47.16.28]. Check the credentials.
  Error: Server returned HTTP response code: 401 for URL: https://xxxx/config?context=admin
  I think there are multiple problems, first it removes the key but does not add one and then it wants to add 127.0.0.1 to it and does not use an interface?

  I would say that it it the interface problem but not that it had no interface but it had another interface.
  The whole interface story is somewhat stupefying for me.
  What I wanted to do is to use a single AAA Server definition for all my contexts on a FWSM, due to multiple imports in the beginning I ended up having 40 or so in the objects.
  Each interface that we have on a context has a different name and it looks like CSM has a problem with this. We have tried to use interface with wildcards, but you cannot specify something like *context* or *vlan*. For us *context* is inside and *vlan* is outside.
  This verification of the AAA Server should be done before trying to deploy and then not having access. Luckily all our contexts had their own AAA connection setup, so I could make changes. Because we have not used the local use for more than 3 years and had 3 weeks to search it. We almost rebooted the FWSM this Sunday (using a maintenance window) but found the password last thursday.

• Ask the Expert: Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features)

  With Namit Agarwal and Rahul Govindan 
  Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn and ask questions about Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features) with experts Namit Agarwal and Rahul Govindan.
  This is a continuation of the live webcast.
  Cisco ASA CX (Context-Aware) is a next generation firewall service that serves as an extension to the Cisco Adaptive Security Appliance (ASA) firewall platform. In addition to the proven stateful inspection firewall capabilities, it provides us with next-generation capabilities and a host of additional network-based security controls for end-to-end network intelligence and streamlined security operations.
  Namit Agarwal is a customer support engineer at the Cisco Technical Assistance Center in Bangalore, India. He has more than four years of experience in the security domain. His areas of expertise include ASA firewalls, IPS, and ASA content-aware security (ASA CX). He has been involved in various escalation requests from around the world. He holds CCIE certification (number 33795) in security.   
  Rahul Govindan has been an engineer with the Security Technical Assistance Center team in Bangalore for more than three years. He works on security technologies such as VPN; Cisco ASA firewalls; and authentication, authorization, and accounting. His particular expertise is in Secure Sockets Layer VPN and IP security VPN technologies. He holds CCIE certification (number 29948) in security.
  Remember to use the rating system to let Namit and Govindan know if you have received an adequate response. 
  Because of the volume expected during this event, Namit and Govindan might not be able to answer every question. Remember that you can continue the conversation in the Security community, subcommunity VPN shortly after the event. This event lasts through November 1, 2013. Visit this forum often to view responses to your questions and the questions of other Cisco Support Community members.
  Webcast related links:
  Slides from the live webcast
  Video Recording of the live webcast
  Introduction to Cisco Adaptive Security Appliance (ASA) version 9.x (Context Aware Security and VPN Features): FAQ from live webcast

  Hello Namit and Rahul,
  Here are few questions that came in directly during your live webcast hence posting them here so that users can benifit:
  1)      How is ASA CX different from other UTM solutions ?
  2)      How is dynamic application inspection of CX better than other inspection engines  ?
  3)      What features or functionalities on the CX are available by default ?
  4)      what are the different ways we can run or install CX on the ASA platform ?
  5)      What VPN features are supported with multi context ASA in the 9.x release ?
  6)      What are the IPv6 Enhancements in the ASA version 9.x ?
  Request you to please provide your responses to them individually.
  Thanks.

• My iPod 5 has recently updated to iOS 7.0.3. I have noticed something where my internet willonly work for about 2-3 minutes and then stop working. It is not our internet, because all of our other appliances work completely fine. Any help?

  My iPod 5 has recently updated to iOS 7.0.3. I have noticed something where my internet will only work for about 2-3 minutes and then stop working. It is not our internet, because all of our other appliances work completely fine. Any help?

  I did not mean to click the "this solved my question button by the way.
  I have tried most of this, except for a couople of things i currently cannot due. The apps that are acting up the most are YouTube an Vine. Facebook and Safari work fine.

• Can Appliance 1113/1120 running ACS 4.1 replicate to ACS for Windows 4.2.1.15.2

  Anyone tested/tried to replication from ACS 4.1 (running on Appliance) to ACS for Windows 4.2(1)?

  Hi ,
  For replication to work between the two acs they should be on same version and patch level.
  Thanks
  Waris Hussain.

• Installing ACS 4.2 on an 1112 appliance

  I have a 1112 applicance and I would like to install ACS 4.2.  It has an older version of ACS on it and I really don't care if it gets destroyed.  I am looking for what would be the best/easiest way to install ACS 4.2 and blow the other install of ACS way.  Any assistance would help.
  -Dustin

  You will need to use the ACS 4.2 recovery CD's to install that version on your 1112 appliance.

• Configuring AAA network client on ACS v5.1 using the same RADIUS atributes from ACS v3.3

  Hello,
  I was wondering if i should use the same RADIUS VSA attribute on ACS v5.1 to authenticate AAA clients as those i was using on my old     ACS v3.3 server.
  Exemple : under ACS v3.3 i was using RADIUS (Cisco Aironet) attribute to authenticate AP & WLC, should i do the same under ACS v5.1 ?
  Best regards.

  Hello,
  When defining AAA client on the new ACS 5.x server you just select TACACS+ or RADIUS. We no longer define the RADIUS "vendor"/"VSA" when creating the AAA Client entry. All AAA client would be defined as RADIUS or TACACS+ only.
  If you were using specific VSA Attributes then you need to send those attributes back configuring Authorization Profiles on the ACS 5.x. You will find the specific VSA attributes there. Refer to the following screenshots:
  And here are the available attributes for the ACS for RADIUS Aironet:

• Location Appliance 2700 - is it supported with v7 WCS and WLC?

  The compatibility matrix shows no support for a Location Appliance 2700 for any version 7.0.x.x for WCS and WLC. However, I did see a thread here where a v6.0.x.0 had compatibility. v6.0.202.0 is MD. Is it compatible with v7 WCS and WLC?
  Can any of the experts please comment? Thank you.

  Hi,
  here is the link that will answer ur question!!
  http://www.cisco.com/en/US/docs/wireless/controller/4400/tech_notes/Wireless_Software_Compatibility_Matrix.html#wp78062
  Please dont forget to rate the usefull posts!!
  Regards
  Surendra

• ACS Appliance Upgrade path

  I am seeing patches and CSUpdate files with the same release date. My current version is Acs-4.2.0.124.9-CSUpdate fix Base image 4.2.0.107, Appliance Management Software 4.2.0.124,
  Question is which patch do I apply, the Cumulative, the CSUpdate, or both. Do I need to apply them one after the other, or is the .12 patch a rollup that includes the fixes in the previous versions, 10 and 11.
  One other thing, other than physically going to the colo and reading it off the server itself, where can I find the serial number of the unit.

  Appliance serial number cannot be viewed via GUI or serial.
  For upgrading ACS always apply most recent patch available and it covers all fix till date.
  First apply csupdate and then apply patch.
  Please post ACS related under head AAA.
  Regards,
  ~JG
  Do rate helpful posts

• Acs 4.2.1.15 appliance with vendor Huawei

  Hello,
  we have a new acs appliance (1113) with version 4.2.1.15 and we have successfully imported the codes for the new vendor Huawei.
  In the webgui of the appliance you can choose the different administration levels for users and groups.
  unfortunately we have the problem that RADIUS requests from any Huawei device will not arrive at the acs appliance. we do not see any entry in the logfiles.
  has anybody experiencies with the vendor Huawei and RADIUS request ?
  best regards
  Torsten Waibel
  P.S.: funnily enough we have no problem with our old acs server (1112) and version 4.0

  Hello,we have a new acs appliance (1113) with version 4.2.1.15 and we have successfully imported the codes for the new vendor Huawei.In the webgui of the appliance you can choose the different administration levels for users and groups.unfortunately
  we have the problem that RADIUS requests from any Huawei device will
  not arrive at the acs appliance. we do not see any entry in the
  logfiles.has anybody experiencies with the vendor Huawei and RADIUS request ?best regardsTorsten WaibelP.S.: funnily enough we have no problem with our old acs server (1112) and version 4.0
  Hi,
  If you have sucessfully imported the VSA in ACS and there is no log coming in ACS log file then need to do some troubleshooting you need to span the port of huawei port and acs port check that when ever you login into huawei devices at that any request goes to ACS or not and any log messages in huawei devices regarding the aaa packets that will give some view to troubleshoot the problem.
  Hope to Help !!
  Ganesh.H

• Cisco ACS 4.2 migration to ACS 5.4 advice

  Hello all, we are planning migrating off our ACS 4.2.0.124 ( non appliance ) to ACS 5.4. I'm looking for any advice or tips from anyone that has done the migration.
  Is the migration tool intrusive or can it be run at anytime?
  I thought about not using the migration tool and do a new install however we have a few hundred MAC address entered for a Mac authenticated SSID as well as about a 100 switches and routers for TACACS.
  We have about a half dozen WIreless Controllers that use AAA with a mix of SSID's that are doing WPA2 with Mac authentication, LEAP, and, PEAP. We also use TACACS for routers and switches and AAA for anyconnect users.
  Any advice on the migration process would be appreciated.
  Thanks,
  Dan

  Actually I managed to copy/paste from the ACS4.2 to the CSV file. The passwords will not be imported though so you have to reset the password for all users and let them change it.
  If I were you I would have use the import utility to migrate users to keep the password then I will update the information of users (including group membership) via update template CSV file.
  The migration I used before included few users that I could create on the spot and ask them to reset the password.  Most of the data were MAC addresses for MAC auth and IP addresses for TACACS+ AAA clients (switches, routers...etc).
  If you have too many users then the migration tool is your friend to get them imported without having to reset the password.
  It is also important that you read the migration guide before you use the utility. You'll find valuable information about what will be imported and how. What data will be maintained and what will not.
  HTH
  Amjad
  Rating useful replies is more useful than saying "Thank you"